Resolve Alerts (Change Alert Status)
After you have reviewed alerts in Secureworks® Taegis™ XDR, resolve them by setting one of the following statuses:
- True Positive: Benign — Activity was correctly identified, but either it does not compromise the targeted system or data, or it has been mitigated.
- True Positive: Malicious — A confirmed security incident. Activity indicates that your organization's systems or data have been compromised or that measures put in place to protect them have failed.
- False Positive — Activity that is misidentified and non-malicious.
- Not Actionable — The activity may be valid, but remediation actions may not be possible.
- Open — The alert has not been reviewed or assessed.
Tip
Once alerts are resolved, they no longer appear on the Alert Triage Dashboard or on the Alerts page, because they are now considered triaged.
Note
Alert ratings help the system learn what types of alerts and information within those alerts are valuable to your organization. As the system gradually learns, you can expect to see this influence the severity, confidence, and suggested prioritization of similar activity.
There are a few ways to apply one of these labels:
From an Individual Alert
When viewing alerts from the side panel preview or the individual alert page, a persistent Alert Details Header appears across all views and tabs. It contains a drop-down used to set the alert Status.
Alert Details Header
Note
Once a Status Reason has been provided while resolving the alert, the Alert Details Header displays it, along with links to any investigations the alert has been added to.
To change alert status:
- View an Alert from the side panel preview or the individual alert page.
- Locate the Status dropdown and select a suitable status.
- (Optional) Provide further details about why this status applies.
- Select Submit.
Resolve Alert by Changing the Status
From a Table of Alerts
When viewing a table of alerts, such as on the Alerts page or in search results:
- Select one or more alerts using the checkmark.
- Select Actions > Resolve Alerts.
- Choose a status and provide further (optional) details about why this status applies.
- Select OK.
Resolving Alerts in Search Results
From an Investigation
When an investigation is closed, its related alerts and genesis alerts will be labeled automatically according to the close code. See Close an Investigation for steps and to see how close codes map to alert labels.
What is the Difference between a False Positive and True Positive?
To understand how benign events are classified, what decisions you may have to make, and what comes next, it helps to think about security events and alerts like a building’s fire alarm.
| | POSITIVE | NEGATIVE |
|---|---|---|
TRUE | The building catches fire, and the alarm sounds. | The building is not on fire, and the alarm does not sound. |
FALSE | There is no fire, but someone pulls the fire alarm. | The building is on fire, but the alarm does not sound. |
False Positives and True Negatives
This analogy helps explain how to label alerts in XDR:
Labels | Fire Alarm Analogy | Alert Examples |
---|---|---|
False Positive | A prankster pulls the fire alarm even though there is no danger. | A DGA detector classifying a domain as malicious when it is not; anti-virus classifying a file as malicious when it is not. |
True Positive: Benign | The fire department tests the alarms, or someone smokes in the bathroom. There is no danger, even though the alarm is triggered. | Administrative commands that are also used by threat actors; legitimate applications registering persistence; an internal penetration test. |
True Positive: Malicious | A fire starts in the kitchen and the alarm sounds. The fire will be put out. | Malware infection; successful exploit; account compromise. |
Not Actionable | The fire alarm is malfunctioning in the neighbor's house. | Malware infection identified on the guest wireless network; activity identified on unowned assets. |
XDR Alert Examples