Taegis ManagedXDR Dashboard

dashboards alerts investigations widgets managedxdr

The Secureworks® Taegis™ ManagedXDR Dashboard features several widgets that enable security managers to:

Monitor the work conducted by Secureworks on their behalf
Understand the value that Secureworks provides
Summarize and report on that value to their CISO

ManagedXDR Dashboard

Accessing the Dashboard ⫘

To access the ManagedXDR Dashboard, open the Dashboards menu from the left-hand side navigation and select ManagedXDR.

Only users using a tenant with a ManagedXDR subscription are able to view the ManagedXDR Dashboard.

Edit the ManagedXDR Dashboard using the following tips.

Edit Dashboard Settings ⫘

Date/Time ⫘

The ManagedXDR Dashboard uses master date/time settings, which change the time period of all widgets at the same time.

Change the time period using the drop-down date/time picker at the top right of the dashboard. The default time period is 72 Hours, but choosing a custom time period overwrites it. The most recent time period selected becomes the new default.

Date/Time Picker

Note

Alerts may be searched for any time period.

However, event data is treated differently and can be searched for any period of 31 days or less in duration. Event data can be queried either from Advanced Search by choosing any non-Alert Type or from Quick Search. When using either of these ways to query event data, a custom date picker allows you to specify a search time range. From this custom date picker, you can select any start date for which the account may have retained data. But when selecting the end date for the search time range, note that the number of days in the range (the difference between the start and end date) must be less than or equal to 31 days.

Trend Lines vs. Percentages ⫘

Several widgets display percentages and trend lines. The percentage compares the selected time period to the previous time period. The trend line provides additional context by depicting the selected time period plus the previous three time periods.

For example, if the time scope for the Event Pipeline widget is Last 72 Hours, the number compares to the 3 days prior, and the trend line depicts the last 12 days.

Negative Anomaly	No Anomaly	Positive Anomaly

The current value is beyond the established threshold (+/- 2 standard deviations) between this period and the last period, and those changes are negatively anomalous.	The current value is within the established threshold (+/- 2 standard deviations) between this period and the last period, meaning there are no anomalies.	The current value is beyond the established threshold (+/- 2 standard deviations) between this period and the last period, and those changes are positively anomalous.

Anomaly Thresholds in XDR

Widgets ⫘

Event Pipeline ⫘

The Event Pipeline widget highlights the breakdown of event filtering via ManagedXDR, through the following metrics:

Alerts — The number of alerts triggered by raw events during the selected time period
New Investigations — The number of new investigations created from those alerts during the selected time period
Handed Off — The number of those investigations that were sent by Secureworks to your security team for further investigation or remediation during the selected time period, excluding Threat Hunt type investigations

Event Pipeline Widget

Below each metric is a percentage and a trend line, which compare the current time period being viewed to previous time periods. (See Trend Lines vs. Percentages to learn about what each represents.) Select one of the metrics to open up a side drawer with more detailed information about the alerts or investigations.

Export Data ⫘

Tip

For users opted in to Preview mode, see Export Data for changes to exporting widget data.

Select the download icon icon on any widget to download a CSV of the current chart. The Event Pipeline CSV file contains the following fields:

Start Date/Time — The date and time of the start of the selected time frame
End Date/Time — The date and time of the end of the selected time frame
Analytic Name — The metric: Alerts, New Investigations, or Handed Off
Current Period — The number of alerts or investigations in the selected time frame, depending on the metric
Percent Change — The change between the selected time period to the previous time period, as a percentage
Prior Period 1 — The number of alerts or investigations (depending on the metric) in the most recent period prior
Prior Period 2 — The number of alerts or investigations (depending on the metric) in the second most recent period prior
Prior Period 3 — The number of alerts or investigations (depending on the metric) in the third most recent period prior

Tip

You can also download a CSV of the side drawer data tables when you drill down into ManagedXDR Dashboard metrics.

Ongoing Investigations ⫘

The Ongoing Investigations widget displays any investigation that is currently open, active, or awaiting action.

Ongoing Investigations Widget

Select any investigation to go to that investigation’s details.
By default, this widget is sorted from Oldest to Newest investigations.
Edit the sort order as needed, then select Apply.
The top five open investigations that match the filters are displayed on the ManagedXDR Dashboard. Choose View All to see the entire matching list in a side drawer.
Select the Refresh icon to reload the list.

Tip

Want to assign an ongoing investigation to someone? See Hand Off an Investigation.

Export Data ⫘

Tip

For users opted in to Preview mode, see Export Data for changes to exporting widget data.

Select the download icon icon on any widget to download a CSV of the current chart. The Ongoing Investigations CSV file contains the following fields:

Start Date/Time — The date and time of the start of the selected time frame
End Date/Time — The date and time of the end of the selected time frame
Data Exported — The date and time that the CSV file was exported
Investigation Name — The title of the investigation
Assignee — The user to whom the investigation is assigned at the time of the CSV export
Updated — The date and time that the investigation was last updated

Tip

You can also download a CSV of the side drawer data tables when you drill down into ManagedXDR Dashboard metrics.

Mean Response Times ⫘

The Mean Response Times widget highlights MDR’s impact on the timeliness of event handling, through the following three metrics:

Hand Off — The mean amount of time elapsed from when a Secureworks analyst took ownership of an investigation to the initial handoff to your organization
Acknowledge — The mean amount of time elapsed from when Secureworks initially handed off an investigation to when someone in your organization initially viewed it
Resolution — The mean amount of time elapsed from when Secureworks initially handed off an investigation to the time the investigation is resolved. If an investigation has been reopened, the time is calculated from the initial handoff to the most recent resolution of that investigation.

Response Time Widget

Below each metric is a percentage that compares the current time period being viewed to previous time periods. (See Trend Lines vs. Percentages to learn about what each represents.) Select one of the metrics to open up a side drawer with more detailed information about the events, alerts, or investigations.

Scatter Chart ⫘

Select one of the metrics to open up a side drawer with additional information. This includes a scatter chart which maps how the individual response times and mean response time correspond with the Service Level Agreement (SLA). Below the chart is a list of all matching investigations or alerts.

Some tips for reading the scatter chart:

The X-axis displays the date of completion.
The Y-axis displays the response time in minutes.
Purple dots indicate alerts or investigations that met the SLA.
Red dots indicate alerts or investigations that exceeded the SLA.
Hover over a dot to view details about that specific investigation, such as when it was handed off and who is the assignee.
A red line indicates the SLA.
A solid black line indicates the mean response time for the currently displayed time period.
A yellow line indicates the mean response time for the currently displayed time period, and it was anomalous (a significant increase over the last time period).
Zoom in on any part of the time period by grabbing and dragging the handles of the scroll bar below the chart. Once zoomed in on any given area, you can click on the highlighted region and drag it to scroll through time.
The list of matching investigations or alerts updates as you adjust the time period scroll bar.

Export Data ⫘

Tip

For users opted in to Preview mode, see Export Data for changes to exporting widget data.

Select the download icon icon on any widget to download a CSV of the current chart. The Response Time CSV file contains the following fields:

Start Date/Time — The date and time of the start of the selected time frame
End Date/Time — The date and time of the end of the selected time frame
Data Exported — The date and time that the CSV file was exported
Analytic — The metric: Mean Time to Hand Off, Mean Time to Acknowledge, or Mean Time to Resolve
Current Period — The mean number of minutes elapsed for each metric in the selected time frame
Previous Period — The mean number of minutes elapsed for each metric in the most recent period prior
Percent Change — The change between the selected time period to the previous time period, as a percentage

Tip

You can also download a CSV of the side drawer data tables when you drill down into ManagedXDR Dashboard metrics.

Completed Investigations ⫘

The Completed Investigations widget displays the total number of completed investigations for the selected time period, and a percentage comparing the selected time period to the previous time period. It also features a bar chart breaking down the investigations into the following categories:

False Positive — The number of investigations with activity determined to be false positive and did not constitute security incidents.
Confirmed Security Incidents — The number of investigations that have been closed with a status of Confirmed Security Incident, providing an indication of how many investigations required further actions to address a threat.
Inconclusive — The number of investigations where the activity’s root cause was not identified and no further activity was detected.
Unknown — The number of investigations that did not fall into one of the categories above. These may be older investigations from before the current close codes were available in Secureworks® Taegis™ XDR.

Select one of the bars to open up a side drawer with a list of matching investigations for that category, including their status.

Completed Investigations Widget

Export Data ⫘

Tip

For users opted in to Preview mode, see Export Data for changes to exporting widget data.

Select the download icon icon on any widget to download a CSV of the current chart. The Completed Investigations CSV file contains the following fields:

Start Date/Time — The date and time of the start of the selected time frame
End Date/Time — The date and time of the end of the selected time frame
Data Exported— The date and time that the CSV file was exported
Category — The investigation category: False Positive, True Positive, Inconclusive, Unknown, or Total
Quantity — The number of investigations in the category
Percent of Total — The percentage that the category comprises compared to the total
Percent Change — The change between the selected time period to the previous time period, as a percentage

Tip

You can also download a CSV of the side drawer data tables when you drill down into ManagedXDR Dashboard metrics.

Note

Completed Investigations also has two sub-widgets: Confirmed Security Incidents and False Positives.

Confirmed Security Incidents ⫘

Confirmed Security Incidents is a sub-widget of Completed Investigations that provides an overview of which resolved security incidents were most significant to your organization. It displays how many investigations with the close code ’Confirmed Security Incidents’ there were in the selected time period, and what MITRE ATT&CK™ Initial Access Vector they map to, if available. It also displays a trend bar chart and percentage comparing the number of confirmed security incidents to the previous four time periods, both overall and per Initial Access Vector category.

Important

The large-sized number displays a count of investigations with the close code ’Confirmed Security Incidents.’ Initial Access Vectors are not always associated with an investigation or may have multiple associations. As a result, the sum of these Initial Access Vectors may exceed or be less than the total number of ’Confirmed Security Incidents’ investigations.

Confirmed Security Incidents Widget

Initial Access Vector Information ⫘

Select one of the Initial Access Vector metrics to open up a side drawer with more detailed information about the confirmed security incidents in that category. This includes a bar chart of the confirmed security incidents in the selected time period.

Some tips for reading this chart:

The X-axis displays the date of the security incident.
The Y-axis displays the number of security incidents.
Hover over a bar to view the number of confirmed security incidents in that time period.
A yellow or green bar indicates that the number of confirmed security incidents was anomalous compared to the previous time period. Hover over the bar to see the change in percentage.
Zoom in on any part of the time period by grabbing and dragging the handles of the scroll bar below the chart.
Once zoomed in on any given area, you can click on the highlighted region and drag it to scroll through time.
The list of matching investigations below the bar chart updates as you adjust the time period scroll bar. Select the title to open that investigation’s details page.

Export Data ⫘

Select the download icon icon on any widget to download a CSV of the current chart. The Confirmed Security Incidents CSV file contains the following fields:

Start Date/Time — The date and time of the start of the selected time frame
End Date/Time — The date and time of the end of the selected time frame
Data Exported — The date and time that the CSV file was exported
Initial Access Vector — The category of the MITRE ATT&CK Initial Access Vector, as well as the total of all categories
Current Period — The number of confirmed security incidents for each category in the selected time frame
Percent Change — The change between the selected time period to the previous time period, as a percentage
Prior Period 1 — The number of confirmed security incidents in the most recent period prior
Prior Period 2 — The number of confirmed security incidents in the second most recent period prior
Prior Period 3 — The number of confirmed security incidents in the third most recent period prior

Tip

You can also download a CSV of the side drawer data tables when you drill down into ManagedXDR Dashboard metrics.

False Positives ⫘

False Positives is a sub-widget of Completed Investigations that displays the number of false positives in the selected time period. A breakdown is provided by the detector that generated the genesis alert. It also displays a trend bar chart and percentage that compares the number of false positives to the previous three. The widget also displays a pie chart representation of the proportion of genesis alerts by detector type for the current period.

Important

The large-sized number displays a count of investigations with the close code ’False Positive.’ The number of detectors represented in the pie chart is calculated based on which genesis alerts associated with the investigation are classified as ’False Positive.’ Because an investigation can have 1 to n number of genesis alerts, the sum of these detectors may exceed or be less than the total number of ’False Positive’ investigations.

Tip

See Trend Lines vs. Percentages to learn about the difference between the trend data and the percentage.

False Positives

Total Hunting Leads Investigated (ManagedXDR Elite Only) ⫘

Note

This widget is only available to ManagedXDR Elite customers.

The Total Hunting Leads Investigated widget displays a pie chart of all open alerts that have been triaged during the selected time period, broken down according to their status:

True Positive: Malicious — A confirmed security incident. Activity indicates that your organization's systems or data have been compromised or that measures put in place to protect them have failed.
True Positive: Benign — Activity was correctly identified, but either it does not compromise the targeted system or data, or it has been mitigated.
False Positive — Activity that is misidentified and non-malicious
Not Actionable — The activity may be valid, but remediation actions may not be possible

Hover over a pie segment for the total count of each status.

Total Hunting Leads Investigated Widget

Hunting Summary (ManagedXDR Elite Only) ⫘

Note

This widget is only available to ManagedXDR Elite customers.

The Hunting Summary widget displays counts of the following Threat Hunting metrics:

Total Hunting Leads — The total count of low confidence events, or combination of events, that indicate potential malicious activity requiring further investigation
Total Hunting Investigations — The total count of investigations categorized as Threat Hunt, ManagedXDR Threat Hunt, ManagedXDR Elite Threat Hunt, or CTU Threat Hunt
Total Hunting Playbooks Conducted — The total count of investigations with a description containing ’Targeted Threat Hunt’
Alerts Suppressed — The total count of alerts suppressed by alert suppression rules

Below each metric is a percentage and a trend line, which compare the current time period being viewed to previous time periods. (See Trend Lines vs. Percentages to learn about what each represents.)

Hunting Summary Widget

Export Options ⫘

Export Dashboard to PNG ⫘

To export the entire dashboard to a PNG image file, select Actions from the top right of the dashboard and choose Download as PNG. The file automatically downloads.

Export Dashboard to PNG

Export Dashboard Data ⫘

To export all data from the dashboard to a CSV or JSON file, select Actions from the top right of the dashboard and choose the Export Data CSV or JSON option.

Export Dashboard Data

Export Widgets to PNG ⫘

To export an individual widget to a PNG image file, select the vertical ellipsis from the top right of the desired widget and choose Download as PNG. The file automatically downloads.

Export Widget to PNG

Tip

You can also export the visuals resulting from drilling down into certain widgets to PNG.

To export widget data as a CSV or JSON file, select the vertical ellipsis from the top right of the desired widget and choose the Export Data CSV or JSON option.

Export Widget Data

Export Table Data ⫘

Download a CSV of the side drawer data tables when you drill down into ManagedXDR metrics:

Select one of the metrics from a widget to open up a side drawer with more detailed information.
Open the Actions menu and select Export All as CSV or as JSON to download all of the table’s data.
Or, use the checkmarks to select individual rows. Then open the Actions menu and select Export Selected as CSV or as JSON.

Export Table Data

Taegis ManagedXDR Dashboard

Accessing the Dashboard ⫘

Edit Dashboard Settings ⫘

Date/Time ⫘

Trend Lines vs. Percentages ⫘

Widgets ⫘

Event Pipeline ⫘

Export Data ⫘

Ongoing Investigations ⫘

Export Data ⫘

Mean Response Times ⫘

Scatter Chart ⫘

Export Data ⫘

Completed Investigations ⫘

Export Data ⫘

Confirmed Security Incidents ⫘

Initial Access Vector Information ⫘

Export Data ⫘

False Positives ⫘

Total Hunting Leads Investigated (ManagedXDR Elite Only) ⫘

Hunting Summary (ManagedXDR Elite Only) ⫘

Export Options ⫘

Export Dashboard to PNG ⫘

Export Dashboard Data ⫘

Export Widgets to PNG ⫘

Export Widget Data ⫘

Export Table Data ⫘

On this page: