Detectors Overview
Secureworks® Taegis™ XDR includes detectors that continuously monitor your environment data for malicious activity. Currently, the following are available:
Tip
Use the Taegis XDR Creator column to search for alerts created by specific detectors.
Note
Some detectors currently only include `event_ID` references and do not provide `ContributingEvents`. This prevents the alert service from storing the event data, so XDR is unable to search against these detectors using the underlying event data. These detectors are indicated in the 'Can be searched using underlying events' column.
Detector Type | Description | Taegis XDR Creator | Can be searched using underlying events |
---|---|---|---|
Account Compromise | Detector that combines multiple entities related to user login and post-login behavior to identify an account that exhibits signs of being taken over by a threat actor | app:detect:account-compromise-aggregator | No |
Bring Your Own Threat Intel | Detector that enables you to integrate Threat Intel indicator lists and generate alerts when those indicators are found in normalized telemetry | app:detect:byoti | No |
Brute Force | Detector that looks for repeated password attempts | app:detect:brute-force-detector | No |
Business Email Compromise | Detector that looks for specific techniques that threat actors use against O365 email accounts | app:event-filter:bec | Yes |
Cloud Recon to Change | Detector that identifies unusual exfiltration of AWS RDS data by a user | app:detect:cloud-unusual-recon-user | Yes |
Cloud Watchlist | Detector that converts events sourced from security providers monitoring public cloud assets into XDR alerts | app:event-filter:cloudwatchlist | Yes |
Domain Watchlist | Detector that looks for malicious domains using Threat Indicator feeds from CTU and third parties | app:detect:domain_blacklist | Yes |
Domain Generation Algorithms | Detector that alerts on suspicious domains within network connection data | app:detect:dga | Yes |
Email Watchlist | Detector that converts third-party email security events into alerts and assigns a severity and confidence based on the activity observed | app:event-filter:email | Yes |
Endpoint Watchlists | Detectors that consolidate alerts pulled from endpoint integrations into XDR and apply CTU-curated watchlists to normalized endpoint telemetry | app:event-filter | Yes |
File Analysis | Detector that identifies malicious files on endpoints with Taegis Endpoint Agent | app:file-analysis and app:detect:file_appearances | No |
Hands-On-Keyboard | Detector that scores process events for a set timeframe using machine learning models and then uses these scores to identify potential Hands-On-Keyboard activity | app:detect:hands-on-keyboard | No |
IP Watchlist | Detector that identifies netflow events that contain a known bad IP address | app:threat-intel-enrichment-netflow:v0.3.0 | Yes |
iSensor | Detector that prevents network-based threats in real-time using Secureworks proprietary signatures | app:event-filter:nids | Yes |
Kerberoasting | Detector that identifies a possible Kerberos Ticket Granting Service (TGS) Service Ticket (ST) attack where a threat actor gathers, extracts, and cracks account password hashes offline in order to recover plaintext passwords | app:detect:kerberoasting-detector | No |
Network IDS | Detector that converts Network IDS events into alerts | app:event-filter:nids | Yes |
Password Spray | Detector that identifies an attempt to steal account credentials by attempting logins using common account names and frequently used passwords | app:detect:password-spray-detector | Yes |
Penetration Test | Detector that identifies when a potential penetration test is ongoing | app:detect:tactic-detector | No |
Portscanning and Broadscanning | Detectors that identify attempts by a threat actor to search assets in your environment for open ports that might present attack opportunities | app:detect:portscanning and app:detect:broadscanning | Yes |
Punycode | Detector that looks for phishing domains that use punycode to disguise URLs as legitimate ones | app:detect:punycode | Yes |
Quick Mail Consent (MS o365) | Detector that looks for granted Mail.Read or Mail.ReadWrite permissions and related consented application permission sets in MS o365 | app:detect:o365-quick-mail-consent | Yes |
Rare Program to Rare IP | Detector that looks at anomalous connections between programs and IP addresses | app:detect:rare-process-to-rare-ip | No |
SharpHound | Detector that identifies instances where the SharpHound data collector has been run on your network using the default collection method | app:detect:sharphound | No |
Snapshot Exfiltration | Detector that looks for malicious AWS EC2 snapshot exports | app:detect:snapshot-exfiltration | No |
Stolen Credentials | Detector that looks for impossible travel conditions for user credentials | app:detect:stolen-user-credentials | No |
Suspicious DNS Activity | Detector that looks for DNS queries that might have been performed by malware | app:detect:suspicious-dns | Yes |
Tactic Graph | Detector that models adversarial behavior to detect threats | app:detect:tactic-detector | No |
Taegis Watchlist | Detector that applies a Secureworks CTU curated ruleset to normalized telemetry sourced from any ingested data source to detect threats | app:event-filter | Yes |