
Threat Intelligence Alert Enrichment

Entities are data items that Taegis can recognize and categorize, including but not limited to IP addresses, file hashes, program hashes, or domains. Analysts triaging alerts analyze these entities observed within network, cloud, and endpoint data to identify potential indicators of compromise used by threat actors.

Alert Details feature a Threat Intelligence tab that gathers all of the known entities from an alert and provides additional Threat Intelligence enrichment data from the Secureworks Counter Threat Unit™, VirusTotal, and APIVoid.

View Threat Intelligence Enrichment on an Alert

Threat Intelligence Tab on Alert Details

To view Threat Intelligence enrichment data on an alert:

  1. Open an alert to view its Alert Details.
  2. Select the Threat Intelligence tab. The number in the tab indicates the number of entities with enrichment data available.
  3. The left-side panel contains a list of Known Entities from this alert that were recognized by Taegis™ XDR. The entities that have enrichment data available are marked with a red flag icon.

Tip

Hover over a red flag to see the APIVoid count and the Geotag.

  4. Select an entity to display its enrichment data in the right-side panel.

Available Enrichment Data

The following Threat Intelligence sections are displayed for entities, where available. If no information is available, the section will state No information found.

VirusTotal and APIVoid Enrichment Data

VirusTotal Enrichment Data

APIVoid Enrichment Data

Secureworks leverages enrichment data from VirusTotal and APIVoid. The metrics indicate how many security vendors flagged the selected threat indicator as malicious. Vendors that have flagged the entity as malicious are marked with a red warning icon and appear at the top of the list. Vendors that have not yet flagged the entity are marked with a green check mark.

Note

At this time, APIVoid enrichment data is only available for IP addresses. More threat indicators will be enriched in the near future.

VirusTotal enrichment data is available for IP addresses, domains, URLs, and file hashes. If available, a link to the VirusTotal URL search is provided. Select this link to open the search in a new tab and automatically copy the entity to your clipboard.
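The following is an added example, not Taegis code or the Secureworks, VirusTotal, or APIVoid APIs. It shows, in plain Python, the three things this section and the Known Entities list describe: categorizing an alert's entity strings into the types the tab recognizes (IP address, domain, URL, file hash), deciding which enrichment source applies to each type (APIVoid for IP addresses only, VirusTotal for all four), and summarizing vendor verdicts so that vendors which flagged the entity as malicious are counted and listed first. The function names, the verdict vocabulary (`malicious`, `suspicious`, `harmless`, `undetected`), the sample entities and the sample lookup results are all constructed for illustration.

```python
"""Added example (hypothetical helper, not Taegis code): recognize entity types,
pick the enrichment sources that apply, and order vendor verdicts with the
flagging vendors first, as the Threat Intelligence tab displays them."""
import ipaddress
import re
from urllib.parse import urlparse

# Hex-digest lengths accepted as file hashes (MD5, SHA-1, SHA-256).
HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
# Conservative hostname pattern: dot-separated labels plus an alphabetic TLD.
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I
)


def classify_entity(value):
    """Return 'ip', 'hash', 'url', 'domain', or None when the string is not an
    indicator type this example recognizes. Checks run from most to least specific."""
    v = value.strip()
    try:
        ipaddress.ip_address(v)          # accepts IPv4 and IPv6 literals
        return "ip"
    except ValueError:
        pass
    if HEX_RE.match(v) and len(v) in HASH_LENGTHS:
        return "hash"
    if "://" in v:
        parts = urlparse(v)
        if parts.scheme in ("http", "https") and parts.netloc:
            return "url"
    if DOMAIN_RE.match(v):
        return "domain"
    return None


def enrichment_sources(entity_type):
    """Sources the page says enrich each type: APIVoid only covers IP addresses;
    VirusTotal covers IPs, domains, URLs and file hashes."""
    if entity_type == "ip":
        return ["VirusTotal", "APIVoid"]
    if entity_type in ("domain", "url", "hash"):
        return ["VirusTotal"]
    return []


def summarize_verdicts(results):
    """results maps vendor name -> verdict (constructed vocabulary: 'malicious',
    'suspicious', 'harmless', 'undetected'). Returns (flagged, total, ordered),
    where ordered lists vendors that flagged the entity as malicious first."""
    flagged = sorted(v for v, c in results.items() if c == "malicious")
    rest = sorted(v for v, c in results.items() if c != "malicious")
    ordered = [(v, results[v]) for v in flagged + rest]
    return len(flagged), len(results), ordered


def enrich_alert(entities, verdicts):
    """Build the per-entity view: type, applicable sources, and the verdict
    summary when a (constructed) lookup result exists for that entity."""
    view = {}
    for raw in entities:
        etype = classify_entity(raw)
        entry = {"type": etype, "sources": enrichment_sources(etype),
                 "flagged": 0, "total": 0, "vendors": []}
        if etype and raw in verdicts:
            entry["flagged"], entry["total"], entry["vendors"] = summarize_verdicts(verdicts[raw])
        view[raw] = entry
    return view


# Constructed sample alert entities and constructed lookup results (not real data;
# the IP is from the TEST-NET-2 documentation range, the hash is SHA-256 of "").
SAMPLE_ENTITIES = [
    "198.51.100.23",
    "example.com",
    "https://example.com/login",
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "not an indicator",
]
SAMPLE_VERDICTS = {
    "198.51.100.23": {"VendorC": "undetected", "VendorA": "malicious",
                      "VendorB": "harmless", "VendorD": "malicious"},
    "example.com": {"VendorA": "harmless", "VendorB": "harmless"},
}

if __name__ == "__main__":
    for entity, info in enrich_alert(SAMPLE_ENTITIES, SAMPLE_VERDICTS).items():
        flag = " [flagged]" if info["flagged"] else ""
        print(f"{entity}: type={info['type']} sources={info['sources']} "
              f"{info['flagged']}/{info['total']} malicious{flag}")
        for vendor, verdict in info["vendors"]:
            print(f"    {'!!' if verdict == 'malicious' else 'ok'} {vendor}: {verdict}")
```

Running the script prints one line per entity with the malicious count over the vendor total, followed by the vendors with the flagging ones on top, which mirrors the ordering the tab uses. Only `malicious` counts as flagged here; a real deployment would decide how to treat `suspicious` verdicts, which this example lists with the unflagged vendors.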

The Related TI section displays a list of specific Threat Intelligence reports where the threat indicator is referenced. To learn more, see the Threat Intelligence Reports topic.

Geolocation

The Geolocation sections display location data, such as country, city, and state/province, for network-based indicators, such as IPs, domains, and URLs.

Reputation Status

The Reputation Status section provides indicator-specific context, such as the count and name of the watchlists by which the indicator was observed, the intel source, and when it was created and last updated.

WHOIS

The WHOIS section returns WHOIS data for network-based threat indicators from the WHOIS service, including, but not limited to, the registrar, registrant, and address.
