Threat Intelligence Alert Enrichment
Entities are data items that Taegis can recognize and categorize, including but not limited to IP addresses, file hashes, program hashes, or domains. Analysts triaging alerts analyze these entities observed within network, cloud, and endpoint data to identify potential indicators of compromise used by threat actors.
Alert Details feature a Threat Intelligence tab that gathers all of the known entities from an alert and provides additional Threat Intelligence enrichment data from the Secureworks Counter Threat Unit™, VirusTotal, and APIVoid.
View Threat Intelligence Enrichment on an Alert
Figure: Threat Intelligence Tab on Alert Details
To view Threat Intelligence enrichment data on an alert:
- Open an alert to view its Alert Details.
- Select the Threat Intelligence tab. The number in the tab indicates the number of entities with enrichment data available.
- The left-side panel contains a list of Known Entities from this alert that were recognized by Taegis™ XDR. The entities that have enrichment data available are marked with a red flag icon.
Hover over a red flag to see the APIVoid count and the Geotag.
- Select an entity to display its enrichment data in the right-side panel.
Available Enrichment Data
The following Threat Intelligence sections are displayed for entities, where available. If no information is available, the section states "No information found."
VirusTotal and APIVoid Enrichment Data
Figure: VirusTotal Enrichment Data
Figure: APIVoid Enrichment Data
Secureworks leverages enrichment data from VirusTotal and APIVoid. The metrics indicate how many security vendors flagged the selected threat indicator as malicious. Vendors that have flagged the entity as malicious are marked with a red warning icon and are listed first. Vendors that have not yet flagged the entity are marked with a green check mark.
At this time, APIVoid enrichment data is only available for IP addresses. More threat indicators will be enriched in the near future.
VirusTotal enrichment data is available for IP addresses, domains, URLs, and file hashes. If available, a link to the VirusTotal URL search is provided. Select this link to open the search in a new tab and automatically copy the entity to your clipboard.
- The latest update time is displayed next to the metrics. To refresh the results, select the refresh icon.
- Run a pivot search on the selected entity by selecting the magnifying glass icon next to the entity name in this section.
- Collapse or expand the list of vendors by selecting the arrow.
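To make the vendor metric and the tab counter concrete, here is an added Python example (not Taegis code or a Taegis API) that models what the sections above describe: the "flagged by N of M vendors" count, flagged-first vendor ordering, the per-entity enrichment flag that drives the tab number, and the "No information found" fallback. The entities, vendor names and verdicts are constructed sample data.

```python
from dataclasses import dataclass

# Constructed sample: entity -> {vendor name: verdict}. Names, verdicts and
# indicators are made up for illustration, not real VirusTotal/APIVoid output.
SAMPLE_ENRICHMENT = {
    "203.0.113.10": {"VendorA": "malicious", "VendorB": "clean", "VendorC": "malicious"},
    "example.invalid": {"VendorA": "clean", "VendorB": "clean"},
    "d41d8cd98f00b204e9800998ecf8427e": {},  # file hash with no vendor data
}

# Verdict strings treated as "flagged malicious" (assumed vocabulary).
MALICIOUS_VERDICTS = {"malicious", "malware", "phishing"}

@dataclass
class EntitySummary:
    entity: str
    flagged: int          # vendors that flagged the entity as malicious
    total: int            # vendors that returned any verdict
    vendors: list         # (vendor, verdict, marker), flagged vendors first

    @property
    def has_enrichment(self) -> bool:
        """True when the entity would carry the red flag icon in the entity list."""
        return self.total > 0

def summarize_entity(entity: str, verdicts: dict) -> EntitySummary:
    """Build the per-entity view: malicious count plus flagged-first vendor order."""
    rows = []
    for vendor, verdict in verdicts.items():
        is_bad = verdict.lower() in MALICIOUS_VERDICTS
        rows.append((vendor, verdict, "red-warning" if is_bad else "green-check"))
    # Vendors that flagged the entity sort first; alphabetical within each group.
    rows.sort(key=lambda r: (r[2] != "red-warning", r[0]))
    flagged = sum(1 for r in rows if r[2] == "red-warning")
    return EntitySummary(entity, flagged, len(rows), rows)

def tab_count(enrichment: dict) -> int:
    """Number shown on the Threat Intelligence tab: entities with enrichment data."""
    return sum(1 for e, v in enrichment.items() if summarize_entity(e, v).has_enrichment)

def render(summary: EntitySummary) -> str:
    """Text form of the right-side panel for one entity."""
    if not summary.has_enrichment:
        return f"{summary.entity}: No information found."
    head = f"{summary.entity}: {summary.flagged}/{summary.total} vendors flagged malicious"
    return head + "".join(f"\n  [{m}] {v}: {d}" for v, d, m in summary.vendors)

if __name__ == "__main__":
    print(f"Threat Intelligence ({tab_count(SAMPLE_ENRICHMENT)})")
    for entity, verdicts in SAMPLE_ENRICHMENT.items():
        print(render(summarize_entity(entity, verdicts)))
```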
Related TI
The Related TI section displays a list of specific Threat Intelligence reports where the threat indicator is referenced. To learn more, see the Threat Intelligence Reports topic.
Geolocation
The Geolocation sections display location data, such as country, city, and state/province, for network-based indicators, such as IPs, domains, and URLs.
Reputation Status
The Reputation Status section provides indicator-specific context, such as the count and name of the watchlists by which the indicator was observed, the intel source, and when it was created and last updated.
WHOIS
The WHOIS section returns WHOIS data for network-based threat indicators from the WHOIS service, including, but not limited to, the registrar, registrant, and address.