Automatic Investigations

Automatic Investigations in Secureworks® Taegis™ XDR can be set up to monitor newly-created alerts and create a new investigation from alerts that meet the criteria, or likewise append alerts to existing investigations that match specified attributes.

Automatic Investigations

Rules may be defined either at the partner level and applied to all child tenants, or by individual tenants. A rule defines a Query Language alert query over the incoming alert stream and a set of Group By definitions that group alerts together into investigations by attributes of the alerts—for example, entities or the title.

Working with Automatic Investigation Templates

Create an Automatic Investigation Template

  1. From the XDR left-hand side navigation, select Tenant Settings → Auto Investigations. The Automatic Investigations page displays.
  2. Select the Templates tab.

Automatic Investigation Templates

  3. From the Actions pull-down menu on the right, select Create New Template. The Create New Investigation Template dialog displays.

Create New Template

  4. Enter a Template Title.
  5. Enter an Investigation Title that will be assigned to investigations created from this template.
  6. Select the Priority Level for investigations created from this template.

Investigation Priority

  7. Select the Investigation Type.
  8. (Optional) Give the template a description. This helps you and others using the template to know what the template is for.
  9. Select Submit to close the dialog and save the template. It is now listed on the Templates tab.
  10. Follow the steps in the next section to edit the template to add values, edit the title and key findings scripts, and add tags.

Edit Automatic Investigation Templates

  1. From the XDR left-hand side navigation, select Tenant Settings → Auto Investigations.
  2. The Automatic Investigations page displays. Select the Templates tab to display the currently available templates.

Automatic Investigation Templates

  3. Select the template you want to edit from the cards or list. The template editor displays.

Template Editor

  4. Make the edits you need, then choose Save.

Note

You cannot set the Assignee of automatic investigations to Secureworks, only to the tenant or a registered tenant user. For assistance with an investigation created by customer-created auto investigation rules, request help through chat or @secureworks in an investigation comment.

Tip

You can edit values in the template that aren’t available in the template creation dialog, such as adding tags or scripting.

Share Automatic Investigation Templates

To share an automatic investigation template with another user within the tenant, select the Copy share link icon for a direct URL.

Share Automatic Investigation Template

Working with the Auto Investigation Rule Builder

Create an Automatic Investigation Rule

  1. From the XDR left-hand side navigation, select Tenant Settings → Auto Investigations.
  2. The Automatic Investigations page displays. Select New Rule from the top right-hand corner.
  3. The Rule Builder panel displays.

Auto Investigation Rule Builder Details

Define the Rule Details

  1. Enter a Rule Title that describes the purpose of the rule.

  2. Select a rule state. Choose from:

  3. Select a template from the Investigation Template pull-down menu.

  4. Optionally, provide a description.

  5. Set the Rule Evaluation Order. For more information, see Rule Order.

  6. Add any tags to the rule, then select Continue.

Determine the Rule Criteria

  1. Add an XDR Query Language statement that filters for the alerts you want the rule to apply to. For more on XDR’s Query Language, see Advanced Search Query Language.

  2. If you want alerts to be appended to investigations created by this rule, add an XDR Query Language statement that finds the alerts you want to append. For more on XDR’s Query Language, see Advanced Search Query Language.

  3. The Ignore Alert Prioritization option defaults to off. Enable it by selecting the checkbox to make the rule ignore alert prioritization information and execute regardless of whether the system automatically deprioritized the alert being evaluated.

Configure Alert Grouping

  1. Define if alerts should be appended to an existing investigation and which investigation alerts should be appended to. For more information, see Group By.

Note

This field is mandatory to create the Auto Investigation rule. You must specify at least one alert attribute.

Edit Automatic Investigation Rules

To edit a rule, select the Edit Rule pencil icon from the Actions column for the desired rule. Edit the details, rule criteria, or alert grouping criteria and then select Submit to save.

Auto Investigation Rule Actions

Export and Import Automatic Investigation Rules

Delete Automatic Investigation Rules

To delete a configured rule, select the Delete Rule icon from the Actions column for the desired rule and confirm your action by selecting Delete.

Rule Evaluation

The following are taken into account when rules are evaluated:

Rule Monitoring and Testing

Rules can be put into a test status in which rules are evaluated but alerts are not actually appended to investigations. Metrics are collected and logs generated as though the action had actually been performed.

Rule Processing

Important

Rules defined at the child tenant level are executed first before MSSP partner rules; use caution if you are a ManagedXDR customer or have services provided by a Secureworks MSSP partner.

Rule Order

Rules are processed in the order defined by the order value on the rule—lower value is processed first. Rule processing stops after the first match. Tenant rules are processed before partner rules.

Group By

The Group By values on a rule determine if an alert should be appended to an existing investigation. When a rule is matched, group_by criteria are evaluated. If an existing open investigation is found matching any of the results returned by the group_by expressions, the alert is added to the existing investigation rather than creating a new one.

Each expression may return either a single result or a list. If more than one expression is defined, the entire set of results is combined into one flattened OR list.

For example, the following returns a list of usernames identified as entities associated with the alert. If an existing open investigation contains an alert with any one of the resulting usernames, the alert would be added to the existing investigation.

group_by:
  - "${alertUsernames(alert)}"

To enforce that all of the usernames within the alert must match, the list of usernames needs to be converted into a single string value. This can be done using the join macro:

group_by:
  - "${join(alertUsernames(alert))}"

In a more complex example, the following returns a list of IPs identified as entities associated with the alert that do not match the specified addresses (127.0.0.1 or 0.0.0.0). If an existing open investigation contains an alert with any one of the resulting IPs, the alert would be added to the existing investigation.

group_by:
  - "${alertIPs(alert).filter(e, !(e in ['127.0.0.1', '0.0.0.0']))}"

The following example defines a single group_by clause that joins multiple alert attributes into a single value for the group_by clause. All of these attributes must then match an existing open investigation before the alert would be appended:

group_by:
  - "${join(alertHostnames(alert).filter(e, e != 'localhost')+alertSensorIds(alert))}"

By default, any rule can append to any open investigation if the group_by values match. You may add the name of the rule to the group_by value to ensure that only this rule can append to investigations created by itself:

group_by:
  - "${alertHostnames(alert).map(h, h + 'The Name of This Rule')}"

Note

Group By matches are not rule-specific. This means any rule can append to any investigation if the Group By values match.

Each distinct row in the Group By list can result in a match. The matches are evaluated using an OR condition. To match with an AND condition, one must define a single row. In some cases, it may be possible to use the Group By count to result in an AND condition.
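The Group By semantics described above (results flattened into one OR list, join to force an AND match, and rule-scoped keys), modelled as an added Python example that is not part of the Taegis documentation or product. The alert_* helpers standing in for the alertUsernames/alertIPs/alertHostnames macros, the alert and investigation shapes, and the join separator are assumptions made for this illustration.

```python
# Added example, not Taegis code: a small Python model of the Group By semantics
# described above. Each group_by expression is a callable that returns a string
# or a list; all results are flattened into one key set that is matched with OR
# against open investigations. join() collapses a list into one string so that
# the whole list must match (AND). The alert/investigation shapes, the helper
# names and the join separator are assumptions made for this illustration.

def alert_usernames(alert):
    return alert.get("usernames", [])
def alert_ips(alert):
    return alert.get("ips", [])
def alert_hostnames(alert):
    return alert.get("hostnames", [])

def join(values, sep=","):
    # Emulates the join macro: one string from a list, in list order.
    return sep.join(values)

def group_by_keys(expressions, alert):
    """Flatten every group_by expression's result into one OR-list of keys."""
    keys = set()
    for expr in expressions:
        result = expr(alert)
        keys.update([result] if isinstance(result, str) else result)
    return keys

def find_open_investigation(keys, open_investigations):
    """Return the id of the first open investigation sharing any key, else None."""
    for inv in open_investigations:
        if inv["keys"] & keys:
            return inv["id"]
    return None

# Constructed sample state: keys are what earlier alerts' group_by produced.
OPEN = [
    {"id": "INV-1", "keys": {"alice", "bob"}},                  # list expression
    {"id": "INV-2", "keys": {"alice,carol"}},                   # join expression
    {"id": "INV-3", "keys": {"host01The Name of This Rule"}},   # rule-scoped key
]
ALERT = {"usernames": ["alice", "carol"], "ips": ["127.0.0.1", "10.0.0.5"],
         "hostnames": ["host01", "localhost"]}

# 1. OR semantics: any single username may match an open investigation.
OR_RULE = [alert_usernames]
# 2. AND semantics: the joined username list must match as one string.
AND_RULE = [lambda a: join(alert_usernames(a))]
# 3. Filtered IPs, mirroring the filter() example above; loopback is dropped.
IP_RULE = [lambda a: [ip for ip in alert_ips(a) if ip not in ("127.0.0.1", "0.0.0.0")]]
# 4. Hostnames suffixed with the rule name so only this rule's keys can match.
SCOPED_RULE = [lambda a: [h + "The Name of This Rule" for h in alert_hostnames(a)]]
```

With the constructed state, the OR rule lands in INV-1 on the shared username alice, while the join rule skips INV-1 and only matches INV-2, whose key is the whole joined list.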

Adding Alerts

Rules are evaluated against the alerts associated with an investigation when that investigation is created or alerts are added to the investigation. If a rule matches an alert that is associated with the investigation, then additional alerts may be added to the investigation as defined by the append filter on the rule.

Notes

Alert Processing

Medium and higher severity alerts are processed in a sequential fashion as they are created or published. For each alert, the rules are evaluated and an investigation is either created or appended to for the first rule that matches the alert. The filter on the rule is used to match the alert, but note that alerts are also evaluated against the append_filter and can be appended to an investigation if both the append_filter and group_by criteria match the alert.

Rules that have an append state or an append_filter defined continue to be evaluated in order until both the filter or append_filter and group_by match. If an alert matches the filter, but the group_by doesn’t, then the alert is evaluated against the next rule in the ordered list of rules.
