
Detection Severity and Confidence

Note

The terms Alerts and Investigations have recently been changed to Detections and Cases in Taegis XDR. You may still see references to the old terms while we continue to work towards platform convergence of Sophos and Taegis technologies. For more information, see Taegis Terminology Updates.

Severity and confidence scores make it easier for you to prioritize detection triage in your environment and address the most pressing detections first. Find the severity and confidence for a detection in the Detection Details panel.


  • Severity is a measure of how much of a potential threat the activity poses to your environment. The severity score ranges from 0.01 to 1; the higher the score, the bigger the potential threat posed by the activity. Each rating band includes its lower bound and runs up to, but not including, the lower bound of the next band (the Critical band also includes 1):

    • Informational: 0 to 0.199...
    • Low: 0.2 to 0.399...
    • Medium: 0.4 to 0.599...
    • High: 0.6 to 0.799...
    • Critical: 0.8 to 1

      Note

      If a detection's severity level has changed, a message is displayed in its Detection Details panel.

  • Confidence is a measure of how confident our systems are that the detection is accurate and represents malicious activity. The confidence score ranges from 1 to 100; the higher the score, the more confident we are that the detection indicates genuine malicious activity.

Tip

Threat Score is a contextually-aware priority value assigned to detections by the patent-pending Taegis Prioritization Engine. For more information, see Threat Score.

How are Severity and Confidence Determined?

Each detector collects different data from your environment to monitor for malicious activity, and uses different aspects of that data to determine its severity and confidence scores.

For example, the DGA (domain generation algorithm) Detector is a machine learning model-based detector that computes the probability that a domain is an indicator of malicious activity. Both the severity and the confidence score are derived from the probability computed by the detector.

Other detectors define both scores statically. The Tactic Graphs™ Detector has a fixed severity and confidence score defined per adversary tactic, and Secureworks® Taegis™ XDR watchlist detectors use a fixed severity and confidence score set by the security researchers who created the watchlist.
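The following is an added example, not Secureworks code, that puts the severity bands, the confidence range and the two scoring styles described above into a small triage helper: it labels a severity score with its rating (handling the band boundaries the way the "0.199..." notation implies), builds a constructed set of detections (one probability-scored detector in the style of the DGA Detector and two statically scored ones), and orders them for triage by severity and then confidence. The probability-to-score mapping in `from_probability` is an assumption for illustration; the page says only that the DGA Detector derives both scores from a probability, not how. All detection records and indicators are constructed.

```python
"""Triage ordering for Taegis XDR-style detections (added example, not Secureworks code)."""
from dataclasses import dataclass
from typing import List

# Severity bands from the documentation: each band owns its lower bound and
# stops just short of the next band's lower bound; Critical also includes 1.0.
SEVERITY_BANDS = (
    ("Informational", 0.0, 0.2),
    ("Low", 0.2, 0.4),
    ("Medium", 0.4, 0.6),
    ("High", 0.6, 0.8),
    ("Critical", 0.8, 1.0),
)


def severity_rating(score: float) -> str:
    """Map a severity score to its rating label, e.g. 0.399 -> Low, 0.4 -> Medium."""
    if not 0.0 <= score <= 1.0:
        raise ValueError(f"severity score out of range: {score}")
    for label, low, high in SEVERITY_BANDS:
        if low <= score < high:
            return label
    return "Critical"  # only score == 1.0 reaches this point


def validate_confidence(confidence: int) -> int:
    """Confidence is an integer on the documented 1-100 scale."""
    if not isinstance(confidence, int) or not 1 <= confidence <= 100:
        raise ValueError(f"confidence must be an integer 1-100: {confidence!r}")
    return confidence


@dataclass(frozen=True)
class Detection:
    detector: str
    subject: str
    severity: float
    confidence: int

    @property
    def rating(self) -> str:
        return severity_rating(self.severity)


def from_probability(detector: str, subject: str, p: float) -> Detection:
    """Model-based detector: both scores derived from one probability p.

    ASSUMPTION for illustration: severity is p itself and confidence is p on
    the 1-100 scale, clamped to the documented range. The real DGA Detector
    mapping is not published on the page.
    """
    confidence = min(100, max(1, round(p * 100)))
    return Detection(detector, subject, round(p, 4), confidence)


def static_scored(detector: str, subject: str, severity: float, confidence: int) -> Detection:
    """Detector with fixed scores (Tactic Graphs per tactic, watchlists per list)."""
    severity_rating(severity)  # range check
    return Detection(detector, subject, severity, validate_confidence(confidence))


def triage_order(detections: List[Detection]) -> List[Detection]:
    """Most severe first; ties broken by confidence, then detector name for a stable queue."""
    return sorted(detections, key=lambda d: (-d.severity, -d.confidence, d.detector))


# Constructed sample detections; hostnames, domains and the IOC are made up.
SAMPLE_DETECTIONS = [
    from_probability("DGA Detector", "qxk3v9z2p1.example", 0.93),
    from_probability("DGA Detector", "cdn-assets.example", 0.41),
    static_scored("Tactic Graphs Detector", "lateral movement on HOST-07", 0.6, 80),
    static_scored("Watchlist Detector", "203.0.113.5 (constructed IOC)", 0.2, 100),
    static_scored("Tactic Graphs Detector", "discovery on HOST-03", 0.41, 60),
]

if __name__ == "__main__":
    for d in triage_order(SAMPLE_DETECTIONS):
        print(f"{d.rating:<13} sev={d.severity:<5} conf={d.confidence:>3}  {d.detector}: {d.subject}")
```

Two points the sample is built to show: the boundary cases (a static severity of exactly 0.6 is High and exactly 0.2 is Low, not one band lower), and that confidence only orders detections of equal severity, so the 0.41 Tactic Graphs detection with confidence 60 is queued ahead of the 0.41 DGA detection with confidence 41.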

Third-Party Detections

In determining which third-party detections will become detections in Secureworks® Taegis™ XDR, the Secureworks Counter Threat Unit™ (CTU) evaluates the third-party detections for accuracy, usefulness, and relevance. The guidelines used to determine the severity of those associated XDR detections can be found in the Third-Party Integration Detection Handling Policy Knowledge Base article.