
Detections🔗

Note

The terms Alerts and Investigations have recently been changed to Detections and Cases in Taegis XDR. You may still see references to the old terms while we continue to work towards platform convergence of Sophos and Taegis technologies. For more information, see Taegis Terminology Updates.

Secureworks® Taegis™ XDR takes one or more events from a detector and turns them into a detection. Review the detection details to decide whether it should be investigated further.

All detections are available on the Detections page, which includes a table of detections that can be filtered and exported.

Note

The Detections table is limited to 10,000 results. Apply filters to narrow the results.

Note

Detections prefixed with RESEARCH come from a detector or mechanism that is still in research mode: Secureworks is verifying that the detection is feasible and measuring its false positive rate before it graduates to a production detector.

Tip

Threat Score is a contextually-aware priority value assigned to detections by the patent-pending Taegis Prioritization Engine. For more information, see Threat Score.

View All Detections🔗

The Detections page can be accessed by selecting Detections > Detections from the Taegis Menu.


Whenever you open a list of detections from elsewhere in XDR, the Detections page opens prepopulated with the corresponding filters already applied. For example, select View All from the Recent Detections widget to view recent detections.

Select a detection title to open a preview side panel showing its essential details, so you can keep browsing the results table without losing your place or your filters. To view the full details of the detection, select Open in a New Tab; the detection details page opens in a new browser tab.

Tip

Adjust the width of the preview side panel by dragging its edge.

Different Detection Views

Filter for Detections🔗

To filter the Detections table:

  • Use the collapsible filters menu to narrow down the list of matching detections.

    Note

    Filter results are aggregated to a maximum of 1,000 entries. Narrow the time period or add further filters to reduce the results.

  • Use Include Options in the filters menu to include or exclude custom detections and triaged detections. Both are excluded by default, so a table that looks emptier than expected may simply be hiding detections that have already been triaged.

  • Change the selected time period using the drop-down date/time picker at the top right of the dashboard. The initial default is 72 Hours; the most recent time period you select, including a custom range, becomes the new default.

    Filter Detections

Schema Changes🔗

XDR's new Detections framework has an updated schema that changes how you construct search queries in XDR and through the new Alerts GraphQL API. Some fields have been moved to new locations, and some have been removed entirely. The following table summarizes the changes (new locations are dotted paths into the detection object):

Previous field           New location
alert_type               metadata.creator.detector.detector_id
attack_categories        attack_technique_ids
attack_categories_info   enrichment_details.mitre_attack_info
confidence               metadata.confidence
creator                  metadata.creator.detector.detector_id
creator_version          metadata.creator.detector.version
data                     enrichment_details or third_party_details
description              metadata.description
insert_timestamp         metadata.created_at
investigations           investigation_ids.id
labels_data              status and resolution_reason
message                  metadata.title
references               reference_details
related_entities         entities.entities
severity                 metadata.severity
timestamp                metadata.began_at
investigation_info       REMOVED; use Case queries instead
ranking_data             REMOVED
source                   REMOVED
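
The following helper, added here as an example and not part of the Secureworks documentation or API, encodes the table above so that existing triage scripts can read detections returned in the new schema using the old field names, and so that saved query strings can be rewritten mechanically where that is safe. The sample detection is constructed for illustration: its values, and the assumption that `investigation_ids` is a list of objects each carrying an `id`, are not taken from the page; only the field paths are.

```python
"""Compatibility helpers for the Taegis XDR detection schema change.

Added example, not Secureworks code. FIELD_MAP is transcribed from the
schema-change table; everything else (sample data, shapes of nested
objects) is assumed for illustration.
"""
import re
from typing import Any, Dict, List, Optional

# Legacy field -> candidate dotted paths in the new schema.
# 'data' may land in either of two objects, 'labels_data' was split into
# two fields, and None marks fields that were removed outright.
FIELD_MAP: Dict[str, Optional[List[str]]] = {
    "alert_type": ["metadata.creator.detector.detector_id"],
    "attack_categories": ["attack_technique_ids"],
    "attack_categories_info": ["enrichment_details.mitre_attack_info"],
    "confidence": ["metadata.confidence"],
    "creator": ["metadata.creator.detector.detector_id"],
    "creator_version": ["metadata.creator.detector.version"],
    "data": ["enrichment_details", "third_party_details"],
    "description": ["metadata.description"],
    "insert_timestamp": ["metadata.created_at"],
    "investigations": ["investigation_ids.id"],
    "labels_data": ["status", "resolution_reason"],
    "message": ["metadata.title"],
    "references": ["reference_details"],
    "related_entities": ["entities.entities"],
    "severity": ["metadata.severity"],
    "timestamp": ["metadata.began_at"],
    "investigation_info": None,
    "ranking_data": None,
    "source": None,
}

_MISSING = object()  # sentinel: "absent" is distinct from a legitimate None


def get_path(doc: Any, path: str) -> Any:
    """Walk a dotted path through nested dicts.

    When a segment hits a list (assumed shape of investigation_ids), the
    segment is applied to each element and the values are collected.
    """
    cur = doc
    for part in path.split("."):
        if isinstance(cur, dict):
            if part not in cur:
                return _MISSING
            cur = cur[part]
        elif isinstance(cur, list):
            hits = [e[part] for e in cur if isinstance(e, dict) and part in e]
            if not hits:
                return _MISSING
            cur = hits
        else:
            return _MISSING
    return cur


def legacy_get(detection: Dict[str, Any], legacy_field: str, default: Any = None) -> Any:
    """Read a new-schema detection using a pre-change field name.

    Removed fields raise instead of returning the default, so a migrated
    script fails loudly rather than triaging on silently missing data.
    """
    if legacy_field not in FIELD_MAP:
        raise KeyError(f"{legacy_field!r} is not a legacy detection field")
    targets = FIELD_MAP[legacy_field]
    if targets is None:
        raise KeyError(f"{legacy_field!r} was removed from the schema"
                       " (investigation_info: use Case queries instead)")
    if legacy_field == "labels_data":
        # Split field: return both halves under their new names.
        split = {}
        for target in targets:
            value = get_path(detection, target)
            split[target] = default if value is _MISSING else value
        return split
    for target in targets:  # first populated location wins (matters for 'data')
        value = get_path(detection, target)
        if value is not _MISSING:
            return value
    return default


# Bare identifiers only: not preceded/followed by a word char or a dot, so an
# already-migrated 'metadata.severity' is left alone; quoted literals are skipped.
_IDENT = re.compile(r"""'[^']*'|"[^"]*"|(?<![\w.])([A-Za-z_]\w*)(?![\w.])""")


def rewrite_legacy_query(query: str) -> str:
    """Rewrite bare legacy field names in a query string to their new paths.

    Fields that moved to more than one place (data, labels_data) and fields
    that were removed raise, because no mechanical rewrite is correct.
    """
    def repl(m: "re.Match[str]") -> str:
        name = m.group(1)
        if name is None or name not in FIELD_MAP:
            return m.group(0)
        targets = FIELD_MAP[name]
        if targets is None:
            raise ValueError(f"{name} was removed from the detection schema")
        if len(targets) != 1:
            raise ValueError(f"{name} maps to {', '.join(targets)}; rewrite by hand")
        return targets[0]
    return _IDENT.sub(repl, query)


SAMPLE_DETECTION: Dict[str, Any] = {  # constructed sample; values are illustrative
    "metadata": {
        "title": "Suspicious PowerShell download cradle",
        "severity": 0.7,
        "confidence": 0.8,
        "created_at": "2024-05-01T12:00:05Z",
        "began_at": "2024-05-01T11:59:58Z",
        "creator": {"detector": {"detector_id": "example-detector", "version": "1.0"}},
    },
    "attack_technique_ids": ["T1059.001"],
    "investigation_ids": [{"id": "inv-1"}, {"id": "inv-2"}],
    "status": "OPEN",
    "third_party_details": {"vendor": "example"},
    "entities": {"entities": ["host:ws01"]},
}

if __name__ == "__main__":
    for old in ("severity", "investigations", "data", "labels_data"):
        print(old, "->", legacy_get(SAMPLE_DETECTION, old))
    print(rewrite_legacy_query("severity >= 0.7 AND creator = 'severity'"))
```

The rewriter deliberately refuses the ambiguous cases rather than guessing: `data` must be resolved per detector (enrichment versus third-party payload), and `labels_data` now spans two fields, so those queries need a human to decide what they meant. Run the script to see each legacy name resolved against the sample detection and a legacy query rewritten with its quoted literal left intact.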

Export Detections🔗

You can export data from detections tables in XDR as a CSV file.

Export Selected🔗

  1. Use the checkboxes to select the detections you wish to download.
  2. From the Actions menu at the upper right of the results table, select Export Selected as CSV. The download request is submitted and processed in the background.
  3. Navigate to Data Exports to check the status of the request and download any available files.

Export All🔗

  1. From the Actions menu at the upper right of the results table, select Export All as CSV. The download request is submitted and processed in the background.
  2. Navigate to Data Exports to check the status of the request and download any available files.

Note

Downloadable files have an expiration date, which is listed in the Downloads table File Expiration column.

Tip

Files available for download are limited to 100,000 rows. If you need a data set larger than 100,000 rows, narrow the table using the date picker or search parameters and/or submit multiple requests that together span the full desired dataset.