
Advanced Detectors

Secureworks® Taegis™ XDR advanced detectors are purpose-built detectors that identify sophisticated threats and high-risk exposures across your environment. Unlike rule-based detectors that match known signatures, advanced detectors use behavioral analysis, statistical modeling, and evidence correlation to detect malicious activity, even when adversaries modify their tactics.

Advanced detectors process telemetry from endpoints, cloud environments, identity providers, and network sources to create high-fidelity, actionable detections in your XDR tenant.

How Advanced Detectors Work

Most advanced detectors go beyond single-event matching. Instead, they analyze patterns across multiple data points and time windows to build a picture of what is happening in your environment. Advanced detectors use the following:

  • Behavioral correlation: Combine signals from different data sources—such as process execution, network connections, and authentication events—to identify suspicious chains of activity.
  • Statistical anomaly detection: Establish baselines of normal behavior and flag deviations, such as a user logging in from an unseen location or a program communicating with a rare external IP.
  • Evidence accumulation: Gather multiple pieces of evidence before generating a detection, reducing false positives and providing richer context for investigation.
  • Severity adjustment: Dynamically adjust detection severity as new evidence is discovered, so the most critical threats are prioritized appropriately.

When advanced detectors are triggered in your environment, XDR generates detections that are shown on your Detection Triage Dashboard. Each detection includes the underlying evidence, severity assessment, and relevant context to support investigation and response.

Detection Processing

Advanced detectors process telemetry using two methods:

| Processing type | Behavior | Detectors |
| --- | --- | --- |
| Streaming | Events are analyzed in near real-time as they are ingested. | Account Compromise, Brute Force, Cloud Recon to Change, DGA, Hands-on-Keyboard, Impossible Travel, Kerberoasting, Password Spray, Punycode, Snapshot Exfiltration, Stolen User Credentials |
| Batch | Events are analyzed periodically at scheduled intervals. | Rare Program to Rare IP |

Streaming detectors typically generate detections within minutes of the triggering events. Some streaming detectors, such as Kerberoasting and Password Spray, wait until the activity window closes before alerting, which may introduce additional delay.
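To make the evidence-accumulation, severity-adjustment and activity-window behaviour described above concrete, here is an added toy detector. It is an illustration written for this page, not Secureworks' implementation: the window length, the distinct-account threshold, the field names and the sample authentication events are all constructed assumptions (the real thresholds are not disclosed). The detector gathers evidence per source IP, recomputes severity as evidence arrives, and only emits a detection once the window has closed, which is why the alert lags the first triggering events.

```python
from dataclasses import dataclass, field

# Assumed tuning values for this illustration; the real thresholds are not disclosed.
WINDOW_SECONDS = 300        # activity window after which accumulated evidence is evaluated
MIN_DISTINCT_USERS = 5      # distinct failed accounts from one source needed for a detection

# Constructed sample authentication events, in ingestion order:
# (timestamp_seconds, source_ip, user_name, outcome)
SAMPLE_EVENTS = [
    (0,   "203.0.113.5",  "alice", "failure"),
    (15,  "203.0.113.5",  "bob",   "failure"),
    (20,  "198.51.100.9", "alice", "failure"),   # lone failure: never reaches the threshold
    (30,  "203.0.113.5",  "carol", "failure"),
    (45,  "203.0.113.5",  "dave",  "failure"),
    (60,  "203.0.113.5",  "erin",  "failure"),
    (75,  "203.0.113.5",  "frank", "failure"),
    (90,  "203.0.113.5",  "frank", "success"),   # success after failures escalates severity
    (700, "203.0.113.5",  "grace", "failure"),   # arrives after the first window has closed
]


@dataclass
class Evidence:
    """Evidence accumulated for one source IP inside one activity window."""
    source_ip: str
    window_start: int
    failed_users: set = field(default_factory=set)
    failure_count: int = 0
    compromised_users: set = field(default_factory=set)

    def severity(self):
        """Recomputed whenever evidence changes; None means not enough to detect."""
        if self.compromised_users:
            return "high"      # failures followed by a success on the same account
        if len(self.failed_users) >= 2 * MIN_DISTINCT_USERS:
            return "medium"
        if len(self.failed_users) >= MIN_DISTINCT_USERS:
            return "low"
        return None


class WindowedAuthDetector:
    """Streaming detector that alerts only once a source's activity window has closed."""

    def __init__(self):
        self.open_windows = {}   # source_ip -> Evidence
        self.detections = []

    def _close(self, ev):
        sev = ev.severity()
        if sev is not None:
            self.detections.append({
                "source_ip": ev.source_ip,
                "severity": sev,
                "distinct_users": len(ev.failed_users),
                "failures": ev.failure_count,
                "evidence_users": sorted(ev.failed_users),
                "compromised": sorted(ev.compromised_users),
            })

    def ingest(self, ts, source_ip, user, outcome):
        ev = self.open_windows.get(source_ip)
        if ev is not None and ts - ev.window_start >= WINDOW_SECONDS:
            self._close(ev)                       # window expired: evaluate what was gathered
            ev = None
        if ev is None:
            ev = self.open_windows[source_ip] = Evidence(source_ip, ts)
        if outcome == "failure":
            ev.failed_users.add(user)
            ev.failure_count += 1
        elif outcome == "success" and user in ev.failed_users:
            ev.compromised_users.add(user)

    def flush(self):
        """Close every still-open window (end of stream) and return all detections."""
        for ev in self.open_windows.values():
            self._close(ev)
        self.open_windows.clear()
        return self.detections


def run_detector(events):
    detector = WindowedAuthDetector()
    for event in events:
        detector.ingest(*event)
    return detector.flush()


if __name__ == "__main__":
    for detection in run_detector(SAMPLE_EVENTS):
        print(detection)
```

Running it on the sample stream yields a single high-severity detection for 203.0.113.5 carrying six distinct failed accounts and the account whose later success raised the severity; the lone failure from 198.51.100.9 never reaches the threshold and produces nothing. Removing the success event from the stream drops the same detection to low severity, which is the severity-adjustment behaviour in miniature.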

Research Detections

Detections prefixed with RESEARCH in the title are in an evaluation phase. During this phase, the detection is deployed to gather feedback and monitor performance before it is made generally available. Research detections are not expected to be triaged by analysts. Documentation is published when the detection reaches general availability.

Requirements

Advanced detectors require the following data sources, integrations, or schemas:

The specific data sources required depend on which detectors are relevant to your environment. Detectors are enabled automatically when the required data sources are available in your tenant.

Data Quality and Detection Coverage

The effectiveness of advanced detectors depends on the quality and completeness of normalized telemetry. Each schema defines fields as Required, Recommended, or Optional:

  • Required: Fields must be present for events to be processed.
  • Recommended: Fields significantly improve detection coverage. When recommended fields are populated, more detectors will evaluate the event and generate detections.
  • Optional: Fields add context to detections and improve the investigation experience.

Ensuring that your integrations populate as many relevant fields as possible enhances detection coverage and allows more advanced detectors to operate on your telemetry.
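The following added example shows what the Required / Recommended / Optional tiers mean in practice for coverage. It is written for this page and is not the Taegis XDR schema code: the field names, the three hypothetical detectors and their field needs, and the sample events are all assumptions. An event missing a required field is dropped before any detector sees it; an event with only required fields is processed but evaluated by fewer detectors; optional fields only add investigation context.

```python
# Assumed field tiers for a hypothetical normalized authentication schema.
# These names are illustrative assumptions, not the Taegis XDR schema definitions.
REQUIRED = {"timestamp", "user_name", "outcome"}
RECOMMENDED = {"source_address", "source_geo_country", "auth_type"}
OPTIONAL = {"user_agent", "device_name"}

# Hypothetical detectors and the fields each needs on top of the required set.
DETECTOR_FIELD_NEEDS = {
    "brute-force": set(),
    "password-spray": {"source_address"},
    "impossible-travel": {"source_address", "source_geo_country"},
}

# Constructed sample events as an integration might emit them after normalization.
SAMPLE_EVENTS = [
    {   # fully populated: every detector can evaluate it
        "timestamp": 1700000000, "user_name": "alice", "outcome": "failure",
        "source_address": "203.0.113.5", "source_geo_country": "DE",
        "auth_type": "password", "user_agent": "curl/8.0",
    },
    {   # required fields only: processed, but coverage shrinks to one detector
        "timestamp": 1700000010, "user_name": "bob", "outcome": "failure",
    },
    {   # missing a required field: dropped before any detector sees it
        "timestamp": 1700000020, "outcome": "success", "source_address": "198.51.100.9",
    },
]


def populated_fields(event):
    """Fields that carry a value; None and empty strings count as absent."""
    return {k for k, v in event.items() if v not in (None, "")}


def assess_event(event):
    """Decide whether an event is processed and which detectors would evaluate it."""
    present = populated_fields(event)
    missing_required = sorted(REQUIRED - present)
    if missing_required:
        return {"processed": False, "missing_required": missing_required,
                "detectors": [], "missing_recommended": [], "context": []}
    detectors = sorted(name for name, needs in DETECTOR_FIELD_NEEDS.items()
                       if needs <= present)
    return {
        "processed": True,
        "missing_required": [],
        "detectors": detectors,
        "missing_recommended": sorted(RECOMMENDED - present),
        "context": sorted(OPTIONAL & present),
    }


def coverage_report(events):
    """Count, per detector, how many events it could evaluate, plus dropped events."""
    report = {name: 0 for name in DETECTOR_FIELD_NEEDS}
    dropped = 0
    for event in events:
        result = assess_event(event)
        if not result["processed"]:
            dropped += 1
            continue
        for name in result["detectors"]:
            report[name] += 1
    report["dropped_events"] = dropped
    return report


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(assess_event(event))
    print(coverage_report(SAMPLE_EVENTS))
```

A report like this, run over a sample of your own normalized events, is a quick way to see which detectors your integrations actually feed and which recommended fields are worth adding.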

Outputs

Detections from advanced detectors are pushed to the XDR Detection Database and Detection Triage Dashboard.

Configuration Options

Advanced detectors are enabled by default when the required data sources or integrations are available in your tenant. No additional configuration is required.

MITRE ATT&CK Coverage

Advanced detectors map to multiple MITRE ATT&CK tactics, techniques, and sub-techniques. All MITRE mappings for advanced detectors are available in the Detector Explorer, where you can filter by MITRE ATT&CK to see the full coverage matrix. The specific mapping is also shown on each individual detection when it is generated in your tenant.

Detector Testing

Use the following examples to search for detections.

Example

To query for detections generated by advanced detectors:

FROM detection WHERE metadata.creator.detector.detector_id MATCHES 'app:detect:*'

Example

To query for detections generated by a specific detector, replace the detector name in the ID with the name listed in the Available Detectors table:

FROM detection WHERE metadata.creator.detector.detector_id='app:detect:stolen-user-credentials'

FAQs

Why do RESEARCH-prefixed detections have no documentation?

Research detections are in an evaluation phase and are not yet generally available. Documentation is published when the detector is promoted to general availability. Research detections are not expected to be triaged.

What are the detection thresholds for a specific detector?

Detection thresholds are not disclosed. Many thresholds are configurable and subject to change as detectors are tuned. Sharing threshold values could allow adversaries to evade detection.

References