Cloud Watchlist🔗
The Cloud Watchlist detector converts events sourced from security providers monitoring public cloud assets into Secureworks® Taegis™ XDR detections. The converted detections are assigned a severity and confidence based on the activity observed and XDR detection severity and confidence specifications. The original provider severity and confidence can also be referenced in the original event data as needed.
Requirements🔗
This detector requires the following data sources, integrations, or schemas:
- Microsoft Graph Security
Examples of security threats that can be sourced from third party providers include:
- Atypical Travel
- Compromised Accounts
- Ransomware Activity
- Custom Detections
- Malware Detections
Input(s)🔗
Detections are from the following normalized sources:
- Auth
Input Field(s)🔗
| Field |
|---|
provider |
sensor_type |
status |
title |
vendor_severity |
Outputs🔗
Detections from this detector are pushed to the XDR Detection Database and Detection Triage Dashboard.
Configuration Options🔗
This detector is enabled by default when the required data sources or integrations are available in the tenant.
MITRE ATT&CK Category🔗
This detector has no MITRE Mapping.
Detector Testing🔗
This detector does not have a supported testing method, though an Advanced Search will verify if detections originated with this detector.
Note
If no supported testing method is available, an Advanced Search will show you if any detections came from this detector if a qualifying event was observed. A search with no results does not indicate the detector is not working. A lack of search results for the detector may only indicate that the specific attack has not been observed in the tenant. However, it could indicate the underlying data is not available. Ensure the required schemas are provided in Data Sources along with the supported device type(s) for that schema.
References🔗
- Schemas