Detectors Overview
Secureworks® Taegis™ XDR includes detectors that continuously monitor your environment data for malicious activity. The table below lists the available detectors. Use the links in the table or the navigation to view specific pages to learn more about each detector.
Tip
Use the XDR Creator column to find the detector name that can be used in an Advanced Search to identify alerts created by the specified detector. For example, FROM alert WHERE metadata.creator.detector.detector_id='creator-name'
Note
Some detectors currently include only event_ID references and do not provide ContributingEvents. Because the alert service cannot store the event data for those alerts, XDR is unable to search against these detectors using the underlying event data. Such detectors are marked in the 'Can be searched using underlying events' column.
Available Detectors
Detector Type | Description | XDR Creator | Can be searched using underlying events |
---|---|---|---|
Account Compromise | Detector that combines multiple entities related to user login and post-login behavior to identify an account that exhibits signs of being taken over by a threat actor | app:detect:account-compromise-aggregator | No |
Bring Your Own Threat Intel | Detector that enables you to integrate Threat Intel indicator lists and generate alerts when those indicators are found in normalized telemetry | app:detect:byoti | No |
Brute Force | Detector that looks for repeated password attempts | app:detect:brute-force-detector | No |
Business Email Compromise | Detector that looks for specific techniques that threat actors use against O365 email accounts | app:event-filter:bec | Yes |
Cloud Recon to Change | Detector that identifies unusual exfiltration of AWS RDS data by a user | app:detect:cloud-unusual-recon-user | Yes |
Cloud Watchlist | Detector that converts events sourced from security providers monitoring public cloud assets into XDR alerts | app:event-filter:cloudwatchlist | Yes |
Domain Generation Algorithms | Detector that alerts on suspicious domains within network connection data | app:detect:dga | Yes |
Domain Watchlist | Detector that looks for malicious domains using Threat Indicator feeds from CTU and third parties | app:detect:domain_blacklist | Yes |
Email Watchlist | Detector that converts 3rd party email security events into alerts and assigns a severity and confidence based on the activity observed | app:event-filter:email | Yes |
Endpoint Watchlists | Detectors that consolidate alerts pulled from endpoint integrations into XDR and apply CTU-curated watchlists to normalized endpoint telemetry | app:event-filter | Yes |
File Analysis | Detector that identifies malicious files on endpoints with Taegis Endpoint Agent | app:file-analysis and app:detect:file_appearances | No |
Hands-On-Keyboard | Detector that scores process events for a set timeframe using machine learning models and then uses these scores to identify potential Hands-On-Keyboard activity | app:detect:hands-on-keyboard | No |
Impossible Travel | Detector that consumes authentication-focused logon events looking for unusual pairings that indicate an impossible amount of travel has occurred in the time between logon events for a single user | app:detect:impossible-travel | Yes |
IP Watchlist | Detector that identifies netflow events that contain a known bad IP address | app:threat-intel-enrichment-netflow:v0.3.0 | Yes |
Kerberoasting | Detector that identifies a possible Kerberos Ticket Granting Service (TGS) Service Ticket (ST) attack where a threat actor gathers, extracts, and cracks account password hashes offline in order to recover plaintext passwords | app:detect:kerberoasting-detector | No |
Network IDS | Detector that converts Network IDS events into alerts | app:event-filter:nids | Yes |
Password Spray | Detector that identifies an attempt to steal account credentials by attempting logins using common account names and frequently used passwords | app:detect:password-spray-detector | Yes |
Penetration Test | Detector that identifies when a potential penetration test is ongoing | app:detect:tactic-detector | No |
Portscanning and Broadscanning | Detectors that identify attempts by a threat actor to search assets in your environment for open ports that might present attack opportunities | app:detect:portscanning and app:detect:broadscanning | Yes |
Punycode | Detector that looks for phishing domains that use punycode to disguise URLs as legitimate ones | app:detect:punycode | Yes |
Quick Mail Consent (MS O365) | Detector that looks for granted Mail.Read or Mail.ReadWrite permissions and related consented application permission sets in MS O365 | app:detect:o365-quick-mail-consent | Yes |
Rare Program to Rare IP | Detector that looks at anomalous connections between programs and IP addresses | app:detect:rare-process-to-rare-ip | No |
SharpHound | Detector that identifies instances where the SharpHound data collector has been run on your network using the default collection method | app:detect:sharphound | No |
Snapshot Exfiltration | Detector that looks for malicious AWS EC2 snapshot exports | app:detect:snapshot-exfiltration | No |
Stolen User Credentials | Detector that combines signals from multiple sources to identify suspected stolen user credentials for a single user | app:detect:stolen-user-credentials | Yes |
Suspicious DNS Activity | Detector that looks for DNS queries that might have been performed by malware | app:detect:suspicious-dns | Yes |
Tactic Graph | Detector that models adversarial behavior to detect threats | app:detect:tactic-detector | No |
Taegis™ NDR | Detector that prevents network-based threats in real-time using Secureworks proprietary signatures | app:event-filter:nids | Yes |
Taegis Watchlist | Detector that applies a Secureworks CTU curated ruleset to normalized telemetry sourced from any ingested data source to detect threats | app:event-filter | Yes |