Alerts and Escalations

What are Security Detections?

Security Detections are alerts identified as potential risks, cybersecurity threats, or events that may result in negative business impacts. Detections might include alerts from our SecOps platform, produced based on defined use cases, as well as detections generated from your integrated log sources.

What are Escalations?

When our SOC team identifies an event that requires your attention or non-immediate action, an Escalation is created and sent to your team, and progress is tracked. If a response is not received, our team will follow up until the notification is resolved.

What are Incidents?

Incidents are high-severity security events declared by our SOC team that might require an immediate response. We follow the defined escalation path (e.g. calling your team members) to ensure that incidents are resolved as quickly as possible.

I am using your SOC service (TD Complete). What are the minimum efforts I must invest?

Responding to Notifications is the minimum effort we expect. As a SOC subscriber, our team will monitor and triage your security detections. Recommended involvement (shown below as security operations awareness maturity levels) includes:

  • L1: Respond to our escalations; this is the minimum required from you.
  • L2: To achieve greater operations awareness, review the security detections dashboard daily, or review the email alerts generated from security detections.
  • L3: Conduct a one-hour monthly threat hunt covering the critical areas of the business: O365 access, network traffic flows, emerging threat activity, endpoint connections, CIS benchmarking, and verification of privileged user access, among others.

Who manages and keeps the alert definitions up to date?

Our SecOps team is responsible for the creation and maintenance of all use cases and correlations.

Can I create my own custom alerts specific to my environment?

Yes, a custom alerting GUI is available to partners who meet certain commitments. Additionally, you can request the addition of new alerts by contacting us at support@threatdefence.com.

How many alerts should I expect per month?

For an organization with 500 users, you can expect approximately 30-50 alerts per month, assuming more than 15 data sources are onboarded (including email, endpoints, servers, dark web, vulnerability scans, and other apps and services). These alerts may result in 2-3 Notifications created by our SOC team, which might require action from your IT team.

How can we create our playbooks?

Creating playbooks is an option for MSSPs with a dedicated team of detection engineers. This process requires the involvement of several SOC experts to ensure quality. Please contact your platform account manager; our team can review your requirements and advise on the best options available.