# Alerts and Escalations

***

## What are Security Detections?

**Security Detections** are alerts raised when potential risks, cyber threats, or suspicious events are identified.\
They include detections generated by the ThreatDefence SecOps platform (based on predefined use cases) as well as alerts ingested from your integrated log sources.

***

## What are Escalations?

An **Escalation** is created when our SOC team identifies an event that requires your attention or non-immediate action.\
Escalations are tracked until resolved, and if no response is received, our team will follow up with your designated contacts.

***

## What are Incidents?

**Incidents** are high-severity security events declared by the SOC team that typically require an immediate response.\
For incidents, the SOC follows the agreed escalation path (for example, direct phone calls to your team) to ensure rapid containment and resolution.

***

## Minimum Customer Effort (SOC Service – TD Complete)

For SOC subscribers, our team continuously monitors and triages your detections.\
The **minimum effort expected from you is to respond to Notifications**.

Recommended involvement can be aligned to the following **operations awareness maturity levels**:

* **L1 (Minimum):** Respond to escalations raised by the SOC team.
* **L2 (Intermediate):** Review the Security Detections dashboard daily or monitor email alerts generated from detections.
* **L3 (Advanced):** Conduct a one-hour monthly threat hunt across critical areas such as O365 access, network flows, endpoint activity, CIS benchmarking, privileged user access, and emerging threats.

***

## Who Manages Alert Definitions?

All use cases and detection correlations are created, managed, and continuously updated by the ThreatDefence SecOps team.

***

## Can I Create Custom Alerts?

Yes.

* A **custom alerting GUI** is available for partners who meet specific commitments.
* Alternatively, you can request new alerts by contacting [**support@threatdefence.com**](mailto:support@threatdefence.com).

***

## How Many Alerts Should I Expect?

As a guideline:

* An organization with **\~500 users** and **15+ onboarded data sources** (e.g., email, endpoints, servers, dark web, vulnerability scans) can expect **30–50 alerts per month**.
* These will typically result in **2–3 Escalations** requiring IT team action.

***

## Can We Create Playbooks?

Yes, but this is best suited for **MSSPs with a dedicated detection engineering team**.\
Playbook creation requires input from SOC experts to ensure quality.

➡️ Contact your platform account manager for a review of your requirements and advice on available options.

