Investigate Security Signals



A Cloud SIEM security signal is created when Datadog detects a threat while analyzing logs against detection rules. View, search, filter, and correlate security signals in the Signal Explorer without needing to learn a dedicated query language. You can also assign security signals to yourself or another user in the Datadog platform. In addition to the Signal Explorer, you can configure Notification Rules to send signals to specific individuals or teams to keep them informed of issues.

You must have the Security Signals Write permission to modify a security signal, such as change the state and view signal action history in Audit Trail. See Role Based Access Control for more information about Datadog’s default roles and granular role-based access control permissions available for Datadog Security in the Cloud Security.

View signals by status in the Signal Explorer

In the Signals Explorer, use the facet panel or search bar to group and filter your signals. For example, to view all signals with a HIGH or CRITICAL severity that are in the open or under review triage state, do one of the following:

  • In the facet panel’s Severity section, select Critical, High, and Medium. In the Signal State section, make sure only open and under_reviewed are selected.
  • In the search bar, enter status:(high OR critical OR medium) @workflow.triage.state:(open OR under_review).

To add the column Signal State, select the Options button in the top right corner above the table and add the facet: @workflow.triage.state. This displays the signal status and allows you to sort by status through the header.

Use different visualizations to investigate the threat activity in your environment. For example, in the Visualize by field, you can group signals by:

  • Rules List to see the volume and alerting trends across the different detection rules.
  • Timeseries to view signal trends over time.
  • Pie chart to see the relative volume of each of the detection rules.
The Signal Explorer showing signals categoraized by detection rules

After you have filtered your signals to your use case, create a saved view so that you can reload your query later.

Triage a signal or multiple signals

  1. Navigate to Cloud SIEM.
  2. Click Signals.
  3. Click on a security signal from the table.
  4. To assign a signal to yourself or another Datadog user, click the user profile icon with the plus sign in the top left corner of the signal side panel.
    The profile icon next to the triage status
  5. To update the triage status of the security signal, navigate to the top left corner of the signal side panel and select the status you want from the dropdown menu. The default status is OPEN.
    The profile icon next to the triage status
    • Open: Datadog Security triggered a detection based on a rule, and the resulting signal is not yet resolved.
    • Under Review: During an active investigation, you can switch the signal state to Under Review. From the Under Review state, you can move the signal state to Archived or Open as needed.
    • Archived: When the detection that caused the signal has been resolved, you can transition it to the Archived state. If an archived issue resurfaces, or if further investigation is necessary, a signal can be changed back to an Open state within 30 days of being created.

Use bulk actions to triage multiple signals. To use bulk actions, first search and filter your signals in the Signal Explorer, then:

  1. Click on the checkbox to the left of the signals that you want to take a bulk action on. To select all signals in the Signal Explorer list, select the checkbox next to the Status column header.
  2. Click on the Bulk Actions dropdown menu above the signals table and select the action you want to take.

Note: The Signals Explorer stops dynamically updating when performing a bulk action.

The Signal Explorer showing the bulk action option

Case Management

Sometimes you need more information than what is available in a single signal to investigate the signal. Use Case Management to collect multiple signals, create timelines, discuss with colleagues, and keep a notebook of the analysis and findings.

To create a case from a security signal:

  1. Click the Escalate Investigation dropdown menu.
  2. Select Create a case to start a security investigation.

Note: If a case is determined to be critical after further investigation, click Declare Incident in the case to escalate it to an incident.

Declare an incident

Whether it is based on a single signal or after an investigation of a case, certain malicious activity demands a response. You can declare incidents in Datadog to bring together developers, operations, and security teams to address a critical security event. Incident Management provides a framework and workflow to help teams effectively identify and mitigate incidents.

To declare an incident in the signal panel:

  1. Click the Escalate Investigation dropdown menu.
  2. Select Declare incident.
  3. Fill out the incident template.

Workflow automation

You can trigger a Workflow automatically for any Security Signal. You can also manually trigger a Workflow from a Cloud SIEM Security Signal. See Trigger a Workflow from a Security Signal and Automate Security Workflows with Workflow Automation for more information.

Threat intelligence

Datadog Cloud SIEM offers integrated threat intelligence provided by our threat intelligence partners. These feeds are constantly updated to include data about known suspicious activity (for example, IP addresses known to be used by malicious actors), so that you can quickly identify which potential threats to address.

Datadog automatically enriches all ingested logs for indicators of compromise (IOCs) from our threat intelligence feeds. If a log contains a match to a known IOC, a threat_intel attribute is appendeded to the log event to provide additional insights based on available intelligence.

The query to see all threat intelligence matches in the Security Signals Explorer is @threat_intel.indicators_matched:*. The following are additional attributes to query for threat intelligence:

  • For @threat_intel.results.category: attack, corp_vpn, cryptomining, malware, residential_proxy, tor, scanner
  • For @threat_intel.results.intention: malicious, suspicious, benign, unknown
The Signal Explorer showing a bar graph of signals broken down by the threat intel categories of residential proxy, corp_vpn, cryptomining, and malware

See the Threat Intelligence documentation for more information on threat intelligence feeds.

Search by network IP attributes

When a suspicious activity is detected from your logs, determine whether the suspicious actor has interacted with your systems by searching for its network IP. Use the following query to search by IP attributes in the Log Explorer: @network.ip.list:<IP address>. The query searches IPs anywhere within the logs, including the tags, attributes, error, and message fields.

You can also launch this query directly from the signal panel:

  1. Click on the IP address in the Context section.
  2. Select View Logs with @network.client.ip:<ip_address>.
The signal panel showing the threat options for the selected IP address

Further reading