From the Security Signals Explorer, correlate and triage security signals.
In this view, you can:
The Security Signals search results are displayed in the Security Signals Table.
Filter the contents of the table with the list of available facets. Configure the content of your Security Signals Table according to your needs and preferences with the Options button in the upper right.
Click on any Security Signal to open the Security Signal Panel and see more details about it.
The details you need first when triaging an issue are in the top portion of the Security Signal Panel. From here, you can determine the severity of the signal, see when it was generated, access the rule settings, and quickly share the signal with a teammate.
The first seen and last seen dates are updated if new data is made available from the past or if the attack continues. In addition, any group bys configured on the rule are displayed in this section. This example rule is configured with a group by of usr.name. Finally, any tags set on the rule are displayed below the group bys.
Below the overview of the signal is the detailed information related to the signal. First displayed is the text configured in the rule to help the person reviewing the signal understand the purpose of the signal and how to respond. The last section is a list of log samples to provide context on why the signal triggered. Click on any of the samples to see the full log.
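As an added illustration of the panel semantics described above (example code, not Datadog's own), the constructed Python snippet below groups events by usr.name into signals and shows how a backfilled event with an earlier timestamp moves first seen earlier, while a continuing attack moves last seen later; the event format, field names and sample cap are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample events (not real logs). The late "09:58" event for alice
# arrives after later ones, modelling backfilled data from the past.
EVENTS = [
    {"timestamp": "2024-03-01T10:05:00Z", "usr.name": "alice", "message": "failed login from 198.51.100.7"},
    {"timestamp": "2024-03-01T10:06:00Z", "usr.name": "alice", "message": "failed login from 198.51.100.7"},
    {"timestamp": "2024-03-01T10:07:00Z", "usr.name": "bob",   "message": "failed login from 203.0.113.9"},
    {"timestamp": "2024-03-01T09:58:00Z", "usr.name": "alice", "message": "failed login from 198.51.100.7"},
    {"timestamp": "2024-03-01T10:30:00Z", "usr.name": "alice", "message": "failed login from 198.51.100.7"},
]


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


@dataclass
class Signal:
    group_key: str            # e.g. "usr.name:alice"
    first_seen: datetime      # earliest event timestamp seen so far
    last_seen: datetime       # latest event timestamp seen so far
    samples: list = field(default_factory=list)  # log samples kept for context


def build_signals(events, group_by="usr.name", max_samples=3):
    """Aggregate events into one signal per group-by value (assumed model)."""
    signals = {}
    for event in events:
        key = f"{group_by}:{event[group_by]}"
        ts = parse_ts(event["timestamp"])
        sig = signals.get(key)
        if sig is None:
            signals[key] = Signal(key, ts, ts, [event["message"]])
            continue
        # Backfilled data can move first seen earlier; a continuing attack
        # moves last seen later. Both only ever widen the window.
        sig.first_seen = min(sig.first_seen, ts)
        sig.last_seen = max(sig.last_seen, ts)
        if len(sig.samples) < max_samples:
            sig.samples.append(event["message"])
    return signals


if __name__ == "__main__":
    for sig in build_signals(EVENTS).values():
        print(sig.group_key, sig.first_seen.isoformat(), sig.last_seen.isoformat(), len(sig.samples))
```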
Switch between the Security Signals Table and the Security Signals Analytics modes by clicking on the Signal Mode button in the upper left corner of the page:
After Security Signals are generated by the Security Rules Engine, you can graph Security Signal queries and see maximums, minimums, percentiles, unique counts, and more.
Follow the log graphing guide to learn more about all the graphing options.