---
title: Investigate Security Signals
description: View, filter, triage, and remediate App and API Protection security signals in the Datadog Signals Explorer.
breadcrumbs: >-
  Docs > Datadog Security > App and API Protection > Investigate Security
  Signals
---

# Investigate Security Signals

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md).
{% /alert %}

{% /callout %}

## Overview{% #overview %}

App and API Protection (AAP) security signals are created when Datadog detects a threat that matches a detection rule. View, search, filter, and investigate security signals in the [Signals Explorer](https://app.datadoghq.com/security/appsec/signals?query=%40workflow.rule.type%3A%22Application%20Security%22&column=time&order=desc&viz=stream&start=1694726477747&end=1695331277747&paused=false), or configure [Notification Rules](https://docs.datadoghq.com/security/notifications/rules.md) to send signals to third-party tools.

## Signals Explorer columns{% #signals-explorer-columns %}

The Signals Explorer displays the following columns.

{% dl %}

{% dt %}
Severity
{% /dt %}

{% dd %}
There are five severity states: **Info**, **Low**, **Medium**, **High**, and **Critical**. **High** and **Critical** indicate a major impact to service availability or active compromise.
{% /dd %}

{% dt %}
Title
{% /dt %}

{% dd %}
The name of the signal. Titles might update when new data is correlated, altering the assessed impact of the attack.
{% /dd %}

{% dt %}
Service/Env
{% /dt %}

{% dd %}
The service and environment targeted by the attack. Hover over the service name to link to the service page and code repository, and to see who is on call for the service.
{% /dd %}

{% dt %}
Entities
{% /dt %}

{% dd %}
The attackers and the victims of an attack. Attackers are identified by IP addresses. Victims are identified as authenticated users. Hover over the IP list and then click an IP to see details such as **Threat Intelligence** and **Security Activity**.
{% /dd %}

{% dt %}
Triage State
{% /dt %}

{% dd %}
You can assign a responder and set a triage state for the signal. Available states are **Open**, **Under Review**, and **Archived**.
{% /dd %}

{% dt %}
Creation Date
{% /dt %}

{% dd %}
The date when the signal was first created. By default, signals are sorted by creation date, newest first.
{% /dd %}

{% /dl %}

## Filter security signals{% #filter-security-signals %}

To filter the security signals in the [Signals Explorer](https://app.datadoghq.com/security/appsec/signals?query=%40workflow.rule.type%3A%22Application%20Security%22&column=time&order=desc&viz=stream&start=1694726477747&end=1695331277747&paused=false), use the search query `@workflow.triage.state:<status>`, where `<status>` is the state you want to filter on (`open`, `under_review`, or `archived`). You can also use the **Signal State** facet on the facet panel.

## Triage a signal{% #triage-a-signal %}

You can triage a signal by assigning it to a user for further investigation. The assigned user can then track their review by updating the signal's status.

1. On the [Signals Explorer](https://app.datadoghq.com/security/appsec/signals?query=%40workflow.rule.type%3A%22Application%20Security%22&column=time&order=desc&viz=stream&start=1694726477747&end=1695331277747&paused=false) page, click the user profile icon in the **Triage State** column.
1. Select a user to assign the signal.
1. To update the status of the security signal, click the triage status dropdown menu and select a status. The default status is **Open**.
   - **Open**: The signal has not yet been resolved.
   - **Under Review**: The signal is actively being investigated. From the **Under Review** state, you can move the signal to **Archived** or **Open** as needed.
   - **Archived**: The detection that caused the signal has been resolved. From the **Archived** state, you can move the signal back to **Open** if it's within 30 days of when the signal was originally detected.

**Note**: To modify security signals, you must have the `security_monitoring_signals_write` permission. See [Role Based Access Control](https://docs.datadoghq.com/account_management/rbac/permissions.md#cloud-security-platform) for more information about Datadog's default roles and granular role-based access control permissions available for App and API Protection.
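
The filter query above and the triage workflow can also be driven outside the UI. The following Python module is an added example for this page, not Datadog's own code: it builds the same `@workflow.triage.state` query the Signals Explorer uses (the base `@workflow.rule.type:"Application Security"` term is taken from the explorer link on this page), describes the requests for the Datadog API v2 Security Monitoring Signals search and state endpoints as I know them, and enforces the one rule this section states that the API will not enforce for you: an archived signal can be reopened only within 30 days of detection. The endpoint paths, the `archive_reason` values, the `DD-API-KEY`/`DD-APPLICATION-KEY` headers and the response shape are assumptions to verify against the API reference; the sample signal id and timestamps are constructed. Only `send()` touches the network, and it requires an application key whose owner has `security_monitoring_signals_write`.

```python
"""Filter and triage AAP security signals outside the UI (added example)."""
import json
import os
import urllib.request
from datetime import datetime, timedelta, timezone
from typing import Optional

# Base query taken from the Signals Explorer link on this page.
BASE_QUERY = '@workflow.rule.type:"Application Security"'
# Assumed Datadog API v2 routes (Security Monitoring Signals).
SEARCH_PATH = "/api/v2/security_monitoring/signals/search"
STATE_PATH = "/api/v2/security_monitoring/signals/{signal_id}/state"
TRIAGE_STATES = ("open", "under_review", "archived")
# Assumed archive reasons accepted by the state endpoint.
ARCHIVE_REASONS = ("none", "false_positive", "testing_or_maintenance",
                   "investigated_case_opened", "true_positive_benign",
                   "true_positive_malicious", "other")
REOPEN_WINDOW = timedelta(days=30)  # archived -> open only within 30 days of detection


def signal_query(state: str, extra: str = "") -> str:
    """Explorer/API query for one triage state, optionally narrowed further
    (for example extra='service:checkout env:prod')."""
    if state not in TRIAGE_STATES:
        raise ValueError(f"unknown triage state {state!r}; expected one of {TRIAGE_STATES}")
    return f"{BASE_QUERY} @workflow.triage.state:{state} {extra}".strip()


def search_request(state: str, start: str, end: str, limit: int = 50, extra: str = "") -> dict:
    """Describe the POST that lists signals in an ISO-8601 time window."""
    return {
        "method": "POST",
        "path": SEARCH_PATH,
        "body": {
            "filter": {"query": signal_query(state, extra), "from": start, "to": end},
            "page": {"limit": limit},
            "sort": "-timestamp",  # newest first, matching the explorer's default order
        },
    }


def can_reopen(detected_at: str, now: str) -> bool:
    """An archived signal may return to Open only within 30 days of original detection."""
    return datetime.fromisoformat(now) - datetime.fromisoformat(detected_at) <= REOPEN_WINDOW


def state_request(signal_id: str, current_state: str, new_state: str, detected_at: str,
                  now: str, archive_reason: Optional[str] = None, comment: str = "") -> dict:
    """Describe the PATCH that moves a signal between triage states, refusing the
    one transition this page forbids (reopening more than 30 days after detection)."""
    for s in (current_state, new_state):
        if s not in TRIAGE_STATES:
            raise ValueError(f"unknown triage state {s!r}")
    if current_state == "archived" and new_state == "open" and not can_reopen(detected_at, now):
        raise ValueError(f"{signal_id}: archived signals can only be reopened within 30 days of detection")
    attrs = {"state": new_state}
    if new_state == "archived":
        reason = archive_reason or "none"
        if reason not in ARCHIVE_REASONS:
            raise ValueError(f"unknown archive reason {reason!r}")
        attrs["archive_reason"] = reason
        if comment:
            attrs["archive_comment"] = comment
    return {"method": "PATCH", "path": STATE_PATH.format(signal_id=signal_id),
            "body": {"data": {"attributes": attrs}}}


def send(request: dict, site: str = "datadoghq.com") -> dict:
    """Perform a described request. Needs DD_API_KEY and DD_APP_KEY in the
    environment; pick the site matching your Datadog account."""
    req = urllib.request.Request(
        f"https://api.{site}{request['path']}",
        data=json.dumps(request["body"]).encode(),
        method=request["method"],
        headers={"Content-Type": "application/json",
                 "DD-API-KEY": os.environ["DD_API_KEY"],
                 "DD-APPLICATION-KEY": os.environ["DD_APP_KEY"]},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed sample: list open signals from the last day, then archive one
    # (constructed id) as a benign true positive with an audit comment.
    now = datetime.now(timezone.utc)
    listing = search_request("open", (now - timedelta(days=1)).isoformat(), now.isoformat(), limit=20)
    change = state_request("sig-constructed-0001", "open", "archived",
                           detected_at=(now - timedelta(hours=2)).isoformat(), now=now.isoformat(),
                           archive_reason="true_positive_benign",
                           comment="Scanner traffic from our own scheduled DAST run")
    print(json.dumps(listing, indent=2))
    print(json.dumps(change, indent=2))
    if os.environ.get("DD_API_KEY") and os.environ.get("DD_APP_KEY"):
        for hit in send(listing).get("data", []):   # response shape assumed
            print(hit.get("id"))
        print(send(change))
```

Keeping request construction separate from `send()` means the 30-day check and the archive reason are validated before anything reaches the API, and the same request dictionaries can be logged or reviewed for an audit trail of who archived which signal and why.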

## Declare an incident{% #declare-an-incident %}

Use [Incident Management](https://docs.datadoghq.com/incident_response/incident_management.md) to create an incident for a security signal.

Declare an incident if:

- An issue is or might be impacting customers.
- You believe an issue (even if it's internal) needs to be addressed as an emergency.

If you don't know whether you should declare an incident, notify other users and increase severity appropriately.

1. On the [Signals Explorer](https://app.datadoghq.com/security/appsec/signals?query=%40workflow.rule.type%3A%22Application%20Security%22&column=time&order=desc&viz=stream&start=1694726477747&end=1695331277747&paused=false) page, select a security signal to open its details panel.
1. On the signal panel, click **Declare Incident** or select the dropdown arrow and select **Add to an existing incident**.
1. When you declare a new incident, in the **Declare Incident** settings, configure the incident by specifying details such as the severity level and incident commander.
   1. Estimate impact. Severity levels go from SEV-1 (critical) to SEV-5 (minor impact). When in doubt, always choose the higher severity.
1. Click **Declare Incident**.

## Run a workflow{% #run-a-workflow %}

Use [Workflow Automation](https://docs.datadoghq.com/service_management/workflows.md) to manually trigger a workflow for a security signal.

1. Make sure the workflow you want to run has a security trigger.
1. On the [Signals Explorer](https://app.datadoghq.com/security/appsec/signals?query=%40workflow.rule.type%3A%22Application%20Security%22&column=time&order=desc&viz=stream&start=1694726477747&end=1695331277747&paused=false) page, open a security signal.
1. In the **Respond** section, click **Run Workflow**.
1. In **Run a workflow**, select the workflow you want to run or click **New Workflow**.
   - Depending on the workflow you select, you might be required to enter additional input parameters.
   - If you selected **New Workflow**, Run a Security Workflow opens. To learn more about workflows, see [Workflow Automation](https://docs.datadoghq.com/service_management/workflows.md).
1. Click **Run**.

## Review and remediate{% #review-and-remediate %}

1. On the [Signals Explorer](https://app.datadoghq.com/security/appsec/signals?query=%40workflow.rule.type%3A%22Application%20Security%22&column=time&order=desc&viz=stream&start=1694726477747&end=1695331277747&paused=false) page, open a security signal.
1. In the signal details, view each of the sections, such as **What Happened**, **Activity Summary**, and **Detection Rule**.
1. Review the **Next Steps** and take action:
   - Click **Block all Attacking IPs** to block the attacker IPs for a specific duration or permanently.
   - Click **Automated Attacker Blocking** (based on [detection](https://docs.datadoghq.com/security/application_security/policies.md#respond-to-threats-in-real-time-by-automating-attacker-blocking) rules). This setting requires the App and API Protection **Protect Write** permission.
   - Click **[Block with Edge WAF](https://docs.datadoghq.com/security/application_security/policies.md#blocking-attack-attempts-with-in-app-waf)**.

## Bulk actions{% #bulk-actions %}

When you select one or more signals, you can use **Bulk Actions** to perform the following actions on all of them at once.

### Set state{% #set-state %}

Set the triage state to **Open**, **Under Review**, or **Archived**.

### Assign the signal to users{% #assign-the-signal-to-users %}

Select **Assign selection** and then select the user(s) to assign to the signal.

Select **Remove all assignments** to reset the signal assignment to none.

### Case management{% #case-management %}

Datadog [Case Management](https://docs.datadoghq.com/incident_response/case_management.md) offers a centralized place to triage, track, and remediate issues detected by Datadog and third-party integrations.

1. On the [Signals Explorer](https://app.datadoghq.com/security/appsec/signals?query=%40workflow.rule.type%3A%22Application%20Security%22&column=time&order=desc&viz=stream&start=1694726477747&end=1695331277747&paused=false) page, select a security signal.
1. In **Bulk Actions**, select **Create a case**.
1. Select **Create a case** to open a new case, or **Add to an existing case** to attach the signal to a case that already exists.
1. Enter a title and optional description.
1. Click **Create Case**.

When you click **Create Case**, you are directed to Case Management and the project you selected.

## Saved views{% #saved-views %}

You can save different configurations of the Signals Explorer as views. For example, you could filter the explorer to show all unassigned signals and then save that as a view.

When a configuration is saved as a view, you and your teammates can use it later.

A view contains the explorer's current selections for:

- Time and query
- Displayed columns and sorting
- Analytics aggregation settings
- Timeline visibility
- Displayed facets
- Aggregate by detection rule

1. To save a view, configure the explorer to display the view you want and then click **Save**.
1. Enter a name for the view, and then select the teams you want to share the view with.
1. Click **Save**.

To see all of the saved views, click **Views** next to the **Signals Explorer** page title.

## Further Reading{% #further-reading %}

- [Explore AAP threat detection OOTB rules](https://docs.datadoghq.com/security/default_rules.md?category=cat-application-security#cat-application-security)
- [Configure custom AAP threat detection rules](https://docs.datadoghq.com/security/application_security/policies/custom_rules.md)
- [AAP threat intelligence](https://docs.datadoghq.com/security/application_security/how-it-works/threat-intelligence.md)
