Investigate Security Signals
Overview
ASM security signals are created when Datadog detects a threat based on a detection rule. View, search, filter, and investigate security signals in the Signals Explorer, or configure Notification Rules to send signals to third-party tools.
In the Signals Explorer, filter by attributes and facets to find critical threats. Click on a signal to see details about it, including the service owner and attack details. Attack details include the authenticated user and their IP address, what rule they triggered, attack flow, related traces, and other security signals. From this page, you can block IP addresses and users, and also click to create a case and declare an incident.
Filter security signals
To filter the security signals in the Signals Explorer, use the search query @workflow.triage.state:<status>, where <status> is the state you want to filter on (open, under_review, or archived). You can also use the Signal State facet on the facet panel.
Triage a signal
You can triage a signal by assigning it to a user for further investigation. The assigned user can then track their review by updating the signal’s status.
- On the Signals Explorer page, select a security signal.
- On the signal side panel, click the user profile icon and select a user.
- To update the status of the security signal, click the triage status dropdown menu and select a status. The default status is Open.
- Open: The signal has not yet been resolved.
- Under Review: The signal is actively being investigated. From the Under Review state, you can move the signal to Archived or Open as needed.
- Archived: The detection that caused the signal has been resolved. From the Archived state, you can move the signal back to Open if it’s within 30 days of when the signal was originally detected.
Note: To modify security signals, you must have the security_monitoring_signals_write permission. See Role Based Access Control for more information about Datadog’s default roles and granular role-based access control permissions available for Application Security Management.
Create a case
Use Case Management to track, triage, and investigate security signals.
- On the Signals Explorer page, select a security signal.
- On the signal side panel, select the Create a case dropdown. Select Create a new case, or Add to an existing case to add the signal to an existing case.
- Enter a title and optional description.
- Click Create Case.
Declare an incident
Use Incident Management to create an incident for a security signal.
- On the Signals Explorer page, select a security signal.
- On the signal side panel, click the Declare Indident dropdown menu and select Create an incident, or Add to an existing incident.
- On the incident creation modal, configure the incident by specifying details such as the severity level and incident commander.
- Click Declare Incident.
Run a workflow
Use Workflow Automation to manually trigger a workflow for a security signal.
- On the Signals Explorer page, select a security signal.
- Scroll down to the What is Workflow Automation section.
- Click Run Workflow.
- On the workflow modal, select the workflow you want to run. Depending on the workflow, you may be required to enter additional input parameters.
- Click Run.
- On the Signals Explorer page, select a security signal.
- On the signal side panel, click each of the tabs, such as Attack Flow, Activity Summary, and Rule Details, to review the information.
- Review the Suggested Next Steps, and take action:
- Click Block all Attacking IPs (by specific duration or permanently).
- Click Automated Attacker Blocking (based on detection rules).
- Click Block with Edge WAF.
Further Reading
Additional helpful documentation, links, and articles:
