Security Signals Explorer
Overview
From the Security Signals Explorer, correlate and triage security signals. You can also access Cloud SIEM, Cloud Security Management Misconfigurations (CSM Misconfigurations), Cloud Security Management Threats (CSM Threats), and Application Security Management dashboards from this page.
Explore your Security Signals
The Security Signals search results are displayed in the Security Signals Table.
Filter the contents of the table with the list of available facets such as Source
and Status
. Configure the content of your Security Signals Table according to your needs and preferences with the Options button in the upper right.
Inspect a Security Signal
View additional details by clicking on any Security Signal. This opens a panel which includes information about the severity of the signal, and when it was generated.
Actionable information includes the ability to:
- Change the status of the signal.
- Access the rule settings of the signal.
- Share or assign the signal to a teammate.
The first seen and last seen date are updated, if new data is made available from the past or the attack continues. For Cloud SIEM and CSM Threats signals, a “What Happened” section is displayed in the Overview tab and any configured group bys or rule customizations related to the detection rule is displayed. This example detection rule is configured with a group by of usr.name
. Finally, any tags which are set on the detection rule are displayed below the group bys in the header for CSM Misconfigurations misconfigurations and in the Context section for Cloud SIEM and CSM Threats signals.
To better understand activity, the Security Signal Panel summarizes tags and attributes from all logs that trigger a signal so you can troubleshoot without having to pivot to Log Explorer. For example, in the Context section, you can determine at a glance the list of IPs attempting to log into a user account, or the AWS accounts and availability zones running the authentication service.
Below the header of Cloud SIEM and CSM Threats signals are tabs with detailed information related to the signal:
Overview
displays why the rule generated a security signal in the What Happened section, including group by tag and customization based on rule type. In addition, context information and JSON associated to the signal is displayed along with any security profiles related to the signal and any suppression suggestions, if available (CSM Threats only).Rule Details
displays rule details, such as the text configured in the detection rule to help the person reviewing the signal understand the purpose of the signal and how to respond. The users can also pivot into rule modification, such as modifying suppression queries for the rule.Logs
includes a visualization and list of log samples to provide context on why the signal triggered. Click on any of the samples in the table to see the full log.Related Signals
are displayed as a timeline of other signals which contain the same group by values to assist with triaging the signal.Suggested Actions
provides investigation queries, related dashboards, and links to cloud provider consoles based on Security Signal characteristics that guide investigations and provide insights to a resolution.
Below the header of CSM Misconfigurations signals are tabs with detailed information related to the signal:
Message
displays the text configured in the detection rule to help the person reviewing the signal understand the purpose of the signal and how to respond.Findings
includes a list of each resource that has been evaluated by the rule.Related Issues
includes a list of other signals which contain the same group by values to assist with triaging the signal.
Case Management
You can create a case from a Cloud SIEM security signal to track, triage, and investigate your signals. Click Escalate Investigation to see the dropdown menu. Select Create a case to start a security investigation. If a case is determined to be critical after further investigation, click Declare Incident in the case to escalate it to an incident. See Case Management for more information.
Workflow Automation
You can trigger a Workflow automatically for any Security Signal. You can also manually trigger a Workflow from a Cloud SIEM Security Signal. See Trigger a Workflow from a Security Signal for more information.
Threat intelligence
Datadog Cloud SIEM offers threat intelligence feeds curated by threat intelligence partners. These feeds are constantly updated to include data about known suspicious activity (for example, indicators of compromise or IOCs), so you can quickly identify which potential threats to address.
Datadog automatically implements threat intelligence by analyzing all ingested logs that have relevant attributes. If a log contains a compromise indication, such as an anonymized IP tied to a VPN, proxy, or Tor exit node, a threat_intel
attribute is append to the log event to provide additional insights based on available intelligence.
The query to see all threat intelligence matches in the Security Signals Explorer is @threat_intel.indicators_matched:*
. The following are additional attributes to query for threat intelligence:
@threat_intel.results.category "anonymizer", "scanner"
@threat_intel.results.intention "malicious", "unknown"
@threat_intel.results.subcategory options "proxy", "tor", "vpn"
Note: Proxy, Tor, and VPN subcategory attributes are provided only by threat intelligence partner IPinfo.
Search by network IP attributes
When Datadog Cloud SIEM detects suspicious activity from your logs, determine whether the suspicious actor has interacted with your systems by searching for its network IP. Use the following query to search by IP attributes in the Log Explorer: @network.ip.list:<IP address>
. The query searches IPs anywhere within the logs, including the tags, attributes, error, and message fields.
Anomaly detection
If the Security Signal you are reviewing is generated by the Anomaly Detection method, a graph visualizes the anomaly. A bounding box on the right hand side of the graph shows where the anomaly is detected.
Process ancestry tree in CSM Threats signals
CSM Threats signals come equipped with a process ancestry tree to detect potentially malicious activity in your systems. Identify any suspicious processes and determine the extent of an attack for better investigation and remediation.
The waterfall structure shows the consecutive executions of child processes associated with contextual information. The metadata for each process helps you gain more visibility into the system activity and spot security breaches.
Key types of information:
command line
to identify which Unix utility the process spawned.environment variables
to determine if the process inherited any sensitive information.command line arguments
to collect any identifying data used by an attacker while the process was running.
Visualize your security signals analytics
Switch between the Security Signals Table and the Security Signals Analytics modes by clicking on the Signal Mode button in the upper left corner of the page:
After Security Signals are generated by the Security Rules Engine, you can graph Security Signal queries and see maximums, minimums, percentiles, unique counts, and more.
Follow the log graphing guide to learn more about all the graphing options.
Further Reading
Additional helpful documentation, links, and articles: