---
title: Investigate Security Signals
description: Datadog, the leading service for cloud-scale monitoring.
---

# Investigate Security Signals

[Workload Protection](https://docs.datadoghq.com/security/workload_protection.md) security signals are created when Datadog detects a threat based on a security rule. View, search, filter, and investigate security signals in the [Signals Explorer](https://app.datadoghq.com/security/workload-protection/signals), or configure [Notification Rules](https://docs.datadoghq.com/security/notifications/rules.md) to send signals to third-party tools.

To modify security signals, you must have the `security_monitoring_signals_write` permission. See [Role Based Access Control](https://docs.datadoghq.com/account_management/rbac/permissions.md#cloud-security-platform) for more information about Datadog's default roles and granular role-based access control permissions available for Cloud Security.

## Filter security signals{% #filter-security-signals %}

To filter the security signals in the [Signals Explorer](https://app.datadoghq.com/security/workload-protection/signals), use the search query `@workflow.triage.state:<status>`, where `<status>` is the state you want to filter on (`open`, `under_review`, or `archived`). You can also use the Signal State facet on the facet panel.
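The same state filter can be used outside the UI, for example to pull every signal still in `under_review` into a report. The following is an added example, not code from the Datadog documentation. It assumes Datadog's public v2 signals search endpoint on the US1 site, its `filter`/`page` request body and `meta.page.after` cursor, and the `DD-API-KEY`/`DD-APPLICATION-KEY` headers, none of which appear on this page; the function names are hypothetical.

```python
import json
import urllib.request
from datetime import datetime, timedelta, timezone

# Triage states named on this page.
VALID_STATES = ("open", "under_review", "archived")
# Assumption: v2 signals search endpoint on the US1 site (not shown on this page).
SEARCH_URL = "https://api.datadoghq.com/api/v2/security_monitoring/signals/search"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def triage_query(state):
    """Build the Signals Explorer query for one triage state."""
    if state not in VALID_STATES:
        raise ValueError(f"unknown triage state: {state!r}")
    return f"@workflow.triage.state:{state}"


def search_body(state, time_from, time_to, cursor=None, limit=100):
    """Request body for one page of results (assumed API schema)."""
    page = {"limit": limit}
    if cursor:
        page["cursor"] = cursor
    return {"filter": {"query": triage_query(state),
                       "from": time_from, "to": time_to},
            "page": page, "sort": "timestamp"}


def http_post(body, api_key, app_key):
    """Real transport: POST one search request and decode the JSON reply."""
    req = urllib.request.Request(
        SEARCH_URL, data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json",
                 "DD-API-KEY": api_key, "DD-APPLICATION-KEY": app_key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def signals_in_state(state, post, days=7, max_pages=50):
    """Collect every signal in `state` from the last `days` days.

    `post` takes a request body and returns the decoded reply, so a fake
    transport can stand in for http_post during testing.
    """
    end = datetime.now(timezone.utc)  # fix the window once for all pages
    start = (end - timedelta(days=days)).strftime(TIME_FMT)
    signals, cursor = [], None
    for _ in range(max_pages):
        reply = post(search_body(state, start, end.strftime(TIME_FMT), cursor))
        signals.extend(reply.get("data", []))
        cursor = reply.get("meta", {}).get("page", {}).get("after")
        if not cursor:
            break
    return signals
```

For a live query, pass `lambda body: http_post(body, api_key, app_key)` as `post`, with keys read from your own secret store.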

## Triage a signal{% #triage-a-signal %}

You can triage a signal by assigning it to a user for further investigation. The assigned user can then track their review by updating the signal's status.

1. On the [Signals Explorer](https://app.datadoghq.com/security/workload-protection/signals), select a security signal.
1. On the signal side panel, click the user profile icon and select a user.
1. To update the status of the security signal, click the triage status dropdown menu and select a status. The default status is Open.
   - Open: The signal has not yet been resolved.
   - Under Review: The signal is actively being investigated. From the Under Review state, you can move the signal to Archived or Open as needed.
   - Archived: The detection that caused the signal has been resolved. From the Archived state, you can move the signal back to Open if it's within 30 days of when the signal was originally detected.

## Create a case{% #create-a-case %}

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com

{% alert level="danger" %}
Case Management is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md) ({% placeholder "user-datadog-site-name" /%}).
{% /alert %}
{% /callout %}

Use [Case Management](https://docs.datadoghq.com/incident_response/case_management.md) to track, triage, and investigate security signals.

1. On the [Signals Explorer](https://app.datadoghq.com/security/workload-protection/signals), select a security signal.
1. On the signal side panel, click the Escalate Investigation dropdown menu and select Create a case. Alternatively, select Add to an existing case to add the signal to an existing case.
1. Enter a title and optional description.
1. Click Create Case.

## Declare an incident{% #declare-an-incident %}

Use [Incident Management](https://docs.datadoghq.com/incident_response/incident_management.md) to create an incident for a security signal.

1. On the [Signals Explorer](https://app.datadoghq.com/security/workload-protection/signals), select a security signal.
1. On the signal side panel under *Next Steps*, click the Show all actions dropdown menu and select Declare incident.
1. Alternatively, select Add to incident to add the signal to an existing incident.
1. On the incident creation modal, configure the incident by specifying details such as the severity level and incident commander.
1. Click Declare Incident.

## Run a workflow{% #run-a-workflow %}

Use [Workflow Automation](https://docs.datadoghq.com/actions/workflows.md) to manually trigger a workflow for a security signal. See [Trigger a Workflow from a Security Signal](https://docs.datadoghq.com/security/cloud_security_management/workflows.md) for more information.

1. On the [Signals Explorer](https://app.datadoghq.com/security/workload-protection/signals), select a security signal.
1. On the signal side panel, click the Workflows tab.
1. Click Run Workflow.
1. On the workflow modal, select the workflow you want to run. The workflow must have a security trigger to appear in the list. Depending on the workflow, you may be required to enter additional input parameters.
1. Click Run.
