---
title: Investigate Security Signals
description: Datadog, the leading service for cloud-scale monitoring.
---

# Investigate Security Signals

[Workload Protection](https://docs.datadoghq.com/security/workload_protection.md) security signals are created when Datadog detects a threat based on a security rule. View, search, filter, and investigate security signals in the [Signals Explorer](https://app.datadoghq.com/security/workload-protection/signals), or configure [Notification Rules](https://docs.datadoghq.com/security/notifications/rules.md) to send signals to third-party tools.

To modify security signals, you must have the `security_monitoring_signals_write` permission. See [Role Based Access Control](https://docs.datadoghq.com/account_management/rbac/permissions.md#cloud-security-platform) for more information about Datadog's default roles and granular role-based access control permissions available for Cloud Security.

## Filter security signals{% #filter-security-signals %}

To filter the security signals in the [Signals Explorer](https://app.datadoghq.com/security/workload-protection/signals), use the search query `@workflow.triage.state:<status>`, where `<status>` is the state you want to filter on (`open`, `under_review`, or `archived`). You can also use the **Signal State** facet on the facet panel.

## Triage a signal{% #triage-a-signal %}

You can triage a signal by assigning it to a user for further investigation. The assigned user can then track their review by updating the signal's status.

1. On the [Signals Explorer](https://app.datadoghq.com/security/workload-protection/signals), select a security signal.
1. On the signal side panel, click the user profile icon and select a user.
1. To update the status of the security signal, click the triage status dropdown menu and select a status. The default status is **Open**.
   - **Open**: The signal has not yet been resolved.
   - **Under Review**: The signal is actively being investigated. From the **Under Review** state, you can move the signal to **Archived** or **Open** as needed.
   - **Archived**: The detection that caused the signal has been resolved. From the **Archived** state, you can move the signal back to **Open** if it's within 30 days of when the signal was originally detected.

## Create a case{% #create-a-case %}

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com

{% alert level="danger" %}
Case Management is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md).
{% /alert %}
{% /callout %}

Use [Case Management](https://docs.datadoghq.com/incident_response/case_management.md) to track, triage, and investigate security signals.

1. On the [Signals Explorer](https://app.datadoghq.com/security/workload-protection/signals), select a security signal.
1. On the signal side panel, click the **Escalate Investigation** dropdown menu and select **Create a case**. Alternatively, select **Add to an existing case** to add the signal to an existing case.
1. Enter a title and optional description.
1. Click **Create Case**.

## Declare an incident{% #declare-an-incident %}

Use [Incident Management](https://docs.datadoghq.com/incident_response/incident_management.md) to create an incident for a security signal.

1. On the [Signals Explorer](https://app.datadoghq.com/security/workload-protection/signals), select a security signal.
1. On the signal side panel under *Next Steps*, click the **Show all actions** dropdown menu and select **Declare incident**.
1. Alternatively, select **Add to incident** to add the signal to an existing incident.
1. On the incident creation modal, configure the incident by specifying details such as the severity level and incident commander.
1. Click **Declare Incident**.

## Run a workflow{% #run-a-workflow %}

Use [Workflow Automation](https://docs.datadoghq.com/service_management/workflows.md) to manually trigger a workflow for a security signal. See [Trigger a Workflow from a Security Signal](https://docs.datadoghq.com/security/cloud_security_management/workflows.md) for more information.

1. On the [Signals Explorer](https://app.datadoghq.com/security/workload-protection/signals), select a security signal.
1. On the signal side panel, click the **Workflows** tab.
1. Click **Run Workflow**.
1. On the workflow modal, select the workflow you want to run. The workflow must have a security trigger to appear in the list. Depending on the workflow, you may be required to enter additional input parameters.
1. Click **Run**.
