Security Signals Explorer

Overview

From the Security Signals Explorer, correlate and triage security signals. You can also access Security Monitoring dashboards from this page.

In this view, you can:

Explore your Security Signals

The Security Signals search results are displayed in the Security Signals Table.

Filter the contents of the table with the list of available facets. Configure the content of your Security Signals Table according to your needs and preferences with the Options button in the upper right.

Inspect a Security Signal

Click on any Security Signal to open the Security Signal Panel and see more details about it.

The details you need first when triaging an issue are in the top portion of the Security Signal Panel. From here, you can determine the severity of the signal, see when it was generated, access the rule settings, and quickly share the signal with a teammate.

The first seen and last seen dates are updated if new data is made available from the past or if the attack continues. In addition, any group bys configured on the rule are displayed in this section. This example rule is configured with a group by of usr.name. Finally, any tags set on the rule are displayed below the group bys.

To better understand activity, the Security Signal Panel summarizes tags and attributes from all logs that trigger a signal so you can troubleshoot without having to pivot to Log Explorer. For example, you can determine at a glance the list of IPs attempting to log into a user account, or the AWS accounts and availability zones running the authentication service.

Below the overview of the signal are tabs with detailed information related to the signal:

  • Message displays the text configured in the rule to help the person reviewing the signal understand the purpose of the signal and how to respond.

  • Event Attributes are helpful when triaging and filtering security signals. For example, you may determine that a user or entity triggered a security rule as part of their benign behavior, or that a compliance control shouldn’t apply across all of your environments. Click on any attribute in the Event Attributes tab to open the dropdown menu and select Never trigger signals for <value> to fine-tune what is visible within the Security Signals Explorer. You can also filter by or view logs related to an attribute from this menu.

  • Samples includes a list of log samples to provide context on why the signal triggered. Click on any of the samples to see the full log.

  • Related Issues includes a list of other signals which contain the same group by values to assist with triaging the signal.
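
The following is an added example, not code from this product or its documentation. It models on constructed logs what the panel presents: one summary per group by value (usr.name), first seen and last seen bounds, the attribute values seen across the triggering logs, and a simplified stand-in for Never trigger signals for <value>. All attribute names other than usr.name, and the function and parameter names, are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample logs. Only usr.name comes from the page; the other
# attribute names and all values are assumptions made for this example.
LOGS = [
    {"ts": "2024-05-01T10:02:00", "usr.name": "alice", "client_ip": "203.0.113.7",
     "aws_account": "111111111111", "az": "us-east-1a"},
    {"ts": "2024-05-01T10:05:00", "usr.name": "alice", "client_ip": "198.51.100.23",
     "aws_account": "111111111111", "az": "us-east-1b"},
    {"ts": "2024-05-01T10:03:00", "usr.name": "bob", "client_ip": "192.0.2.10",
     "aws_account": "222222222222", "az": "us-east-1a"},
    # Late-arriving log from the past: moves alice's first seen earlier.
    {"ts": "2024-05-01T09:58:00", "usr.name": "alice", "client_ip": "203.0.113.7",
     "aws_account": "111111111111", "az": "us-east-1a"},
]

def summarize(logs, group_by="usr.name", never_trigger=None):
    """Build one summary per group-by value from the logs that matched a rule.

    never_trigger maps an attribute name to values to exclude, a simplified
    stand-in for the "Never trigger signals for <value>" menu action.
    """
    never_trigger = never_trigger or {}
    signals = {}
    for log in logs:
        if any(log.get(attr) in values for attr, values in never_trigger.items()):
            continue  # suppressed value: this log contributes to no signal
        ts = datetime.fromisoformat(log["ts"])
        sig = signals.setdefault(log[group_by], {
            "first_seen": ts, "last_seen": ts, "samples": [],
            "attributes": defaultdict(set),
        })
        # Both bounds can move: older data arriving late, or ongoing activity.
        sig["first_seen"] = min(sig["first_seen"], ts)
        sig["last_seen"] = max(sig["last_seen"], ts)
        sig["samples"].append(log)
        for attr, value in log.items():
            if attr not in ("ts", group_by):
                sig["attributes"][attr].add(value)
    return signals

if __name__ == "__main__":
    for name, sig in summarize(LOGS).items():
        print(name, sig["first_seen"], sig["last_seen"], len(sig["samples"]))
        for attr, values in sorted(sig["attributes"].items()):
            print("   ", attr, sorted(values))
```
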

Visualize your security signals analytics

Switch between the Security Signals Table and the Security Signals Analytics modes by clicking on the Signal Mode button in the upper left corner of the page.

After Security Signals are generated by the Security Rules Engine, you can graph Security Signal queries and see maximums, minimums, percentiles, unique counts, and more.

Follow the log graphing guide to learn more about all the graphing options.
