Security Signals Explorer

Overview

From the Security Signals Explorer, correlate and triage security signals. You can also access Security Monitoring dashboards from this page.

In this view, you can:

Explore your Security Signals

The Security Signals search results are displayed in the Security Signals Table.

Filter the contents of the table with the list of available facets. Configure the content of your Security Signals Table according to your needs and preferences with the Options button in the upper right.

Inspect a Security Signal

Click on any Security Signal to open the Security Signal Panel and see more details about it.

The details you need first when triaging an issue can be found in the top portion of the Security Signal Panel. From here, you can determine the severity of the signal, when it was generated, access the rule settings, and quickly share this signal to a teammate.

The first-seen and last-seen dates are updated if new data arrives from the past or the attack continues. In addition, any group-bys configured on the rule are displayed in this section. This example rule is configured with a group-by of usr.name. Finally, any tags set on the rule are displayed below the group-bys.

To better understand activity, the Security Signal Panel summarizes tags and attributes from all logs that trigger a signal so you can troubleshoot without having to pivot to Log Explorer. For example, you can determine at a glance the list of IPs attempting to log into a user account, or the AWS accounts and availability zones running the authentication service.

Below the overview of the signal are tabs with detailed information related to the signal:

  • Message displays the text configured in the rule to help the person reviewing the signal understand the purpose of the signal and how to respond.

  • Event Attributes are helpful when triaging and filtering security signals. For example, you may determine that a user or entity triggered a security rule as part of their benign behavior, or that a compliance control shouldn’t apply across all of your environments. Click on any attribute in the Event Attributes tab to open the dropdown menu and select Never trigger signals for <value> to fine-tune what is visible within the Security Signals Explorer. You can also filter by, or view logs related to, an attribute from this menu.

  • Samples includes a list of log samples to provide context on why the signal triggered. Click on any of the samples to see the full log.

  • Related Issues includes a list of other signals which contain the same group by values to assist with triaging the signal.
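The top of the panel (first seen, last seen, group-by value) and the attribute summary described above are built from the logs that triggered the signal. The following is an added example, not Datadog's own code, that folds a set of constructed sample logs into the same kind of per-group summary; the field names other than usr.name (network.client.ip, cloud.account.id, cloud.availability_zone, evt.outcome) and the timestamp format are assumptions for the example. It also shows why first seen can move backwards: a late-arriving log with an older timestamp widens the window.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample logs for one rule grouped by usr.name. Every attribute
# name except usr.name is an assumption made for this example.
SAMPLE_LOGS = [
    {"timestamp": "2024-05-01T10:00:05Z", "usr.name": "alice",
     "network.client.ip": "203.0.113.7", "cloud.account.id": "111111111111",
     "cloud.availability_zone": "us-east-1a", "evt.outcome": "failure"},
    {"timestamp": "2024-05-01T10:00:09Z", "usr.name": "alice",
     "network.client.ip": "198.51.100.23", "cloud.account.id": "111111111111",
     "cloud.availability_zone": "us-east-1b", "evt.outcome": "failure"},
    {"timestamp": "2024-05-01T10:01:40Z", "usr.name": "alice",
     "network.client.ip": "203.0.113.7", "cloud.account.id": "222222222222",
     "cloud.availability_zone": "us-east-1a", "evt.outcome": "failure"},
    {"timestamp": "2024-05-01T10:02:00Z", "usr.name": "bob",
     "network.client.ip": "192.0.2.44", "cloud.account.id": "111111111111",
     "cloud.availability_zone": "us-east-1a", "evt.outcome": "success"},
]

# Attributes worth summarising at a glance when triaging an auth signal.
SUMMARY_KEYS = ("network.client.ip", "cloud.account.id",
                "cloud.availability_zone", "evt.outcome")


def _ts(value):
    """Parse the (assumed) ISO-8601 UTC timestamp used in the sample logs."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def new_summary():
    return {"count": 0, "first_seen": None, "last_seen": None,
            "attributes": defaultdict(set)}


def add_log(summary, log, keys=SUMMARY_KEYS):
    """Fold one triggering log into a signal summary.

    first_seen and last_seen move in either direction, so a log that arrives
    late but carries an older timestamp pushes first_seen back, and a
    continuing attack keeps pushing last_seen forward.
    """
    ts = _ts(log["timestamp"])
    summary["count"] += 1
    if summary["first_seen"] is None or ts < summary["first_seen"]:
        summary["first_seen"] = ts
    if summary["last_seen"] is None or ts > summary["last_seen"]:
        summary["last_seen"] = ts
    for key in keys:
        if key in log:
            # Unique values only: the panel shows "the list of IPs", not every log.
            summary["attributes"][key].add(log[key])
    return summary


def summarize_by_group(logs, group_by="usr.name", keys=SUMMARY_KEYS):
    """Build one summary per group-by value, mirroring one signal per usr.name."""
    groups = {}
    for log in logs:
        value = log.get(group_by, "<missing>")
        groups.setdefault(value, new_summary())
        add_log(groups[value], log, keys)
    return groups


def describe(summary):
    """Render a summary the way a triager reads the top of the panel."""
    lines = [f"{summary['count']} logs, first seen {summary['first_seen'].isoformat()}, "
             f"last seen {summary['last_seen'].isoformat()}"]
    for key, values in sorted(summary["attributes"].items()):
        lines.append(f"  {key}: {', '.join(sorted(values))}")
    return "\n".join(lines)


if __name__ == "__main__":
    for user, summary in summarize_by_group(SAMPLE_LOGS).items():
        print(f"usr.name:{user}")
        print(describe(summary))
```

Running it shows that alice's signal came from two source IPs across two AWS accounts, which is the "at a glance" view the panel gives without pivoting to Log Explorer.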

Threat Intelligence

Datadog Security Monitoring offers threat intelligence feeds curated by threat intelligence partners. These feeds are constantly updated to include data about known suspicious activity (for example, IOCs), so you can quickly identify which potential threats to address.

Datadog automatically operationalizes threat intelligence by analyzing all ingested logs that have relevant attributes. If a log contains an indicator of compromise, such as an anonymizing IP tied to a VPN, proxy, or Tor exit node, a threat_intel attribute is appended to the log event to provide additional insight based on the available intelligence.

The query to see all threat intelligence matches in the Security Signals Explorer is @threat_intel.indicators_matched:*. The following are additional attributes to query for threat intelligence:

  • @threat_intel.results.category: "anonymizer", "scanner"
  • @threat_intel.results.intention: "malicious", "unknown"
  • @threat_intel.results.subcategory: "proxy", "tor", "vpn"

Note: The proxy, tor, and vpn subcategory values are provided only by the threat intelligence partner IPinfo.
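To make the attribute paths above concrete, here is an added example (not Datadog's code) that evaluates these facet queries against constructed log events. The nesting of indicators_matched, results.category, results.intention and results.subcategory under threat_intel follows the paths named on this page; that results is a list of one entry per matched indicator, and the sample IPs and values, are assumptions for the example. Space-separated terms are treated as an implicit AND, as in Datadog's log search syntax.

```python
import re

# Constructed events. Only the third has no threat_intel attribute at all,
# which is what @threat_intel.indicators_matched:* is meant to separate.
SAMPLE_EVENTS = [
    {"network": {"client": {"ip": "203.0.113.7"}},
     "threat_intel": {"indicators_matched": ["203.0.113.7"],
                      "results": [{"category": "anonymizer",
                                   "intention": "unknown",
                                   "subcategory": "tor"}]}},
    {"network": {"client": {"ip": "198.51.100.23"}},
     "threat_intel": {"indicators_matched": ["198.51.100.23"],
                      "results": [{"category": "scanner",
                                   "intention": "malicious"}]}},
    {"network": {"client": {"ip": "192.0.2.44"}}},
]

# @<dotted.path>:<value>, where value is * (exists), a "quoted string" or a bare word.
QUERY_RE = re.compile(r'^@([\w.]+):(\*|"[^"]*"|\S+)$')


def lookup(event, path):
    """Walk a dotted attribute path and return every value found.

    Lists are fanned out along the way, so results.category yields the
    category of each matched indicator, not just the first one.
    """
    nodes = [event]
    for part in path.split("."):
        nxt = []
        for node in nodes:
            for item in (node if isinstance(node, list) else [node]):
                if isinstance(item, dict) and part in item:
                    nxt.append(item[part])
        nodes = nxt
    flat = []
    for node in nodes:
        flat.extend(node if isinstance(node, list) else [node])
    return flat


def matches(event, query):
    """Evaluate a facet query such as @threat_intel.results.subcategory:tor.

    '*' is an existence check (the attribute has at least one value);
    anything else is an exact match against any value at that path.
    """
    for term in query.split():
        m = QUERY_RE.match(term)
        if not m:
            raise ValueError(f"unsupported query term: {term}")
        path, wanted = m.groups()
        values = lookup(event, path)
        if wanted == "*":
            if not values:
                return False
        elif not any(str(v) == wanted.strip('"') for v in values):
            return False
    return True


def search(events, query):
    """Return the events a Security Signals Explorer query would keep."""
    return [e for e in events if matches(e, query)]


if __name__ == "__main__":
    for q in ("@threat_intel.indicators_matched:*",
              "@threat_intel.results.subcategory:tor",
              '@threat_intel.results.intention:"malicious"'):
        hits = [e["network"]["client"]["ip"] for e in search(SAMPLE_EVENTS, q)]
        print(f"{q} -> {hits}")
```

The existence query keeps both enriched events and drops the unenriched one; narrowing by subcategory or intention then isolates the Tor exit node or the malicious scanner, which is how a triager moves from "everything with a threat intel match" to the hits worth looking at first.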

Anomaly detection

If the Security Signal you are reviewing was generated by the Anomaly Detection method, a graph visualizes the anomaly. A bounding box on the right-hand side of the graph shows where the anomaly was detected.

Visualize your security signals analytics

Switch between the Security Signals Table and the Security Signals Analytics modes by clicking on the Signal Mode button in the upper left corner of the page:

After Security Signals are generated by the Security Rules Engine, you can graph Security Signal queries and see maximums, minimums, percentiles, unique counts, and more.

Follow the log graphing guide to learn more about all the graphing options.

Further Reading