[DOCS-7851] Update Cloud SIEM Investigate Security Signals for new panel design #23984
+82
−27
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -12,11 +12,11 @@ | |
|
|
||
| ## Overview | ||
|
|
||
| A Cloud SIEM security signal is created when Datadog detects a threat while analyzing logs against detection rules. View, search, filter, and correlate security signals in the Signals Explorer without needing to learn a dedicated query language. You can also assign security signals to yourself or another user in the Datadog platform. In addition to the Signals Explorer, you can configure [Notification Rules][1] to send signals to specific individuals or teams to keep them informed of issues. | ||
|
|
||
| You must have the `Security Signals Write` permission to modify a security signal, such as change the state and view signal action history in [Audit Trail][2]. See [Role Based Access Control][3] for more information about Datadog's default roles and granular role-based access control permissions available for Datadog Security in the Cloud Security. | ||
|
|
||
| ## Signals explorer | ||
|
|
||
| In the Signals Explorer, use the facet panel or search bar to group and filter your signals. For example, you can view signals by [their severity](#view-signals-by-severity), [detection rules](#view-signals-by-detection-rules), and [MITRE ATT&CK](#view-signals-by-mitre-attck). After you have filtered your signals to your use case, create a [saved view][4] so that you can reload your query later. | ||
|
|
||
|
|
@@ -37,7 +37,7 @@ | |
| - **Table** to see signals by the specified tag key (for example, `source`, `technique`, and so on). | ||
| - **Pie Chart** to see the relative volume of each of the detection rules. | ||
|
|
||
| {{< img src="security/security_monitoring/investigate_security_signals/signal_list2.png" alt="The Signals Explorer showing signals categorized by detection rules" style="width:100%;" >}} | ||
|
|
||
| ### View signals by detection rules | ||
|
|
||
|
|
@@ -50,36 +50,93 @@ | |
| 1. Click the plus icon next to the first group `by` to add a second group `by`, and select **Technique** for it. | ||
| 1. In the table, click one of the tactics or techniques to see options to further investigate and filter the signals. For example, you can view signals related to the tactic and technique and search for or exclude specific tactics and techniques. | ||
|
|
||
| {{< img src="security/security_monitoring/investigate_security_signals/tactics_techniques.png" alt="The Signals Explorer table showing a list of tactics and techniques" style="width:100%;" >}} | ||
|
|
||
| ### Triage a single signal | ||
|
|
||
| 1. Navigate to [Cloud SIEM][5]. | ||
| 1. Click the **Signals** tab at the top of the page. | ||
| 1. Click on a security signal from the table. | ||
| 1. In the **What Happened** section, see the logs that matched the query. Hover over the query to see the query details. | ||
| - You can also see specific information like username or network IP. In **Rule Details**, click the funnel icon to create a suppression rule or add the information to an existing suppression. See [Create suppression rule][11] for more details. | ||
| 1. In the **Next Steps** section: | ||
| a. Under **Triage**, click the dropdown to change the triage status of the signal. The default status is `OPEN`. | ||
| - `Open`: Datadog Security triggered a detection based on a rule, and the resulting signal is not yet resolved. | ||
| - `Under Review`: During an active investigation, change the triage status to `Under Review`. From the `Under Review` state, you can move the status to `Archived` or `Open` as needed. | ||
| - `Archived`: When the detection that caused the signal has been resolved, update the status to `Archived`. When a signal is archived, you can give a reason and description for future reference. If an archived issue resurfaces, or if further investigation is necessary, the status can be changed back to `Open`. All signals are locked 30 days after they have been created.</ul> | ||
| b. Click **Assign Signal** to assign a signal to yourself or another Datadog user. | ||
| c. Under **Take Action**, you can create a case, declare an incident, edit suppressions, or run workflows. Creating a case automatically assigns the signal to you and sets the triage status to `Under Review`. | ||
maycmlee marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
|
||
| {{< img src="security/security_monitoring/investigate_security_signals/signal_side_panel.png" alt="The signal side panel of a compromised AWS IAM user access key showing two IP addresses and their locations" style="width:90%;" >}} | ||
|
|
||
| ### Triage multiple signals | ||
|
|
||
| Use bulk actions to triage multiple signals. To use bulk actions, first search and filter your signals in the Signals Explorer, then: | ||
|
|
||
| 1. Click on the checkbox to the left of the signals that you want to take a bulk action on. To select all signals in the Signals Explorer list, select the checkbox next to the **Status** column header. | ||
| 1. Click on the **Bulk Actions** dropdown menu above the signals table and select the action you want to take. | ||
|
|
||
| **Note**: The Signals Explorer stops dynamically updating when performing a bulk action. | ||
|
|
||
| {{< img src="security/security_monitoring/investigate_security_signals/bulk_actions2.png" alt="The Signal Explorers showing the bulk action option" style="width:55%;" >}} | ||
|
|
||
| ### Run Workflow automation | ||
|
There was a problem hiding this comment. The product is called Workflow Automation. If this heading refers to the product, it should say "Run Workflow Automation." If you're talking about a workflow as a concept instead of the product name, it should be "Run workflow automation" There was a problem hiding this comment. Thanks @urseberry for pointing this out! I was following what's in the UI, which is calling it Datadog Workflows. I'll let the PM know that it's actually Workflow Automation. For the docs, I updated the header and committed your suggestions so it's referred to as Workflow Automation.
maycmlee marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
|
||
| Use Workflow Automations to carry out actions to help you investigate and remediate a signal. These actions can include: | ||
maycmlee marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| - Blocking an IP address from your environment. | ||
| - Disabling a user account. | ||
| - Looking up an IP address with a third-party threat intelligence provider. | ||
| - Sending slack messages to your colleagues to get help with your investigation. | ||
maycmlee marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
|
||
| To run a workflow from the signal side panel, select **Run Workflows** in the **Next Steps** section. In the workflow browser, search and select a workflow to run. Click the **Workflows** tab in the signal side panel to see which workflows were triggered for the signal. | ||
|
|
||
| To trigger a Workflow automatically for any Security Signal, see [Trigger a Workflow from a Security Signal][8] and [Automate Security Workflows with Workflow Automation][9] for more information. | ||
maycmlee marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
|
||
| ## Investigate | ||
|
|
||
| A signal contains important information to determine whether a signal is malicious or not. Additionally, you can add a signal to a case in Case Management for further investigation. | ||
|
There was a problem hiding this comment. Can you reword the first sentence to avoid repeating the word "signal?" There was a problem hiding this comment. Yes, reworded to say "..whether the threat detected is malicious.."
maycmlee marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
|
||
| ### Logs | ||
|
|
||
| Click the **Logs** tab to view the logs related to the signal. Click **View All Related Logs** to see the related logs in Log Explorer. | ||
|
|
||
| ### Entities | ||
|
|
||
| To investigate entities: | ||
|
|
||
| 1. Click the **Entities** tab to see entities related to the signal, such as users or IP addresses. | ||
| 1. Click the down arrow next to **View Related Logs** and: | ||
| - Select **View IP Dashboard** to see more information about the IP address in the IP Investigation dashboard. | ||
| - Select **View Related Signals** to open Signals Explorer and see the other signals associated with the IP address. | ||
| 1. For cloud environment entities, such as an assumed role or IAM user, view the activity graph to see what other actions the user took. Click **View in Investigator** to go to the Investigator to see more details. | ||
|
|
||
| ### Related signals | ||
|
|
||
| Click the **Related Signals** tab to see the related signals and information, such as fields and attributes, that the signals share. Click **View All Related Activity** to see the signals in the Signals Explorer. | ||
|
|
||
| ### Suppressions | ||
|
|
||
| To view the suppression rules for the detection rule that generated the signal, do one of the following: | ||
|
|
||
| - In the **What Happened** section, hover your mouse over the funnel icon, then click **Add Suppression**. | ||
| - In the **Next Steps** section, click **Edit Suppressions** to see the suppression section of that rule in the detection rule editor. | ||
| - Click the **Suppressions** tab to see a list of suppressions, if there are any. Click **Edit Suppressions** to go to the detection rule editor to see the suppression section of that rule. | ||
|
|
||
| ## Collaborate | ||
|
|
||
| ### Case Management | ||
|
|
||
| Sometimes you need more information than what is available in a single signal to investigate the signal. Use [Case Management][6] to collect multiple signals, create timelines, discuss with colleagues, and keep a notebook of the analysis and findings. | ||
|
|
||
| To create a case from a security signal: | ||
|
|
||
| 1. Click **Create Case** in the **Next Steps** section to create a new case. If you want to add the signal to an existing case, click the down arrow next to **Create Case**, then select **Add to an existing case**. | ||
| 1. Fill in the information for the case. | ||
| 1. Click **Create Case**. | ||
|
|
||
| The signal is automatically assigned to the user who created the case and the triage status is also changed to `Under Review`. | ||
|
|
||
| After a case is created, hover over the **Case** button to see the case associated with the signal. | ||
|
|
||
| **Note**: If a case is determined to be critical after further investigation, click **Declare Incident** in the case to escalate it to an incident. | ||
|
|
||
|
|
@@ -89,26 +146,23 @@ | |
|
|
||
| To declare an incident in the signal panel: | ||
|
|
||
| 1. Click **Declare Incident** in the **Next Steps** section. | ||
| 1. Fill out the incident template. | ||
|
|
||
| If you want to add the signal to an incident, click the down arrow next to **Declare Incident** and select the incident you want to add the signal to. Click **Confirm**. | ||
|
|
||
| ### Threat intelligence | ||
|
|
||
| Datadog Cloud SIEM offers integrated threat intelligence provided by our threat intelligence partners. These feeds are constantly updated to include data about known suspicious activity (for example, IP addresses known to be used by malicious actors), so that you can quickly identify which potential threats to address. | ||
|
|
||
| Datadog automatically enriches all ingested logs for indicators of compromise (IOCs) from our threat intelligence feeds. If a log contains a match to a known IOC, a `threat_intel` attribute is appended to the log event to provide additional insights based on available intelligence. | ||
|
Check warning on line 158 in content/en/security/cloud_siem/investigate_security_signals.md
|
||
maycmlee marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
|
||
| The query to see all threat intelligence matches in the Security Signals Explorer is `@threat_intel.indicators_matched:*`. The following are additional attributes to query for threat intelligence: | ||
|
|
||
| - For `@threat_intel.results.category`: attack, corp_vpn, cryptomining, malware, residential_proxy, tor, scanner | ||
| - For `@threat_intel.results.intention`: malicious, suspicious, benign, unknown | ||
|
|
||
| {{< img src="security/security_monitoring/investigate_security_signals/threat_intel_results_categories.png" alt="The Signals Explorer showing a bar graph of signals broken down by the threat intel categories of residential proxy, corp_vpn, cryptomining, and malware" style="width:80%;" >}} | ||
|
|
||
| See the [Threat Intelligence][10] documentation for more information on threat intelligence feeds. | ||
|
|
||
|
|
@@ -136,3 +190,4 @@ | |
| [8]: /service_management/workflows/trigger/#trigger-a-workflow-from-a-security-signal | ||
| [9]: /security/cloud_security_management/workflows/ | ||
| [10]: /security/threat_intelligence | ||
| [11]: /security/suppressions/#create-a-suppression-rule | ||
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Something is wrong with the formatting of this item. It appears inline after b. instead of on its own line.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for catching that! Fixed it.