Monitor Threat Signals

Traditionally, Signals consisted of multiple rules and logic to detect patterns, and an incident was created on every single deviation. This generated a large volume of incidents, making it difficult to address each one. Today, signals have been redesigned to gather intelligence on events. A signal is an individual event that indicates something suspicious or malicious, but by itself it is not an incident. A collection of signals, or a single signal with the highest severity, is considered an incident. Analysts do not have to investigate every single alert; the alerts generated are delegated to signals. Each signal has a name indicating the gist of the incident.

Benefits of Signals

  • Automatically track and analyse the incidents that have been identified.
    All the context around an incident is captured in detail and can be taken into account at multiple levels.

  • Analysts can visualize the relationship between who, how and where of the whole attack process.

  • Signals can be mapped to the MITRE ATT&CK framework: each signal needs to have a detection tactic and a detection technique that correspond to the MITRE framework.

  • The concept of a connected graph, which connects the signals for you and presents a larger picture.

  • Connected graphs help reduce the number of alerts to be investigated; analysts investigate the graphs instead of all the individual signals.

What are Signals?

A signal points to a potential threat; it is not an incident by itself. Depending on its confidence level, you can readily identify whether it is an actual incident or not. You can also link together different signals and search for patterns across them to figure out whether an actual incident happened. Signals are listed as a result of this real-time correlation.

Signals raised from the workbook are automatically displayed here, and the list is updated when you refresh the page. Real-time correlation lets you know what is happening. Once you see a signal, you can click on the workbook to find out what caused it to raise this signal.

How to view Signals?

  • Click the Signals icon on the left navigation bar of the Home screen; the Threat Signals screen is displayed.

  • The Threat Signals screen displays all the signals that were raised from the workbook. The signal listing shows severity by color code and risk score.
    You can click refresh to update the page; with real-time correlation you will know what is happening.

The Threat Signals screen displays the following details:

| Field | Description |
| --- | --- |
| New Signals | Lists the total count of signals raised during the selected duration. |
| Unique Suspects | Lists the total count of unique suspects during the selected duration. |
| Unique Targets | Lists the total count of unique targets during the selected duration. |
| Unique Detections | Lists the total count of unique detections during the selected duration. |
| Top Suspects | Lists the top unique suspects during the selected duration. |
| Top Targets | Lists the top unique targets during the selected duration. |
| Top Detections | Lists the top unique detections during the selected duration. |
| Duration | Lets you select a time range based on your requirement (see the options below). |
| Global Signals | Displays a global view of all the signals raised across all clusters. |
| View Graph | Displays the graphical view of the signals raised. |

The Duration field offers the following ways to select a time range:

  1. Quick Select: Enter any number and a unit to retrieve the data for that many minutes, hours or days.
  2. Presets: Lists all the available preset options.
  3. Date Range: Select a custom date and time range from the calendar.

The following options are available under Quick Select and Presets:

    • Last 5 minutes: Displays the signals raised during the last 5 minutes.
    • Last 30 minutes: Displays the signals raised during the last thirty minutes.
    • Last one hour: Displays the signals raised during the last one hour.
    • Last one day (default value): Displays the signals raised during the last one day.
    • Last one week: Displays the signals raised during the last week.
    • Last one month: Displays the signals raised during the last one month.

The Threat Signals screen displays the details of each signal raised. Click the dropdown above the grid to filter the signals as follows:

  • Pending Review: Lists signals that are not assigned to any Case or User.
  • Triaged Signals: Lists signals that are assigned to a Case or User.
  • All Signals: Lists all signals that are either assigned or unassigned to a Case or User.


| Field | Description |
| --- | --- |
| Signal | Displays the name of the signal, the date and time when the signal was raised, and the tactic and technique used in the anomaly. |
| Target/Suspect | Displays the target/suspect of the anomaly raised. |
| Source Stream | Displays the Source Stream from which the anomaly was detected. |
| Confidence | Displays the confidence level, i.e. the certainty of the raised signal. |
| Signal Workbook | Displays the name of the Workbook from which the signal was raised. |
| (icon) Add Multiple Signals to Case | Click this to add/assign signals to a case. |
| (icon) | Used to include or exclude entities based on your requirement. |

  • You can click on the workbook to find out what caused it to execute this signal.


  • Check the time travel to understand when this signal was executed. For example, if a signal was executed in the last five minutes, time travel lets you go back and investigate what happened in the last five minutes that triggered the signal, so you can see the list of events that caused the signal to be raised.

Adding Multiple Signals to Case

  • Signals generally coalesce within a rolling window of three hours if all the fields match, including the suspect and target lists.
  • If the time difference is more than three hours but all the other values match, you can select the checkbox to move all those signals into the case.
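As an added illustration (not the product's own code), the following Python models the coalescing rule above together with the incident definition from the introduction: signals with matching name, suspect and target raised within a rolling three-hour window are grouped, and a group counts as an incident if it holds more than one signal or a single signal of the highest severity. The field names, the severity scale and the sample signals are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed illustration of the coalescing rule on this page; field names and
# the severity scale are assumptions, not the product's schema.
WINDOW = timedelta(hours=3)  # rolling window stated in the text
CRITICAL = 4                 # assumed value of the "highest severity"

@dataclass
class Signal:
    name: str          # detection name (the gist of the incident)
    suspect: str
    target: str
    raised_at: datetime
    severity: int      # assumed scale 1 (low) .. 4 (critical)

def coalesce(signals: List[Signal], window: timedelta = WINDOW) -> List[List[Signal]]:
    """Group signals whose name, suspect and target all match and that were raised
    within `window` of the previous matching signal. A larger gap starts a new
    group, which is why the UI offers 'Include similar signals' to pull them in."""
    groups: List[List[Signal]] = []
    open_group: Dict[Tuple[str, str, str], int] = {}  # key -> index into groups
    for s in sorted(signals, key=lambda x: x.raised_at):
        key = (s.name, s.suspect, s.target)
        idx = open_group.get(key)
        if idx is not None and s.raised_at - groups[idx][-1].raised_at <= window:
            groups[idx].append(s)
        else:
            groups.append([s])
            open_group[key] = len(groups) - 1
    return groups

def incidents(signals: List[Signal]) -> List[List[Signal]]:
    """A group is an incident if it holds several signals or a single signal of
    the highest severity, as the page defines it."""
    return [g for g in coalesce(signals) if len(g) > 1 or g[0].severity >= CRITICAL]

# Constructed sample: three brute-force signals (two within 3h, one 3.5h after the
# second), one critical single signal and one low-severity single signal.
T = datetime(2024, 1, 1, 10, 0)
SAMPLE = [
    Signal("Brute force login", "10.0.0.5", "srv-auth-01", T, 2),
    Signal("Brute force login", "10.0.0.5", "srv-auth-01", T + timedelta(hours=1, minutes=30), 2),
    Signal("Brute force login", "10.0.0.5", "srv-auth-01", T + timedelta(hours=5), 2),
    Signal("Lateral movement", "10.0.0.5", "srv-db-02", T + timedelta(minutes=5), CRITICAL),
    Signal("Port scan", "10.0.0.9", "srv-web-03", T + timedelta(minutes=10), 1),
]
```

Running `incidents(SAMPLE)` yields two incidents: the pair of brute-force signals inside the window and the single critical signal; the third brute-force signal falls outside the window and stays a separate, non-incident group, which is the case the checkbox above is for.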

To add multiple signals to a case follow the steps mentioned below.

  • Select the Add Multiple Signals to Case icon; a checkbox is added next to each signal.

  • Select the signals that you want to add to a case.


  • Click Add to Case after selecting the signals; the screen for assigning the signals to a case is displayed.

  • Select or unselect the checkbox Include similar signals from last 1d as required; this checkbox is selected by default.
  • You can search for a recent case and click save to add the selected signals to an existing case, or click the plus sign to create a new case.


| Field | Description |
| --- | --- |
| Name | Enter a name for the new case. |
| Severity | Select a severity level for these signals and the case. |
| (search icon) | Click this icon to search for existing cases. |
| (plus icon) | Click this icon to create a new case. |
| (save icon) | Click this icon to save the case. |
| Handler | Assign a handler to this case. |
Introduced in v9.2.0

How to Tag/Untag a signal as False Positive?

False positives are security alerts that indicate a threat but are in fact non-malicious and not threats.

Refer to the video tag false positive.mov to tag/untag a signal as False Positive.

You can also tag/untag an already raised signal as false positive using the following steps:

  • On the same signal listing page, select the particular signal that you want to tag/untag as false positive.

  • Click the circle-with-minus-sign icon displayed to the right of the Confidence column against the signal and select Tag as False Positive/Untag as False Positive.

| Icon | Description |
| --- | --- |
| (icon) | Use this icon to tag as false positive. |
| (icon) | Use this icon to untag as false positive. |

  • Once tagged as false positive, signals will not be raised from this particular source.
  • All signals tagged as false positive can be viewed under Triaged Signals on the signals list page.
  • Signals that are untagged as False Positive can be viewed under Pending Review on the signals list page.
  • You can also tag/untag multiple signals at a time.
