Traditionally, Signals consisted of many rules and pieces of logic that detected patterns, and an incident was created on every single deviation. This generated a large volume of incidents and made it impractical to address each one. Today a signal is instead a unit of intelligence about an event: an individual event that indicates suspicious or malicious activity but is not, by itself, an incident. A collection of related signals, or a single signal of the highest severity, is treated as an incident. Analysts therefore do not have to investigate every alert; the raw alerts are delegated to signals, and each signal has a name that gives the gist of what was detected.
Benefits of Signals
- Incidents that have been identified are tracked and analysed automatically.
- All the context around an incident is captured in detail and can be used at multiple levels of the investigation.
- Analysts can visualize the relationship between the who, how and where of the whole attack process.
- Signals map to the MITRE ATT&CK framework: each signal carries a detection tactic and a detection technique that correspond to a MITRE tactic and technique.
- A connected graph links related signals for you and presents the larger picture.
- Connected graphs reduce the number of items to investigate: analysts investigate the graphs instead of each individual signal.
What are Signals?
A signal points to a potential threat; it is not an incident by itself. Depending on its confidence level, you can quickly decide whether it represents an actual incident. You can also link different signals together and search for patterns across them to establish whether an incident actually occurred. Signals are listed as a result of real-time correlation.
Signals raised from a workbook are displayed here automatically, and the list is updated when you refresh the page. Once you see a signal, you can click through to its workbook to find out what caused the workbook to raise it.
How to view Signals?
Click the Signals icon on the left navigation bar of the Home screen; the following screen will be displayed.
The Threat Signals screen lists all the signals raised from workbooks. Each entry shows its severity by colour code together with its risk score.
Click refresh to update the page; with real-time correlation the list reflects what is happening now.
The Threat Signals screen displays the following details:

| Field | Description |
|---|---|
| New Signals | Total count of signals raised during the selected duration. |
| Unique suspects | Total count of unique suspects during the selected duration. |
| Unique targets | Total count of unique targets during the selected duration. |
| Unique detections | Total count of unique detections during the selected duration. |
| Top Suspects | The top unique suspects during the selected duration. |
| Top Targets | The top unique targets during the selected duration. |
| Top Detections | The top unique detections during the selected duration. |
| Duration | Lets you select a time range based on your requirement. |
| Global Signals | Displays a global view of all the signals raised across all clusters. |
| View Graph | Displays the graphical view of the signals raised. |
The Threat Signals screen displays the details of each signal raised. Click the dropdown above the grid to filter the signals as follows:
- Pending Review: Lists signals that are not assigned to any Case or User.
- Triaged Signals: Lists signals that are assigned to a Case or User.
- All Signals: Lists all signals that are either assigned or unassigned to a Case or User.
| Column | Description |
|---|---|
| Signal | Name of the signal, the date and time when it was raised, and the tactic and technique of the anomaly. |
| Target/Suspect | The target and suspect of the anomaly. |
| Source Stream | The source stream in which the anomaly was detected. |
| Confidence | The confidence level, i.e. how certain the detection is. |
| Signal Workbook | The workbook from which the signal was raised. |
| Add Multiple Signals to Case | Click this to add or assign signals to a case. |
| (filter icon) | Used to include or exclude entities based on your requirement. |
- Click the workbook to find out what caused it to raise this signal.
- Use time travel to see when the signal was raised. For example, if a signal was raised in the last five minutes, time travel lets you go back and examine what happened in those five minutes, so you can see the list of events that caused the signal.
Adding Multiple Signals to a Case
- Signals coalesce automatically within a rolling window of three hours when all their fields match, including the suspect and target lists.
- When matching signals are separated by more than three hours, they are not coalesced automatically; select the Include similar signals checkbox described below to move all of them into the same case.
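The coalescing rule above, and the connected graph from the Benefits section, as an added illustration. This is example code written for this page, not the product's own implementation: the Signal fields, the grouping key (name, tactic, technique, suspect, target) taken to mean "all fields match", the sample signals and the MITRE technique identifiers attached to them are all constructed assumptions. The wider one-day window stands in for the "Include similar signals from last 1d" checkbox.

```python
"""Added example (not the product's own code): coalesce signals into groups
using the three-hour rolling window described above, then link groups that
share a suspect or target into a connected graph. The Signal fields, the
grouping key and the sample data are constructed assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

ROLLING_WINDOW = timedelta(hours=3)          # automatic coalescing window
INCLUDE_SIMILAR_WINDOW = timedelta(days=1)   # "Include similar signals from last 1d"


@dataclass(frozen=True)
class Signal:
    name: str          # gist of the detection
    tactic: str        # MITRE ATT&CK tactic the detection maps to
    technique: str     # MITRE ATT&CK technique id (assumed format)
    suspect: str
    target: str
    raised_at: datetime

    @property
    def key(self):
        # Assumption: "all fields match" means these five fields are equal.
        return (self.name, self.tactic, self.technique, self.suspect, self.target)


@dataclass
class Group:
    """Signals that coalesced together: a candidate case."""
    key: tuple
    signals: list = field(default_factory=list)

    @property
    def last_seen(self) -> datetime:
        return max(s.raised_at for s in self.signals)

    @property
    def entities(self) -> set:
        return {s.suspect for s in self.signals} | {s.target for s in self.signals}


def coalesce(signals, window=ROLLING_WINDOW):
    """Merge matching signals while each arrives within `window` of the
    group's most recent signal (a rolling window). A matching signal that
    arrives after a longer gap opens a new group; pass a wider window to
    pull such stragglers in, as the checkbox does."""
    groups = []
    for s in sorted(signals, key=lambda x: x.raised_at):
        dest = None
        for g in reversed(groups):             # newest matching group wins
            if g.key == s.key:
                if s.raised_at - g.last_seen <= window:
                    dest = g
                break                          # newest match is stale: new group
        if dest is None:
            dest = Group(s.key)
            groups.append(dest)
        dest.signals.append(s)
    return groups


def connected_graph(groups):
    """Union groups that share any suspect or target; returns the components
    as lists of groups, so an analyst reviews one component per attack."""
    parent = list(range(len(groups)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    for i in range(len(groups)):
        for j in range(i + 1, len(groups)):
            if groups[i].entities & groups[j].entities:
                parent[find(i)] = find(j)
    components = {}
    for i, g in enumerate(groups):
        components.setdefault(find(i), []).append(g)
    return list(components.values())


def signal_count(groups):
    return sum(len(g.signals) for g in groups)


# Constructed sample: a brute-force burst, a repeat of it 3.5 h later, lateral
# movement from the attacked host, and one unrelated signal.
T0 = datetime(2024, 1, 1, 9, 0)
SAMPLE_SIGNALS = [
    Signal("SSH brute force", "Credential Access", "T1110", "10.0.0.5", "srv-db", T0),
    Signal("SSH brute force", "Credential Access", "T1110", "10.0.0.5", "srv-db", T0 + timedelta(hours=1, minutes=30)),
    Signal("SSH brute force", "Credential Access", "T1110", "10.0.0.5", "srv-db", T0 + timedelta(hours=5)),
    Signal("Admin share access", "Lateral Movement", "T1021", "srv-db", "srv-web", T0 + timedelta(hours=2)),
    Signal("Macro spawned shell", "Execution", "T1204", "192.168.1.9", "ws-07", T0 + timedelta(hours=3)),
]

if __name__ == "__main__":
    for window in (ROLLING_WINDOW, INCLUDE_SIMILAR_WINDOW):
        groups = coalesce(SAMPLE_SIGNALS, window)
        print(f"window={window}: {len(groups)} groups from {signal_count(groups)} signals")
        for comp in connected_graph(groups):
            print("  component entities:", sorted(set().union(*(g.entities for g in comp))))
```

With the default three-hour window the third brute-force signal lands in its own group because it arrived 3.5 hours after the previous one, which is exactly the situation the checkbox is for; with the one-day window it merges. Either way the graph ties the brute force and the lateral movement together through srv-db, leaving the unrelated workstation signal as a separate component.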
To add multiple signals to a case, follow the steps below.
- Click the Add Multiple Signals to Case icon; a checkbox appears next to each signal.
- Select the signals that you want to add to a case.
- Click Add to Case; the following screen will be displayed.
- Select or clear the checkbox Include similar signals from last 1d as required. It is selected by default.
- Search for a recent case and click save to add the selected signals to an existing case, or click the plus sign to create a new case.
| Field | Description |
|---|---|
| Name | Enter a name for the new case. |
| Severity | Select a severity level for these signals and the case. |
| (search icon) | Click this icon to search for existing cases. |
| (plus icon) | Click this icon to create a new case. |
| (save icon) | Click this icon to save the case. |
| Handler | Assign a handler to this case. |
How to Tag/Untag a Signal as a False Positive?
False positives are alerts that indicate a threat where the activity is in fact benign and poses no threat.
Refer to this video to tag/untag a signal as a false positive:
You can also tag or untag an already raised signal as a false positive with the following steps:
- On the signal listing page, select the signal that you want to tag or untag.
- Click the circle-with-minus icon to the right of the Confidence column for that signal and select Tag as False Positive or Untag as False Positive.
| Icon | Description |
|---|---|
| (tag icon) | Use this icon to tag a signal as a false positive. |
| (untag icon) | Use this icon to untag a signal as a false positive. |
- Once a signal is tagged as a false positive, signals will no longer be raised from that source. Confirm that the source is genuinely benign before tagging, because later detections from it will be suppressed as well.
- All signals tagged as false positives can be viewed under Triaged Signals on the signals list page.
- Signals untagged as false positives return to the Pending Review list.
- You can tag or untag multiple signals at a time.