Signals
When an enabled security detection rule detects an anomaly, a corresponding event record is generated. Signals give you a single, centralized entry point to these records, so that you can carry out targeted analysis and response operations in later real-world scenarios.
"Signals" can be generated from various data sources, such as:
- A firewall detecting an access attempt from a known malicious IP
- Endpoint detection and response software discovering a process attempting to modify critical system files
- Cloud platform audit logs recording a user performing high-privilege operations during non-working hours
- An identity authentication system detecting multiple failed login attempts
- ...
A single type of signal may not constitute a threat on its own, but when multiple related signals are correlated and analyzed together in the Explorer, they may raise an alarm.
Data Display
The Signal Explorer provides a range of professional analysis views based on lists and charts.
It displays the anomaly data collected in the current workspace over the last two days.
Data is presented as Top Lists, Time Series, Pie Charts, Treemaps, and Grouped Table Charts, using the count, last, first, and count_distinct aggregation modes, and is grouped and filtered according to the selected "by" conditions.
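The aggregation modes and "by" grouping described above, implemented over a handful of constructed signal records as an added illustration (this is not the product's own code; the signal field names "time", "source", "host" and "rule" and the sample values are assumptions made for the example):

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample signals for illustration only; field names are assumed.
SIGNALS = [
    {"time": "2024-05-01T09:00:00", "source": "firewall", "host": "web-01", "rule": "known-malicious-ip"},
    {"time": "2024-05-01T09:05:00", "source": "firewall", "host": "web-02", "rule": "known-malicious-ip"},
    {"time": "2024-05-01T10:00:00", "source": "edr", "host": "web-01", "rule": "critical-file-modify"},
    {"time": "2024-05-01T23:30:00", "source": "cloud-audit", "host": "admin-console", "rule": "privileged-op-offhours"},
    {"time": "2024-05-02T02:00:00", "source": "idp", "host": "vpn-gw", "rule": "multiple-failed-logins"},
    {"time": "2024-05-02T02:10:00", "source": "idp", "host": "vpn-gw", "rule": "multiple-failed-logins"},
]


def filter_signals(signals, conditions):
    """Keep only signals whose fields equal every value in `conditions`."""
    return [s for s in signals if all(s.get(k) == v for k, v in conditions.items())]


def aggregate(signals, mode, by, field=None):
    """Group signals by the `by` fields and apply one aggregation mode.

    mode:  "count" | "first" | "last" | "count_distinct"
    field: the field whose value is taken for first/last/count_distinct
    Returns {group_key_tuple: aggregated_value}.
    """
    groups = defaultdict(list)
    for s in signals:
        groups[tuple(s.get(b) for b in by)].append(s)

    result = {}
    for key, items in groups.items():
        # Order by time so that first/last are well defined.
        items = sorted(items, key=lambda s: datetime.fromisoformat(s["time"]))
        if mode == "count":
            result[key] = len(items)
        elif mode == "first":
            result[key] = items[0][field]
        elif mode == "last":
            result[key] = items[-1][field]
        elif mode == "count_distinct":
            result[key] = len({s[field] for s in items})
        else:
            raise ValueError(f"unsupported aggregation mode: {mode}")
    return result


def top_list(signals, by, limit=3):
    """Top List view: groups ranked by count, highest first, ties broken by key."""
    counts = aggregate(signals, "count", by)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:limit]


if __name__ == "__main__":
    print(top_list(SIGNALS, ["source"]))
    print(aggregate(SIGNALS, "count_distinct", ["source"], field="host"))
    print(aggregate(filter_signals(SIGNALS, {"host": "web-01"}), "last", ["host"], field="rule"))
```

Note that count_distinct counts unique hosts per source (the two idp signals come from one host), while count simply counts records; choosing the wrong one for a Top List changes which source ranks first.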
Signal Details
Click on specific data in the Explorer to slide out the corresponding details page.
You can view the basic attributes, extended fields, anomaly records, related signals, and associated views of this data.
Anomaly Records
Displays SIEM event data with the same dimension_tags within three days before and after the current event occurred.
Note
If there are no data records with the same dimension_tags, the system will display event data with the same df_monitor_checker_id.