From 61a566f05cd3718770ab513025a509cc1afd140c Mon Sep 17 00:00:00 2001 From: Michael Cretzman Date: Wed, 19 Feb 2025 14:29:07 -0800 Subject: [PATCH 1/4] updated with new column titles also covered Bulk Actions --- .../threats/security_signals.md | 115 ++++++++++++++---- 1 file changed, 91 insertions(+), 24 deletions(-) diff --git a/content/en/security/application_security/threats/security_signals.md b/content/en/security/application_security/threats/security_signals.md index 9a6c11fa5d551..ea9d987eac52d 100644 --- a/content/en/security/application_security/threats/security_signals.md +++ b/content/en/security/application_security/threats/security_signals.md 
@@ -16,10 +16,30 @@ further_reading: ASM security signals are created when Datadog detects a threat based on a detection rule. View, search, filter, and investigate security signals in the [Signals Explorer][2], or configure [Notification Rules][8] to send signals to third-party tools. -In the [Signals Explorer][2], filter by attributes and facets to find critical threats. Click on a signal to see details about it, including the service owner and attack details. Attack details include the authenticated user and their IP address, what rule they triggered, attack flow, related traces, and other security signals. From this page, you can block IP addresses and users, and also click to create a case and declare an incident. - {{< img src="security/application_security/threats/security_signals/appsec-threat-signals.png" alt="Overview of investigating threats in signals explorer with details side panel">}} +## Signals Explorer columns + +The Signals Explorer displays the following columns. + +Severity +: There are five severity states: **Info**, **Low**, **Medium**, **High**, and **Critical**. **High** and **Critical** indicate a major impact to service availability or active compromise. + +Title +: The name of the signal. Titles might update when new data correlates and changes the impact of the attack. + +Service/Env +: The service and environment identified in the attack. Hover over the service name to link to the service page and code repo, and to see who is on-call for the service. + +Entities +: The attackers and the victims of an attack. Attackers are indentified by IP addresses. Victims are identified as authenticated users. Hover over the IP list and then click an IP to see details such as **Threat Intelligence** and **Security Activity**. + +Triage State +: You can assign a responder and set a triage state for the signal. Available states are **Open**, **Under Review**, and **Archived**. + +Creation Date +: The date when the signal was first created. 
Signals are sorted by date by default. + ## Filter security signals To filter the security signals in the [Signals Explorer][2], use the search query `@workflow.triage.state:`, where `` is the state you want to filter on (`open`, `under_review`, or `archived`). You can also use the **Signal State** facet on the facet panel. @@ -28,8 +48,8 @@ To filter the security signals in the [Signals Explorer][2], use the search quer You can triage a signal by assigning it to a user for further investigation. The assigned user can then track their review by updating the signal's status. -1. On the [Signals Explorer][2] page, select a security signal. -2. On the signal side panel, click the user profile icon and select a user. +1. On the [Signals Explorer][2] page, click the user profile icon in the **Triage State** column. +2. Select a user to assign the signal. 3. To update the status of the security signal, click the triage status dropdown menu and select a status. The default status is **Open**. - **Open**: The signal has not yet been resolved. - **Under Review**: The signal is actively being investigated. From the **Under Review** state, you can move the signal to **Archived** or **Open** as needed. 
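Review bot: In the `@@ -16,10 +16,30 @@` hunk, the new **Entities** definition misspells "identified" as "indentified". The deleted paragraph ("In the [Signals Explorer][2], filter by attributes and facets ...") was the only place this page said that you can block IP addresses and users from a signal, and none of the added column descriptions say where those actions now live; keep that sentence or point readers to the "Review and remediate" section. Minor: the **Creation Date** entry runs two sentences together ("The date when the signal was first created. Signals are sorted by date by default."); the sorting note belongs in its own line under the column list, and the unchanged filter line shows an empty placeholder between the backticks after `@workflow.triage.state:`, which is worth checking in the source file.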
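Review bot: In the `@@ -28,8 +48,8 @@` hunk, the new step 1 makes the **Triage State** column the entry point for assigning a user, but step 3 still says "click the triage status dropdown menu" without saying where that dropdown is; state whether it is also in the **Triage State** column or in the signal panel. The intro sentence still calls it "the signal's status" while the column and its values are called "triage state"; use one term throughout so the steps match the column added in the first hunk.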
@@ -37,22 +57,21 @@ You can triage a signal by assigning it to a user for further investigation. The **Note**: To modify security signals, you must have the `security_monitoring_signals_write` permission. See [Role Based Access Control][9] for more information about Datadog's default roles and granular role-based access control permissions available for Application Security Management. -## Create a case - -Use [Case Management][6] to track, triage, and investigate security signals. - -1. On the [Signals Explorer][2] page, select a security signal. -2. On the signal side panel, select the **Create a case** dropdown. Select **Create a new case**, or **Add to an existing case** to add the signal to an existing case. -3. Enter a title and optional description. -4. Click **Create Case**. - ## Declare an incident Use [Incident Management][4] to create an incident for a security signal. -1. On the [Signals Explorer][2] page, select a security signal. -2. On the signal side panel, click the **Declare Indident** dropdown menu and select **Create an incident**, or **Add to an existing incident**. -3. On the incident creation modal, configure the incident by specifying details such as the severity level and incident commander. +Declare an incident if: + +- An issue is or might be impacting customers. +- You believe an issue (including an internal one) needs to be addressed as an emergency. + +If you don't know whether you should call an incident, notify other users and increase severity appropriately. + +1. On the [Signals Explorer][2] page, select a security signal to open its details panel. +2. On the signal panel, click **Declare Indident** or select the dropdown arrow and select **Add to an existing incident**. +3. When you declare a new incident, in the **Declare Incident** settings, configure the incident by specifying details such as the severity level and incident commander. + 1. Estimate impact. Severity levels go from SEV-1 (critical) to SEV-5 (minor impact). 
When in doubt, always choose the higher severity. 4. Click **Declare Incident**. ## Run a workflow 
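Review bot: In the `@@ -37,22 +57,21 @@` hunk, step 2 spells the button "Declare Indident"; since it is a UI label, the typo will not match the product. Logic point: the hunk removes the whole "Create a case" section (the per-signal flow through the side panel's **Create a case** dropdown) without a replacement or pointer in this hunk, so readers lose the single-signal path; if the only remaining flow is under **Bulk Actions**, say so here. The nested "1. Estimate impact." under step 3 is the only sub-step and would read better as a plain sentence, and "increase severity appropriately" should name what is being raised (the incident's severity level).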
@@ -60,21 +79,69 @@ Use [Incident Management][4] to create an incident for a security signal. Use [Workflow Automation][5] to manually trigger a workflow for a security signal. 1. Make sure the workflow you want to run has a security trigger. -2. On the [Signals Explorer][2] page, select a security signal. -3. Scroll down to the **What is Workflow Automation** section. -4. Click **Run Workflow**. -5. On the workflow modal, select the workflow you want to run. Depending on the workflow, you may be required to enter additional input parameters. +2. On the [Signals Explorer][2] page, open a security signal. +3. In the **Respond** section, click **Run Workflow**. +5. In **Run a workflow**, select the workflow you want to run or click **New Workflow**. + - Depending on the workflow you select, you might be required to enter additional input parameters. + - If you selected **New Workflow**, Run a Security Workflow opens. To learn more about workflows, see [Workflow Automation][5]. 6. Click **Run**. ## Review and remediate -1. On the [Signals Explorer][2] page, select a security signal. -2. On the signal side panel, click each of the tabs, such as **Attack Flow**, **Activity Summary**, and **Rule Details**, to review the information. -3. Review the **Suggested Next Steps**, and take action: +1. On the [Signals Explorer][2] page, open a security signal. +2. In the signal details, view each of the sections, such as **What Happened**, **Activity Summary**, and **Rule Details**. +3. Review the **Next Steps** and take action: - Click **Block all Attacking IPs** (by specific duration or permanently). - - Click **Automated Attacker Blocking** (based on [detection][10] rules). + - Click **Automated Attacker Blocking** (based on [detection][10] rules). This setting requires the Application Security Management **Protect Write** permission. - Click **[Block with Edge WAF][11]**. 
+## Bulk actions + +When you select one or more signals, you can use **Bulk Actions** to perform the following. + +### Set state + +Set the signal(s) state to **Open**, **Under Review**, or **Archived**. + +### Assign the signal to users + +Select **Assign selection** and then select the user(s) to assign to the signal. + +Select **Remove all assignments** to reset the signal assignment to none. + +### Case management + +Datadog [Case Management][6] offers a centralized place to triage, track, and remediate issues detected by Datadog and third-party integrations. + +1. On the [Signals Explorer][2] page, select a security signal. +2. In **Bulk Actions**, select **Create a case**. +3. Select **Create a case** or **Add to an existing case** to add the signal to an existing case. +4. Enter a title and optional description. +5. Click **Create Case**. + +When you click **Create case** you are directed the Case Management and the project you selected. + +## Saved views + +You can save different configurations of the Signals Explorer as views. For example, you could filter the explorer to show all unassigned signals and then save that as a view. + +When a configuration is saved as a view, you and your teammates can reuse it later. + +A view contains the explorer's current selections for: + +- Time and query +- Displayed columns and sorting +- Analytics aggregation settings +- Timeline visibility +- Displayed facets +- Aggregate by detection rule + +1. To save a view, configure the explorer to display the view you want and then click **Save**. +2. Enter a name for the view, and then select the teams you want to share the view with. +3. Click **Save**. + +To see all of the saved views, click **Views** next to the **Signals Explorer** page title. + ## Further Reading {{< partial name="whats-next/whats-next.html" >}} From f7404d0b29e3f47112689a4abceb09acaf2e6699 Mon Sep 17 00:00:00 2001 
From: Michael Cretzman <58786311+michaelcretzman@users.noreply.github.com> Date: Thu, 20 Feb 2025 19:41:38 -0800 Subject: [PATCH 2/4] Apply suggestions from code review Incorporating peer edit Co-authored-by: Janine Chan <64388808+janine-c@users.noreply.github.com> --- .../application_security/threats/security_signals.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/content/en/security/application_security/threats/security_signals.md b/content/en/security/application_security/threats/security_signals.md index ea9d987eac52d..3d57ccc1e46fb 100644 --- a/content/en/security/application_security/threats/security_signals.md +++ b/content/en/security/application_security/threats/security_signals.md @@ -32,7 +32,7 @@ Service/Env : The service and environment identified in the attack. Hover over the service name to link to the service page and code repo, and to see who is on-call for the service. Entities -: The attackers and the victims of an attack. Attackers are indentified by IP addresses. Victims are identified as authenticated users. Hover over the IP list and then click an IP to see details such as **Threat Intelligence** and **Security Activity**. +: The attackers and the victims of an attack. Attackers are identified by IP addresses. Victims are identified as authenticated users. Hover over the IP list and then click an IP to see details such as **Threat Intelligence** and **Security Activity**. Triage State : You can assign a responder and set a triage state for the signal. Available states are **Open**, **Under Review**, and **Archived**. 
@@ -64,12 +64,12 @@ Use [Incident Management][4] to create an incident for a security signal. Declare an incident if: - An issue is or might be impacting customers. -- You believe an issue (including an internal one) needs to be addressed as an emergency. +- You believe an issue (even if it's internal) needs to be addressed as an emergency. If you don't know whether you should call an incident, notify other users and increase severity appropriately. 1. On the [Signals Explorer][2] page, select a security signal to open its details panel. -2. On the signal panel, click **Declare Indident** or select the dropdown arrow and select **Add to an existing incident**. +2. On the signal panel, click **Declare Incident** or select the dropdown arrow and select **Add to an existing incident**. 3. When you declare a new incident, in the **Declare Incident** settings, configure the incident by specifying details such as the severity level and incident commander. 1. Estimate impact. Severity levels go from SEV-1 (critical) to SEV-5 (minor impact). When in doubt, always choose the higher severity. 4. Click **Declare Incident**. @@ -81,10 +81,10 @@ Use [Workflow Automation][5] to manually trigger a workflow for a security signa 1. Make sure the workflow you want to run has a security trigger. 2. On the [Signals Explorer][2] page, open a security signal. 3. In the **Respond** section, click **Run Workflow**. -5. In **Run a workflow**, select the workflow you want to run or click **New Workflow**. +4. In **Run a workflow**, select the workflow you want to run or click **New Workflow**. - Depending on the workflow you select, you might be required to enter additional input parameters. - If you selected **New Workflow**, Run a Security Workflow opens. To learn more about workflows, see [Workflow Automation][5]. -6. Click **Run**. +5. Click **Run**. ## Review and remediate 
@@ -101,7 +101,7 @@ When you select one or more signals, you can use **Bulk Actions** to perform the ### Set state -Set the signal(s) state to **Open**, **Under Review**, or **Archived**. +Set the triage state to **Open**, **Under Review**, or **Archived**. ### Assign the signal to users From a16bd4675593e5a93f6eec7dfc17a78eafd2cd29 Mon Sep 17 00:00:00 2001 From: Michael Cretzman <58786311+michaelcretzman@users.noreply.github.com> Date: Thu, 20 Feb 2025 19:46:48 -0800 Subject: [PATCH 3/4] Apply suggestions from code review more peer review suggestions --- .../application_security/threats/security_signals.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/content/en/security/application_security/threats/security_signals.md b/content/en/security/application_security/threats/security_signals.md index 3d57ccc1e46fb..832b4e7caad04 100644 --- a/content/en/security/application_security/threats/security_signals.md +++ b/content/en/security/application_security/threats/security_signals.md @@ -26,7 +26,7 @@ Severity : There are five severity states: **Info**, **Low**, **Medium**, **High**, and **Critical**. **High** and **Critical** indicate a major impact to service availability or active compromise. Title -: The name of the signal. Titles might update when new data correlates and changes the impact of the attack. +: The name of the signal. Titles might update when new data is correlated, altering the assessed impact of the attack. Service/Env : The service and environment identified in the attack. Hover over the service name to link to the service page and code repo, and to see who is on-call for the service. 
@@ -66,7 +66,7 @@ Declare an incident if: - An issue is or might be impacting customers. - You believe an issue (even if it's internal) needs to be addressed as an emergency. -If you don't know whether you should call an incident, notify other users and increase severity appropriately. +If you don't know whether you should declare an incident, notify other users and increase severity appropriately. 1. On the [Signals Explorer][2] page, select a security signal to open its details panel. 2. On the signal panel, click **Declare Incident** or select the dropdown arrow and select **Add to an existing incident**. @@ -89,7 +89,7 @@ Use [Workflow Automation][5] to manually trigger a workflow for a security signa ## Review and remediate 1. On the [Signals Explorer][2] page, open a security signal. -2. In the signal details, view each of the sections, such as **What Happened**, **Activity Summary**, and **Rule Details**. +2. In the signal details, view each of the sections, such as **What Happened**, **Activity Summary**, and **Detection Rule**. 3. Review the **Next Steps** and take action: - Click **Block all Attacking IPs** (by specific duration or permanently). - Click **Automated Attacker Blocking** (based on [detection][10] rules). This setting requires the Application Security Management **Protect Write** permission. @@ -125,7 +125,7 @@ When you click **Create case** you are directed the Case Management and the proj You can save different configurations of the Signals Explorer as views. For example, you could filter the explorer to show all unassigned signals and then save that as a view. -When a configuration is saved as a view, you and your teammates can reuse it later. +When a configuration is saved as a view, you and your teammates can use it later. A view contains the explorer's current selections for: From 73ed1ec8bbf6c9cccc64d85d5d150a585c38d703 Mon Sep 17 00:00:00 2001 
From: Michael Cretzman <58786311+michaelcretzman@users.noreply.github.com> Date: Thu, 20 Feb 2025 19:48:05 -0800 Subject: [PATCH 4/4] Update content/en/security/application_security/threats/security_signals.md Co-authored-by: Janine Chan <64388808+janine-c@users.noreply.github.com> --- .../security/application_security/threats/security_signals.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/security/application_security/threats/security_signals.md b/content/en/security/application_security/threats/security_signals.md index 832b4e7caad04..86445e7a1b662 100644 --- a/content/en/security/application_security/threats/security_signals.md +++ b/content/en/security/application_security/threats/security_signals.md @@ -119,7 +119,7 @@ Datadog [Case Management][6] offers a centralized place to triage, track, and re 4. Enter a title and optional description. 5. Click **Create Case**. -When you click **Create case** you are directed the Case Management and the project you selected. +When you click **Create Case**, you are directed to Case Management and the project you selected. ## Saved views
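Review bot: In patch 1/4, hunk `@@ -60,21 +79,69 @@`, the "Run a workflow" list jumps from step 3 to step 5 (step 4 is missing; patch 2/4 renumbers it, so the series is fine, but the first commit is not). In the new "Case management" subsection, step 2 ("In **Bulk Actions**, select **Create a case**") and step 3 ("Select **Create a case** or **Add to an existing case**") name the same menu item twice; the second was "Create a new case" in the deleted section and should keep that label. "you are directed the Case Management" is missing "to" (fixed in patch 4/4). The added sentence "This setting requires the Application Security Management **Protect Write** permission" introduces a display name for a permission while the note above uses the identifier form `security_monitoring_signals_write`; give both in the same form so readers can map them in RBAC. In "Saved views", the bullet "Aggregate by detection rule" is phrased as an action while the other bullets are settings; reword it as a setting.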