Cloud Security Management Threats (CSM Threats) security signals are created when Datadog detects a threat based on a security rule. View, search, filter, and investigate security signals in the Signals Explorer, or configure Notification Rules to send signals to third-party tools.

To modify security signals, you must have the security_monitoring_signals_write permission. See Role Based Access Control for more information about Datadog’s default roles and granular role-based access control permissions available for Cloud Security Management.

CSM Signals Explorer page

Filter security signals

To filter the security signals in the Signals Explorer, use the search query @workflow.triage.state:<status>, where <status> is the state you want to filter on (open, under_review, or archived). You can also use the Signal State facet on the facet panel.

Triage a signal

You can triage a signal by assigning it to a user for further investigation. The assigned user can then track their review by updating the signal’s status.

  1. On the Signals Explorer, select a security signal.
  2. On the signal side panel, click the user profile icon and select a user.
  3. To update the status of the security signal, click the triage status dropdown menu and select a status. The default status is Open.
    • Open: The signal has not yet been resolved.
    • Under Review: The signal is actively being investigated. From the Under Review state, you can move the signal to Archived or Open as needed.
    • Archived: The detection that caused the signal has been resolved. From the Archived state, you can move the signal back to Open if it’s within 30 days of when the signal was originally detected.

Create a case

Case Management is not supported for your selected Datadog site ().

Use Case Management to track, triage, and investigate security signals.

  1. On the Signals Explorer, select a security signal.
  2. On the signal side panel, click the Escalate Investigation dropdown menu and select Create a case. Alternatively, select Add to an existing case to add the signal to an existing case.
  3. Enter a title and optional description.
  4. Click Create Case.

Declare an incident

Use Incident Management to create an incident for a security signal.

  1. On the Signals Explorer, select a security signal.
  2. On the signal side panel under Next Steps, click the Show all actions dropdown menu and select Declare incident.
  3. Alternatively, select Add to incident to add the signal to an existing incident.
  4. On the incident creation modal, configure the incident by specifying details such as the severity level and incident commander.
  5. Click Declare Incident.

Run a workflow

Use Workflow Automation to manually trigger a workflow for a security signal. See Trigger a Workflow from a Security Signal for more information.

  1. On the Signals Explorer, select a security signal.
  2. On the signal side panel, click the Workflows tab.
  3. Click Run Workflow.
  4. On the workflow modal, select the workflow you want to run. The workflow must have a security trigger to appear in the list. Depending on the workflow, you may be required to enter additional input parameters.
  5. Click Run.

Further Reading

PREVIEWING: may/unit-testing