Signals

A signal is created when there's a match on a rule, scheduled rule, or correlation rule

Overview

Correlation rules are in open beta starting with Panther version 1.108, and are available to all customers. Please share any bug reports and feature requests with your Panther support team.

A signal is generated when there is a match on a rule, scheduled rule, or correlation rule. Signals are not generated for policy failures.

A signal represents an action (or a group or series of actions) taking place in your environment that you want to know about, but is not—at least on its own—worthy of generating an alert. Signals are often referred to as "security-relevant events."

Signals are different from rule matches, which are only created when alerting is enabled on a detection. Learn more about the difference between signals, rule matches, and alerts here.

Signal use cases

Signals are a building block of correlation rules. In a correlation rule, you specify certain rules, scheduled rules, and correlation rules for which one or more signals must have been generated (or not generated) in a certain time period (amongst other optional criteria) to qualify as a match.
- See these correlation rule examples, which reference both rules that have alerting enabled and rules that have alerting disabled.
You may also want to search for signals in the panther_signals.public database in Search and Data Explorer.

How to create a rule that only produces signals

To create a rule that only produces signals, not rule matches (or alerts), create a rule and configure it to disable alerting.

To create a rule in the Panther Console that only produces signals (not rule matches):

Create a rule, scheduled rule, or correlation rule in the Panther Console.
Set the Create Alert toggle to OFF.
- This will remove alert fields from the detection editor (including Severity, Runbook, Deduplication Period, etc.).

To create a rule in the CLI workflow that only produces signals (not rule matches):

Create a rule, scheduled rule, or correlation rule locally.
Add the CreateAlert field, and set its value to false.
- The default value for CreateAlert, if not set, is true.

Example:

AnalysisType: rule
RuleID: 'GitHub.Repo.Archived'
DisplayName: 'GitHub.Repo.Archived'
Enabled: true
CreateAlert: false
AlertContext:
  - KeyName: repo
    KeyValue:
      KeyPath: repo
Detection:
  - KeyPath: action
    Condition: Equals
    Value: repo.archived

How to view signals

How to view signals for a detection

To view signals for a certain detection, use the View Signals in Search button on its details page. It's also possible to view signals by constructing your own query in Search or Data Explorer.

In the left-hand navigation bar of your Panther Console, click Build > Detections.
Click the name of the detection for which you'd like to view signals.
Towards the upper-right corner of the detection's details page, click View Signals in Search.
- The Search page will be opened with a pre-populated filter expression for the panther_signals.public database. Click Search.

How to view all signals

You can view signals in Search or Data Explorer.

View signals in Search

In the left-hand navigation bar of your Panther Console, click Investigate > Search.
In the database filter, select Signals.
In the table filter, select Correlation Signals.
- Optionally create additional key/value filter expressions to narrow your search results.
Click Search.

View signals in Data Explorer

In the left-hand navigation bar of your Panther Console, click Investigate > Data Explorer.
Write a SQL query that selects the columns you are interested in from the panther_signals.public.correlation_signals table.
- For example:
  SELECT tag FROM panther_signals.public.correlation_signals LIMIT 10;
Click Run Search.

PreviousCorrelation Rules (Beta)NextCorrelation Rule Reference

Last updated 25 days ago