Signals

A signal is created when there's a match on a rule, scheduled rule, or correlation rule

Overview

Correlation rules are in open beta starting with Panther version 1.108, and are available to all customers. Please share any bug reports and feature requests with your Panther support team.

A signal is generated when there is a match on a rule, scheduled rule, or correlation rule. Signals are not generated for policy failures.

A signal represents an action (or a group or series of actions) taking place in your environment that you want to know about, but is not—at least on its own—worthy of generating an alert. Signals are often referred to as "security-relevant events."

Signals are different from rule matches, which are only created when alerting is enabled on a detection. Learn more about the difference between signals, rule matches, and alerts here.

Noisy rules that generate significant Signal volume (i.e. more than 1,000 in an hour) may increase your Snowflake compute costs. To learn how to make Signals more cost-efficient, see the guidelines in Making Signals More Efficient, below.

Signal use cases

Signals are a building block of correlation rules. In a correlation rule, you specify certain rules, scheduled rules, and correlation rules for which one or more signals must have been generated (or not generated) in a certain time period (amongst other optional criteria) to qualify as a match.
- See these correlation rule examples, which reference both rules that have alerting enabled and rules that have alerting disabled.
You may also want to search for signals in the panther_signals.public database in Search and Data Explorer.

How to create a rule that only produces signals

To create a rule that only produces signals, not rule matches (or alerts), create a rule and configure it to disable alerting.

To create a rule in the Panther Console that only produces signals (not rule matches):

Create a rule, scheduled rule, or correlation rule in the Panther Console.
Set the Create Alert toggle to OFF.
- This will remove alert fields from the detection editor (including Severity, Runbook, Deduplication Period, etc.).

To create a rule in the CLI workflow that only produces signals (not rule matches):

Create a rule, scheduled rule, or correlation rule locally.
Add the CreateAlert field, and set its value to false.
- The default value for CreateAlert, if not set, is true.

Example:

AnalysisType: rule
RuleID: 'GitHub.Repo.Archived'
DisplayName: 'GitHub.Repo.Archived'
Enabled: true
CreateAlert: false
AlertContext:
  - KeyName: repo
    KeyValue:
      KeyPath: repo
Detection:
  - KeyPath: action
    Condition: Equals
    Value: repo.archived

How to view signals

How to view signals for a detection

To view signals for a certain detection, use the View Signals in Search button on its details page. It's also possible to view signals by constructing your own query in Search or Data Explorer.

In the left-hand navigation bar of your Panther Console, click Detections.
Click the name of the detection for which you'd like to view signals.
Towards the upper-right corner of the detection's details page, click View Signals in Search.
- The Search page will be opened with a pre-populated filter expression for the panther_signals.public database. Click Search.

How to view all signals

You can view signals in Search or Data Explorer.

View signals in Search

In the left-hand navigation bar of your Panther Console, click Investigate > Search.
In the database filter, select Signals.
In the table filter, select Correlation Signals.
- Optionally create additional key/value filter expressions to narrow your search results.
Click Search.

View signals in Data Explorer

In the left-hand navigation bar of your Panther Console, click Investigate > Data Explorer.
Write a SQL query that selects the columns you are interested in from the panther_signals.public.correlation_signals table.
- For example:
  SELECT tag FROM panther_signals.public.correlation_signals LIMIT 10;
Click Run Search.

Making signals more efficient

A signal is generated whenever there is a match on a detection. Making signals more efficient, then, means making the detection itself more efficient, or narrowing its scope.

Step 1: Identify the detections generating the most signals

Follow the steps above to view all signals in Search.
Click Visualizations to view the summary chart for Rule ID.
- Ensure the chart is sorted descending.
Take note of the rule IDs at the top of the chart—these are the detections producing the most signals (within the configured time period).

Step 2: Tune the detections generating the most signals

After you have identified the detections producing the most signals in Step 1, you can tune them by narrowing their scope. Below are some common approaches to narrowing detection scope:

Add trusted IPs to an allowlist: Explicitly exclude known "good" IP addresses, such as your organization's proxy servers or cloud service providers.
Tune thresholds: Adjust frequency and volume thresholds for events like failed logins or data transfers to reduce false positives without missing real threats.
Leverage context: Incorporate additional context such as time of day, user roles, or geolocation to improve rule accuracy and reduce false positives.
Implement multi-factor rules: Combine multiple indicators or conditions in a single rule to increase precision and reduce false positives.

PreviousCorrelation Rules (Beta)NextCorrelation Rule Reference

Last updated 2 months ago

How to create a rule that only produces signals

To create a rule that only produces signals, not rule matches (or alerts), create a rule and configure it to disable alerting.

To create a rule in the Panther Console that only produces signals (not rule matches):

Create a rule, scheduled rule, or correlation rule in the Panther Console.
Set the Create Alert toggle to OFF.
- This will remove alert fields from the detection editor (including Severity, Runbook, Deduplication Period, etc.).

To create a rule in the CLI workflow that only produces signals (not rule matches):

Create a rule, scheduled rule, or correlation rule locally.
Add the CreateAlert field, and set its value to false.
- The default value for CreateAlert, if not set, is true.

Example:

AnalysisType: rule
RuleID: 'GitHub.Repo.Archived'
DisplayName: 'GitHub.Repo.Archived'
Enabled: true
CreateAlert: false
AlertContext:
  - KeyName: repo
    KeyValue:
      KeyPath: repo
Detection:
  - KeyPath: action
    Condition: Equals
    Value: repo.archived

How to view signals

How to view signals for a detection

To view signals for a certain detection, use the View Signals in Search button on its details page. It's also possible to view signals by constructing your own query in Search or Data Explorer.

In the left-hand navigation bar of your Panther Console, click Detections.

Click the name of the detection for which you'd like to view signals.

Towards the upper-right corner of the detection's details page, click View Signals in Search.

The Search page will be opened with a pre-populated filter expression for the panther_signals.public database. Click Search.

How to view all signals

You can view signals in Search or Data Explorer.

View signals in Search

In the left-hand navigation bar of your Panther Console, click Investigate > Search.
In the database filter, select Signals.
In the table filter, select Correlation Signals.
- Optionally create additional key/value filter expressions to narrow your search results.
Click Search.

View signals in Data Explorer

In the left-hand navigation bar of your Panther Console, click Investigate > Data Explorer.
Write a SQL query that selects the columns you are interested in from the panther_signals.public.correlation_signals table.
- For example:
  SELECT tag FROM panther_signals.public.correlation_signals LIMIT 10;
Click Run Search.

Making signals more efficient

A signal is generated whenever there is a match on a detection. Making signals more efficient, then, means making the detection itself more efficient, or narrowing its scope.

Step 1: Identify the detections generating the most signals

Follow the steps above to view all signals in Search.

Add the p_rule_id field as a column in the results table by following the instructions in How to add a column in the Search results table.

Click Visualizations to view the summary chart for Rule ID.

Ensure the chart is sorted descending.

Take note of the rule IDs at the top of the chart—these are the detections producing the most signals (within the configured time period).

Step 2: Tune the detections generating the most signals

After you have identified the detections producing the most signals in Step 1, you can tune them by narrowing their scope. Below are some common approaches to narrowing detection scope:

Add trusted IPs to an allowlist: Explicitly exclude known "good" IP addresses, such as your organization's proxy servers or cloud service providers.

Tune thresholds: Adjust frequency and volume thresholds for events like failed logins or data transfers to reduce false positives without missing real threats.

Leverage context: Incorporate additional context such as time of day, user roles, or geolocation to improve rule accuracy and reduce false positives.

Implement multi-factor rules: Combine multiple indicators or conditions in a single rule to increase precision and reduce false positives.