Signals
A signal is created when there's a match on a rule, scheduled rule, or correlation rule
Last updated
Was this helpful?
A signal is created when there's a match on a rule, scheduled rule, or correlation rule
Last updated
Was this helpful?
Overview
A signal is generated when there is a match on a rule, scheduled rule, or correlation rule. Signals are not generated for policy failures.
A signal represents an action (or a group or series of actions) taking place in your environment that you want to know about, but is not—at least on its own—worthy of generating an alert. Signals are often referred to as "security-relevant events."
Signals are different from alerts. Learn more about the .
Noisy rules that generate significant signal volume (i.e., more than 1,000 per hour) may increase your Snowflake compute costs. Learn how to make Signals more cost-efficient in , below.
Signals are a building block of correlation rules. In a correlation rule, you specify certain rules, scheduled rules, and correlation rules for which one or more signals must have been generated (or not generated) in a certain time period (amongst other optional criteria) to qualify as a match.
See , which reference both rules that have alerting enabled and rules that have alerting disabled.
You may also want to search for signals in the panther_signals.public database in Search and Data Explorer.
To create a rule that only produces signals (and not alerts) create a rule and configure it to disable alerting.
To create a rule in the Panther Console that only produces signals (not alerts):
Create a rule, scheduled rule, or correlation rule in the Panther Console.
See , and .
See .
See .
Set the Create Alert toggle to OFF.
This will remove alert fields from the detection editor (including Severity, Runbook, Deduplication Period, etc.).
To view signals for a certain detection, use the View Signals in Search button on its details page. It's also possible to view signals by constructing your own query in Search or Data Explorer.
In the left-hand navigation bar of your Panther Console, click Detections.
Click the name of the detection for which you'd like to view signals.
Towards the upper-right corner of the detection's details page, click View Signals in Search.
The Search page will be opened with a pre-populated filter expression for the panther_signals.public database. Click Search.
You can view signals in Search or Data Explorer.
A signal is generated whenever there is a match on a detection. Making signals more efficient, then, means making the detection itself more efficient, or narrowing its scope.
Ensure the chart is sorted descending.
Take note of the rule IDs at the top of the chart—these are the detections producing the most signals (within the configured time period).
After you have identified the detections producing the most signals in Step 1, you can tune them by narrowing their scope. Below are some common approaches to narrowing detection scope:
Add trusted IPs to an allowlist: Explicitly exclude known "good" IP addresses, such as your organization's proxy servers or cloud service providers.
Tune thresholds: Adjust frequency and volume thresholds for events like failed logins or data transfers to reduce false positives without missing real threats.
Leverage context: Incorporate additional context such as time of day, user roles, or geolocation to improve rule accuracy and reduce false positives.
Implement multi-factor rules: Combine multiple indicators or conditions in a single rule to increase precision and reduce false positives.
In the , select Signals.
In the , select Signals.
Optionally create additional to narrow your search results.
Follow the steps above to .
Add the p_rule_id field as a column in the results table by following the instructions in .
Click Visualizations to for Rule ID.
