# Signals

**Overview**

{% hint style="info" %}
Correlation rules are in open beta starting with Panther version 1.108, and are available to all customers. Please share any bug reports and feature requests with your Panther support team.
{% endhint %}

A signal is generated when there is a match on a rule, scheduled rule, or correlation rule. Signals are not generated for policy failures.

A signal represents an action (or a group or series of actions) taking place in your environment that you want to know about, but is not—at least on its own—worthy of generating an alert. Signals are often referred to as "security-relevant events."

Signals are different from alerts. Learn more about the [difference between signals and alerts here](https://docs.panther.com/detections/..#signals-vs.-alerts).

{% hint style="warning" %}
Noisy rules that generate significant signal volume (i.e., more than 1,000 per hour) may increase your Snowflake compute costs. Learn how to make Signals more cost-efficient in [Making signals more efficient](#making-signals-more-efficient), below.
{% endhint %}

### Signal use cases

* Signals are a building block of [correlation rules](https://docs.panther.com/detections/correlation-rules). In a correlation rule, you specify certain rules, scheduled rules, and correlation rules for which one or more signals must have been generated (or *not* generated) in a certain time period (amongst other optional criteria) to qualify as a match.
  * See [these correlation rule examples](https://docs.panther.com/correlation-rules#correlation-rule-full-examples), which reference both rules that have alerting enabled and rules that have alerting disabled.
* You may also want to search for signals in the `panther_signals.public` database in [Search](https://docs.panther.com/search/search-tool) and [Data Explorer](https://docs.panther.com/search/data-explorer).

## How to create a rule that only produces signals

To create a detection that produces only signals (and not alerts), disable alerting on it when you create it. The detection still evaluates every event; each match is written as a signal, but no alert is raised and no alert destinations are notified.

{% tabs %}
{% tab title="Console" %}
To create a rule in the Panther Console that only produces signals (not alerts):

1. Create a rule, scheduled rule, or correlation rule in the Panther Console.
   * See [these instructions for creating a Python rule in the Console](https://docs.panther.com/rules/python#how-to-create-a-rule-in-python), and [these instructions for creating a Simple Detection in the Console](https://docs.panther.com/rules/simple-detection-builder#how-to-create-a-rule-in-the-simple-detection-builder).
   * See [these instructions for creating a scheduled rule in the Console](https://docs.panther.com/rules/python#how-to-create-a-scheduled-rule-in-python).
   * See [these instructions for creating a correlation rule in the Console](https://docs.panther.com/correlation-rules#how-to-create-a-correlation-rule).
2. Set the **Create Alert** toggle to `OFF`.\
   ![](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-39088506fd140280cb0f282dc1c07da9a6ad3e05%2Fimage%20\(3\)%20\(9\).png?alt=media)
   * This will remove alert fields from the detection editor (including **Severity**, **Runbook**, **Deduplication Period**, etc.).\
     ![](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-2075c1107c3e7a5cee38f5212068e019cd134ba2%2Fimage.png?alt=media)
{% endtab %}

{% tab title="CLI workflow" %}
To create a rule in the CLI workflow that only produces signals (not alerts):

1. Create a rule, scheduled rule, or correlation rule locally.
   * See [these instructions for creating a Python rule in the CLI workflow](https://docs.panther.com/rules/python#how-to-create-a-rule-in-python), and [these instructions for creating a YAML detection in the CLI workflow](https://docs.panther.com/rules/writing-simple-detections#how-to-create-a-rule-in-yaml).
   * See [these instructions for creating a scheduled rule in the CLI workflow](https://docs.panther.com/rules/python#how-to-create-a-scheduled-rule-in-python).
   * See [these instructions for creating a correlation rule in the CLI workflow](https://docs.panther.com/correlation-rules#how-to-create-a-correlation-rule).
2. Add the `CreateAlert` field, and set its value to `false`.
   * The default value for `CreateAlert`, if not set, is `true`.

Example:

```yaml
AnalysisType: rule
RuleID: 'GitHub.Repo.Archived'
DisplayName: 'GitHub.Repo.Archived'
Enabled: true
CreateAlert: false
AlertContext:
  - KeyName: repo
    KeyValue:
      KeyPath: repo
Detection:
  - KeyPath: action
    Condition: Equals
    Value: repo.archived
```

{% endtab %}
{% endtabs %}
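The YAML above is a Simple Detection. The same signal-only rule written as a Python rule, as an added example that is not code from the Panther docs or from panther-analysis, looks like the following. It assumes a companion metadata file (shown in the module docstring) with `CreateAlert: false` and `LogTypes: GitHub.Audit`, and it uses plain dicts as stand-ins for Panther's event object, whose `.get()` behaves the same way. `emit_signals` and `SAMPLE_EVENTS` are local test scaffolding, not part of the Panther rule API.

```python
"""
Companion metadata file (assumed name: github_repo_archived.yml) that pairs with
this module in a panther-analysis style repo. CreateAlert: false makes the rule
emit signals only; alert-only fields such as Severity are therefore omitted.

    AnalysisType: rule
    RuleID: 'GitHub.Repo.Archived'
    DisplayName: 'GitHub.Repo.Archived'
    Enabled: true
    CreateAlert: false
    Filename: github_repo_archived.py
    LogTypes:
      - GitHub.Audit
"""
from typing import Any, Dict, Iterable, List

# Constructed GitHub audit-log style events for local testing (not real data).
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"action": "repo.archived", "repo": "acme/legacy-api", "actor": "jdoe", "org": "acme"},
    {"action": "repo.create", "repo": "acme/new-service", "actor": "jdoe", "org": "acme"},
    {"action": "repo.archived", "repo": "acme/old-site", "actor": "svc-bot", "org": "acme"},
]


def rule(event: Dict[str, Any]) -> bool:
    """Panther entry point: True when the event is a repository archive action."""
    return event.get("action") == "repo.archived"


def alert_context(event: Dict[str, Any]) -> Dict[str, Any]:
    """Fields stored with each signal; correlation rules and Search can read them."""
    return {
        "repo": event.get("repo"),
        "actor": event.get("actor"),
        "org": event.get("org"),
    }


def emit_signals(events: Iterable[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Local stand-in for the rule engine (test scaffolding, not Panther API).

    Returns the alert_context of every event the rule matches. Under
    CreateAlert: false each entry corresponds to one signal row and no alert.
    """
    return [alert_context(event) for event in events if rule(event)]


if __name__ == "__main__":
    for signal in emit_signals(SAMPLE_EVENTS):
        print(signal)
```

Because alerting is disabled, there is no `title()` or `severity()` function to write; `alert_context()` is still worth keeping, since it decides which fields a downstream correlation rule can match on.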

## How to view signals

### How to view signals for a detection

To view signals for a certain detection, use the **View Signals in Search** button on its details page. It's also possible to view signals by constructing your own query in [Search](https://docs.panther.com/search/search-tool) or [Data Explorer](https://docs.panther.com/search/data-explorer).

1. In the left-hand navigation bar of your Panther Console, click **Detections**.
2. Click the name of the detection for which you'd like to view signals.
3. Towards the upper-right corner of the detection's details page, click **View Signals in Search**.

   * The [Search](https://docs.panther.com/search/search-tool) page will be opened with a pre-populated filter expression for the `panther_signals.public` database. Click **Search**.

   <figure><img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-762b3072880da24dd5079e581fe422c878f4c86e%2FScreenshot%202024-02-26%20at%201.39.52%20PM.png?alt=media" alt="A &#x22;Dropbox.External.Share&#x22; detection details page is shown. A &#x22;View Signals in Search&#x22; button is circled." width="563"><figcaption></figcaption></figure>

### How to view all signals

You can view signals in [Search](https://docs.panther.com/search/search-tool) or [Data Explorer](https://docs.panther.com/search/data-explorer).

{% tabs %}
{% tab title="Search" %}
**View signals in Search**

1. In the left-hand navigation bar of your Panther Console, click **Investigate** > **Search**.
2. In the [database filter](https://docs.panther.com/search/search-tool#database-filter), select **Signals**.
3. In the [table filter](https://docs.panther.com/search/search-tool#table-filter), select **Signals**.
   * Optionally create additional [key/value filter expressions](https://docs.panther.com/search/search-tool#key-value-filter-expression) to narrow your search results.
4. Click **Search**.
{% endtab %}

{% tab title="Data Explorer" %}
**View signals in Data Explorer**

1. In the left-hand navigation bar of your Panther Console, click **Investigate** > **Data Explorer**.
2. Write a SQL query that selects the columns you are interested in from the `panther_signals.public.correlation_signals` table.
   * For example:

     ```sql
     SELECT tag FROM panther_signals.public.correlation_signals LIMIT 10;
     ```
3. Click **Run Search**.
{% endtab %}
{% endtabs %}

## Making signals more efficient

A signal is generated whenever there is a match on a rule, scheduled rule, or correlation rule (policies never produce signals). Making signals more efficient, then, means making the detection itself more efficient, or narrowing its scope so that it matches fewer events.

### Step 1: Identify the detections generating the most signals

1. Follow the steps above to [view all signals in Search](#view-signals-in-search).
2. Add the `p_rule_id` field as a column in the results table by following the instructions in [How to add a column in the Search results table](https://docs.panther.com/search/search-tool#how-to-add-a-column-in-the-search-results-table).\
   ![Various event fields (like p\_event\_time and p\_parse\_time) and their values are shown.](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-684bc66e3aa7275086e3f1443e880c9057d7e606%2FScreenshot%202024-09-04%20at%204.43.16%20PM.png?alt=media)
3. Click **Visualizations** to [view the summary chart](https://docs.panther.com/search/search-tool#search-results-summary-charts) for **Rule ID**.
   * Ensure the chart is sorted descending.
4. Take note of the rule IDs at the top of the chart—these are the detections producing the most signals (within the configured time period).

### Step 2: Tune the detections generating the most signals

After you have identified the detections producing the most signals in Step 1, you can tune them by narrowing their scope. Below are some common approaches to narrowing detection scope:

* **Add trusted IPs to an allowlist**: Explicitly exclude known "good" IP addresses, such as your organization's proxy servers or cloud service providers.
* **Tune thresholds**: Adjust frequency and volume thresholds for events like failed logins or data transfers to reduce false positives without missing real threats.
* **Leverage context**: Incorporate additional context such as time of day, user roles, or geolocation to improve rule accuracy and reduce false positives.
* **Implement multi-factor rules**: Combine multiple indicators or conditions in a single rule to increase precision and reduce false positives.
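The following is an added example (not Panther's code) of applying three of these approaches in rule logic: a noisy rule that signals on every failed login is placed next to a tuned version that drops traffic from an allowlist of trusted networks, incorporates user-role and time-of-day context, and combines conditions so that a single weak indicator is not enough. The network ranges, roles, business hours and the login events are all constructed assumptions; `count_signals` is local scaffolding for comparing signal volume. In a deployed rule only one of the two functions would exist, under the name `rule`. Threshold tuning is not shown because it is a detection setting rather than something expressed in the `rule()` body.

```python
import ipaddress
from datetime import datetime, timezone
from typing import Any, Callable, Dict, List

# Assumed allowlist: corporate proxy and CI runner egress ranges (documentation
# prefixes from RFC 5737, not real infrastructure). Replace with your own.
TRUSTED_NETWORKS = [
    ipaddress.ip_network(cidr) for cidr in ("203.0.113.0/24", "198.51.100.0/24")
]
BUSINESS_HOURS = range(8, 19)        # assumed working hours, 08:00-18:59 UTC
PRIVILEGED_ROLES = {"admin", "owner"}  # assumed roles worth a signal on their own

# Constructed login events for local testing (not real data).
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"user": "alice", "role": "admin", "outcome": "FAILURE", "src_ip": "203.0.113.10",
     "mfa": True, "time": "2024-09-04T10:00:00Z"},   # from the proxy: allowlisted
    {"user": "bob", "role": "viewer", "outcome": "FAILURE", "src_ip": "192.0.2.44",
     "mfa": True, "time": "2024-09-04T11:00:00Z"},   # unprivileged, office hours
    {"user": "carol", "role": "owner", "outcome": "FAILURE", "src_ip": "192.0.2.99",
     "mfa": False, "time": "2024-09-04T02:15:00Z"},  # privileged, 02:15, no MFA
    {"user": "dave", "role": "viewer", "outcome": "SUCCESS", "src_ip": "192.0.2.44",
     "mfa": True, "time": "2024-09-04T12:00:00Z"},   # not a failure at all
]


def rule_noisy(event: Dict[str, Any]) -> bool:
    """Before tuning: every failed login becomes a signal."""
    return event.get("outcome") == "FAILURE"


def _is_trusted(ip: str) -> bool:
    """Allowlist check; malformed addresses are treated as untrusted."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETWORKS)


def _after_hours(timestamp: str) -> bool:
    """Time-of-day context from an ISO-8601 UTC timestamp."""
    hour = datetime.strptime(timestamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).hour
    return hour not in BUSINESS_HOURS


def rule_tuned(event: Dict[str, Any]) -> bool:
    """After tuning: allowlist first, then require role context plus a second indicator."""
    if event.get("outcome") != "FAILURE":
        return False
    if _is_trusted(event.get("src_ip", "")):
        return False                                  # trusted source: skip
    privileged = event.get("role") in PRIVILEGED_ROLES  # context: user role
    suspicious = _after_hours(event["time"]) or not event.get("mfa", True)
    return privileged and suspicious                  # multi-factor condition


def count_signals(rule_fn: Callable[[Dict[str, Any]], bool],
                  events: List[Dict[str, Any]]) -> int:
    """Test scaffolding: how many signals a rule would emit over a batch of events."""
    return sum(1 for event in events if rule_fn(event))


if __name__ == "__main__":
    print("noisy:", count_signals(rule_noisy, SAMPLE_EVENTS))
    print("tuned:", count_signals(rule_tuned, SAMPLE_EVENTS))
```

Over the four constructed events the noisy rule emits three signals and the tuned rule emits one (carol's after-hours, non-MFA failure as an owner). Keep the allowlist check first, since it is the cheapest filter and removes the bulk of benign volume before any parsing of timestamps or roles happens.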
