Getting Started with Signal Anatlytics

Search Bar

The search bar allows you to quickly find specific signals based on various attributes such as signal type, severity, source (Google Chronicle, ASE), and time. Simply enter the desired signal attribute and press Enter to filter the results.

Note: Advanced Search enables you to filter signals using any signal attribute for more precise results.

Performing and saving signal analysis 

Use this procedure to perform and save an analysis after adding the required dimensions and values in the desired view.

Steps to Start an Analysis:

1. Navigate to Security → Signal Analytics to open the Signal Analytics page.
2. Select a date range to filter signals received in Resolution Intelligence Cloud within this time frame to perform analysis. 
3. Choose a format to display the signals. Possible options:
   • Time-Series Analysis – View the number of signals generated daily, weekly, monthly, quarterly, or yearly across different entities.
   • MITRE View – Analyze signals mapped to different phases of the MITRE ATT&CK framework to understand attacker behavior.
   • List View – Display a detailed list of signals generated for the selected dimension(s).
4. Click Start Analysis to navigate to the insights page. This will display data in the selected view.
5. Click Save Analysis to save your findings in the desired format.
   • If needed, use the Notes option to key details about your analysis.
   • All saved analyses will be accessible on the Stacks tab in the Findings Hub section. 

Findings hub

The Findings Hub is a centralized location where you can view AI-generated findings from the Signal analytics agent and manually saved findings for easy access.

• Agent Findings
• Stacks

Viewing Saved Analyses in Stacks

To view signal analysis performed by different users within a tenant:

1. Navigate to Security → Signal Analytics to open the Signal Analytics page.
2. Review the list of saved analyses under the Findings Hub section.
   • Analysis Name – The name given to the analysis.
   • Created By – The user who created the analysis.
   • Modified By – The user who last updated the analysis.
3. Click on any analysis to revisit and explore it further.

Other Options:

• You can delete any analysis you no longer need from the stack using the Delete icon.
• You can search for a specific analysis by entering search terms in the search box.

Viewing Agent Findings

Agent Findings display AI-generated insights and categorize them into four key areas: Data Engineering, Detection Engineering, Control Engineering, and Response Engineering, using the Signal Analytics agent. This agent is integrated with Signal Analytics to enhance investigations with AI-driven insights. It analyzes thousands of data points to identify critical threats, pinpoint key signals, map contextual relationships, and formulate a threat hypothesis. If no substantial or actionable hypothesis is found, irrelevant signals are removed from the insights list, reducing clutter and ensuring focus on significant anomalies.

The agent operates across two key time frames:

• Emerging Trends (48H): Analyzes the last 48 hours of data to detect and highlight critical observations. 
• Sustained Trends (7-Day): Analyzes the last seven days of signal data to generate deeper insights into long-term patterns. The AI organizes these insights into four categories. Each insight includes observations, next steps, and the associated dimensions and values. Clicking on a result takes you to the charts page, where you can view the signals generated for the selected dimensions over the past week

Viewing and Analyzing Agent Findings

Follow this procedure to explore the security pattern identified in an agent finding detected within the past 2 or 7 days, based on the selected trend type.

1. Go to Signal Analytics:
   Navigate to Security → Signal Analytics to open the Signal Analytics page.
2. Open Agent Findings:
   Click the Agent Findings tab to view insights categorized under Emerging Trends and Sustained Trends.
3. Select an Insight:
   Click on a specific insight you want to explore in detail. This will take you to the Signal Trends page, where the relevant filters are automatically applied.
4. Analyze Trends:
   Review the trend chart to see the total number of signals generated on each day for this detected security pattern or insight within the selected 2-day or 7-day range, depending on the trend type.
5. Review Details and Next Steps:
   Examine the observations, associated ActOn ID or Situation ID (if an ActOn has been created), and the recommended next steps to proceed with investigation or remediation.

Filtering Agent Findings by Category

Use this procedure to filter AI findings based on a specific category.

1. Navigate to Security → Signal Analytics to open the Signal Analytics page.

2. Click the Agent Findings tab to view both Emerging Trends and Sustained Trends. A count is displayed next to each, showing the total number of trends generated in the last 48 hours and 7 days, respectively. 

3. Click the filter icon to refine insights generated by the signal analytics agent for the last two or seven days.

4. In the Filters side panel, select the check boxes for the categories you want to filter. The results will be narrowed down based on your selection. You will only see the categories that have insights. If there are no insights under a category, it won’t be shown. Possible categories include:

• • • Control Engineering
    • Data Engineering
    • Detection Engineering
    • Response Engineering

5. Click Apply to filter the insights based on the selected categories and the trend type you are focusing on—Emerging Trends or Sustained Trends.

Copying and sharing agent insights link

Use this procedure to copy and share a link with users in the same tenant or across different scopes.
Note: Users in a different scope must switch to the specified tenant to view the shared insights.

1. Navigate to Security → Signal Analytics to open the Signal Analytics page.

2. Select the Agent Findings tab to view both Emerging Trends and Sustained Trends.

3. Click the copy link icon to copy and share the link.

Viewing Archived Insights

Past insights generated by the signal analytics agent are archived and can be accessed at any time. Users can filter archived insights by date range or category, such as Control Engineering, Detection Engineering, Data Engineering, and Response Engineering.

To view archived insights:

1. Navigate to Security → Signal Analytics to open the Signal Analytics page.

2. Click View Archive in the Findings Hub section. This opens the Archived Insights page.

3. Select a date range and/or click the filter icon to choose a category. Available categories include:

• • Control Engineering
  • Data Engineering
  • Detection Engineering
  • Response Engineering

The past insights will be displayed based on the selected date range and/or category.

Providing Feedback on Agent Insights

You can provide feedback on agent generated insights using the thumbs-up and thumbs-down icons. This feature helps improve the quality and relevance of insights generated in Signal Analytics by capturing user input on what is helpful and what needs improvement.

To submit feedback:

1. Navigate to Security → Signal Analytics to access the Signal Analytics page.

2. Go to the AI Findings tab. Select one of the following trend views:

   • Emerging Trends (48H) – Displays new and notable activity from the last 48 hours.
   • Sustained Trends (72H) – Highlights consistent patterns over the last 72 hours.
3. Click on a trend to view the Agent generated insights.
4. Provide feedback:
   • If you find the insight helpful, click the thumbs-up icon.
   • If the insight needs improvement, click the thumbs-down icon. A feedback window appears.
5. Enter your comments and click Submit. Your input helps refine the Agent’s future findings and ensures that the AI models evolve to deliver more accurate and valuable insights.

Explore Instantly with Predefined Views

Jump right into exploration: Skip the initial search with pre-built views located below the search bar. These views offer essential signal sets tailored to common analysis needs, helping you get started quickly.

Time Series Analysis

See beyond the static:

Uncover hidden insights by juxtaposing signals across time. This powerful feature reveals hidden trends, patterns, and potential threats that might not be evident in standalone observations.

Analysis by MITRE ATT&CK® framework

Unmask the attacker's playbook: Gain deeper insights into attacker behavior by aligning signals with the MITRE ATT&CK® framework. This view reveals the specific tactics, techniques, and procedures (TTPs) utilized, empowering you to make informed decisions regarding your security posture.

Enhanced List View

Gain complete situational awareness: Get a comprehensive overview of triggered signals with the clear and concise list format. This view allows for efficient threat response and analysis by enabling easy identification and prioritization of critical signals.