Table of Contents:
When you perform the analysis, you are redirected to the Signal Trends page. This page includes a search box that allows you to find specific signals by using attributes such as signal name, files, and processes. You can adjust the date range at any time to view signals generated within the selected period.
To narrow down the results, a variety of filters are available. These filters are based on dimensions and values—where dimensions refer to the fields, and values refer to the corresponding field values.
To filter the signals by dimensions and its values:
- Navigate to Security → Signal Analytics to open the Signal Analytics page.
- Select a date range to filter signals received in Resolution Intelligence Cloud within this time frame to start analysis.
- Click Start analysis. This takes you to the signal trends page.
- Select one or more dimensions and corresponding values from the available list.
– Once selected, the values appear under Applied Filters, and the signals are filtered accordingly.
| Field | Description | |
|---|---|---|
| Functions | Filters the signals by the selected Functions. | |
| Metadata.eventType | Filters the signals by the eventType from metadata. | |
| Metadata.producteventtype | Filters the signals by the producteventtype from metadata. | |
| metadata.vendorName | Filters the signals by the vendorName from metadata. | |
| ATT&CK Techniques | Filters the signals by the selected ATT&CK techniques. | |
| ATT&CK Tactics | Filters the signals by the selected ATT&CK tactics. | |
| Signal Source | Filters the signals by the selected Signal Source. | |
| principal.hostname | Filters the signals by the hostname of the principal. | |
| target.hostname | Filters the signals by the hostname of the target. | |
| observer.hostname | Filters the signals by the hostname of the observer. | |
| principal.ip | Filters the signals by the ip of the principal. | |
| target.ip | Filters the signals by the ip of the target. | |
| target.application | Filters the signals by the application of the target. | |
| target.url | Filters the signals by the url of the target. | |
| network.dnsDomain | Filters the signals by the dnsDomain in the network data. | |
| target.user.userid | Filters the signals by the userid of the target user. | |
| principal.user.userid | Filters the signals by the userid of the principal user. | |
| target.user.title | Filters the signals by the title of the target user. | |
| principal.user.title | Filters the signals by the title of the principal user. | |
| target.user.department | Filters the signals by the department of the target user. | |
| principal.user.department | Filters the signals by the department of the principal user. | |
| network.email.from | Filters the signals by the sender address in email data. | |
| network.email.to | Filters the signals by the recipient address in email data. | |
| principal.process.commandLine | Filters the signals by the command line of the principal process. | |
| principal.process.file.sha256 | Filters the signals by the SHA-256 hash of the principal process file. | |
| principal.process.file.fullPath | Filters the signals by the full path of the principal process file. | |
| principal.process.file.names | Filters the signals by the file names of the principal process. | |
| principal.processAncestors.commandLine | Filters the signals by the command line of the ancestor processes of principal. | |
| principal.processAncestors.file.sha256 | Filters the signals by the SHA-256 hash of ancestor process files of principal. | |
| principal.processAncestors.file.fullPath | Filters the signals by the full path of ancestor process files of principal. | |
| principal.processAncestors.file.names | Filters the signals by the file names of ancestor processes of principal. | |
| target.process.command_line | Filters the signals by the command line of the target process. | |
| target.process.file.sha256 | Filters the signals by the SHA-256 hash of the target process file. | |
| target.process.file.fullPath | Filters the signals by the full path of the target process file. | |
| target.process.file.names | Filters the signals by the file names of the target process. | |
| principal.asset.hostname | Filters the signals by the hostname of the principal asset. | |
| target.asset.hostname | Filters the signals by the hostname of the target asset. | |
| target.resource.resourceType | Filters the signals by the resource type of the target. | |
| target.resource.name | Filters the signals by the resource name of the target. | |
| principal.resource.resourceType | Filters the signals by the resource type of the principal. | |
| principal.resource.name | Filters the signals by the resource name of the principal. | |
| securityResult.threatName | Filters the signals based on the threat name from the security result. | |
| securityResult.category | Filters the signals based on the category from the security result. | |
| target.file.sha256 | Filters the signals by the SHA-256 hash of the target file. | |
| target.file.names | Filters the signals by the file names of the target. | |
| target.file.fullPath | Filters the signals by the full path of the target file. | |
| securityResult.summary | Filters the signals based on the summary from the security result. | |
| metadata.productName | Filters the signals by the product name from metadata. | |
| metadata.logType | Filters the signals by the log type from metadata. | |
| metadata.productEventType | Filters the signals by the product event type from metadata. | |
| target.port | Filters the signals by the target port. | |
| securityResult.action | Filters the signals based on the action from the security result. | |
| Detection Rule Name | Filters the signals by the detection rule name. | |
| Log Source | Filters the signals by the log source. | |
| principal.port | Filters the signals by the principal port. | |
| target.cloud.project.name | Filters the signals by the name of the target cloud project. | |
| metadata.description | Filters the signals by the description from metadata. | |
| extensions.auth.mechanism | Filters the signals by the authentication mechanism used. | |
| principal.user.emailAddresses | Filters the signals by the email addresses of the principal user. | |
| target.user.emailAddresses | Filters the signals by the email addresses of the target user. | |
| network.http.userAgent | Filters the signals by the user agent in HTTP data. | |
| principal.ipGeoArtifact.location.countryOrRegion | Filters the signals by the geographic location of the principal's IP. | |
| Organization | Filters the signals by the selected organization. | |
| Tenant | Filters the signals by the selected tenant. | |
| securityResult.securityCategory | Filters the signals based on the security category from the security result. | |
| securityResult.productSeverity | Filters the signals based on the product severity from the security result. | |
| securityResult.threatStatus | Filters the signals based on the threat status from the security result. | |
| securityResult.actionDetails | Filters the signals based on action details from the security result. | |
| target.user.accountType | Filters the signals by the account type of the target user. | |
| principal.user.accountType | Filters the signals by the account type of the principal user. | |
| principal.asset.platformSoftware.platform | Filters the signals by the platform of the principal asset software. | |
| target.asset.platformSoftware.platform | Filters the signals by the platform of the target asset software. | |
| network.direction | Filters the signals by the direction of network traffic. | |
| target.asset.type | Filters the signals by the type of the target asset. | |
| principal.asset.type | Filters the signals by the type of the principal asset. | |
| network.dns.question.name | Filters the signals by the DNS question name in network traffic. | |
| network.dns.responseCode | Filters the signals by the DNS response code in network traffic. | |
| ActOn ID | Filters the signals by the ActOn ID. | |
| Situation ID | Filters the signals by the Situation ID. | |
| associatedEntities.name | Filters the signals by the name of the associated entities. | |
| associatedEntities.entityGroups.name | Filters the signals by the entity group name of associated entities. | |
| associatedEntities.attributes.OU | Filters the signals by the organizational unit (OU) of associated entities. | |
| principal.cloud.project.id | Filters the signals by the ID of the principal cloud project. | |
| principal.cloud.project.name | Filters the signals by the name of the principal cloud project. | |
| metadata.product_deployment_id | Filters the signals by the product deployment ID from metadata. | |
| network.email.subject | Filters the signals by the subject of the email in network data. | |
5. Analyze the filtered signals using the following views:
-
Time Series Analysis: Displays signal trends in a graphical format for the selected time range.
-
Interactive Graph:
Click a data point in the graph to view the signals generated on that specific day, along with the matching filter values. -
Time Interval Options:
You can view signal trends by hour, day, week, month, quarter, or year. The graph automatically updates based on the selected time interval. -
Axes Plot:
The axes display the selected dimension and its corresponding values.- If only a dimension is selected, the bubble chart on the axes plot shows signals that match that dimension.
- When you hover over the dimension added to the axes plot, a Remove Dimension option appears, allowing you to remove it from the plot.
- If a specific value is selected under the dimension, the bubble chart filters and displays signals corresponding to that value. You can also view the signal data in this view. Clicking a specific signal redirects you to the Signals page for further analysis. For more information about Signals, see this article.
-
Interactive Graph:
-
MITRE View: Shows signals aligned with the MITRE ATT&CK framework for better threat context. Click the count of tactics under each technique to view the total number of signals that exhibited the respective tactic behavior. Review the signal data:
- Signal ID: The unique identifier assigned to the signal.
- Subject: The subject or title of the signal.
- Current State: The current status of the signal.
- Source: The source from which the signal was triggered.
- Priority: The priority level assigned to the signal.
- Created Time: The timestamp when the signal was generated.
- Category: The category the signal belongs to.
- Sub-category: The sub-category the signal falls under.
- List View: Presents a detailed list of signals that match the applied filters. You can also view the signal data in this view.
Comments
0 comments
Please sign in to leave a comment.