View Records for a Signal
Cloud SIEM uses rules to evaluate incoming records, and when the conditions of a rule are met, generates a signal. This topic explains how to view records associated with a signal in Cloud SIEM.
View record details
- Classic UI. To view signals, click Signals at the top of the screen.
  New UI. To view signals, in the main Sumo Logic menu select Cloud SIEM > Signals. You can also click the Go To... menu at the top of the screen and select Signals.
- Select a signal. The signal's details display.
  When you view the details page for a signal that was triggered by a threshold, aggregation, or chain rule, you'll see a section that displays the records that matched the rule's conditions. These records remain associated with the signal as long as the signal is available.
- Click the plus sign (+) for a record to view its details.
- Use the following to work with the records:
- Timestamp. Sort records by their timestamp.
- Open in Log Search. Select one of the following options to run a query for the signal's records in log search:
- Distinct Aggregated Records. Exact records evaluated by the rule.
- All Related Records. All records related to the signal.
- Export. Export the records to a comma-separated value (CSV) or JSON file.
Note: Only a single record is attached to the signal itself. Any other involved records are retrieved via log search. If the records are past their retention period, they no longer appear in the UI. In the API and the sec_signal index, only the single attached record is included, along with a list of any other entities that were seen on the involved records (in involvedEntities). You must select Open in Log Search to find the other involved records.
Select favorite fields
Favorite fields let you show the most important fields in the summary view of a record so you don't have to open the record's details to see them.
To select favorite fields:
- Open a signal to view the first record associated with it.
- Click the + on the record. The record's details are displayed.
- In the record's details, favorite fields have a bright star next to them.
  Notice how the favorite fields appear in the record's summary information. In the following screen image, a few favorite fields are highlighted to show how they appear in the record's summary information.
- To select a favorite field, hover your mouse over a dimmed star until it says Enable Favorite Field and then click it.
- To deselect a favorite field, hover your mouse over a bright star until it says Disable Favorite Field and then click it.