This page has information about creating a scheduled search that will trigger a Cloud SIEM Enterprise (CSE) Signal. Before you start using scheduled searches to create CSE Signals, it is helpful to understand what Signals are, and how they relate to the generation of CSE Insights. For information about how it all works see Insight Generation Process.
For a more detailed description of the options you can configure for a scheduled search, see Schedule a Search.
Requirements for the search query
This section describes the requirements for your scheduled search, which include a minimum set of fields to be returned, and renaming message fields as necessary to match attribute names in the selected CSE Record type schema.
There are several fields that your scheduled search must return to enable Signal generation:
normalizedseverity. This field must contain a value between (and including) 0 and 10. Signals generated by the scheduled search will have this severity value. SIgnal severity values are used by CSE’s Insight generation algorithm, as described above.
stage. This field must contain a Tactic in the MITRE ATT&CK framework, one of the following:
Command and Control
stagefield contains a Tactic that isn't in the MITRE ATT&CK framework, a Signal will not be generated.
At least one entity field:
Renaming message fields
When you configure a Scheduled Search to create CSE Signals, you are prompted to select a CSE Record type. The fields returned by your search must match an attribute in the Record type you select. A field whose name does not match a CSE attribute will not be populated in the Record created from the Schedule Search results. For more about CSE attribute names, see Attributes You Can Map to Records.
Scheduling the search
After creating and saving your search, click Save As below the search query area.
The Save Item popup appears.
Click Schedule this search.
The Save Item popup prompts you to select a run frequency.
Select a frequency from the pull-down list and click Save. Scheduling a run frequency that matches your query time range will reduce overlapping searches and duplicate alerts. When you have a search scheduled to run over the same results as a previously scheduled search you would trigger an alert on the same data.
The popup refreshes.
Timezone for scheduled search. Select the time zone you would like your scheduled search to use. The schedule's time is based on this time zone. This time zone is not related to the time zone of your data. If you don't make a selection, the scheduled search will use the time zone from your browser, which is the default selection
Send notification. Select If the following condition is met, and enter an alert condition and the number of results that should trigger the alert.
Alert Type. Select CSE Signal.
The popup refreshes.
Record Type. Select a Record Type.
View Signals in CSE
To view Signals that were created from a scheduled search, run a keyword search on “CIP Scheduled Search” on the Signals page in the CSE UI.
Below is a screenshot of a Signal that was created from a scheduled search. Note that:
- The Mapping section at the bottom of the page shows that the Signal was the result of a scheduled search.
- If the Signal is not part of an Insight, there’s a Create Insight link you can use to create an Insight for the Signal. For more information, see Create an Insight from Signal.
- You can click the Full Details link for more information about the Signal. See View Signal details below for a screenshot.
View Signal details
The Full Details tab displays details about the Signal.
Create an Insight from Signal
To create an Insight from a Signal generated from a scheduled search:
Navigate to a Signal that was generated from a scheduled search.
Click Create Insight.
Click Yes, Create Insight when prompted whether you want to proceed.
The new Insight is created and appears as a Related Insight.