What's the difference between Signals, Transactions, and Indicators?
Clarifying on some vague terminology
It's common for cybersecurity marketing material to reference absolutely MASSIVE statistics. Sometimes though, the terms can blur together. In today's article, I want to take a moment to differentiate between three related terms: Signals, Transactions, and Indicators.
- Signal - This is an individual data point (typically in a very raw or basic form). It could be virtually ANYthing. In geeky engineering speak, we can think of it as being physical or interrupt-based. Common examples include:
  - A single log event
  - A network packet
  - A device being connected/disconnected
  - The beginning of a query/operation (before any results or response comes back)
- Transaction - This encompasses more of a complete activity or action. It could be a collection of multiple steps that need to happen for the transaction to be considered successful. We can think of it as being atomic and purposeful in nature. It has a clearly defined beginning and end. Examples of transactions include:
  - Visiting a web page
  - Uploading a file
  - Receiving an email
- Indicator - This is basically a piece of data that provides meaning, interest, or significance to a signal (or group of signals). The idea here is that SOMEthing about the signal warrants attention. Examples of indicators include:
  - Network packets sent to (or from) known malicious IP addresses
  - An unusual/unexpected protocol request
  - A normal action happening at an unusual time of day (e.g. Bob's laptop trying to connect to corporate resources at 3 AM)
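To make the three terms concrete, here is a small added example (not from the original post) that walks raw log lines through all three layers: each line is a signal, lines sharing a session id are grouped into a web-page-visit transaction that only counts as complete once both request and response were seen, and two indicator checks (a known-bad IP match and a request outside business hours) are evaluated over each transaction's signals. The log line format, the session ids, the blocklist address, and the 07:00-19:00 business-hours window are all constructed assumptions for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime

# Constructed sample "signals": one raw log line each. The line format
# (timestamp src_ip dst_ip event session_id) is an assumption for this example.
RAW_SIGNALS = [
    "2024-03-04T03:02:10 10.0.0.5 203.0.113.9 http_request sess-1",
    "2024-03-04T03:02:11 203.0.113.9 10.0.0.5 http_response sess-1",
    "2024-03-04T14:10:00 10.0.0.7 198.51.100.20 http_request sess-2",
    "2024-03-04T14:10:01 198.51.100.20 10.0.0.7 http_response sess-2",
    "2024-03-04T14:20:00 10.0.0.9 192.0.2.77 http_request sess-3",  # no response yet
]

# Constructed blocklist (documentation-range address, not a real IoC).
KNOWN_BAD_IPS = {"203.0.113.9"}

# Assumed business hours (inclusive start, exclusive end) for the "unusual time" indicator.
BUSINESS_HOURS = range(7, 19)


@dataclass
class Signal:
    """A single raw data point parsed from one log line."""
    ts: datetime
    src: str
    dst: str
    event: str
    session: str


@dataclass
class Transaction:
    """A purposeful unit of activity: here, one web-page visit keyed by session id."""
    session: str
    signals: list = field(default_factory=list)

    @property
    def complete(self) -> bool:
        # A page visit has a clear beginning (request) and end (response);
        # it is only whole once both have been observed.
        events = {s.event for s in self.signals}
        return {"http_request", "http_response"} <= events


def parse_signal(line: str) -> Signal:
    ts, src, dst, event, session = line.split()
    return Signal(datetime.fromisoformat(ts), src, dst, event, session)


def build_transactions(signals):
    """Group signals into transactions by session id, preserving arrival order."""
    txs = {}
    for s in signals:
        txs.setdefault(s.session, Transaction(s.session)).signals.append(s)
    return txs


def evaluate_indicators(tx: Transaction) -> list:
    """Return the names of indicators that give this transaction's signals significance."""
    found = []
    # Indicator 1: traffic to or from a known-malicious address.
    if any(s.src in KNOWN_BAD_IPS or s.dst in KNOWN_BAD_IPS for s in tx.signals):
        found.append("known_bad_ip")
    # Indicator 2: a normal action (a request) at an unusual time of day.
    if any(s.event == "http_request" and s.ts.hour not in BUSINESS_HOURS for s in tx.signals):
        found.append("off_hours_request")
    return found


def analyse(lines):
    """Signals -> transactions -> indicators, summarised per session."""
    signals = [parse_signal(line) for line in lines]
    return {
        sid: {
            "complete": tx.complete,
            "signals": len(tx.signals),
            "indicators": evaluate_indicators(tx),
        }
        for sid, tx in build_transactions(signals).items()
    }


if __name__ == "__main__":
    for sid, summary in analyse(RAW_SIGNALS).items():
        print(sid, summary)
```

Note that indicators are evaluated over the signals regardless of whether the enclosing transaction is complete: an incomplete transaction (sess-3, request with no response) is still worth looking at, and a complete one (sess-2) can carry no indicators at all. That separation is the point of the terminology: counting signals, counting transactions, and counting indicators give three very different numbers for the same log.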
For more information, check out the following resources:

