---
title: Bits AI Security Analyst
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: Docs > Bits AI > Bits AI Security Analyst
---

# Bits AI Security Analyst

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site). ().
{% /alert %}

{% /callout %}

## Overview{% #overview %}

Bits AI Security Analyst is an autonomous AI agent that investigates Cloud SIEM signals end to end. It queries security signals and logs, and uses data-based reasoning to help security engineers investigate threat alerts and make a recommendation on the verdict of each alert signal. By reducing manual effort and analyst fatigue, Bits AI Security Analyst makes security operations smoother and more efficient.

### Key capabilities{% #key-capabilities %}

Bits AI Security Analyst investigations are autonomous. If a detection rule is enabled, Bits AI autonomously investigates signals associated with it.

In the [Cloud SIEM Signals Explorer](https://app.datadoghq.com/security/siem/signals), you can click the **Bits AI Security Analyst** tab to only show signals that Bits AI investigated. In the Severity column, a Bits AI status displays as Investigating, until marking the signal as either Benign or Suspicious.

{% image
   source="https://datadog-docs.imgix.net/images/bits_ai/bits_ai_security_analyst_signals_explorer.92a19d7a7bac35bd07c4e094177c29bc.png?auto=format"
   alt="The Cloud SIEM signals explorer, on the Bits AI Security Analyst tab" /%}

When you click a row with a Bits AI investigation, the Bits AI Investigation side panel opens:

{% image
   source="https://datadog-docs.imgix.net/images/bits_ai/bits_ai_security_analyst_example.eefae77a4a10e96ed04938aa455ffa1d.png?auto=format"
   alt="Bits AI Security Analyst example detection, titled 'Okta phishing detection with FastPass origin check'." /%}

In the side panel, you can see Bits AI's investigative findings, including:

- Overall conclusion
- Key evidence used to come to that conclusion
- Investigative steps showing Bits AI's data queries, including embedded results and links to full queries
- Analysis on each investigative step

You can also take additional steps directly from the side panel:

- Create a case with pre-populated Bits AI investigation results
- Run a workflow with a SOAR blueprint
- Declare an incident
- Add a rule suppression
- Archive the signal, or view the signal with the usual Cloud SIEM interface
- Give Bits AI feedback on its analysis

Additionally, when you use Cloud SIEM notifications to send new signal alerts to Slack or Jira, Bits AI automatically updates those notifications. It includes replies showing the Bits AI investigative conclusion, with a link to the full investigation.

### Supported sources{% #supported-sources %}

Bits AI can run investigations on the following Security log sources:

- AWS CloudTrail
- Azure
- GCP
- Kubernetes
- Microsoft Entra ID
- Okta
- Google Workspace
- Microsoft 365
- GitHub
- Snowflake
- SentinelOne
- Email phishing

## Set up Bits AI Security Analyst{% #set-up-bits-ai-security-analyst %}

### Prerequisites{% #prerequisites %}

To use Bits AI Security Analyst:

- Ensure your organization is using a non-legacy version of Cloud SIEM. If you need assistance, contact [Datadog support](https://docs.datadoghq.com/help).
- To set up Bits AI Security Analyst, you need the **Bits AI Security Analyst Config Write** [permission](https://docs.datadoghq.com/account_management/rbac/permissions/#cloud-security-platform).
- To view investigations, you must have **14 days or more** of log history. If you have a shorter log history, you can still set up Bits AI Security Analyst, but won't see any investigations until you have that much history.

### Setup{% #setup %}

When you enable Bits AI Security Analyst, Datadog analyzes your rules, including custom rules, to determine whether it can confidently investigate signals associated with them. For all eligible rules above medium severity, it starts autonomously investigating signals.

Rule eligibility depends on whether Datadog has built the investigation capability for the log source, and whether the Agent is able to investigate the specific rule. If you have new custom rules to evaluate, or want to ask about a rule that wasn't made eligible, contact [Datadog support](https://docs.datadoghq.com/help).

1. In Datadog, go to **Security** > **Settings** > **[Bits AI Security Analyst](https://app.datadoghq.com/security/configuration/bits-ai-security-analyst)**.
1. Turn on the toggle to enable Bits AI Security Analyst. Additional settings appear.
1. (Optional) Configure which rules and which severities you want Bits AI Security Analyst to automatically investigate signals for. There are two ways to do so:
   - Click **Rule Settings** to configure investigations for individual rules. You can change the minimum severity for signals to be investigated, and enable or disable individual rules for investigation.
   - Click **Query Filter** to write a signal query filter, so Bits AI Security Analyst only investigates signals that match your filter.
1. Some log sources require credentials to run or enhance investigations by accessing logs, telemetry, or other data that isn't in Datadog. To add credentials, click **Edit credentials**. In the **Select or Add Connection** window that opens, follow the prompts to select an [existing connection](https://docs.datadoghq.com/actions/connections/) from Actions Catalog, or add a connection. Datadog securely stores and restricts all credentials using Actions Catalog.
   - Some log sources require additional setup so you can create HTTP connections. Here's an example:
     {% collapsible-section #sentinelone %}
     Configure SentinelOne: 
     1. In SentinelOne, ensure you have permission to create an API token. Create an S1 API service user, then assign the **Viewer** role to that user.
     1. In Datadog, in the **Select or Add Connection** window, in the dropdown, select **New Connection**, then click the **HTTP** tile.
     1. Add the following information:
        - In the **Description** field, Datadog recommends adding your token expiry date, to make it easily accessible.
        - In the **Base URL** field, enter your SentinelOne Management Console URL.
        - Under **Token Auth**, enter a name for your token in the **Token Name** field, and your API token in the **Token Value** field.
     1. Click **Next, Confirm Access** to verify your connection.

          {% /collapsible-section %}

## Disable Bits AI Security Analyst{% #disable-bits-ai-security-analyst %}

1. In Datadog, go to **Security** > **Settings** > **[Bits AI Security Analyst](https://app.datadoghq.com/security/configuration/bits-ai-security-analyst)**.
1. Scroll to the bottom of the page. Under **Disable Bits AI Security Analyst**, turn off the **Enabled** toggle.Important alert (level: warning): Disabling Bits AI Security Analyst permanently resets all configuration settings.

## Further reading{% #further-reading %}

- [Automate Cloud SIEM investigations with Bits AI Security Analyst](https://www.datadoghq.com/blog/bits-ai-security-analyst/)