Getting Started with Cloud SIEM

Overview

Datadog Cloud SIEM detects real-time threats to your application and infrastructure. These threats can include a targeted attack, a threat intel listed IP communicating with your systems, or an insecure configuration. Once detected, a signal is generated and a notification can be sent out to your team.

This guide walks you through best practices for getting started with Cloud SIEM.

Phase 1: Setup

1. Configure log ingestion to collect logs from your sources. Review Best Practices for Log Management.

   You can use out-of-the-box integration pipelines to collect logs for more than 650 integrations, or create custom log pipelines to send:

   • Cloud Audit logs
   • Identity Provider logs
   • SaaS and Workspace logs
   • Third-party security integrations (for example, Amazon GuardDuty)

2. Enable Cloud SIEM.

3. Select and configure Content Packs, which provide out-of-the-box content for critical security log sources.

4. Select and configure additional log sources you want Cloud SIEM to analyze.

5. Click Activate. A custom Cloud SIEM log index (cloud-siem-xxxx) is created.

6. Navigate to the Logs Indexes configuration page.

7. Move the Cloud SIEM index to the top of the index list. Cloud SIEM analyzes all logs going into the Cloud SIEM index. You can configure the index to filter for specific log events. See the Log Index documentation for more information.

Phase 2: Signal exploration

1. Review the out-of-the-box detection rules that begin detecting threats in your environment immediately. Detection rules apply to all processed logs to maximize detection coverage. See the detection rules documentation for more information.

2. Explore security signals. When a threat is detected with a detection rule, a security signal is generated. See the security signals documentation for more information.

   • Set up notification rules to alert when signals are generated. You can alert using Slack, Jira, email, webhooks, and other integrations. See the notification rules documentation for more information.

Phase 3: Investigation

1. Explore the Investigator for faster remediation. See the Investigator documentation for more information.
2. Use out-of-the-box-dashboards or create your own dashboards for investigations, reporting, and monitoring.

Phase 4: Customization

1. Set up suppression rules to reduce noise.
2. Create custom detection rules. Review Best Practices for Creating Detection Rules.

Further Reading

Documentation, liens et articles supplémentaires utiles:

Introduction to Cloud SIEM courseLEARNING CENTER Automate common security tasks and stay ahead of threats with Datadog Workflows and Cloud SIEMBLOG Automate responses with Workflows security blueprintsAPP AWS configuration guide for Cloud SIEMDOCUMENTATION Google Cloud configuration guide for Cloud SIEMDOCUMENTATION Azure configuration guide for Cloud SIEMDOCUMENTATION Learn more about notification variables to customize notificationsDOCUMENTATION Join an interactive session to elevate your security and threat detectionFOUNDATION ENABLEMENT Read about security-related topics on Datadog's Security LabsSECURITY LABS Easily ingest and monitor security logs with Cloud SIEM Content PacksBLOG