Getting Started with Cloud SIEM


Overview

Datadog Cloud SIEM detects real-time threats to your application and infrastructure. These threats can include a targeted attack, an IP address on a threat intelligence list communicating with your systems, or an insecure configuration. When a threat is detected, a security signal is generated and a notification can be sent to your team.

This guide walks you through best practices for getting started with Cloud SIEM.

Phase 1: Setup

  1. Configure log ingestion to collect logs from your sources. Review Best Practices for Log Management.

    You can use out-of-the-box integration pipelines to collect logs for more than 650 integrations, or create custom log pipelines to send:

  2. Enable Cloud SIEM.

  3. Select and configure Content Packs, which provide out-of-the-box content for critical security log sources.

  4. Select and configure additional log sources you want Cloud SIEM to analyze.

  5. Click Activate. A custom Cloud SIEM log index (cloud-siem-xxxx) is created.

  6. Navigate to the Logs Indexes configuration page.

  7. Move the Cloud SIEM index to the top of the index list. Indexes are evaluated in order and a log enters the first index whose filter it matches, so if a catch-all index sits above the Cloud SIEM index, the security logs it should receive are captured elsewhere and never analyzed. Cloud SIEM analyzes all logs going into the Cloud SIEM index. You can configure the index filter to admit only specific log events. See the Log Index documentation for more information.

Phase 2: Signal exploration

  1. Review the out-of-the-box detection rules that begin detecting threats in your environment immediately. Detection rules apply to all processed logs to maximize detection coverage. See the detection rules documentation for more information.

  2. Explore security signals. When a threat is detected with a detection rule, a security signal is generated. See the security signals documentation for more information.

Phase 3: Investigation

  1. Explore the Investigator for faster remediation. See the Investigator documentation for more information.
  2. Use out-of-the-box dashboards or create your own dashboards for investigations, reporting, and monitoring.

Phase 4: Customization

  1. Set up suppression rules to reduce noise, for example to mute signals that a known, approved scanner account would otherwise raise on every run.
  2. Create custom detection rules. Review Best Practices for Creating Detection Rules.
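The following is an added example, not Datadog code, that models in plain Python the three mechanics this page relies on: the ordered-index routing from step 7 of Phase 1, a grouped threshold detection rule producing signals as in Phase 2, and the suppression rule from Phase 4. The log lines, the index names, the rule and the suppression are all constructed for the illustration, and the query matcher supports only a small key:value subset of the real log search syntax.

```python
"""
Toy model of the flow this page describes: ordered log indexes, a threshold
detection rule evaluated per group over a window, and a suppression rule.
Added illustration only; it is not Datadog code and the query syntax is a
tiny key:value subset of the real log search syntax.
"""
from collections import defaultdict
from datetime import datetime, timedelta

BASE = datetime(2024, 5, 1, 12, 0, 0)


def auth_fail(user, ip, seconds):
    """Constructed sample log: one failed login 'seconds' after BASE."""
    return {"timestamp": BASE + timedelta(seconds=seconds), "source": "auth",
            "evt.outcome": "failure", "usr.name": user, "network.client.ip": ip}


# Constructed sample logs, not real data: 3 spread-out failures (benign),
# 8 failures in 140 s (brute force), 20 failures in 190 s from a known scanner
# account, one success, and one unrelated web log.
LOGS = (
    [auth_fail("alice", "203.0.113.5", s) for s in (0, 60, 400)]
    + [auth_fail("bob", "198.51.100.7", s) for s in range(0, 160, 20)]
    + [auth_fail("svc-scanner", "10.0.0.9", s) for s in range(0, 200, 10)]
    + [{"timestamp": BASE, "source": "auth", "evt.outcome": "success",
        "usr.name": "alice", "network.client.ip": "203.0.113.5"}]
    + [{"timestamp": BASE, "source": "nginx", "http.status_code": 200}]
)


def matches(query, log):
    """Subset of log search syntax: space-separated key:value terms ANDed
    together, '*' matches everything, a leading '-' negates a term."""
    if query.strip() == "*":
        return True
    for term in query.split():
        negate = term.startswith("-")
        key, _, value = term.lstrip("-").partition(":")
        if (str(log.get(key, "")) == value) == negate:
            return False
    return True


def route_to_indexes(logs, indexes):
    """Indexes are evaluated top to bottom and a log lands in the FIRST one
    whose filter matches, so a catch-all index above the Cloud SIEM index
    starves it. `indexes` is an ordered list of (name, filter_query)."""
    routed = {name: [] for name, _ in indexes}
    for log in logs:
        for name, flt in indexes:
            if matches(flt, log):
                routed[name].append(log)
                break
    return routed


BRUTE_FORCE_RULE = {  # hypothetical rule in the shape the page describes
    "name": "Possible credential brute force",
    "query": "source:auth evt.outcome:failure",
    "group_by": ["usr.name"],
    "evaluation_window": 300,  # seconds
    "cases": [  # checked in order; the first case whose count > threshold wins
        {"status": "high", "threshold": 15},
        {"status": "medium", "threshold": 5},
    ],
}

SUPPRESSIONS = [  # mute signals from this rule when the signal attributes match
    {"rule_name": BRUTE_FORCE_RULE["name"], "suppression_query": "usr.name:svc-scanner"},
]


def max_count_in_window(timestamps, window):
    """Largest number of events falling in any (t - window, t] window."""
    return max(sum(1 for u in timestamps if t - window < u <= t) for t in timestamps)


def evaluate_rule(logs, rule):
    """Count query hits per group inside a sliding evaluation window and
    generate one signal per group whose peak count crosses a case threshold."""
    groups = defaultdict(list)
    for log in logs:
        if matches(rule["query"], log):
            groups[tuple(log.get(f) for f in rule["group_by"])].append(log["timestamp"])
    window = timedelta(seconds=rule["evaluation_window"])
    signals = []
    for group, ts in groups.items():
        peak = max_count_in_window(ts, window)
        for case in rule["cases"]:
            if peak > case["threshold"]:
                signals.append({"rule": rule["name"], "status": case["status"], "count": peak,
                                "attributes": dict(zip(rule["group_by"], group))})
                break
    return signals


def apply_suppressions(signals, suppressions):
    """Split signals into (kept, muted) using suppressions scoped to a rule name."""
    kept, muted = [], []
    for sig in signals:
        hit = any(s["rule_name"] == sig["rule"] and matches(s["suppression_query"], sig["attributes"])
                  for s in suppressions)
        (muted if hit else kept).append(sig)
    return kept, muted


def run_pipeline(indexes, siem_index="cloud-siem-1234"):
    """Route LOGS through the ordered indexes, run the rule over the SIEM index
    only, then apply suppressions; returns the signals an analyst would see."""
    routed = route_to_indexes(LOGS, indexes)
    kept, _ = apply_suppressions(evaluate_rule(routed[siem_index], BRUTE_FORCE_RULE), SUPPRESSIONS)
    return kept


# Wrong order: the catch-all 'main' index swallows every log and the SIEM index is empty.
MISORDERED = [("main", "*"), ("cloud-siem-1234", "source:auth")]
# Right order: the SIEM index sits on top (step 7 above) and receives all auth logs.
ORDERED = [("cloud-siem-1234", "source:auth"), ("main", "*")]

if __name__ == "__main__":
    print("misordered:", run_pipeline(MISORDERED))
    print("ordered:   ", run_pipeline(ORDERED))
```

With the indexes misordered the rule sees no logs and emits nothing, which is the silent failure step 7 warns about; with the Cloud SIEM index first, bob's eight failures in 140 seconds produce a medium signal, while svc-scanner's twenty failures would be a high signal but are muted by the suppression, so the analyst sees exactly one signal.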

Further Reading