Detection Rules define conditional logic that is applied to all ingested logs and cloud configurations. When at least one case defined in a rule is matched over a given period of time, Datadog generates a Security Signal.
For each monitoring option, there are default detection rules that work out-of-the-box with integration configuration.
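As an added illustration of how a threshold rule's query, group-by key, cases and evaluation window combine to produce a signal, the following Python sketch evaluates a small rule over a few constructed SSH login logs. It is example code written for this page, not Datadog's own rule engine; the rule shape, field names, thresholds and sample logs are all assumptions made for the illustration.

```python
from datetime import datetime, timedelta
# Constructed sample SSH login logs for this example (not taken from the page).
SAMPLE_LOGS = [
    {"ts": "2024-01-01T10:00:00", "source": "sshd", "status": "failure", "ip": "203.0.113.7"},
    {"ts": "2024-01-01T10:00:30", "source": "sshd", "status": "failure", "ip": "203.0.113.7"},
    {"ts": "2024-01-01T10:01:10", "source": "sshd", "status": "failure", "ip": "203.0.113.7"},
    {"ts": "2024-01-01T10:02:00", "source": "sshd", "status": "success", "ip": "203.0.113.7"},
    {"ts": "2024-01-01T10:03:00", "source": "sshd", "status": "failure", "ip": "198.51.100.9"},
    {"ts": "2024-01-01T10:20:00", "source": "sshd", "status": "failure", "ip": "198.51.100.9"},
]

# Threshold-style rule (assumed shape): query, group-by key, evaluation window and ordered cases.
THRESHOLD_RULE = {
    "name": "Repeated SSH authentication failures",
    "query": {"source": "sshd", "status": "failure"},
    "group_by": "ip",
    "window": timedelta(minutes=5),
    "cases": [{"name": "high volume", "min_count": 10, "severity": "high"},
              {"name": "suspicious", "min_count": 3, "severity": "medium"}],
}

def matches(log, query):
    # Every field in the rule query must equal the corresponding log field.
    return all(log.get(k) == v for k, v in query.items())

def peak_count_in_window(timestamps, window):
    # Largest number of events that fall inside any interval of length `window`.
    ts = sorted(timestamps)
    best = start = 0
    for end, t in enumerate(ts):
        while t - ts[start] > window:  # slide the left edge of the window forward
            start += 1
        best = max(best, end - start + 1)
    return best

def evaluate(rule, logs):
    # Return one signal per group whose peak match count satisfies a case.
    groups = {}
    for log in logs:
        if matches(log, rule["query"]):
            groups.setdefault(log[rule["group_by"]], []).append(datetime.fromisoformat(log["ts"]))
    signals = []
    for key, stamps in groups.items():
        count = peak_count_in_window(stamps, rule["window"])
        for case in rule["cases"]:  # checked top to bottom, first satisfied case wins
            if count >= case["min_count"]:
                signals.append({"rule": rule["name"], rule["group_by"]: key, "case": case["name"],
                                "severity": case["severity"], "count": count})
                break
    return signals
```

With these inputs only 203.0.113.7 reaches three failures inside a five-minute window, so a single medium-severity signal is produced; the two failures from 198.51.100.9 are 17 minutes apart and never satisfy a case.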
Creating and managing detection rules
The Detection Rules page lets you search all detection rules by rule type. Quickly enable, disable, edit, delete, and clone rules. To create a custom detection rule, click on the New Rule button in the top right corner of the page.
Finding detection rules
The free text search filters Detection Rules by text in the rule name or query. Query results update in real-time when the query is edited—there is no “Search” button to click.
Filter by facet
Use facets in the left panel to scope a search query by value. For example, if you have several rule types, such as log detection or cloud configuration, filter by rule type to see only the rules of that type.
You can also filter by facets such as severity to help when investigating and triaging incoming issues. To include all facets within a category in search again, hover your mouse over a value in the panel and click all.
Note: By default, all facets are selected.
Rules are displayed in the detection rules table. You can sort the table by clicking on the Sort by option in the top right corner of the table. For example, sort by Highest Severity to triage high-impact misconfigurations and threats.
Enabling or disabling a rule
Enable or disable a rule using the toggle switch to the right of the rule.
Rule and generated signal options
Click on the three dot menu, next to the rule toggle, and select any of the provided options: Edit, Clone, Delete, or View generated signals.
- Click Edit to update queries, adjust triggers, manage notifications, or adjust rule configuration.
- Note: You can only edit an out-of-the-box (OOTB) rule by first cloning the rule, and then modifying the rule. To edit a default rule, click Edit and scroll to the bottom of the rule configuration page. Click Clone, and then modify the rule.
- Cloning a rule is helpful if you wish to duplicate an existing rule and lightly modify its settings to cover other areas of detection. For example, you could duplicate a log detection rule and change it from Threshold to Anomaly to add a new dimension to threat detection using the same queries and triggers.
- The delete option is only available for custom rules. You cannot delete an out-of-the-box (OOTB) rule because it is native to the platform. To permanently delete a custom rule, click Delete. To disable an OOTB rule, click the disable toggle.
- Click View generated signals to pivot to the Signals Explorer and query by a rule’s ID. This is useful when correlating signals across multiple sources by rule, or when completing an audit of rules.
Limit edit access
By default, all users have full access to security rules.
Use granular access controls to limit the roles that may edit a single rule:
- Click on the three dot menu for the rule.
- Select Permissions.
- Click Restrict Access.
- The dialog box updates to show that members of your organization have Viewer access by default.
- Use the drop-down to select one or more roles that may edit the security rule.
- Click Add.
- The dialog box updates to show that the role you selected has the Editor permission.
- Click Save.
Note: To maintain your edit access to the rule, the system requires you to include at least one role that you are a member of before saving.
To restore general access to a rule with restricted access, follow the steps below:
- Click on the three dot menu on the right of the rule.
- Select Permissions.
- Click Restore Full Access.
- Click Save.