Detection Rules define conditional logic that is applied to all ingested logs and cloud configurations. When at least one case defined in a rule is matched over a given period of time, Datadog generates a Security Signal.
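To make the rule-to-signal flow above concrete, here is a small added model of a detection rule (this is example code written for this page, not Datadog's implementation): a query predicate selects the logs to count, a group-by attribute buckets them, a time window bounds the evaluation, and ordered cases with count thresholds decide whether a Security Signal is produced and at what severity. The rule name, field names, thresholds and sample log records are all constructed for the demonstration.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Illustrative model of how a detection rule turns matching logs into a
# Security Signal. Added example code, not Datadog's implementation; the
# field names, rule shape and sample logs below are all constructed.


@dataclass(frozen=True)
class Case:
    name: str
    severity: str
    min_count: int   # fires when >= this many matching logs fall in one window


@dataclass(frozen=True)
class DetectionRule:
    name: str
    query: Callable[[dict], bool]   # conditional logic selecting the logs to count
    group_by: str                   # attribute that buckets matches (here: client_ip)
    window_seconds: int             # the "given period of time" a case is evaluated over
    cases: List[Case]               # checked in order; the first case that matches wins


@dataclass(frozen=True)
class SecuritySignal:
    rule: str
    case: str
    severity: str
    group: str
    count: int
    window_start: int
    window_end: int


def evaluate(rule: DetectionRule, logs: List[dict]) -> List[SecuritySignal]:
    """Slide a trailing window over each group's matching logs and emit at most
    one signal per group: the earliest-listed case that fired, with the largest
    count seen for that case."""
    matched = sorted((log for log in logs if rule.query(log)),
                     key=lambda log: log["timestamp"])
    by_group: Dict[str, List[int]] = defaultdict(list)
    for log in matched:
        by_group[log[rule.group_by]].append(log["timestamp"])

    signals: List[SecuritySignal] = []
    for group, stamps in by_group.items():
        best: Optional[SecuritySignal] = None
        best_rank = len(rule.cases)
        start = 0
        for end, ts in enumerate(stamps):
            # drop timestamps that have fallen out of the trailing window
            while ts - stamps[start] > rule.window_seconds:
                start += 1
            count = end - start + 1
            for rank, case in enumerate(rule.cases):
                if count >= case.min_count:
                    if rank < best_rank or (rank == best_rank and count > best.count):
                        best = SecuritySignal(rule.name, case.name, case.severity,
                                              group, count, stamps[start], ts)
                        best_rank = rank
                    break   # first matching case wins, as with ordered rule cases
        if best is not None:
            signals.append(best)
    return sorted(signals, key=lambda s: s.group)


BASE = 1_700_000_000  # constructed epoch timestamp for the sample logs


def _login(ts_offset: int, ip: str, outcome: str = "failure") -> dict:
    return {"timestamp": BASE + ts_offset, "source": "sshd",
            "outcome": outcome, "client_ip": ip, "user": "admin"}


SAMPLE_LOGS = [
    # 10.0.0.5: six failures in 100 seconds, plus a success the query ignores
    *[_login(t, "10.0.0.5") for t in (0, 20, 40, 60, 80, 100)],
    _login(120, "10.0.0.5", outcome="success"),
    # 10.0.0.7: three failures inside one 5-minute window, a fourth well after
    *[_login(t, "10.0.0.7") for t in (0, 200, 280, 700)],
    # 10.0.0.9: two failures ten minutes apart never share a window
    *[_login(t, "10.0.0.9") for t in (0, 600)],
]

BRUTE_FORCE_RULE = DetectionRule(
    name="SSH brute force (constructed example rule)",
    query=lambda log: log["source"] == "sshd" and log["outcome"] == "failure",
    group_by="client_ip",
    window_seconds=300,
    cases=[Case("high_volume", "high", 5), Case("repeated_failures", "medium", 3)],
)

if __name__ == "__main__":
    for signal in evaluate(BRUTE_FORCE_RULE, SAMPLE_LOGS):
        print(signal)
```

Running the block yields one high-severity signal for 10.0.0.5 (six failures in a single window) and one medium-severity signal for 10.0.0.7 (three failures, the fourth arriving after the window closed); 10.0.0.9 never accumulates enough matches in any window, so no signal is produced for it. The point to take from the model is that the window and the case thresholds, not the individual log, decide whether a signal exists.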
For each monitoring option, there are default detection rules that work out of the box once the integration is configured.
Cloud Security Posture Management uses cloud configuration and infrastructure configuration rules to scan the state of your cloud environment.
With Cloud Workload Security, the Datadog Agent actively monitors system activity and evaluates it against a set of rules.
The Security Rules page lets you search all Detection Rules. Quickly enable, disable, edit, delete, clone, or view signals generated by any of these rules. To create a custom security rule, click on the New Rule button in the top right corner of the page.
Note: Custom rules are only available for Security Monitoring.
The free text search filters Detection Rules by text in the rule name or query. Query results update in real time as the query is edited; there is no "Search" button to click.
Use facets in the left panel to scope a search query by value. For example, if you have several rule sources and need to troubleshoot rules provided by one source, hover over a source value in the panel, such as kubernetes, and click only to narrow the search to that source.
By default, all facets are selected. To remove a facet from search, deselect the checkbox.
Rules are displayed in the rules table.
Columns can be added or removed with the options menu.
Rules are sorted alphabetically by name, ascending (A-Z) by default. The sort order can be reversed by name, query name, creation date, or rule ID.
Enable or disable a rule using the toggle switch to the right of the rule.
Edit a rule by hovering over the rule and clicking the Edit button.
Search for signals generated by a rule by hovering over the rule and clicking the View Generated Signals button.
Clone a rule by hovering over the rule and clicking the Clone button.
Delete a rule by hovering over the rule and clicking the Delete button.