Getting Started with Cloud SIEM

Overview

Datadog Cloud SIEM detects real-time threats to your application and infrastructure. These threats can include a targeted attack, a threat intel listed IP communicating with your systems, or an insecure configuration. Once detected, a signal is generated and a notification can be sent out to your team.

This guide walks you through best practices for getting started with Cloud SIEM.

Phase 1: Setup

Configure log ingestion to collect logs from your sources. Review Best Practices for Log Management.
You can use out-of-the-box integration pipelines to collect logs for more than 600 integrations, or create custom log pipelines to send:
- Cloud Audit logs
- Identity Provider logs
- SaaS and Workspace logs
- Third-party security integrations (for example, AWS GuardDuty)
Enable Cloud SIEM.

Phase 2: Signal exploration

Review the out-of-the-box detection rules that begin detecting threats in your environment immediately. Detection rules apply to all processed logs to maximize detection coverage. See the detection rules documentation for more information.
Explore security signals. When a threat is detected with a detection rule, a security signal is generated. See the security signals documentation for more information.
- Set up notification rules to alert when signals are generated. You can alert using Slack, Jira, email, webhooks, and other integrations. See the notification rules documentation for more information.

Phase 3: Investigation

Explore the Investigator for faster remediation. See the Investigator documentation for more information.
Use out-of-the-box-dashboards or create your own dashboards for investigations, reporting, and monitoring.