Getting Started with Cloud SIEM

Overview

Datadog Cloud SIEM detects threats to your applications and infrastructure in real time, such as a targeted attack, an IP address on a threat intelligence list communicating with your systems, or an insecure configuration. When a threat is detected, a security signal is generated and a notification can be sent to your team.

This guide walks you through best practices for getting started with Cloud SIEM.

Phase 1: Setup

  1. Configure log ingestion to collect logs from your sources. Review Best Practices for Log Management.

    You can use out-of-the-box integration pipelines to collect logs for more than 650 integrations, or create custom log pipelines to send:

  2. Enable Cloud SIEM.

Phase 2: Signal exploration

  1. Review the out-of-the-box detection rules that begin detecting threats in your environment immediately. Detection rules apply to all processed logs to maximize detection coverage. See the detection rules documentation for more information.

  2. Explore security signals. When a threat is detected with a detection rule, a security signal is generated. See the security signals documentation for more information.

Phase 3: Investigation

  1. Explore the Investigator for faster remediation. See the Investigator documentation for more information.
  2. Use out-of-the-box dashboards or create your own dashboards for investigations, reporting, and monitoring.

Phase 4: Customization

  1. Set up suppression rules to reduce noise.
  2. Create custom detection rules. Review Best Practices for Creating Detection Rules.
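To make the Phase 2 and Phase 4 concepts concrete (a detection rule that turns matching logs into a signal, and a suppression rule that keeps a known-benign source from paging anyone), the following Python model is an added example written for this guide. It is not Datadog's rule engine, rule schema, or API: the `DetectionRule`/`SuppressionRule` classes, the attribute names (`service`, `evt.outcome`, `network.client.ip`), the `10.0.0.0/8` scanner allowlist, and the sample SSH events are all constructed for the illustration.

```python
"""Toy model of a threshold detection rule and a suppression rule.

Added example for this guide; NOT Datadog's engine or API. Field names,
rule structure and all sample events below are constructed.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable


def _auth_events(ip: str, outcome: str, start: str, count: int, step_s: int) -> list[dict]:
    """Build `count` constructed sshd events from `ip`, `step_s` seconds apart."""
    t0 = datetime.fromisoformat(start)
    return [
        {"ts": (t0 + timedelta(seconds=i * step_s)).isoformat(), "service": "sshd",
         "evt.outcome": outcome, "network.client.ip": ip}
        for i in range(count)
    ]


# Constructed sample logs: one real-looking burst, one burst from an internal
# scanner (assumed allowlisted), and a sparse trickle that stays under threshold.
SAMPLE_LOGS = (
    _auth_events("203.0.113.5", "failure", "2024-05-01T10:00:00", 6, 25)      # 6 failures in ~2 min
    + _auth_events("203.0.113.5", "success", "2024-05-01T10:02:30", 1, 0)     # then a login succeeds
    + _auth_events("10.0.0.7", "failure", "2024-05-01T10:00:00", 5, 10)       # assumed vuln scanner
    + _auth_events("198.51.100.9", "failure", "2024-05-01T09:00:00", 3, 1800)  # 3 failures, 30 min apart
)


@dataclass
class Signal:
    rule: str
    severity: str
    group: str            # value of the group_by attribute, e.g. the client IP
    first_seen: datetime
    last_seen: datetime
    count: int


@dataclass
class DetectionRule:
    name: str
    severity: str
    query: Callable[[dict], bool]   # which logs the rule looks at
    group_by: str                   # attribute whose value defines one "case"
    threshold: int                  # matches needed inside the window
    window: timedelta               # sliding evaluation window

    def evaluate(self, logs: list[dict]) -> list[Signal]:
        """Slide a per-group window over matching logs; emit one signal per burst."""
        signals: list[Signal] = []
        buckets: dict[str, deque[datetime]] = defaultdict(deque)
        for event in sorted((e for e in logs if self.query(e)), key=lambda e: e["ts"]):
            ts = datetime.fromisoformat(event["ts"])
            key = event.get(self.group_by, "<missing>")
            q = buckets[key]
            q.append(ts)
            while q and ts - q[0] > self.window:   # drop timestamps outside the window
                q.popleft()
            if len(q) >= self.threshold:
                signals.append(Signal(self.name, self.severity, key, q[0], ts, len(q)))
                q.clear()   # a fresh burst is needed before this group fires again
        return signals


@dataclass
class SuppressionRule:
    name: str
    matches: Callable[[Signal], bool]   # signals matching this predicate are not surfaced


def run_pipeline(logs, rules, suppressions) -> tuple[list[Signal], list[Signal]]:
    """Evaluate every rule, then split the resulting signals into fired/suppressed."""
    fired, suppressed = [], []
    for rule in rules:
        for sig in rule.evaluate(logs):
            hit = any(s.matches(sig) for s in suppressions)
            (suppressed if hit else fired).append(sig)
    return fired, suppressed


SCANNER_RANGE = ipaddress.ip_network("10.0.0.0/8")   # assumed allowlisted scanner range

BRUTE_FORCE = DetectionRule(
    name="SSH brute force attempt",
    severity="medium",
    query=lambda e: e.get("service") == "sshd" and e.get("evt.outcome") == "failure",
    group_by="network.client.ip",
    threshold=5,
    window=timedelta(minutes=5),
)

SUPPRESS_SCANNER = SuppressionRule(
    name="Internal vulnerability scanner",
    matches=lambda s: s.rule == BRUTE_FORCE.name and ipaddress.ip_address(s.group) in SCANNER_RANGE,
)


def demo() -> tuple[list[Signal], list[Signal]]:
    return run_pipeline(SAMPLE_LOGS, [BRUTE_FORCE], [SUPPRESS_SCANNER])


if __name__ == "__main__":
    fired, suppressed = demo()
    for s in fired:
        print("SIGNAL    ", s)
    for s in suppressed:
        print("SUPPRESSED", s)
```

Two points this makes that the bullet list alone does not: a threshold rule is evaluated per group (here per client IP), so a scanner and an attacker never share a case; and a suppression rule is applied to the signal, not to the log query, so the scanner's activity is still counted and visible, it just does not notify. Scope suppressions as narrowly as possible: the predicate above checks both the rule name and the address range, so an allowlisted range cannot silence unrelated rules.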

Further Reading