Getting Started with Cloud SIEM

Overview

Datadog Cloud SIEM detects real-time threats to your application and infrastructure. These threats can include a targeted attack, an IP address from a threat intelligence list communicating with your systems, or an insecure configuration. Once a threat is detected, a signal is generated and a notification can be sent to your team.

This guide walks you through best practices for getting started with Cloud SIEM.

Phase 1: Setup

  1. Configure log ingestion to collect logs from your sources. Review Best Practices for Log Management.

    You can use out-of-the-box integration pipelines to collect logs for more than 700 integrations, or create custom log pipelines to send:

  2. Enable Cloud SIEM.

  3. Select and configure Content Packs, which provide out-of-the-box content for critical security log sources.

  4. Select and configure additional log sources you want Cloud SIEM to analyze.

  5. Click Activate. A custom Cloud SIEM log index (cloud-siem-xxxx) is created.

  6. If the Cloud SIEM setup page shows the warning “The Cloud SIEM index is not in the first position”, follow the steps in the Reorder the Cloud SIEM index section.

Reorder the Cloud SIEM index

A yellow warning box saying that the index configuration needs attention

  1. Click Reorder index in Logs Configuration.

  2. Confirm the modal title says “Move cloud-siem-xxxx to…” and that the cloud-siem-xxxx text in the index column is light purple.

The Move cloud-siem-xxxx modal showing the list of indexes with cloud-siem-xxxx index as the last index

  3. To select the new placement of your index, click the top line of the index where you want cloud-siem-xxxx to go. For example, if you want to make the cloud-siem-xxxx index the first index, click on the line above the current first index. The new position is highlighted with a thick blue line.

The Move cloud-siem-xxxx modal showing a blue line at the top of the first index

  4. The text confirms the position selected: “Select the new placement of your index: Position 1”. Click Move.

  5. Review the warning text. If you are satisfied with the change, click Reorder.

  6. Review the index order and confirm that the cloud-siem-xxxx index is where you want it. If you want to move the index again, click the Move to icon and follow steps 3 to 5.

  7. Navigate back to the Cloud SIEM setup page.

The Cloud SIEM index should be in the first index position now. If the setup page still displays a warning about the index position, wait a few minutes and refresh the browser.

After the index is moved to the first index position, review the settings and statuses for the Content Packs and other log sources. For each integration that shows a warning or an error, click on the integration and follow the instructions to fix it.
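As an added example (not part of the Datadog documentation), the following Python script performs the same position check from the Logs Indexes API: it reads the current order from GET /api/v1/logs/config/index-order, reports where the cloud-siem-xxxx index sits, and builds the index_names payload for the matching PUT. The endpoint and DD-API-KEY / DD-APPLICATION-KEY headers are the public API's; the DD_APP_KEY and DD_SITE environment variable names and the sample index names are assumptions.

```python
import json
import os
import urllib.request

# Assumed environment variable for the site; defaults to datadoghq.com.
DD_SITE = os.environ.get("DD_SITE", "datadoghq.com")
INDEX_ORDER_URL = f"https://api.{DD_SITE}/api/v1/logs/config/index-order"


def find_cloud_siem_index(index_names):
    """Return the Cloud SIEM index name (cloud-siem-xxxx), or None if Cloud SIEM
    has not been activated and no such index exists yet."""
    matches = [name for name in index_names if name.startswith("cloud-siem-")]
    return matches[0] if matches else None


def check_index_order(order_response):
    """Parse a GET index-order response ({"index_names": [...]}) and report the
    1-based position of the Cloud SIEM index (0 when it is missing)."""
    names = order_response["index_names"]
    siem = find_cloud_siem_index(names)
    position = names.index(siem) + 1 if siem else 0
    return {"index": siem, "position": position, "is_first": position == 1}


def reordered_index_names(index_names):
    """Return index_names with the Cloud SIEM index moved to position 1.
    The list is returned unchanged if the index is already first or absent."""
    siem = find_cloud_siem_index(index_names)
    if siem is None or index_names[0] == siem:
        return list(index_names)
    return [siem] + [name for name in index_names if name != siem]


def _api(method, body=None):
    """Call the index-order endpoint; keys come from the environment."""
    req = urllib.request.Request(
        INDEX_ORDER_URL, method=method,
        data=json.dumps(body).encode() if body else None,
        headers={"DD-API-KEY": os.environ["DD_API_KEY"],
                 "DD-APPLICATION-KEY": os.environ["DD_APP_KEY"],  # assumed var name
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    if "DD_API_KEY" in os.environ and "DD_APP_KEY" in os.environ:
        current = _api("GET")  # live read of the real index order
    else:
        # Constructed sample: the Cloud SIEM index is last, as in the setup warning.
        current = {"index_names": ["main", "audit", "cloud-siem-abcd"]}
    report = check_index_order(current)
    print(report)
    if report["index"] and not report["is_first"]:
        payload = {"index_names": reordered_index_names(current["index_names"])}
        print("PUT payload:", payload)  # apply with _api("PUT", payload)
```

The PUT is left as a printed payload so the script is read-only by default; re-run the check after applying it, since the setup page can lag a few minutes behind the API.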

Phase 2: Signal exploration

  1. Review the out-of-the-box detection rules that begin detecting threats in your environment immediately. Detection rules apply to all processed logs to maximize detection coverage. See the detection rules documentation for more information.

  2. Explore security signals. When a threat is detected with a detection rule, a security signal is generated. See the security signals documentation for more information.

    • Set up notification rules to alert when signals are generated. You can alert using Slack, Jira, email, webhooks, and other integrations. See the notification rules documentation for more information.
    • Subscribe to the weekly threat digest reports to begin investigation and remediation of the most important security threats discovered in the last seven days.

Phase 3: Investigation

  1. Explore the Investigator for faster remediation. See the Investigator documentation for more information.
  2. Use out-of-the-box dashboards or create your own dashboards for investigations, reporting, and monitoring.

Phase 4: Customization

  1. Set up suppression rules to reduce noise.
  2. Create custom detection rules. Review Best Practices for Creating Detection Rules.

Further Reading