---
title: Getting Started with Cloud SIEM
description: >-
  Learn to set up Datadog Cloud SIEM for real-time threat detection. Configure
  log ingestion, enable detection rules, and explore security signals for
  comprehensive monitoring.
breadcrumbs: >-
  Docs > Getting Started > Getting Started with Security > Getting Started with
  Cloud SIEM
---

# Getting Started with Cloud SIEM

## Overview{% #overview %}

[Datadog Cloud SIEM](https://docs.datadoghq.com/security/cloud_siem/) detects real-time threats to your application and infrastructure. These threats can include a targeted attack, an IP address on a threat intelligence list communicating with your systems, or an insecure configuration. Once a threat is detected, a security signal is generated and a notification can be sent to your team.

This guide walks you through best practices for getting started with Cloud SIEM.

## Phase 1: Setup{% #phase-1-setup %}

1. Configure [log ingestion](https://app.datadoghq.com/security/configuration/siem/log-sources) to collect logs from your sources. Review [Best Practices for Log Management](https://docs.datadoghq.com/logs/guide/best-practices-for-log-management/).

   You can use [out-of-the-box integration pipelines](https://docs.datadoghq.com/integrations/) to collect logs for more than 1,000 integrations, or [create custom log pipelines](https://docs.datadoghq.com/logs/log_configuration/pipelines/) to send:

   - [Cloud Audit logs](https://www.datadoghq.com/blog/monitoring-cloudtrail-logs/)
   - [Identity Provider logs](https://www.datadoghq.com/blog/how-to-monitor-authentication-logs/)
   - SaaS and Workspace logs
   - Third-party security integrations (for example, Amazon GuardDuty)

1. Enable [Cloud SIEM](https://app.datadoghq.com/security/landing).

1. Select and configure [Content Packs](https://app.datadoghq.com/security/siem/content-packs), which provide out-of-the-box content for critical security log sources.

1. Select and configure [additional log sources](https://app.datadoghq.com/security/configuration/siem/log-sources) you want Cloud SIEM to analyze.

1. Click **Activate**. A custom Cloud SIEM log index (`cloud-siem-xxxx`) is created.

1. If the Cloud SIEM setup page shows the warning "The Cloud SIEM index is not in the first position", follow the steps in the [Reorder the Cloud SIEM index](#reorder-the-cloud-siem-index) section.

### Reorder the Cloud SIEM index{% #reorder-the-cloud-siem-index %}

{% image
   source="https://datadog-docs.imgix.net/images/getting_started/cloud_siem/cloud-siem-setup-warning.e8fbf8f8f545fcd29dffad55ce6d345e.png?auto=format"
   alt="A yellow warning box saying that the index configuration needs attention" /%}

1. Click **Reorder index in Logs Configuration**.

1. Confirm the modal title says "Move cloud-siem-xxxx to…" and that the `cloud-siem-xxxx` text in the index column is light purple.

   {% image
      source="https://datadog-docs.imgix.net/images/getting_started/cloud_siem/move-index-modal.8b3da22430a26a847b2c7a66f1256093.png?auto=format"
      alt="The Move cloud-siem-xxxx modal showing the list of indexes with cloud-siem-xxxx index as the last index" /%}

1. To select the new placement of your index, click the top line of the index where you want `cloud-siem-xxxx` to go. For example, to make the `cloud-siem-xxxx` index the first index, click the line *above* the current first index. The new position is highlighted with a thick blue line.

   {% image
      source="https://datadog-docs.imgix.net/images/getting_started/cloud_siem/move-index-highlight.24984c24d36898ec724919dbedf581ca.png?auto=format"
      alt="The Move cloud-siem-xxxx modal showing a blue line at the top of the first index" /%}

1. The text confirms the position selected: "Select the new placement of your index: Position 1". Click **Move**.

1. Review the warning text. If you are satisfied with the change, click **Reorder**.

1. Review the index order and confirm that the `cloud-siem-xxxx` index is where you want it. If you want to move the index again, click the **Move to** icon and follow steps 3 to 5.

1. Navigate back to the [Cloud SIEM setup page](https://app.datadoghq.com/security/configuration/siem/setup).

1. The Cloud SIEM index should now be in the first index position. If the setup page still displays a warning about the index position, wait a few minutes and refresh the browser.

After the index is moved to the first index position, review the settings and statuses for the [Content Packs](https://app.datadoghq.com/security/configuration/siem/setup) and [other log sources](https://app.datadoghq.com/security/configuration/siem/setup). For each integration that shows a warning or an error, click on the integration and follow the instructions to fix it.

## Phase 2: Signal exploration{% #phase-2-signal-exploration %}

1. Review the [out-of-the-box detection rules](https://docs.datadoghq.com/security/default_rules/#cat-cloud-siem-log-detection) that begin detecting threats in your environment immediately. Detection rules apply to all processed logs to maximize detection coverage. See the [detection rules](https://docs.datadoghq.com/security/detection_rules/) documentation for more information.

1. Explore [security signals](https://app.datadoghq.com/security/siem/signals?query=%40workflow.rule.type%3A%28%22Log%20Detection%22%20OR%20%22Signal%20Correlation%22%29&column=time&order=desc&view=signal&viz=stream&start=1676321431953&end=1676407831953&paused=false). When a threat is detected with a detection rule, a security signal is generated. See the [security signals](https://docs.datadoghq.com/security/cloud_siem/triage_and_investigate/investigate_security_signals) documentation for more information.

   - [Set up notification rules](https://app.datadoghq.com/security/configuration/notification-rules) to alert when signals are generated. You can alert using Slack, Jira, email, webhooks, and other integrations. See the [notification rules](https://docs.datadoghq.com/security/notifications/rules/) documentation for more information.
   - Subscribe to the weekly [threat digest](https://app.datadoghq.com/security/configuration/reports) reports to begin investigation and remediation of the most important security threats discovered in the last seven days.

## Phase 3: Investigation{% #phase-3-investigation %}

1. Explore the [Investigator](https://app.datadoghq.com/security/siem/investigator/) for faster remediation. See the [Investigator](https://docs.datadoghq.com/security/cloud_siem/triage_and_investigate/investigator) documentation for more information.
1. Use [out-of-the-box dashboards](https://app.datadoghq.com/dashboard/lists/preset/100) or [create your own dashboards](https://docs.datadoghq.com/dashboards/#overview) for investigations, reporting, and monitoring.

## Phase 4: Customization{% #phase-4-customization %}

1. Set up [suppression rules](https://docs.datadoghq.com/security/suppressions/) to reduce noise.
1. Create [custom detection rules](https://docs.datadoghq.com/security/cloud_siem/detect_and_monitor/custom_detection_rules/). Review [Best Practices for Creating Detection Rules](https://www.datadoghq.com/blog/writing-datadog-security-detection-rules/).
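As an added illustration of the detection flow described in Phase 2 and Phase 4 (this is not Datadog's code or the product's rule engine), the following Python model runs a log-detection rule over constructed authentication logs: a query filters logs, matches are counted per group value over an evaluation window, case thresholds decide whether a signal is raised and at what severity, and a suppression rule drops expected noise before it can signal. The attribute names (`evt.name`, `evt.outcome`, `network.client.ip`, `usr.name`) follow Datadog's standard attribute naming; the rule syntax, the tumbling-window evaluation, the scanner IP being suppressed and all sample values are assumptions made for the example.

```python
"""Toy model of a log-detection rule and a suppression rule (added example,
not Datadog code). Rule syntax, tumbling windows and sample data are
assumptions chosen to illustrate the query -> count -> case -> signal flow."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Query:
    name: str      # letter referenced by case conditions, e.g. the "a" in "a > 5"
    filter: str    # space-separated key:value terms; every term must match a log
    group_by: str  # field whose distinct values are counted separately


@dataclass
class Case:
    condition: str  # "<query name> <op> <int>", for example "a > 5"
    severity: str   # severity of the signal raised when the condition holds


@dataclass
class Rule:
    name: str
    queries: List[Query]
    cases: List[Case]             # checked in order; the first match wins
    evaluation_window: int = 300  # seconds; tumbling windows (assumption)
    suppressions: List[str] = field(default_factory=list)  # key:value filters


def matches(log: dict, filter_expr: str) -> bool:
    """True when every key:value term of the filter is present in the log."""
    for term in filter_expr.split():
        key, _, value = term.partition(":")
        if str(log.get(key)) != value:
            return False
    return True


def condition_holds(condition: str, counts: Dict[str, int]) -> bool:
    """Evaluate a case condition such as "a > 5" against per-query counts."""
    name, op, threshold = condition.split()
    value, limit = counts.get(name, 0), int(threshold)
    return {">": value > limit, ">=": value >= limit,
            "<": value < limit, "==": value == limit}[op]


def evaluate(rule: Rule, logs: List[dict]) -> List[dict]:
    """Run one rule over a list of logs and return the signals it raises."""
    # counts[(window, group value)][query name] -> number of matching logs
    counts = defaultdict(lambda: defaultdict(int))
    for log in logs:
        if any(matches(log, s) for s in rule.suppressions):
            continue  # suppressed logs are never counted, so they never signal
        window = log["timestamp"] // rule.evaluation_window
        for q in rule.queries:
            if matches(log, q.filter):
                counts[(window, log.get(q.group_by))][q.name] += 1
    signals = []
    ordered = sorted(counts.items(), key=lambda kv: (kv[0][0], str(kv[0][1])))
    for (window, group), per_query in ordered:
        for case in rule.cases:
            if condition_holds(case.condition, per_query):
                signals.append({"rule": rule.name, "severity": case.severity,
                                "group": group, "window": window,
                                "counts": dict(per_query)})
                break  # one signal per group and window, at the first matching case
    return signals


# Constructed rule: repeated authentication failures from one client IP.
# 192.0.2.10 stands in for a hypothetical authorised scanner and is suppressed.
FAILED_LOGIN_RULE = Rule(
    name="Repeated authentication failures from a single IP",
    queries=[Query("a", "evt.name:authentication evt.outcome:failure",
                   "network.client.ip")],
    cases=[Case("a > 5", "high"), Case("a > 2", "medium")],
    evaluation_window=300,
    suppressions=["network.client.ip:192.0.2.10"],
)


def _log(ts: int, ip: str, outcome: str, user: str) -> dict:
    """Build one constructed authentication log (standard attribute names)."""
    return {"timestamp": ts, "evt.name": "authentication", "evt.outcome": outcome,
            "network.client.ip": ip, "usr.name": user}


# Constructed sample logs; timestamps are seconds from an arbitrary epoch.
SAMPLE_LOGS = (
    [_log(t, "198.51.100.7", "failure", "alice") for t in (5, 12, 20, 31, 44, 52, 60)]
    + [_log(65, "198.51.100.7", "success", "alice")]
    + [_log(t, "203.0.113.5", "failure", "bob") for t in (15, 90)]
    + [_log(t, "192.0.2.10", "failure", "svc-scanner") for t in range(100, 106)]
    + [_log(t, "198.51.100.7", "failure", "alice") for t in (310, 320, 330)]
)


def run_sample() -> List[dict]:
    """Evaluate the constructed rule over the constructed logs."""
    return evaluate(FAILED_LOGIN_RULE, SAMPLE_LOGS)
```

Running `run_sample()` yields two signals: a `high` one for `198.51.100.7` in the first window (seven failures, above the `a > 5` case) and a `medium` one for the same IP in the second window (three failures). The two failures from `203.0.113.5` stay below every case and produce nothing, and the six failures from the suppressed scanner address never reach the counters at all, which is the noise reduction suppression rules are for. Ordering the cases from most to least severe matters because the first matching case decides the severity.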

## Disable Cloud SIEM{% #disable-cloud-siem %}

Contact [support](https://docs.datadoghq.com/help/) to disable Cloud SIEM.

## Further Reading{% #further-reading %}

- [Introduction to Cloud SIEM course](https://learn.datadoghq.com/courses/intro-to-cloud-siem)
- [Automate common security tasks and stay ahead of threats with Datadog Workflows and Cloud SIEM](https://www.datadoghq.com/blog/automate-security-tasks-with-workflows-and-cloud-siem/)
- [Automate responses with Workflows security blueprints](https://app.datadoghq.com/workflow/blueprints?selected_category=SECURITY)
- [AWS configuration guide for Cloud SIEM](https://docs.datadoghq.com/security/cloud_siem/guide/aws-config-guide-for-cloud-siem/)
- [Google Cloud configuration guide for Cloud SIEM](https://docs.datadoghq.com/security/cloud_siem/guide/google-cloud-config-guide-for-cloud-siem/)
- [Azure configuration guide for Cloud SIEM](https://docs.datadoghq.com/security/cloud_siem/guide/azure-config-guide-for-cloud-siem/)
- [Learn more about notification variables to customize notifications](https://docs.datadoghq.com/security/notifications/variables/)
- [Join an interactive session to elevate your security and threat detection](https://dtdg.co/fe)
- [Read about security-related topics on Datadog's Security Labs](https://securitylabs.datadoghq.com/)
- [Easily ingest and monitor security logs with Cloud SIEM Content Packs](https://www.datadoghq.com/blog/content-packs/)
