- 필수 기능
- 시작하기
- Glossary
- 표준 속성
- Guides
- Agent
- 통합
- 개방형텔레메트리
- 개발자
- Administrator's Guide
- API
- Datadog Mobile App
- CoScreen
- Cloudcraft
- 앱 내
- 서비스 관리
- 인프라스트럭처
- 애플리케이션 성능
- APM
- Continuous Profiler
- 스팬 시각화
- 데이터 스트림 모니터링
- 데이터 작업 모니터링
- 디지털 경험
- 소프트웨어 제공
- 보안
- AI Observability
- 로그 관리
- 관리
Datadog Cloud SIEM (Security Information and Event Management) unifies developer, operation, and security teams through one platform. Datadog provides a set of out-of-the-box detection rules for many features and integrations. View these rules in your SIEM Detection Rules list.
Create an out-of-the-box detection rule to help users find security insights through your Datadog integration. This guide provides steps for creating an Cloud SIEM detection rule and best practices to follow during the creation process.
To create a Datadog integration, see Create a New Integration.
From Detection Rules, create a new rule.
Follow the best practices in this guide to configure your detection rule.
Click Export to JSON.
Save the JSON file and name it according to your detection rule title. For example, your_integration_name_rule_name.json
.
In the detection rule JSON file, add and fill out the partnerRuleId
, and remove the isEnabled
attribute. For more information, see Configuration best practices.
Save the detection rule JSON file to your integration’s assets/security
folder.
Open a pull request (PR) to update the corresponding integration folder in either the integrations-extras
GitHub repository or Marketplace
Github repository. The PR should include your detection rule JSON file, along with any new integration files.
Datadog approves and merges the PR, and your integration-recommended monitor is pushed to production.
To see the out-of-the-box detection rule, the relevant integration tile must be Installed
in Datadog, and Cloud SIEM must be enabled.
In addition to the detection rule definition, the partnerRuleId
field is required for partner contributed detection rules. The isEnabled
field should be removed as it does not apply to partner contributed detection rules.
Description | Examples | |
---|---|---|
partnerRuleId | Unique identifier for the rule, following the format ext-00*-*** where * could be any alphanumeric characters. | ext-003-bzd |
Selecting a rule type and defining search queries:
Setting rule cases and writing the notification message:
For more information, see the documentation on configuring a detection rule.
File=<FILE_PATH> in collection=<COLLECTION> is an invalid JSON: error=<ERROR>
This error means that the JSON located at <FILE_PATH>
is considered invalid JSON
partnerRuleId is empty for rule name="<RULE_NAME>" - partnerRuleId=<NEW_RULE_ID> is available
A partnerRuleId
is required for each rule and is missing. Use the generated <NEW_RULE_ID>
.
partnerRuleId=<RULE_ID> is in the incorrect format for rule name="<RULE_NAME>", it must follow the format=^[a-z0-9]{3}-[a-z0-9]{3}-[a-z0-9]{3}$ - partnerRuleId=<NEW_RULE_ID> is available
The rule name is not in the correct format. Use the generated partnerRuleId: <NEW_RULE_ID>
to fix the issue.
Duplicate partnerRuleId=<RULE_ID> for rule name="<RULE_NAME>" - <RULE_ID_KEY> must be unique and it is already used in rule_ids="<RULE_IDS>" - <RULE_ID_KEY>=<NEW_RULE_ID> is available
Each partnerRuleId
must be unique. The current ID is already being used. The newly generated partnerRuleId
is available.
Duplicate name="<RULE_NAME>" for <RULE_ID_KEY>=<RULE_ID> - name must be unique.
Each rule name must be unique. The current name is already being used. Update the rule name to be unique.
The rule with partnerRuleId=<RULE_ID> contains a MITRE tag tactic but it does not contain the tag `security:attack`, please add it
When a rule contains a MITRE tag tactic:<TAG_VALUE>
, the tag security:attack
must be added to the list of tags.
The MITRE tactic/technique tag=<TAG> for partnerRuleId=<RULE_ID> appears to be incorrect (i.e. it does not exist in the MITRE framework).
The listed tactic/technique tag <TAG>
does not follow the MITRE framework. Please select a valid MITRE tag.
The case status <CASE_STATUS> for <RULE_ID_KEY>=<RULE_ID> is incorrect, it should be one of <STATUS_LIST>.
The case status must be either CRITICAL
, HIGH
, MEDIUM
, LOW
, or INFO
.
The case ordering for partnerRuleId=<RULE_ID> is incorrect, please modify to order cases from the highest severity to the lowest.
Each rule definition must be ordered by decreasing severity. Please reorder the cases into CRITICAL
, HIGH
, MEDIUM
, LOW
, and INFO
.
source=<SOURCE> in the tags of the rule with partnerRule=<RULE_ID> is not supported by Datadog documentation.
Reach out to Datadog to address the issue.
<RULE_ID_KEY>=<RULE_ID> name="<RULE_NAME>" - error=<ERROR>
Reach out to Datadog to address the issue.
Internal failure for <RULE_ID_KEY>=<RULE_ID> name="<RULE_NAME>"- Contact Datadog Team
Reach out to Datadog to address the issue.
추가 유용한 문서, 링크 및 기사: