Cloud SIEM detection rules analyze logs and security data to generate security signals when threats are detected. After you have enabled Cloud SIEM, configure Datadog to ingest and enrich logs from sources that you want to monitor.
The easiest way to send data to Datadog is by using Content Packs, which are integrations specifically designed for Cloud SIEM. Each content pack contains instructions on how to configure the integration to ingest those logs and provides information on what is included, such as:
Content packs are available for many popular security technologies.
If you have custom logs or have a data source not listed on Cloud SIEM’s Content Pack page, check whether the integration is available in Datadog’s extensive integration library. If it isn’t available, you can send those logs as custom logs to Cloud SIEM for analysis.
Datadog provides built-in Threat Intelligence for Cloud SIEM logs and also supports enriching and searching using threat intelligence indicators of compromise (IoCs) stored in Datadog reference tables. See Bring Your Own Threat Intelligence for more information.
Open Cybersecurity Framework (OCSF) is integrated directly into Cloud SIEM, so incoming security logs are automatically enriched with OCSF-compliant attributes through out-of-the-box pipelines.