Available for: Cloud SIEM | Workload Protection | App and API Protection
Overview
Critical Assets lets you adjust the severity of security signals based on the assets they affect. This helps analysts prioritize signals according to the business importance of the impacted asset by increasing, decreasing, or maintaining the default severity. For each asset, you can adjust severity levels, apply custom tags, and isolate changes to specific rules.
How it works
- If multiple critical assets are set to adjust a security signal’s severity levels, the signal automatically takes the higher severity level. For example, if one critical asset sets the severity to MEDIUM and another sets it to HIGH, the severity is HIGH.
- If multiple critical assets are set to perform the same action on a security signal’s severity levels, the action only applies once. For example, if two separate critical assets are set to increase the severity level of a signal that’s set to MEDIUM, it only increases once to HIGH, not again to CRITICAL.
Create a critical asset
- In Datadog, go to Security > Settings > Critical Assets, then click Create Critical Asset. The Create Critical Asset window opens.
- Under Define Asset, enter a query to define the asset.
- Under Choose Severity Adjustment, choose how you want to adjust the severity for security signals associated with the asset.
  - Choose Increase or Decrease to start with the default severity level, then increase or decrease the severity by one level.
  - Choose Maintain to retain the default severity level.
  - Choose a specific severity level to always apply that severity level, regardless of the initial severity associated with the signal.
- (Optional) Under Details, add a description, tags, and teams to apply to the critical asset.
- Under Select Detection Rules, enter the detection rules to which the severity change should be limited. To apply the change to all detection rules, set the query to *.
- Click Save. The Create Critical Asset window closes and your critical asset appears in the table, where you can enable or disable it, or export the critical asset configuration as Terraform or JSON files.
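The following is an added worked model of the two behaviours described under "How it works" and the adjustment and rule-scoping options from the creation steps above. It is illustration code, not Datadog's implementation: the asset query is simplified to a set of required tags, the rule scope to a set of rule IDs or `*`, and clamping at INFO and CRITICAL is an assumption of this model.

```python
"""Model of how Critical Assets adjust a security signal's severity.

Added illustration, not Datadog code. Assumptions (not from the page):
  - an asset "query" is modelled as a set of tags the signal must carry;
  - rule scope is a set of detection rule IDs, or {"*"} for all rules;
  - increase/decrease clamp at the ends of the severity scale.
"""
from dataclasses import dataclass

# Severity scale, lowest to highest.
SEVERITIES = ["INFO", "LOW", "MEDIUM", "HIGH", "CRITICAL"]


@dataclass(frozen=True)
class CriticalAsset:
    name: str
    match_tags: frozenset          # hypothetical stand-in for the asset query
    adjustment: str                # "increase", "decrease", "maintain", or a fixed level
    rules: frozenset = frozenset({"*"})  # detection rules the change is limited to

    def applies_to(self, signal_tags: frozenset, rule_id: str) -> bool:
        """True when the signal matches the asset query and the rule is in scope."""
        in_scope = "*" in self.rules or rule_id in self.rules
        return self.match_tags <= signal_tags and in_scope

    def resulting_severity(self, default: str) -> str:
        """Severity this asset alone would assign, starting from the default."""
        if self.adjustment == "increase":
            return _shift(default, +1)
        if self.adjustment == "decrease":
            return _shift(default, -1)
        if self.adjustment == "maintain":
            return default
        if self.adjustment in SEVERITIES:
            return self.adjustment  # fixed level, regardless of the default
        raise ValueError(f"unknown adjustment: {self.adjustment!r}")


def _shift(level: str, delta: int) -> str:
    """Move one step along the scale, clamped at INFO and CRITICAL (assumption)."""
    idx = SEVERITIES.index(level) + delta
    return SEVERITIES[max(0, min(len(SEVERITIES) - 1, idx))]


def adjust_severity(default: str, signal_tags: frozenset, rule_id: str, assets):
    """Return (adjusted_severity, names_of_assets_that_set_it).

    Page rules modelled here:
      - several assets requesting the same action apply it once, because each
        asset computes its result from the default, never from another asset's;
      - when assets disagree, the higher resulting severity wins, and assets
        whose result was overridden are not reported.
    """
    candidates = {}
    for asset in assets:
        if not asset.applies_to(signal_tags, rule_id):
            continue
        result = asset.resulting_severity(default)
        candidates.setdefault(result, []).append(asset.name)
    if not candidates:
        return default, []
    winner = max(candidates, key=SEVERITIES.index)
    return winner, candidates[winner]


if __name__ == "__main__":
    # Constructed sample assets and a constructed signal.
    prod_db = CriticalAsset("prod-db", frozenset({"env:prod", "service:db"}), "increase")
    pci = CriticalAsset("pci-scope", frozenset({"env:prod"}), "increase")
    signal_tags = frozenset({"env:prod", "service:db", "host:db-01"})
    print(adjust_severity("MEDIUM", signal_tags, "rule-1", [prod_db, pci]))  # ('HIGH', [...])
```

Because each asset derives its result from the signal's default severity rather than chaining on the previous asset, two "increase" assets raise MEDIUM to HIGH only once, and an asset that sets a fixed level simply competes with the others on the final scale.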
View the signals a critical asset affected
- In Datadog, go to Security > Settings > Critical Assets.
- Beside a critical asset, click the More Options icon, then click Signals affected. The Signals Explorer, prepopulated with a query to show the affected signals, opens in a new tab.
View critical asset data in security signals
In every security signal that a critical asset has modified, an Adjusted Severity pill indicates both the original and adjusted severity levels. You can hover over that pill to see what adjustment the critical asset applied.
On the JSON tab of a security signal, you can also find the critical_assets_data object, which includes information about the critical assets associated with it, and how they affected the signal’s severity.
If a critical asset's severity level was overridden by a higher severity level, it may not appear in the critical_assets_data object.