Getting Started with Cloud SIEM

To get started with Datadog Cloud SIEM (Security Information and Event Management), follow these steps:

For step-by-step instructions on how to start detecting threats in your AWS CloudTrail logs, see the AWS Configuration Guide for Cloud SIEM.

Ingest logs

If you already have a logging source, follow the in-app onboarding to begin collecting logs from that source.

Datadog’s Log Collection documentation provides detailed information on collecting logs from many different sources into Datadog. All ingested logs are first parsed and enriched. In real time, Detection Rules apply to all processed logs to maximize detection coverage without any of the traditionally associated performance or cost concerns of indexing all of your log data. Read more about Datadog’s Logging without Limits™.


Review Detection Rules

Datadog provides out-of-the-box Detection Rules, which begin detecting threats in your environment immediately. The Detection Rules enabled by default detect threats according to known best practices. More mature security organizations may wish to enable additional Detection Rules to detect more advanced threats. Additionally, advanced templates are included to provide guidance on detecting threats in your custom applications. Refer to the Detection Rules documentation for further details.

Explore Security Signals

When a threat is detected with a Detection Rule, a Security Signal is generated. The Security Signals can be correlated and triaged in the Security Signals Explorer. Refer to the Security Signals Explorer documentation for further details.
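The three steps above (ingest and enrich logs, apply Detection Rules, generate Security Signals) form one pipeline. The following is an added, self-contained Python illustration of that flow and is not Datadog's code or the product's rule format: it parses and normalizes a handful of constructed CloudTrail-style JSON lines, runs two illustrative rules over every processed event (a failed-console-login burst from one source IP, and a `StopLogging` call that would switch off the audit trail), and emits one signal per finding. The event values, rule names, thresholds and severities are all assumptions chosen for the example.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed CloudTrail-style events (JSON lines); IPs are documentation ranges, names are made up.
SAMPLE_LOG_LINES = [
    '{"eventTime":"2024-01-01T10:00:00Z","eventName":"ConsoleLogin","sourceIPAddress":"198.51.100.7",'
    '"userIdentity":{"userName":"alice"},"responseElements":{"ConsoleLogin":"Failure"}}',
    '{"eventTime":"2024-01-01T10:01:00Z","eventName":"ConsoleLogin","sourceIPAddress":"198.51.100.7",'
    '"userIdentity":{"userName":"alice"},"responseElements":{"ConsoleLogin":"Failure"}}',
    '{"eventTime":"2024-01-01T10:02:00Z","eventName":"ConsoleLogin","sourceIPAddress":"198.51.100.7",'
    '"userIdentity":{"userName":"bob"},"responseElements":{"ConsoleLogin":"Failure"}}',
    '{"eventTime":"2024-01-01T10:03:00Z","eventName":"ConsoleLogin","sourceIPAddress":"203.0.113.9",'
    '"userIdentity":{"userName":"carol"},"responseElements":{"ConsoleLogin":"Success"}}',
    '{"eventTime":"2024-01-01T10:05:00Z","eventName":"StopLogging","sourceIPAddress":"203.0.113.9",'
    '"userIdentity":{"userName":"carol"},"requestParameters":{"name":"main-trail"}}',
    '{"eventTime":"2024-01-01T10:30:00Z","eventName":"ConsoleLogin","sourceIPAddress":"198.51.100.7",'
    '"userIdentity":{"userName":"alice"},"responseElements":{"ConsoleLogin":"Failure"}}',
    'this line is not JSON and must be skipped, not crash the pipeline',
]


def parse_and_enrich(lines):
    """Step 1: parse raw log lines into normalized events; unparseable lines are dropped.

    Enrichment here is just field normalization (timestamp, actor, source IP, outcome)
    so that every rule sees the same shape regardless of the raw event layout.
    """
    events = []
    for line in lines:
        try:
            raw = json.loads(line)
        except json.JSONDecodeError:
            continue
        ts = datetime.strptime(raw["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({
            "ts": ts,
            "name": raw.get("eventName"),
            "src_ip": raw.get("sourceIPAddress"),
            "actor": (raw.get("userIdentity") or {}).get("userName", "unknown"),
            "outcome": (raw.get("responseElements") or {}).get("ConsoleLogin"),
        })
    return sorted(events, key=lambda e: e["ts"])


def rule_console_login_bruteforce(events, threshold=3, window=timedelta(minutes=5)):
    """Step 2 (illustrative rule): >= threshold failed ConsoleLogin events from one source IP
    within a sliding time window. Fires once per source IP."""
    signals, recent, fired = [], defaultdict(deque), set()
    for e in events:
        if e["name"] != "ConsoleLogin" or e["outcome"] != "Failure":
            continue
        q = recent[e["src_ip"]]
        q.append(e)
        while q and e["ts"] - q[0]["ts"] > window:   # evict events that fell out of the window
            q.popleft()
        if len(q) >= threshold and e["src_ip"] not in fired:
            fired.add(e["src_ip"])
            signals.append({
                "rule": "console_login_bruteforce",
                "severity": "medium",
                "src_ip": e["src_ip"],
                "count": len(q),
                "actors": sorted({x["actor"] for x in q}),
                "ts": e["ts"],
            })
    return signals


def rule_cloudtrail_stop_logging(events):
    """Step 2 (illustrative rule): any StopLogging call is signalled, since it disables the audit
    source every other rule depends on."""
    return [
        {"rule": "cloudtrail_stop_logging", "severity": "high",
         "src_ip": e["src_ip"], "actors": [e["actor"]], "ts": e["ts"]}
        for e in events if e["name"] == "StopLogging"
    ]


RULES = [rule_console_login_bruteforce, rule_cloudtrail_stop_logging]


def run_detection(lines):
    """Step 3: every rule runs over every processed event; each finding becomes a signal."""
    events = parse_and_enrich(lines)
    signals = []
    for rule in RULES:
        signals.extend(rule(events))
    return sorted(signals, key=lambda s: s["ts"])


if __name__ == "__main__":
    for s in run_detection(SAMPLE_LOG_LINES):
        print(f'{s["ts"].isoformat()} [{s["severity"]}] {s["rule"]} src={s["src_ip"]} actors={s["actors"]}')
```

Two points the toy makes explicit: the rules run over the normalized stream rather than a stored index, which is the arrangement the text describes, and the failure at 10:30 does not re-trigger the burst rule because the earlier failures have aged out of the window, so the analyst sees one signal to triage instead of one per event.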

Further reading