Historical Jobs

Historical Jobs let you backtest a detection rule by running it against historical logs already stored in Datadog Cloud SIEM.

Unlike a real-time rule, a Historical Job does not run continuously. A Historical Job is a one-time query that evaluates the rule over a specified period of historical data and then stops.

The results of a Historical Job are lightweight versions of signals: each records a match the rule found in the historical logs, which is enough to triage potential threats or anomalies without generating a full signal.

If a result needs action after you review it, you can promote that result (or a subset of results) to a signal. When converting a result to a signal, you manually set the signal severity and the notification target, as well as the signal playbook.

Run a Historical Job

Create the job

  1. Navigate to the Cloud SIEM Detection Rules page.
  2. Click the three-dot menu next to the rule you want to test, and choose Run as Historical Job.
  3. Complete the form by choosing the log index, time range, rule case, and notification recipient(s).
    The Historical Job creation form
  4. Click Run Historical Job.

Review the job results

  1. Navigate to the Historical Jobs list.
  2. Click on the Historical Job you created to open a panel that includes the detected results, matched logs, and more.
    The results panel for a Historical Job

Convert a result to a signal

  1. In the Results section of a Historical Job panel, click one of the results in the list to open a details panel for that result.
  2. Click Convert to Signal.
  3. Set the signal severity, notification recipients, and description message.
    The results panel for a Historical Job
  4. Click Convert to Signals.
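The workflow above (scope one rule case to an index and a time range, run it once, inspect the lightweight results with their matched logs, then promote only the results you choose) as an added, self-contained simulation in Python. This is illustrative code written for this page, not Datadog's Historical Jobs implementation or its API; the rule, the sshd log lines, the index names and the notification handle are all constructed for the example.

```python
"""Local simulation of a Cloud SIEM Historical Job (illustrative, not Datadog code):
evaluate one rule case over a bounded slice of stored logs, collect lightweight
results, then promote a chosen subset of those results to signals."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed sample logs standing in for stored historical logs: (timestamp, index, message).
HISTORICAL_LOGS = [
    (_ts("2024-03-01T09:00:05"), "main", "sshd: Failed password for root from 203.0.113.7"),
    (_ts("2024-03-01T09:00:41"), "main", "sshd: Failed password for root from 203.0.113.7"),
    (_ts("2024-03-01T09:01:12"), "main", "sshd: Failed password for admin from 203.0.113.7"),
    (_ts("2024-03-01T09:01:55"), "main", "sshd: Failed password for admin from 203.0.113.7"),
    (_ts("2024-03-01T09:02:30"), "main", "sshd: Failed password for deploy from 198.51.100.9"),
    (_ts("2024-03-01T09:03:02"), "main", "sshd: Failed password for root from 203.0.113.7"),
    (_ts("2024-03-01T09:03:40"), "main", "sshd: Failed password for deploy from 198.51.100.9"),
    (_ts("2024-03-01T09:04:18"), "main", "sshd: Failed password for root from 203.0.113.7"),
    (_ts("2024-03-01T09:05:00"), "main", "sshd: Accepted publickey for deploy from 198.51.100.9"),
    (_ts("2024-03-01T09:00:10"), "archive", "sshd: Failed password for root from 192.0.2.44"),  # other index
    (_ts("2024-03-03T02:00:00"), "main", "sshd: Failed password for root from 192.0.2.44"),     # outside range
]


@dataclass(frozen=True)
class RuleCase:
    name: str
    severity: str
    threshold: int  # matching logs per group key within one window


@dataclass(frozen=True)
class DetectionRule:
    name: str
    query: re.Pattern       # selects the logs the rule inspects
    group_by: re.Pattern    # capture group 1 is the entity counted over
    window: timedelta
    cases: tuple[RuleCase, ...]


@dataclass
class JobResult:
    """Lightweight result: enough to triage, not yet a signal."""
    rule: str
    case: str
    key: str
    window_start: datetime
    matched_logs: list


@dataclass
class Signal:
    title: str
    severity: str
    message: str
    notify: list
    result: JobResult


def run_historical_job(rule, logs, index, start, end, case_index=0):
    """Evaluate one rule case, once, over logs in `index` with start <= ts < end."""
    case = rule.cases[case_index]
    groups = defaultdict(list)
    for rec in sorted(logs, key=lambda r: r[0]):
        ts, rec_index, msg = rec
        if rec_index != index or not (start <= ts < end):
            continue                              # job scope: chosen index and time range only
        if not rule.query.search(msg):
            continue                              # rule query: which logs are relevant
        m = rule.group_by.search(msg)
        if m:
            groups[m.group(1)].append(rec)
    results = []
    for key, recs in groups.items():
        buckets = defaultdict(list)
        for rec in recs:
            buckets[(rec[0] - start) // rule.window].append(rec)   # fixed windows aligned to start
        for offset, matched in sorted(buckets.items()):
            if len(matched) >= case.threshold:    # the selected case decides what counts as a hit
                results.append(JobResult(rule.name, case.name, key,
                                         start + offset * rule.window, matched))
    return results


def convert_to_signals(results, selected, severity, notify, message):
    """Promote only the chosen results; the analyst supplies severity, recipients and message."""
    return [Signal(title=f"{results[i].rule}: {results[i].key}", severity=severity,
                   message=message, notify=list(notify), result=results[i])
            for i in selected]


# Hypothetical rule with two cases, as a rule in the Detection Rules list might have.
SSH_BRUTE_FORCE = DetectionRule(
    name="SSH brute force (hypothetical rule)",
    query=re.compile(r"Failed password"),
    group_by=re.compile(r"from (\d+\.\d+\.\d+\.\d+)$"),
    window=timedelta(minutes=10),
    cases=(RuleCase("high volume", "medium", 5), RuleCase("low volume", "low", 2)),
)

if __name__ == "__main__":
    start, end = _ts("2024-03-01T00:00:00"), _ts("2024-03-02T00:00:00")
    results = run_historical_job(SSH_BRUTE_FORCE, HISTORICAL_LOGS, "main", start, end)
    for r in results:
        print(r.case, r.key, r.window_start.isoformat(), len(r.matched_logs), "matched logs")
    signals = convert_to_signals(results, [0], "high", ["@secops-oncall"], "Backtest confirmed brute force")
    print(signals[0].title, signals[0].severity, signals[0].notify)
```

Running it with the default case (threshold 5) yields one result, for 203.0.113.7 with six matched logs; the logs in the `archive` index and the one dated after the range are never considered. Passing `case_index=1` (threshold 2) also produces a result for 198.51.100.9, which is why the creation form asks which rule case to run: the same rule can give very different backtest results per case. Only the results passed to `convert_to_signals` become signals, so review the matched logs of each result before promoting it.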
