Custom Detection Rules

Overview

Out-of-the-box detection rules help you cover the majority of threat scenarios, but you can also create custom detection rules for your specific use cases. See Create Rule for instructions on how to create a custom rule.

Rule types

You can create the following types of custom detection rules:

  • Real-time rule: Continuously monitors and analyzes incoming logs.
  • Scheduled rule: Runs at pre-scheduled intervals to analyze log data.
  • Historical job: Backtest detections by running detections against historical logs.

Detection methods

The following detection methods are available when you create a custom detection rule or historical job:

  • Threshold: Detects when events exceed a user-defined threshold.
  • New value: Detects when an attributes changes to a brand new value.
  • Anomaly: Detects when a behavior deviates from its historical baseline.
  • Content anomaly: Detects when an event’s content is an anomaly compared to the historical baseline
  • Impossible travel: Detects if impossible speed is detected in user activity logs.
  • Third party: Maps third-party security logs to signals, setting the severity based on log attributes.
  • Signal correlation: Combines multiple signals together to generate a new signal so you can alert on more complex use cases and reduce alert fatigue.

Filter logs based on Reference Tables

Reference Tables containing over 1,000,000 rows cannot be used to filter events. See Add Custom Metadata with Reference Tables for more information on how to create and manage Reference Tables.

Reference Tables allow you to combine metadata with logs, providing more information to resolve application issues. When you define a query for a rule, you can add a query filter based on a Reference Table to perform lookup queries. For more information on creating and managing this feature, see the Reference Tables guide.

In the following example, a Reference Table containing product information is used to filter and enrich logs:

The log detection rule query editor with the reference table search options highlighted

Unit testing

Use unit testing to test your rules against sample logs and make sure the detection rule is working as expected. This can be helpful when you are creating a detection rule for an event that hasn’t happened yet, so you don’t have actual logs for the event. For example: You have logs with a login_attempt field and want to detect logs with login_attempt:failed, but you only have logs with login_attempt:success. To test the rule, you can construct a sample log by copying a log with login_attempt:success and changing the login_attempt field to failed.

Further Reading

Additional helpful documentation, links, and articles:

Create a custom detection ruleDOCUMENTATION more more Configure default Cloud SIEM detection rulesDOCUMENTATION more more Learn about the Security Signals ExplorerDOCUMENTATION more more Detect unauthorized third parties in your AWS accountBLOG more more Detect security threats with anomaly detection rulesBLOG more more Learn more about Security notification variablesDOCUMENTATION more more Monitor Cloudflare Zero Trust with Datadog Cloud SIEMBLOG more more Monitor 1Password with Datadog Cloud SIEMBLOG more more Detect anomalies beyond spikes and new values with Content Anomaly Detection in Cloud SIEMBLOG more more