Managing CSPM Detection Rules

Cloud Security Posture Management is not currently available in the Datadog site selected for this page.

Cloud Security Posture Management (CSPM) out-of-the-box detection rules evaluate the configuration of your cloud resources and identify potential misconfigurations so you can immediately take steps to remediate.

The detection rules follow the same conditional logic as all Datadog Security detection rules. For CSPM, each rule maps to controls within one or more compliance frameworks or industry benchmarks.

CSPM uses the following rule types to validate the configuration of your cloud infrastructure:

Customize how your environment is scanned by each rule

You cannot edit the query of a cloud configuration rule directly at this time, but you can control which resources each rule evaluates.

On the Rules page, select a rule to open its details page. Under Exclude benign activity with suppression queries, set the filtering logic for how the rule scans your environment.

For example, to exclude resources tagged env:staging, add env:staging under This rule will not generate a finding if there is a match with any of the following suppression queries. To restrict a rule to resources tagged compliance:pci, add compliance:pci under Only generate a finding if there is a match with any of the following queries. Taken together, a resource produces a finding only if it matches at least one scope query (when any are set) and matches none of the suppression queries.

After you customize a rule, click Update Rule at the bottom of the page to apply your changes.
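The following is an added example, not Datadog's code, that models how the two kinds of query above decide whether a misconfigured resource produces a finding. It assumes tags are key:value strings, that a query is a space-separated list of terms which must all match (a leading - negates a term and key:* matches any value for that key), and that the rule fires on "any of the following" queries as the UI labels say; the to_api_filters helper assumes the rules API accepts a filters array of require/suppress actions. The resources and the misconfigured flag are constructed sample data.

```python
# Added example (not Datadog's code): how a CSPM rule's suppression and scope
# queries decide whether a misconfigured resource produces a finding.
# Assumptions: tags are "key:value" strings; a query is a space-separated list of
# terms that must all match ("-term" negates, "key:*" matches any value); the
# rule uses whichever of its queries match ("any of the following" in the UI).
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Resource:
    resource_id: str
    tags: frozenset[str]  # e.g. {"env:staging", "compliance:pci"}


@dataclass
class RuleScope:
    # "This rule will not generate a finding if there is a match with any of ..."
    suppress: list[str] = field(default_factory=list)
    # "Only generate a finding if there is a match with any of the following ..."
    require: list[str] = field(default_factory=list)


def term_matches(term: str, tags: frozenset[str]) -> bool:
    """One query term against a resource's tag set (assumed subset of the syntax)."""
    negate = term.startswith("-")
    term = term[1:] if negate else term
    key, _, value = term.partition(":")
    if value == "*":  # key:* matches when any tag with that key is present
        hit = any(t.split(":", 1)[0] == key for t in tags)
    else:
        hit = term in tags
    return hit != negate


def query_matches(query: str, tags: frozenset[str]) -> bool:
    """All terms of one query must match (terms are ANDed); an empty query never matches."""
    terms = query.split()
    return bool(terms) and all(term_matches(t, tags) for t in terms)


def any_query_matches(queries: list[str], tags: frozenset[str]) -> bool:
    """Queries in the same box are ORed: one matching query is enough."""
    return any(query_matches(q, tags) for q in queries)


def evaluate(resource: Resource, scope: RuleScope, misconfigured: bool) -> str:
    """Return what the rule does for this resource.

    Order matters: a resource outside the scope queries is never examined, a
    compliant resource yields nothing, and a suppressed resource yields no
    finding even though it is misconfigured.
    """
    if scope.require and not any_query_matches(scope.require, resource.tags):
        return "out_of_scope"
    if not misconfigured:
        return "compliant"
    if any_query_matches(scope.suppress, resource.tags):
        return "suppressed"
    return "finding"


def to_api_filters(scope: RuleScope) -> list[dict]:
    """Shape the scope as a rule payload's `filters` array.

    Assumed (not confirmed by this page) to match the security rules API, where
    each filter has an action of "require" or "suppress" and a query string.
    """
    return ([{"action": "require", "query": q} for q in scope.require]
            + [{"action": "suppress", "query": q} for q in scope.suppress])


if __name__ == "__main__":
    # Constructed inventory; the configuration check itself is stubbed as a flag.
    scope = RuleScope(suppress=["env:staging"], require=["compliance:pci"])
    inventory = [
        (Resource("db-staging", frozenset({"env:staging", "compliance:pci"})), True),
        (Resource("db-prod", frozenset({"env:prod", "compliance:pci"})), True),
        (Resource("bucket-web", frozenset({"env:prod", "team:web"})), True),
    ]
    for res, bad in inventory:
        print(res.resource_id, evaluate(res, scope, bad))
    print(to_api_filters(scope))
```

The scope check runs before the suppression check on purpose: a scope query narrows what the rule looks at, while a suppression query hides findings on resources the rule did examine. Reviewing the suppression list periodically matters for the same reason, since an over-broad suppression such as env:* would silence the rule entirely.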

Customize how your environment is scanned by selecting tags to include or exclude from a rule's scope

Set notification targets for detection rules

You can send real-time notifications when a new misconfiguration is detected in your environment by adding notification targets. The available notification options are:

On the Rules page, select a rule to open its details page. In the Set severity and notifications section, configure zero or more notification targets for each rule case. You cannot edit the preset severity. See Notifications for detailed instructions on configuring notifications for detection rules.

Alternatively, create notification rules that span multiple detection rules based on parameters such as severities, rule types, rule tags, signal attributes, and signal tags. This avoids editing the notification preferences of each detection rule individually.

The Set severity and notifications section of the rule details page

Create custom rules

You can create custom rules to extend the rules being applied to your environment to evaluate your security posture. You can also clone the default detection rules and edit the copies (GCP only). See Custom Rules for more information.

Creating and using custom CSPM rules is a beta feature, available for select Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP) cloud resources.

Further Reading