Detection Rules

Overview

Detection Rules define conditional logic that is applied to all ingested logs and cloud configurations. When at least one case defined in a rule that is matched over a given period of time, Datadog generates a Security Signal.

For each monitoring option, there are default detection rules that work out-of-the-box with integration configuration.

• Cloud SIEM uses log detection to analyze ingested logs in real-time. You can also create custom detection rules to tailor to your environment.

• Cloud Security Posture Management uses cloud configuration and infrastructure configuration detection rules to scan the state of your cloud environment.

• With Cloud Workload Security, the Datadog Agent actively monitors system activity and evaluates it against a set of detection rules.

• Application Security Management (ASM) leverages Datadog APM, the Datadog Agent, and detection rules to detect threats in your application environment.

Creating and managing detection rules

The Detection Rules page lets you search all detection rules by rule type. Quickly enable, disable, edit, delete, and clone rules. To create a custom detection rule, click on the New Rule button in the top right corner of the page.

Finding detection rules

The free text search filters Detection Rules by text in the rule name or query. Query results update in real-time when the query is edited—there is no “Search” button to click.

Filter by facet

Use facets in the left panel to scope a search query by value. For example, if you have several rule types, such as log detection or cloud configuration, filter by only to see rules by rule type.

You can also filter by facets such as source and severity to help when investigating and triaging incoming issues. To include all facets within a category in search again, hover your mouse over a value in the panel and click all.

Note: By default, all facets are selected.

Rules table

Rules are displayed in the detection rules table. You can sort the table by clicking on the Sort by option in the top right corner of the table. For example, sort by Highest Severity to triage high-impact misconfigurations and threats.

Enable or disable rules

To enable or disable a single rule, toggle the switch to the right of the rule.

You can also bulk enable or disable rules:

1. Click Select Rules.
2. Select the rules you want to enable or disable.
3. Click the Edit Rules dropdown.
4. Select Enable Rules or Disable Rules.

Rule and generated signal options

Click on the three dot menu, next to the rule toggle, and select any of the provided options: Edit, Clone, Delete, or View generated signals.

• Click Edit to update queries, adjust triggers, manage notifications, or adjust rule configuration.
  • Note: You can only edit an out-of-the-box (OOTB) rule by first cloning the rule, and then modifying the rule. To edit a default rule, click Edit and scroll to the bottom of the rule configuration page. Click Clone, and then modify the rule.
• Cloning a rule is helpful if you wish to duplicate an existing rule and lightly modify settings to cover other areas of detection. For example, you could duplicate a log detection rule and modify it from Threshold to Anomaly to add new dimension to threat detection using the same queries and triggers.
• The delete option is only available for custom rules. You cannot delete an out-of-the-box (OOTB) rule as they are native to the platform. To permanently delete a custom rule, click Delete. To disable an OOTB rule, click the disable toggle.
• Click View generated signals to pivot to the Signals Explorer and query by a rule’s ID. This is useful when correlating signals across multiple sources by rule, or when completing an audit of rules.

Limit edit access

By default, all users have full access to security rules.

Use granular access controls to limit the roles that may edit a single rule:

1. Click on the three dot menu for the rule.
2. Select Permissions.
3. Click Restrict Access.
4. The dialog box updates to show that members of your organization have Viewer access by default.
5. Use the dropdown to select one or more roles that may edit the security rule.
6. Click Add.
7. The dialog box updates to show that the role you selected has the Editor permission.
8. Click Save Note: To maintain your edit access to the rule, the system requires you to include at least one role that you are a member of before saving.

To restore general access to a rule with restricted access, follow the steps below:

1. Click on the three dot menu on the right of the rule.
2. Select Permissions.
3. Click Restore Full Access.
4. Click Save.

Rule deprecation

Regular audits of all detection rules are performed to maintain high fidelity signal quality. Deprecated rules are replaced with an improved rule.

The rule deprecation process is as follows:

1. There is a warning with the deprecation date on the rule. In the UI, the warning is shown in the:
   • Signal side panel’s Rule Details > Playbook section
   • Findings side panel (CSPM only)
   • Rule editor for that specific rule
2. Once the rule is deprecated, there is a 15 month period before the rule is deleted. This is due to the signal retention period of 15 months. During this time, you can re-enable the rule by cloning the rule in the UI.
3. Once the rule is deleted, you can no longer clone and re-enable it.

Further Reading

Additional helpful documentation, links, and articles:

Explore default detection rulesDOCUMENTATION Learn more about Security notificationsDOCUMENTATION Detect Abuse of Functionality with DatadogBLOG Detect suspicious login activity with impossible travel detection rulesBLOG