When activity matches a Cloud Security Management Threats (CSM Threats) Agent expression, a CSM Threats event containing all the relevant context about the activity is collected from the system.

This event is sent to Datadog, where it is analyzed. Based on that analysis, CSM Threats events can trigger Security Signals, or they can be stored as events for audit and threat investigation purposes.

CSM Threats events have the following JSON schema depending on the platform: