In addition to reviewing and fixing cloud misconfigurations directly in the findings page, you can set notifications for failed findings, and configure signals to correlate and triage misconfigurations in the same place as real-time threats that are generated by Security Monitoring and Cloud Workload Security.
Signals are security alerts that Datadog generates and displays in the Signals Explorer. Security posture signals trigger when Datadog generates evaluation:fail findings for a cloud or infrastructure configuration rule.
A selection of rules with a ‘high’ or ‘critical’ severity level are enabled to generate signals by default. For lower severity rules, select the Trigger a security signal toggle to begin generating signals. You can also use this toggle to stop a rule from generating signals at any point in time.
In order to consume findings in logical groupings and mitigate the potential for alert fatigue, you have full flexibility to change how signals are triggered for each individual resource, such as every time a resource fails a rule in a new cloud account or each time a resource is misconfigured in a service. You can also trigger by any Datadog facet. Regardless of which grouping logic you choose for signal generation, opening a signal always displays the up-to-date list of findings that are failing for this rule.
Click on any security posture signal to open a side panel for more details:
The top portion of the finding side panel displays key information about where the misconfiguration(s) are occurring: on an individual resource, a service, or an entire cloud account.
Below that is the message for the rule, including a description of the misconfiguration and instructions for how to remediate the issue.
The next tab in the bottom section of the side panel displays all findings that are triggering this signal. This list always shows the current state of your infrastructure: if you fixed 3 of 10 misconfigured security groups since the signal first triggered, Datadog displays the 7 security groups that still fail rather than findings that are no longer in violation.
Note: If using a grouping other than resource ID, the signal triggers the first time a finding meets the grouping criteria and is not re-triggered each time a new resource in that same grouping (for example, the same service or account) fails this rule. This is intentional, to avoid re-triggering signals each time a new cloud resource fails a rule. If you would like to receive an alert each time a cloud resource fails a rule, change the group by in the rule to
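The grouping semantics described above (one signal per grouping key, no re-trigger when another resource in the same group fails, and a findings list that always reflects the current state) can be illustrated with a small model. This is an added example written for this page, not Datadog's code: it simulates the documented behaviour over a constructed set of findings, and the rule name "rule-open-ssh", the accounts "acct-a"/"acct-b" and the security group IDs are all made up for the illustration.

```python
"""Model of how security posture signals are grouped and de-duplicated.

Added illustration, not Datadog's implementation. It simulates the
documented behaviour over constructed findings: a signal opens the first
time a failing finding matches a grouping key, later failures in the same
group do not open another signal, and each signal's findings list is
rebuilt from the currently failing resources so fixed resources drop out.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Finding:
    rule_id: str
    resource_id: str
    account: str
    service: str
    evaluation: str  # "pass" or "fail"


@dataclass
class Signal:
    rule_id: str
    group_key: tuple
    findings: list = field(default_factory=list)


# Group-by options: each maps a finding to the key that identifies a signal.
# The "service" option scopes a service to its account (an assumption of this
# model, not something the page states).
GROUP_BY = {
    "resource_id": lambda f: (f.resource_id,),
    "account": lambda f: (f.account,),
    "service": lambda f: (f.account, f.service),
}


def generate_signals(findings, group_by, existing=None):
    """Return the signals present after processing one scan's findings.

    `existing` carries the signals from a previous scan so that a group
    which already has a signal is not re-triggered.
    """
    key_fn = GROUP_BY[group_by]
    signals = dict(existing or {})
    for f in findings:
        if f.evaluation != "fail":
            continue
        key = (f.rule_id, *key_fn(f))
        if key not in signals:  # first failure in this group opens the signal
            signals[key] = Signal(f.rule_id, key)
    # Refresh every signal with the up-to-date list of failing findings.
    for key, sig in signals.items():
        sig.findings = [
            f for f in findings
            if f.evaluation == "fail" and (f.rule_id, *key_fn(f)) == key
        ]
    return signals


def make_findings(n_fail, n_total=10, account="acct-a"):
    """Constructed scan: `n_total` security groups, the first `n_fail` failing."""
    return [
        Finding("rule-open-ssh", f"sg-{i:02d}", account, "ec2",
                "fail" if i < n_fail else "pass")
        for i in range(n_total)
    ]


def demo():
    """Walk through three scans and report what each grouping produces."""
    first_scan = make_findings(10)
    by_resource = generate_signals(first_scan, "resource_id")
    by_account = generate_signals(first_scan, "account")
    acct_a_key = ("rule-open-ssh", "acct-a")

    # Second scan: 3 of the 10 security groups have been fixed.
    by_account = generate_signals(make_findings(7), "account", by_account)
    findings_after_fix = len(by_account[acct_a_key].findings)

    # Third scan: a new group fails in acct-a (same grouping, no new signal)
    # and one fails in acct-b (new grouping, new signal).
    third_scan = make_findings(7) + [
        Finding("rule-open-ssh", "sg-10", "acct-a", "ec2", "fail"),
        Finding("rule-open-ssh", "sg-99", "acct-b", "ec2", "fail"),
    ]
    by_account = generate_signals(third_scan, "account", by_account)

    return {
        "signals_by_resource": len(by_resource),          # 10
        "signals_by_account_first_scan": 1,               # one for acct-a
        "findings_after_fix": findings_after_fix,         # 7
        "signals_after_third_scan": len(by_account),      # 2 (acct-a, acct-b)
        "acct_a_findings_after_third_scan": len(by_account[acct_a_key].findings),  # 8
    }


if __name__ == "__main__":
    print(demo())
```

Grouping by resource ID gives one signal per failing security group, while grouping by account collapses them into one signal whose findings list tracks the current count; a new failing resource in an account that already has a signal only extends that signal's list.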
The related issues tab shows other rules that have triggered signals on the same logical grouping (the same resource, service, or cloud account) and resource type (for example, security group).
At the top of the side panel, you can configure the rule or send a notification to your colleagues by email, Slack, Microsoft Teams, PagerDuty, ServiceNow, Jira, webhooks, and more.