Security Rules

Detection Rules define conditional logic that is applied to all ingested logs and cloud configurations. When at least one case defined in a rule is matched over a given period of time, Datadog generates a Security Signal.

For each monitoring option, there are default detection rules that work out of the box once the integration is configured.
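As an added illustration, not Datadog's rule format or code, of how a case matched over a period of time turns matching logs into a single Security Signal: a hypothetical rule with a simplified query, a group-by attribute and a count threshold over a sliding window, evaluated against constructed log entries.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Rule:
    name: str
    query: dict          # attribute -> required value; simplified stand-in for a log search query
    group_by: str        # attribute whose values each get their own case counter
    threshold: int       # case condition: more than `threshold` matches ...
    window: timedelta    # ... within this period of time
    severity: str

def matches(query, log):
    """A log matches when every attribute named in the query has the required value."""
    return all(log.get(k) == v for k, v in query.items())

def evaluate(rule, logs):
    """Stream logs through one rule and return the signals it generates."""
    windows = defaultdict(deque)   # group value -> timestamps of matches inside the window
    signals = []
    for log in sorted(logs, key=lambda entry: entry["ts"]):
        if not matches(rule.query, log):
            continue
        recent = windows[log[rule.group_by]]
        recent.append(log["ts"])
        while recent and log["ts"] - recent[0] > rule.window:
            recent.popleft()               # drop matches that fell out of the period
        if len(recent) > rule.threshold:   # the case is met: emit one signal per burst
            signals.append({"rule": rule.name, "severity": rule.severity,
                            "group": log[rule.group_by], "count": len(recent), "at": log["ts"]})
            recent.clear()
    return signals

# Constructed sample logs (not real data): alice fails 4 times in 3 minutes, bob twice,
# carol 4 times spread over 21 minutes; one kubernetes log falls outside the rule's query.
T0 = datetime(2024, 1, 1, 12, 0)
LOGS = [{"ts": T0 + timedelta(minutes=m), "source": "cloudtrail", "outcome": "failure", "usr": u}
        for u, m in [("alice", 0), ("alice", 1), ("alice", 2), ("alice", 3),
                     ("bob", 0), ("bob", 4), ("carol", 0), ("carol", 7), ("carol", 14), ("carol", 21)]]
LOGS.append({"ts": T0, "source": "kubernetes", "outcome": "failure", "usr": "alice"})

RULE = Rule(name="Repeated login failures (hypothetical rule)",
            query={"source": "cloudtrail", "outcome": "failure"}, group_by="usr",
            threshold=3, window=timedelta(minutes=5), severity="high")

def run_example():
    return evaluate(RULE, LOGS)

if __name__ == "__main__":
    for s in run_example():
        print(f"{s['severity'].upper()} signal: {s['rule']} for {s['group']} ({s['count']} matches)")
```

Only alice's burst satisfies the case: carol's failures never accumulate inside the five-minute window, and the kubernetes entry never matches the query.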

Creating and managing rules

The Security Rules page lets you search all Detection Rules and quickly enable, disable, edit, delete, clone, or view the signals generated by any of them. To create a custom security rule, click the New Rule button in the top right corner of the page.

Note: Custom rules are only available for Security Monitoring.

Finding rules

The free text search filters Detection Rules by text in the rule name or query. Results update in real time as the query is edited; there is no Search button to click.

Filter by facet

Use the facets in the left panel to scope a search query by value. For example, if you have several rule sources and need to troubleshoot the rules provided by one of them, hover over a source value in the panel, such as cloudtrail or kubernetes, and click Only to narrow the search to that source.

By default, all facets are selected. To remove a facet from search, deselect the checkbox.

Rules table

Rules are displayed in the rules table.

Columns can be added or removed with the options menu.

Rules are sorted alphabetically by name, ascending (A-Z) by default. The sort order can be reversed, and rules can be sorted by name, query name, creation date, or rule ID.

Enabling or disabling a rule

Enable or disable a rule using the toggle switch to the right of the rule.

Editing a rule

Edit a rule by hovering over the rule and clicking the Edit button.

Searching for signals generated by a rule

Search for signals generated by a rule by hovering over the rule and clicking the View Generated Signals button.

Cloning a rule

Clone a rule by hovering over the rule and clicking the Clone button.

Deleting a rule

Delete a rule by hovering over the rule and clicking the Delete button.