Security Rules

Security Rules

Overview

Detection Rules define conditional logic that is applied to all ingested logs and cloud configurations. When at least one case defined in a rule that is matched over a given period of time, Datadog generates a Security Signal.

Security Monitoring uses Log Detection to analyze ingested logs in real-time. Compliance Monitoring uses Cloud Configuration to scan the state of your cloud environment. For each monitoring option, there are default detection rules that work out-of-the-box with integration configuration. You can also create new rules to tailor to your environment.

Creating and Managing Rules

The Security Configuration Rules page lets you search all Detection Rules. Quickly enable, disable, edit, delete, clone, or view signals generated by any of these rules. To create a new security or compliance monitoring rule, click on the New Rule button in the top right corner of the page.

Finding rules

The free text search filters Detection Rules by text in the rule name or query. Query results update in real-time when the query is edited—there is no “Search” button to click.

Filter by facet

Use facets in the left panel to scope a search query by value. For example, if you have several rule sources and need to troubleshoot on rules provided by one source, hover over a source value in the panel, such as cloudtrail or kubernetes, and click only to narrow the search to that source.

By default, all facets are selected. To remove a facet from search, deselect the checkbox.

Rules table

Rules are displayed in the rules table.

Columns can be added or removed with the options menu.

Rules are sorted alphabetically—ascending by default (A-Z). The rules can be inverse-sorted by name, query name, creation date, or rule ID.

Enabling or disabling a rule

Enable or disable a rule using the toggle switch to the right of the rule.

Editing a rule

Edit a rule by hovering over the rule and clicking the Edit button.

Searching for signals generated by a rule

Search for signals generated by a rule by hovering over the rule and clicking the View Generated Signals button.

Cloning a rule

Clone a rule by hovering over the rule and clicking the Clone button.

Deleting a rule

Delete a rule by hovering over the rule and clicking the Delete button.

Further Reading