Detection Rules

Overview

Detection Rules define conditional logic that is applied to all ingested logs and cloud configurations. When at least one case defined in a rule is matched over a given period of time, Datadog generates a Security Signal.

For each monitoring option, there are default detection rules that work out of the box once the integration is configured.

Creating and managing detection rules

The Detection Rules page lets you search all detection rules by rule type. Quickly enable, disable, edit, delete, and clone rules. To create a custom detection rule, click on the New Rule button in the top right corner of the page.

Finding detection rules

The free text search filters Detection Rules by text in the rule name or query. Results update in real time as the query is edited; there is no "Search" button to click.

Filter by facet

Use facets in the left panel to scope a search query by value. For example, if you have several rule types, such as log detection or cloud configuration, filter by rule type to see only the rules of that type.

Filtering by rule type, such as a log detection or cloud configuration, in Datadog

You can also filter by facets such as source and severity to help when investigating and triaging incoming issues. To include all facets within a category in the search again, hover your mouse over a value in the panel and click All.

Note: By default, all facets are selected.

Rules table

Rules are displayed in the detection rules table. You can sort the table by clicking on the Sort by option in the top right corner of the table. For example, sort by Highest Severity to triage high-impact misconfigurations and threats.

Columns can be added or removed with the options menu.

Enabling or disabling a rule

Enable or disable a rule using the toggle switch to the right of the rule.

Rule and generated signal options

Click on the three dot menu, next to the rule toggle, and select any of the provided options: Edit, Clone, Delete, or View generated signals.

  • Click Edit to update queries, adjust triggers, manage notifications, or adjust the rule configuration.
    • Note: You can only edit an out-of-the-box (OOTB) rule by first cloning the rule, and then modifying the rule. To edit a default rule, click Edit and scroll to the bottom of the rule configuration page. Click Clone, and then modify the rule.
  • Cloning a rule is helpful if you wish to duplicate an existing rule and lightly modify its settings to cover other areas of detection. For example, you could duplicate a log detection rule and change its detection method from Threshold to Anomaly, adding a new dimension to threat detection while keeping the same queries and triggers.
  • The Delete option is only available for custom rules. You cannot delete an out-of-the-box (OOTB) rule because these rules are native to the platform. To permanently delete a custom rule, click Delete. To disable an OOTB rule, use the disable toggle instead.
  • Click View generated signals to pivot to the Signals Explorer and query by the rule's ID. This is useful when correlating signals across multiple sources by rule, or when completing an audit of rules.

Further Reading