Current as of June 2026.
Datadog Cloud SIEM is Datadogโs security information and event management product for collecting security telemetry, analyzing logs and events with detection rules, generating security signals, investigating suspicious activity, and automating response. Datadog describes Cloud SIEM as a security data analysis and correlation system that ingests telemetry from cloud and on-prem systems using the Datadog Agent and API-based integrations. (Datadog)
This guide is written as a full practical tutorial: concept, architecture, features, use cases, onboarding, detection engineering, investigation, SOAR, Terraform, GitHub sample projects, and advanced implementation patterns.
1. What Is SIEM?
SIEM means Security Information and Event Management.
A SIEM collects security-relevant data from many systems, normalizes it, analyzes it, detects threats, generates alerts, and helps security teams investigate and respond.
Traditional SIEM examples include Splunk Enterprise Security, IBM QRadar, Microsoft Sentinel, Elastic Security, and ArcSight.
Datadog Cloud SIEM is different because it is built directly on top of Datadogโs observability platform. That means security teams can investigate threats using logs, infrastructure metrics, Kubernetes data, cloud telemetry, application traces, user activity, service ownership, dashboards, and automation in one place.
2. Why Datadog Cloud SIEM?
Datadog Cloud SIEM is especially useful for modern environments where applications run across:
| Area | Examples |
|---|---|
| Cloud | AWS, Azure, GCP, OCI |
| Kubernetes | EKS, GKE, AKS, self-managed Kubernetes |
| Applications | APIs, microservices, backend services |
| Identity | Okta, Auth0, Google Workspace, Azure AD, Duo |
| Developer tools | GitHub, GitLab, Terraform Cloud, Confluent Cloud |
| Endpoints | Windows, Linux, macOS, EDR tools |
| Network | Firewalls, DNS, proxy, WAF, VPN |
| SaaS | Slack, Zoom, Salesforce, Zendesk |
| Security tools | CrowdStrike, Wiz, SentinelOne, Palo Alto, Suricata, Zeek |
The big advantage is correlation. A suspicious AWS IAM action can be investigated alongside Kubernetes events, application logs, service ownership, deployment history, dashboards, and incident workflows.
3. Datadog Cloud SIEM Core Architecture
flowchart LR
A[Security Data Sources] --> B[Collection Layer]
B --> C[Datadog Log Intake]
C --> D[Log Pipelines / Parsing / Enrichment]
D --> E[Cloud SIEM Analysis]
E --> F[Detection Rules]
F --> G[Security Signals]
G --> H[Investigation / Triage]
H --> I[Notification / Incident / SOAR]
I --> J[Remediation / Reporting]
A1[AWS CloudTrail] --> B
A2[GCP Audit Logs] --> B
A3[Azure Platform Logs] --> B
A4[Kubernetes Audit Logs] --> B
A5[Linux / Windows Logs] --> B
A6[GitHub / Okta / SaaS Logs] --> B
Code language: CSS (css)
Datadog Cloud SIEM continuously analyzes incoming data to detect threats, generate actionable security signals, and correlate them across sources. (Datadog)
4. Important Datadog SIEM Terms
| Term | Meaning |
|---|---|
| Log | Raw event collected from cloud, application, OS, identity, SaaS, or network source |
| Pipeline | Datadog processing logic used to parse, remap, enrich, and normalize logs |
| Facet | Indexed/searchable field used for filtering and grouping |
| Content Pack | Datadog-provided onboarding package for a security data source |
| Detection Rule | Logic that analyzes logs/events and detects suspicious activity |
| OOTB Rule | Out-of-the-box rule created by Datadog |
| Custom Rule | Rule created by your team |
| Security Signal | Alert-like object generated when a detection rule matches |
| Suppression | Logic to prevent noisy or expected activity from generating signals |
| Investigator | Graphical investigation experience for supported sources |
| Notification Rule | Routing rule for sending security signals to people or teams |
| SOAR | Security orchestration, automation, and response |
| OCSF | Open Cybersecurity Schema Framework used for normalized security data |
| Security Filter | Configuration controlling which logs Cloud SIEM analyzes |
5. Main Features of Datadog Cloud SIEM
5.1 Content Packs
Cloud SIEM Content Packs are curated security onboarding packages. Depending on the integration, a Content Pack can include detection rules, dashboards, parsers, investigators, workflow automation, and configuration guides. (Datadog)
This is now one of the most important Datadog SIEM concepts. Instead of manually building everything from zero, you enable a Content Pack for AWS CloudTrail, GCP Audit Logs, GitHub, Okta, Kubernetes Audit Logs, Windows Event Logs, and many other sources.
Examples of Content Pack categories include:
| Category | Examples |
|---|---|
| Authentication | Okta, Auth0, Duo, Keycloak, Google Workspace |
| Cloud Audit | AWS CloudTrail, Azure Security, GCP Audit Logs, Kubernetes Audit Logs |
| Developer Tools | GitHub, GitLab, Terraform Cloud, Confluent Cloud |
| Endpoint | Windows Event Logs, Microsoft Sysmon, Jamf, SentinelOne, CrowdStrike |
| Network | Cisco ASA, Fortinet, Palo Alto, Suricata, Zeek, Cloudflare |
| Web Security | NGINX, Apache, Fastly, App and API Protection |
5.2 Detection Rules
Detection rules are the brain of SIEM. They define suspicious behavior.
Datadog provides OOTB detection rules to flag attacker techniques and misconfigurations, and Datadogโs Security Research team continuously adds new default rules. (Datadog)
Detection examples:
| Rule Type | Example |
|---|---|
| Cloud identity | AWS IAM user created access key |
| Privilege escalation | Admin role attached to user |
| Data exfiltration | BigQuery export to external bucket |
| Defense evasion | CloudTrail disabled |
| Credential access | Secret parameter accessed unexpectedly |
| Kubernetes | Suspicious exec into pod |
| Network | Connection to threat-intel-listed IP |
| Developer tool | GitHub secret exposed or repo visibility changed |
5.3 Security Signals
A security signal is generated when Datadog detects a threat by analyzing logs against detection rules. Signals can be viewed, searched, filtered, assigned, and correlated in Signals Explorer. (Datadog)
A signal usually contains:
| Signal Field | Meaning |
|---|---|
| Rule name | Detection that generated the signal |
| Severity | Info, Low, Medium, High, Critical |
| Source | CloudTrail, Okta, GitHub, Kubernetes, etc. |
| Triggering logs | Events that matched the rule |
| User/resource | Identity, account, host, pod, service, IP |
| MITRE ATT&CK mapping | Tactic/technique where available |
| Triage state | Open, under review, archived, etc. |
| Timeline | Events and updates around the signal |
| Suggested response | Investigation/remediation guidance |
5.4 Custom Detection Rules
OOTB rules cover many common cases, but custom rules are required for company-specific risks. Datadog supports custom rules for specific use cases, services, accounts, or events. (Datadog)
Datadog custom detection methods include:
| Detection Method | Meaning | Example |
|---|---|---|
| Threshold | Trigger when event count exceeds threshold | More than 10 failed logins in 5 minutes |
| New Value | Trigger when unseen value appears | User logs in from new country |
| Anomaly | Trigger when behavior deviates from baseline | Unusual API call volume |
| Content Anomaly | Detect unusual content patterns | Rare command or rare user-agent |
| Impossible Travel | Detect impossible user movement | Login from Japan and Germany within minutes |
| Third Party Signal Correlation | Correlate external security signals | EDR alert + cloud activity |
| Sequence | Detect ordered chain of events | Login failure โ success โ privilege escalation |
| Scheduled Rule | Run periodic deeper analysis | Daily privileged access review |
| Historical Job | Backtest detection against historical logs | Check if new rule would have fired last month |
Real-time detection rules continuously monitor incoming logs and trigger immediate alerts when matching patterns or anomalies are detected. (Datadog) Scheduled detection rules run at intervals to analyze indexed log data using a defined time window. (Datadog) Historical jobs are one-time queries against historical logs used to backtest detections and convert interesting results into signals. (Datadog)
5.5 Suppressions
Suppressions prevent signals from being generated under specific conditions. This is critical for reducing false positives.
Datadog supports suppression rules across multiple detection rules. For example, suppress signals containing a specific trusted IP, service account, scanner, or maintenance window pattern. (Datadog)
Use suppressions for:
| Scenario | Example |
|---|---|
| Known scanner | Suppress vulnerability scanner traffic |
| Trusted automation | Suppress Terraform role changes from CI |
| Break-glass test | Suppress controlled security drill |
| Internal NAT IP | Suppress known corporate egress IP |
| Test account | Suppress lab-only user activity |
Important: prefer precise suppressions. Do not suppress broad rules like env:prod or source:cloudtrail, because that can hide real attacks.
5.6 OCSF Normalization
Datadog Cloud SIEM supports the Open Cybersecurity Schema Framework, or OCSF. Datadog says OCSF support is integrated directly into Cloud SIEM so incoming security logs are standardized and enriched with OCSF-compliant attributes through out-of-the-box pipelines. (Datadog)
Why this matters:
| Without OCSF | With OCSF |
|---|---|
| Each vendor has different field names | Common normalized schema |
| Hard to write portable rules | Easier detection logic |
| Investigation requires vendor-specific knowledge | Standardized user, IP, action, resource fields |
| Cross-source correlation is difficult | Better correlation across cloud, identity, endpoint, network |
Datadog also provides an OCSF processor for custom mappings inside Log Management pipelines. (Datadog)
5.7 Security Filters
Cloud SIEM does not always need to analyze every log. Security Filters control which ingested logs are analyzed by Cloud SIEM.
Datadog currently documents different filtering approaches depending on the Cloud SIEM product type. For most Content Pack use cases, enabling or disabling Content Packs is the easiest way to manage which logs Cloud SIEM analyzes. For more granular control, teams can configure filters directly. (Datadog)
Important detail: Datadog tags ingested logs with datadog.cloud_siem:true or datadog.cloud_siem:false depending on whether Cloud SIEM selected the log for analysis. (Datadog)
Use this query in Logs Explorer:
datadog.cloud_siem:true
Code language: CSS (css)
To check logs not analyzed:
datadog.cloud_siem:false
Code language: CSS (css)
6. Datadog Cloud SIEM Use Cases
6.1 Cloud Threat Detection
Detect suspicious cloud activity:
| Cloud Threat | Example |
|---|---|
| IAM abuse | New access key created |
| Privilege escalation | Admin policy attached |
| Defense evasion | CloudTrail disabled |
| Persistence | New user created |
| Data exfiltration | S3 bucket data accessed unexpectedly |
| Reconnaissance | ScoutSuite or unusual API enumeration |
| Insecure config change | Security group opened to world |
6.2 Kubernetes Security Monitoring
Detect Kubernetes threats:
| Kubernetes Threat | Example |
|---|---|
| Suspicious exec | kubectl exec into sensitive pod |
| Privilege escalation | Privileged pod created |
| Secret access | Kubernetes Secret read by unusual identity |
| Admission bypass | Risky admission controller change |
| Lateral movement | Service account token used unexpectedly |
| Namespace abuse | New cluster role binding created |
| Container escape indicators | Runtime events from workload protection |
6.3 Identity and Access Monitoring
Detect identity risks:
| Identity Source | Use Case |
|---|---|
| Okta/Auth0 | MFA disabled, impossible travel, admin role change |
| Google Workspace | Suspicious login, new OAuth app |
| Azure AD | Privileged role assignment |
| Duo | MFA bypass or unusual authentication |
| GitHub | Org owner added, secret pushed, repo visibility changed |
6.4 Developer Tool Security
Modern attacks often target CI/CD and developer tools.
Monitor:
| Tool | Use Case |
|---|---|
| GitHub | Repo visibility changes, deploy key added, secret scanning alert |
| GitLab | Runner token abuse, admin change |
| Terraform Cloud | Workspace variable changed, run triggered by unknown user |
| Confluent Cloud | API key created, ACL changed |
| Jira/Confluence | Admin permission or page access abuse |
6.5 Endpoint and OS Security
Monitor:
| Source | Use Case |
|---|---|
| Linux audit logs | Sudo, SSH, user creation, file changes |
| Windows Event Logs | Logon events, PowerShell, account changes |
| Sysmon | Process creation, network connection, suspicious parent-child process |
| EDR | Malware alerts, suspicious process, blocked threat |
6.6 Network Security
Monitor:
| Source | Use Case |
|---|---|
| DNS | Domain generation algorithm, suspicious lookup |
| Firewall | Denied traffic, risky country, threat IP |
| WAF | SQLi/XSS attempts |
| VPN | Impossible travel, unusual country |
| Proxy | Malware download, blocked destination |
| Zeek/Suricata | Network IDS events |
7. End-to-End Implementation Roadmap
flowchart TD
A[Step 1: Define Security Goals] --> B[Step 2: Identify Log Sources]
B --> C[Step 3: Enable Datadog Cloud SIEM]
C --> D[Step 4: Enable Content Packs]
D --> E[Step 5: Ingest Logs]
E --> F[Step 6: Parse and Normalize]
F --> G[Step 7: Validate Security Filters]
G --> H[Step 8: Enable OOTB Rules]
H --> I[Step 9: Create Custom Rules]
I --> J[Step 10: Triage Signals]
J --> K[Step 11: Configure Notifications]
K --> L[Step 12: Automate Response]
L --> M[Step 13: Measure and Improve]
Code language: CSS (css)
8. Prerequisites
Before starting, prepare:
| Requirement | Why Needed |
|---|---|
| Datadog account | Cloud SIEM runs inside Datadog |
| Cloud SIEM enabled | Required for SIEM analysis |
| Log Management | SIEM uses logs as primary input |
| API key | For log ingestion |
| Application key | For API/Terraform operations |
| Admin or Security permissions | Needed to configure SIEM |
| Cloud accounts | AWS/Azure/GCP logs |
| GitHub access | For lab projects |
| Terraform | Optional, for IaC |
| Datadog Agent | For host/Kubernetes logs |
| Datadog Forwarder | For AWS log forwarding |
| Test environment | Never start threat emulation directly in production |
9. Data Source Strategy
A world-class SIEM project should not ingest random logs blindly. Start with high-value security logs.
Phase 1: Must-have logs
| Priority | Source | Why |
|---|---|---|
| P0 | Cloud audit logs | Cloud attacks show up here first |
| P0 | Identity provider logs | Identity is the new perimeter |
| P0 | Kubernetes audit logs | Needed for container platform security |
| P0 | Datadog Audit Trail | Monitor Datadog account changes |
| P1 | GitHub/GitLab logs | CI/CD and code security |
| P1 | Linux/Windows auth logs | Host-level access monitoring |
| P1 | Firewall/DNS/proxy logs | Network threat detection |
| P1 | WAF/AppSec logs | Application attack detection |
| P2 | EDR/security tool alerts | Correlation with cloud and app behavior |
| P2 | SaaS audit logs | Collaboration/data access monitoring |
10. Datadog SIEM Data Flow by Source
| Source | Collection Method | Datadog Component |
|---|---|---|
| AWS CloudTrail | S3 + Datadog Forwarder Lambda / AWS integration | Cloud SIEM Content Pack |
| GCP Audit Logs | Pub/Sub + Dataflow Datadog template | Cloud SIEM Content Pack |
| Azure Platform Logs | Azure Event Hub / Datadog integration | Cloud SIEM Content Pack |
| Kubernetes Audit Logs | Control plane audit log export | Cloud SIEM Content Pack |
| Linux logs | Datadog Agent log collection | Log pipelines + Cloud SIEM |
| Windows logs | Datadog Agent / Windows Event Logs | Log pipelines + Cloud SIEM |
| GitHub audit logs | GitHub integration | Content Pack |
| Okta/Auth0 | SaaS integration/API | Content Pack |
| NGINX/Apache | Agent log collection | Web security Content Pack |
| Network devices | Syslog / Agent / Observability Pipelines | Network Content Pack |
11. Step-by-Step: Enable Cloud SIEM
Step 1: Enable Cloud SIEM
In Datadog:
Security โ Cloud SIEM
Enable Cloud SIEM for your organization.
Step 2: Choose Content Packs
Go to:
Security โ Cloud SIEM โ Ingest and Enrich โ Content Packs
Start with:
AWS CloudTrail
Datadog Audit Trail
Kubernetes Audit Logs
GitHub
Okta/Auth0
Windows Event Logs
Linux Audit Logs
NGINX/Apache
Cloud SIEM Content Packs are the easiest way to send security data to Datadog because they are designed specifically for SIEM onboarding. (Datadog)
Step 3: Validate Logs Are Ingested
Go to Logs Explorer and search:
source:cloudtrail
Code language: CSS (css)
or:
source:github
Code language: CSS (css)
or:
source:kubernetes.audit
Code language: CSS (css)
Step 4: Confirm Logs Are Analyzed by Cloud SIEM
Search:
source:cloudtrail datadog.cloud_siem:true
Code language: CSS (css)
If logs show:
datadog.cloud_siem:false
Code language: CSS (css)
then Cloud SIEM is ingesting the log into Datadog, but not analyzing it for SIEM.
Step 5: Check Detection Rules
Go to:
Security โ Cloud SIEM โ Detection Rules
Confirm OOTB rules are enabled.
Cloud SIEM applies OOTB detection rules after Content Packs are enabled and configured. (Datadog)
12. AWS CloudTrail SIEM Tutorial
AWS CloudTrail is one of the best first SIEM projects because it detects identity, cloud control-plane, and privilege escalation attacks.
Datadogโs AWS Cloud SIEM guide explains that Cloud SIEM applies detection rules to processed logs and surfaces threats as Security Signals in Signals Explorer. (Datadog)
Architecture
flowchart LR
A[AWS CloudTrail] --> B[S3 Bucket]
B --> C[Datadog Forwarder Lambda]
C --> D[Datadog Logs Intake]
D --> E[Cloud SIEM AWS CloudTrail Content Pack]
E --> F[Detection Rules]
F --> G[Security Signals]
Code language: CSS (css)
Step-by-step
Step 1: Enable CloudTrail
In AWS:
CloudTrail โ Trails โ Create trail
Recommended:
Management events: Read + Write
Data events: S3, Lambda, important services
Multi-region trail: Enabled
Log file validation: Enabled
Send to S3: Enabled
Step 2: Send CloudTrail logs to Datadog
Common architecture:
CloudTrail โ S3 โ Datadog Forwarder Lambda โ Datadog
Datadogโs AWS SIEM setup notes that AWS service logs are collected with a Datadog Lambda function that triggers on S3 buckets and forwards logs to Datadog. (Datadog)
Step 3: Enable AWS CloudTrail Content Pack
Enable:
AWS CloudTrail Content Pack
It provides detection rules, dashboards, investigator workflows, and configuration guidance.
Step 4: Validate ingestion
In Logs Explorer:
source:cloudtrail
Code language: CSS (css)
Useful fields:
@eventName
@eventSource
@userIdentity.arn
@userIdentity.type
@awsRegion
@sourceIPAddress
@userAgent
Code language: CSS (css)
Step 5: Validate SIEM analysis
source:cloudtrail datadog.cloud_siem:true
Code language: CSS (css)
Step 6: Watch for signals
Go to:
Security โ Cloud SIEM โ Signals
Filter:
source:cloudtrail
Code language: CSS (css)
13. AWS Threat Emulation Project Using GitHub
Project: Datadog AWS Cloud SIEM Threat Emulation
Datadog has an official GitHub project called cloud-siem-aws-threat-emulation. It uses Stratus Red Team-style AWS attack simulation to validate Datadog Cloud SIEM detections. The project README says to validate generated signals in Datadog by filtering Cloud SIEM Signals with CloudTrail source and Stratus Red Team user agent. (GitHub)
What you learn
| Topic | Skill |
|---|---|
| CloudTrail ingestion | Confirm AWS logs reach Datadog |
| OOTB rules | Validate Datadog default rules |
| Threat emulation | Simulate safe attack techniques |
| Signal triage | Investigate generated alerts |
| Cleanup | Remove created attack artifacts |
Lab steps
Step 1: Prepare isolated AWS account
Use a sandbox AWS account. Do not run threat emulation in production.
Step 2: Configure CloudTrail to Datadog
Confirm:
source:cloudtrail
Code language: CSS (css)
Step 3: Clone the GitHub project
git clone https://github.com/DataDog/cloud-siem-aws-threat-emulation.git
cd cloud-siem-aws-threat-emulation
Code language: PHP (php)
Step 4: Follow project setup
Install the required tooling as documented by the repo.
Step 5: Run a safe emulation
Example types of activities usually include:
IAM enumeration
Access key activity
CloudTrail tampering scenario
S3 public exposure scenario
Privilege escalation style activity
Code language: PHP (php)
Step 6: Validate in Datadog
Go to:
Security โ Cloud SIEM โ Signals
Search:
source:cloudtrail @http.useragent:*stratus-red-team*
Step 7: Investigate signal
For each signal, inspect:
What happened?
Which user?
Which source IP?
Which AWS account?
Which region?
Which API call?
Was this expected?
What happened before and after?
Code language: JavaScript (javascript)
Step 8: Cleanup
Run cleanup commands from the project documentation.
14. GCP Audit Logs SIEM Tutorial
Datadogโs GCP Cloud SIEM guide states that Cloud SIEM applies detection rules to processed logs, including Google Cloud audit logs, and uses Google Cloud Dataflow with the Datadog template to forward logs from Google Cloud services to Datadog. (Datadog)
Architecture
flowchart LR
A[GCP Audit Logs] --> B[Log Sink]
B --> C[Pub/Sub Topic]
C --> D[Dataflow Datadog Template]
D --> E[Datadog Logs Intake]
E --> F[Cloud SIEM]
F --> G[Security Signals]
Code language: CSS (css)
Steps
Step 1: Enable Data Access audit logs
Enable:
Admin Read
Data Read
Data Write
Datadogโs GCP guide specifically recommends enabling these Data Access audit log types. (Datadog)
Step 2: Create Pub/Sub topic and subscription
Example:
export-audit-logs-to-datadog
Code language: JavaScript (javascript)
Step 3: Create log sink
Filter:
logName:"cloudaudit.googleapis.com"
Code language: JavaScript (javascript)
Step 4: Create Dataflow worker service account
Grant required permissions.
Step 5: Run Dataflow Datadog template
Use the Datadog Dataflow template.
Important: Datadog says Pub/Sub Push subscription collection is being deprecated for this use case and recommends Pull subscription with the Datadog Dataflow template instead. (Datadog)
Step 6: Validate
Logs Explorer:
source:gcp
Code language: CSS (css)
Cloud SIEM:
source:gcp datadog.cloud_siem:true
Code language: CSS (css)
Signals:
Security โ Cloud SIEM โ Signals
15. Azure SIEM Tutorial
Datadogโs Azure Cloud SIEM guide says Cloud SIEM applies detection rules to processed Azure logs and surfaces detected threats as Security Signals in Signals Explorer. (Datadog)
Architecture
flowchart LR
A[Azure Activity Logs] --> B[Event Hub]
B --> C[Datadog Azure Integration / Forwarder]
C --> D[Datadog Logs]
D --> E[Cloud SIEM]
E --> F[Signals]
Code language: CSS (css)
Recommended Azure logs
Azure Activity Logs
Azure AD / Entra ID sign-in logs
Azure AD audit logs
Key Vault audit logs
Storage account access logs
Network security group flow logs
Defender for Cloud alerts
AKS audit logs
Example detections
| Detection | Why Important |
|---|---|
| Privileged role assigned | Possible privilege escalation |
| New service principal credential | Possible persistence |
| Key Vault secret read | Credential access |
| Security rule opened to internet | Exposure |
| Azure policy disabled | Defense evasion |
| Impossible travel | Account compromise |
16. Kubernetes Audit Logs SIEM Tutorial
Why Kubernetes audit logs matter
Kubernetes audit logs show API server activity:
create pod
exec into pod
read secret
create clusterrolebinding
delete deployment
patch daemonset
create privileged workload
Code language: JavaScript (javascript)
Recommended events to monitor
| Event | Why |
|---|---|
create pods/exec | Interactive shell into container |
get secrets | Credential access |
create clusterrolebinding | Privilege escalation |
create privileged pod | Container escape risk |
patch daemonset | Persistence |
delete audit policy | Defense evasion |
create serviceaccount token | Credential abuse |
Example Datadog query
source:kubernetes.audit @verb:create @objectRef.resource:pods
Suspicious exec:
source:kubernetes.audit @objectRef.subresource:exec
Secret access:
source:kubernetes.audit @objectRef.resource:secrets
Privileged RBAC change:
source:kubernetes.audit @objectRef.resource:(clusterrolebindings OR rolebindings)
17. Linux Audit Logs SIEM Tutorial
Useful Linux security logs
| Log | Purpose |
|---|---|
/var/log/auth.log | SSH, sudo, authentication |
/var/log/secure | RHEL/CentOS auth events |
| auditd logs | Syscall and file access auditing |
| syslog | General system security events |
| sudo logs | Privilege escalation |
| SSH logs | Remote login attempts |
Datadog Agent log collection example
logs:
- type: file
path: /var/log/auth.log
service: linux-auth
source: auth
tags:
- env:lab
- team:security
Code language: JavaScript (javascript)
Restart Agent:
sudo systemctl restart datadog-agent
Validate:
sudo datadog-agent status
sudo datadog-agent stream-logs
Datadog query:
source:auth service:linux-auth
Code language: CSS (css)
Example custom rule: SSH brute force
Query:
source:auth "Failed password"
Code language: JavaScript (javascript)
Group by:
host
@network.client.ip
@usr.name
Code language: CSS (css)
Condition:
More than 10 events in 5 minutes
Severity:
Medium
Message:
Possible SSH brute force attempt from {{@network.client.ip}} against {{host.name}}.
Investigate successful logins from this IP and check whether the username was valid.
Code language: JavaScript (javascript)
18. Windows Event Logs SIEM Tutorial
Important Windows Event IDs
| Event ID | Meaning |
|---|---|
| 4624 | Successful logon |
| 4625 | Failed logon |
| 4634 | Logoff |
| 4672 | Special privileges assigned |
| 4688 | Process creation |
| 4720 | User account created |
| 4728 | User added to privileged group |
| 4732 | User added to local group |
| 4740 | Account locked out |
| 4768 | Kerberos authentication ticket requested |
| 4769 | Kerberos service ticket requested |
| 1102 | Audit log cleared |
Example detection: Windows audit log cleared
Query:
source:windows @evt.id:1102
Severity:
High
Why:
Clearing Windows Security logs is a common defense evasion technique.
19. GitHub SIEM Tutorial
GitHub audit logs are very important because source control and CI/CD are frequent attack targets.
Events to monitor
| Event | Risk |
|---|---|
| Organization owner added | Privilege escalation |
| Repository visibility changed to public | Data exposure |
| Deploy key added | Persistence |
| Secret scanning alert | Secret leakage |
| GitHub Actions workflow modified | CI/CD compromise |
| PAT created or used suspiciously | Credential abuse |
| Branch protection disabled | Defense evasion |
| Webhook added | Data exfiltration |
Example Datadog query
source:github @action:repo.change_visibility
Example custom rule
Name:
GitHub Repository Made Public
Code language: PHP (php)
Query:
source:github @action:repo.change_visibility @visibility:public
Code language: PHP (php)
Severity:
High
Message:
A GitHub repository was made public. Validate whether this was approved.
Check repository name, actor, organization, and recent commits for sensitive data exposure.
Code language: JavaScript (javascript)
20. Okta/Auth0 Identity SIEM Tutorial
Events to monitor
| Event | Risk |
|---|---|
| MFA disabled | Account weakening |
| Admin role assigned | Privilege escalation |
| Impossible travel | Account compromise |
| New device | Suspicious login |
| Repeated failed logins | Brute force |
| Password reset | Account recovery abuse |
| New API token | Persistence |
| Suspicious OAuth app | Consent phishing |
Example rule: MFA disabled
source:okta @eventType:user.mfa.factor.deactivate
Severity:
High
Group by:
@usr.id
Code language: CSS (css)
21. Detection Engineering in Datadog SIEM
21.1 Good detection rule design
A good rule should have:
| Component | Example |
|---|---|
| Clear title | AWS CloudTrail Disabled |
| Strong query | Match exact API event |
| Severity | Based on impact |
| Group-by | User/account/IP/resource |
| Time window | 5 min, 15 min, 1 hour, etc. |
| MITRE mapping | Defense Evasion, Credential Access |
| Message | What happened and how to respond |
| Suppression | Known automation excluded |
| Owner | Security/platform team |
| Runbook | Investigation steps |
| Test method | Historical job or threat emulation |
21.2 Rule quality checklist
Before enabling a rule in production:
Does the rule detect real attacker behavior?
Does it generate too many false positives?
Can an analyst understand the signal?
Does the signal include user/IP/resource?
Is there a runbook?
Is severity correct?
Is there an owner?
Is there a safe suppression strategy?
Can we test it?
Can we backtest it?
Can it be managed as code?
Code language: PHP (php)
22. Example Custom Rules
Rule 1: AWS CloudTrail Disabled
Query:
source:cloudtrail @eventName:StopLogging
Group by:
@userIdentity.arn
@awsRegion
Code language: CSS (css)
Severity:
Critical
Message:
CloudTrail logging was stopped by {{@userIdentity.arn}} in {{@awsRegion}}.
This may indicate defense evasion. Confirm whether this was an approved change.
Check recent IAM activity, source IP, user agent, and other API calls from the same identity.
Code language: JavaScript (javascript)
Rule 2: IAM Access Key Created
Query:
source:cloudtrail @eventName:CreateAccessKey
Group by:
@userIdentity.arn
Code language: CSS (css)
Severity:
Medium
Upgrade to High if:
The actor is new
The source IP is unusual
The user is privileged
The key belongs to another user
Code language: JavaScript (javascript)
Rule 3: S3 Bucket Policy Changed
Query:
source:cloudtrail @eventName:(PutBucketPolicy OR PutBucketAcl OR PutPublicAccessBlock)
Group by:
@requestParameters.bucketName
@userIdentity.arn
Code language: CSS (css)
Severity:
High
Rule 4: Kubernetes Secret Access
Query:
source:kubernetes.audit @objectRef.resource:secrets @verb:get
Code language: JavaScript (javascript)
Group by:
@user.username
@objectRef.namespace
Code language: CSS (css)
Severity:
Medium
Escalate if:
namespace:prod
unusual user
serviceaccount outside namespace
high frequency
Code language: CSS (css)
Rule 5: GitHub Branch Protection Disabled
Query:
source:github @action:protected_branch.destroy
Severity:
High
Rule 6: Windows Audit Log Cleared
Query:
source:windows @evt.id:1102
Severity:
Critical
Rule 7: NGINX Possible SQL Injection
Query:
source:nginx @http.url_details.queryString:("*union select*" OR "*sleep(*" OR "*information_schema*")
Code language: JavaScript (javascript)
Severity:
Medium
Note: This should be tuned carefully to avoid false positives.
23. Creating a Custom Rule in Datadog UI
Go to:
Security โ Cloud SIEM โ Detection Rules โ New Rule
Code language: PHP (php)
Choose:
Real-Time Rule
Select method:
Threshold
Define query:
source:cloudtrail @eventName:StopLogging
Set condition:
count > 0 over 5 minutes
Group by:
@userIdentity.arn
Code language: CSS (css)
Add message:
CloudTrail logging stopped by {{@userIdentity.arn}}.
Investigate immediately.
Set severity:
Critical
Add tags:
team:security
source:aws
mitre:defense-evasion
env:prod
Code language: CSS (css)
Save rule.
24. Signal Investigation Workflow
Datadog Cloud SIEM Signals Explorer allows teams to view, search, filter, correlate, and assign signals without learning a dedicated query language. (Datadog)
Investigation flow
flowchart TD
A[Signal Created] --> B[Read What Happened]
B --> C[Identify User / IP / Resource]
C --> D[Check Triggering Logs]
D --> E[Check Same User Timeline]
E --> F[Check Same IP Timeline]
F --> G[Check Related Cloud / App / K8s Logs]
G --> H[Classify True Positive or False Positive]
H --> I[Contain / Remediate]
I --> J[Update Rule / Suppression / Runbook]
Code language: CSS (css)
Standard triage questions
Who performed the action?
Was the identity human or service account?
Was MFA used?
Was the source IP expected?
Was the user-agent expected?
What resource was affected?
Was this in production?
Was this change approved?
Did similar activity happen before?
Did the same identity perform other suspicious actions?
Is there related app, Kubernetes, network, or endpoint activity?
Code language: JavaScript (javascript)
25. MITRE ATT&CK Mapping
A strong SIEM program should map detections to MITRE ATT&CK.
| MITRE Tactic | Datadog SIEM Example |
|---|---|
| Initial Access | Suspicious login from threat IP |
| Execution | Kubernetes exec into pod |
| Persistence | New IAM access key created |
| Privilege Escalation | Admin role attached |
| Defense Evasion | CloudTrail stopped |
| Credential Access | Secret read from SSM/Secrets Manager |
| Discovery | Cloud API enumeration |
| Lateral Movement | Unusual service account activity |
| Collection | S3 object read spike |
| Exfiltration | BigQuery export to external bucket |
| Impact | Resource deletion or ransomware-like behavior |
26. Risk Scoring and Entity Investigation
Datadog calculates entity risk scores based on associated signals, including signal severity and how many times a signal fired over the past 14 days. (Datadog)
Use risk scoring to answer:
Which user is riskiest?
Which host has repeated suspicious behavior?
Which cloud account has the highest risk?
Which service account needs review?
Which IP appears in multiple signals?
27. Notifications and Alert Routing
Signals are only useful if they reach the right team.
Common routing:
| Signal Type | Notify |
|---|---|
| Critical cloud control-plane attack | Security on-call + cloud platform team |
| Kubernetes privilege escalation | Platform SRE + security |
| GitHub organization change | DevSecOps + repo owner |
| Okta admin change | IAM team + security |
| WAF attack spike | AppSec + application owner |
| Windows log cleared | SOC + endpoint team |
Datadog allows Notification Rules to route signals to individuals or teams, and signal modification requires Security Signals Write permission. (Datadog)
28. SOAR and Response Automation
SOAR means Security Orchestration, Automation, and Response.
Datadog Cloud SIEM can work with Workflow Automation. Content Packs may include workflow automation to accelerate investigation and remediation. (Datadog)
Example automation ideas
| Signal | Automated Action |
|---|---|
| IAM access key created by unusual user | Create Jira ticket, notify Slack, enrich user details |
| GitHub repo made public | Notify repo owner, open incident, collect repo metadata |
| Okta MFA disabled | Notify IAM, ask for approval evidence |
| Threat IP seen in firewall logs | Query related logs, enrich IP, notify SOC |
| Kubernetes secret accessed | Notify platform team, collect namespace/pod/service account details |
Do not automatically delete users, revoke production credentials, or block IPs without a clear approval process unless your organization has mature playbooks.
29. Datadog SIEM with Terraform
Terraform is useful for managing Datadog configuration as code. The official Datadog Terraform provider is used to interact with Datadog resources and requires proper credentials. (GitHub)
Useful Terraform-managed SIEM resources
| Resource Type | Use |
|---|---|
| Detection rules | Manage custom SIEM rules as code |
| Monitors | Alert on ingestion gaps or SIEM health |
| Dashboards | Security dashboards |
| Log pipelines | Parsing and normalization |
| Log indexes | Retention and cost control |
| Sensitive data scanner | Redaction controls |
| Integrations | Cloud/source integrations where supported |
| Teams/roles | Access governance |
Sample Terraform skeleton
terraform {
required_providers {
datadog = {
source = "DataDog/datadog"
version = "~> 3.0"
}
}
}
provider "datadog" {
api_key = var.datadog_api_key
app_key = var.datadog_app_key
api_url = var.datadog_api_url
}
variable "datadog_api_key" {
type = string
sensitive = true
}
variable "datadog_app_key" {
type = string
sensitive = true
}
variable "datadog_api_url" {
type = string
default = "https://api.datadoghq.com/"
}
Code language: JavaScript (javascript)
Official GitHub project: Terraform security modules
Datadog has an official GitHub repository named terraform-modules-datadog-security, which contains Terraform modules for common integrations between Datadog security products and cloud providers. (GitHub)
Use this repository as a reference for cloud security onboarding patterns.
30. Sigma to Datadog Rules
Sigma is a generic detection rule format used by detection engineers.
Datadog has an official pysigma-backend-datadog GitHub project. It supports output formats for Datadog query syntax and can convert Sigma rules into Datadog Cloud SIEM detection format. (GitHub)
Use case
You have Sigma rule:
title: Suspicious PowerShell Encoded Command
logsource:
product: windows
category: process_creation
detection:
selection:
CommandLine|contains: "-enc"
condition: selection
level: high
Code language: JavaScript (javascript)
You convert it into Datadog-compatible query/rule format.
Why useful
| Benefit | Explanation |
|---|---|
| Detection portability | Reuse community Sigma detections |
| Faster rule creation | Convert baseline logic |
| Standard detection workflow | Detection-as-code |
| Easier migration | Move from another SIEM to Datadog |
31. Recommended GitHub Projects for Hands-On Learning
| Project | Owner | Purpose |
|---|---|---|
| cloud-siem-aws-threat-emulation | DataDog | Validate AWS Cloud SIEM detections using threat emulation |
| terraform-provider-datadog | DataDog | Manage Datadog resources with Terraform |
| terraform-modules-datadog-security | DataDog | Security-focused Terraform modules for cloud integrations |
| pysigma-backend-datadog | DataDog | Convert Sigma detections to Datadog queries/SIEM rules |
32. Complete Lab Roadmap
Lab 1: Basic SIEM with Linux auth logs
Goal:
Collect Linux SSH/sudo logs and create brute-force detection.
Skills:
Datadog Agent
Log collection
Log Explorer
Custom detection rule
Security signal triage
Lab 2: AWS CloudTrail SIEM
Goal:
Forward CloudTrail logs into Datadog and enable AWS CloudTrail Content Pack.
Skills:
CloudTrail
S3
Datadog Forwarder
Content Packs
OOTB detections
Signals Explorer
Lab 3: AWS Threat Emulation
Goal:
Use DataDog/cloud-siem-aws-threat-emulation to trigger test signals.
Code language: PHP (php)
Skills:
Threat simulation
CloudTrail detection validation
Rule testing
Triage
Cleanup
Lab 4: Kubernetes Audit Logs
Goal:
Detect suspicious Kubernetes API activity.
Skills:
Kubernetes audit policy
Control plane logs
Kubernetes SIEM detection
RBAC investigation
Lab 5: GitHub Audit Logs
Goal:
Detect repository visibility changes and privileged user changes.
Skills:
GitHub audit logs
Developer security
Custom detections
Notification routing
Lab 6: Detection-as-Code
Goal:
Manage SIEM rules and dashboards with Terraform.
Code language: JavaScript (javascript)
Skills:
Terraform provider
Rule versioning
Pull request review
Environment promotion
Lab 7: Sigma Conversion
Goal:
Convert Sigma rules into Datadog-compatible query/rule format.
Skills:
Sigma
pysigma-backend-datadog
Detection engineering
Rule portability
33. Production Reference Architecture
flowchart TB
subgraph Cloud["Cloud Accounts"]
A1[AWS CloudTrail]
A2[GCP Audit Logs]
A3[Azure Activity Logs]
end
subgraph Platform["Platform"]
B1[Kubernetes Audit Logs]
B2[Datadog Agent]
B3[Workload Protection]
end
subgraph SaaS["SaaS / Identity / Dev Tools"]
C1[Okta/Auth0]
C2[GitHub/GitLab]
C3[Google Workspace]
end
subgraph Network["Network / Edge"]
D1[Firewall]
D2[DNS]
D3[WAF]
D4[Proxy]
end
Cloud --> E[Datadog Log Intake]
Platform --> E
SaaS --> E
Network --> E
E --> F[Parsing / OCSF / Enrichment]
F --> G[Cloud SIEM Analysis]
G --> H[OOTB + Custom Rules]
H --> I[Security Signals]
I --> J[Signals Explorer / Investigators]
I --> K[Notifications]
I --> L[Workflow Automation]
I --> M[Incidents / Cases / Reports]
Code language: CSS (css)
34. Best Practices for Datadog SIEM
34.1 Start with high-value logs
Do not onboard every log first. Start with:
CloudTrail
GCP Audit Logs
Azure Activity Logs
Identity provider logs
Kubernetes audit logs
GitHub/GitLab audit logs
Datadog Audit Trail
Endpoint authentication logs
34.2 Use Content Packs first
Content Packs give you faster time to value because they include prebuilt security content.
34.3 Normalize logs
Use OOTB pipelines and OCSF where possible.
34.4 Tune detections
Every production SIEM needs tuning.
Tune:
query
threshold
group-by
severity
suppression
message
owner
notification
runbook
34.5 Avoid over-suppression
Suppress only known-good activity. Do not suppress broad categories.
34.6 Create runbooks
Every high/critical rule should have:
What happened?
Why it matters
How to validate
How to contain
How to remediate
Who owns it
How to close
34.7 Measure SIEM quality
Track:
Signal volume
False positive rate
Mean time to triage
Mean time to respond
Coverage by MITRE tactic
Top noisy rules
Top risky users
Top risky cloud accounts
Unparsed log volume
Logs not analyzed by Cloud SIEM
Code language: PHP (php)
34.8 Manage detections as code
Use Terraform, GitHub pull requests, peer reviews, and environment promotion.
34.9 Separate dev/test/prod
Use tags:
env:prod
env:stage
team:security
source:cloudtrail
cloud_provider:aws
Code language: CSS (css)
34.10 Validate continuously
Use:
Threat emulation
Historical jobs
Tabletop exercises
Purple team tests
Synthetic attack logs
35. Common Mistakes
| Mistake | Impact |
|---|---|
| Ingesting too many logs without strategy | Cost and noise |
| Not enabling cloud audit logs fully | Blind spots |
| No identity logs | Cannot detect account compromise |
| No Kubernetes audit logs | Cannot detect cluster abuse |
| Ignoring log parsing | Rules do not work correctly |
| No OCSF/normalization | Harder correlation |
| Too many critical alerts | Alert fatigue |
| No suppressions | False positives |
| Too many suppressions | Missed attacks |
| No runbooks | Slow response |
| No owner/team mapping | Nobody acts |
| No detection-as-code | Rule drift |
| No testing | Rules may not work |
| No ingestion monitoring | Silent SIEM failure |
| No cost controls | Unexpected bills |
36. Datadog SIEM Troubleshooting
Problem: No security signals
Check:
Are logs arriving?
Are logs parsed?
Are logs tagged datadog.cloud_siem:true?
Are Content Packs enabled?
Are OOTB rules enabled?
Does the activity actually match a rule?
Are suppressions hiding signals?
Is the time window correct?
Do you have permission to view signals?
Code language: JavaScript (javascript)
Problem: Logs visible but not analyzed
Search:
datadog.cloud_siem:false
Code language: CSS (css)
Fix:
Enable relevant Content Pack
Adjust Security Filter
Check index filter if using Cloud SIEM Standalone
Datadog notes that Security Filters or log index filters control which logs Cloud SIEM analyzes, depending on the Cloud SIEM product type. (Datadog)
Problem: Too many noisy signals
Fix:
Add precise suppressions
Tune thresholds
Group by user/IP/resource
Reduce low-value rules
Lower severity for expected activity
Add maintenance exclusions
Create separate rule for prod only
Problem: Rule does not trigger
Check:
Does the query return logs in Log Explorer?
Are fields parsed as expected?
Is the time window correct?
Is the group-by correct?
Is rule enabled?
Is source log selected for SIEM analysis?
Is a suppression hiding it?
Code language: JavaScript (javascript)
Problem: Wrong severity
Review:
Business impact
Asset criticality
Environment
User privilege
Data sensitivity
Attack stage
Repeat behavior
37. SIEM Governance Model
A mature Datadog SIEM implementation should define:
| Area | Owner |
|---|---|
| Cloud log onboarding | Cloud platform team |
| SIEM detection rules | Security engineering |
| Kubernetes audit logs | Platform/SRE |
| Identity logs | IAM team |
| GitHub logs | DevSecOps |
| Log pipelines | Observability/platform team |
| Incident response | SOC/security operations |
| Terraform modules | DevOps/platform |
| Access control | Security + IAM |
| Cost monitoring | FinOps + platform |
38. Access Control and Data Security
Security logs can contain sensitive data.
Control:
Who can view security signals?
Who can edit detection rules?
Who can create suppressions?
Who can view sensitive logs?
Who can manage API/app keys?
Who can trigger workflows?
Who can export logs?
Code language: JavaScript (javascript)
Datadog notes that modifying security signals requires Security Signals Write permission. (Datadog)
Use:
RBAC
Teams
Scoped application keys
Service accounts
Sensitive Data Scanner
Log index access controls
Audit Trail
39. Cost Management for Cloud SIEM
SIEM cost can grow quickly if unmanaged.
Control these:
| Area | Cost Risk | Control |
|---|---|---|
| Log ingestion | Too many logs | Source filtering |
| SIEM analyzed logs | Every log analyzed | Security Filters / Content Packs |
| Indexed logs | High retention/search volume | Index strategy |
| Custom metrics from logs | Too many generated metrics | Strict metric creation |
| Archives | Long retention | Lifecycle policies |
| Synthetics/RUM correlation | Extra telemetry | Sampling |
| Debug logs | Huge volume | Disable debug after testing |
Use:
Content Pack scoping
Security Filters
Log exclusion filters
Archive for compliance
Index only useful logs
Monitor ingestion volume
Review top sources monthly
40. Advanced Topic: Security Filters vs Detection Rules
This is very important.
| Layer | Purpose |
|---|---|
| Security Filter | Decides which logs Cloud SIEM analyzes |
| Detection Rule | Decides which analyzed logs create signals |
| Suppression | Decides which matching signals should not be generated |
| Notification Rule | Decides who gets notified |
Example:
Security Filter:
Analyze source:cloudtrail
Detection Rule:
Detect @eventName:StopLogging
Suppression:
Ignore known automation role
Notification:
Send Critical cloud alerts to security-oncall
41. Advanced Topic: Real-Time vs Scheduled vs Historical
| Type | Use Case |
|---|---|
| Real-Time Rule | Immediate threat detection |
| Scheduled Rule | Periodic deeper analysis |
| Historical Job | Backtesting and retrospective hunting |
Use real-time rules for:
CloudTrail disabled
Admin role attached
GitHub owner added
Kubernetes secret read
Windows audit log cleared
Use scheduled rules for:
Daily review of unusual admin activity
Weekly service account access review
Periodic data access analysis
Use historical jobs for:
Testing new detection rule
Incident retrospective
Threat hunting against past logs
Code language: JavaScript (javascript)
42. Advanced Topic: Threat Hunting Queries
AWS suspicious user-agent
source:cloudtrail @userAgent:(*kali* OR *nmap* OR *scoutsuite* OR *stratus-red-team*)
AWS IAM changes
source:cloudtrail @eventSource:iam.amazonaws.com
CloudTrail stopped
source:cloudtrail @eventName:(StopLogging OR DeleteTrail OR UpdateTrail)
S3 public access changes
source:cloudtrail @eventName:(PutBucketPolicy OR PutBucketAcl OR PutPublicAccessBlock)
Kubernetes exec
source:kubernetes.audit @objectRef.subresource:exec
Kubernetes secret access
source:kubernetes.audit @objectRef.resource:secrets
GitHub repo public
source:github @action:repo.change_visibility
Windows failed logons
source:windows @evt.id:4625
Windows privileged logon
source:windows @evt.id:4672
NGINX suspicious attack strings
source:nginx ("union select" OR "information_schema" OR "../" OR "cmd.exe" OR "/etc/passwd")
Code language: JavaScript (javascript)
43. World-Class SIEM Operating Model
Daily
Review critical/high signals
Check signal queue health
Review top noisy rules
Check ingestion failures
Review new risky entities
Code language: JavaScript (javascript)
Weekly
Tune noisy rules
Review suppressions
Review new Datadog OOTB rules
Review MITRE coverage
Check onboarding gaps
Code language: JavaScript (javascript)
Monthly
Threat detection review
False positive analysis
SIEM cost review
Access control review
Run purple team test
Update runbooks
Code language: PHP (php)
Quarterly
Detection coverage assessment
Cloud account onboarding audit
Kubernetes security review
Identity provider review
Incident response tabletop
Compliance evidence export
Code language: JavaScript (javascript)
44. Complete Implementation Checklist
Foundation
Cloud SIEM enabled
Log Management enabled
API/app keys secured
RBAC configured
Security team access configured
Teams and ownership configured
Ingestion
AWS CloudTrail onboarded
GCP Audit Logs onboarded
Azure Activity Logs onboarded
Kubernetes audit logs onboarded
Datadog Audit Trail onboarded
Identity provider logs onboarded
GitHub/GitLab logs onboarded
Linux/Windows logs onboarded
Network/WAF logs onboarded
Processing
Logs parsed
Status remapped correctly
Service/source/env tags standardized
OCSF normalization verified
Sensitive data scanning configured
Unparsed logs monitored
SIEM Analysis
Content Packs enabled
Security Filters validated
OOTB rules enabled
Custom rules created
Suppressions configured
Historical jobs used for backtesting
MITRE mapping reviewed
Response
Signals routed
Notification rules configured
Runbooks attached
Workflow automation configured
Incident process defined
Escalation paths tested
Governance
Terraform/IaC implemented
Pull request review process established
Rule owners assigned
Quarterly rule review scheduled
Cost monitoring enabled
Audit Trail monitored
45. Final Recommended Learning Path
Follow this order:
1. Learn SIEM concepts
2. Learn Datadog logs and pipelines
3. Enable Cloud SIEM
4. Enable AWS CloudTrail Content Pack
5. Generate AWS test signals with Datadog threat emulation repo
6. Learn Signals Explorer
7. Write simple custom rules
8. Add suppressions
9. Add identity provider logs
10. Add Kubernetes audit logs
11. Add GitHub audit logs
12. Learn OCSF normalization
13. Manage rules with Terraform
14. Convert Sigma rules
15. Build SOAR workflows
16. Measure coverage and false positives
17. Run purple-team validation
Code language: JavaScript (javascript)
46. Final Architecture Recommendation for Real Companies
For a production organization, I would implement Datadog Cloud SIEM like this:
| Stage | Recommendation |
|---|---|
| Phase 1 | AWS/GCP/Azure audit logs + identity logs + Datadog Audit Trail |
| Phase 2 | Kubernetes audit logs + GitHub/GitLab + Linux/Windows auth logs |
| Phase 3 | WAF, DNS, firewall, proxy, EDR/security tools |
| Phase 4 | Custom detections, Terraform, Sigma conversion |
| Phase 5 | SOAR workflows, risk scoring, MITRE coverage, purple-team validation |
Minimum production baseline:
CloudTrail / GCP Audit / Azure Activity
Identity provider logs
Kubernetes audit logs
GitHub/GitLab logs
Datadog Audit Trail
Critical app/WAF logs
OOTB Content Packs
10-20 custom high-value rules
Signal routing
Runbooks
Suppression review
Cost monitoring
Detection-as-code
Code language: JavaScript (javascript)
The โworld-classโ version is not just turning on Cloud SIEM. It is building a security operating system around it: high-quality telemetry, normalized fields, strong detections, signal triage, automated enrichment, response workflows, ownership, IaC, testing, and continuous tuning.
Iโm a DevOps/SRE/DevSecOps/Cloud Expert passionate about sharing knowledge and experiences. I have worked at Cotocus. I share tech blog at DevOps School, travel stories at Holiday Landmark, stock market tips at Stocks Mantra, health and fitness guidance at My Medic Plus, product reviews at TrueReviewNow , and SEO strategies at Wizbrand.
Do you want to learn Quantum Computing?
Please find my social handles as below;
Rajesh Kumar Personal Website
Rajesh Kumar at YOUTUBE
Rajesh Kumar at INSTAGRAM
Rajesh Kumar at X
Rajesh Kumar at FACEBOOK
Rajesh Kumar at LINKEDIN
Rajesh Kumar at WIZBRAND
Find Trusted Cardiac Hospitals
Compare heart hospitals by city and services โ all in one place.
Explore Hospitals
A topic that deserves more attention is the day-to-day management of Datadog SIEM in large-scale environments. Bringing together logs, cloud events, and Kubernetes telemetry can significantly improve investigation workflows, but without proper ingestion controls and retention policies, storage and licensing costs may grow rapidly. It would also be useful to explore detection engineering practices, such as reducing false positives, periodically reviewing detection rules, and validating alert effectiveness through security testing exercises. These activities help ensure that the SIEM continues to deliver meaningful insights and supports an efficient incident response process as infrastructure and threat landscapes evolve.
Datadog SIEM explained very well. Thanks for the hard work made it simple to understand.
Cloud SIEM is part of the Datadog Cloud Security Platform, which protects an organization’s production environment with a full-stack offering that provides threat detection, posture management, workload security, and application security. Thanks for sharing
Clear Explanation Thanks for these.