{"id":28219,"date":"2026-06-23T04:07:23","date_gmt":"2026-06-23T04:07:23","guid":{"rendered":"https:\/\/www.devopsschool.com\/blog\/?p=28219"},"modified":"2026-06-23T04:07:26","modified_gmt":"2026-06-23T04:07:26","slug":"introduction-of-datadog-siem","status":"publish","type":"post","link":"https:\/\/www.devopsschool.com\/blog\/introduction-of-datadog-siem\/","title":{"rendered":"Datadog Cloud SIEM: Complete End-to-End Master Guide"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">Current as of <strong>June 2026<\/strong>.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Datadog Cloud SIEM is Datadog\u2019s security information and event management product for collecting security telemetry, analyzing logs and events with detection rules, generating security signals, investigating suspicious activity, and automating response. Datadog describes Cloud SIEM as a security data analysis and correlation system that ingests telemetry from cloud and on-prem systems using the Datadog Agent and API-based integrations. (<a href=\"https:\/\/docs.datadoghq.com\/security\/cloud_siem\/?utm_source=chatgpt.com\">Datadog<\/a>)<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">This guide is written as a <strong>full practical tutorial<\/strong>: concept, architecture, features, use cases, onboarding, detection engineering, investigation, SOAR, Terraform, GitHub sample projects, and advanced implementation patterns.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">1. What Is SIEM?<\/h1>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>SIEM<\/strong> means <strong>Security Information and Event Management<\/strong>.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">A SIEM collects security-relevant data from many systems, normalizes it, analyzes it, detects threats, generates alerts, and helps security teams investigate and respond.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Traditional SIEM examples include Splunk Enterprise Security, IBM QRadar, Microsoft Sentinel, Elastic Security, and ArcSight.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Datadog Cloud SIEM is different because it is built directly on top of Datadog\u2019s observability platform. That means security teams can investigate threats using logs, infrastructure metrics, Kubernetes data, cloud telemetry, application traces, user activity, service ownership, dashboards, and automation in one place.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">2. Why Datadog Cloud SIEM?<\/h1>\n\n\n\n<p class=\"wp-block-paragraph\">Datadog Cloud SIEM is especially useful for modern environments where applications run across:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Area<\/th><th>Examples<\/th><\/tr><\/thead><tbody><tr><td>Cloud<\/td><td>AWS, Azure, GCP, OCI<\/td><\/tr><tr><td>Kubernetes<\/td><td>EKS, GKE, AKS, self-managed Kubernetes<\/td><\/tr><tr><td>Applications<\/td><td>APIs, microservices, backend services<\/td><\/tr><tr><td>Identity<\/td><td>Okta, Auth0, Google Workspace, Azure AD, Duo<\/td><\/tr><tr><td>Developer tools<\/td><td>GitHub, GitLab, Terraform Cloud, Confluent Cloud<\/td><\/tr><tr><td>Endpoints<\/td><td>Windows, Linux, macOS, EDR tools<\/td><\/tr><tr><td>Network<\/td><td>Firewalls, DNS, proxy, WAF, VPN<\/td><\/tr><tr><td>SaaS<\/td><td>Slack, Zoom, Salesforce, Zendesk<\/td><\/tr><tr><td>Security tools<\/td><td>CrowdStrike, Wiz, SentinelOne, Palo Alto, Suricata, Zeek<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">The big advantage is correlation. A suspicious AWS IAM action can be investigated alongside Kubernetes events, application logs, service ownership, deployment history, dashboards, and incident workflows.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">3. Datadog Cloud SIEM Core Architecture<\/h1>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-1\" data-shcb-language-name=\"CSS\" data-shcb-language-slug=\"css\"><span><code class=\"hljs language-css\"><span class=\"hljs-selector-tag\">flowchart<\/span> <span class=\"hljs-selector-tag\">LR<\/span>\n    <span class=\"hljs-selector-tag\">A<\/span><span class=\"hljs-selector-attr\">&#91;Security Data Sources]<\/span> <span class=\"hljs-selector-tag\">--<\/span>&gt; <span class=\"hljs-selector-tag\">B<\/span><span class=\"hljs-selector-attr\">&#91;Collection Layer]<\/span>\n    <span class=\"hljs-selector-tag\">B<\/span> <span class=\"hljs-selector-tag\">--<\/span>&gt; <span class=\"hljs-selector-tag\">C<\/span><span class=\"hljs-selector-attr\">&#91;Datadog Log Intake]<\/span>\n    <span class=\"hljs-selector-tag\">C<\/span> <span class=\"hljs-selector-tag\">--<\/span>&gt; <span class=\"hljs-selector-tag\">D<\/span><span class=\"hljs-selector-attr\">&#91;Log Pipelines \/ Parsing \/ Enrichment]<\/span>\n    <span class=\"hljs-selector-tag\">D<\/span> <span class=\"hljs-selector-tag\">--<\/span>&gt; <span class=\"hljs-selector-tag\">E<\/span><span class=\"hljs-selector-attr\">&#91;Cloud SIEM Analysis]<\/span>\n    <span class=\"hljs-selector-tag\">E<\/span> <span class=\"hljs-selector-tag\">--<\/span>&gt; <span class=\"hljs-selector-tag\">F<\/span><span class=\"hljs-selector-attr\">&#91;Detection Rules]<\/span>\n    <span class=\"hljs-selector-tag\">F<\/span> <span class=\"hljs-selector-tag\">--<\/span>&gt; <span class=\"hljs-selector-tag\">G<\/span><span class=\"hljs-selector-attr\">&#91;Security Signals]<\/span>\n    <span class=\"hljs-selector-tag\">G<\/span> <span class=\"hljs-selector-tag\">--<\/span>&gt; <span class=\"hljs-selector-tag\">H<\/span><span class=\"hljs-selector-attr\">&#91;Investigation \/ Triage]<\/span>\n    <span class=\"hljs-selector-tag\">H<\/span> <span class=\"hljs-selector-tag\">--<\/span>&gt; <span class=\"hljs-selector-tag\">I<\/span><span class=\"hljs-selector-attr\">&#91;Notification \/ Incident \/ SOAR]<\/span>\n    <span class=\"hljs-selector-tag\">I<\/span> <span class=\"hljs-selector-tag\">--<\/span>&gt; <span class=\"hljs-selector-tag\">J<\/span><span class=\"hljs-selector-attr\">&#91;Remediation \/ Reporting]<\/span>\n\n    <span class=\"hljs-selector-tag\">A1<\/span><span class=\"hljs-selector-attr\">&#91;AWS CloudTrail]<\/span> <span class=\"hljs-selector-tag\">--<\/span>&gt; <span class=\"hljs-selector-tag\">B<\/span>\n    <span class=\"hljs-selector-tag\">A2<\/span><span class=\"hljs-selector-attr\">&#91;GCP Audit Logs]<\/span> <span class=\"hljs-selector-tag\">--<\/span>&gt; <span class=\"hljs-selector-tag\">B<\/span>\n    <span class=\"hljs-selector-tag\">A3<\/span><span class=\"hljs-selector-attr\">&#91;Azure Platform Logs]<\/span> <span class=\"hljs-selector-tag\">--<\/span>&gt; <span class=\"hljs-selector-tag\">B<\/span>\n    <span class=\"hljs-selector-tag\">A4<\/span><span class=\"hljs-selector-attr\">&#91;Kubernetes Audit Logs]<\/span> <span class=\"hljs-selector-tag\">--<\/span>&gt; <span class=\"hljs-selector-tag\">B<\/span>\n    <span class=\"hljs-selector-tag\">A5<\/span><span class=\"hljs-selector-attr\">&#91;Linux \/ Windows Logs]<\/span> <span class=\"hljs-selector-tag\">--<\/span>&gt; <span class=\"hljs-selector-tag\">B<\/span>\n    <span class=\"hljs-selector-tag\">A6<\/span><span class=\"hljs-selector-attr\">&#91;GitHub \/ Okta \/ SaaS Logs]<\/span> <span class=\"hljs-selector-tag\">--<\/span>&gt; <span class=\"hljs-selector-tag\">B<\/span>\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-1\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">CSS<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">css<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Datadog Cloud SIEM continuously analyzes incoming data to detect threats, generate actionable security signals, and correlate them across sources. (<a href=\"https:\/\/docs.datadoghq.com\/security\/cloud_siem\/?utm_source=chatgpt.com\">Datadog<\/a>)<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">4. Important Datadog SIEM Terms<\/h1>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Term<\/th><th>Meaning<\/th><\/tr><\/thead><tbody><tr><td>Log<\/td><td>Raw event collected from cloud, application, OS, identity, SaaS, or network source<\/td><\/tr><tr><td>Pipeline<\/td><td>Datadog processing logic used to parse, remap, enrich, and normalize logs<\/td><\/tr><tr><td>Facet<\/td><td>Indexed\/searchable field used for filtering and grouping<\/td><\/tr><tr><td>Content Pack<\/td><td>Datadog-provided onboarding package for a security data source<\/td><\/tr><tr><td>Detection Rule<\/td><td>Logic that analyzes logs\/events and detects suspicious activity<\/td><\/tr><tr><td>OOTB Rule<\/td><td>Out-of-the-box rule created by Datadog<\/td><\/tr><tr><td>Custom Rule<\/td><td>Rule created by your team<\/td><\/tr><tr><td>Security Signal<\/td><td>Alert-like object generated when a detection rule matches<\/td><\/tr><tr><td>Suppression<\/td><td>Logic to prevent noisy or expected activity from generating signals<\/td><\/tr><tr><td>Investigator<\/td><td>Graphical investigation experience for supported sources<\/td><\/tr><tr><td>Notification Rule<\/td><td>Routing rule for sending security signals to people or teams<\/td><\/tr><tr><td>SOAR<\/td><td>Security orchestration, automation, and response<\/td><\/tr><tr><td>OCSF<\/td><td>Open Cybersecurity Schema Framework used for normalized security data<\/td><\/tr><tr><td>Security Filter<\/td><td>Configuration controlling which logs Cloud SIEM analyzes<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">5. Main Features of Datadog Cloud SIEM<\/h1>\n\n\n\n<h2 class=\"wp-block-heading\">5.1 Content Packs<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Cloud SIEM Content Packs are curated security onboarding packages. Depending on the integration, a Content Pack can include detection rules, dashboards, parsers, investigators, workflow automation, and configuration guides. (<a href=\"https:\/\/docs.datadoghq.com\/security\/cloud_siem\/ingest_and_enrich\/content_packs\/?utm_source=chatgpt.com\">Datadog<\/a>)<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">This is now one of the most important Datadog SIEM concepts. Instead of manually building everything from zero, you enable a Content Pack for AWS CloudTrail, GCP Audit Logs, GitHub, Okta, Kubernetes Audit Logs, Windows Event Logs, and many other sources.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Examples of Content Pack categories include:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Category<\/th><th>Examples<\/th><\/tr><\/thead><tbody><tr><td>Authentication<\/td><td>Okta, Auth0, Duo, Keycloak, Google Workspace<\/td><\/tr><tr><td>Cloud Audit<\/td><td>AWS CloudTrail, Azure Security, GCP Audit Logs, Kubernetes Audit Logs<\/td><\/tr><tr><td>Developer Tools<\/td><td>GitHub, GitLab, Terraform Cloud, Confluent Cloud<\/td><\/tr><tr><td>Endpoint<\/td><td>Windows Event Logs, Microsoft Sysmon, Jamf, SentinelOne, CrowdStrike<\/td><\/tr><tr><td>Network<\/td><td>Cisco ASA, Fortinet, Palo Alto, Suricata, Zeek, Cloudflare<\/td><\/tr><tr><td>Web Security<\/td><td>NGINX, Apache, Fastly, App and API Protection<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">5.2 Detection Rules<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Detection rules are the brain of SIEM. They define suspicious behavior.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Datadog provides OOTB detection rules to flag attacker techniques and misconfigurations, and Datadog\u2019s Security Research team continuously adds new default rules. (<a href=\"https:\/\/docs.datadoghq.com\/security\/default_rules\/?utm_source=chatgpt.com\">Datadog<\/a>)<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Detection examples:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Rule Type<\/th><th>Example<\/th><\/tr><\/thead><tbody><tr><td>Cloud identity<\/td><td>AWS IAM user created access key<\/td><\/tr><tr><td>Privilege escalation<\/td><td>Admin role attached to user<\/td><\/tr><tr><td>Data exfiltration<\/td><td>BigQuery export to external bucket<\/td><\/tr><tr><td>Defense evasion<\/td><td>CloudTrail disabled<\/td><\/tr><tr><td>Credential access<\/td><td>Secret parameter accessed unexpectedly<\/td><\/tr><tr><td>Kubernetes<\/td><td>Suspicious exec into pod<\/td><\/tr><tr><td>Network<\/td><td>Connection to threat-intel-listed IP<\/td><\/tr><tr><td>Developer tool<\/td><td>GitHub secret exposed or repo visibility changed<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">5.3 Security Signals<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">A security signal is generated when Datadog detects a threat by analyzing logs against detection rules. Signals can be viewed, searched, filtered, assigned, and correlated in Signals Explorer. (<a href=\"https:\/\/docs.datadoghq.com\/security\/cloud_siem\/triage_and_investigate\/investigate_security_signals\/?utm_source=chatgpt.com\">Datadog<\/a>)<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">A signal usually contains:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Signal Field<\/th><th>Meaning<\/th><\/tr><\/thead><tbody><tr><td>Rule name<\/td><td>Detection that generated the signal<\/td><\/tr><tr><td>Severity<\/td><td>Info, Low, Medium, High, Critical<\/td><\/tr><tr><td>Source<\/td><td>CloudTrail, Okta, GitHub, Kubernetes, etc.<\/td><\/tr><tr><td>Triggering logs<\/td><td>Events that matched the rule<\/td><\/tr><tr><td>User\/resource<\/td><td>Identity, account, host, pod, service, IP<\/td><\/tr><tr><td>MITRE ATT&amp;CK mapping<\/td><td>Tactic\/technique where available<\/td><\/tr><tr><td>Triage state<\/td><td>Open, under review, archived, etc.<\/td><\/tr><tr><td>Timeline<\/td><td>Events and updates around the signal<\/td><\/tr><tr><td>Suggested response<\/td><td>Investigation\/remediation guidance<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">5.4 Custom Detection Rules<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">OOTB rules cover many common cases, but custom rules are required for company-specific risks. Datadog supports custom rules for specific use cases, services, accounts, or events. (<a href=\"https:\/\/docs.datadoghq.com\/security\/cloud_siem\/detect_and_monitor\/custom_detection_rules\/?utm_source=chatgpt.com\">Datadog<\/a>)<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Datadog custom detection methods include:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Detection Method<\/th><th>Meaning<\/th><th>Example<\/th><\/tr><\/thead><tbody><tr><td>Threshold<\/td><td>Trigger when event count exceeds threshold<\/td><td>More than 10 failed logins in 5 minutes<\/td><\/tr><tr><td>New Value<\/td><td>Trigger when unseen value appears<\/td><td>User logs in from new country<\/td><\/tr><tr><td>Anomaly<\/td><td>Trigger when behavior deviates from baseline<\/td><td>Unusual API call volume<\/td><\/tr><tr><td>Content Anomaly<\/td><td>Detect unusual content patterns<\/td><td>Rare command or rare user-agent<\/td><\/tr><tr><td>Impossible Travel<\/td><td>Detect impossible user movement<\/td><td>Login from Japan and Germany within minutes<\/td><\/tr><tr><td>Third Party Signal Correlation<\/td><td>Correlate external security signals<\/td><td>EDR alert + cloud activity<\/td><\/tr><tr><td>Sequence<\/td><td>Detect ordered chain of events<\/td><td>Login failure \u2192 success \u2192 privilege escalation<\/td><\/tr><tr><td>Scheduled Rule<\/td><td>Run periodic deeper analysis<\/td><td>Daily privileged access review<\/td><\/tr><tr><td>Historical Job<\/td><td>Backtest detection against historical logs<\/td><td>Check if new rule would have fired last month<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Real-time detection rules continuously monitor incoming logs and trigger immediate alerts when matching patterns or anomalies are detected. (<a href=\"https:\/\/docs.datadoghq.com\/security\/cloud_siem\/detect_and_monitor\/custom_detection_rules\/create_rule\/real_time_rule.md?utm_source=chatgpt.com\">Datadog<\/a>) Scheduled detection rules run at intervals to analyze indexed log data using a defined time window. (<a href=\"https:\/\/docs.datadoghq.com\/security\/cloud_siem\/detect_and_monitor\/custom_detection_rules\/create_rule\/scheduled_rule.md?utm_source=chatgpt.com\">Datadog<\/a>) Historical jobs are one-time queries against historical logs used to backtest detections and convert interesting results into signals. (<a href=\"https:\/\/docs.datadoghq.com\/security\/cloud_siem\/detect_and_monitor\/custom_detection_rules\/create_rule\/historical_job.md?utm_source=chatgpt.com\">Datadog<\/a>)<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">5.5 Suppressions<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Suppressions prevent signals from being generated under specific conditions. This is critical for reducing false positives.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Datadog supports suppression rules across multiple detection rules. For example, suppress signals containing a specific trusted IP, service account, scanner, or maintenance window pattern. (<a href=\"https:\/\/docs.datadoghq.com\/security\/cloud_siem\/detect_and_monitor\/suppressions.md?utm_source=chatgpt.com\">Datadog<\/a>)<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Use suppressions for:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Scenario<\/th><th>Example<\/th><\/tr><\/thead><tbody><tr><td>Known scanner<\/td><td>Suppress vulnerability scanner traffic<\/td><\/tr><tr><td>Trusted automation<\/td><td>Suppress Terraform role changes from CI<\/td><\/tr><tr><td>Break-glass test<\/td><td>Suppress controlled security drill<\/td><\/tr><tr><td>Internal NAT IP<\/td><td>Suppress known corporate egress IP<\/td><\/tr><tr><td>Test account<\/td><td>Suppress lab-only user activity<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Important: prefer precise suppressions. Do not suppress broad rules like <code>env:prod<\/code> or <code>source:cloudtrail<\/code>, because that can hide real attacks.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">5.6 OCSF Normalization<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Datadog Cloud SIEM supports the <strong>Open Cybersecurity Schema Framework<\/strong>, or OCSF. Datadog says OCSF support is integrated directly into Cloud SIEM so incoming security logs are standardized and enriched with OCSF-compliant attributes through out-of-the-box pipelines. (<a href=\"https:\/\/docs.datadoghq.com\/security\/cloud_siem\/ingest_and_enrich\/open_cybersecurity_schema_framework\/?utm_source=chatgpt.com\">Datadog<\/a>)<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Why this matters:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Without OCSF<\/th><th>With OCSF<\/th><\/tr><\/thead><tbody><tr><td>Each vendor has different field names<\/td><td>Common normalized schema<\/td><\/tr><tr><td>Hard to write portable rules<\/td><td>Easier detection logic<\/td><\/tr><tr><td>Investigation requires vendor-specific knowledge<\/td><td>Standardized user, IP, action, resource fields<\/td><\/tr><tr><td>Cross-source correlation is difficult<\/td><td>Better correlation across cloud, identity, endpoint, network<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Datadog also provides an OCSF processor for custom mappings inside Log Management pipelines. (<a href=\"https:\/\/docs.datadoghq.com\/security\/cloud_siem\/ingest_and_enrich\/open_cybersecurity_schema_framework\/ocsf_processor\/?utm_source=chatgpt.com\">Datadog<\/a>)<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">5.7 Security Filters<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Cloud SIEM does not always need to analyze every log. Security Filters control which ingested logs are analyzed by Cloud SIEM.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Datadog currently documents different filtering approaches depending on the Cloud SIEM product type. For most Content Pack use cases, enabling or disabling Content Packs is the easiest way to manage which logs Cloud SIEM analyzes. For more granular control, teams can configure filters directly. (<a href=\"https:\/\/docs.datadoghq.com\/security\/cloud_siem\/guide\/customize-which-logs-cloud-siem-analyzes\/?utm_source=chatgpt.com\">Datadog<\/a>)<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Important detail: Datadog tags ingested logs with <code>datadog.cloud_siem:true<\/code> or <code>datadog.cloud_siem:false<\/code> depending on whether Cloud SIEM selected the log for analysis. (<a href=\"https:\/\/docs.datadoghq.com\/security\/cloud_siem\/guide\/customize-which-logs-cloud-siem-analyzes.md?utm_source=chatgpt.com\">Datadog<\/a>)<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Use this query in Logs Explorer:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-2\" data-shcb-language-name=\"CSS\" data-shcb-language-slug=\"css\"><span><code class=\"hljs language-css\"><span class=\"hljs-selector-tag\">datadog<\/span><span class=\"hljs-selector-class\">.cloud_siem<\/span><span class=\"hljs-selector-pseudo\">:true<\/span>\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-2\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">CSS<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">css<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p class=\"wp-block-paragraph\">To check logs not analyzed:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-3\" data-shcb-language-name=\"CSS\" data-shcb-language-slug=\"css\"><span><code class=\"hljs language-css\"><span class=\"hljs-selector-tag\">datadog<\/span><span class=\"hljs-selector-class\">.cloud_siem<\/span><span class=\"hljs-selector-pseudo\">:false<\/span>\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-3\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">CSS<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">css<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">6. Datadog Cloud SIEM Use Cases<\/h1>\n\n\n\n<h2 class=\"wp-block-heading\">6.1 Cloud Threat Detection<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Detect suspicious cloud activity:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Cloud Threat<\/th><th>Example<\/th><\/tr><\/thead><tbody><tr><td>IAM abuse<\/td><td>New access key created<\/td><\/tr><tr><td>Privilege escalation<\/td><td>Admin policy attached<\/td><\/tr><tr><td>Defense evasion<\/td><td>CloudTrail disabled<\/td><\/tr><tr><td>Persistence<\/td><td>New user created<\/td><\/tr><tr><td>Data exfiltration<\/td><td>S3 bucket data accessed unexpectedly<\/td><\/tr><tr><td>Reconnaissance<\/td><td>ScoutSuite or unusual API enumeration<\/td><\/tr><tr><td>Insecure config change<\/td><td>Security group opened to world<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">6.2 Kubernetes Security Monitoring<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Detect Kubernetes threats:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Kubernetes Threat<\/th><th>Example<\/th><\/tr><\/thead><tbody><tr><td>Suspicious exec<\/td><td><code>kubectl exec<\/code> into sensitive pod<\/td><\/tr><tr><td>Privilege escalation<\/td><td>Privileged pod created<\/td><\/tr><tr><td>Secret access<\/td><td>Kubernetes Secret read by unusual identity<\/td><\/tr><tr><td>Admission bypass<\/td><td>Risky admission controller change<\/td><\/tr><tr><td>Lateral movement<\/td><td>Service account token used unexpectedly<\/td><\/tr><tr><td>Namespace abuse<\/td><td>New cluster role binding created<\/td><\/tr><tr><td>Container escape indicators<\/td><td>Runtime events from workload protection<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">6.3 Identity and Access Monitoring<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Detect identity risks:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Identity Source<\/th><th>Use Case<\/th><\/tr><\/thead><tbody><tr><td>Okta\/Auth0<\/td><td>MFA disabled, impossible travel, admin role change<\/td><\/tr><tr><td>Google Workspace<\/td><td>Suspicious login, new OAuth app<\/td><\/tr><tr><td>Azure AD<\/td><td>Privileged role assignment<\/td><\/tr><tr><td>Duo<\/td><td>MFA bypass or unusual authentication<\/td><\/tr><tr><td>GitHub<\/td><td>Org owner added, secret pushed, repo visibility changed<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">6.4 Developer Tool Security<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Modern attacks often target CI\/CD and developer tools.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Monitor:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Tool<\/th><th>Use Case<\/th><\/tr><\/thead><tbody><tr><td>GitHub<\/td><td>Repo visibility changes, deploy key added, secret scanning alert<\/td><\/tr><tr><td>GitLab<\/td><td>Runner token abuse, admin change<\/td><\/tr><tr><td>Terraform Cloud<\/td><td>Workspace variable changed, run triggered by unknown user<\/td><\/tr><tr><td>Confluent Cloud<\/td><td>API key created, ACL changed<\/td><\/tr><tr><td>Jira\/Confluence<\/td><td>Admin permission or page access abuse<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">6.5 Endpoint and OS Security<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Monitor:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Source<\/th><th>Use Case<\/th><\/tr><\/thead><tbody><tr><td>Linux audit logs<\/td><td>Sudo, SSH, user creation, file changes<\/td><\/tr><tr><td>Windows Event Logs<\/td><td>Logon events, PowerShell, account changes<\/td><\/tr><tr><td>Sysmon<\/td><td>Process creation, network connection, suspicious parent-child process<\/td><\/tr><tr><td>EDR<\/td><td>Malware alerts, suspicious process, blocked threat<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">6.6 Network Security<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Monitor:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Source<\/th><th>Use Case<\/th><\/tr><\/thead><tbody><tr><td>DNS<\/td><td>Domain generation algorithm, suspicious lookup<\/td><\/tr><tr><td>Firewall<\/td><td>Denied traffic, risky country, threat IP<\/td><\/tr><tr><td>WAF<\/td><td>SQLi\/XSS attempts<\/td><\/tr><tr><td>VPN<\/td><td>Impossible travel, unusual country<\/td><\/tr><tr><td>Proxy<\/td><td>Malware download, blocked destination<\/td><\/tr><tr><td>Zeek\/Suricata<\/td><td>Network IDS events<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">7. End-to-End Implementation Roadmap<\/h1>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-4\" data-shcb-language-name=\"CSS\" data-shcb-language-slug=\"css\"><span><code class=\"hljs language-css\"><span class=\"hljs-selector-tag\">flowchart<\/span> <span class=\"hljs-selector-tag\">TD<\/span>\n    <span class=\"hljs-selector-tag\">A<\/span><span class=\"hljs-selector-attr\">&#91;Step 1: Define Security Goals]<\/span> <span class=\"hljs-selector-tag\">--<\/span>&gt; <span class=\"hljs-selector-tag\">B<\/span><span class=\"hljs-selector-attr\">&#91;Step 2: Identify Log Sources]<\/span>\n    <span class=\"hljs-selector-tag\">B<\/span> <span class=\"hljs-selector-tag\">--<\/span>&gt; <span class=\"hljs-selector-tag\">C<\/span><span class=\"hljs-selector-attr\">&#91;Step 3: Enable Datadog Cloud SIEM]<\/span>\n    <span class=\"hljs-selector-tag\">C<\/span> <span class=\"hljs-selector-tag\">--<\/span>&gt; <span class=\"hljs-selector-tag\">D<\/span><span class=\"hljs-selector-attr\">&#91;Step 4: Enable Content Packs]<\/span>\n    <span class=\"hljs-selector-tag\">D<\/span> <span class=\"hljs-selector-tag\">--<\/span>&gt; <span class=\"hljs-selector-tag\">E<\/span><span class=\"hljs-selector-attr\">&#91;Step 5: Ingest Logs]<\/span>\n    <span class=\"hljs-selector-tag\">E<\/span> <span class=\"hljs-selector-tag\">--<\/span>&gt; <span class=\"hljs-selector-tag\">F<\/span><span class=\"hljs-selector-attr\">&#91;Step 6: Parse and Normalize]<\/span>\n    <span class=\"hljs-selector-tag\">F<\/span> <span class=\"hljs-selector-tag\">--<\/span>&gt; <span class=\"hljs-selector-tag\">G<\/span><span class=\"hljs-selector-attr\">&#91;Step 7: Validate Security Filters]<\/span>\n    <span class=\"hljs-selector-tag\">G<\/span> <span class=\"hljs-selector-tag\">--<\/span>&gt; <span class=\"hljs-selector-tag\">H<\/span><span class=\"hljs-selector-attr\">&#91;Step 8: Enable OOTB Rules]<\/span>\n    <span class=\"hljs-selector-tag\">H<\/span> <span class=\"hljs-selector-tag\">--<\/span>&gt; <span class=\"hljs-selector-tag\">I<\/span><span class=\"hljs-selector-attr\">&#91;Step 9: Create Custom Rules]<\/span>\n    <span class=\"hljs-selector-tag\">I<\/span> <span class=\"hljs-selector-tag\">--<\/span>&gt; <span class=\"hljs-selector-tag\">J<\/span><span class=\"hljs-selector-attr\">&#91;Step 10: Triage Signals]<\/span>\n    <span class=\"hljs-selector-tag\">J<\/span> <span class=\"hljs-selector-tag\">--<\/span>&gt; <span class=\"hljs-selector-tag\">K<\/span><span class=\"hljs-selector-attr\">&#91;Step 11: Configure Notifications]<\/span>\n    <span class=\"hljs-selector-tag\">K<\/span> <span class=\"hljs-selector-tag\">--<\/span>&gt; <span class=\"hljs-selector-tag\">L<\/span><span class=\"hljs-selector-attr\">&#91;Step 12: Automate Response]<\/span>\n    <span class=\"hljs-selector-tag\">L<\/span> <span class=\"hljs-selector-tag\">--<\/span>&gt; <span class=\"hljs-selector-tag\">M<\/span><span class=\"hljs-selector-attr\">&#91;Step 13: Measure and Improve]<\/span>\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-4\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">CSS<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">css<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">8. Prerequisites<\/h1>\n\n\n\n<p class=\"wp-block-paragraph\">Before starting, prepare:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Requirement<\/th><th>Why Needed<\/th><\/tr><\/thead><tbody><tr><td>Datadog account<\/td><td>Cloud SIEM runs inside Datadog<\/td><\/tr><tr><td>Cloud SIEM enabled<\/td><td>Required for SIEM analysis<\/td><\/tr><tr><td>Log Management<\/td><td>SIEM uses logs as primary input<\/td><\/tr><tr><td>API key<\/td><td>For log ingestion<\/td><\/tr><tr><td>Application key<\/td><td>For API\/Terraform operations<\/td><\/tr><tr><td>Admin or Security permissions<\/td><td>Needed to configure SIEM<\/td><\/tr><tr><td>Cloud accounts<\/td><td>AWS\/Azure\/GCP logs<\/td><\/tr><tr><td>GitHub access<\/td><td>For lab projects<\/td><\/tr><tr><td>Terraform<\/td><td>Optional, for IaC<\/td><\/tr><tr><td>Datadog Agent<\/td><td>For host\/Kubernetes logs<\/td><\/tr><tr><td>Datadog Forwarder<\/td><td>For AWS log forwarding<\/td><\/tr><tr><td>Test environment<\/td><td>Never start threat emulation directly in production<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">9. Data Source Strategy<\/h1>\n\n\n\n<p class=\"wp-block-paragraph\">A world-class SIEM project should not ingest random logs blindly. Start with high-value security logs.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Phase 1: Must-have logs<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Priority<\/th><th>Source<\/th><th>Why<\/th><\/tr><\/thead><tbody><tr><td>P0<\/td><td>Cloud audit logs<\/td><td>Cloud attacks show up here first<\/td><\/tr><tr><td>P0<\/td><td>Identity provider logs<\/td><td>Identity is the new perimeter<\/td><\/tr><tr><td>P0<\/td><td>Kubernetes audit logs<\/td><td>Needed for container platform security<\/td><\/tr><tr><td>P0<\/td><td>Datadog Audit Trail<\/td><td>Monitor Datadog account changes<\/td><\/tr><tr><td>P1<\/td><td>GitHub\/GitLab logs<\/td><td>CI\/CD and code security<\/td><\/tr><tr><td>P1<\/td><td>Linux\/Windows auth logs<\/td><td>Host-level access monitoring<\/td><\/tr><tr><td>P1<\/td><td>Firewall\/DNS\/proxy logs<\/td><td>Network threat detection<\/td><\/tr><tr><td>P1<\/td><td>WAF\/AppSec logs<\/td><td>Application attack detection<\/td><\/tr><tr><td>P2<\/td><td>EDR\/security tool alerts<\/td><td>Correlation with cloud and app behavior<\/td><\/tr><tr><td>P2<\/td><td>SaaS audit logs<\/td><td>Collaboration\/data access monitoring<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">10. Datadog SIEM Data Flow by Source<\/h1>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Source<\/th><th>Collection Method<\/th><th>Datadog Component<\/th><\/tr><\/thead><tbody><tr><td>AWS CloudTrail<\/td><td>S3 + Datadog Forwarder Lambda \/ AWS integration<\/td><td>Cloud SIEM Content Pack<\/td><\/tr><tr><td>GCP Audit Logs<\/td><td>Pub\/Sub + Dataflow Datadog template<\/td><td>Cloud SIEM Content Pack<\/td><\/tr><tr><td>Azure Platform Logs<\/td><td>Azure Event Hub \/ Datadog integration<\/td><td>Cloud SIEM Content Pack<\/td><\/tr><tr><td>Kubernetes Audit Logs<\/td><td>Control plane audit log export<\/td><td>Cloud SIEM Content Pack<\/td><\/tr><tr><td>Linux logs<\/td><td>Datadog Agent log collection<\/td><td>Log pipelines + Cloud SIEM<\/td><\/tr><tr><td>Windows logs<\/td><td>Datadog Agent \/ Windows Event Logs<\/td><td>Log pipelines + Cloud SIEM<\/td><\/tr><tr><td>GitHub audit logs<\/td><td>GitHub integration<\/td><td>Content Pack<\/td><\/tr><tr><td>Okta\/Auth0<\/td><td>SaaS integration\/API<\/td><td>Content Pack<\/td><\/tr><tr><td>NGINX\/Apache<\/td><td>Agent log collection<\/td><td>Web security Content Pack<\/td><\/tr><tr><td>Network devices<\/td><td>Syslog \/ Agent \/ Observability Pipelines<\/td><td>Network Content Pack<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">11. Step-by-Step: Enable Cloud SIEM<\/h1>\n\n\n\n<h2 class=\"wp-block-heading\">Step 1: Enable Cloud SIEM<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">In Datadog:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">Security \u2192 Cloud SIEM\n<\/code><\/span><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Enable Cloud SIEM for your organization.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Step 2: Choose Content Packs<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Go to:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">Security \u2192 Cloud SIEM \u2192 Ingest and Enrich \u2192 Content Packs\n<\/code><\/span><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Start with:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">AWS CloudTrail\nDatadog Audit Trail\nKubernetes Audit Logs\nGitHub\nOkta\/Auth0\nWindows Event Logs\nLinux Audit Logs\nNGINX\/Apache\n<\/code><\/span><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Cloud SIEM Content Packs are the easiest way to send security data to Datadog because they are designed specifically for SIEM onboarding. (<a href=\"https:\/\/docs.datadoghq.com\/security\/cloud_siem\/ingest_and_enrich\/?utm_source=chatgpt.com\">Datadog<\/a>)<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Step 3: Validate Logs Are Ingested<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Go to Logs Explorer and search:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-5\" data-shcb-language-name=\"CSS\" data-shcb-language-slug=\"css\"><span><code class=\"hljs language-css\"><span class=\"hljs-selector-tag\">source<\/span><span class=\"hljs-selector-pseudo\">:cloudtrail<\/span>\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-5\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">CSS<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">css<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p class=\"wp-block-paragraph\">or:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-6\" data-shcb-language-name=\"CSS\" data-shcb-language-slug=\"css\"><span><code class=\"hljs language-css\"><span class=\"hljs-selector-tag\">source<\/span><span class=\"hljs-selector-pseudo\">:github<\/span>\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-6\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">CSS<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">css<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p class=\"wp-block-paragraph\">or:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-7\" data-shcb-language-name=\"CSS\" data-shcb-language-slug=\"css\"><span><code class=\"hljs language-css\"><span class=\"hljs-selector-tag\">source<\/span><span class=\"hljs-selector-pseudo\">:kubernetes.audit<\/span>\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-7\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">CSS<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">css<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<h2 class=\"wp-block-heading\">Step 4: Confirm Logs Are Analyzed by Cloud SIEM<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Search:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-8\" data-shcb-language-name=\"CSS\" data-shcb-language-slug=\"css\"><span><code class=\"hljs language-css\"><span class=\"hljs-selector-tag\">source<\/span><span class=\"hljs-selector-pseudo\">:cloudtrail<\/span> <span class=\"hljs-selector-tag\">datadog<\/span><span class=\"hljs-selector-class\">.cloud_siem<\/span><span class=\"hljs-selector-pseudo\">:true<\/span>\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-8\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">CSS<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">css<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p class=\"wp-block-paragraph\">If logs show:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-9\" data-shcb-language-name=\"CSS\" data-shcb-language-slug=\"css\"><span><code class=\"hljs language-css\"><span class=\"hljs-selector-tag\">datadog<\/span><span class=\"hljs-selector-class\">.cloud_siem<\/span><span class=\"hljs-selector-pseudo\">:false<\/span>\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-9\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">CSS<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">css<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p class=\"wp-block-paragraph\">then Cloud SIEM is ingesting the log into Datadog, but not analyzing it for SIEM.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Step 5: Check Detection Rules<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Go to:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">Security \u2192 Cloud SIEM \u2192 Detection Rules\n<\/code><\/span><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Confirm OOTB rules are enabled.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Cloud SIEM applies OOTB detection rules after Content Packs are enabled and configured. (<a href=\"https:\/\/docs.datadoghq.com\/security\/cloud_siem\/detect_and_monitor\/?utm_source=chatgpt.com\">Datadog<\/a>)<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">12. AWS CloudTrail SIEM Tutorial<\/h1>\n\n\n\n<p class=\"wp-block-paragraph\">AWS CloudTrail is one of the best first SIEM projects because it detects identity, cloud control-plane, and privilege escalation attacks.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Datadog\u2019s AWS Cloud SIEM guide explains that Cloud SIEM applies detection rules to processed logs and surfaces threats as Security Signals in Signals Explorer. (<a href=\"https:\/\/docs.datadoghq.com\/security\/cloud_siem\/guide\/aws-config-guide-for-cloud-siem\/?utm_source=chatgpt.com\">Datadog<\/a>)<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Architecture<\/h2>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-10\" data-shcb-language-name=\"CSS\" data-shcb-language-slug=\"css\"><span><code class=\"hljs language-css\"><span class=\"hljs-selector-tag\">flowchart<\/span> <span class=\"hljs-selector-tag\">LR<\/span>\n    <span class=\"hljs-selector-tag\">A<\/span><span class=\"hljs-selector-attr\">&#91;AWS CloudTrail]<\/span> <span class=\"hljs-selector-tag\">--<\/span>&gt; <span class=\"hljs-selector-tag\">B<\/span><span class=\"hljs-selector-attr\">&#91;S3 Bucket]<\/span>\n    <span class=\"hljs-selector-tag\">B<\/span> <span class=\"hljs-selector-tag\">--<\/span>&gt; <span class=\"hljs-selector-tag\">C<\/span><span class=\"hljs-selector-attr\">&#91;Datadog Forwarder Lambda]<\/span>\n    <span class=\"hljs-selector-tag\">C<\/span> <span class=\"hljs-selector-tag\">--<\/span>&gt; <span class=\"hljs-selector-tag\">D<\/span><span class=\"hljs-selector-attr\">&#91;Datadog Logs Intake]<\/span>\n    <span class=\"hljs-selector-tag\">D<\/span> <span class=\"hljs-selector-tag\">--<\/span>&gt; <span class=\"hljs-selector-tag\">E<\/span><span class=\"hljs-selector-attr\">&#91;Cloud SIEM AWS CloudTrail Content Pack]<\/span>\n    <span class=\"hljs-selector-tag\">E<\/span> <span class=\"hljs-selector-tag\">--<\/span>&gt; <span class=\"hljs-selector-tag\">F<\/span><span class=\"hljs-selector-attr\">&#91;Detection Rules]<\/span>\n    <span class=\"hljs-selector-tag\">F<\/span> <span class=\"hljs-selector-tag\">--<\/span>&gt; <span class=\"hljs-selector-tag\">G<\/span><span class=\"hljs-selector-attr\">&#91;Security Signals]<\/span>\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-10\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">CSS<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">css<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<h2 class=\"wp-block-heading\">Step-by-step<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Step 1: Enable CloudTrail<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">In AWS:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">CloudTrail \u2192 Trails \u2192 Create trail\n<\/code><\/span><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Recommended:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">Management events: Read + Write\nData events: S3, Lambda, important services\nMulti-region trail: Enabled\nLog file validation: Enabled\nSend to S3: Enabled\n<\/code><\/span><\/pre>\n\n\n<h3 class=\"wp-block-heading\">Step 2: Send CloudTrail logs to Datadog<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Common architecture:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">CloudTrail \u2192 S3 \u2192 Datadog Forwarder Lambda \u2192 Datadog\n<\/code><\/span><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Datadog\u2019s AWS SIEM setup notes that AWS service logs are collected with a Datadog Lambda function that triggers on S3 buckets and forwards logs to Datadog. (<a href=\"https:\/\/docs.datadoghq.com\/security\/cloud_siem\/guide\/setting-up-security-monitoring-for-aws.md?utm_source=chatgpt.com\">Datadog<\/a>)<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Step 3: Enable AWS CloudTrail Content Pack<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Enable:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">AWS CloudTrail Content Pack\n<\/code><\/span><\/pre>\n\n\n<p class=\"wp-block-paragraph\">It provides detection rules, dashboards, investigator workflows, and configuration guidance.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Step 4: Validate ingestion<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">In Logs Explorer:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-11\" data-shcb-language-name=\"CSS\" data-shcb-language-slug=\"css\"><span><code class=\"hljs language-css\"><span class=\"hljs-selector-tag\">source<\/span><span class=\"hljs-selector-pseudo\">:cloudtrail<\/span>\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-11\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">CSS<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">css<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Useful fields:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-12\" data-shcb-language-name=\"CSS\" data-shcb-language-slug=\"css\"><span><code class=\"hljs language-css\"><span class=\"hljs-keyword\">@eventName<\/span>\n@eventSource\n@userIdentity.arn\n@userIdentity.type\n@awsRegion\n@sourceIPAddress\n@userAgent\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-12\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">CSS<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">css<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<h3 class=\"wp-block-heading\">Step 5: Validate SIEM analysis<\/h3>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-13\" data-shcb-language-name=\"CSS\" data-shcb-language-slug=\"css\"><span><code class=\"hljs language-css\"><span class=\"hljs-selector-tag\">source<\/span><span class=\"hljs-selector-pseudo\">:cloudtrail<\/span> <span class=\"hljs-selector-tag\">datadog<\/span><span class=\"hljs-selector-class\">.cloud_siem<\/span><span class=\"hljs-selector-pseudo\">:true<\/span>\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-13\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">CSS<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">css<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<h3 class=\"wp-block-heading\">Step 6: Watch for signals<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Go to:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">Security \u2192 Cloud SIEM \u2192 Signals\n<\/code><\/span><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Filter:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-14\" data-shcb-language-name=\"CSS\" data-shcb-language-slug=\"css\"><span><code class=\"hljs language-css\"><span class=\"hljs-selector-tag\">source<\/span><span class=\"hljs-selector-pseudo\">:cloudtrail<\/span>\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-14\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">CSS<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">css<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">13. AWS Threat Emulation Project Using GitHub<\/h1>\n\n\n\n<h2 class=\"wp-block-heading\">Project: Datadog AWS Cloud SIEM Threat Emulation<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Datadog has an official GitHub project called <strong>cloud-siem-aws-threat-emulation<\/strong>. It uses Stratus Red Team-style AWS attack simulation to validate Datadog Cloud SIEM detections. The project README says to validate generated signals in Datadog by filtering Cloud SIEM Signals with CloudTrail source and Stratus Red Team user agent. (<a href=\"https:\/\/github.com\/DataDog\/cloud-siem-aws-threat-emulation\/blob\/main\/README.md?utm_source=chatgpt.com\">GitHub<\/a>)<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What you learn<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Topic<\/th><th>Skill<\/th><\/tr><\/thead><tbody><tr><td>CloudTrail ingestion<\/td><td>Confirm AWS logs reach Datadog<\/td><\/tr><tr><td>OOTB rules<\/td><td>Validate Datadog default rules<\/td><\/tr><tr><td>Threat emulation<\/td><td>Simulate safe attack techniques<\/td><\/tr><tr><td>Signal triage<\/td><td>Investigate generated alerts<\/td><\/tr><tr><td>Cleanup<\/td><td>Remove created attack artifacts<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Lab steps<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Step 1: Prepare isolated AWS account<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Use a sandbox AWS account. Do <strong>not<\/strong> run threat emulation in production.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Step 2: Configure CloudTrail to Datadog<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Confirm:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-15\" data-shcb-language-name=\"CSS\" data-shcb-language-slug=\"css\"><span><code class=\"hljs language-css\"><span class=\"hljs-selector-tag\">source<\/span><span class=\"hljs-selector-pseudo\">:cloudtrail<\/span>\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-15\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">CSS<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">css<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<h3 class=\"wp-block-heading\">Step 3: Clone the GitHub project<\/h3>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-16\" data-shcb-language-name=\"PHP\" data-shcb-language-slug=\"php\"><span><code class=\"hljs language-php\">git <span class=\"hljs-keyword\">clone<\/span> https:<span class=\"hljs-comment\">\/\/github.com\/DataDog\/cloud-siem-aws-threat-emulation.git<\/span>\ncd cloud-siem-aws-threat-emulation\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-16\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">PHP<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">php<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<h3 class=\"wp-block-heading\">Step 4: Follow project setup<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Install the required tooling as documented by the repo.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Step 5: Run a safe emulation<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Example types of activities usually include:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-17\" data-shcb-language-name=\"PHP\" data-shcb-language-slug=\"php\"><span><code class=\"hljs language-php\">IAM enumeration\nAccess key activity\nCloudTrail tampering scenario\nS3 <span class=\"hljs-keyword\">public<\/span> exposure scenario\nPrivilege escalation style activity\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-17\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">PHP<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">php<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<h3 class=\"wp-block-heading\">Step 6: Validate in Datadog<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Go to:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">Security \u2192 Cloud SIEM \u2192 Signals\n<\/code><\/span><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Search:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">source:cloudtrail @http.useragent:*stratus-red-team*\n<\/code><\/span><\/pre>\n\n\n<h3 class=\"wp-block-heading\">Step 7: Investigate signal<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">For each signal, inspect:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-18\" data-shcb-language-name=\"JavaScript\" data-shcb-language-slug=\"javascript\"><span><code class=\"hljs language-javascript\">What happened?\nWhich user?\nWhich source IP?\nWhich AWS account?\nWhich region?\nWhich API call?\nWas <span class=\"hljs-keyword\">this<\/span> expected?\nWhat happened before and after?\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-18\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">JavaScript<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">javascript<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<h3 class=\"wp-block-heading\">Step 8: Cleanup<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Run cleanup commands from the project documentation.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">14. GCP Audit Logs SIEM Tutorial<\/h1>\n\n\n\n<p class=\"wp-block-paragraph\">Datadog\u2019s GCP Cloud SIEM guide states that Cloud SIEM applies detection rules to processed logs, including Google Cloud audit logs, and uses Google Cloud Dataflow with the Datadog template to forward logs from Google Cloud services to Datadog. (<a href=\"https:\/\/docs.datadoghq.com\/security\/cloud_siem\/guide\/google-cloud-config-guide-for-cloud-siem.md?utm_source=chatgpt.com\">Datadog<\/a>)<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Architecture<\/h2>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-19\" data-shcb-language-name=\"CSS\" data-shcb-language-slug=\"css\"><span><code class=\"hljs language-css\"><span class=\"hljs-selector-tag\">flowchart<\/span> <span class=\"hljs-selector-tag\">LR<\/span>\n    <span class=\"hljs-selector-tag\">A<\/span><span class=\"hljs-selector-attr\">&#91;GCP Audit Logs]<\/span> <span class=\"hljs-selector-tag\">--<\/span>&gt; <span class=\"hljs-selector-tag\">B<\/span><span class=\"hljs-selector-attr\">&#91;Log Sink]<\/span>\n    <span class=\"hljs-selector-tag\">B<\/span> <span class=\"hljs-selector-tag\">--<\/span>&gt; <span class=\"hljs-selector-tag\">C<\/span><span class=\"hljs-selector-attr\">&#91;Pub\/Sub Topic]<\/span>\n    <span class=\"hljs-selector-tag\">C<\/span> <span class=\"hljs-selector-tag\">--<\/span>&gt; <span class=\"hljs-selector-tag\">D<\/span><span class=\"hljs-selector-attr\">&#91;Dataflow Datadog Template]<\/span>\n    <span class=\"hljs-selector-tag\">D<\/span> <span class=\"hljs-selector-tag\">--<\/span>&gt; <span class=\"hljs-selector-tag\">E<\/span><span class=\"hljs-selector-attr\">&#91;Datadog Logs Intake]<\/span>\n    <span class=\"hljs-selector-tag\">E<\/span> <span class=\"hljs-selector-tag\">--<\/span>&gt; <span class=\"hljs-selector-tag\">F<\/span><span class=\"hljs-selector-attr\">&#91;Cloud SIEM]<\/span>\n    <span class=\"hljs-selector-tag\">F<\/span> <span class=\"hljs-selector-tag\">--<\/span>&gt; <span class=\"hljs-selector-tag\">G<\/span><span class=\"hljs-selector-attr\">&#91;Security Signals]<\/span>\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-19\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">CSS<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">css<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<h2 class=\"wp-block-heading\">Steps<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Step 1: Enable Data Access audit logs<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Enable:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">Admin Read\nData Read\nData Write\n<\/code><\/span><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Datadog\u2019s GCP guide specifically recommends enabling these Data Access audit log types. (<a href=\"https:\/\/docs.datadoghq.com\/security\/cloud_siem\/guide\/google-cloud-config-guide-for-cloud-siem.md?utm_source=chatgpt.com\">Datadog<\/a>)<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Step 2: Create Pub\/Sub topic and subscription<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Example:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-20\" data-shcb-language-name=\"JavaScript\" data-shcb-language-slug=\"javascript\"><span><code class=\"hljs language-javascript\"><span class=\"hljs-keyword\">export<\/span>-audit-logs-to-datadog\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-20\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">JavaScript<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">javascript<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<h3 class=\"wp-block-heading\">Step 3: Create log sink<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Filter:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-21\" data-shcb-language-name=\"JavaScript\" data-shcb-language-slug=\"javascript\"><span><code class=\"hljs language-javascript\">logName:<span class=\"hljs-string\">\"cloudaudit.googleapis.com\"<\/span>\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-21\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">JavaScript<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">javascript<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<h3 class=\"wp-block-heading\">Step 4: Create Dataflow worker service account<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Grant required permissions.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Step 5: Run Dataflow Datadog template<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Use the Datadog Dataflow template.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Important: Datadog says Pub\/Sub Push subscription collection is being deprecated for this use case and recommends Pull subscription with the Datadog Dataflow template instead. (<a href=\"https:\/\/docs.datadoghq.com\/security\/cloud_siem\/guide\/google-cloud-config-guide-for-cloud-siem.md?utm_source=chatgpt.com\">Datadog<\/a>)<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Step 6: Validate<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Logs Explorer:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-22\" data-shcb-language-name=\"CSS\" data-shcb-language-slug=\"css\"><span><code class=\"hljs language-css\"><span class=\"hljs-selector-tag\">source<\/span><span class=\"hljs-selector-pseudo\">:gcp<\/span>\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-22\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">CSS<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">css<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Cloud SIEM:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-23\" data-shcb-language-name=\"CSS\" data-shcb-language-slug=\"css\"><span><code class=\"hljs language-css\"><span class=\"hljs-selector-tag\">source<\/span><span class=\"hljs-selector-pseudo\">:gcp<\/span> <span class=\"hljs-selector-tag\">datadog<\/span><span class=\"hljs-selector-class\">.cloud_siem<\/span><span class=\"hljs-selector-pseudo\">:true<\/span>\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-23\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">CSS<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">css<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Signals:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">Security \u2192 Cloud SIEM \u2192 Signals\n<\/code><\/span><\/pre>\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">15. Azure SIEM Tutorial<\/h1>\n\n\n\n<p class=\"wp-block-paragraph\">Datadog\u2019s Azure Cloud SIEM guide says Cloud SIEM applies detection rules to processed Azure logs and surfaces detected threats as Security Signals in Signals Explorer. (<a href=\"https:\/\/docs.datadoghq.com\/security\/cloud_siem\/guide\/azure-config-guide-for-cloud-siem.md?utm_source=chatgpt.com\">Datadog<\/a>)<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Architecture<\/h2>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-24\" data-shcb-language-name=\"CSS\" data-shcb-language-slug=\"css\"><span><code class=\"hljs language-css\"><span class=\"hljs-selector-tag\">flowchart<\/span> <span class=\"hljs-selector-tag\">LR<\/span>\n    <span class=\"hljs-selector-tag\">A<\/span><span class=\"hljs-selector-attr\">&#91;Azure Activity Logs]<\/span> <span class=\"hljs-selector-tag\">--<\/span>&gt; <span class=\"hljs-selector-tag\">B<\/span><span class=\"hljs-selector-attr\">&#91;Event Hub]<\/span>\n    <span class=\"hljs-selector-tag\">B<\/span> <span class=\"hljs-selector-tag\">--<\/span>&gt; <span class=\"hljs-selector-tag\">C<\/span><span class=\"hljs-selector-attr\">&#91;Datadog Azure Integration \/ Forwarder]<\/span>\n    <span class=\"hljs-selector-tag\">C<\/span> <span class=\"hljs-selector-tag\">--<\/span>&gt; <span class=\"hljs-selector-tag\">D<\/span><span class=\"hljs-selector-attr\">&#91;Datadog Logs]<\/span>\n    <span class=\"hljs-selector-tag\">D<\/span> <span class=\"hljs-selector-tag\">--<\/span>&gt; <span class=\"hljs-selector-tag\">E<\/span><span class=\"hljs-selector-attr\">&#91;Cloud SIEM]<\/span>\n    <span class=\"hljs-selector-tag\">E<\/span> <span class=\"hljs-selector-tag\">--<\/span>&gt; <span class=\"hljs-selector-tag\">F<\/span><span class=\"hljs-selector-attr\">&#91;Signals]<\/span>\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-24\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">CSS<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">css<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<h2 class=\"wp-block-heading\">Recommended Azure logs<\/h2>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">Azure Activity Logs\nAzure AD \/ Entra ID sign-in logs\nAzure AD audit logs\nKey Vault audit logs\nStorage account access logs\nNetwork security group flow logs\nDefender for Cloud alerts\nAKS audit logs\n<\/code><\/span><\/pre>\n\n\n<h2 class=\"wp-block-heading\">Example detections<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Detection<\/th><th>Why Important<\/th><\/tr><\/thead><tbody><tr><td>Privileged role assigned<\/td><td>Possible privilege escalation<\/td><\/tr><tr><td>New service principal credential<\/td><td>Possible persistence<\/td><\/tr><tr><td>Key Vault secret read<\/td><td>Credential access<\/td><\/tr><tr><td>Security rule opened to internet<\/td><td>Exposure<\/td><\/tr><tr><td>Azure policy disabled<\/td><td>Defense evasion<\/td><\/tr><tr><td>Impossible travel<\/td><td>Account compromise<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">16. Kubernetes Audit Logs SIEM Tutorial<\/h1>\n\n\n\n<h2 class=\"wp-block-heading\">Why Kubernetes audit logs matter<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Kubernetes audit logs show API server activity:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-25\" data-shcb-language-name=\"JavaScript\" data-shcb-language-slug=\"javascript\"><span><code class=\"hljs language-javascript\">create pod\nexec into pod\nread secret\ncreate clusterrolebinding\n<span class=\"hljs-keyword\">delete<\/span> deployment\npatch daemonset\ncreate privileged workload\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-25\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">JavaScript<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">javascript<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<h2 class=\"wp-block-heading\">Recommended events to monitor<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Event<\/th><th>Why<\/th><\/tr><\/thead><tbody><tr><td><code>create pods\/exec<\/code><\/td><td>Interactive shell into container<\/td><\/tr><tr><td><code>get secrets<\/code><\/td><td>Credential access<\/td><\/tr><tr><td><code>create clusterrolebinding<\/code><\/td><td>Privilege escalation<\/td><\/tr><tr><td><code>create privileged pod<\/code><\/td><td>Container escape risk<\/td><\/tr><tr><td><code>patch daemonset<\/code><\/td><td>Persistence<\/td><\/tr><tr><td><code>delete audit policy<\/code><\/td><td>Defense evasion<\/td><\/tr><tr><td><code>create serviceaccount token<\/code><\/td><td>Credential abuse<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Example Datadog query<\/h2>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">source:kubernetes.audit @verb:create @objectRef.resource:pods\n<\/code><\/span><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Suspicious exec:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">source:kubernetes.audit @objectRef.subresource:exec\n<\/code><\/span><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Secret access:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">source:kubernetes.audit @objectRef.resource:secrets\n<\/code><\/span><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Privileged RBAC change:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">source:kubernetes.audit @objectRef.resource:(clusterrolebindings OR rolebindings)\n<\/code><\/span><\/pre>\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">17. Linux Audit Logs SIEM Tutorial<\/h1>\n\n\n\n<h2 class=\"wp-block-heading\">Useful Linux security logs<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Log<\/th><th>Purpose<\/th><\/tr><\/thead><tbody><tr><td><code>\/var\/log\/auth.log<\/code><\/td><td>SSH, sudo, authentication<\/td><\/tr><tr><td><code>\/var\/log\/secure<\/code><\/td><td>RHEL\/CentOS auth events<\/td><\/tr><tr><td>auditd logs<\/td><td>Syscall and file access auditing<\/td><\/tr><tr><td>syslog<\/td><td>General system security events<\/td><\/tr><tr><td>sudo logs<\/td><td>Privilege escalation<\/td><\/tr><tr><td>SSH logs<\/td><td>Remote login attempts<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Datadog Agent log collection example<\/h2>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-26\" data-shcb-language-name=\"JavaScript\" data-shcb-language-slug=\"javascript\"><span><code class=\"hljs language-javascript\">logs:\n  - type: file\n    <span class=\"hljs-attr\">path<\/span>: <span class=\"hljs-regexp\">\/var\/<\/span>log\/auth.log\n    <span class=\"hljs-attr\">service<\/span>: linux-auth\n    <span class=\"hljs-attr\">source<\/span>: auth\n    <span class=\"hljs-attr\">tags<\/span>:\n      - env:lab\n      - team:security\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-26\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">JavaScript<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">javascript<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Restart Agent:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">sudo systemctl restart datadog-agent\n<\/code><\/span><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Validate:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">sudo datadog-agent status\nsudo datadog-agent stream-logs\n<\/code><\/span><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Datadog query:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-27\" data-shcb-language-name=\"CSS\" data-shcb-language-slug=\"css\"><span><code class=\"hljs language-css\"><span class=\"hljs-selector-tag\">source<\/span><span class=\"hljs-selector-pseudo\">:auth<\/span> <span class=\"hljs-selector-tag\">service<\/span><span class=\"hljs-selector-pseudo\">:linux-auth<\/span>\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-27\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">CSS<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">css<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<h2 class=\"wp-block-heading\">Example custom rule: SSH brute force<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Query:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-28\" data-shcb-language-name=\"JavaScript\" data-shcb-language-slug=\"javascript\"><span><code class=\"hljs language-javascript\">source:auth <span class=\"hljs-string\">\"Failed password\"<\/span>\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-28\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">JavaScript<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">javascript<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Group by:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-29\" data-shcb-language-name=\"CSS\" data-shcb-language-slug=\"css\"><span><code class=\"hljs language-css\"><span class=\"hljs-selector-tag\">host<\/span>\n<span class=\"hljs-keyword\">@network<\/span>.client.ip\n@usr.name\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-29\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">CSS<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">css<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Condition:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">More than 10 events in 5 minutes\n<\/code><\/span><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Severity:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">Medium\n<\/code><\/span><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Message:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-30\" data-shcb-language-name=\"JavaScript\" data-shcb-language-slug=\"javascript\"><span><code class=\"hljs language-javascript\">Possible SSH brute force attempt <span class=\"hljs-keyword\">from<\/span> {{@network.client.ip}} against {{host.name}}.\nInvestigate successful logins <span class=\"hljs-keyword\">from<\/span> <span class=\"hljs-keyword\">this<\/span> IP and check whether the username was valid.\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-30\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">JavaScript<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">javascript<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">18. Windows Event Logs SIEM Tutorial<\/h1>\n\n\n\n<h2 class=\"wp-block-heading\">Important Windows Event IDs<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Event ID<\/th><th>Meaning<\/th><\/tr><\/thead><tbody><tr><td>4624<\/td><td>Successful logon<\/td><\/tr><tr><td>4625<\/td><td>Failed logon<\/td><\/tr><tr><td>4634<\/td><td>Logoff<\/td><\/tr><tr><td>4672<\/td><td>Special privileges assigned<\/td><\/tr><tr><td>4688<\/td><td>Process creation<\/td><\/tr><tr><td>4720<\/td><td>User account created<\/td><\/tr><tr><td>4728<\/td><td>User added to privileged group<\/td><\/tr><tr><td>4732<\/td><td>User added to local group<\/td><\/tr><tr><td>4740<\/td><td>Account locked out<\/td><\/tr><tr><td>4768<\/td><td>Kerberos authentication ticket requested<\/td><\/tr><tr><td>4769<\/td><td>Kerberos service ticket requested<\/td><\/tr><tr><td>1102<\/td><td>Audit log cleared<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Example detection: Windows audit log cleared<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Query:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">source:windows @evt.id:1102\n<\/code><\/span><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Severity:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">High\n<\/code><\/span><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Why:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">Clearing Windows Security logs is a common defense evasion technique.\n<\/code><\/span><\/pre>\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">19. GitHub SIEM Tutorial<\/h1>\n\n\n\n<p class=\"wp-block-paragraph\">GitHub audit logs are very important because source control and CI\/CD are frequent attack targets.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Events to monitor<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Event<\/th><th>Risk<\/th><\/tr><\/thead><tbody><tr><td>Organization owner added<\/td><td>Privilege escalation<\/td><\/tr><tr><td>Repository visibility changed to public<\/td><td>Data exposure<\/td><\/tr><tr><td>Deploy key added<\/td><td>Persistence<\/td><\/tr><tr><td>Secret scanning alert<\/td><td>Secret leakage<\/td><\/tr><tr><td>GitHub Actions workflow modified<\/td><td>CI\/CD compromise<\/td><\/tr><tr><td>PAT created or used suspiciously<\/td><td>Credential abuse<\/td><\/tr><tr><td>Branch protection disabled<\/td><td>Defense evasion<\/td><\/tr><tr><td>Webhook added<\/td><td>Data exfiltration<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Example Datadog query<\/h2>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">source:github @action:repo.change_visibility\n<\/code><\/span><\/pre>\n\n\n<h2 class=\"wp-block-heading\">Example custom rule<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Name:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-31\" data-shcb-language-name=\"PHP\" data-shcb-language-slug=\"php\"><span><code class=\"hljs language-php\">GitHub Repository Made <span class=\"hljs-keyword\">Public<\/span>\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-31\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">PHP<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">php<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Query:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-32\" data-shcb-language-name=\"PHP\" data-shcb-language-slug=\"php\"><span><code class=\"hljs language-php\">source:github @action:repo.change_visibility @visibility:<span class=\"hljs-keyword\">public<\/span>\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-32\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">PHP<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">php<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Severity:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">High\n<\/code><\/span><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Message:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-33\" data-shcb-language-name=\"JavaScript\" data-shcb-language-slug=\"javascript\"><span><code class=\"hljs language-javascript\">A GitHub repository was made public. Validate whether <span class=\"hljs-keyword\">this<\/span> was approved.\nCheck repository name, actor, organization, and recent commits <span class=\"hljs-keyword\">for<\/span> sensitive data exposure.\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-33\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">JavaScript<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">javascript<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">20. Okta\/Auth0 Identity SIEM Tutorial<\/h1>\n\n\n\n<h2 class=\"wp-block-heading\">Events to monitor<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Event<\/th><th>Risk<\/th><\/tr><\/thead><tbody><tr><td>MFA disabled<\/td><td>Account weakening<\/td><\/tr><tr><td>Admin role assigned<\/td><td>Privilege escalation<\/td><\/tr><tr><td>Impossible travel<\/td><td>Account compromise<\/td><\/tr><tr><td>New device<\/td><td>Suspicious login<\/td><\/tr><tr><td>Repeated failed logins<\/td><td>Brute force<\/td><\/tr><tr><td>Password reset<\/td><td>Account recovery abuse<\/td><\/tr><tr><td>New API token<\/td><td>Persistence<\/td><\/tr><tr><td>Suspicious OAuth app<\/td><td>Consent phishing<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Example rule: MFA disabled<\/h2>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">source:okta @eventType:user.mfa.factor.deactivate\n<\/code><\/span><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Severity:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">High\n<\/code><\/span><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Group by:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-34\" data-shcb-language-name=\"CSS\" data-shcb-language-slug=\"css\"><span><code class=\"hljs language-css\"><span class=\"hljs-keyword\">@usr<\/span>.id\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-34\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">CSS<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">css<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">21. Detection Engineering in Datadog SIEM<\/h1>\n\n\n\n<h2 class=\"wp-block-heading\">21.1 Good detection rule design<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">A good rule should have:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Component<\/th><th>Example<\/th><\/tr><\/thead><tbody><tr><td>Clear title<\/td><td>AWS CloudTrail Disabled<\/td><\/tr><tr><td>Strong query<\/td><td>Match exact API event<\/td><\/tr><tr><td>Severity<\/td><td>Based on impact<\/td><\/tr><tr><td>Group-by<\/td><td>User\/account\/IP\/resource<\/td><\/tr><tr><td>Time window<\/td><td>5 min, 15 min, 1 hour, etc.<\/td><\/tr><tr><td>MITRE mapping<\/td><td>Defense Evasion, Credential Access<\/td><\/tr><tr><td>Message<\/td><td>What happened and how to respond<\/td><\/tr><tr><td>Suppression<\/td><td>Known automation excluded<\/td><\/tr><tr><td>Owner<\/td><td>Security\/platform team<\/td><\/tr><tr><td>Runbook<\/td><td>Investigation steps<\/td><\/tr><tr><td>Test method<\/td><td>Historical job or threat emulation<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">21.2 Rule quality checklist<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Before enabling a rule in production:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-35\" data-shcb-language-name=\"PHP\" data-shcb-language-slug=\"php\"><span><code class=\"hljs language-php\">Does the rule detect real attacker behavior?\nDoes it generate too many <span class=\"hljs-keyword\">false<\/span> positives?\nCan an analyst understand the signal?\nDoes the signal <span class=\"hljs-keyword\">include<\/span> user\/IP\/resource?\nIs there a runbook?\nIs severity correct?\nIs there an owner?\nIs there a safe suppression strategy?\nCan we test it?\nCan we backtest it?\nCan it be managed <span class=\"hljs-keyword\">as<\/span> code?\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-35\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">PHP<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">php<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">22. Example Custom Rules<\/h1>\n\n\n\n<h2 class=\"wp-block-heading\">Rule 1: AWS CloudTrail Disabled<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Query:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">source:cloudtrail @eventName:StopLogging\n<\/code><\/span><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Group by:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-36\" data-shcb-language-name=\"CSS\" data-shcb-language-slug=\"css\"><span><code class=\"hljs language-css\"><span class=\"hljs-keyword\">@userIdentity<\/span>.arn\n@awsRegion\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-36\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">CSS<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">css<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Severity:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">Critical\n<\/code><\/span><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Message:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-37\" data-shcb-language-name=\"JavaScript\" data-shcb-language-slug=\"javascript\"><span><code class=\"hljs language-javascript\">CloudTrail logging was stopped by {{@userIdentity.arn}} <span class=\"hljs-keyword\">in<\/span> {{@awsRegion}}.\nThis may indicate defense evasion. Confirm whether <span class=\"hljs-keyword\">this<\/span> was an approved change.\nCheck recent IAM activity, source IP, user agent, and other API calls <span class=\"hljs-keyword\">from<\/span> the same identity.\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-37\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">JavaScript<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">javascript<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Rule 2: IAM Access Key Created<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Query:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">source:cloudtrail @eventName:CreateAccessKey\n<\/code><\/span><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Group by:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-38\" data-shcb-language-name=\"CSS\" data-shcb-language-slug=\"css\"><span><code class=\"hljs language-css\"><span class=\"hljs-keyword\">@userIdentity<\/span>.arn\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-38\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">CSS<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">css<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Severity:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">Medium\n<\/code><\/span><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Upgrade to High if:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-39\" data-shcb-language-name=\"JavaScript\" data-shcb-language-slug=\"javascript\"><span><code class=\"hljs language-javascript\">The actor is <span class=\"hljs-keyword\">new<\/span>\nThe source IP is unusual\nThe user is privileged\nThe key belongs to another user\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-39\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">JavaScript<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">javascript<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Rule 3: S3 Bucket Policy Changed<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Query:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">source:cloudtrail @eventName:(PutBucketPolicy OR PutBucketAcl OR PutPublicAccessBlock)\n<\/code><\/span><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Group by:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-40\" data-shcb-language-name=\"CSS\" data-shcb-language-slug=\"css\"><span><code class=\"hljs language-css\"><span class=\"hljs-keyword\">@requestParameters<\/span>.bucketName\n@userIdentity.arn\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-40\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">CSS<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">css<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Severity:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">High\n<\/code><\/span><\/pre>\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Rule 4: Kubernetes Secret Access<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Query:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-41\" data-shcb-language-name=\"JavaScript\" data-shcb-language-slug=\"javascript\"><span><code class=\"hljs language-javascript\">source:kubernetes.audit @objectRef.resource:secrets @verb:<span class=\"hljs-keyword\">get<\/span>\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-41\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">JavaScript<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">javascript<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Group by:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-42\" data-shcb-language-name=\"CSS\" data-shcb-language-slug=\"css\"><span><code class=\"hljs language-css\"><span class=\"hljs-keyword\">@user<\/span>.username\n@objectRef.namespace\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-42\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">CSS<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">css<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Severity:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">Medium\n<\/code><\/span><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Escalate if:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-43\" data-shcb-language-name=\"CSS\" data-shcb-language-slug=\"css\"><span><code class=\"hljs language-css\"><span class=\"hljs-selector-tag\">namespace<\/span><span class=\"hljs-selector-pseudo\">:prod<\/span>\n<span class=\"hljs-selector-tag\">unusual<\/span> <span class=\"hljs-selector-tag\">user<\/span>\n<span class=\"hljs-selector-tag\">serviceaccount<\/span> <span class=\"hljs-selector-tag\">outside<\/span> <span class=\"hljs-selector-tag\">namespace<\/span>\n<span class=\"hljs-selector-tag\">high<\/span> <span class=\"hljs-selector-tag\">frequency<\/span>\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-43\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">CSS<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">css<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Rule 5: GitHub Branch Protection Disabled<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Query:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">source:github @action:protected_branch.destroy\n<\/code><\/span><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Severity:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">High\n<\/code><\/span><\/pre>\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Rule 6: Windows Audit Log Cleared<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Query:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">source:windows @evt.id:1102\n<\/code><\/span><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Severity:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">Critical\n<\/code><\/span><\/pre>\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Rule 7: NGINX Possible SQL Injection<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Query:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-44\" data-shcb-language-name=\"JavaScript\" data-shcb-language-slug=\"javascript\"><span><code class=\"hljs language-javascript\">source:nginx @http.url_details.queryString:(<span class=\"hljs-string\">\"*union select*\"<\/span> OR <span class=\"hljs-string\">\"*sleep(*\"<\/span> OR <span class=\"hljs-string\">\"*information_schema*\"<\/span>)\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-44\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">JavaScript<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">javascript<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Severity:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">Medium\n<\/code><\/span><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Note: This should be tuned carefully to avoid false positives.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">23. Creating a Custom Rule in Datadog UI<\/h1>\n\n\n\n<p class=\"wp-block-paragraph\">Go to:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-45\" data-shcb-language-name=\"PHP\" data-shcb-language-slug=\"php\"><span><code class=\"hljs language-php\">Security \u2192 Cloud SIEM \u2192 Detection Rules \u2192 <span class=\"hljs-keyword\">New<\/span> Rule\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-45\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">PHP<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">php<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Choose:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">Real-Time Rule\n<\/code><\/span><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Select method:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">Threshold\n<\/code><\/span><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Define query:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">source:cloudtrail @eventName:StopLogging\n<\/code><\/span><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Set condition:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">count &gt; 0 over 5 minutes\n<\/code><\/span><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Group by:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-46\" data-shcb-language-name=\"CSS\" data-shcb-language-slug=\"css\"><span><code class=\"hljs language-css\"><span class=\"hljs-keyword\">@userIdentity<\/span>.arn\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-46\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">CSS<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">css<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Add message:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">CloudTrail logging stopped by {{@userIdentity.arn}}.\nInvestigate immediately.\n<\/code><\/span><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Set severity:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">Critical\n<\/code><\/span><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Add tags:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-47\" data-shcb-language-name=\"CSS\" data-shcb-language-slug=\"css\"><span><code class=\"hljs language-css\"><span class=\"hljs-selector-tag\">team<\/span><span class=\"hljs-selector-pseudo\">:security<\/span>\n<span class=\"hljs-selector-tag\">source<\/span><span class=\"hljs-selector-pseudo\">:aws<\/span>\n<span class=\"hljs-selector-tag\">mitre<\/span><span class=\"hljs-selector-pseudo\">:defense-evasion<\/span>\n<span class=\"hljs-selector-tag\">env<\/span><span class=\"hljs-selector-pseudo\">:prod<\/span>\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-47\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">CSS<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">css<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Save rule.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">24. Signal Investigation Workflow<\/h1>\n\n\n\n<p class=\"wp-block-paragraph\">Datadog Cloud SIEM Signals Explorer allows teams to view, search, filter, correlate, and assign signals without learning a dedicated query language. (<a href=\"https:\/\/docs.datadoghq.com\/security\/cloud_siem\/triage_and_investigate\/investigate_security_signals\/?utm_source=chatgpt.com\">Datadog<\/a>)<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Investigation flow<\/h2>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-48\" data-shcb-language-name=\"CSS\" data-shcb-language-slug=\"css\"><span><code class=\"hljs language-css\"><span class=\"hljs-selector-tag\">flowchart<\/span> <span class=\"hljs-selector-tag\">TD<\/span>\n    <span class=\"hljs-selector-tag\">A<\/span><span class=\"hljs-selector-attr\">&#91;Signal Created]<\/span> <span class=\"hljs-selector-tag\">--<\/span>&gt; <span class=\"hljs-selector-tag\">B<\/span><span class=\"hljs-selector-attr\">&#91;Read What Happened]<\/span>\n    <span class=\"hljs-selector-tag\">B<\/span> <span class=\"hljs-selector-tag\">--<\/span>&gt; <span class=\"hljs-selector-tag\">C<\/span><span class=\"hljs-selector-attr\">&#91;Identify User \/ IP \/ Resource]<\/span>\n    <span class=\"hljs-selector-tag\">C<\/span> <span class=\"hljs-selector-tag\">--<\/span>&gt; <span class=\"hljs-selector-tag\">D<\/span><span class=\"hljs-selector-attr\">&#91;Check Triggering Logs]<\/span>\n    <span class=\"hljs-selector-tag\">D<\/span> <span class=\"hljs-selector-tag\">--<\/span>&gt; <span class=\"hljs-selector-tag\">E<\/span><span class=\"hljs-selector-attr\">&#91;Check Same User Timeline]<\/span>\n    <span class=\"hljs-selector-tag\">E<\/span> <span class=\"hljs-selector-tag\">--<\/span>&gt; <span class=\"hljs-selector-tag\">F<\/span><span class=\"hljs-selector-attr\">&#91;Check Same IP Timeline]<\/span>\n    <span class=\"hljs-selector-tag\">F<\/span> <span class=\"hljs-selector-tag\">--<\/span>&gt; <span class=\"hljs-selector-tag\">G<\/span><span class=\"hljs-selector-attr\">&#91;Check Related Cloud \/ App \/ K8s Logs]<\/span>\n    <span class=\"hljs-selector-tag\">G<\/span> <span class=\"hljs-selector-tag\">--<\/span>&gt; <span class=\"hljs-selector-tag\">H<\/span><span class=\"hljs-selector-attr\">&#91;Classify True Positive or False Positive]<\/span>\n    <span class=\"hljs-selector-tag\">H<\/span> <span class=\"hljs-selector-tag\">--<\/span>&gt; <span class=\"hljs-selector-tag\">I<\/span><span class=\"hljs-selector-attr\">&#91;Contain \/ Remediate]<\/span>\n    <span class=\"hljs-selector-tag\">I<\/span> <span class=\"hljs-selector-tag\">--<\/span>&gt; <span class=\"hljs-selector-tag\">J<\/span><span class=\"hljs-selector-attr\">&#91;Update Rule \/ Suppression \/ Runbook]<\/span>\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-48\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">CSS<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">css<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<h2 class=\"wp-block-heading\">Standard triage questions<\/h2>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-49\" data-shcb-language-name=\"JavaScript\" data-shcb-language-slug=\"javascript\"><span><code class=\"hljs language-javascript\">Who performed the action?\nWas the identity human or service account?\nWas MFA used?\nWas the source IP expected?\nWas the user-agent expected?\nWhat resource was affected?\nWas <span class=\"hljs-keyword\">this<\/span> <span class=\"hljs-keyword\">in<\/span> production?\nWas <span class=\"hljs-keyword\">this<\/span> change approved?\nDid similar activity happen before?\nDid the same identity perform other suspicious actions?\nIs there related app, Kubernetes, network, or endpoint activity?\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-49\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">JavaScript<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">javascript<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">25. MITRE ATT&amp;CK Mapping<\/h1>\n\n\n\n<p class=\"wp-block-paragraph\">A strong SIEM program should map detections to MITRE ATT&amp;CK.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>MITRE Tactic<\/th><th>Datadog SIEM Example<\/th><\/tr><\/thead><tbody><tr><td>Initial Access<\/td><td>Suspicious login from threat IP<\/td><\/tr><tr><td>Execution<\/td><td>Kubernetes exec into pod<\/td><\/tr><tr><td>Persistence<\/td><td>New IAM access key created<\/td><\/tr><tr><td>Privilege Escalation<\/td><td>Admin role attached<\/td><\/tr><tr><td>Defense Evasion<\/td><td>CloudTrail stopped<\/td><\/tr><tr><td>Credential Access<\/td><td>Secret read from SSM\/Secrets Manager<\/td><\/tr><tr><td>Discovery<\/td><td>Cloud API enumeration<\/td><\/tr><tr><td>Lateral Movement<\/td><td>Unusual service account activity<\/td><\/tr><tr><td>Collection<\/td><td>S3 object read spike<\/td><\/tr><tr><td>Exfiltration<\/td><td>BigQuery export to external bucket<\/td><\/tr><tr><td>Impact<\/td><td>Resource deletion or ransomware-like behavior<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">26. Risk Scoring and Entity Investigation<\/h1>\n\n\n\n<p class=\"wp-block-paragraph\">Datadog calculates entity risk scores based on associated signals, including signal severity and how many times a signal fired over the past 14 days. (<a href=\"https:\/\/docs.datadoghq.com\/security\/cloud_siem\/triage_and_investigate\/entities_and_risk_scoring.md?utm_source=chatgpt.com\">Datadog<\/a>)<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Use risk scoring to answer:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">Which user is riskiest?\nWhich host has repeated suspicious behavior?\nWhich cloud account has the highest risk?\nWhich service account needs review?\nWhich IP appears in multiple signals?\n<\/code><\/span><\/pre>\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">27. Notifications and Alert Routing<\/h1>\n\n\n\n<p class=\"wp-block-paragraph\">Signals are only useful if they reach the right team.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Common routing:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Signal Type<\/th><th>Notify<\/th><\/tr><\/thead><tbody><tr><td>Critical cloud control-plane attack<\/td><td>Security on-call + cloud platform team<\/td><\/tr><tr><td>Kubernetes privilege escalation<\/td><td>Platform SRE + security<\/td><\/tr><tr><td>GitHub organization change<\/td><td>DevSecOps + repo owner<\/td><\/tr><tr><td>Okta admin change<\/td><td>IAM team + security<\/td><\/tr><tr><td>WAF attack spike<\/td><td>AppSec + application owner<\/td><\/tr><tr><td>Windows log cleared<\/td><td>SOC + endpoint team<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Datadog allows Notification Rules to route signals to individuals or teams, and signal modification requires Security Signals Write permission. (<a href=\"https:\/\/docs.datadoghq.com\/security\/cloud_siem\/triage_and_investigate\/investigate_security_signals\/?utm_source=chatgpt.com\">Datadog<\/a>)<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">28. SOAR and Response Automation<\/h1>\n\n\n\n<p class=\"wp-block-paragraph\">SOAR means <strong>Security Orchestration, Automation, and Response<\/strong>.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Datadog Cloud SIEM can work with Workflow Automation. Content Packs may include workflow automation to accelerate investigation and remediation. (<a href=\"https:\/\/docs.datadoghq.com\/security\/cloud_siem\/ingest_and_enrich\/content_packs\/?utm_source=chatgpt.com\">Datadog<\/a>)<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Example automation ideas<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Signal<\/th><th>Automated Action<\/th><\/tr><\/thead><tbody><tr><td>IAM access key created by unusual user<\/td><td>Create Jira ticket, notify Slack, enrich user details<\/td><\/tr><tr><td>GitHub repo made public<\/td><td>Notify repo owner, open incident, collect repo metadata<\/td><\/tr><tr><td>Okta MFA disabled<\/td><td>Notify IAM, ask for approval evidence<\/td><\/tr><tr><td>Threat IP seen in firewall logs<\/td><td>Query related logs, enrich IP, notify SOC<\/td><\/tr><tr><td>Kubernetes secret accessed<\/td><td>Notify platform team, collect namespace\/pod\/service account details<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Do not automatically delete users, revoke production credentials, or block IPs without a clear approval process unless your organization has mature playbooks.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">29. Datadog SIEM with Terraform<\/h1>\n\n\n\n<p class=\"wp-block-paragraph\">Terraform is useful for managing Datadog configuration as code. The official Datadog Terraform provider is used to interact with Datadog resources and requires proper credentials. (<a href=\"https:\/\/github.com\/DataDog\/terraform-provider-datadog\/blob\/master\/docs\/index.md?utm_source=chatgpt.com\">GitHub<\/a>)<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Useful Terraform-managed SIEM resources<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Resource Type<\/th><th>Use<\/th><\/tr><\/thead><tbody><tr><td>Detection rules<\/td><td>Manage custom SIEM rules as code<\/td><\/tr><tr><td>Monitors<\/td><td>Alert on ingestion gaps or SIEM health<\/td><\/tr><tr><td>Dashboards<\/td><td>Security dashboards<\/td><\/tr><tr><td>Log pipelines<\/td><td>Parsing and normalization<\/td><\/tr><tr><td>Log indexes<\/td><td>Retention and cost control<\/td><\/tr><tr><td>Sensitive data scanner<\/td><td>Redaction controls<\/td><\/tr><tr><td>Integrations<\/td><td>Cloud\/source integrations where supported<\/td><\/tr><tr><td>Teams\/roles<\/td><td>Access governance<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Sample Terraform skeleton<\/h2>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-50\" data-shcb-language-name=\"JavaScript\" data-shcb-language-slug=\"javascript\"><span><code class=\"hljs language-javascript\">terraform {\n  required_providers {\n    datadog = {\n      source  = <span class=\"hljs-string\">\"DataDog\/datadog\"<\/span>\n      version = <span class=\"hljs-string\">\"~&gt; 3.0\"<\/span>\n    }\n  }\n}\n\nprovider <span class=\"hljs-string\">\"datadog\"<\/span> {\n  api_key = <span class=\"hljs-keyword\">var<\/span>.datadog_api_key\n  app_key = <span class=\"hljs-keyword\">var<\/span>.datadog_app_key\n  api_url = <span class=\"hljs-keyword\">var<\/span>.datadog_api_url\n}\n\nvariable <span class=\"hljs-string\">\"datadog_api_key\"<\/span> {\n  type      = string\n  sensitive = <span class=\"hljs-literal\">true<\/span>\n}\n\nvariable <span class=\"hljs-string\">\"datadog_app_key\"<\/span> {\n  type      = string\n  sensitive = <span class=\"hljs-literal\">true<\/span>\n}\n\nvariable <span class=\"hljs-string\">\"datadog_api_url\"<\/span> {\n  type    = string\n  <span class=\"hljs-keyword\">default<\/span> = <span class=\"hljs-string\">\"https:\/\/api.datadoghq.com\/\"<\/span>\n}\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-50\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">JavaScript<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">javascript<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<h2 class=\"wp-block-heading\">Official GitHub project: Terraform security modules<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Datadog has an official GitHub repository named <strong>terraform-modules-datadog-security<\/strong>, which contains Terraform modules for common integrations between Datadog security products and cloud providers. (<a href=\"https:\/\/github.com\/DataDog\/terraform-modules-datadog-security?utm_source=chatgpt.com\">GitHub<\/a>)<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Use this repository as a reference for cloud security onboarding patterns.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">30. Sigma to Datadog Rules<\/h1>\n\n\n\n<p class=\"wp-block-paragraph\">Sigma is a generic detection rule format used by detection engineers.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Datadog has an official <strong>pysigma-backend-datadog<\/strong> GitHub project. It supports output formats for Datadog query syntax and can convert Sigma rules into Datadog Cloud SIEM detection format. (<a href=\"https:\/\/github.com\/DataDog\/pysigma-backend-datadog?utm_source=chatgpt.com\">GitHub<\/a>)<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Use case<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">You have Sigma rule:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-51\" data-shcb-language-name=\"JavaScript\" data-shcb-language-slug=\"javascript\"><span><code class=\"hljs language-javascript\">title: Suspicious PowerShell Encoded Command\n<span class=\"hljs-attr\">logsource<\/span>:\n  product: windows\n  <span class=\"hljs-attr\">category<\/span>: process_creation\n<span class=\"hljs-attr\">detection<\/span>:\n  selection:\n    CommandLine|contains: <span class=\"hljs-string\">\"-enc\"<\/span>\n  <span class=\"hljs-attr\">condition<\/span>: selection\n<span class=\"hljs-attr\">level<\/span>: high\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-51\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">JavaScript<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">javascript<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p class=\"wp-block-paragraph\">You convert it into Datadog-compatible query\/rule format.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Why useful<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Benefit<\/th><th>Explanation<\/th><\/tr><\/thead><tbody><tr><td>Detection portability<\/td><td>Reuse community Sigma detections<\/td><\/tr><tr><td>Faster rule creation<\/td><td>Convert baseline logic<\/td><\/tr><tr><td>Standard detection workflow<\/td><td>Detection-as-code<\/td><\/tr><tr><td>Easier migration<\/td><td>Move from another SIEM to Datadog<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">31. Recommended GitHub Projects for Hands-On Learning<\/h1>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Project<\/th><th>Owner<\/th><th>Purpose<\/th><\/tr><\/thead><tbody><tr><td>cloud-siem-aws-threat-emulation<\/td><td>DataDog<\/td><td>Validate AWS Cloud SIEM detections using threat emulation<\/td><\/tr><tr><td>terraform-provider-datadog<\/td><td>DataDog<\/td><td>Manage Datadog resources with Terraform<\/td><\/tr><tr><td>terraform-modules-datadog-security<\/td><td>DataDog<\/td><td>Security-focused Terraform modules for cloud integrations<\/td><\/tr><tr><td>pysigma-backend-datadog<\/td><td>DataDog<\/td><td>Convert Sigma detections to Datadog queries\/SIEM rules<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">32. Complete Lab Roadmap<\/h1>\n\n\n\n<h2 class=\"wp-block-heading\">Lab 1: Basic SIEM with Linux auth logs<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Goal:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">Collect Linux SSH\/sudo logs and create brute-force detection.\n<\/code><\/span><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Skills:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">Datadog Agent\nLog collection\nLog Explorer\nCustom detection rule\nSecurity signal triage\n<\/code><\/span><\/pre>\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Lab 2: AWS CloudTrail SIEM<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Goal:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">Forward CloudTrail logs into Datadog and enable AWS CloudTrail Content Pack.\n<\/code><\/span><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Skills:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">CloudTrail\nS3\nDatadog Forwarder\nContent Packs\nOOTB detections\nSignals Explorer\n<\/code><\/span><\/pre>\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Lab 3: AWS Threat Emulation<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Goal:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-52\" data-shcb-language-name=\"PHP\" data-shcb-language-slug=\"php\"><span><code class=\"hljs language-php\"><span class=\"hljs-keyword\">Use<\/span> <span class=\"hljs-title\">DataDog<\/span>\/<span class=\"hljs-title\">cloud<\/span>-<span class=\"hljs-title\">siem<\/span>-<span class=\"hljs-title\">aws<\/span>-<span class=\"hljs-title\">threat<\/span>-<span class=\"hljs-title\">emulation<\/span> <span class=\"hljs-title\">to<\/span> <span class=\"hljs-title\">trigger<\/span> <span class=\"hljs-title\">test<\/span> <span class=\"hljs-title\">signals<\/span>.\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-52\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">PHP<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">php<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Skills:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">Threat simulation\nCloudTrail detection validation\nRule testing\nTriage\nCleanup\n<\/code><\/span><\/pre>\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Lab 4: Kubernetes Audit Logs<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Goal:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">Detect suspicious Kubernetes API activity.\n<\/code><\/span><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Skills:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">Kubernetes audit policy\nControl plane logs\nKubernetes SIEM detection\nRBAC investigation\n<\/code><\/span><\/pre>\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Lab 5: GitHub Audit Logs<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Goal:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">Detect repository visibility changes and privileged user changes.\n<\/code><\/span><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Skills:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">GitHub audit logs\nDeveloper security\nCustom detections\nNotification routing\n<\/code><\/span><\/pre>\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Lab 6: Detection-as-Code<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Goal:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-53\" data-shcb-language-name=\"JavaScript\" data-shcb-language-slug=\"javascript\"><span><code class=\"hljs language-javascript\">Manage SIEM rules and dashboards <span class=\"hljs-keyword\">with<\/span> Terraform.\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-53\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">JavaScript<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">javascript<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Skills:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">Terraform provider\nRule versioning\nPull request review\nEnvironment promotion\n<\/code><\/span><\/pre>\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Lab 7: Sigma Conversion<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Goal:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">Convert Sigma rules into Datadog-compatible query\/rule format.\n<\/code><\/span><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Skills:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">Sigma\npysigma-backend-datadog\nDetection engineering\nRule portability\n<\/code><\/span><\/pre>\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">33. Production Reference Architecture<\/h1>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-54\" data-shcb-language-name=\"CSS\" data-shcb-language-slug=\"css\"><span><code class=\"hljs language-css\"><span class=\"hljs-selector-tag\">flowchart<\/span> <span class=\"hljs-selector-tag\">TB<\/span>\n    <span class=\"hljs-selector-tag\">subgraph<\/span> <span class=\"hljs-selector-tag\">Cloud<\/span><span class=\"hljs-selector-attr\">&#91;<span class=\"hljs-string\">\"Cloud Accounts\"<\/span>]<\/span>\n        <span class=\"hljs-selector-tag\">A1<\/span><span class=\"hljs-selector-attr\">&#91;AWS CloudTrail]<\/span>\n        <span class=\"hljs-selector-tag\">A2<\/span><span class=\"hljs-selector-attr\">&#91;GCP Audit Logs]<\/span>\n        <span class=\"hljs-selector-tag\">A3<\/span><span class=\"hljs-selector-attr\">&#91;Azure Activity Logs]<\/span>\n    <span class=\"hljs-selector-tag\">end<\/span>\n\n    <span class=\"hljs-selector-tag\">subgraph<\/span> <span class=\"hljs-selector-tag\">Platform<\/span><span class=\"hljs-selector-attr\">&#91;<span class=\"hljs-string\">\"Platform\"<\/span>]<\/span>\n        <span class=\"hljs-selector-tag\">B1<\/span><span class=\"hljs-selector-attr\">&#91;Kubernetes Audit Logs]<\/span>\n        <span class=\"hljs-selector-tag\">B2<\/span><span class=\"hljs-selector-attr\">&#91;Datadog Agent]<\/span>\n        <span class=\"hljs-selector-tag\">B3<\/span><span class=\"hljs-selector-attr\">&#91;Workload Protection]<\/span>\n    <span class=\"hljs-selector-tag\">end<\/span>\n\n    <span class=\"hljs-selector-tag\">subgraph<\/span> <span class=\"hljs-selector-tag\">SaaS<\/span><span class=\"hljs-selector-attr\">&#91;<span class=\"hljs-string\">\"SaaS \/ Identity \/ Dev Tools\"<\/span>]<\/span>\n        <span class=\"hljs-selector-tag\">C1<\/span><span class=\"hljs-selector-attr\">&#91;Okta\/Auth0]<\/span>\n        <span class=\"hljs-selector-tag\">C2<\/span><span class=\"hljs-selector-attr\">&#91;GitHub\/GitLab]<\/span>\n        <span class=\"hljs-selector-tag\">C3<\/span><span class=\"hljs-selector-attr\">&#91;Google Workspace]<\/span>\n    <span class=\"hljs-selector-tag\">end<\/span>\n\n    <span class=\"hljs-selector-tag\">subgraph<\/span> <span class=\"hljs-selector-tag\">Network<\/span><span class=\"hljs-selector-attr\">&#91;<span class=\"hljs-string\">\"Network \/ Edge\"<\/span>]<\/span>\n        <span class=\"hljs-selector-tag\">D1<\/span><span class=\"hljs-selector-attr\">&#91;Firewall]<\/span>\n        <span class=\"hljs-selector-tag\">D2<\/span><span class=\"hljs-selector-attr\">&#91;DNS]<\/span>\n        <span class=\"hljs-selector-tag\">D3<\/span><span class=\"hljs-selector-attr\">&#91;WAF]<\/span>\n        <span class=\"hljs-selector-tag\">D4<\/span><span class=\"hljs-selector-attr\">&#91;Proxy]<\/span>\n    <span class=\"hljs-selector-tag\">end<\/span>\n\n    <span class=\"hljs-selector-tag\">Cloud<\/span> <span class=\"hljs-selector-tag\">--<\/span>&gt; <span class=\"hljs-selector-tag\">E<\/span><span class=\"hljs-selector-attr\">&#91;Datadog Log Intake]<\/span>\n    <span class=\"hljs-selector-tag\">Platform<\/span> <span class=\"hljs-selector-tag\">--<\/span>&gt; <span class=\"hljs-selector-tag\">E<\/span>\n    <span class=\"hljs-selector-tag\">SaaS<\/span> <span class=\"hljs-selector-tag\">--<\/span>&gt; <span class=\"hljs-selector-tag\">E<\/span>\n    <span class=\"hljs-selector-tag\">Network<\/span> <span class=\"hljs-selector-tag\">--<\/span>&gt; <span class=\"hljs-selector-tag\">E<\/span>\n\n    <span class=\"hljs-selector-tag\">E<\/span> <span class=\"hljs-selector-tag\">--<\/span>&gt; <span class=\"hljs-selector-tag\">F<\/span><span class=\"hljs-selector-attr\">&#91;Parsing \/ OCSF \/ Enrichment]<\/span>\n    <span class=\"hljs-selector-tag\">F<\/span> <span class=\"hljs-selector-tag\">--<\/span>&gt; <span class=\"hljs-selector-tag\">G<\/span><span class=\"hljs-selector-attr\">&#91;Cloud SIEM Analysis]<\/span>\n    <span class=\"hljs-selector-tag\">G<\/span> <span class=\"hljs-selector-tag\">--<\/span>&gt; <span class=\"hljs-selector-tag\">H<\/span><span class=\"hljs-selector-attr\">&#91;OOTB + Custom Rules]<\/span>\n    <span class=\"hljs-selector-tag\">H<\/span> <span class=\"hljs-selector-tag\">--<\/span>&gt; <span class=\"hljs-selector-tag\">I<\/span><span class=\"hljs-selector-attr\">&#91;Security Signals]<\/span>\n    <span class=\"hljs-selector-tag\">I<\/span> <span class=\"hljs-selector-tag\">--<\/span>&gt; <span class=\"hljs-selector-tag\">J<\/span><span class=\"hljs-selector-attr\">&#91;Signals Explorer \/ Investigators]<\/span>\n    <span class=\"hljs-selector-tag\">I<\/span> <span class=\"hljs-selector-tag\">--<\/span>&gt; <span class=\"hljs-selector-tag\">K<\/span><span class=\"hljs-selector-attr\">&#91;Notifications]<\/span>\n    <span class=\"hljs-selector-tag\">I<\/span> <span class=\"hljs-selector-tag\">--<\/span>&gt; <span class=\"hljs-selector-tag\">L<\/span><span class=\"hljs-selector-attr\">&#91;Workflow Automation]<\/span>\n    <span class=\"hljs-selector-tag\">I<\/span> <span class=\"hljs-selector-tag\">--<\/span>&gt; <span class=\"hljs-selector-tag\">M<\/span><span class=\"hljs-selector-attr\">&#91;Incidents \/ Cases \/ Reports]<\/span>\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-54\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">CSS<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">css<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">34. Best Practices for Datadog SIEM<\/h1>\n\n\n\n<h2 class=\"wp-block-heading\">34.1 Start with high-value logs<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Do not onboard every log first. Start with:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">CloudTrail\nGCP Audit Logs\nAzure Activity Logs\nIdentity provider logs\nKubernetes audit logs\nGitHub\/GitLab audit logs\nDatadog Audit Trail\nEndpoint authentication logs\n<\/code><\/span><\/pre>\n\n\n<h2 class=\"wp-block-heading\">34.2 Use Content Packs first<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Content Packs give you faster time to value because they include prebuilt security content.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">34.3 Normalize logs<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Use OOTB pipelines and OCSF where possible.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">34.4 Tune detections<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Every production SIEM needs tuning.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Tune:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">query\nthreshold\ngroup-by\nseverity\nsuppression\nmessage\nowner\nnotification\nrunbook\n<\/code><\/span><\/pre>\n\n\n<h2 class=\"wp-block-heading\">34.5 Avoid over-suppression<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Suppress only known-good activity. Do not suppress broad categories.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">34.6 Create runbooks<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Every high\/critical rule should have:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">What happened?\nWhy it matters\nHow to validate\nHow to contain\nHow to remediate\nWho owns it\nHow to close\n<\/code><\/span><\/pre>\n\n\n<h2 class=\"wp-block-heading\">34.7 Measure SIEM quality<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Track:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-55\" data-shcb-language-name=\"PHP\" data-shcb-language-slug=\"php\"><span><code class=\"hljs language-php\">Signal volume\n<span class=\"hljs-keyword\">False<\/span> positive rate\nMean time to triage\nMean time to respond\nCoverage by MITRE tactic\nTop noisy rules\nTop risky users\nTop risky cloud accounts\nUnparsed log volume\nLogs not analyzed by Cloud SIEM\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-55\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">PHP<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">php<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<h2 class=\"wp-block-heading\">34.8 Manage detections as code<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Use Terraform, GitHub pull requests, peer reviews, and environment promotion.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">34.9 Separate dev\/test\/prod<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Use tags:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-56\" data-shcb-language-name=\"CSS\" data-shcb-language-slug=\"css\"><span><code class=\"hljs language-css\"><span class=\"hljs-selector-tag\">env<\/span><span class=\"hljs-selector-pseudo\">:prod<\/span>\n<span class=\"hljs-selector-tag\">env<\/span><span class=\"hljs-selector-pseudo\">:stage<\/span>\n<span class=\"hljs-selector-tag\">team<\/span><span class=\"hljs-selector-pseudo\">:security<\/span>\n<span class=\"hljs-selector-tag\">source<\/span><span class=\"hljs-selector-pseudo\">:cloudtrail<\/span>\n<span class=\"hljs-selector-tag\">cloud_provider<\/span><span class=\"hljs-selector-pseudo\">:aws<\/span>\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-56\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">CSS<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">css<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<h2 class=\"wp-block-heading\">34.10 Validate continuously<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Use:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">Threat emulation\nHistorical jobs\nTabletop exercises\nPurple team tests\nSynthetic attack logs\n<\/code><\/span><\/pre>\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">35. Common Mistakes<\/h1>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Mistake<\/th><th>Impact<\/th><\/tr><\/thead><tbody><tr><td>Ingesting too many logs without strategy<\/td><td>Cost and noise<\/td><\/tr><tr><td>Not enabling cloud audit logs fully<\/td><td>Blind spots<\/td><\/tr><tr><td>No identity logs<\/td><td>Cannot detect account compromise<\/td><\/tr><tr><td>No Kubernetes audit logs<\/td><td>Cannot detect cluster abuse<\/td><\/tr><tr><td>Ignoring log parsing<\/td><td>Rules do not work correctly<\/td><\/tr><tr><td>No OCSF\/normalization<\/td><td>Harder correlation<\/td><\/tr><tr><td>Too many critical alerts<\/td><td>Alert fatigue<\/td><\/tr><tr><td>No suppressions<\/td><td>False positives<\/td><\/tr><tr><td>Too many suppressions<\/td><td>Missed attacks<\/td><\/tr><tr><td>No runbooks<\/td><td>Slow response<\/td><\/tr><tr><td>No owner\/team mapping<\/td><td>Nobody acts<\/td><\/tr><tr><td>No detection-as-code<\/td><td>Rule drift<\/td><\/tr><tr><td>No testing<\/td><td>Rules may not work<\/td><\/tr><tr><td>No ingestion monitoring<\/td><td>Silent SIEM failure<\/td><\/tr><tr><td>No cost controls<\/td><td>Unexpected bills<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">36. Datadog SIEM Troubleshooting<\/h1>\n\n\n\n<h2 class=\"wp-block-heading\">Problem: No security signals<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Check:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-57\" data-shcb-language-name=\"JavaScript\" data-shcb-language-slug=\"javascript\"><span><code class=\"hljs language-javascript\">Are logs arriving?\nAre logs parsed?\nAre logs tagged datadog.cloud_siem:<span class=\"hljs-literal\">true<\/span>?\nAre Content Packs enabled?\nAre OOTB rules enabled?\nDoes the activity actually match a rule?\nAre suppressions hiding signals?\nIs the time <span class=\"hljs-built_in\">window<\/span> correct?\nDo you have permission to view signals?\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-57\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">JavaScript<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">javascript<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<h2 class=\"wp-block-heading\">Problem: Logs visible but not analyzed<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Search:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-58\" data-shcb-language-name=\"CSS\" data-shcb-language-slug=\"css\"><span><code class=\"hljs language-css\"><span class=\"hljs-selector-tag\">datadog<\/span><span class=\"hljs-selector-class\">.cloud_siem<\/span><span class=\"hljs-selector-pseudo\">:false<\/span>\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-58\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">CSS<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">css<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Fix:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">Enable relevant Content Pack\nAdjust Security Filter\nCheck index filter if using Cloud SIEM Standalone\n<\/code><\/span><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Datadog notes that Security Filters or log index filters control which logs Cloud SIEM analyzes, depending on the Cloud SIEM product type. (<a href=\"https:\/\/docs.datadoghq.com\/security\/cloud_siem\/guide\/customize-which-logs-cloud-siem-analyzes\/?utm_source=chatgpt.com\">Datadog<\/a>)<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Problem: Too many noisy signals<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Fix:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">Add precise suppressions\nTune thresholds\nGroup by user\/IP\/resource\nReduce low-value rules\nLower severity for expected activity\nAdd maintenance exclusions\nCreate separate rule for prod only\n<\/code><\/span><\/pre>\n\n\n<h2 class=\"wp-block-heading\">Problem: Rule does not trigger<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Check:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-59\" data-shcb-language-name=\"JavaScript\" data-shcb-language-slug=\"javascript\"><span><code class=\"hljs language-javascript\">Does the query <span class=\"hljs-keyword\">return<\/span> logs <span class=\"hljs-keyword\">in<\/span> Log Explorer?\nAre fields parsed <span class=\"hljs-keyword\">as<\/span> expected?\nIs the time <span class=\"hljs-built_in\">window<\/span> correct?\nIs the group-by correct?\nIs rule enabled?\nIs source log selected <span class=\"hljs-keyword\">for<\/span> SIEM analysis?\nIs a suppression hiding it?\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-59\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">JavaScript<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">javascript<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<h2 class=\"wp-block-heading\">Problem: Wrong severity<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Review:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">Business impact\nAsset criticality\nEnvironment\nUser privilege\nData sensitivity\nAttack stage\nRepeat behavior\n<\/code><\/span><\/pre>\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">37. SIEM Governance Model<\/h1>\n\n\n\n<p class=\"wp-block-paragraph\">A mature Datadog SIEM implementation should define:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Area<\/th><th>Owner<\/th><\/tr><\/thead><tbody><tr><td>Cloud log onboarding<\/td><td>Cloud platform team<\/td><\/tr><tr><td>SIEM detection rules<\/td><td>Security engineering<\/td><\/tr><tr><td>Kubernetes audit logs<\/td><td>Platform\/SRE<\/td><\/tr><tr><td>Identity logs<\/td><td>IAM team<\/td><\/tr><tr><td>GitHub logs<\/td><td>DevSecOps<\/td><\/tr><tr><td>Log pipelines<\/td><td>Observability\/platform team<\/td><\/tr><tr><td>Incident response<\/td><td>SOC\/security operations<\/td><\/tr><tr><td>Terraform modules<\/td><td>DevOps\/platform<\/td><\/tr><tr><td>Access control<\/td><td>Security + IAM<\/td><\/tr><tr><td>Cost monitoring<\/td><td>FinOps + platform<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">38. Access Control and Data Security<\/h1>\n\n\n\n<p class=\"wp-block-paragraph\">Security logs can contain sensitive data.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Control:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-60\" data-shcb-language-name=\"JavaScript\" data-shcb-language-slug=\"javascript\"><span><code class=\"hljs language-javascript\">Who can view security signals?\nWho can edit detection rules?\nWho can create suppressions?\nWho can view sensitive logs?\nWho can manage API\/app keys?\nWho can trigger workflows?\nWho can <span class=\"hljs-keyword\">export<\/span> logs?\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-60\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">JavaScript<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">javascript<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Datadog notes that modifying security signals requires Security Signals Write permission. (<a href=\"https:\/\/docs.datadoghq.com\/security\/cloud_siem\/triage_and_investigate\/investigate_security_signals.md?utm_source=chatgpt.com\">Datadog<\/a>)<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Use:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">RBAC\nTeams\nScoped application keys\nService accounts\nSensitive Data Scanner\nLog index access controls\nAudit Trail\n<\/code><\/span><\/pre>\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">39. Cost Management for Cloud SIEM<\/h1>\n\n\n\n<p class=\"wp-block-paragraph\">SIEM cost can grow quickly if unmanaged.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Control these:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Area<\/th><th>Cost Risk<\/th><th>Control<\/th><\/tr><\/thead><tbody><tr><td>Log ingestion<\/td><td>Too many logs<\/td><td>Source filtering<\/td><\/tr><tr><td>SIEM analyzed logs<\/td><td>Every log analyzed<\/td><td>Security Filters \/ Content Packs<\/td><\/tr><tr><td>Indexed logs<\/td><td>High retention\/search volume<\/td><td>Index strategy<\/td><\/tr><tr><td>Custom metrics from logs<\/td><td>Too many generated metrics<\/td><td>Strict metric creation<\/td><\/tr><tr><td>Archives<\/td><td>Long retention<\/td><td>Lifecycle policies<\/td><\/tr><tr><td>Synthetics\/RUM correlation<\/td><td>Extra telemetry<\/td><td>Sampling<\/td><\/tr><tr><td>Debug logs<\/td><td>Huge volume<\/td><td>Disable debug after testing<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Use:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">Content Pack scoping\nSecurity Filters\nLog exclusion filters\nArchive for compliance\nIndex only useful logs\nMonitor ingestion volume\nReview top sources monthly\n<\/code><\/span><\/pre>\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">40. Advanced Topic: Security Filters vs Detection Rules<\/h1>\n\n\n\n<p class=\"wp-block-paragraph\">This is very important.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Layer<\/th><th>Purpose<\/th><\/tr><\/thead><tbody><tr><td>Security Filter<\/td><td>Decides which logs Cloud SIEM analyzes<\/td><\/tr><tr><td>Detection Rule<\/td><td>Decides which analyzed logs create signals<\/td><\/tr><tr><td>Suppression<\/td><td>Decides which matching signals should not be generated<\/td><\/tr><tr><td>Notification Rule<\/td><td>Decides who gets notified<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Example:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">Security Filter:\nAnalyze source:cloudtrail\n\nDetection Rule:\nDetect @eventName:StopLogging\n\nSuppression:\nIgnore known automation role\n\nNotification:\nSend Critical cloud alerts to security-oncall\n<\/code><\/span><\/pre>\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">41. Advanced Topic: Real-Time vs Scheduled vs Historical<\/h1>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Type<\/th><th>Use Case<\/th><\/tr><\/thead><tbody><tr><td>Real-Time Rule<\/td><td>Immediate threat detection<\/td><\/tr><tr><td>Scheduled Rule<\/td><td>Periodic deeper analysis<\/td><\/tr><tr><td>Historical Job<\/td><td>Backtesting and retrospective hunting<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Use real-time rules for:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">CloudTrail disabled\nAdmin role attached\nGitHub owner added\nKubernetes secret read\nWindows audit log cleared\n<\/code><\/span><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Use scheduled rules for:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">Daily review of unusual admin activity\nWeekly service account access review\nPeriodic data access analysis\n<\/code><\/span><\/pre>\n\n\n<p class=\"wp-block-paragraph\">Use historical jobs for:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-61\" data-shcb-language-name=\"JavaScript\" data-shcb-language-slug=\"javascript\"><span><code class=\"hljs language-javascript\">Testing <span class=\"hljs-keyword\">new<\/span> detection rule\nIncident retrospective\nThreat hunting against past logs\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-61\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">JavaScript<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">javascript<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">42. Advanced Topic: Threat Hunting Queries<\/h1>\n\n\n\n<h2 class=\"wp-block-heading\">AWS suspicious user-agent<\/h2>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">source:cloudtrail @userAgent:(*kali* OR *nmap* OR *scoutsuite* OR *stratus-red-team*)\n<\/code><\/span><\/pre>\n\n\n<h2 class=\"wp-block-heading\">AWS IAM changes<\/h2>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">source:cloudtrail @eventSource:iam.amazonaws.com\n<\/code><\/span><\/pre>\n\n\n<h2 class=\"wp-block-heading\">CloudTrail stopped<\/h2>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">source:cloudtrail @eventName:(StopLogging OR DeleteTrail OR UpdateTrail)\n<\/code><\/span><\/pre>\n\n\n<h2 class=\"wp-block-heading\">S3 public access changes<\/h2>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">source:cloudtrail @eventName:(PutBucketPolicy OR PutBucketAcl OR PutPublicAccessBlock)\n<\/code><\/span><\/pre>\n\n\n<h2 class=\"wp-block-heading\">Kubernetes exec<\/h2>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">source:kubernetes.audit @objectRef.subresource:exec\n<\/code><\/span><\/pre>\n\n\n<h2 class=\"wp-block-heading\">Kubernetes secret access<\/h2>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">source:kubernetes.audit @objectRef.resource:secrets\n<\/code><\/span><\/pre>\n\n\n<h2 class=\"wp-block-heading\">GitHub repo public<\/h2>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">source:github @action:repo.change_visibility\n<\/code><\/span><\/pre>\n\n\n<h2 class=\"wp-block-heading\">Windows failed logons<\/h2>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">source:windows @evt.id:4625\n<\/code><\/span><\/pre>\n\n\n<h2 class=\"wp-block-heading\">Windows privileged logon<\/h2>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">source:windows @evt.id:4672\n<\/code><\/span><\/pre>\n\n\n<h2 class=\"wp-block-heading\">NGINX suspicious attack strings<\/h2>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-62\" data-shcb-language-name=\"JavaScript\" data-shcb-language-slug=\"javascript\"><span><code class=\"hljs language-javascript\">source:nginx (<span class=\"hljs-string\">\"union select\"<\/span> OR <span class=\"hljs-string\">\"information_schema\"<\/span> OR <span class=\"hljs-string\">\"..\/\"<\/span> OR <span class=\"hljs-string\">\"cmd.exe\"<\/span> OR <span class=\"hljs-string\">\"\/etc\/passwd\"<\/span>)\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-62\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">JavaScript<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">javascript<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">43. World-Class SIEM Operating Model<\/h1>\n\n\n\n<h2 class=\"wp-block-heading\">Daily<\/h2>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-63\" data-shcb-language-name=\"JavaScript\" data-shcb-language-slug=\"javascript\"><span><code class=\"hljs language-javascript\">Review critical\/high signals\nCheck signal queue health\nReview top noisy rules\nCheck ingestion failures\nReview <span class=\"hljs-keyword\">new<\/span> risky entities\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-63\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">JavaScript<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">javascript<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<h2 class=\"wp-block-heading\">Weekly<\/h2>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-64\" data-shcb-language-name=\"JavaScript\" data-shcb-language-slug=\"javascript\"><span><code class=\"hljs language-javascript\">Tune noisy rules\nReview suppressions\nReview <span class=\"hljs-keyword\">new<\/span> Datadog OOTB rules\nReview MITRE coverage\nCheck onboarding gaps\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-64\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">JavaScript<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">javascript<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<h2 class=\"wp-block-heading\">Monthly<\/h2>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-65\" data-shcb-language-name=\"PHP\" data-shcb-language-slug=\"php\"><span><code class=\"hljs language-php\">Threat detection review\n<span class=\"hljs-keyword\">False<\/span> positive analysis\nSIEM cost review\nAccess control review\nRun purple team test\nUpdate runbooks\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-65\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">PHP<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">php<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<h2 class=\"wp-block-heading\">Quarterly<\/h2>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-66\" data-shcb-language-name=\"JavaScript\" data-shcb-language-slug=\"javascript\"><span><code class=\"hljs language-javascript\">Detection coverage assessment\nCloud account onboarding audit\nKubernetes security review\nIdentity provider review\nIncident response tabletop\nCompliance evidence <span class=\"hljs-keyword\">export<\/span>\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-66\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">JavaScript<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">javascript<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">44. Complete Implementation Checklist<\/h1>\n\n\n\n<h2 class=\"wp-block-heading\">Foundation<\/h2>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">Cloud SIEM enabled\nLog Management enabled\nAPI\/app keys secured\nRBAC configured\nSecurity team access configured\nTeams and ownership configured\n<\/code><\/span><\/pre>\n\n\n<h2 class=\"wp-block-heading\">Ingestion<\/h2>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">AWS CloudTrail onboarded\nGCP Audit Logs onboarded\nAzure Activity Logs onboarded\nKubernetes audit logs onboarded\nDatadog Audit Trail onboarded\nIdentity provider logs onboarded\nGitHub\/GitLab logs onboarded\nLinux\/Windows logs onboarded\nNetwork\/WAF logs onboarded\n<\/code><\/span><\/pre>\n\n\n<h2 class=\"wp-block-heading\">Processing<\/h2>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">Logs parsed\nStatus remapped correctly\nService\/source\/env tags standardized\nOCSF normalization verified\nSensitive data scanning configured\nUnparsed logs monitored\n<\/code><\/span><\/pre>\n\n\n<h2 class=\"wp-block-heading\">SIEM Analysis<\/h2>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">Content Packs enabled\nSecurity Filters validated\nOOTB rules enabled\nCustom rules created\nSuppressions configured\nHistorical jobs used for backtesting\nMITRE mapping reviewed\n<\/code><\/span><\/pre>\n\n\n<h2 class=\"wp-block-heading\">Response<\/h2>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">Signals routed\nNotification rules configured\nRunbooks attached\nWorkflow automation configured\nIncident process defined\nEscalation paths tested\n<\/code><\/span><\/pre>\n\n\n<h2 class=\"wp-block-heading\">Governance<\/h2>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">Terraform\/IaC implemented\nPull request review process established\nRule owners assigned\nQuarterly rule review scheduled\nCost monitoring enabled\nAudit Trail monitored\n<\/code><\/span><\/pre>\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">45. Final Recommended Learning Path<\/h1>\n\n\n\n<p class=\"wp-block-paragraph\">Follow this order:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-67\" data-shcb-language-name=\"JavaScript\" data-shcb-language-slug=\"javascript\"><span><code class=\"hljs language-javascript\"><span class=\"hljs-number\">1.<\/span> Learn SIEM concepts\n<span class=\"hljs-number\">2.<\/span> Learn Datadog logs and pipelines\n<span class=\"hljs-number\">3.<\/span> Enable Cloud SIEM\n<span class=\"hljs-number\">4.<\/span> Enable AWS CloudTrail Content Pack\n<span class=\"hljs-number\">5.<\/span> Generate AWS test signals <span class=\"hljs-keyword\">with<\/span> Datadog threat emulation repo\n<span class=\"hljs-number\">6.<\/span> Learn Signals Explorer\n<span class=\"hljs-number\">7.<\/span> Write simple custom rules\n<span class=\"hljs-number\">8.<\/span> Add suppressions\n<span class=\"hljs-number\">9.<\/span> Add identity provider logs\n<span class=\"hljs-number\">10.<\/span> Add Kubernetes audit logs\n<span class=\"hljs-number\">11.<\/span> Add GitHub audit logs\n<span class=\"hljs-number\">12.<\/span> Learn OCSF normalization\n<span class=\"hljs-number\">13.<\/span> Manage rules <span class=\"hljs-keyword\">with<\/span> Terraform\n<span class=\"hljs-number\">14.<\/span> Convert Sigma rules\n<span class=\"hljs-number\">15.<\/span> Build SOAR workflows\n<span class=\"hljs-number\">16.<\/span> Measure coverage and <span class=\"hljs-literal\">false<\/span> positives\n<span class=\"hljs-number\">17.<\/span> Run purple-team validation\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-67\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">JavaScript<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">javascript<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">46. Final Architecture Recommendation for Real Companies<\/h1>\n\n\n\n<p class=\"wp-block-paragraph\">For a production organization, I would implement Datadog Cloud SIEM like this:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Stage<\/th><th>Recommendation<\/th><\/tr><\/thead><tbody><tr><td>Phase 1<\/td><td>AWS\/GCP\/Azure audit logs + identity logs + Datadog Audit Trail<\/td><\/tr><tr><td>Phase 2<\/td><td>Kubernetes audit logs + GitHub\/GitLab + Linux\/Windows auth logs<\/td><\/tr><tr><td>Phase 3<\/td><td>WAF, DNS, firewall, proxy, EDR\/security tools<\/td><\/tr><tr><td>Phase 4<\/td><td>Custom detections, Terraform, Sigma conversion<\/td><\/tr><tr><td>Phase 5<\/td><td>SOAR workflows, risk scoring, MITRE coverage, purple-team validation<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Minimum production baseline:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-68\" data-shcb-language-name=\"JavaScript\" data-shcb-language-slug=\"javascript\"><span><code class=\"hljs language-javascript\">CloudTrail \/ GCP Audit \/ Azure Activity\nIdentity provider logs\nKubernetes audit logs\nGitHub\/GitLab logs\nDatadog Audit Trail\nCritical app\/WAF logs\nOOTB Content Packs\n<span class=\"hljs-number\">10<\/span><span class=\"hljs-number\">-20<\/span> custom high-value rules\nSignal routing\nRunbooks\nSuppression review\nCost monitoring\nDetection-<span class=\"hljs-keyword\">as<\/span>-code\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-68\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">JavaScript<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">javascript<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p class=\"wp-block-paragraph\">The \u201cworld-class\u201d version is not just turning on Cloud SIEM. It is building a security operating system around it: high-quality telemetry, normalized fields, strong detections, signal triage, automated enrichment, response workflows, ownership, IaC, testing, and continuous tuning.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Current as of June 2026. Datadog Cloud SIEM is Datadog\u2019s security information and event management product for collecting security telemetry, analyzing logs and events with detection rules,&#8230; <\/p>\n","protected":false},"author":1,"featured_media":28220,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_joinchat":[],"footnotes":""},"categories":[25768],"tags":[],"class_list":["post-28219","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-datadog"],"_links":{"self":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/28219","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/comments?post=28219"}],"version-history":[{"count":3,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/28219\/revisions"}],"predecessor-version":[{"id":77131,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/28219\/revisions\/77131"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/media\/28220"}],"wp:attachment":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/media?parent=28219"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/categories?post=28219"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/tags?post=28219"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}