[DOCS-8106] Add Cloud SIEM data security doc #30536

Open: wants to merge 1 commit into base: master
40 changes: 25 additions & 15 deletions config/_default/menus/main.en.yaml
Expand Up @@ -6021,6 +6021,11 @@ menu:
parent: cloud_siem
identifier: siem_guides
weight: 11
- name: Data Security
url: data_security/cloud_siem/
parent: cloud_siem
identifier: siem_data_security
weight: 12
- name: Cloud Security
url: security/cloud_security_management
parent: security_platform_heading
Expand Down Expand Up @@ -7925,46 +7930,51 @@ menu:
url: data_security/agent/
parent: data_security
weight: 1
- name: Tracing
identifier: data_security_tracing
url: /tracing/configure_data_security/
- name: Cloud SIEM
identifier: data_security_cloud_siem
url: data_security/cloud_siem/
parent: data_security
weight: 2
- name: Log Management
identifier: data_security_log_management
url: data_security/logs/
parent: data_security
weight: 3
- name: Kubernetes
identifier: data_security_kubernetes
url: data_security/kubernetes
parent: data_security
weight: 4
- name: Synthetic Monitoring
identifier: data_security_synthetic_monitoring
url: data_security/synthetics/
- name: Log Management
identifier: data_security_log_management
url: data_security/logs/
parent: data_security
weight: 5
weight: 4
- name: Real User Monitoring
identifier: data_security_real_user_monitoring
url: data_security/real_user_monitoring/
parent: data_security
weight: 5
- name: Synthetic Monitoring
identifier: data_security_synthetic_monitoring
url: data_security/synthetics/
parent: data_security
weight: 6
- name: Tracing
identifier: data_security_tracing
url: /tracing/configure_data_security/
parent: data_security
weight: 7
- name: PCI Compliance
identifier: data_security_pci_compliance
url: data_security/pci_compliance/
parent: data_security
weight: 7
weight: 8
- name: HIPAA Compliance
identifier: data_security_hipaa_compliance
url: data_security/hipaa_compliance/
parent: data_security
weight: 8
weight: 9
- name: Data Retention Periods
identifier: data_retention_periods
url: data_security/data_retention_periods/
parent: data_security
weight: 9
weight: 10
- name: Guides
identifier: data_security_guide
url: data_security/guide/
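Review bot: `url: /tracing/configure_data_security/` on the moved Tracing entry is the only `data_security` child with a leading slash; every sibling in this hunk (`data_security/cloud_siem/`, `data_security/logs/`, `data_security/kubernetes`, `data_security/synthetics/`, ...) is written root-relative without one. The inconsistency predates this change, but since the entry is being renumbered to weight 7 anyway, it is worth confirming both forms render to the same link and normalising it here. Also note that `data_security/kubernetes` is the one sibling without a trailing slash, so check it resolves the same way as the others.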
57 changes: 57 additions & 0 deletions content/en/data_security/cloud_siem.md
@@ -0,0 +1,57 @@
---
title: Cloud SIEM Data Security
disable_toc: false
aliases:
- /path-to-old-doc/
further_reading:
- link: "/data_security/"
tag: "Documentation"
text: "Review the main categories of data submitted to Datadog"
- link: "/data_security/pci_compliance/"
tag: "Documentation"
text: "Set up a PCI-compliant Datadog organization"
---

<div class="alert alert-info">This page is about the security of data sent to Datadog. If you're looking for cloud and application security products and features, see the <a href="/security/" target="_blank">Security</a> section.</div>

## Overview

A security signal is generated when at least one case defined in a detection rule is matched over a given period of time. You can customize detection rules to provide notification messages that contain specific information about the signal (for example, user ID, IP addresses, and so on) and the triggering group-by values of the signal. Security rules can also use webhooks to send notifications to third-party services. Since data sent to Datadog may contain sensitive information, this document goes over those notification features and what to do if you do not want users to have access to these features.

## Security rules can use message template variables

When you create a detection rule you can customize the notification message with [notification variables][1], which adds specific information related to the signal. For example, if the following JSON object is associated with a security signal:

```
{
"network": {
"client": {
"ip": "1.2.3.4"
}
},
"usr": {
"id": "[email protected]"
},
"used_mfa": "false"
}
```
Using `{{@network.client.ip}}` in the notification message displays the IP addresses associated with the signal.

Contact [support][2] if you do not want users to be able to add template variables to notification messages.

## Security rules can include triggering group-by values in the notification title

In the **Describe your playbook** section for [log detection rules][3] and [signal correlation rules][4], you can add group-by values in the notification title. For example, if you are grouping by `service`, the service name shows in the title. Uncheck **Include triggering group-by values in notification title** to opt out of adding triggering group-by values to the title.

Contact [support][2] If you do not want the option to include triggering group-by values in the notification title.

## Security rules can use webhooks

Security notifications can be sent to [integrations][5], such as Jira, PagerDuty, and [webhooks][6]. Contact [support][2] if you do not want users to be able to send notifications to a third-party service using webhooks.

[1]: /security/notifications/variables/?tab=cloudsiem#template-variables
[2]: /help/
[3]: /security/cloud_siem/log_detection_rules/?tab=threshold#say-whats-happening
[4]: /security/cloud_siem/signal_correlation_rules#say-whats-happening
[5]: /security/notifications/#integrations
[6]: /integrations/webhooks/
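Review bot: `aliases:` / `- /path-to-old-doc/` in the front matter is the page-template placeholder; this is a brand-new page with no earlier location, so the `aliases` block should be dropped (or set to the real former path) before merge, otherwise Hugo emits a redirect from `/path-to-old-doc/`. Smaller points in the same hunk: the JSON sample fence has no language tag (` ```json ` would give it highlighting like the other docs), `{{@network.client.ip}}` expands to a single value so "displays the IP address" reads better than "IP addresses", and "Contact [support][2] If you do not want the option" should use a lower-case "if". The Overview's final sentence runs long enough that the vale sentence-length check flags it; splitting it after "third-party services." would satisfy the linter without changing its meaning.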