From 6cd95959feed65bd8ebc83a8de417d69bd0cc78c Mon Sep 17 00:00:00 2001
From: May Lee
Date: Thu, 17 Jul 2025 12:06:20 -0400
Subject: [PATCH 1/9] add data security doc
---
 config/_default/menus/main.en.yaml | 40 +++++++++++-------
 content/en/data_security/cloud_siem.md | 57 ++++++++++++++++++++++++++
 2 files changed, 82 insertions(+), 15 deletions(-)
 create mode 100644 content/en/data_security/cloud_siem.md
diff --git a/config/_default/menus/main.en.yaml b/config/_default/menus/main.en.yaml
index b5c5dd3857a61..acfdf68dc4fc8 100644
--- a/config/_default/menus/main.en.yaml
+++ b/config/_default/menus/main.en.yaml
@@ -6021,6 +6021,11 @@ menu:
 parent: cloud_siem identifier: siem_guides weight: 11 + - name: Data Security url: data_security/cloud_siem/ parent: cloud_siem identifier: siem_data_security weight: 12 - name: Cloud Security url: security/cloud_security_management parent: security_platform_heading
@@ -7925,46 +7930,51 @@ menu:
 url: data_security/agent/
 parent: data_security
 weight: 1
- - name: Tracing
- identifier: data_security_tracing
- url: /tracing/configure_data_security/
+ - name: Cloud SIEM
+ identifier: data_security_cloud_siem
+ url: data_security/cloud_siem/
 parent: data_security
 weight: 2
- - name: Log Management
- identifier: data_security_log_management
- url: data_security/logs/
- parent: data_security
- weight: 3
 - name: Kubernetes
 identifier: data_security_kubernetes
 url: data_security/kubernetes
 parent: data_security
 weight: 4
- - name: Synthetic Monitoring
- identifier: data_security_synthetic_monitoring
- url: data_security/synthetics/
+ - name: Log Management
+ identifier: data_security_log_management
+ url: data_security/logs/
 parent: data_security
- weight: 5
+ weight: 4
 - name: Real User Monitoring
 identifier: data_security_real_user_monitoring
 url: data_security/real_user_monitoring/
 parent: data_security
+ weight: 5
+ - name: Synthetic Monitoring
+ identifier: data_security_synthetic_monitoring
+ url: data_security/synthetics/
+ parent: data_security
 weight: 6
+ - name: Tracing
+ identifier: data_security_tracing
+ url: /tracing/configure_data_security/
+ parent: data_security
+ weight: 7
 - name: PCI Compliance
 identifier: data_security_pci_compliance
 url: data_security/pci_compliance/
 parent: data_security
- weight: 7
+ weight: 8
 - name: HIPAA Compliance
 identifier: data_security_hipaa_compliance
 url: data_security/hipaa_compliance/
 parent: data_security
- weight: 8
+ weight: 9
 - name: Data Retention Periods
 identifier: data_retention_periods
 url: data_security/data_retention_periods/
 parent: data_security
- weight: 9
+ weight: 10
 - name: Guides
 identifier: data_security_guide
 url: data_security/guide/
diff --git a/content/en/data_security/cloud_siem.md b/content/en/data_security/cloud_siem.md
new file mode 100644
index 0000000000000..e2156189f8bdf
--- /dev/null
+++ b/content/en/data_security/cloud_siem.md
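Review bot: Kubernetes and Log Management both carry `weight: 4` under `data_security` on the new side of this hunk: the Log Management entry's weight moves from 5 to 4 while the Kubernetes context line keeps `weight: 4`, so the relative order of those two items is no longer fixed by the file but by whatever tie-break the menu renderer applies (Hugo appears to fall back to name, which happens to be alphabetical here, but that is not guaranteed by this config). Giving Kubernetes the slot vacated by the removed Log Management entry, `weight: 3` on the `data_security_kubernetes` item, makes the sequence contiguous: Agent 1, Cloud SIEM 2, Kubernetes 3, Log Management 4. Patch 9/9 later renumbers Guides to 11 but leaves this duplicate in place.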
@@ -0,0 +1,57 @@
+---
+title: Cloud SIEM Data Security
+disable_toc: false
+aliases:
+- /path-to-old-doc/
+further_reading:
+- link: "/data_security/"
+ tag: "Documentation"
+ text: "Review the main categories of data submitted to Datadog"
+- link: "/data_security/pci_compliance/"
+ tag: "Documentation"
+ text: "Set up a PCI-compliant Datadog organization"
+---
+
This page is about the security of data sent to Datadog. If you're looking for cloud and application security products and features, see the Security section.
+
+## Overview
+A security signal is generated when at least one case defined in a detection rule is matched over a given period of time. You can customize detection rules to provide notification messages that contain specific information about the signal (for example, user ID, IP addresses, and so on) and the triggering group-by values of the signal. Security rules can also use webhooks to send notifications to third-party services. Since data sent to Datadog may contain sensitive information, this document goes over those notification features and what to do if you do not want users to have access to these features.
+
+## Security rules can use message template variables
+
+When you create a detection rule you can customize the notification message with [notification variables][1], which adds specific information related to the signal. For example, if the following JSON object is associated with a security signal:
+
+```
+{
+ "network": {
+ "client": {
+ "ip": "1.2.3.4"
+ }
+ },
+ "usr": {
+ "id": "user@domain.com"
+ },
+ "used_mfa": "false"
+}
+```
+Using `{{@network.client.ip}}` in the notification message displays the IP addresses associated with the signal.
+
+Contact [support][2] if you do not want users to be able to add template variables to notification messages.
+
+## Security rules can include triggering group-by values in the notification title
+
+In the **Describe your playbook** section for [log detection rules][3] and [signal correlation rules][4], you can add group-by values in the notification title. For example, if you are grouping by `service`, the service name shows in the title. Uncheck **Include triggering group-by values in notification title** to opt out of adding triggering group-by values to the title.
+
+Contact [support][2] If you do not want the option to include triggering group-by values in the notification title.
+
+## Security rules can use webhooks
+
+Security notifications can be sent to [integrations][5], such as Jira, PagerDuty, and [webhooks][6]. Contact [support][2] if you do not want users to be able to send notifications to a third-party service using webhooks.
+
+[1]: /security/notifications/variables/?tab=cloudsiem#template-variables
+[2]: /help/
+[3]: /security/cloud_siem/log_detection_rules/?tab=threshold#say-whats-happening
+[4]: /security/cloud_siem/signal_correlation_rules#say-whats-happening
+[5]: /security/notifications/#integrations
+[6]: /integrations/webhooks/
\ No newline at end of file
From 5111b4888d224e2551db9ccb6e8f84ecd7156051 Mon Sep 17 00:00:00 2001
From: May Lee
Date: Thu, 31 Jul 2025 14:53:36 -0400
Subject: [PATCH 2/9] add hipaa note
---
 content/en/data_security/cloud_siem.md | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/content/en/data_security/cloud_siem.md b/content/en/data_security/cloud_siem.md
index e2156189f8bdf..5384ef8923acc 100644
--- a/content/en/data_security/cloud_siem.md
+++ b/content/en/data_security/cloud_siem.md
@@ -47,6 +47,8 @@ Contact [support][2] If you do not want the option to include triggering group-b
 ## Security rules can use webhooks
+
If you are a HIPAA-enabled organization, webhooks for security rules is disabled.
+
 Security notifications can be sent to [integrations][5], such as Jira, PagerDuty, and [webhooks][6]. Contact [support][2] if you do not want users to be able to send notifications to a third-party service using webhooks.
 [1]: /security/notifications/variables/?tab=cloudsiem#template-variables
From 2ecb0e79ad0add980fca3749cd931354a7b4502e Mon Sep 17 00:00:00 2001
From: May Lee
Date: Thu, 31 Jul 2025 15:08:47 -0400
Subject: [PATCH 3/9] edit warning
---
 content/en/data_security/cloud_siem.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/en/data_security/cloud_siem.md b/content/en/data_security/cloud_siem.md
index 5384ef8923acc..cf08c9bef2469 100644
--- a/content/en/data_security/cloud_siem.md
+++ b/content/en/data_security/cloud_siem.md
@@ -47,7 +47,7 @@ Contact [support][2] If you do not want the option to include triggering group-b
 ## Security rules can use webhooks
-
If you are a HIPAA-enabled organization, webhooks for security rules is disabled.
+
If you are a HIPAA-enabled organization, webhooks for security rules is disabled.
Security notifications can be sent to [integrations][5], such as Jira, PagerDuty, and [webhooks][6]. Contact [support][2] if you do not want users to be able to send notifications to a third-party service using webhooks.
From 4dfb642c34179d317b78cb1c796d090af18bbfbc Mon Sep 17 00:00:00 2001
From: May Lee
Date: Wed, 6 Aug 2025 11:15:07 -0400
Subject: [PATCH 4/9] updates
---
 content/en/data_security/cloud_siem.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/content/en/data_security/cloud_siem.md b/content/en/data_security/cloud_siem.md
index cf08c9bef2469..6e62270c7433e 100644
--- a/content/en/data_security/cloud_siem.md
+++ b/content/en/data_security/cloud_siem.md
@@ -43,11 +43,11 @@ Contact [support][2] if you do not want users to be able to add template variabl
 In the **Describe your playbook** section for [log detection rules][3] and [signal correlation rules][4], you can add group-by values in the notification title. For example, if you are grouping by `service`, the service name shows in the title. Uncheck **Include triggering group-by values in notification title** to opt out of adding triggering group-by values to the title.
-Contact [support][2] If you do not want the option to include triggering group-by values in the notification title.
+Contact [support][2] If you do not want to have the triggering group-by values option available.
 ## Security rules can use webhooks
-
If you are a HIPAA-enabled organization, webhooks for security rules is disabled.
+
If your organization had HIPAA enabled in 2024 or earlier, you may have to reach out to Datadog support to enable webhooks for security rules.
Security notifications can be sent to [integrations][5], such as Jira, PagerDuty, and [webhooks][6]. Contact [support][2] if you do not want users to be able to send notifications to a third-party service using webhooks.
From c2a206b8cb6ca1f78932367b793e612019398b0d Mon Sep 17 00:00:00 2001
From: May Lee
Date: Wed, 6 Aug 2025 11:16:24 -0400
Subject: [PATCH 5/9] small update
---
 content/en/data_security/cloud_siem.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/en/data_security/cloud_siem.md b/content/en/data_security/cloud_siem.md
index 6e62270c7433e..9155c010a1bda 100644
--- a/content/en/data_security/cloud_siem.md
+++ b/content/en/data_security/cloud_siem.md
@@ -43,7 +43,7 @@ Contact [support][2] if you do not want users to be able to add template variabl
 In the **Describe your playbook** section for [log detection rules][3] and [signal correlation rules][4], you can add group-by values in the notification title. For example, if you are grouping by `service`, the service name shows in the title. Uncheck **Include triggering group-by values in notification title** to opt out of adding triggering group-by values to the title.
-Contact [support][2] If you do not want to have the triggering group-by values option available.
+Contact [support][2] If you do not want to have the **Include triggering group-by values in notification title** option available.
 ## Security rules can use webhooks
From a22a645d016ad420116bfaa57c44c9eb7c6fd678 Mon Sep 17 00:00:00 2001
From: May Lee
Date: Wed, 6 Aug 2025 12:02:43 -0400
Subject: [PATCH 6/9] add links to doc
---
 content/en/security/cloud_siem/detection_rules/_index.md | 7 +++++--
 .../cloud_siem/detection_rules/signal_correlation_rules.md | 5 ++++-
 2 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/content/en/security/cloud_siem/detection_rules/_index.md b/content/en/security/cloud_siem/detection_rules/_index.md
index dfb7a54c1e613..f22358330c581 100644
--- a/content/en/security/cloud_siem/detection_rules/_index.md
+++ b/content/en/security/cloud_siem/detection_rules/_index.md
@@ -386,7 +386,7 @@ One way to decrease signal noise is to prioritize production environment signals
 The severity decrement is applied to signals with an environment tag starting with `staging`, `test`, or `dev`.
-## Say what's happening
+## Describe your playbook
 {{% security-rule-say-whats-happening %}}
@@ -394,6 +394,8 @@ Use the **Tag resulting signals** dropdown menu to add tags to your signals. For
 **Note**: the tag `security` is special. This tag is used to classify the security signal. The recommended options are: `attack`, `threat-intel`, `compliance`, `anomaly`, and `data-leak`.
+See [Cloud SIEM Data Security ][7] for more information on using message template variables, group-by values in the notification title, and webhooks.
+
 ## Suppression rules
 Optionally, add a suppression rule to prevent a signal from getting generated. For example, if a user `john.doe` is triggering a signal, but their actions are benign and you do not want signals triggered from this user, add the following query into the **Add a suppression query** field: `@user.username:john.doe`.
@@ -440,4 +442,5 @@ The rule deprecation process is as follows:
 [3]: https://app.datadoghq.com/logs/
 [4]: https://app.datadoghq.com/security/rules
 [5]: /security/cloud_siem/historical_jobs/
-[6]: /security/default_rules/?category=cat-cloud-siem-log-detection#all
\ No newline at end of file
+[6]: /security/default_rules/?category=cat-cloud-siem-log-detection#all
+[7]: /data_security/cloud_siem/
\ No newline at end of file
diff --git a/content/en/security/cloud_siem/detection_rules/signal_correlation_rules.md b/content/en/security/cloud_siem/detection_rules/signal_correlation_rules.md
index 724924728d96a..58684c4437294 100644
--- a/content/en/security/cloud_siem/detection_rules/signal_correlation_rules.md
+++ b/content/en/security/cloud_siem/detection_rules/signal_correlation_rules.md
@@ -62,7 +62,7 @@ Click **Add Case** to add additional cases.
 **Note**: The `evaluation window` must be less than or equal to the `keep alive` and `maximum signal duration`.
-### Say what's happening
+### Describe your playbook
 {{% security-rule-say-whats-happening %}}
@@ -70,8 +70,11 @@ Use the **Tag resulting signals** dropdown menu to add tags to your signals. For
 **Note**: the tag `security` is special. This tag is used to classify the security signal. The recommended options are: `attack`, `threat-intel`, `compliance`, `anomaly`, and `data-leak`.
+See [Cloud SIEM Data Security ][2] for more information on using message template variables, group-by values in the notification title, and webhooks.
+
 ## Further reading
 {{< partial name="whats-next/whats-next.html" >}}
 [1]: https://app.datadoghq.com/security/configuration/rules?product=siem
+[2]: /data_security/cloud_siem/
From a0ce3ed4b9cf620e8100386202d4204a1842ba64 Mon Sep 17 00:00:00 2001
From: May Lee
Date: Wed, 20 Aug 2025 17:08:41 -0400
Subject: [PATCH 7/9] Apply suggestions from code review
Co-authored-by: Janine Chan <64388808+janine-c@users.noreply.github.com>
---
 content/en/data_security/cloud_siem.md | 27 ++++++++++---------
 .../cloud_siem/detection_rules/_index.md | 2 +-
 2 files changed, 16 insertions(+), 13 deletions(-)
diff --git a/content/en/data_security/cloud_siem.md b/content/en/data_security/cloud_siem.md
index 9155c010a1bda..cf739e60869e9 100644
--- a/content/en/data_security/cloud_siem.md
+++ b/content/en/data_security/cloud_siem.md
@@ -1,8 +1,6 @@
 ---
 title: Cloud SIEM Data Security
 disable_toc: false
-aliases:
-- /path-to-old-doc/
 further_reading:
 - link: "/data_security/"
 tag: "Documentation"
@@ -16,7 +14,9 @@ further_reading:
 ## Overview
-A security signal is generated when at least one case defined in a detection rule is matched over a given period of time. You can customize detection rules to provide notification messages that contain specific information about the signal (for example, user ID, IP addresses, and so on) and the triggering group-by values of the signal. Security rules can also use webhooks to send notifications to third-party services. Since data sent to Datadog may contain sensitive information, this document goes over those notification features and what to do if you do not want users to have access to these features.
+Datadog generates a security signal when at least one case defined in a detection rule is matched over a given period of time. You can customize detection rules to provide notification messages that contain specific information about the signal (for example, user ID, IP addresses, and so on) and the triggering group-by values of the signal. Security rules can also use webhooks to send notifications to third-party services.
+
+Because data sent to Datadog may contain sensitive information, this document goes over those notification features and what to do if you do not want your users to have access to these features.
 ## Security rules can use message template variables
@@ -29,31 +29,34 @@ When you create a detection rule you can customize the notification message with
 "ip": "1.2.3.4"
 }
 },
- "usr": {
+ "user": {
 "id": "user@domain.com"
 },
 "used_mfa": "false"
 }
 ```
-Using `{{@network.client.ip}}` in the notification message displays the IP addresses associated with the signal.
+Using `{{@network.client.ip}}` in the notification message would display the IP address associated with the signal.
-Contact [support][2] if you do not want users to be able to add template variables to notification messages.
+Contact [support][2] if you want to prevent users from adding template variables to notification messages.
 ## Security rules can include triggering group-by values in the notification title
-In the **Describe your playbook** section for [log detection rules][3] and [signal correlation rules][4], you can add group-by values in the notification title. For example, if you are grouping by `service`, the service name shows in the title. Uncheck **Include triggering group-by values in notification title** to opt out of adding triggering group-by values to the title.
+In the **Describe your playbook** sections for [log detection rules][3] and [signal correlation rules][4], you can add group-by values in the notification title. For example, if you are grouping by `service`, the service name shows in the title. Uncheck **Include triggering group-by values in notification title** to prevent group-by values from appearing in the title.
-Contact [support][2] If you do not want to have the **Include triggering group-by values in notification title** option available.
+Contact [support][2] if you want to remove the **Include triggering group-by values in notification title** option.
 ## Security rules can use webhooks
-
If your organization had HIPAA enabled in 2024 or earlier, you may have to reach out to Datadog support to enable webhooks for security rules.
+
If your organization had HIPAA enabled in 2024 or earlier, reach out to Datadog support to enable webhooks for security rules.
+
+Security notifications can be sent to [integrations][5], such as Jira, PagerDuty, and [webhooks][6]. Contact [support][2] to prevent users from sending notifications to third-party services using webhooks.
-Security notifications can be sent to [integrations][5], such as Jira, PagerDuty, and [webhooks][6]. Contact [support][2] if you do not want users to be able to send notifications to a third-party service using webhooks.
+## Further reading
+{{< partial name="whats-next/whats-next.html" >}}
 [1]: /security/notifications/variables/?tab=cloudsiem#template-variables
 [2]: /help/
-[3]: /security/cloud_siem/log_detection_rules/?tab=threshold#say-whats-happening
-[4]: /security/cloud_siem/signal_correlation_rules#say-whats-happening
+[3]: /security/cloud_siem/log_detection_rules/?tab=threshold#describe-your-playbook
+[4]: /security/cloud_siem/signal_correlation_rules#describe-your-playbook
 [5]: /security/notifications/#integrations
 [6]: /integrations/webhooks/
\ No newline at end of file
diff --git a/content/en/security/cloud_siem/detection_rules/_index.md b/content/en/security/cloud_siem/detection_rules/_index.md
index f22358330c581..25e2ce405031f 100644
--- a/content/en/security/cloud_siem/detection_rules/_index.md
+++ b/content/en/security/cloud_siem/detection_rules/_index.md
@@ -394,7 +394,7 @@ Use the **Tag resulting signals** dropdown menu to add tags to your signals. For
 **Note**: the tag `security` is special. This tag is used to classify the security signal. The recommended options are: `attack`, `threat-intel`, `compliance`, `anomaly`, and `data-leak`.
-See [Cloud SIEM Data Security ][7] for more information on using message template variables, group-by values in the notification title, and webhooks.
+See [Cloud SIEM Data Security][7] for more information on securely using message template variables, group-by values in the notification title, and webhooks.
 ## Suppression rules
From 5890046d84fd33e80a3422728e02e70d2cc08be9 Mon Sep 17 00:00:00 2001
From: May Lee
Date: Wed, 20 Aug 2025 17:10:59 -0400
Subject: [PATCH 8/9] Update content/en/security/cloud_siem/detection_rules/signal_correlation_rules.md
Co-authored-by: Janine Chan <64388808+janine-c@users.noreply.github.com>
---
 .../cloud_siem/detection_rules/signal_correlation_rules.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/en/security/cloud_siem/detection_rules/signal_correlation_rules.md b/content/en/security/cloud_siem/detection_rules/signal_correlation_rules.md
index 58684c4437294..8ff7f04ccc250 100644
--- a/content/en/security/cloud_siem/detection_rules/signal_correlation_rules.md
+++ b/content/en/security/cloud_siem/detection_rules/signal_correlation_rules.md
@@ -70,7 +70,7 @@ Use the **Tag resulting signals** dropdown menu to add tags to your signals. For
 **Note**: the tag `security` is special. This tag is used to classify the security signal. The recommended options are: `attack`, `threat-intel`, `compliance`, `anomaly`, and `data-leak`.
-See [Cloud SIEM Data Security ][2] for more information on using message template variables, group-by values in the notification title, and webhooks.
+See [Cloud SIEM Data Security][2] for more information on securely using message template variables, group-by values in the notification title, and webhooks.
 ## Further reading
From 8c063d55d9815ce8297a609f5aa6bbfb70cf0a02 Mon Sep 17 00:00:00 2001
From: May Lee
Date: Wed, 20 Aug 2025 17:13:21 -0400
Subject: [PATCH 9/9] fix nav
---
 config/_default/menus/main.en.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/config/_default/menus/main.en.yaml b/config/_default/menus/main.en.yaml
index 0babe607011f0..18839d5823fdb 100644
--- a/config/_default/menus/main.en.yaml
+++ b/config/_default/menus/main.en.yaml
@@ -8065,7 +8065,7 @@ menu:
 identifier: data_security_guide
 url: data_security/guide/
 parent: data_security
- weight: 9
+ weight: 11
 - name: Help
 url: help/
 pre: info-fill