Back

Datadog SIEM: The Basics and a Quick Tutorial

Coralogix team
Coralogix Team Aug 12, 2024
5 mins read

Key Features of Datadog Cloud SIEM 

Datadog Cloud SIEM provides the following capabilities.

Visualization and Insights

Datadog Cloud SIEM’s visualization tools enable security teams to gain deep insights into their security data. The platform uses intuitive graph-based visualizations to display security insights and activity across cloud environments. Security professionals can view more than 15 months of historical data, allowing for detailed root cause analysis of suspicious activity. 

By connecting users and resources to security logs and telemetry, it offers context to better assess risk and urgency. These visualizations help in identifying trends and patterns that may indicate security threats.

Centralized Security Data

The platform ingests, normalizes, and enriches logs and third-party security alerts, ensuring that all relevant data is consolidated into a single, accessible location. With over 750 integrations, Datadog Cloud SIEM offers visibility into all network traffic, identity providers, endpoints, and SaaS applications. 

This centralized approach enables easier collaboration among security, development, and operations teams through integrations with ticketing portals, chat systems, and remediation tools. Unifying security data improves the ability to detect, investigate, and respond to threats.

Threat Detection and Response

Datadog Cloud SIEM can detect and respond to threats across dynamic environments. The platform is supported by a dedicated Datadog Security Research team that maintains over 400 detections, continuously updating them to address new and emerging threats. 

Using built-in threat intelligence and aligned with the MITRE ATT&CK framework, the platform provides extensive threat detection capabilities. Security teams can create custom detection rules tailored to their needs, ensuring coverage of potential attack vectors. 

Automation and Case Management

The platform automates routine security tasks and remediation processes through pre-configured workflows, reducing the manual effort required by security teams. With over 300 actions available to orchestrate security processes, it allows for customization of workflows to meet organizational needs. 

The Case Management feature supports the automatic or on-demand creation of cases, supporting collaborative and centralized investigations. By sharing visibility into rich observability context, teams can accelerate their response to security incidents, reducing the overall operational overhead.

Datadog Cloud SIEM Pricing

The platform’s pricing starts at $5 per million events analyzed, per month. This base price allows organizations to access Datadog Cloud SIEM’s security features without incurring prohibitive costs. Datadog Cloud SIEM also supports annual and on-demand billing options, providing further flexibility for budgeting and financial planning.

It’s important to note that workflows are billed separately, which helps ensure that organizations only pay for the automation features they actually use. This modular approach to pricing allows for customization based on the scale of the organization’s security operations. 

Learn more in our detailed guide to Datadog pricing 

Quick Tutorial: Getting Started with Datadog Cloud SIEM 

Here’s an overview of how to use Datadog Cloud SIEM.

Setup

To get started with Cloud SIEM:

  1. Users first need to configure log ingestion. This involves collecting logs from various sources using out-of-the-box integration pipelines or creating custom log pipelines. Datadog Cloud SIEM supports hundreds of integrations, including cloud audit logs, identity provider logs, SaaS and workspace logs, and third-party security integrations like Amazon GuardDuty.
  2. Once log ingestion is configured, enable Cloud SIEM by selecting and configuring Content Packs. These packs provide out-of-the-box content for critical security log sources. Additionally, configure any other log sources that Cloud SIEM needs to analyze.
  3. After configuring the necessary settings, click on Activate to create a custom Cloud SIEM log index. 
  4. Ensure that the Cloud SIEM index is in the first position within the log configuration. If the setup page indicates that the index is not in the correct position, follow the steps to reorder it. This involves selecting the new position for the index and confirming the changes. 
  5. Once the index is correctly positioned, review and fix any warnings or errors for the Content Packs and other log sources.
Datadog SIEM

Source: Datadog

Exploring Signals

After setup: 

  1. Explore the out-of-the-box detection rules that start detecting threats in the environment immediately. These rules apply to all processed logs to maximize detection coverage. 
  2. Review the generated security signals to understand detected threats. 
  3. Configure notification rules to alert the team when signals are generated, using integrations such as Slack, Jira, email, and webhooks. 
  4. Additionally, subscribe to weekly threat digest reports to stay informed about the most important security threats discovered.

Investigating Signals

When a security signal alerts the team to suspicious activity, the investigation phase begins. Common questions during an investigation include:

  • Is the user accessing other accounts?
  • What actions did the user take around the specific time frame?
  • What actions were taken on a resource by the user?
  • What users have interacted with this resource?

For example, if a security signal indicates that an Amazon S3 bucket configuration was changed to be accessible by everyone, investigate who took this action and their recent activities to determine if credentials were compromised.

Datadog Cloud SIEM’s Investigator provides a graphical interface to switch from one affected entity to another, allowing users to visualize user behavior and its impact on the environment. To use Investigator:

  1. Go to the Security, then Cloud SIEM, and then select the Investigator tab.
  2. Choose an entity type, and explore the activities associated with the entity. 
  3. Use the interface to view related logs or filter actions for detailed analysis. 
  4. It is also possible to access the Investigator directly from a security signal panel for targeted investigations.

Coralogix: Ultimate Datadog SIEM Alternative

Coralogix sets itself apart in observability with its modern architecture, enabling real-time insights into logs, metrics, and traces with built-in cost optimization. Coralogix’s straightforward pricing covers all its platform offerings including APM, RUM, SIEM, infrastructure monitoring and much more. With unparalleled support that features less than 1 minute response times and 1 hour resolution times, Coralogix is a leading choice for thousands of organizations across the globe.

Learn more about the Coralogix platform

On this page

    Related articles