[DOCS-11525] Update Cloud SIEM landing page #30784
base: master
Conversation
Threats are surfaced in Datadog as Security Signals and can be correlated and triaged in the [Security Signals Explorer][1]. Security Signals are generated by Datadog Cloud SIEM with [Detection Rules][2]. Detection Rules detect threats across different sources and are available out of the box for immediate use. You can clone any of the provided detection rules to change the configuration. You can also add a [new rule][3] from scratch to fit your specific use case.
To keep your team on top of the latest attacks, Datadog also has a team of threat researchers who analyze petabytes of telemetry across cloud and on-premises systems to identify emerging threats and attacker behaviors. See Datadog Security Labs to read articles about their recent investigations.
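Review bot: "Detection Rules detect threats across different sources" in the first paragraph repeats the noun as its own verb; consider "Detection rules cover multiple log sources and are available out of the box for immediate use." The same paragraph also mixes capitalised "Detection Rules" and "Security Signals" with lower-case "detection rules" in the next sentence ("clone any of the provided detection rules"), so pick one form for the product terms.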
Need a link for "Datadog Security Labs": https://securitylabs.datadoghq.com/
updated
Cloud SIEM embeds both cloud and on-premises telemetry directly into security workflows to accelerate investigation and response. And with a shared platform that brings DevOps and Security teams together, organizations can break down silos and respond to threats collaboratively and efficiently.
### Flexible cost control
@jnhunsberger What do you think about changing this title to "Scalable security logs cost control" or "Cost-efficient security logs ingestion"?
### Log search and analysis

Build searches in the Log Explorer using facets or by clicking fields directly in the logs. Or use Bits AI and natural language search to find important security events. With built-in group-by and table lookup functions as well as pattern analysis and visualizations, security teams can get security insights from their data. See [Log Search Syntax][10] for more information.
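Review bot: the second sentence, "Or use Bits AI and natural language search to find important security events.", is a fragment opening with a conjunction; fold it into the previous sentence: "Build searches in the Log Explorer using facets or by clicking fields directly in the logs, or use Bits AI and natural language search to find important security events."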
@jnhunsberger Should we link to the Log Explorer doc as well? https://docs.datadoghq.com/logs/explorer/
Yes
#### Mean Time to Respond to Signals

See KPIs of how quickly your team responds. Sets a signal to `under review` or `archive` by signal severity.
> Sets a signal to `under review` or `archive` by signal severity.

@jnhunsberger I'm kind of confused by this sentence... who or what sets the signal to `under review` or `archive`?
Left several comments
## Cloud SIEM Overview page

Navigate to the [Cloud SIEM Overview dashboard][3]. Use this dashboard to see key security insights and act on common workflows for security analysts, security and detection engineers, and Security Operations Center (SOC) managers. From the Overview page, you can:
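Review bot: the link reference [3] is used for two different targets on this page: "add a [new rule][3]" in the first section and "[Cloud SIEM Overview dashboard][3]" here. One of the two resolves to the wrong URL; give the overview page its own reference index and check the reference list at the bottom of the file.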
The overview page is not a dashboard per se. I recommend changing the two references to `dashboard` to `page`.
Updated
- Complete onboarding tasks and review content‑pack health.
- View and investigate top signals by geography or ISP.
- Analyze signals and rules by MITRE ATT&CK tactics.
- Track detection performance (MTTD, false‑positive rates).
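Review bot: "content‑pack" and "false‑positive" in this list use a non-breaking hyphen (U+2011) rather than the ASCII hyphen used elsewhere on the page ("on-premises" in the Cloud SIEM paragraph, "high-risk" in the later list). Replace them with ASCII hyphens so the source stays consistent and searchable.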
should we spell out MTTD (mean time to detect)?
Yes, good catch
#### Rules by false positive rate

See which rules are the noisiest by calculating the percentage of signals that are marked as false positive out of all the signals generated by a rule. Click on a rule to view signals for that rule in the Signal Explorer.
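Review bot: "Signal Explorer" at the end of this paragraph does not match the name used in the first section, "[Security Signals Explorer][1]"; use one name throughout and link it here too so the reader can get from the false-positive list to the explorer.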
Can we please add in the Diver Deeper section from the Google Doc here?
Mostly formatting suggestions, all optional!
Navigate to the [Cloud SIEM Overview page][3]. Use this page to see key security insights and act on common workflows for security analysts, security and detection engineers, and Security Operations Center (SOC) managers. From the Overview page, you can:
- Access important signals, open cases, and high-risk entities.
- Complete onboarding tasks and review content‑pack health.
- View and investigate top signals by geography or ISP.
Does ISP need to be spelled out or is it a standard acronym in Security?
See the [Getting Started Guide][4] for more detailed setup instructions.

## Cloud SIEM Overview page
May be outside the scope of this, but I think this could be its own page if you're going to give a thorough breakdown.
Yes, I was thinking maybe after the full restructure, we could think about moving this to its own page.
{{< /learning-center-callout >}}

## Overview

Datadog Cloud SIEM (Security Information and Event Management) unifies developer, operation, and security teams on one platform. Use a single dashboard to display DevOps content, business metrics, and security insights. Cloud SIEM detects threats to your applications and infrastructure, such as targeted attacks, communications from threat intel-listed IP addresses, and insecure configurations, in real time. Notify your team of these security issues by email, Slack, Jira, PagerDuty, or webhooks.
Datadog Cloud SIEM (Security Information and Event Management) is a security data analysis and correlation system. It enables your entire security operations team to view, detect, investigate, and respond to security issues. Leveraging Datadog's scalable platform, Cloud SIEM ingests telemetry from both cloud and on‑premises systems using the Datadog Agent and API-based integrations.
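Review bot: the replacement paragraph drops two points the original made: that Cloud SIEM notifies the team through email, Slack, Jira, PagerDuty, or webhooks, and the concrete examples of what is detected (targeted attacks, communications from threat intel-listed IP addresses, insecure configurations). If those now live in another section of the page that is fine; otherwise keep one sentence on notification channels, since it is the part readers use to decide whether the product fits their on-call flow. Also, "on‑premises" in the new line uses a non-breaking hyphen (U+2011) while the earlier "cloud and on-premises telemetry" paragraph uses an ASCII hyphen.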
Datadog Cloud SIEM (Security Information and Event Management) is a security data analysis and correlation system. It enables your entire security operations team to view, detect, investigate, and respond to security issues. Leveraging Datadog's scalable platform, Cloud SIEM ingests telemetry from both cloud and on‑premises systems using the Datadog Agent and API-based integrations.
Datadog Cloud SIEM (Security Information and Event Management) is a security data analysis and correlation system. It enables your entire security operations team to view, detect, investigate, and respond to security issues. Leveraging Datadog's scalable platform, Cloud SIEM ingests telemetry from both cloud and on‑premises systems through the Datadog Agent and API-based integrations.
Co-authored-by: Esther Kim <[email protected]>