
URL: https://docs.datadoghq.com/bits_ai/bits_security_analyst/


Bits Security Analyst


Overview

Bits Security Analyst is an autonomous AI agent that investigates Cloud SIEM signals end to end. It queries security signals and logs, and uses data-based reasoning to help security engineers investigate threat alerts and make a recommendation on the verdict of each alert signal. By reducing manual effort and analyst fatigue, Bits Security Analyst makes security operations smoother and more efficient.

Key capabilities

Bits Security Analyst investigations are autonomous. If a detection rule is enabled, Bits AI autonomously investigates signals associated with it.

In the Cloud SIEM Signals Explorer, you can click the Bits Security Analyst tab to show only signals that Bits AI investigated. In the Severity column, the Bits AI status displays as Investigating until Bits AI marks the signal as either Benign or Suspicious.

When you click a row with a Bits AI investigation, the Bits AI Investigation side panel opens.

In the side panel, you can see Bits AI’s investigative findings, including:

  • Overall conclusion
  • Key evidence used to come to that conclusion
  • Investigative steps showing Bits AI’s data queries, including embedded results and links to full queries
  • Analysis on each investigative step

You can also take additional steps directly from the side panel:

  • Create a case with pre-populated Bits AI investigation results
  • Run a workflow with a SOAR blueprint
  • Declare an incident
  • Add a rule suppression
  • Archive the signal, or view the signal with the usual Cloud SIEM interface
  • Give Bits AI feedback on its analysis

Additionally, when you use Cloud SIEM notifications to send new signal alerts to Slack or Jira, Bits AI automatically updates those notifications. It includes replies showing the Bits AI investigative conclusion, with a link to the full investigation.

Supported sources

Bits AI can run investigations on the following Security log sources:

  • Amazon GuardDuty
    • Finding categories include anomalous IAM behavior, EC2 credential exfiltration and misuse, S3 data exposure, CloudTrail or S3 defense evasion, and attack sequences correlating IAM credential and S3 data compromise
  • AWS CloudTrail
  • Azure
  • GCP
  • Kubernetes
  • Microsoft Entra ID
  • Okta
  • Google Workspace
  • Microsoft 365
  • GitHub
  • Snowflake
  • SentinelOne
  • Email phishing

Set up Bits Security Analyst

Prerequisites

To use Bits Security Analyst:

  • Ensure your organization is using a non-legacy version of Cloud SIEM. If you need assistance, contact Datadog support.
  • To set up Bits Security Analyst, you need the Bits Security Analyst Config Write permission.
  • To view investigations, you must have 14 days or more of log history. If you have a shorter log history, you can still set up Bits Security Analyst, but won’t see any investigations until you have that much history.

Setup

When you enable Bits Security Analyst, Datadog analyzes your rules, including custom rules, to determine whether it can confidently investigate signals associated with them. For all eligible rules above medium severity, it starts autonomously investigating signals.

Rule eligibility depends on whether Datadog has built the investigation capability for the log source, and whether the Agent is able to investigate the specific rule. If you have new custom rules to evaluate, or want to ask about a rule that wasn’t made eligible, contact Datadog support.
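The gating described above (a per-rule eligibility decision, a minimum severity, and the optional signal query filter configured in the steps that follow) is easy to reason about with a small model. The following Python is an added illustration, not Datadog's implementation: the signal records, rule names and the `env` tag are constructed sample data, and the filter parser is an assumption about the general `key:value` / `-key:value` shape of a signal query, not Datadog's actual query grammar.

```python
"""Constructed model of how a severity floor, rule eligibility and a signal
query filter narrow which Cloud SIEM signals are picked up for autonomous
investigation. Not Datadog's code; all names and records are made up."""
from dataclasses import dataclass, field

# Ordering used to compare severities against the configured minimum.
SEVERITY_ORDER = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class Signal:
    rule_id: str
    source: str
    severity: str
    tags: dict = field(default_factory=dict)


def parse_filter(query: str):
    """Parse a simplified filter: whitespace-separated key:value terms that are
    AND-ed together; a leading '-' negates a term. This shape is an assumption
    for illustration only, not Datadog's real parser."""
    terms = []
    for tok in query.split():
        negate = tok.startswith("-")
        key, _, value = tok.lstrip("-").partition(":")
        if not key or not value:
            raise ValueError(f"malformed filter term: {tok!r}")
        terms.append((negate, key, value))
    return terms


def matches(signal: Signal, terms) -> bool:
    """True when every (possibly negated) term holds for the signal."""
    attrs = {
        "source": signal.source,
        "severity": signal.severity,
        "rule_id": signal.rule_id,
        **signal.tags,
    }
    for negate, key, value in terms:
        hit = str(attrs.get(key)) == value
        # A positive term must hit; a negated term must not.
        if hit == negate:
            return False
    return True


def select_for_investigation(signals, eligible_rules, min_severity="medium", query=""):
    """Return the signals an autonomous investigation would pick up: the rule
    must be eligible, severity must reach the floor, and the filter must match."""
    terms = parse_filter(query) if query else []
    floor = SEVERITY_ORDER[min_severity]
    return [
        s for s in signals
        if s.rule_id in eligible_rules
        and SEVERITY_ORDER[s.severity] >= floor
        and matches(s, terms)
    ]


# Constructed sample signals and a constructed eligibility set. "custom-rule-xyz"
# stands in for a custom rule that was not made eligible.
SAMPLE_SIGNALS = [
    Signal("guardduty-iam-anomaly", "guardduty", "high", {"env": "prod"}),
    Signal("cloudtrail-root-login", "cloudtrail", "critical", {"env": "prod"}),
    Signal("okta-mfa-fatigue", "okta", "medium", {"env": "staging"}),
    Signal("github-token-leak", "github", "low", {"env": "prod"}),
    Signal("custom-rule-xyz", "cloudtrail", "high", {"env": "prod"}),
]
ELIGIBLE_RULES = {
    "guardduty-iam-anomaly",
    "cloudtrail-root-login",
    "okta-mfa-fatigue",
    "github-token-leak",
}

if __name__ == "__main__":
    for s in select_for_investigation(SAMPLE_SIGNALS, ELIGIBLE_RULES, "high", "-source:cloudtrail"):
        print(s.rule_id, s.severity)
```

Raising the minimum severity or tightening the query filter shrinks the set; note that an ineligible custom rule is excluded regardless of severity, which is the case the text says to raise with Datadog support.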

  1. In Datadog, go to Security > Settings > Bits Security Analyst.

  2. Turn on the toggle to Enable Bits Security Analyst. Additional settings appear.

  3. (Optional) Configure which rules, and which signal severities, Bits Security Analyst automatically investigates. There are two ways to do so:

    • Click Rule Settings to configure investigations for individual rules. You can change the minimum severity for signals to be investigated, and enable or disable individual rules for investigation.
    • Click Query Filter to write a signal query filter, so Bits Security Analyst only investigates signals that match your filter.
  4. Some log sources require credentials to run or enhance investigations by accessing logs, telemetry, or other data that isn’t in Datadog. To add credentials, click Edit credentials. In the Select or Add Connection window that opens, follow the prompts to select an existing connection from Actions Catalog, or add a connection. Datadog securely stores and restricts all credentials using Actions Catalog.

    Some log sources require additional setup so you can create HTTP connections. Here’s an example:

Disable Bits Security Analyst

  1. In Datadog, go to Security > Settings > Bits Security Analyst.
  2. Scroll to the bottom of the page. Under Disable Bits Security Analyst, turn off the Enabled toggle.
    Disabling Bits Security Analyst permanently resets all configuration settings.

Further reading