VOOZH about

URL: https://docs.datadoghq.com/security/detection_rules/

⇱ Detection Rules

For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/detection_rules.md. A documentation index is available at /llms.txt.

Detection Rules

Available for:

Cloud SIEM | Cloud Security | App and API Protection | Workload Protection

Detection rules define conditional logic that is applied to all ingested logs and cloud configurations. When at least one case defined in a rule is matched over a given period of time, a security signal is generated. You can view these signals in the Signals Explorer.

Out-of-the-box detection rules

Datadog provides out-of-the-box detection rules to flag attacker techniques and potential misconfigurations. When new detection rules are released, they are automatically imported into your account, your App and API Protection library, and the Agent, depending on your configuration.

Out-of-the box rules are available for the following security products:

MITRE ATT&CK map

Available for:

Cloud SIEM | App and API Protection | Workload Protection

MITRE ATT&CK is a framework that helps organizations understand how cyber attackers operate. It maps the following:

  • Tactics: The “why” of an attack. These are the high-level goals, like gaining initial access, executing malicious code, or stealing data.
  • Techniques: The “how” of an attack. These are the specific actions an attacker takes to achieve a tactic, like using phishing to get into a system or exploiting a vulnerability in software.

By mapping tactics and techniques, MITRE ATT&CK provides security teams with a common language to communicate threats and better prepare defenses.

To use the MITRE ATT&CK map, do the following:

  1. Open Detection Rules in SIEM or Workload Protection.
  2. Select MITRE ATT&CK map.
  3. Select one of more products in the filter .
  4. Review the map for the following:
    • Assessing Coverage: Determine which attack techniques are well-covered and which are under-monitored.
    • Prioritizing Rule Creation: Focus on creating detection rules for techniques with low or no coverage.
    • Streamlining Rule Management: Manage and update detection rules, ensuring they align with the latest threat intelligence. The MITRE ATT&CK map available in SIEM or Workload Protection, but you can select Application and API Protection in the filter. Application and API Protection is included in the MITRE ATT&CK map for all-inclusive security coverage.

Beta detection rules

Datadog’s Security Research team continually adds new OOTB security detection rules. While the aim is to deliver high quality detections with the release of integrations or other new features, the performance of the detection at scale often needs to be observed before making the rule generally available. This gives Datadog’s Security Research the time to either refine or deprecate detection opportunities that do not meet our standards.

Custom detection rules

There may be situations where you need to customize a rule based on your environment or workload. For example, if you’re using AAP, you may want to customize a detection rule that detects users performing sensitive actions from a geolocation where your business doesn’t operate.

To create custom rules, you can clone the default rules and edit the copies, or create your own rules from scratch.

Search and filter detection rules

To view out-of-the-box and custom detection rules in Datadog, navigate to the Security Settings page. Rules are listed on separate pages for each product (App and API Protection, Cloud Security, and Cloud SIEM).

To search and filter the rules, use the search box and facets to query by value. For example, to only show rules for a given rule type, hover over the rule type and select only. You can also filter by facets such as source and severity when investigating and triaging incoming issues.

Create detection rules

To create a custom detection rule, click the New Rule button in the upper-right corner of the Detection Rules page. You can also clone an existing default or custom rule and use it as a template.

For detailed instructions, see the following articles:

Manage detection rules

You can manage detection rules from both the SIEM or Workload Protection pages in Datadog. These instructions describe how to perform these actions from those pages, but these options are also available when you click on a detection rule to open it in a side panel.

Enable or disable rules

To enable or disable a rule, toggle the switch to the right of the rule name.

You can also bulk enable or disable rules:

  1. Click Select Rules.
  2. Select the rules you want to enable or disable.
  3. Click the Bulk Actions dropdown menu.
  4. Select Enable Rules or Disable Rules.

Edit a rule

You can edit out-of-the-box and custom detection rules. If you want to preserve the original rule instead of editing it directly, you can clone the rule, make changes to the cloned rule, and disable the original rule.

To edit a rule, click the vertical three-dot menu for the rule and select Edit default rule or Edit rule, depending on the rule type.

Clone a rule

To clone a rule, click the vertical three-dot menu for the rule and select Clone rule.

Cloning a rule is helpful if you wish to duplicate an existing rule and lightly modify settings to cover other areas of detection. For example, you could duplicate a log detection rule and modify it from Threshold to Anomaly to add a new dimension to threat detection using the same queries and triggers.

Delete a rule

To delete a rule, click the vertical three-dot menu for the rule and select Delete rule.

You can also bulk delete rules:

  1. Click Select Rules.
  2. Select the rules you want to delete.
  3. Click the Bulk Actions dropdown menu.
  4. Select Delete Rules.

See the version history for a rule

Use Rule Version History to:

  • See past versions of a detection rule and understand the changes over time.
  • See who made the changes for improved collaboration.
  • Compare versions with diffs to analyze the modifications and impact of the changes.

To see the version history of a rule:

  1. Navigate to the Security Settings page. In the left navigation panel:
    • For AAP: Click App and API Protection and then click Detection Rules.
    • For Cloud Security: Click Cloud Security and then click Threat Detection Rules.
    • For Cloud SIEM: Click Cloud SIEM and then click Detection Rules.
  2. Click on the rule you are interested in, then click Edit rule.
  3. In the rule editor, click Version History to see past changes:
    • Click a specific version to see what changes were made.
    • Click Open Version Comparison to see what changed between versions, then select the two versions you want to compare. Click Unified if you want to see the comparison in the same panel.
      • Data highlighted in red indicates data that was modified or removed.
      • Data highlighted in green indicates data that was added.

Restrict edit permissions

By default, all users have view and edit access to the detection rules. To use granular access controls to limit the roles that may edit a single rule:

  1. Click the vertical three-dot menu for the rule and select Permissions.
  2. Click Restrict Access. The dialog box updates to show that members of your organization have Viewer access by default. Use that dropdown menu to select one or more roles, teams, or users that may edit the security rule.
  3. Use the dropdown menu to select one or more roles, teams, or users that may edit the security rule.
  4. Click Add.
  5. Click Save.

Note: To maintain your edit access to the rule, Datadog requires you to include at least one role that you are a member of before saving.

To restore access to a rule:

  1. Click the vertical three-dot menu for the rule and select Permissions.
  2. Click Restore Full Access.
  3. Click Save.

View generated signals

To view the security signals for a rule in the Signals Explorer, click the vertical three-dot menu and select View generated signals. This is useful when correlating signals across multiple sources by rule, or when completing an audit of rules.

Export a rule

To export a copy of a rule, click the rule to open it in the side panel. Click Export, then select either Export rule to JSON or Export rule to Terraform.

You can also bulk export rules:

  1. Click Select Rules.
  2. Select the rules you want to export.
  3. Click the Bulk Actions dropdown menu.
  4. Select either Export to JSON or Export to Terraform.

Rule deprecation

Regular audits of all detection rules are performed to maintain high fidelity signal quality. Deprecated rules are replaced with an improved rule.

The rule deprecation process is as follows:

  • There is a warning with the deprecation date on the rule. In the UI, the warning is shown in the:
    • Signal side panel’s Rule Details > Playbook section
    • Misconfigurations side panel (Cloud Security Misconfigurations only)
    • Rule editor for that specific rule
  • After the rule is deprecated, there is a 15 month period before the rule is deleted. This is due to the signal retention period of 15 months. During this time, you can re-enable the rule by cloning the rule in the UI.
  • After the rule is deleted, you can no longer clone and re-enable it.

Further reading