diff --git a/content/en/developers/integrations/create-a-cloud-siem-detection-rule.md b/content/en/developers/integrations/create-a-cloud-siem-detection-rule.md index 854e4b564dd..fa78e9e1222 100644 --- a/content/en/developers/integrations/create-a-cloud-siem-detection-rule.md +++ b/content/en/developers/integrations/create-a-cloud-siem-detection-rule.md @@ -38,9 +38,9 @@ Within your integration in the Integration Developer Platform, navigate to the C ## Verify your detection rule in production -To see the out-of-the-box detection rule, the relevant integration tile must be `Installed` in Datadog, and Cloud SIEM must be enabled. +To see the out-of-the-box detection rule, the relevant integration tile must be `Installed` in Datadog, and Cloud SIEM must be enabled. -1. Find your detection rule in the [Detection Rules list][2], and click to expand it. +1. Find your detection rule in the [Detection Rules list][2], and click to expand it. 2. Ensure that its logos render correctly. 3. Verify that the rule is enabled. @@ -68,7 +68,7 @@ This error means that the JSON located at `` is considered invalid JS ``` partnerRuleId is empty for rule name="" - partnerRuleId= is available ``` -A `partnerRuleId` is required for each rule and is missing. Use the generated ``. +A `partnerRuleId` is required for each rule and is missing. Use the generated ``. ``` partnerRuleId= is in the incorrect format for rule name="", it must follow the format=^[a-z0-9]{3}-[a-z0-9]{3}-[a-z0-9]{3}$ - partnerRuleId= is available 
@@ -130,9 +130,9 @@ Reach out to Datadog to address the issue. {{< partial name="whats-next/whats-next.html" >}} [1]: https://docs.datadoghq.com/security/cloud_siem/ -[2]: https://app.datadoghq.com/security/rules?deprecated=hide&groupBy=tactic&product=siem&sort=rule_name +[2]: https://app.datadoghq.com/security/siem/rules?deprecated=hide&groupBy=tactic&product=siem&sort=rule_name [3]: https://docs.datadoghq.com/developers/integrations/agent_integration/ -[4]: https://app.datadoghq.com/security/rules/new?product=siem -[5]: https://github.com/DataDog/integrations-extras +[4]: https://app.datadoghq.com/security/siem/rules/new?product=siem +[5]: https://github.com/DataDog/integrations-extras [6]: https://github.com/DataDog/marketplace [7]: https://docs.datadoghq.com/security/cloud_siem/detection_rules diff --git a/content/en/getting_started/security/cloud_siem.md b/content/en/getting_started/security/cloud_siem.md index 9c39249dc5a..50172e52d54 100644 --- a/content/en/getting_started/security/cloud_siem.md +++ b/content/en/getting_started/security/cloud_siem.md @@ -127,7 +127,7 @@ Contact [support][26] to disable Cloud SIEM. [6]: https://www.datadoghq.com/blog/monitoring-cloudtrail-logs/ [7]: https://www.datadoghq.com/blog/how-to-monitor-authentication-logs/ [8]: https://app.datadoghq.com/security/landing -[9]: https://app.datadoghq.com/security/content-packs +[9]: https://app.datadoghq.com/security/siem/content-packs [10]: https://app.datadoghq.com/security/configuration/siem/log-sources [11]: https://app.datadoghq.com/security/configuration/siem/setup [12]: /security/default_rules/#cat-cloud-siem-log-detection 
@@ -137,7 +137,7 @@ Contact [support][26] to disable Cloud SIEM. [16]: https://app.datadoghq.com/security/configuration/notification-rules [17]: /security/notifications/rules/ [18]: https://app.datadoghq.com/security/configuration/reports -[19]: https://app.datadoghq.com/security/investigator/ +[19]: https://app.datadoghq.com/security/siem/investigator/ [20]: /security/cloud_siem/triage_and_investigate/investigator [21]: https://app.datadoghq.com/dashboard/lists/preset/100 [22]: /dashboards/#overview diff --git a/content/en/security/cloud_siem/_index.md b/content/en/security/cloud_siem/_index.md index d59f86f4ebc..1203c382f04 100644 --- a/content/en/security/cloud_siem/_index.md +++ b/content/en/security/cloud_siem/_index.md @@ -71,7 +71,7 @@ Cloud SIEM embeds both cloud and on-premises telemetry directly into security wo ### Flexible cost control for security data -As your organization scales, controlling the ingestion cost of security logs without compromising visibility is critical. Cloud SIEM is integrated with Datadog Log Management so you can choose the appropriate retention and querying capability for your security logs. This flexibility helps you balance cost efficiency with your threat detection needs. +As your organization scales, controlling the ingestion cost of security logs without compromising visibility is critical. Cloud SIEM is integrated with Datadog Log Management so you can choose the appropriate retention and querying capability for your security logs. This flexibility helps you balance cost efficiency with your threat detection needs. Store logs using one of the available options: - [Standard indexing][6] for logs that need to be queried frequently with the most compute. 
@@ -263,7 +263,7 @@ See which rules are the noisiest by calculating the percentage of signals that a [1]: https://securitylabs.datadoghq.com/ [2]: https://www.datadoghq.com/product/cloud-siem/ -[3]: https://app.datadoghq.com/security/home? +[3]: https://app.datadoghq.com/security/siem/home? [4]: /getting_started/security/cloud_siem/ [5]: /security/cloud_siem/investigate_security_signals/#case-management [6]: /logs/log_configuration/indexes diff --git a/content/en/security/cloud_siem/detect_and_monitor/custom_detection_rules/_index.md b/content/en/security/cloud_siem/detect_and_monitor/custom_detection_rules/_index.md index 7518caf8540..551df95dbc0 100644 --- a/content/en/security/cloud_siem/detect_and_monitor/custom_detection_rules/_index.md +++ b/content/en/security/cloud_siem/detect_and_monitor/custom_detection_rules/_index.md @@ -87,7 +87,7 @@ Use unit testing to test your rules against sample logs and make sure the detect {{< partial name="whats-next/whats-next.html" >}} [1]: /security/cloud_siem/detect_and_monitor/custom_detection_rules/create_rule/real_time_rule/ -[2]: https://app.datadoghq.com/security/rules +[2]: https://app.datadoghq.com/security/siem/rules [3]: /security/cloud_siem/detect_and_monitor/custom_detection_rules/threshold/ [4]: /security/cloud_siem/detect_and_monitor/custom_detection_rules/new_value/ [5]: /security/cloud_siem/detect_and_monitor/custom_detection_rules/anomaly/ diff --git a/content/en/security/cloud_siem/detect_and_monitor/custom_detection_rules/create_rule/historical_job.md b/content/en/security/cloud_siem/detect_and_monitor/custom_detection_rules/create_rule/historical_job.md index f01cc568b5f..d78fa24ad2a 100644 --- a/content/en/security/cloud_siem/detect_and_monitor/custom_detection_rules/create_rule/historical_job.md +++ b/content/en/security/cloud_siem/detect_and_monitor/custom_detection_rules/create_rule/historical_job.md 
@@ -238,5 +238,5 @@ Click **Add Root Query** to add additional queries. {{% security-rule-say-whats-happening %}} -[1]: https://app.datadoghq.com/security/rules/new +[1]: https://app.datadoghq.com/security/siem/rules/new [2]: /security_platform/notifications/#notification-channels \ No newline at end of file diff --git a/content/en/security/cloud_siem/detect_and_monitor/custom_detection_rules/create_rule/real_time_rule.md b/content/en/security/cloud_siem/detect_and_monitor/custom_detection_rules/create_rule/real_time_rule.md index 7c4171070b1..5df48210542 100644 --- a/content/en/security/cloud_siem/detect_and_monitor/custom_detection_rules/create_rule/real_time_rule.md +++ b/content/en/security/cloud_siem/detect_and_monitor/custom_detection_rules/create_rule/real_time_rule.md @@ -343,4 +343,4 @@ In the **Preview detection** section, check the steps, transitions, and time win {{% cloud_siem/create_suppression %}} -[1]: https://app.datadoghq.com/security/rules/new \ No newline at end of file +[1]: https://app.datadoghq.com/security/siem/rules/new \ No newline at end of file diff --git a/content/en/security/cloud_siem/detect_and_monitor/historical_jobs.md b/content/en/security/cloud_siem/detect_and_monitor/historical_jobs.md index b819dc82018..8977c7726e4 100644 --- a/content/en/security/cloud_siem/detect_and_monitor/historical_jobs.md +++ b/content/en/security/cloud_siem/detect_and_monitor/historical_jobs.md 
@@ -73,9 +73,9 @@ See [Calculated Fields Formulas][5] for the available functions and operators. {{< partial name="whats-next/whats-next.html" >}} -[1]: https://app.datadoghq.com/security/rules +[1]: https://app.datadoghq.com/security/siem/rules [2]: https://app.datadoghq.com/security/configuration/siem/rules/new-job?product=siem -[3]: https://app.datadoghq.com/security/detections/historical-jobs +[3]: https://app.datadoghq.com/security/siem/detections/historical-jobs [4]: /logs/explorer/calculated_fields/ [5]: /logs/explorer/calculated_fields/formulas/ [6]: https://app.datadoghq.com/security/configuration/siem/rules/new-job?product=siem#rule-editor-define-queries diff --git a/content/en/security/cloud_siem/detect_and_monitor/mitre_attack_map.md b/content/en/security/cloud_siem/detect_and_monitor/mitre_attack_map.md index 954c5282f56..84bcd090b3b 100644 --- a/content/en/security/cloud_siem/detect_and_monitor/mitre_attack_map.md +++ b/content/en/security/cloud_siem/detect_and_monitor/mitre_attack_map.md @@ -62,7 +62,7 @@ This is an example of the format you need to use for tagging custom rules and th {{< partial name="whats-next/whats-next.html" >}} -[1]: https://app.datadoghq.com/security/rules +[1]: https://app.datadoghq.com/security/siem/rules [2]: https://docs.datadoghq.com/security/cloud_siem/guide/how-to-setup-security-filters-using-cloud-siem-api/ -[3]: https://app.datadoghq.com/security/rules?query=product=siem&sort=date&viz=attck-map +[3]: https://app.datadoghq.com/security/siem/rules?query=product=siem&sort=date&viz=attck-map [4]: https://docs.datadoghq.com/security/cloud_siem/detect_and_monitor/custom_detection_rules/?tab=threshold diff --git a/content/en/security/cloud_siem/detect_and_monitor/version_history.md b/content/en/security/cloud_siem/detect_and_monitor/version_history.md index 40b52d171fb..ce46840e762 100644 --- a/content/en/security/cloud_siem/detect_and_monitor/version_history.md 
+++ b/content/en/security/cloud_siem/detect_and_monitor/version_history.md @@ -34,4 +34,4 @@ To see the version history of a rule: {{< partial name="whats-next/whats-next.html" >}} -[1]: https://app.datadoghq.com/security/rules \ No newline at end of file +[1]: https://app.datadoghq.com/security/siem/rules \ No newline at end of file diff --git a/content/en/security/cloud_siem/ingest_and_enrich/_index.md b/content/en/security/cloud_siem/ingest_and_enrich/_index.md index 6c93f10b17e..f45492aa021 100644 --- a/content/en/security/cloud_siem/ingest_and_enrich/_index.md +++ b/content/en/security/cloud_siem/ingest_and_enrich/_index.md @@ -47,7 +47,7 @@ Datadog provides built-in [Threat Intelligence][5] for Cloud SIEM logs and also {{< partial name="whats-next/whats-next.html" >}} [1]: /security/cloud_siem/content_packs/ -[2]: https://app.datadoghq.com/security/content-packs +[2]: https://app.datadoghq.com/security/siem/content-packs [3]: /integrations/ [4]: /logs/log_collection/ [5]: /security/threat_intelligence/#threat-intelligence-sources diff --git a/content/en/security/cloud_siem/ingest_and_enrich/content_packs.md b/content/en/security/cloud_siem/ingest_and_enrich/content_packs.md index f8cc1150d66..c5a96217f25 100644 --- a/content/en/security/cloud_siem/ingest_and_enrich/content_packs.md +++ b/content/en/security/cloud_siem/ingest_and_enrich/content_packs.md @@ -49,7 +49,7 @@ further_reading: {{< partial name="whats-next/whats-next.html" >}} -[1]: https://app.datadoghq.com/security/content-packs +[1]: https://app.datadoghq.com/security/siem/content-packs [2]: /security/detection_rules/ [3]: /security/cloud_siem/triage_and_investigate/investigator [4]: /service_management/workflows/ \ No newline at end of file diff --git a/content/en/security/cloud_siem/triage_and_investigate/entities_and_risk_scoring.md b/content/en/security/cloud_siem/triage_and_investigate/entities_and_risk_scoring.md index 568f66be506..07f92d10298 100644 
--- a/content/en/security/cloud_siem/triage_and_investigate/entities_and_risk_scoring.md +++ b/content/en/security/cloud_siem/triage_and_investigate/entities_and_risk_scoring.md @@ -51,7 +51,7 @@ The **Next steps** section of the entity side panel includes the available mitig ## Risk scoring -An entity's risk score approximates the entity's risk level over the past 14 days of activity. +An entity's risk score approximates the entity's risk level over the past 14 days of activity. The risk score is calculated from the characteristics of the entity's associated signals, such as the severity level of the signal and how many times the signal has fired. @@ -87,6 +87,6 @@ The severity threshold of an entity is calculated by adding up the score impact [1]: /security/cloud_siem/guide/aws-config-guide-for-cloud-siem/ [2]: https://docs.datadoghq.com/security/cloud_security_management/setup [3]: https://app.datadoghq.com/security -[4]: https://app.datadoghq.com/security/entities +[4]: https://app.datadoghq.com/security/siem/risk-insights [5]: /security/cloud_siem/guide/google-cloud-config-guide-for-cloud-siem/ [6]: /security/cloud_siem/guide/azure-config-guide-for-cloud-siem/ diff --git a/content/en/security/cloud_siem/triage_and_investigate/investigate_security_signals.md b/content/en/security/cloud_siem/triage_and_investigate/investigate_security_signals.md index 508016ad428..20062058504 100644 --- a/content/en/security/cloud_siem/triage_and_investigate/investigate_security_signals.md +++ b/content/en/security/cloud_siem/triage_and_investigate/investigate_security_signals.md 
@@ -61,12 +61,12 @@ To view your signals by MITRE ATT&CK Tactic and Technique: 1. Click on a security signal from the table. 1. In the **What Happened** section, see the logs that matched the query. Hover over the query to see the query details. - You can also see specific information like username or network IP. In **Rule Details**, click the funnel icon to create a suppression rule or add the information to an existing suppression. See [Create suppression rule][11] for more details. -1. In the **Next Steps** section: +1. In the **Next Steps** section: a. Under **Triage**, click the dropdown to change the triage status of the signal. The default status is `OPEN`. - `Open`: Datadog Security triggered a detection based on a rule, and the resulting signal is not yet resolved. - `Under Review`: During an active investigation, change the triage status to `Under Review`. From the `Under Review` state, you can move the status to `Archived` or `Open` as needed. - `Archived`: When the detection that caused the signal has been resolved, update the status to `Archived`. When a signal is archived, you can give a reason and description for future reference. If an archived issue resurfaces, or if further investigation is necessary, the status can be changed back to `Open`. All signals are locked 30 days after they have been created. - b. Click **Assign Signal** to assign a signal to yourself or another Datadog user. + b. Click **Assign Signal** to assign a signal to yourself or another Datadog user. c. Under **Take Action**, you can create a case, declare an incident, edit suppressions, or run workflows. Creating a case automatically assigns the signal to you and sets the triage status to `Under Review`. {{< img src="security/security_monitoring/investigate_security_signals/signal_side_panel.png" alt="The signal side panel of a compromised AWS IAM user access key showing two IP addresses and their locations" style="width:90%;" >}} 
@@ -130,7 +130,7 @@ Click the **Logs** tab to view the logs related to the signal. Click **View All To investigate entities: 1. Click the **Entities** tab to see entities related to the signal, such as users or IP addresses. -1. Click the down arrow next to **View Related Logs** and: +1. Click the down arrow next to **View Related Logs** and: - Select **View IP Dashboard** to see more information about the IP address in the IP Investigation dashboard. - Select **View Related Signals** to open Signals Explorer and see the other signals associated with the IP address. 1. For cloud environment entities, such as an assumed role or IAM user, view the activity graph to see what other actions the user took. Click **View in Investigator** to go to the Investigator to see more details. @@ -209,7 +209,7 @@ You can also launch this query directly from the signal panel: [2]: /account_management/audit_trail/events/#cloud-security-platform-events [3]: /account_management/rbac/ [4]: /logs/explorer/saved_views/ -[5]: https://app.datadoghq.com/security/home +[5]: https://app.datadoghq.com/security/siem/home [6]: /service_management/case_management/ [7]: /service_management/incident_management/ [8]: /service_management/workflows/trigger/#trigger-a-workflow-from-a-security-signal diff --git a/content/en/security/cloud_siem/triage_and_investigate/investigator.md b/content/en/security/cloud_siem/triage_and_investigate/investigator.md index bafff22f476..ab5dbac7425 100644 --- a/content/en/security/cloud_siem/triage_and_investigate/investigator.md +++ b/content/en/security/cloud_siem/triage_and_investigate/investigator.md 
@@ -46,7 +46,7 @@ The Cloud SIEM Investigator provides a graphical interface for you to pivot from 4. Click on a node and select **View related logs** or **View related signals** to investigate further. Use the **Search for** dropdown menu to filter by actions. -[1]: https://app.datadoghq.com/security/investigator/aws +[1]: https://app.datadoghq.com/security/siem/investigator?provider=aws {{% /tab %}} @@ -60,7 +60,7 @@ The Cloud SIEM Investigator provides a graphical interface for you to pivot from 4. Click on a node and select **View related logs** or **View related signals** to investigate further. Use the **Search for** dropdown menu to filter by actions. -[1]: https://app.datadoghq.com/security/investigator/gcp +[1]: https://app.datadoghq.com/security/siem/investigator?provider=gcp {{% /tab %}} {{% tab "Azure" %}} @@ -73,7 +73,7 @@ The Cloud SIEM Investigator provides a graphical interface for you to pivot from 4. Click on a node and select **View related logs** or **View related signals** to investigate further. Use the **Search for** dropdown menu to filter by actions. -[1]: https://app.datadoghq.com/security/investigator/azure +[1]: https://app.datadoghq.com/security/siem/investigator?provider=azure {{% /tab %}} {{% tab "Datadog" %}} @@ -86,7 +86,7 @@ The Cloud SIEM Investigator provides a graphical interface for you to pivot from 4. Click on a node and select **View related Audit Trail** or **View related signals** to investigate further. Use the **Search for** dropdown menu to filter by actions. -[1]: https://app.datadoghq.com/security/investigator/datadog +[1]: https://app.datadoghq.com/security/siem/investigator?provider=datadog {{% /tab %}} {{< /tabs >}} diff --git a/content/en/security/detection_rules/_index.md b/content/en/security/detection_rules/_index.md index 7e14a6a8634..d2ad484bfe6 100644 --- a/content/en/security/detection_rules/_index.md +++ b/content/en/security/detection_rules/_index.md 
@@ -176,7 +176,7 @@ The rule deprecation process is as follows: 1. There is a warning with the deprecation date on the rule. In the UI, the warning is shown in the: - Signal side panel's **Rule Details > Playbook** section - Misconfigurations side panel (Cloud Security Misconfigurations only) - - [Rule editor][10] for that specific rule + - [Rule editor][10] for that specific rule 2. Once the rule is deprecated, there is a 15 month period before the rule is deleted. This is due to the signal retention period of 15 months. During this time, you can re-enable the rule by [cloning the rule](#clone-a-rule) in the UI. 3. Once the rule is deleted, you can no longer clone and re-enable it. @@ -199,6 +199,6 @@ The rule deprecation process is as follows: [13]: /security/cloud_security_management/misconfigurations/custom_rules [14]: /security/workload_protection/workload_security_rules?tab=host#create-custom-rules [15]: https://app.datadoghq.com/security/configuration/ -[16]: https://app.datadoghq.com/security/rules +[16]: https://app.datadoghq.com/security/siem/rules [17]: https://app.datadoghq.com/security/workload-protection/detection-rules diff --git a/content/en/security/suppressions.md b/content/en/security/suppressions.md index 8e2fbd4fab3..14051a9ffcb 100644 --- a/content/en/security/suppressions.md +++ b/content/en/security/suppressions.md 
@@ -55,7 +55,7 @@ The [suppression list][3] provides a centralized and organized way for you to ma 1. Select the detection rules you want to apply this suppression to. You can select multiple detection rules. 1. In the **Add Suppression Query** section, you have the option to enter suppression queries so that a signal is not generated when the values are met. For example, if a user `john.doe` is triggering a signal, but their actions are benign and you no longer want signals triggered from this user, input the log query: `@user.username:john.doe`. {{< img src="security/security_monitoring/suppressions/suppression_query.png" alt="The add suppression query with the query @user.username:john.doe" style="width:65%;" >}} - Suppression rule queries are based on **signal attributes**. + Suppression rule queries are based on **signal attributes**. 1. Additionally, you can add a log exclusion query to exclude logs from being analyzed. These queries are based on **log attributes**. **Note**: The legacy suppression was based on log exclusion queries, but it is now included in the suppression rule's **Add a suppression query** step. ### Restrict edit permissions @@ -69,5 +69,5 @@ The [suppression list][3] provides a centralized and organized way for you to ma [1]: https://app.datadoghq.com/security/configuration/siem/rules/new [2]: /security/detection_rules/ [3]: https://app.datadoghq.com/security/configuration/suppressions -[4]: https://app.datadoghq.com/security/rules +[4]: https://app.datadoghq.com/security/siem/rules [5]: /logs/explorer/facets/#log-side-panel
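Review bot: The trailing `?` on `[3]: https://app.datadoghq.com/security/siem/home?` in the `cloud_siem/_index.md` `@@ -263` hunk carries over an empty query string from the old URL; drop it so the reference reads `https://app.datadoghq.com/security/siem/home`.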
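Review bot: In the `historical_jobs.md` `@@ -73` hunk, `[2]` and `[6]` still point at `https://app.datadoghq.com/security/configuration/siem/rules/new-job?product=siem` while `[1]` and `[3]` on the same page were moved under `/security/siem/`; if those two are deliberately left on the configuration route, say so in the PR description, otherwise migrate them in the same change. Related: the `product=siem` query parameter kept on `[2]`/`[4]` in `create-a-cloud-siem-detection-rule.md` and on `[3]` in `mitre_attack_map.md` looks redundant now that `siem` is in the path, so confirm whether the new routes still read it before leaving it in.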
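Review bot: The "create rule" URL is now inconsistent across the touched files: `historical_job.md` `@@ -238` and `real_time_rule.md` `@@ -343` point `[1]` at `https://app.datadoghq.com/security/siem/rules/new`, while `suppressions.md` `[1]` (unchanged context in the `@@ -69` hunk) still points at `https://app.datadoghq.com/security/configuration/siem/rules/new`. Either both resolve and one should be chosen as canonical, or the suppressions link was missed.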
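Review bot: In the `entities_and_risk_scoring.md` `@@ -87` hunk, `[4]` changes from `https://app.datadoghq.com/security/entities` to `https://app.datadoghq.com/security/siem/risk-insights`, which is a different page name rather than a path-prefix move; check that the body text using `[4]` still names the destination correctly (Risk Insights rather than an entities list), and note that `[3]: https://app.datadoghq.com/security` in the same hunk was left untouched, so confirm it needs no migration.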
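Review bot: The four `investigator.md` hunks move the provider from a path segment to a query parameter (`/security/siem/investigator?provider=aws` and so on), while `getting_started/security/cloud_siem.md` `[19]` in the `@@ -137` hunk was rewritten as `https://app.datadoghq.com/security/siem/investigator/` with a trailing slash and no provider; pick one form for the bare investigator URL so the two pages do not drift, and verify that `?provider=` is actually honoured by the new route.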
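Review bot: `historical_job.md` `@@ -238`, `real_time_rule.md` `@@ -343`, `version_history.md` `@@ -34` and `content_packs.md` `@@ -49` all still end with `\ No newline at end of file` after the edit; since the last line of each file is being rewritten anyway, add the trailing newline here rather than leaving it for a later cleanup commit.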
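Review bot: Several hunks are trailing-whitespace-only changes unrelated to the URL migration (`create-a-cloud-siem-detection-rule.md` `@@ -38` and `@@ -68`, `cloud_siem/_index.md` `@@ -71`, `entities_and_risk_scoring.md` `@@ -51`, `investigate_security_signals.md` `@@ -61` and `@@ -130`, `detection_rules/_index.md` `@@ -176`, `suppressions.md` `@@ -55`); either mention them in the PR description or split them out so reviewers can see at a glance which lines change links. For the `investigate_security_signals.md` `@@ -61` hunk in particular, `1. In the **Next Steps** section:` and `b. Click **Assign Signal** ...` are followed by nested content, so if the removed characters were a two-space Markdown hard break, check the rendered preview to make sure the list layout did not change.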