Merged
File: (path not captured)
Expand Up @@ -38,9 +38,9 @@ Within your integration in the Integration Developer Platform, navigate to the C

## Verify your detection rule in production

To see the out-of-the-box detection rule, the relevant integration tile must be `Installed` in Datadog, and Cloud SIEM must be enabled.
To see the out-of-the-box detection rule, the relevant integration tile must be `Installed` in Datadog, and Cloud SIEM must be enabled.

1. Find your detection rule in the [Detection Rules list][2], and click to expand it.
1. Find your detection rule in the [Detection Rules list][2], and click to expand it.
2. Ensure that its logos render correctly.
3. Verify that the rule is enabled.

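Review bot: the changed pairs at `To see the out-of-the-box detection rule...` and `1. Find your detection rule...` are visually identical, so the edit here is whitespace or a non-printing character; confirm it is an intentional trailing-whitespace cleanup and say so in the commit message, since a stray non-breaking space would otherwise pass review unnoticed. The same applies to the other identical pairs in this PR (the `partnerRuleId` sentence, the `[5]` link, the cost-control paragraph, the risk-score sentence, the `Next Steps`, `Assign Signal` and `View Related Logs` list items, the `Rule editor` bullet and the `signal attributes` line).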
Expand Down Expand Up @@ -68,7 +68,7 @@ This error means that the JSON located at `<FILE_PATH>` is considered invalid JS
```
partnerRuleId is empty for rule name="<RULE_NAME>" - partnerRuleId=<NEW_RULE_ID> is available
```
A `partnerRuleId` is required for each rule and is missing. Use the generated `<NEW_RULE_ID>`.
A `partnerRuleId` is required for each rule and is missing. Use the generated `<NEW_RULE_ID>`.

```
partnerRuleId=<RULE_ID> is in the incorrect format for rule name="<RULE_NAME>", it must follow the format=^[a-z0-9]{3}-[a-z0-9]{3}-[a-z0-9]{3}$ - partnerRuleId=<NEW_RULE_ID> is available
Expand Down Expand Up @@ -130,9 +130,9 @@ Reach out to Datadog to address the issue.
{{< partial name="whats-next/whats-next.html" >}}

[1]: https://docs.datadoghq.com/security/cloud_siem/
[2]: https://app.datadoghq.com/security/rules?deprecated=hide&groupBy=tactic&product=siem&sort=rule_name
[2]: https://app.datadoghq.com/security/siem/rules?deprecated=hide&groupBy=tactic&product=siem&sort=rule_name
[3]: https://docs.datadoghq.com/developers/integrations/agent_integration/
[4]: https://app.datadoghq.com/security/rules/new?product=siem
[5]: https://github.com/DataDog/integrations-extras
[4]: https://app.datadoghq.com/security/siem/rules/new?product=siem
[5]: https://github.com/DataDog/integrations-extras
[6]: https://github.com/DataDog/marketplace
[7]: https://docs.datadoghq.com/security/cloud_siem/detection_rules
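Review bot: `[2]` and `[4]` keep `product=siem` in the query string after the path gains the `/siem/` segment; confirm the parameter is still needed under the new path (the `viz=attck-map` link in another file carries the same `product=siem` filter), or drop it so the docs do not pin a redundant parameter that may stop meaning anything once the route is already SIEM-scoped.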
4 changes: 2 additions & 2 deletions content/en/getting_started/security/cloud_siem.md
Expand Up @@ -127,7 +127,7 @@ Contact [support][26] to disable Cloud SIEM.
[6]: https://www.datadoghq.com/blog/monitoring-cloudtrail-logs/
[7]: https://www.datadoghq.com/blog/how-to-monitor-authentication-logs/
[8]: https://app.datadoghq.com/security/landing
[9]: https://app.datadoghq.com/security/content-packs
[9]: https://app.datadoghq.com/security/siem/content-packs
[10]: https://app.datadoghq.com/security/configuration/siem/log-sources
[11]: https://app.datadoghq.com/security/configuration/siem/setup
[12]: /security/default_rules/#cat-cloud-siem-log-detection
Expand All @@ -137,7 +137,7 @@ Contact [support][26] to disable Cloud SIEM.
[16]: https://app.datadoghq.com/security/configuration/notification-rules
[17]: /security/notifications/rules/
[18]: https://app.datadoghq.com/security/configuration/reports
[19]: https://app.datadoghq.com/security/investigator/
[19]: https://app.datadoghq.com/security/siem/investigator/
[20]: /security/cloud_siem/triage_and_investigate/investigator
[21]: https://app.datadoghq.com/dashboard/lists/preset/100
[22]: /dashboards/#overview
4 changes: 2 additions & 2 deletions content/en/security/cloud_siem/_index.md
Expand Up @@ -71,7 +71,7 @@ Cloud SIEM embeds both cloud and on-premises telemetry directly into security wo

### Flexible cost control for security data

As your organization scales, controlling the ingestion cost of security logs without compromising visibility is critical. Cloud SIEM is integrated with Datadog Log Management so you can choose the appropriate retention and querying capability for your security logs. This flexibility helps you balance cost efficiency with your threat detection needs.
As your organization scales, controlling the ingestion cost of security logs without compromising visibility is critical. Cloud SIEM is integrated with Datadog Log Management so you can choose the appropriate retention and querying capability for your security logs. This flexibility helps you balance cost efficiency with your threat detection needs.

Store logs using one of the available options:
- [Standard indexing][6] for logs that need to be queried frequently with the most compute.
Expand Down Expand Up @@ -263,7 +263,7 @@ See which rules are the noisiest by calculating the percentage of signals that a

[1]: https://securitylabs.datadoghq.com/
[2]: https://www.datadoghq.com/product/cloud-siem/
[3]: https://app.datadoghq.com/security/home?
[3]: https://app.datadoghq.com/security/siem/home?
[4]: /getting_started/security/cloud_siem/
[5]: /security/cloud_siem/investigate_security_signals/#case-management
[6]: /logs/log_configuration/indexes
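Review bot: `[3]` keeps a dangling `?` with an empty query string (`.../security/siem/home?`); since the line is being rewritten anyway, drop the `?` so the link reads `https://app.datadoghq.com/security/siem/home`.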
File: (path not captured)
Expand Up @@ -87,7 +87,7 @@ Use unit testing to test your rules against sample logs and make sure the detect
{{< partial name="whats-next/whats-next.html" >}}

[1]: /security/cloud_siem/detect_and_monitor/custom_detection_rules/create_rule/real_time_rule/
[2]: https://app.datadoghq.com/security/rules
[2]: https://app.datadoghq.com/security/siem/rules
[3]: /security/cloud_siem/detect_and_monitor/custom_detection_rules/threshold/
[4]: /security/cloud_siem/detect_and_monitor/custom_detection_rules/new_value/
[5]: /security/cloud_siem/detect_and_monitor/custom_detection_rules/anomaly/
File: (path not captured)
Expand Up @@ -238,5 +238,5 @@ Click **Add Root Query** to add additional queries.

{{% security-rule-say-whats-happening %}}

[1]: https://app.datadoghq.com/security/rules/new
[1]: https://app.datadoghq.com/security/siem/rules/new
[2]: /security_platform/notifications/#notification-channels
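Review bot: `[2]` still points at `/security_platform/notifications/#notification-channels` while the getting-started file in this PR links notifications under `/security/notifications/rules/`; verify the legacy `security_platform` path still redirects, or update it alongside the `[1]` change so the two files do not diverge.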
File: (path not captured)
Expand Up @@ -343,4 +343,4 @@ In the **Preview detection** section, check the steps, transitions, and time win

{{% cloud_siem/create_suppression %}}

[1]: https://app.datadoghq.com/security/rules/new
[1]: https://app.datadoghq.com/security/siem/rules/new
File: (path not captured)
Expand Up @@ -73,9 +73,9 @@ See [Calculated Fields Formulas][5] for the available functions and operators.

{{< partial name="whats-next/whats-next.html" >}}

[1]: https://app.datadoghq.com/security/rules
[1]: https://app.datadoghq.com/security/siem/rules
[2]: https://app.datadoghq.com/security/configuration/siem/rules/new-job?product=siem
[3]: https://app.datadoghq.com/security/detections/historical-jobs
[3]: https://app.datadoghq.com/security/siem/detections/historical-jobs
[4]: /logs/explorer/calculated_fields/
[5]: /logs/explorer/calculated_fields/formulas/
[6]: https://app.datadoghq.com/security/configuration/siem/rules/new-job?product=siem#rule-editor-define-queries
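Review bot: `[3]` moves to `/security/siem/detections/historical-jobs` while `[2]` and `[6]` keep `/security/configuration/siem/rules/new-job?product=siem`; confirm the historical-job editor deliberately stays under `/configuration/` (and still needs `product=siem`) so the list page and the create page for one feature are not left on two different route trees by accident.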
File: (path not captured)
Expand Up @@ -62,7 +62,7 @@ This is an example of the format you need to use for tagging custom rules and th

{{< partial name="whats-next/whats-next.html" >}}

[1]: https://app.datadoghq.com/security/rules
[1]: https://app.datadoghq.com/security/siem/rules
[2]: https://docs.datadoghq.com/security/cloud_siem/guide/how-to-setup-security-filters-using-cloud-siem-api/
[3]: https://app.datadoghq.com/security/rules?query=product=siem&sort=date&viz=attck-map
[3]: https://app.datadoghq.com/security/siem/rules?query=product=siem&sort=date&viz=attck-map
[4]: https://docs.datadoghq.com/security/cloud_siem/detect_and_monitor/custom_detection_rules/?tab=threshold
File: (path not captured)
Expand Up @@ -34,4 +34,4 @@ To see the version history of a rule:

{{< partial name="whats-next/whats-next.html" >}}

[1]: https://app.datadoghq.com/security/rules
[1]: https://app.datadoghq.com/security/siem/rules
File: (path not captured)
Expand Up @@ -47,7 +47,7 @@ Datadog provides built-in [Threat Intelligence][5] for Cloud SIEM logs and also
{{< partial name="whats-next/whats-next.html" >}}

[1]: /security/cloud_siem/content_packs/
[2]: https://app.datadoghq.com/security/content-packs
[2]: https://app.datadoghq.com/security/siem/content-packs
[3]: /integrations/
[4]: /logs/log_collection/
[5]: /security/threat_intelligence/#threat-intelligence-sources
File: (path not captured)
Expand Up @@ -49,7 +49,7 @@ further_reading:

{{< partial name="whats-next/whats-next.html" >}}

[1]: https://app.datadoghq.com/security/content-packs
[1]: https://app.datadoghq.com/security/siem/content-packs
[2]: /security/detection_rules/
[3]: /security/cloud_siem/triage_and_investigate/investigator
[4]: /service_management/workflows/
File: (path not captured)
Expand Up @@ -51,7 +51,7 @@ The **Next steps** section of the entity side panel includes the available mitig

## Risk scoring

An entity's risk score approximates the entity's risk level over the past 14 days of activity.
An entity's risk score approximates the entity's risk level over the past 14 days of activity.

The risk score is calculated from the characteristics of the entity's associated signals, such as the severity level of the signal and how many times the signal has fired.

Expand Down Expand Up @@ -87,6 +87,6 @@ The severity threshold of an entity is calculated by adding up the score impact
[1]: /security/cloud_siem/guide/aws-config-guide-for-cloud-siem/
[2]: https://docs.datadoghq.com/security/cloud_security_management/setup
[3]: https://app.datadoghq.com/security
[4]: https://app.datadoghq.com/security/entities
[4]: https://app.datadoghq.com/security/siem/risk-insights
[5]: /security/cloud_siem/guide/google-cloud-config-guide-for-cloud-siem/
[6]: /security/cloud_siem/guide/azure-config-guide-for-cloud-siem/
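Review bot: `[4]` is a page rename (`/security/entities` to `/security/siem/risk-insights`), not the plain `/siem/` prefix insert the rest of the PR makes; check the body text that uses `[4]` (this hunk sits in the entity side panel and risk scoring docs) still describes the destination correctly, for example a link labelled "Entities" that now lands on Risk Insights.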
File: (path not captured)
Expand Up @@ -61,12 +61,12 @@ To view your signals by MITRE ATT&CK Tactic and Technique:
1. Click on a security signal from the table.
1. In the **What Happened** section, see the logs that matched the query. Hover over the query to see the query details.
- You can also see specific information like username or network IP. In **Rule Details**, click the funnel icon to create a suppression rule or add the information to an existing suppression. See [Create suppression rule][11] for more details.
1. In the **Next Steps** section:
1. In the **Next Steps** section:
a. Under **Triage**, click the dropdown to change the triage status of the signal. The default status is `OPEN`.
- `Open`: Datadog Security triggered a detection based on a rule, and the resulting signal is not yet resolved.
- `Under Review`: During an active investigation, change the triage status to `Under Review`. From the `Under Review` state, you can move the status to `Archived` or `Open` as needed.
- `Archived`: When the detection that caused the signal has been resolved, update the status to `Archived`. When a signal is archived, you can give a reason and description for future reference. If an archived issue resurfaces, or if further investigation is necessary, the status can be changed back to `Open`. All signals are locked 30 days after they have been created.</ul>
b. Click **Assign Signal** to assign a signal to yourself or another Datadog user.
b. Click **Assign Signal** to assign a signal to yourself or another Datadog user.
c. Under **Take Action**, you can create a case, declare an incident, edit suppressions, or run workflows. Creating a case automatically assigns the signal to you and sets the triage status to `Under Review`.

{{< img src="security/security_monitoring/investigate_security_signals/signal_side_panel.png" alt="The signal side panel of a compromised AWS IAM user access key showing two IP addresses and their locations" style="width:90%;" >}}
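Review bot: two nits in the context right next to the whitespace-only edits: step `a.` says the default status is `OPEN` while the bullets below spell it `Open`, and the `Archived` bullet ends with a stray `</ul>` closing tag that has no opening tag; both are one-line fixes worth folding in while this list is being touched.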
Expand Down Expand Up @@ -130,7 +130,7 @@ Click the **Logs** tab to view the logs related to the signal. Click **View All
To investigate entities:

1. Click the **Entities** tab to see entities related to the signal, such as users or IP addresses.
1. Click the down arrow next to **View Related Logs** and:
1. Click the down arrow next to **View Related Logs** and:
- Select **View IP Dashboard** to see more information about the IP address in the IP Investigation dashboard.
- Select **View Related Signals** to open Signals Explorer and see the other signals associated with the IP address.
1. For cloud environment entities, such as an assumed role or IAM user, view the activity graph to see what other actions the user took. Click **View in Investigator** to go to the Investigator to see more details.
Expand Down Expand Up @@ -209,7 +209,7 @@ You can also launch this query directly from the signal panel:
[2]: /account_management/audit_trail/events/#cloud-security-platform-events
[3]: /account_management/rbac/
[4]: /logs/explorer/saved_views/
[5]: https://app.datadoghq.com/security/home
[5]: https://app.datadoghq.com/security/siem/home
[6]: /service_management/case_management/
[7]: /service_management/incident_management/
[8]: /service_management/workflows/trigger/#trigger-a-workflow-from-a-security-signal
File: (path not captured)
Expand Up @@ -46,7 +46,7 @@ The Cloud SIEM Investigator provides a graphical interface for you to pivot from

4. Click on a node and select **View related logs** or **View related signals** to investigate further. Use the **Search for** dropdown menu to filter by actions.

[1]: https://app.datadoghq.com/security/investigator/aws
[1]: https://app.datadoghq.com/security/siem/investigator?provider=aws

{{% /tab %}}

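Review bot: the provider moves from a path segment to a query parameter (`/investigator/aws` to `/investigator?provider=aws`, no trailing slash) while the getting-started file in this PR links the generic page as `/security/siem/investigator/` with a trailing slash; confirm the app serves both forms so the provider-specific tabs and the generic entry point do not end up on different URLs.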
Expand All @@ -60,7 +60,7 @@ The Cloud SIEM Investigator provides a graphical interface for you to pivot from

4. Click on a node and select **View related logs** or **View related signals** to investigate further. Use the **Search for** dropdown menu to filter by actions.

[1]: https://app.datadoghq.com/security/investigator/gcp
[1]: https://app.datadoghq.com/security/siem/investigator?provider=gcp
{{% /tab %}}

{{% tab "Azure" %}}
Expand All @@ -73,7 +73,7 @@ The Cloud SIEM Investigator provides a graphical interface for you to pivot from

4. Click on a node and select **View related logs** or **View related signals** to investigate further. Use the **Search for** dropdown menu to filter by actions.

[1]: https://app.datadoghq.com/security/investigator/azure
[1]: https://app.datadoghq.com/security/siem/investigator?provider=azure
{{% /tab %}}

{{% tab "Datadog" %}}
Expand All @@ -86,7 +86,7 @@ The Cloud SIEM Investigator provides a graphical interface for you to pivot from

4. Click on a node and select **View related Audit Trail** or **View related signals** to investigate further. Use the **Search for** dropdown menu to filter by actions.

[1]: https://app.datadoghq.com/security/investigator/datadog
[1]: https://app.datadoghq.com/security/siem/investigator?provider=datadog
{{% /tab %}}
{{< /tabs >}}

4 changes: 2 additions & 2 deletions content/en/security/detection_rules/_index.md
Expand Up @@ -176,7 +176,7 @@ The rule deprecation process is as follows:
1. There is a warning with the deprecation date on the rule. In the UI, the warning is shown in the:
- Signal side panel's **Rule Details > Playbook** section
- Misconfigurations side panel (Cloud Security Misconfigurations only)
- [Rule editor][10] for that specific rule
- [Rule editor][10] for that specific rule
2. Once the rule is deprecated, there is a 15 month period before the rule is deleted. This is due to the signal retention period of 15 months. During this time, you can re-enable the rule by [cloning the rule](#clone-a-rule) in the UI.
3. Once the rule is deleted, you can no longer clone and re-enable it.

Expand All @@ -199,6 +199,6 @@ The rule deprecation process is as follows:
[13]: /security/cloud_security_management/misconfigurations/custom_rules
[14]: /security/workload_protection/workload_security_rules?tab=host#create-custom-rules
[15]: https://app.datadoghq.com/security/configuration/
[16]: https://app.datadoghq.com/security/rules
[16]: https://app.datadoghq.com/security/siem/rules
[17]: https://app.datadoghq.com/security/workload-protection/detection-rules

4 changes: 2 additions & 2 deletions content/en/security/suppressions.md
Expand Up @@ -55,7 +55,7 @@ The [suppression list][3] provides a centralized and organized way for you to ma
1. Select the detection rules you want to apply this suppression to. You can select multiple detection rules.
1. In the **Add Suppression Query** section, you have the option to enter suppression queries so that a signal is not generated when the values are met. For example, if a user `john.doe` is triggering a signal, but their actions are benign and you no longer want signals triggered from this user, input the log query: `@user.username:john.doe`.
{{< img src="security/security_monitoring/suppressions/suppression_query.png" alt="The add suppression query with the query @user.username:john.doe" style="width:65%;" >}}
Suppression rule queries are based on **signal attributes**.
Suppression rule queries are based on **signal attributes**.
1. Additionally, you can add a log exclusion query to exclude logs from being analyzed. These queries are based on **log attributes**. **Note**: The legacy suppression was based on log exclusion queries, but it is now included in the suppression rule's **Add a suppression query** step.

### Restrict edit permissions
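Review bot: nit in the context around the whitespace-only `signal attributes` edit: the step refers to the **Add Suppression Query** section while the note at the end of the next step refers to the **Add a suppression query** step; align the two names while the list is open.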
Expand All @@ -69,5 +69,5 @@ The [suppression list][3] provides a centralized and organized way for you to ma
[1]: https://app.datadoghq.com/security/configuration/siem/rules/new
[2]: /security/detection_rules/
[3]: https://app.datadoghq.com/security/configuration/suppressions
[4]: https://app.datadoghq.com/security/rules
[4]: https://app.datadoghq.com/security/siem/rules
[5]: /logs/explorer/facets/#log-side-panel
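Review bot: `[1]` keeps `/security/configuration/siem/rules/new` while the rule-creation pages in this PR change their "new rule" link to `/security/siem/rules/new`; confirm both URLs open the same rule editor, otherwise pick one so the suppressions page and the rule-creation pages agree.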