Datadog SIEM: The Basics and a Quick Tutorial

What Is Datadog Cloud SIEM?

Datadog Cloud SIEM (Security Information and Event Management) is a cloud-native security platform that provides real-time visibility and insights into the security status of an organization’s entire infrastructure. It integrates with cloud services, on-premises data centers, and hybrid environments.

By aggregating logs and metrics, it enables security teams to quickly identify, investigate, and mitigate threats across their IT landscape. The platform uses advanced analytics and machine learning to detect anomalies and potential security incidents. Its user-friendly interface allows security professionals to visualize trends, generate reports, and drill down into specific events.

This is part of a series of articles about Datadog APM


Key Features of Datadog Cloud SIEM 

Datadog Cloud SIEM provides the following capabilities.

Visualization and Insights

Datadog Cloud SIEM’s visualization tools enable security teams to gain deep insights into their security data. The platform uses intuitive graph-based visualizations to display security insights and activity across cloud environments. Security professionals can view more than 15 months of historical data, allowing for detailed root cause analysis of suspicious activity. 

By connecting users and resources to security logs and telemetry, it offers context to better assess risk and urgency. These visualizations help in identifying trends and patterns that may indicate security threats.

Centralized Security Data

The platform ingests, normalizes, and enriches logs and third-party security alerts, ensuring that all relevant data is consolidated into a single, accessible location. With over 750 integrations, Datadog Cloud SIEM offers visibility into all network traffic, identity providers, endpoints, and SaaS applications. 

This centralized approach enables easier collaboration among security, development, and operations teams through integrations with ticketing portals, chat systems, and remediation tools. Unifying security data improves the ability to detect, investigate, and respond to threats.

Threat Detection and Response

Datadog Cloud SIEM can detect and respond to threats across dynamic environments. The platform is supported by a dedicated Datadog Security Research team that maintains over 400 detections, continuously updating them to address new and emerging threats. 

Using built-in threat intelligence and aligned with the MITRE ATT&CK framework, the platform provides extensive threat detection capabilities. Security teams can create custom detection rules tailored to their needs, ensuring coverage of potential attack vectors. 

Automation and Case Management

The platform automates routine security tasks and remediation processes through pre-configured workflows, reducing the manual effort required by security teams. With over 300 actions available to orchestrate security processes, it allows for customization of workflows to meet organizational needs. 

The Case Management feature allows cases to be created automatically or on demand, enabling collaborative and centralized investigations. By sharing visibility into rich observability context, teams can accelerate their response to security incidents, reducing the overall operational overhead.


Datadog Cloud SIEM Pricing

The platform’s pricing starts at $5 per million events analyzed, per month. This base price allows organizations to access Datadog Cloud SIEM’s security features without incurring prohibitive costs. Datadog Cloud SIEM also supports annual and on-demand billing options, providing further flexibility for budgeting and financial planning.

It’s important to note that workflows are billed separately, which helps ensure that organizations only pay for the automation features they actually use. This modular approach to pricing allows for customization based on the scale of the organization’s security operations. 

Learn more in our detailed guide to Datadog pricing 


Quick Tutorial: Getting Started with Datadog Cloud SIEM 

Here’s an overview of how to use Datadog Cloud SIEM.

Setup

To get started with Cloud SIEM:

  1. First, configure log ingestion. This involves collecting logs from various sources using out-of-the-box integration pipelines or creating custom log pipelines. Datadog Cloud SIEM supports hundreds of integrations, including cloud audit logs, identity provider logs, SaaS and workspace logs, and third-party security integrations like Amazon GuardDuty.
  2. Once log ingestion is configured, enable Cloud SIEM by selecting and configuring Content Packs. These packs provide out-of-the-box content for critical security log sources. Additionally, configure any other log sources that Cloud SIEM needs to analyze.
  3. After configuring the necessary settings, click on Activate to create a custom Cloud SIEM log index. 
  4. Ensure that the Cloud SIEM index is in the first position within the log configuration. If the setup page indicates that the index is not in the correct position, follow the steps to reorder it. This involves selecting the new position for the index and confirming the changes. 
  5. Once the index is correctly positioned, review and fix any warnings or errors for the Content Packs and other log sources.

Source: Datadog

Exploring Signals

After setup: 

  1. Explore the out-of-the-box detection rules that start detecting threats in the environment immediately. These rules apply to all processed logs to maximize detection coverage. 
  2. Review the generated security signals to understand detected threats. 
  3. Configure notification rules to alert the team when signals are generated, using integrations such as Slack, Jira, email, and webhooks. 
  4. Additionally, subscribe to weekly threat digest reports to stay informed about the most important security threats discovered.

Investigating Signals

When a security signal alerts the team to suspicious activity, the investigation phase begins. Common questions during an investigation include:

  • Is the user accessing other accounts?
  • What actions did the user take around the specific time frame?
  • What actions were taken on a resource by the user?
  • What users have interacted with this resource?

For example, if a security signal indicates that an Amazon S3 bucket configuration was changed to be accessible by everyone, investigate who took this action and their recent activities to determine if credentials were compromised.

Datadog Cloud SIEM’s Investigator provides a graphical interface to switch from one affected entity to another, allowing users to visualize user behavior and its impact on the environment. To use Investigator:

  1. Go to Security, then Cloud SIEM, and select the Investigator tab.
  2. Choose an entity type, and explore the activities associated with the entity. 
  3. Use the interface to view related logs or filter actions for detailed analysis. 
  4. It is also possible to access the Investigator directly from a security signal panel for targeted investigations.
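To make the S3 example above concrete, here is an added illustration (not Datadog's own detection rule or Investigator code) of the two steps an investigation covers: a detection that flags a bucket ACL or policy change granting access to everyone, and a pivot that lists what the same user did around that time. The CloudTrail-style records, user names, bucket names and IP addresses are constructed for the example.

```python
from datetime import datetime, timedelta

PUBLIC_ACL_URI = "http://acs.amazonaws.com/groups/global/AllUsers"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed CloudTrail-style records (not real logs), trimmed to the fields the rule needs.
EVENTS = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"userName": "alice"}, "requestParameters": {}},
    {"eventTime": "2024-05-01T10:04:00Z", "eventName": "PutBucketAcl", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"userName": "alice"},
     "requestParameters": {"bucketName": "finance-reports", "AccessControlPolicy": {"AccessControlList": {
         "Grant": [{"Grantee": {"URI": PUBLIC_ACL_URI}, "Permission": "READ"}]}}}},
    {"eventTime": "2024-05-01T10:06:00Z", "eventName": "ListObjects", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"userName": "alice"}, "requestParameters": {"bucketName": "finance-reports"}},
    {"eventTime": "2024-05-01T11:30:00Z", "eventName": "PutBucketPolicy", "sourceIPAddress": "198.51.100.9",
     "userIdentity": {"userName": "bob"},
     "requestParameters": {"bucketName": "team-wiki", "bucketPolicy": {"Statement": [
         {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:root"}, "Action": "s3:GetObject"}]}}},
]

def is_public_exposure(event):
    """True when the call opens a bucket to everyone: an ACL grant to AllUsers, or an Allow statement with Principal '*'."""
    params = event.get("requestParameters") or {}
    if event["eventName"] == "PutBucketAcl":
        grants = params.get("AccessControlPolicy", {}).get("AccessControlList", {}).get("Grant", [])
        return any(g.get("Grantee", {}).get("URI") == PUBLIC_ACL_URI for g in grants)
    if event["eventName"] == "PutBucketPolicy":
        for stmt in params.get("bucketPolicy", {}).get("Statement", []):
            principal = stmt.get("Principal")
            wildcard = principal == "*" or (isinstance(principal, dict) and "*" in principal.values())
            if stmt.get("Effect") == "Allow" and wildcard:
                return True
    return False

def detect_public_bucket_changes(events):
    """Emit one signal per event that made a bucket publicly accessible."""
    return [{"time": e["eventTime"], "user": e["userIdentity"]["userName"],
             "bucket": e["requestParameters"]["bucketName"], "ip": e["sourceIPAddress"]}
            for e in events if is_public_exposure(e)]

def actor_activity(events, user, at, window_minutes=30):
    """Investigation pivot: what else did this user do within the window around the signal time?"""
    centre = datetime.strptime(at, TIME_FMT)
    return [(e["eventTime"], e["eventName"], e["sourceIPAddress"]) for e in events
            if e["userIdentity"]["userName"] == user
            and abs(datetime.strptime(e["eventTime"], TIME_FMT) - centre) <= timedelta(minutes=window_minutes)]

if __name__ == "__main__":
    for sig in detect_public_bucket_changes(EVENTS):
        print("signal:", sig)
        for row in actor_activity(EVENTS, sig["user"], sig["time"]):
            print("  actor activity:", row)
```

Bob's policy change is not flagged because it grants access to a specific account rather than to `*`; only Alice's AllUsers grant produces a signal, and the pivot then shows her login and the listing that followed.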


Coralogix: Ultimate Datadog SIEM Alternative

Coralogix sets itself apart in observability with its modern architecture, enabling real-time insights into logs, metrics, and traces with built-in cost optimization. Coralogix’s straightforward pricing covers all its platform offerings including APM, RUM, SIEM, infrastructure monitoring and much more. With unparalleled support that features less than 1 minute response times and 1 hour resolution times, Coralogix is a leading choice for thousands of organizations across the globe.
