Amanda Quach
Vera Chan
Managing dynamic cloud environments is an ongoing challenge for organizations as they scale and innovate. Protecting assets, data, and reputations is more important than ever, yet detecting insider threats, compromised accounts, and unusual behavior in an environment remains complex. Traditional SIEM solutions often focus on reactive, event-driven insights, but to meet today’s evolving needs, many teams are embracing proactive approaches like user and entity behavior analytics (UEBA).
Datadog Cloud SIEM now integrates UEBA to identify emerging threats earlier and enrich security signals with detailed context. By correlating alerts with key identity attributes and applying heuristic risk scores, Datadog Cloud SIEM helps reduce alert fatigue, streamline investigations, and prioritize threats. This centralized approach not only minimizes false positives but also enables security teams to allocate resources where they matter most—leading to stronger, more efficient security practices.
Building on these capabilities, Datadog Cloud SIEM Risk Insights is now generally available for AWS, GCP, Azure, GitHub, and Okta entities, offering security teams deeper behavioral and environmental context for their investigations. Risk Insights enhances Cloud SIEM signals by integrating data from Datadog Cloud Security—misconfigurations, identity risks, and configuration attributes—to assess the risk level of entities effectively.
In this post, we’ll walk through how Datadog helps teams:
Traditional SIEMs aim to close gaps in cloud security coverage, but they often generate an overwhelming number of alerts. For security teams, this can make it difficult to pinpoint the most urgent risks and determine where to begin their investigations.
Risk Insights helps security teams tackle this challenge by enabling them to consolidate correlated signals. Powered by an opinionated risk model, Risk Insights offers an intuitive breakdown of an entity’s risk so teams can streamline their workflows and improve the speed and precision of their investigations.
Let’s say you’re a security analyst starting your daily review of new activity. You can begin with the Entities Explorer, which provides a prioritized list of risky entities and their corresponding risk score. Datadog Cloud SIEM’s risk score incorporates multiple variables, emphasizing the most relevant signals and the duration of their threat. To help analysts quickly assess their environment, risk scores are grouped into severity thresholds, offering a clear, actionable view of potential risks.
To refine your focus, you can apply filters or use the search bar to dive into specific entity attributes.
This targeted approach helps security teams focus on high-risk insights, improving their ability to respond promptly and effectively to real threats.
In today’s monitoring landscape, many SIEMs are often isolated from other observability and security platforms. In order to conduct efficient investigations, teams need rich context and the ability to correlate data across user attributes and their entity models. Let’s take a closer look at how Datadog Cloud SIEM achieves this by exploring a specific entity in detail.
After navigating to the Entities Explorer, you can use intuitive filters or the search bar to explore specific entity attributes in depth. Datadog Cloud SIEM supports a broad range of human and non-human entities, including:
This expanded coverage ensures that security teams have the context they need to investigate efficiently across complex environments.
Once you’ve identified the entity to investigate, select it to open the Entity Side Panel, which provides detailed metadata, such as the entity’s risk score, recent risk changes, and entity type. Additionally, you can examine existing correlated signals to gain deeper insights into related misconfigurations and identity risks.
To understand how specific events have impacted the entity, the side panel also allows you to search relevant logs, visualize the entity’s permissions via Cloud SIEM Investigator, and review a timeline of associated events. The risk score timeline, for example, provides insights into which generated signals—like one for removing a public access block—affected an entity’s risk score over time, helping teams conduct more in-depth investigations. It also displays the status of each signal so teams can avoid duplicating work.
With this information, you can quickly take action by creating a case to collaborate with cross-functional teams and continue the investigation. You have the flexibility to assign the selected signals to yourself or escalate and reassign them to teammates as needed. Additionally, you can address misconfigurations and identity risk signals directly—by adding them to a new case, for example—to close the loop between investigation and response efficiently.
Alternatively, if you determine that the entity does not pose a risk, you can close the signals and review the updated risk score, which will be automatically adjusted.
Building on the success of our entity analytics for AWS, Datadog Cloud SIEM Risk Insights now offers comprehensive visibility into security risks across GCP environments. As with AWS, GCP users have detailed risk assessments and actionable insights that improve their cloud security posture, optimize incident response, and ensure compliance throughout their cloud infrastructure. These capabilities empower security teams to adopt a unified, proactive approach to risk management across diverse cloud environments.
Datadog Cloud SIEM Risk Insights now extends its support to Microsoft Azure and Microsoft 365, complementing our existing AWS and GCP entity analytics. This enhancement provides security teams with deep visibility into their Microsoft environments so they can identify suspicious activity, misconfigurations, and identity risks in real time. With Datadog’s detailed risk assessments and entity-based insights, security teams now have richer context for effectively prioritizing threats across their Azure workloads, as well as in their multi-cloud environments.
Risk Insights also provides support for GitHub, enhancing entity analytics with user and repository events. Security teams now have visibility into potential risks in their repositories, along with associated GitHub entities. Examples of these risks include mass repository cloning or downloads (which might signal data exfiltration), disabling secret scanning, and modifying repository visibility and access tokens. By correlating this behavior with broader user and cloud context, Datadog enables teams to better prioritize high-risk events in their GitHub repositories.
To monitor access and life cycle events, Risk Insights enriches entity analytics with Okta identity data. Security teams can quickly find suspicious activity within Okta’s user authentication and access events, such as brute-force attacks, phishing attempts flagged by FastPass origin checks, and administrative console access immediately following MFA resets. By correlating Okta events with other cloud activity, Risk Insights enables teams to quickly detect and remediate unauthorized access attempts, account compromise, and identity misuse.
Efficient threat detection and response relies on identity and activity context. With Risk Insights, Datadog Cloud SIEM prioritizes the most severe threats by correlating signals with misconfiguration and identity risk data from AWS, GCP, Azure, GitHub, and Okta entities. This integrated approach provides a clearer understanding of potential threats, reducing alert noise and signal volume to help security teams investigate effectively.
You can check out our documentation for more information or get started now. If you don’t already have a Datadog account, you can sign up for a 14-day free trial.
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。