DataDog · maycmlee · Jul 17, 2025 · Jul 17, 2025 · Aug 7, 2025 · Aug 7, 2025
@@ -6005,66 +6005,126 @@ menu:
       parent: security_platform_heading
       identifier: cloud_siem
       weight: 20000
-    - name: Content Packs
-      url: security/cloud_siem/content_packs
+    - name: Ingest and Enrich
+      url: security/cloud_siem/ingest_and_enrich/
       parent: cloud_siem
-      identifier: cloud_siem_content_packs
+      identifier: cloud_siem_ingest_and_enrich
       weight: 1
-    - name: Detection Rules
-      url: security/cloud_siem/detection_rules
+    - name: Content Packs
+      url: security/cloud_siem/ingest_and_enrich/content_packs
+      parent: cloud_siem_ingest_and_enrich
+      identifier: cloud_siem_content_packs
+      weight: 101
+    - name: Threat Intelligence
+      url: security/cloud_siem/ingest_and_enrich/threat_intelligence
+      parent: cloud_siem_ingest_and_enrich
+      identifier: cloud_siem_threat_intelligence
+      weight: 102
+    - name: Open Cybersecurity Schema Framework
+      url: security/cloud_siem/ingest_and_enrich/open_cybersecurity_schema_framework
+      parent: cloud_siem_ingest_and_enrich
+      identifier: cloud_siem_open_cybersecurity_schema_framework
+      weight: 103
+    - name: Detect and Monitor
+      url: security/cloud_siem/detect_and_monitor/
       parent: cloud_siem
-      identifier: cloud_siem_detection_rules
+      identifier: cloud_siem_detect_and_monitor
       weight: 2
-    - name: Signal Correlation Rules
-      url: security/cloud_siem/detection_rules/signal_correlation_rules
-      parent: cloud_siem_detection_rules
+    - name: Custom Detection Rules
+      url: security/cloud_siem/detect_and_monitor/custom_detection_rules
+      parent: cloud_siem_detect_and_monitor
+      identifier: cloud_siem_custom_detection_rules
+      weight: 201
+    - name: Create Rule
+      url: security/cloud_siem/detect_and_monitor/custom_detection_rules/create_rule/real_time_rule
+      parent: cloud_siem_custom_detection_rules
+      identifier: cloud_siem_real_time_rule
+      weight: 2011
+    - name: Threshold
+      url: security/cloud_siem/detect_and_monitor/custom_detection_rules/threshold
+      parent: cloud_siem_custom_detection_rules
+      identifier: cloud_siem_threshold_rule
+      weight: 2012
+    - name: New Value
+      url: security/cloud_siem/detect_and_monitor/custom_detection_rules/new_value
+      parent: cloud_siem_custom_detection_rules
+      identifier: cloud_siem_new_value_rule
+      weight: 2013
+    - name: Anomaly
+      url: security/cloud_siem/detect_and_monitor/custom_detection_rules/anomaly
+      parent: cloud_siem_custom_detection_rules
+      identifier: cloud_siem_anomaly_rule
+      weight: 2014
+    - name: Content Anomaly
+      url: security/cloud_siem/detect_and_monitor/custom_detection_rules/content_anomaly
+      parent: cloud_siem_custom_detection_rules
+      identifier: cloud_siem_content_anomaly_rule
+      weight: 2015
+    - name: Impossible Travel
+      url: security/cloud_siem/detect_and_monitor/custom_detection_rules/impossible_travel
+      parent: cloud_siem_custom_detection_rules
+      identifier: cloud_siem_impossible_travel_rule
+      weight: 2016
+    - name: Third Party
+      url: security/cloud_siem/detect_and_monitor/custom_detection_rules/third_party
+      parent: cloud_siem_custom_detection_rules
+      identifier: cloud_siem_third_party_rule
+      weight: 2017
+    - name: Signal Correlation
+      url: security/cloud_siem/detect_and_monitor/custom_detection_rules/signal_correlation_rules
+      parent: cloud_siem_custom_detection_rules
       identifier: cloud_siem_signal_correlation_rules
-      weight: 20500
-    - name: MITRE ATT&CK Map
-      url: security/cloud_siem/detection_rules/mitre_attack_map
-      parent: cloud_siem_detection_rules
-      identifier: cloud_siem_mitre_attack_map
-      weight: 20510
+      weight: 2018
     - name: OOTB Rules
       url: /security/default_rules/#cat-cloud-siem-log-detection
-      parent: cloud_siem
+      parent: cloud_siem_detect_and_monitor
       identifier: cloud_siem_default_rules
-      weight: 4
-    - name: Threat Intelligence
-      url: /security/cloud_siem/threat_intelligence
-      parent: cloud_siem
-      identifier: cloud_siem_threat_intelligence
-      weight: 5
-    - name: Open Cybersecurity Schema Framework
-      url: /security/cloud_siem/open_cybersecurity_schema_framework
+      weight: 202
+    - name: Suppressions
+      url: security/cloud_siem/detect_and_monitor/suppressions
+      parent: cloud_siem_detect_and_monitor
+      identifier: cloud_siem_suppressions
+      weight: 203
+    - name: Historical Jobs
+      url: security/cloud_siem/detect_and_monitor/historical_jobs
+      parent: cloud_siem_detect_and_monitor
+      identifier: cloud_siem_log_historical_jobs
+      weight: 204
+    - name: MITRE ATT&CK Map
+      url: security/cloud_siem/detect_and_monitor/mitre_attack_map
+      parent: cloud_siem_detect_and_monitor
+      identifier: cloud_siem_mitre_attack_map
+      weight: 205
+    - name: Triage and Investigate
+      url: security/cloud_siem/triage_and_investigate
       parent: cloud_siem
-      identifier: cloud_siem_open_cybersecurity_schema_framework
-      weight: 5
+      identifier: cloud_siem_triage_and_investigate
+      weight: 3
     - name: Investigate Security Signals
-      url: /security/cloud_siem/investigate_security_signals
-      parent: cloud_siem
+      url: security/cloud_siem/triage_and_investigate/investigate_security_signals
+      parent: cloud_siem_triage_and_investigate
       identifier: cloud_siem_investigate_security_signals
-      weight: 6
+      weight: 301
+    - name: Risk Insights
+      url: security/cloud_siem/triage_and_investigate/entities_and_risk_scoring
+      parent: cloud_siem_triage_and_investigate
+      identifier: cloud_siem_entities_and_risk_scoring
+      weight: 302
     - name: Investigator
-      url: security/cloud_siem/investigator
-      parent: cloud_siem
+      url: security/cloud_siem/triage_and_investigate/investigator
+      parent: cloud_siem_triage_and_investigate
       identifier: cloud_siem_investigator
-      weight: 7
-    - name: Historical Jobs
-      url: security/cloud_siem/historical_jobs
-      parent: cloud_siem
-      identifier: cloud_siem_log_historical_jobs
-      weight: 8
-    - name: Risk Insights
-      url: security/cloud_siem/entities_and_risk_scoring
+      weight: 303
+    - name: Respond and Report
+      url: security/cloud_siem/respond_and_report
       parent: cloud_siem
-      identifier: cloud_siem_entities_and_risk_scoring
-      weight: 9
+      identifier: cloud_siem_respond_and_report
+      weight: 4
     - name: Security Operational Metrics
-      url: security/cloud_siem/security_operational_metrics/
-      parent: cloud_siem
+      url: security/cloud_siem/respond_and_report/security_operational_metrics
+      parent: cloud_siem_respond_and_report
       identifier: siem_security_operational_metrics
-      weight: 10
+      weight: 401
     - name: Guides
       url: security/cloud_siem/guide/
       parent: cloud_siem

@@ -132,6 +132,9 @@ code_language_ids:
     ibm: "IBM HTTP Server"
     gcp-service-extensions: "GCP Service Extensions"
     apigateway: "Amazon API Gateway"
+    real_time_rule: "Real-Time Rule"
+    scheduled_rule: "Scheduled Rule"
+    historical_job: "Historical Job"
 branch: ""
 
 signupclass: sign-up-trigger

@@ -1,4 +1,12 @@
 
+<<<<<<< HEAD
+# THIS IS A GENERATED FILE. Manual edits will be overwritten. 
+
+# To ignore a content file manually, add it to the .gitignore file in the root of the documentation repository: https://github.com/DataDog/documentation/blob/master/.gitignore
+
+# This file lists compiled Cdocs files to keep them out of version control. For more information, see the internal Cdocs documentation: https://datadoghq.atlassian.net/wiki/spaces/docs4docs/pages/4898063037/Cdocs+Build
+
+=======
 # This file lists compiled Cdocs files to keep them out of version control. For more information, see the internal Cdocs documentation: https://datadoghq.atlassian.net/wiki/spaces/docs4docs/pages/4898063037/Cdocs+Build
 
 # For the list of files to ignore in the documentation repo, see the version in the root of the documentation repository: https://github.com/DataDog/documentation/blob/master/.gitignore
@@ -19,6 +27,7 @@
 # For the list of files to ignore in the documentation repo, see the version in the root of the documentation repository: https://github.com/DataDog/documentation/blob/master/.gitignore
 
 
+>>>>>>> may/cloud-siem-nav-restructure
 /en/product_analytics/session_replay/mobile/setup_and_configuration.md
 /en/real_user_monitoring/guide/proxy-mobile-rum-data.md
 /en/real_user_monitoring/guide/proxy-rum-data.md

@@ -279,7 +279,7 @@ If you encounter the error `Datadog is not authorized to perform sts:AssumeRole`
 [49]: /watchdog/
 [50]: /getting_started/cloud_siem/
 [51]: /security/default_rules/#cat-log-detection
-[52]: /security/cloud_siem/investigate_security_signals
+[52]: /security/cloud_siem/triage_and_investigate/investigate_security_signals
 [53]: /security/notifications/rules/
 [54]: /security/cloud_security_management/setup/
 [55]: /security/default_rules/#cat-posture-management-cloud

@@ -132,15 +132,15 @@ Contact [support][26] to disable Cloud SIEM.
 [12]: /security/default_rules/#cat-cloud-siem-log-detection
 [13]: /security/detection_rules/
 [14]: https://app.datadoghq.com/security?query=%40workflow.rule.type%3A%28%22Log%20Detection%22%20OR%20%22Signal%20Correlation%22%29&column=time&order=desc&product=siem&view=signal&viz=stream&start=1676321431953&end=1676407831953&paused=false
-[15]: /security/cloud_siem/investigate_security_signals
+[15]: /security/cloud_siem/triage_and_investigate/investigate_security_signals
 [16]: https://app.datadoghq.com/security/configuration/notification-rules
 [17]: /security/notifications/rules/
 [18]: https://app.datadoghq.com/security/configuration/reports
 [19]: https://app.datadoghq.com/security/investigator/
-[20]: /security/cloud_siem/investigator
+[20]: /security/cloud_siem/triage_and_investigate/investigator
 [21]: https://app.datadoghq.com/dashboard/lists/preset/100
 [22]: /dashboards/#overview
 [23]: /security/suppressions/
-[24]: /security/cloud_siem/detection_rules/
+[24]: /security/cloud_siem/detect_and_monitor/custom_detection_rules/
 [25]: https://www.datadoghq.com/blog/writing-datadog-security-detection-rules/
 [26]: /help/
@@ -76,10 +76,10 @@ To create a rule, navigate to the in-app [Rule Setup and Configuration][13] page
 [5]: /logs/guide/send-aws-services-logs-with-the-datadog-lambda-function/?tab=awsconsole#set-up-triggers
 [6]: https://console.aws.amazon.com/lambda/home#/functions
 [7]: https://app.datadoghq.com/logs
-[8]: /security/cloud_siem/detection_rules/
+[8]: /security/cloud_siem/detect_and_monitor/custom_detection_rules/
 [9]: /getting_started/cloud_siem/#phase-2-signal-exploration
 [10]: https://app.datadoghq.com/security
 [11]: /security/default_rules/#cat-cloud-siem
 [12]: /security/detection_rules/#creating-and-managing-detection-rules
 [13]: https://app.datadoghq.com/security/configuration/rules/new?product=siem
-[14]: /security/cloud_siem/detection_rules/?tab=threshold#choose-a-detection-method
+[14]: /security/cloud_siem/detect_and_monitor/custom_detection_rules/?tab=threshold#choose-a-detection-method
@@ -258,6 +258,11 @@ See which rules are the noisiest by calculating the percentage of signals that a
 
 {{< partial name="whats-next/whats-next.html" >}}
 
+<<<<<<< HEAD
+[1]: /security/cloud_siem/triage_and_investigate/investigate_security_signals
+[2]: /security/default_rules#cat-cloud-siem
+[3]: /security/detection_rules
+=======
 [1]: https://securitylabs.datadoghq.com/
 [2]: https://www.datadoghq.com/product/cloud-siem/
 [3]: https://app.datadoghq.com/security/home?
@@ -268,4 +273,5 @@ See which rules are the noisiest by calculating the percentage of signals that a
 [8]: /logs/log_configuration/archives/
 [9]: /security/cloud_siem/content_packs/
 [10]: /logs/explorer/search_syntax/
-[11]: /logs/explorer/
+[11]: /logs/explorer/
+>>>>>>> master
@@ -0,0 +1,6 @@
+---
+title: Detect and Monitor
+disable_toc: false
+---
+
+TKTK
@@ -0,0 +1,111 @@
+---
+title: Custom Detection Rules
+type: documentation
+aliases:
+ - /security_platform/detection_rules/cloud_siem
+ - /security_platform/detection_rules/security_monitoring
+ - /security_platform/detection_rules/create_a_new_rule
+ - /security_platform/cloud_siem/log_detection_rules/
+ - /cloud_siem/detection_rules/security_monitoring/
+ - /security/detection_rules/cloud_siem/
+ - /security/detection_rules/security_monitoring
+ - /security/detection_rules/create_a_new_rule
+ - /security/cloud_siem/log_detection_rules/
+ - /security/cloud_siem/detection_rules/
+further_reading:
+- link: "/security/cloud_siem/detect_and_monitor/custom_detection_rules/create_rule/real_time_rule/"
+  tag: "Documentation"
+  text: "Create a custom detection rule"
+- link: "/cloud_siem/default_rules/"
+  tag: "Documentation"
+  text: "Configure default Cloud SIEM detection rules"
+- link: "/cloud_siem/explorer/"
+  tag: "Documentation"
+  text: "Learn about the Security Signals Explorer"
+- link: "https://www.datadoghq.com/blog/detect-unauthorized-third-parties-aws/"
+  tag: "Blog"
+  text: "Detect unauthorized third parties in your AWS account"
+- link: "https://www.datadoghq.com/blog/anomaly-detection-rules-datadog/"
+  tag: "Blog"
+  text: "Detect security threats with anomaly detection rules"
+- link: "/security/notifications/variables/"
+  tag: "Documentation"
+  text: "Learn more about Security notification variables"
+- link: "https://www.datadoghq.com/blog/monitor-cloudflare-zero-trust/"
+  tag: "Blog"
+  text: "Monitor Cloudflare Zero Trust with Datadog Cloud SIEM"
+- link: "https://www.datadoghq.com/blog/monitor-1password-datadog-cloud-siem/"
+  tag: "Blog"
+  text: "Monitor 1Password with Datadog Cloud SIEM"
+- link: "https://www.datadoghq.com/blog/content-anomaly-detection-cloud-siem/"
+  tag: "Blog"
+  text: "Detect anomalies beyond spikes and new values with Content Anomaly Detection in Cloud SIEM"
+---
+
+## Overview
+
+Out-of-the-box detection rules help you cover the majority of threat scenarios, but you can also create custom detection rules for your specific use cases. See [Create Rule][1] for instructions on how to create a custom rule.
+
+## Rule types
+
+You can create the following types of custom detection rules:
+
+- Real-time rule, which continuously monitors and analyzes incoming logs.
+- Scheduled rule, which runs at pre-scheduled intervals to analyze log data.
+- Historical job, which backtests detections by running them against historical logs.
+
+## Detection methods
+
+The following detection methods are available for custom detection rule or historical job:
+
+- [Threshold][3]: Detects when events exceed a user-defined threshold.
+- [New value][4]: Detects when an attributes changes to a brand new value.
+- [Anomaly][5]: Detects when a behavior deviates from its historical baseline.
+- [Content anomaly][6]: Detects when an event's content is an anomaly compared to the historical baseline
+- [Impossible travel][7]: Detects if impossible speed is detected in user activity logs.
+- [Third party][8]: Maps third-party security logs to signals, setting the severity based on log attributes.
+- [Signal correlation][9]: Combines multiple signals together to generate a new signal so you can alert on more complex use cases and reduce alert fatigue.
+
+## Filter logs based on Reference Tables
+
+<div class="alert alert-warning">Reference Tables containing over 1,000,000 rows cannot be used to filter events. See <a href="https://docs.datadoghq.com/integrations/guide/reference-tables/">Add Custom Metadata with Reference Tables</a> for more information on how to create and manage Reference Tables. </div>
+
+Reference Tables allow you to combine metadata with logs, providing more information to resolve application issues. When you define a query for a rule, you can add a query filter based on a Reference Table to perform lookup queries. For more information on creating and managing this feature, see the [Reference Tables][10] guide.
+
+In the following example, a Reference Table containing product information is used to filter and enrich logs:
+
+{{< img src="/security/security_monitoring/detection_rules/filter-by-reference-table.png" alt="The log detection rule query editor with the reference table search options highlighted" style="width:100%;" >}}
+
+## Rule Version History
+
+{{< img src="/security/security_monitoring/detection_rules/rule_version_history_20250207.png" alt="The version history for a GitHub OAuth access token compromise showing" style="width:80%;" >}}
+
+Use Rule Version History to:
+- See past versions of a detection rule and understand the changes over time.
+- See who made the changes for improved collaboration.
+- Compare versions with diffs to analyze the modifications and impact of the changes.
+
+To see the version history of a rule:
+1. Navigate to [Detection Rules][2].
+1. Click on the rule you are interested in.
+1. In the rule editor, click **Version History** to see past changes.
+1. Click a specific version to see what changes were made.
+1. Click **Open Version Comparison** to see what changed between versions.
+1. Select the two versions you want to compare.
+    - Data highlighted in red indicates data that was modified or removed.
+    - Data highlighted in green indicates data that was added.
+1. Click **Unified** if you want to see the comparison in the same panel.
+
+## Further Reading
+{{< partial name="whats-next/whats-next.html" >}}
+
+[1]: /security/cloud_siem/detect_and_monitor/custom_detection_rules/create_rule/real_time_rule/
+[2]: https://app.datadoghq.com/security/rules
+[3]: /security/cloud_siem/detect_and_monitor/custom_detection_rules/threshold/
+[4]: /security/cloud_siem/detect_and_monitor/custom_detection_rules/new_value/
+[5]: /security/cloud_siem/detect_and_monitor/custom_detection_rules/anomaly/
+[6]: /security/cloud_siem/detect_and_monitor/custom_detection_rules/content_anomaly/
+[7]: /security/cloud_siem/detect_and_monitor/custom_detection_rules/impossible_travel/
+[8]: /security/cloud_siem/detect_and_monitor/custom_detection_rules/third_party/
+[9]: /security/cloud_siem/detect_and_monitor/custom_detection_rules/signal_correlation_rules/
+[10]: /integrations/guide/reference-tables/
@@ -0,0 +1,8 @@
+---
+title: Anomaly
+disable_toc: false
+---
+
+## Overview
+
+When configuring a specific threshold isn't an option, you can define an anomaly detection rule instead. With anomaly detection, a dynamic threshold is automatically derived from the past observations of the events.