
Security Information and Event Management

We are using Datadog to handle our security information and event management. Datadog collects events and information through the AWS integration and the host agent, then applies a ruleset to filter them and raise alerts. We have a set of notification rules in Datadog that send alerts to our alerts channel in Slack whenever a new Finding or Signal is detected. Signals also trigger an incident in incident.io.

A finding is a misconfiguration, identity risk or attack path, whereas a signal is potentially suspicious activity, i.e. a possible active threat in the system.

Findings should be immediately investigated, classified and worked on so that they are resolved in a timely manner (depending on severity).

A signal should be treated as an incident, as it may be an active attack. It will create an incident.io incident, and it should be triaged immediately and escalated if needed.
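The routing described above (both event types go to the Slack alerts channel; only signals open an incident; findings carry a severity-dependent resolution target) can be written down as a small, testable function. The following is an added example and not the team's own tooling: the event dictionary shape, the field names, the `#alerts` channel name and the SLA hours per severity are all assumptions made for illustration, not Datadog's real notification payload or any policy this page states.

```python
# Added example: routing logic that mirrors the SIEM workflow described on this
# page. It is not the team's tooling, and the event dictionary shape is
# constructed for illustration, not Datadog's real webhook/notification schema.
from dataclasses import dataclass
from typing import Optional

# Assumed resolution targets for findings, in hours, keyed by severity.
# These numbers are illustrative; the page only says "depending on severity".
FINDING_SLA_HOURS = {"critical": 24, "high": 72, "medium": 168, "low": 720}

REQUIRED_FIELDS = ("kind", "title", "severity", "source")


@dataclass
class Actions:
    """What the pipeline should do with one event."""
    slack_channel: Optional[str] = None   # where to post the alert
    create_incident: bool = False         # open an incident.io incident?
    next_step: str = ""                   # human-readable instruction
    sla_hours: Optional[int] = None       # resolution target (findings only)


def parse_event(raw: dict) -> dict:
    """Validate a constructed Datadog-style event.

    Rejects payloads that lack required fields or carry an unknown kind or
    severity, so a malformed or unexpected event fails loudly instead of being
    silently dropped by the router.
    """
    missing = [f for f in REQUIRED_FIELDS if f not in raw]
    if missing:
        raise ValueError(f"event missing fields: {missing}")
    kind = str(raw["kind"]).lower()
    if kind not in ("finding", "signal"):
        raise ValueError(f"unknown event kind: {raw['kind']!r}")
    severity = str(raw["severity"]).lower()
    if severity not in FINDING_SLA_HOURS:
        raise ValueError(f"unknown severity: {raw['severity']!r}")
    return {**raw, "kind": kind, "severity": severity}


def is_valid(raw: dict) -> bool:
    """True if the event passes parse_event, False otherwise."""
    try:
        parse_event(raw)
        return True
    except ValueError:
        return False


def route(raw: dict, alerts_channel: str = "#alerts") -> Actions:
    """Map one event to the actions the page describes.

    Both findings and signals are posted to the alerts channel. Only signals
    open an incident, because they indicate a possible active attack; findings
    get a severity-based resolution target instead.
    """
    event = parse_event(raw)
    if event["kind"] == "signal":
        return Actions(
            slack_channel=alerts_channel,
            create_incident=True,
            next_step="triage immediately; escalate if the activity is confirmed",
        )
    return Actions(
        slack_channel=alerts_channel,
        create_incident=False,
        next_step="investigate, classify, and fix within the severity SLA",
        sla_hours=FINDING_SLA_HOURS[event["severity"]],
    )


# Constructed sample events (not real Datadog output).
SAMPLE_EVENTS = [
    {"kind": "finding", "title": "S3 bucket allows public read",
     "severity": "high", "source": "aws-integration"},
    {"kind": "signal", "title": "Unusual console login for an IAM user",
     "severity": "critical", "source": "host-agent"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["title"], "->", route(ev))
```

Keeping the decision in one function makes the finding/signal split easy to review and to unit test; the validation step is what prevents a renamed or missing field in the payload from quietly turning a signal into a non-event.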