Accelerate Investigations With Datadog Cloud SIEM Risk-Based Insights for AWS Entities | Datadog

By Amanda Quach and Vera Chan

Last updated: December 2, 2024

Managing dynamic cloud environments is an ongoing challenge for organizations as they scale, and detecting insider threats, compromised accounts, and unusual behavior in those environments remains hard. Traditional SIEM solutions focus on reactive, event-driven alerts, so many teams are adding proactive approaches such as User and Entity Behavior Analytics (UEBA), which baselines what each user and entity normally does and flags deviations from that baseline.

Datadog Cloud SIEM now integrates UEBA to surface emerging threats earlier and to enrich security signals with identity context. By correlating alerts with key identity attributes and applying heuristic risk scores, Cloud SIEM reduces alert fatigue, streamlines investigations, and helps teams prioritize threats. Centralizing this context cuts false positives and lets security teams spend their time where it matters most.

Building on these capabilities, Datadog Cloud SIEM Risk-based Insights for AWS Entities is now generally available, giving security teams deeper behavioral and environmental context for their investigations. Risk-based Insights enriches Cloud SIEM signals with data from Datadog Cloud Security Management (CSM), including misconfigurations, identity risks, and configuration attributes, to assess each entity's risk level.

With an intuitive breakdown of an entity's risk, produced by an opinionated risk model, users can track changes over time and take prompt, informed remediation actions. Risk-based Insights for AWS Entities lets security teams streamline their workflows and improve the speed and precision of their investigations. In this post, we walk through how it helps security teams start investigations from a prioritized list of risky entities and then get deeper context on each entity with AWS entity analytics.

Start investigations with Risk-based Insights

Traditional SIEMs aim to close gaps in cloud security coverage, but they often generate an overwhelming number of alerts. For security teams, this can make it difficult to pinpoint the most urgent risks and determine where to begin their investigations.

Risk-based Insights helps teams tackle this challenge by consolidating correlated signals per entity. Say you are a security analyst starting your daily review of new activity. You can begin with the Entities Explorer, which lists risky entities ranked by their risk score. Datadog Cloud SIEM's risk score combines several variables, weighting each signal by its severity and relevance and by how long the threat has persisted. To help analysts assess their environment at a glance, scores are grouped into severity thresholds, giving a clear, actionable view of which entities need attention first.

To refine your focus, you can apply filters or use the search bar to dive into specific entity attributes.

Entities List
To prioritize your investigations, you can easily filter by specific entities and view their risks.

This targeted approach helps security teams focus on high-risk insights, improving their ability to respond promptly and effectively to real threats.

Get deeper context with AWS Entity Analytics

Many SIEM solutions do not integrate well with observability and security platforms. Efficient investigations need rich context and correlation across user attributes and the relationships between entities. Let's look at how Datadog Cloud SIEM provides this by exploring a specific entity in detail.

After navigating to the Entities Explorer, you can use intuitive filters or the search bar to explore specific entity attributes in depth. Datadog Cloud SIEM supports a broad range of human and non-human entities, including:

  • IAM users, assumed roles, and SAML users
  • Users authenticating through service providers or web applications via methods such as MFA, OIDC, OAuth, cookies, or username/password logins
  • AWS services and accounts
  • AWS resources and machine identities, such as S3 buckets and EC2 instances

This expanded coverage ensures that security teams have the context they need to investigate efficiently across complex environments.
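The entity types above all arrive in CloudTrail as different shapes of the userIdentity element, so the first step of any entity-centric view is resolving each record to a durable entity. The following is an added example, not Datadog's entity model or code: it maps a CloudTrail userIdentity to an (entity type, identifier) pair using the field names AWS documents for that element (`type`, `arn`, `sessionContext.sessionIssuer`, `invokedBy`, `identityProvider`). The rule that an assumed-role session named like an instance ID belongs to an EC2 instance profile is a heuristic assumed here, and the sample records are constructed.

```python
"""Resolve the durable entity behind a CloudTrail userIdentity element.
Added example, not Datadog's entity model. Field names follow the CloudTrail
userIdentity element as AWS documents it; the sample records are constructed."""
import re
from collections import Counter

_INSTANCE_ID = re.compile(r"^i-[0-9a-f]{8,17}$")


def resolve_entity(ui):
    """Map one userIdentity dict to (entity_type, entity_id)."""
    kind = ui.get("type")
    if kind == "Root":
        return ("aws_account_root", ui.get("accountId"))
    if kind == "IAMUser":
        return ("iam_user", ui["arn"])
    if kind == "AssumedRole":
        # The caller ARN is a short-lived STS session; the durable identity is the
        # role that issued it (sessionContext.sessionIssuer). When an EC2 instance
        # profile is used, the session name is the instance ID (assumed heuristic).
        session_name = ui.get("arn", "").rsplit("/", 1)[-1]
        if _INSTANCE_ID.match(session_name):
            return ("ec2_instance", session_name)
        issuer = ui.get("sessionContext", {}).get("sessionIssuer", {})
        return ("assumed_role", issuer.get("arn", ui.get("arn")))
    if kind == "SAMLUser":
        return ("saml_user", f'{ui.get("identityProvider")}:{ui.get("userName")}')
    if kind == "WebIdentityUser":
        return ("web_identity_user", f'{ui.get("identityProvider")}:{ui.get("userName")}')
    if kind == "FederatedUser":
        return ("federated_user", ui.get("arn"))
    if kind == "AWSService":
        return ("aws_service", ui.get("invokedBy"))
    if kind == "AWSAccount":
        return ("aws_account", ui.get("accountId"))
    return ("unknown", ui.get("arn") or ui.get("principalId"))


def events_by_entity(events):
    """Count CloudTrail records per resolved entity: the grouping an
    entity-centric explorer view starts from."""
    return Counter(resolve_entity(ev["userIdentity"]) for ev in events)


ACCOUNT = "123456789012"
# Constructed CloudTrail records, trimmed to eventName and userIdentity.
SAMPLE_EVENTS = [
    {"eventName": "GetObject", "userIdentity": {
        "type": "IAMUser", "principalId": "AIDAEXAMPLEUSER", "accountId": ACCOUNT,
        "arn": f"arn:aws:iam::{ACCOUNT}:user/alice", "userName": "alice"}},
    {"eventName": "PutObject", "userIdentity": {
        "type": "AssumedRole", "principalId": "AROAEXAMPLEROLE:deploy-session", "accountId": ACCOUNT,
        "arn": f"arn:aws:sts::{ACCOUNT}:assumed-role/DeployRole/deploy-session",
        "sessionContext": {"sessionIssuer": {"type": "Role", "userName": "DeployRole",
                                             "arn": f"arn:aws:iam::{ACCOUNT}:role/DeployRole"}}}},
    {"eventName": "PutObject", "userIdentity": {
        "type": "AssumedRole", "principalId": "AROAEXAMPLEROLE:deploy-session-2", "accountId": ACCOUNT,
        "arn": f"arn:aws:sts::{ACCOUNT}:assumed-role/DeployRole/deploy-session-2",
        "sessionContext": {"sessionIssuer": {"type": "Role", "userName": "DeployRole",
                                             "arn": f"arn:aws:iam::{ACCOUNT}:role/DeployRole"}}}},
    {"eventName": "DescribeInstances", "userIdentity": {
        "type": "AssumedRole", "principalId": "AROAEXAMPLEWEB:i-0abc123def4567890", "accountId": ACCOUNT,
        "arn": f"arn:aws:sts::{ACCOUNT}:assumed-role/WebServerRole/i-0abc123def4567890",
        "sessionContext": {"sessionIssuer": {"type": "Role", "userName": "WebServerRole",
                                             "arn": f"arn:aws:iam::{ACCOUNT}:role/WebServerRole"}}}},
    {"eventName": "ConsoleLogin", "userIdentity": {
        "type": "SAMLUser", "principalId": "Okta:bob@example.com", "userName": "bob@example.com",
        "identityProvider": f"arn:aws:iam::{ACCOUNT}:saml-provider/Okta"}},
    {"eventName": "StartLogging", "userIdentity": {
        "type": "AWSService", "invokedBy": "cloudtrail.amazonaws.com"}},
    {"eventName": "CreateUser", "userIdentity": {
        "type": "Root", "principalId": ACCOUNT, "accountId": ACCOUNT,
        "arn": f"arn:aws:iam::{ACCOUNT}:root"}},
]

if __name__ == "__main__":
    for (etype, eid), n in events_by_entity(SAMPLE_EVENTS).most_common():
        print(f"{n:3d}  {etype:18} {eid}")
```

Note that the two DeployRole sessions collapse into one assumed-role entity: without the sessionIssuer lookup, every short-lived STS session would appear as a separate entity and per-entity risk would never accumulate.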

Once you’ve identified the entity to investigate, select it to open the Entity Side Panel, which provides detailed metadata, such as the entity’s risk score, recent risk changes, and entity type. Additionally, you can examine existing correlated signals to gain deeper insights into related misconfigurations and identity risks.

Datadog Entities Explorer
Use the Entity Side Panel to review an entity's context and risk score breakdown.

To understand how specific events have impacted the entity, the side panel also allows you to search relevant logs, visualize the entity’s permissions via Cloud SIEM Investigator, and review a timeline of associated events. The Risk Score Timeline, for example, provides insights into which generated signals—like one for removing a public access block—affected an entity’s risk score over time, helping teams conduct more in-depth investigations. It also displays the status of each signal so teams can avoid duplicating work.

Datadog Entities Explorer
The Risk Score Timeline provides a clear view of how specific events have contributed to an entity’s overall risk.

With this information, you can quickly take action by creating a case to collaborate with cross-functional teams and continue the investigation. You have the flexibility to assign the selected signals to yourself or escalate and reassign them to teammates as needed. Additionally, you can address misconfigurations and identity risk signals directly—by adding them to a new case, for example—which closes the loop between investigation and response efficiently.

Entities Side Panel
You can execute bulk actions on entities for faster remediation.

Alternatively, if you determine that the entity does not pose a risk, you can close the signals and review the updated risk score, which will be automatically adjusted.
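To make the scoring behavior described in this post concrete (a per-entity score that weights signals by severity and by how long the threat has persisted, buckets scores into severity thresholds, and re-adjusts when an analyst closes a signal), here is an added example. It is an illustrative model written for this page, not Datadog's risk algorithm or code: the rule table, severity weights, thresholds, persistence factor and 24-hour half-life are all assumptions, and the CloudTrail-style events are constructed. Signals are generated from the events, repeated hits of one rule on one entity merge into a single signal whose active span grows, and archiving a signal drops its contribution to zero.

```python
"""Illustrative entity risk model: signals from constructed CloudTrail-style
events, scored per entity with severity weights, persistence and time decay.
Added example; rules, weights, thresholds and formula are assumptions, not Datadog's."""
from dataclasses import dataclass
from datetime import datetime, timezone

# Assumed detection rules: CloudTrail eventName -> (rule name, severity).
RULES = {
    "DeletePublicAccessBlock": ("s3-public-access-block-removed", "high"),
    "StopLogging": ("cloudtrail-logging-disabled", "critical"),
    "ConsoleLogin": ("console-login-without-mfa", "medium"),  # only when MFAUsed == "No"
}
SEVERITY_WEIGHT = {"low": 5, "medium": 15, "high": 40, "critical": 80}   # assumed
THRESHOLDS = [(80, "critical"), (40, "high"), (20, "medium"), (5, "low"), (0, "info")]  # assumed
HALF_LIFE_HOURS = 24.0   # assumed: a signal's weight halves for every 24h since it was last seen


@dataclass
class Signal:
    entity: str
    rule: str
    severity: str
    first_seen: datetime
    last_seen: datetime
    status: str = "open"      # open, or archived once an analyst closes it


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def signals_from_events(events):
    """Run the rule table over events; repeated hits of one rule on one
    entity merge into a single signal whose first_seen..last_seen span grows."""
    signals = {}
    for ev in events:
        rule = RULES.get(ev["eventName"])
        if rule is None:
            continue
        if ev["eventName"] == "ConsoleLogin" and ev.get("additionalEventData", {}).get("MFAUsed") != "No":
            continue
        name, severity = rule
        entity, t = ev["userIdentity"]["arn"], parse_time(ev["eventTime"])
        sig = signals.get((entity, name))
        if sig is None:
            signals[(entity, name)] = Signal(entity, name, severity, t, t)
        else:
            sig.first_seen, sig.last_seen = min(sig.first_seen, t), max(sig.last_seen, t)
    return list(signals.values())


def contribution(sig, now):
    """Severity weight, scaled up by how long the threat has persisted and
    scaled down by how stale its last activity is; archived signals count 0."""
    if sig.status == "archived":
        return 0.0
    hours_active = (sig.last_seen - sig.first_seen).total_seconds() / 3600
    persistence = 1.0 + min(hours_active / 24, 3.0)         # up to 4x for >= 3 days
    hours_stale = max((now - sig.last_seen).total_seconds() / 3600, 0.0)
    decay = 0.5 ** (hours_stale / HALF_LIFE_HOURS)
    return SEVERITY_WEIGHT[sig.severity] * persistence * decay


def entity_score(signals, entity, now):
    return min(100.0, sum(contribution(s, now) for s in signals if s.entity == entity))


def severity_bucket(score):
    return next(label for floor, label in THRESHOLDS if score >= floor)


def ranked_entities(signals, now):
    """An Entities Explorer-style view: (entity, score, bucket) sorted by score."""
    rows = [(e, entity_score(signals, e, now)) for e in {s.entity for s in signals}]
    return sorted(((e, sc, severity_bucket(sc)) for e, sc in rows), key=lambda r: -r[1])


def close_signal(signals, entity, rule):
    """Analyst judges the signal benign: archive it so the entity's score re-adjusts."""
    for s in signals:
        if s.entity == entity and s.rule == rule:
            s.status = "archived"


USER = "arn:aws:iam::123456789012:user/"
# Constructed sample events (not real CloudTrail data).
EVENTS = [
    {"eventTime": "2024-12-02T12:00:00Z", "eventName": "DeletePublicAccessBlock",
     "userIdentity": {"arn": USER + "alice"}},
    {"eventTime": "2024-12-02T12:00:00Z", "eventName": "StopLogging",
     "userIdentity": {"arn": USER + "carol"}},
    {"eventTime": "2024-11-30T12:00:00Z", "eventName": "ConsoleLogin",
     "additionalEventData": {"MFAUsed": "No"}, "userIdentity": {"arn": USER + "bob"}},
    {"eventTime": "2024-12-01T12:00:00Z", "eventName": "ConsoleLogin",
     "additionalEventData": {"MFAUsed": "No"}, "userIdentity": {"arn": USER + "bob"}},
    {"eventTime": "2024-12-02T11:00:00Z", "eventName": "ConsoleLogin",
     "additionalEventData": {"MFAUsed": "Yes"}, "userIdentity": {"arn": USER + "alice"}},
]
NOW = parse_time("2024-12-02T12:00:00Z")

if __name__ == "__main__":
    sigs = signals_from_events(EVENTS)
    for entity, score, bucket in ranked_entities(sigs, NOW):
        print(f"{bucket:8} {score:6.1f}  {entity}")
    close_signal(sigs, USER + "alice", "s3-public-access-block-removed")
    print("alice after closing her signal:", entity_score(sigs, USER + "alice", NOW))
```

With these inputs carol ranks first (a fresh critical signal), alice second (a fresh high signal), and bob last: his medium-severity no-MFA logins persisted for a day, which doubles their weight, but the last one is a day old, which halves it again. Closing alice's signal drops her to zero and the "info" bucket, which is the re-adjustment the paragraph above describes.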

Increase investigation efficiency with Datadog Risk-based Insights for AWS Entities

In today’s complex security landscape, efficient threat detection and response are essential. With Risk-based Insights for AWS Entities, Datadog Cloud SIEM prioritizes the most severe threats while offering rich context, including misconfiguration and identity risk data. This integrated approach provides a clearer understanding of potential threats, reducing alert noise and signal volume to help security teams investigate effectively.

Check out the Cloud SIEM documentation for more information, or get started now. If you don't already have a Datadog account, you can sign up to try it.