Datadog Cloud SIEM

Details
Content
Dependencies
Version History

Datadog Cloud SIEM is a scalable, cloud-native SIEM that analyzes telemetry from cloud and on-premises systems to surface actionable security signals, with out-of-the-box detection rules and dashboards to help teams investigate and respond faster.

Datadog Cloud SIEM elevates organizations’ threat detection and investigation for dynamic, cloud-scale environments.

With Datadog Cloud SIEM, you can augment your existing SIEM investments and deliver better cloud security outcomes. Datadog Cloud SIEM analyzes operational and security logs in real time—regardless of their volume—while utilizing curated, out-of-the-box integrations and rules to detect threats and investigate them. Developers, security, and operations teams can also leverage detailed observability data to accelerate security investigations in a single, unified platform.

Pack Contributors:

Martin GUYARD martin.guyard@datadoghq.com

Contributions are welcome and appreciated. For more info, visit our Contribution Guide.

Datadog Cloud SIEM elevates organizations’ threat detection and investigation for dynamic, cloud-scale environments.

Pack Contributors:

Martin GUYARD martin.guyard@datadoghq.com

Contributions are welcome and appreciated. For more info, visit our Contribution Guide.

Automations

Name	Description
DatadogSyncIncidentFields	Fetches the latest Datadog Security Signal data and updates incident fields.

Classifiers

Name	Description
Datadog Cloud SIEM V2	Classifier for Datadog Cloud SIEM security signals
Datadog Cloud SIEM - Incoming Mapper	Maps incoming Datadog incidents.
Datadog Cloud SIEM V2 - Incoming Mapper	Maps incoming Datadog Cloud SIEM security signals to XSOAR incident fields

Incident Fields

Name	Description
Datadog Cloud SIEM V2 Security Signal Title	Title of the security signal.
Datadog Cloud SIEM V2 Security Signal Message	Message describing the security signal.
Datadog Cloud SIEM Root Cause
Datadog Cloud SIEM
Datadog Cloud SIEM V2 Security Signal Triage Archive Reason	Reason for the triage decision (e.g., false_positive, expected_behavior).
Datadog Cloud SIEM Display Name	The name of the notified handle.
Datadog Cloud SIEM Customer Impact Scope
Datadog Cloud SIEM Resolution Time	The amount of time in seconds to resolve the incident after it was created. Equals the difference between created and resolved.
Datadog Cloud SIEM Public ID	The monotonically increasing integer ID for the incident.
Datadog Cloud SIEM Other Org User Id
Datadog Cloud SIEM Attachment User ID	A unique identifier that represents the user.
Datadog Cloud SIEM Title	The title of the incident, which summarizes what happened.
Datadog Cloud SIEM Duration	Length of the incident's customer impact in seconds. Equals the difference between customer_impact_start and customer_impact_end.
Datadog Cloud SIEM Modified	Timestamp when the incident was last modified.
Datadog Cloud SIEM Integrations ID
Datadog Cloud SIEM Detect and Create Duration
Datadog Cloud SIEM V2 Security Signal Triage Assignee Name	The user assigned to triage this security signal.
Datadog Cloud SIEM V2 Security Signal ID	The unique identifier of the Datadog Cloud SIEM V2 security signal.
Datadog Cloud SIEM V2 Security Signal Tags	Tags associated with the security signal.
Datadog Cloud SIEM User Last Modified
Datadog Cloud SIEM V2 Security Signal Rule ID	The unique identifier of the detection rule that triggered this signal.
Datadog Cloud SIEM Relationships User ID
Datadog Cloud SIEM V2 Security Signal URL	The URL to view the security signal in the Datadog Cloud SIEM V2 console.
Datadog Cloud SIEM Detected	Timestamp when the incident was detected.
Datadog Cloud SIEM Repair Time
Datadog Cloud SIEM Last Modified By	A unique identifier that represents the user.
Datadog Cloud SIEM User Verified
Datadog Cloud SIEM V2 Security Signal Event ID	The unique internal identifier of the Datadog Cloud SIEM V2 security signal.
Datadog Cloud SIEM Detected Method
Datadog Cloud SIEM V2 Security Signal Timestamp	Timestamp when the security signal was generated.
Datadog Cloud SIEM Customer Impacted
Datadog Cloud SIEM V2 Security Signal Triage State	The current triage state of the security signal (open, under_review, archived).
Datadog Cloud SIEM V2 Security Signal Rule URL	URL for viewing the security rule in the Datadog Cloud SIEM V2 console.
Datadog Cloud SIEM V2 Security Signal Triggering Log ID	The ID of the log that triggered this security signal.
Datadog Cloud SIEM V2 Security Signal Severity	The severity level of the Datadog security signal (info, low, medium, high, critical).
Datadog Cloud SIEM Commander User
Datadog Cloud SIEM Resolved	Timestamp when the incident's state was last changed from active or stable to resolved or completed.
Datadog Cloud SIEM Other Org Id
Datadog Cloud SIEM User Creation Time
Datadog Cloud SIEM User Is Service
Datadog Cloud SIEM User Status
Datadog Cloud SIEM User Title
Datadog Cloud SIEM Notification Email	The email address used for the notification.
Datadog Cloud SIEM V2 Security Signal Host	The host associated with the security signal.
Datadog Cloud SIEM V2 Security Signal Triage Archive Comment	Comment explaining the triage decision for this security signal.

Incident Types

Name	Description
Datadog Cloud SIEM
Datadog Cloud SIEM V2

Integrations

Name	Description
Datadog (Partner Contribution)	Deprecated. Datadog is an observability service for cloud-scale applications, providing monitoring of servers, databases, tools, and services, through a SaaS-based data analytics platform. The SaaS platform integrates and automates infrastructure monitoring, application performance monitoring and log management to provide unified, real-time observability of our customers' entire technology stack.
Datadog Cloud SIEM (Partner Contribution)	Datadog Cloud SIEM integration for XSOAR provides security signal management capabilities. This integration allows you to retrieve, filter, and manage security signals from Datadog's Cloud SIEM platform, enabling security teams to investigate threats, manage signal triage states, and assign signals to team members. Supports incoming mirroring of signals to XSOAR incidents.

Name

Description

Datadog (Partner Contribution)

Deprecated. Datadog is an observability service for cloud-scale applications, providing monitoring of servers, databases, tools, and services, through a SaaS-based data analytics platform.

The SaaS platform integrates and automates infrastructure monitoring, application performance monitoring and log management to provide unified, real-time observability of our customers' entire technology stack.

Datadog Cloud SIEM (Partner Contribution)

Datadog Cloud SIEM integration for XSOAR provides security signal management capabilities. This integration allows you to retrieve, filter, and manage security signals from Datadog's Cloud SIEM platform, enabling security teams to investigate threats, manage signal triage states, and assign signals to team members. Supports incoming mirroring of signals to XSOAR incidents.

Layouts

Name	Description
Datadog Cloud SIEM Layout	Datadog Cloud SIEM Incident Layout
Datadog Cloud SIEM V2 Layout	Datadog Cloud SIEM V2 Incident Layout - Enhanced layout for security signal investigation and triage

Automations

Name	Description
DatadogSyncIncidentFields	Fetches the latest Datadog Security Signal data and updates incident fields.
DatadogSyncAlertFields	Fetches the latest Datadog Security Signal data and updates alert fields.

Classifiers

Name	Description
Datadog Cloud SIEM V2	Classifier for Datadog Cloud SIEM security signals
Datadog Cloud SIEM - Incoming Mapper	Maps incoming Datadog incidents.
Datadog Cloud SIEM V2 - Incoming Mapper	Maps incoming Datadog Cloud SIEM security signals to XSOAR incident fields

Incident Fields

Name	Description
Datadog Cloud SIEM V2 Security Signal Triage Archive Comment	Comment explaining the triage decision for this security signal.
Datadog Cloud SIEM
Datadog Cloud SIEM V2 Security Signal Tags	Tags associated with the security signal.
Datadog Cloud SIEM V2 Security Signal Triage Archive Reason	Reason for the triage decision (e.g., false_positive, expected_behavior).
Datadog Cloud SIEM V2 Security Signal URL	The URL to view the security signal in the Datadog Cloud SIEM V2 console.
Datadog Cloud SIEM Modified	Timestamp when the incident was last modified.
Datadog Cloud SIEM Other Org User Id
Datadog Cloud SIEM User Creation Time
Datadog Cloud SIEM Relationships User ID
Datadog Cloud SIEM V2 Security Signal Host	The host associated with the security signal.
Datadog Cloud SIEM V2 Security Signal Triggering Log ID	The ID of the log that triggered this security signal.
Datadog Cloud SIEM V2 Security Signal Timestamp	Timestamp when the security signal was generated.
Datadog Cloud SIEM Resolved	Timestamp when the incident's state was last changed from active or stable to resolved or completed.
Datadog Cloud SIEM Detected Method
Datadog Cloud SIEM V2 Security Signal Event ID	The unique internal identifier of the Datadog Cloud SIEM V2 security signal.
Datadog Cloud SIEM User Is Service
Datadog Cloud SIEM Detect and Create Duration
Datadog Cloud SIEM Integrations ID
Datadog Cloud SIEM User Title
Datadog Cloud SIEM Public ID	The monotonically increasing integer ID for the incident.
Datadog Cloud SIEM Last Modified By	A unique identifier that represents the user.
Datadog Cloud SIEM Commander User
Datadog Cloud SIEM User Last Modified
Datadog Cloud SIEM V2 Security Signal Triage State	The current triage state of the security signal (open, under_review, archived).
Datadog Cloud SIEM V2 Security Signal Triage Assignee Name	The user assigned to triage this security signal.
Datadog Cloud SIEM Title	The title of the incident, which summarizes what happened.
Datadog Cloud SIEM V2 Security Signal Message	Message describing the security signal.
Datadog Cloud SIEM Display Name	The name of the notified handle.
Datadog Cloud SIEM Resolution Time	The amount of time in seconds to resolve the incident after it was created. Equals the difference between created and resolved.
Datadog Cloud SIEM Duration	Length of the incident's customer impact in seconds. Equals the difference between customer_impact_start and customer_impact_end.
Datadog Cloud SIEM Repair Time
Datadog Cloud SIEM Customer Impact Scope
Datadog Cloud SIEM Attachment User ID	A unique identifier that represents the user.
Datadog Cloud SIEM V2 Security Signal Severity	The severity level of the Datadog security signal (info, low, medium, high, critical).
Datadog Cloud SIEM User Verified
Datadog Cloud SIEM Root Cause
Datadog Cloud SIEM V2 Security Signal Title	Title of the security signal.
Datadog Cloud SIEM V2 Security Signal Rule ID	The unique identifier of the detection rule that triggered this signal.
Datadog Cloud SIEM Detected	Timestamp when the incident was detected.
Datadog Cloud SIEM User Status
Datadog Cloud SIEM Notification Email	The email address used for the notification.
Datadog Cloud SIEM V2 Security Signal ID	The unique identifier of the Datadog Cloud SIEM V2 security signal.
Datadog Cloud SIEM V2 Security Signal Rule URL	URL for viewing the security rule in the Datadog Cloud SIEM V2 console.
Datadog Cloud SIEM Other Org Id
Datadog Cloud SIEM Customer Impacted

Incident Types

Name	Description
Datadog Cloud SIEM
Datadog Cloud SIEM V2

Integrations

Name	Description
Datadog Cloud SIEM (Partner Contribution)	Datadog Cloud SIEM integration for XSOAR provides security signal management capabilities. This integration allows you to retrieve, filter, and manage security signals from Datadog's Cloud SIEM platform, enabling security teams to investigate threats, manage signal triage states, and assign signals to team members. Supports incoming mirroring of signals to XSOAR incidents.
Datadog (Partner Contribution)	Deprecated. Datadog is an observability service for cloud-scale applications, providing monitoring of servers, databases, tools, and services, through a SaaS-based data analytics platform. The SaaS platform integrates and automates infrastructure monitoring, application performance monitoring and log management to provide unified, real-time observability of our customers' entire technology stack.

Name

Description

Datadog Cloud SIEM (Partner Contribution)

Datadog (Partner Contribution)

Deprecated. Datadog is an observability service for cloud-scale applications, providing monitoring of servers, databases, tools, and services, through a SaaS-based data analytics platform.

Layouts

Name	Description
Datadog Cloud SIEM V2 Layout	Datadog Cloud SIEM V2 Incident Layout - Enhanced layout for security signal investigation and triage
Datadog Cloud SIEM Layout	Datadog Cloud SIEM Incident Layout

Required Content Packs (1)

Pack Name	Pack By
Base	By: Cortex XSOAR

Optional Content Packs (1)

Pack Name	Pack By
Common Types	By: Cortex XSOAR

All level dependencies (2)

Pack Name	Pack By
Base	By: Cortex XSOAR
Aggregated Scripts	By: Cortex XSOAR

1.1.1 - 6758702 (January 18, 2026)

Integrations

Added the provider field to the DatadogCloudSIEMV2 integration.

Related pull requests:
- 42677

Download

1.1.0 - R6672079 (January 13, 2026)

Classifiers

Datadog Cloud SIEM V2

Classifier for routing Datadog security signals to the correct incident type.

Incident Fields

Datadog Cloud SIEM V2 Security Signal ID
Unique identifier for the security signal.
Datadog Cloud SIEM V2 Security Signal Event ID
Event ID of the security signal.
Datadog Cloud SIEM V2 Security Signal Title
Title of the security signal.
Datadog Cloud SIEM V2 Security Signal Message
Detailed message describing the security signal.
Datadog Cloud SIEM V2 Security Signal Timestamp
When the security signal was generated.
Datadog Cloud SIEM V2 Security Signal Severity
Severity level (info, low, medium, high, critical).
Datadog Cloud SIEM V2 Security Signal Host
Host associated with the security signal.
Datadog Cloud SIEM V2 Security Signal Tags
Tags associated with the security signal.
Datadog Cloud SIEM V2 Security Signal URL
Direct link to the signal in Datadog UI.
Datadog Cloud SIEM V2 Security Signal Triggering Log ID
ID of the log that triggered the signal.
Datadog Cloud SIEM V2 Security Signal Rule ID
ID of the detection rule.
Datadog Cloud SIEM V2 Security Signal Rule URL
Link to the detection rule in Datadog UI.
Datadog Cloud SIEM V2 Security Signal Triage State
Current triage state (open, under_review, archived).
Datadog Cloud SIEM V2 Security Signal Triage Assignee Name
Name of the assigned analyst.
Datadog Cloud SIEM V2 Security Signal Triage Archive Reason
Reason for archiving the signal.
Datadog Cloud SIEM V2 Security Signal Triage Archive Comment
Comments explaining the archive decision.

Incident Types

Datadog Cloud SIEM V2
New incident type for Datadog Cloud SIEM security signals.

Integrations

Datadog Cloud SIEM

Breaking Change: Major version update with new integration structure.
Enhanced security signal management and triage capabilities.

Layouts

Datadog Cloud SIEM V2 Layout
Custom layout for visualizing and managing Datadog security signals in XSOAR.

Mappers

Datadog Cloud SIEM V2 - Incoming Mapper

Maps incoming Datadog security signal data to XSOAR incident fields.

Scripts

DatadogSyncIncidentFields

Script to fetch and sync the latest security signal data from Datadog to XSOAR incident fields.

Related pull requests:
- 41456
- 42543

Download

1.0.19 - 6372857 (December 21, 2025)

Incident Fields

Datadog Cloud SIEM User Is Service
Fixed a typo in Datadog Cloud SIEM User Is Service incident field.

Related pull requests:
- 42349

Download

1.0.18 - 6314563 (December 17, 2025)

Incident Fields

Datadog Cloud SIEM
Updated incident field.
Datadog Cloud SIEM Attachment User ID
Updated incident field.
Datadog Cloud SIEM Commander User
Updated incident field.
Datadog Cloud SIEM Customer Impact Scope
Updated incident field.
Datadog Cloud SIEM Customer Impacted
Updated incident field.
Datadog Cloud SIEM Detect and Create Duration
Updated incident field.
Datadog Cloud SIEM Detected
Updated incident field.
Datadog Cloud SIEM Detected Method
Updated incident field.
Datadog Cloud SIEM Display Name
Updated incident field.
Datadog Cloud SIEM Duration
Updated incident field.
Datadog Cloud SIEM Integrations ID
Updated incident field.
Datadog Cloud SIEM Last Modified By
Updated incident field.
Datadog Cloud SIEM Modified
Updated incident field.
Datadog Cloud SIEM Notification Email
Updated incident field.
Datadog Cloud SIEM Other Org Id
Updated incident field.
Datadog Cloud SIEM Other Org User Id
Updated incident field.
Datadog Cloud SIEM Public ID
Updated incident field.
Datadog Cloud SIEM Relationships User ID
Updated incident field.
Datadog Cloud SIEM Repair Time
Updated incident field.
Datadog Cloud SIEM Resolution Time
Updated incident field.
Datadog Cloud SIEM Resolved
Updated incident field.
Datadog Cloud SIEM Root Cause
Updated incident field.
Datadog Cloud SIEM Title
Updated incident field.
Datadog Cloud SIEM User Creation Time
Updated incident field.
Datadog Cloud SIEM User Last Modified
Updated incident field.
Datadog Cloud SIEM User Status
Updated incident field.
Datadog Cloud SIEM User Title
Updated incident field.
Datadog Cloud SIEM User Verified
Updated incident field.
DatadoDatadog Cloud SIEMg User Is Service
Updated incident field.

Incident Types

Datadog Cloud SIEM
Updated incident type.

Integrations

Datadog

We are releasing a new Datadog Cloud SIEM integration. This update aligns the integration with Cloud SIEM best practices for security alerting.
Deprecation Notice: The legacy integration is now deprecated. It will remain available for a transition period of 6 months and will be removed entirely on June 30, 2026. We encourage users to migrate to the new integration immediately to ensure continued support.
If this change impacts your workflows, please use this form to let us know. Our team will review your requirements and work with you on a solution, including adding specific commands or functionality to the supported Datadog integration if needed.

Layouts

Datadog Cloud SIEM Layout
Updated layout.

Mappers

Datadog Cloud SIEM - Incoming Mapper

Updated mapper.

Related pull requests:
- 42282
- 42311

Download

1.0.17 - 5636304 (October 29, 2025)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 42149
- 42311
- 42282

Download

1.0.16 - R3444919 (May 18, 2025)

Integrations

Datadog Cloud SIEM

Metadata and documentation improvements.

Related pull requests:
- 39089

Download

1.0.15 - R2988287 (March 26, 2025)

Integrations

Datadog Cloud SIEM

Documentation and metadata improvements.

Related pull requests:
- 37886

Download

1.1.1 - 6758702 (January 18, 2026)

Integrations

Datadog Cloud SIEM

Added the provider field to the DatadogCloudSIEMV2 integration.

Related pull requests:
- 42677

Download

1.1.0 - R6672079 (January 13, 2026)

Classifiers

Datadog Cloud SIEM V2

Classifier for routing Datadog security signals to the correct incident type.

Incident Fields

Datadog Cloud SIEM V2 Security Signal ID
Unique identifier for the security signal.
Datadog Cloud SIEM V2 Security Signal Event ID
Event ID of the security signal.
Datadog Cloud SIEM V2 Security Signal Title
Title of the security signal.
Datadog Cloud SIEM V2 Security Signal Message
Detailed message describing the security signal.
Datadog Cloud SIEM V2 Security Signal Timestamp
When the security signal was generated.
Datadog Cloud SIEM V2 Security Signal Severity
Severity level (info, low, medium, high, critical).
Datadog Cloud SIEM V2 Security Signal Host
Host associated with the security signal.
Datadog Cloud SIEM V2 Security Signal Tags
Tags associated with the security signal.
Datadog Cloud SIEM V2 Security Signal URL
Direct link to the signal in Datadog UI.
Datadog Cloud SIEM V2 Security Signal Triggering Log ID
ID of the log that triggered the signal.
Datadog Cloud SIEM V2 Security Signal Rule ID
ID of the detection rule.
Datadog Cloud SIEM V2 Security Signal Rule URL
Link to the detection rule in Datadog UI.
Datadog Cloud SIEM V2 Security Signal Triage State
Current triage state (open, under_review, archived).
Datadog Cloud SIEM V2 Security Signal Triage Assignee Name
Name of the assigned analyst.
Datadog Cloud SIEM V2 Security Signal Triage Archive Reason
Reason for archiving the signal.
Datadog Cloud SIEM V2 Security Signal Triage Archive Comment
Comments explaining the archive decision.

Incident Types

Datadog Cloud SIEM V2
New incident type for Datadog Cloud SIEM security signals.

Integrations

Datadog Cloud SIEM

Breaking Change: Major version update with new integration structure.
Enhanced security signal management and triage capabilities.

Layouts

Datadog Cloud SIEM V2 Layout
Custom layout for visualizing and managing Datadog security signals in XSOAR.

Mappers

Datadog Cloud SIEM V2 - Incoming Mapper

Maps incoming Datadog security signal data to XSOAR incident fields.

Scripts

DatadogSyncIncidentFields

Script to fetch and sync the latest security signal data from Datadog to XSOAR incident fields.

Related pull requests:
- 41456
- 42543

Download

1.0.19 - 6372857 (December 21, 2025)

Incident Fields

Datadog Cloud SIEM User Is Service
Fixed a typo in Datadog Cloud SIEM User Is Service incident field.

Related pull requests:
- 42349

Download

1.0.18 - 6314563 (December 17, 2025)

Incident Fields

Datadog Cloud SIEM
Updated incident field.
Datadog Cloud SIEM Attachment User ID
Updated incident field.
Datadog Cloud SIEM Commander User
Updated incident field.
Datadog Cloud SIEM Customer Impact Scope
Updated incident field.
Datadog Cloud SIEM Customer Impacted
Updated incident field.
Datadog Cloud SIEM Detect and Create Duration
Updated incident field.
Datadog Cloud SIEM Detected
Updated incident field.
Datadog Cloud SIEM Detected Method
Updated incident field.
Datadog Cloud SIEM Display Name
Updated incident field.
Datadog Cloud SIEM Duration
Updated incident field.
Datadog Cloud SIEM Integrations ID
Updated incident field.
Datadog Cloud SIEM Last Modified By
Updated incident field.
Datadog Cloud SIEM Modified
Updated incident field.
Datadog Cloud SIEM Notification Email
Updated incident field.
Datadog Cloud SIEM Other Org Id
Updated incident field.
Datadog Cloud SIEM Other Org User Id
Updated incident field.
Datadog Cloud SIEM Public ID
Updated incident field.
Datadog Cloud SIEM Relationships User ID
Updated incident field.
Datadog Cloud SIEM Repair Time
Updated incident field.
Datadog Cloud SIEM Resolution Time
Updated incident field.
Datadog Cloud SIEM Resolved
Updated incident field.
Datadog Cloud SIEM Root Cause
Updated incident field.
Datadog Cloud SIEM Title
Updated incident field.
Datadog Cloud SIEM User Creation Time
Updated incident field.
Datadog Cloud SIEM User Last Modified
Updated incident field.
Datadog Cloud SIEM User Status
Updated incident field.
Datadog Cloud SIEM User Title
Updated incident field.
Datadog Cloud SIEM User Verified
Updated incident field.
DatadoDatadog Cloud SIEMg User Is Service
Updated incident field.

Incident Types

Datadog Cloud SIEM
Updated incident type.

Integrations

Datadog

Layouts

Datadog Cloud SIEM Layout
Updated layout.

Mappers

Datadog Cloud SIEM - Incoming Mapper

Updated mapper.

Related pull requests:
- 42282
- 42311

Download

1.0.17 - 5636304 (October 29, 2025)

Changes are not relevant for XSIAM marketplace.

Related pull requests:
- 42149
- 42282
- 42311

Download

1.0.16 - R3444919 (May 18, 2025)

Integrations

Datadog Cloud SIEM

Metadata and documentation improvements.

Related pull requests:
- 39089

Download

1.0.15 - R2988287 (March 26, 2025)

Integrations

Datadog Cloud SIEM

Documentation and metadata improvements.

Related pull requests:
- 37886

Download

PUBLISHER

PLATFORMS

Cortex XSOARCortex XSIAM

INFO

Certification	Certified	Read more
Supported By	Partner
Created	May 16, 2023
Last Release	January 18, 2026

Incident Response

Threat Intelligence Management

WORKS WITH THE FOLLOWING INTEGRATIONS:

DISCLAIMER

Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise.