SYSTEM Cited by 1 source
Datadog Cloud SIEM¶
Datadog Cloud SIEM is Datadog's Security Information and Event Management product: a Datadog-native SIEM that ingests security-relevant events from customer + internal telemetry streams, applies detection rules, and generates security signals that feed a case-management + incident-declaration workflow.
Datadog uses Cloud SIEM on itself: verdicts from BewAIre's malicious-PR classifier forward to Cloud SIEM, where a detection rule generates enriched signals that Datadog's Security Incident Response Team (SIRT) triages as cases and escalates to incidents when warranted.
Pipeline shape (Datadog dogfood)¶
GitHub event → BewAIre LLM classifier → verdict {malicious, rationale}
→ Cloud SIEM → detection rule → enriched security signal
→ SIRT case → (escalate if needed) → incident
This is the standard pattern for integrating a custom detector with Cloud SIEM: a detector emits structured verdicts via the logs/events API, a detection rule matches on verdict + context, and the rule's signal output is what humans triage.
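As an added illustration of the pattern just described (example code, not Datadog's own rule engine or API): constructed verdict events, a rule that matches on verdict plus context, one enriched signal per match, and grouping of signals into cases by actor. The event field names and the rule shape are assumptions.

```python
# Added illustration of the detector -> rule -> signal pattern; not Datadog's engine or API.
import json
from collections import defaultdict

# Constructed verdict events (one JSON object per line), as a detector might emit them.
RAW_EVENTS = [
    '{"source":"bewaire","event":"pull_request","repo":"org/app","actor":"u1",'
    '"verdict":{"malicious":true,"rationale":"CI workflow modified by first-time contributor"}}',
    '{"source":"bewaire","event":"pull_request","repo":"org/app","actor":"u2",'
    '"verdict":{"malicious":false,"rationale":"documentation-only change"}}',
    '{"source":"bewaire","event":"pull_request","repo":"org/lib","actor":"u1",'
    '"verdict":{"malicious":true,"rationale":"release workflow secrets referenced"}}',
    '{"source":"other-scanner","event":"pull_request","repo":"org/app","actor":"u3",'
    '"verdict":{"malicious":true,"rationale":"from a detector this rule does not cover"}}',
    'not json at all',  # malformed line: must be skipped, not crash the pipeline
]
# Assumed rule shape: the rule matches on verdict AND context, never on verdict alone.
RULE = {"source": "bewaire", "event": "pull_request", "severity": "high"}

def matches(rule: dict, ev: dict) -> bool:
    """True when source, event type and verdict all agree with the rule."""
    return (ev.get("source") == rule["source"]
            and ev.get("event") == rule["event"]
            and ev.get("verdict", {}).get("malicious") is True)

def to_signal(rule: dict, ev: dict) -> dict:
    """Enriched signal: rationale and context travel with it so triage needs no re-query."""
    return {"severity": rule["severity"], "repo": ev["repo"], "actor": ev["actor"],
            "rationale": ev["verdict"]["rationale"],
            "title": f"Malicious PR verdict: {ev['repo']} by {ev['actor']}"}

def run(rule: dict, raw_events: list) -> list:
    """Parse each line, skip malformed ones, emit one signal per rule match."""
    signals = []
    for line in raw_events:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if matches(rule, ev):
            signals.append(to_signal(rule, ev))
    return signals

def group_cases(signals: list) -> dict:
    """One case per actor: repeated hits across repos collapse into a single triage item."""
    cases = defaultdict(list)
    for s in signals:
        cases[s["actor"]].append(s)
    return dict(cases)
```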
Seen in¶
- sources/2026-03-09-datadog-when-an-ai-agent-came-knocking — canonical wiki instance of Cloud SIEM-as-triage-path for BewAIre's malicious-PR verdicts in the hackerbot-claw campaign.
Related¶
- systems/datadog — Cloud SIEM is part of the broader Datadog platform; other products feed into the same signal pipeline.
- systems/bewaire — an upstream detector.
- concepts/observability — adjacent discipline sharing the same event-ingest + query substrate.
- companies/datadog — operator / vendor.
Stub¶
This page records Cloud SIEM's role as the triage substrate for BewAIre verdicts; a dedicated architecture page for Cloud SIEM's internals (rule engine, signal storage, SIRT workflow integration) would need a dedicated ingested source.