Cloud SIEM custom detection rules Cdocsification#35279
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 43de641f0e
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
| 1. {% if equals($cloud_siem_detection_rule_type, "real_time_rule") %}Select **Real-Time Rule**.{% /if %} | ||
| {% if equals($cloud_siem_detection_rule_type, "scheduled_rule") %}Select **Scheduled Rule**.{% /if %} | ||
| {% if equals($cloud_siem_detection_rule_type, "historical_job") %}Select **Historical job**, then select the **Logs Index** and **Timerange** for the job.{% /if %} | ||
| 1. {% if equals($cloud_siem_detection_rule_search_query, "threshold") %}Select the **Threshold** detection method.{% /if %} | ||
| {% if equals($cloud_siem_detection_rule_search_query, "new_value") %}Select the **New value** detection method.{% /if %} |
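Review bot: The three variant labels in the rule-type step are cased inconsistently: **Real-Time Rule** and **Scheduled Rule** are title case while **Historical job** is sentence case. Since bold text here stands for the literal UI label the reader has to find on screen, check the product UI and make all three match it exactly rather than leaving the casing to differ per branch.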
Move ordered-list markers into each conditional step
The numbered steps in "Create a rule" place 1. outside the {% if ... %} blocks, so non-default variants render an empty list item followed by plain text instead of a proper numbered step (for example, scheduled_rule and any search query other than threshold). This breaks the procedural flow for most filter combinations and makes the instructions harder to follow.
| - These parameters help to identify field content that is both unusual and rare, filtering out minor or common variations. | ||
| - See [Anomaly detection parameters][601] for more information. | ||
|
|
||
| [601]: /security/cloud_siem/detect_and_monitor/custom_detection_rules/content_anomaly/#anomaly-detection-parameters No newline at end of file |
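Review bot: The partial ends without a trailing newline (note the "No newline at end of file" marker on the `[601]:` definition line), so when this partial is rendered directly before other content the reference definition can end up sharing its line with whatever follows and stop being recognised as a link definition. Add a final newline to the file; keeping reference definitions on their own terminated line is also what makes the label collision noted above easier to spot.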
Avoid reusing markdown reference id 601 across partials
This partial defines link reference [601], but unit_testing.mdoc.md also defines [601] to a different URL and both partials are included in the content-anomaly render paths of create_rule/_index.mdoc.md. Because markdown reference labels are document-scoped, this collision makes at least one of the links resolve to the wrong destination depending on parser behavior.
What does this PR do? What is the motivation?
Converts the Cloud SIEM page about creating custom detection rules into Cdocs!
Merge instructions
Merge readiness:
For Datadog employees:
Your branch name MUST follow the <name>/<description> convention and include the forward slash (/). Without this format, your pull request will not pass CI, the GitLab pipeline will not run, and you won't get a branch preview. Getting a branch preview makes it easier for us to check any issues with your PR, such as broken links. If your branch doesn't follow this format, rename it or create a new branch and PR.
[6/5/2025] Merge queue has been disabled on the documentation repo. If you have write access to the repo, the PR has been reviewed by a Documentation team member, and all of the required checks have passed, you can use the Squash and Merge button to merge the PR. If you don't have write access, or you need help, reach out in the #documentation channel in Slack.