
How we use Datadog for detection as code

What's this blog post about?

Detection as Code (DaC) is a methodology that applies software engineering best practices to the implementation and management of detection rules and response runbooks in threat detection logic and security operations processes. It addresses pain points of traditional security operations such as version control, consistent review and approval, and maintenance at scale. Datadog's Threat Detection team has adopted the DaC methodology for products like Cloud SIEM, Application Security Management (ASM), and Cloud Security Management (CSM). The company uses Terraform to write detection rules as resources, with a repository structure that includes directories for rules, organizations, and tests. A CI/CD pipeline handles linting, testing, and deploying the rules. The detection development flow involves creating a Log Search query, validating it with test data or Stratus Red Team, and then exporting the rule as a Terraform file before merging it into the repository.

Company
Datadog

Date published
Oct. 11, 2024

Author(s)
Christine Le, Christopher Camacho

Word count
2243

Hacker News points
None found.

Language
English


By Matt Makai. 2021-2024.