From bb24995ca8608e02a5c095beb496f83e66691dc2 Mon Sep 17 00:00:00 2001 From: Janine Chan Date: Wed, 15 Jul 2026 17:37:43 -0600 Subject: [PATCH 1/2] Get notifications for complete Bits security investigations --- content/en/bits_ai/bits_security_analyst.md | 5 +++++ content/en/security/notifications/rules.md | 3 ++- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/content/en/bits_ai/bits_security_analyst.md b/content/en/bits_ai/bits_security_analyst.md index a8294185a42..32acb20224e 100644 --- a/content/en/bits_ai/bits_security_analyst.md +++ b/content/en/bits_ai/bits_security_analyst.md @@ -120,6 +120,10 @@ Rule eligibility depends on whether Datadog has built the investigation capabili {{< /collapse-content >}} +### Get notifications for completed investigations + +You can create security notification rules to get a notification when Bits Security Analyst completes an investigation. To do so, follow the instructions in [Create notification rules][7]. When you're specifying the tags and attributes that must be present for the notification rule to be triggered, add the tag `@workflow.bits_investigator.state:*`. + ## Disable Bits Security Analyst 1. In Datadog, go to {{< ui >}}Security{{< /ui >}} > {{< ui >}}Settings{{< /ui >}} > [{{< ui >}}Bits Security Analyst{{< /ui >}}][3]. @@ -136,3 +140,4 @@ Rule eligibility depends on whether Datadog has built the investigation capabili [4]: /actions/connections/ [5]: https://app.datadoghq.com/security/siem/signals [6]: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-active.html +[7]: /security/notifications/rules/#create-notification-rules diff --git a/content/en/security/notifications/rules.md b/content/en/security/notifications/rules.md index 6a5d8ab65ec..96bae76620d 100644 --- a/content/en/security/notifications/rules.md +++ b/content/en/security/notifications/rules.md @@ -47,7 +47,8 @@ To create a notification rule, specify the conditions under which the rule shoul - **Finding**: A potential security flaw in your infrastructure. - **Signal**: Suspicious activity that poses an active threat against your infrastructure. 1. Select one or more severity levels. -1. Specify the tags and attributes that must be present in order for the notification rule to be triggered. +1. Specify the tags and attributes that must be present for the notification rule to be triggered. +
If you selected Signal in step 3, you can get notifications for completed Bits Security Analyst investigations by adding the tag @workflow.bits_investigator.state:*.
1. If you selected **Finding** in step 3, select the frequency of the notifications: - **Aggregate results over**: Select this option, followed by a time frame from the list, to only get one notification for detections that occurred over that time frame. - **Trigger immediately for each individual issue meeting the criteria**: Select this option to get one notification for each detection.
**Note**: Selecting this option can result in a large number of notifications. From 1152784e5b9c9239cc1c7a22fa3238c7a5d3b041 Mon Sep 17 00:00:00 2001 From: Janine Chan <64388808+janine-c@users.noreply.github.com> Date: Thu, 16 Jul 2026 12:49:04 -0400 Subject: [PATCH 2/2] Apply suggestion from @evazorro Co-authored-by: Eva Parish --- content/en/bits_ai/bits_security_analyst.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/bits_ai/bits_security_analyst.md b/content/en/bits_ai/bits_security_analyst.md index 32acb20224e..eb5ad2ce11f 100644 --- a/content/en/bits_ai/bits_security_analyst.md +++ b/content/en/bits_ai/bits_security_analyst.md @@ -122,7 +122,7 @@ Rule eligibility depends on whether Datadog has built the investigation capabili ### Get notifications for completed investigations -You can create security notification rules to get a notification when Bits Security Analyst completes an investigation. To do so, follow the instructions in [Create notification rules][7]. When you're specifying the tags and attributes that must be present for the notification rule to be triggered, add the tag `@workflow.bits_investigator.state:*`. +You can create security notification rules to get a notification when Bits Security Analyst completes an investigation. To do so, follow the instructions in [Create notification rules][7]. When specifying the tags and attributes that must be present for the notification rule to be triggered, add the tag `@workflow.bits_investigator.state:*`. ## Disable Bits Security Analyst