DataDog · maycmlee · Dec 12, 2023 · Dec 11, 2023 · Dec 11, 2023 · Dec 11, 2023
@@ -63,26 +63,51 @@
 3. Select and configure [Content Packs][9], which provide out-of-the-box content for critical security log sources.
 4. Select and configure [additional log sources][10] you want Cloud SIEM to analyze.
 5. Click **Activate**. A custom Cloud SIEM log index (`cloud-siem-xxxx`) is created.
-6. Navigate to the [Logs Indexes configuration][11] page.
-7. Move the Cloud SIEM index to the top of the index list. Cloud SIEM analyzes all logs going into the Cloud SIEM index. You can configure the index to filter for specific log events. See the [Log Index documentation][12] for more information.
+6. If the Cloud SIEM setup page shows the warning "The Cloud SIEM index is not in the first position", follow the steps in the [Reorder the Cloud SIEM index](#reorder-the-cloud-siem-index) section.
+
+### Reorder the Cloud SIEM index
+
+{{< img src="getting_started/cloud_siem/cloud-siem-setup-warning.png" alt="A yellow warning box saying that the index configuration needs attention" style="width:80%;">}}
+
+1. Click **Reorder index in Logs Configuration**.
+
+2. Confirm the modal title says "Move cloud-siem-xxxx to..." and that the `cloud-siem-xxxx` text in the index column is light purple.
+
+{{< img src="getting_started/cloud_siem/move-index-modal.png" alt="The Move cloud-siem-xxxx modal showing the list of indexes with cloud-siem-xxxx index as the last index" style="width:60%;">}}
+
+3. To select the new placement of your index, click the top line of the index where you want `cloud-siem-xxxx` to go. For example, if you want to make the `cloud-siem-xxxx` index the first index, click on the line *above* the current first index. The new position is highlighted with a thick blue line.
+
+{{< img src="getting_started/cloud_siem/move-index-highlight.png" alt="The Move cloud-siem-xxxx modal showing a blue line at the top of the first index" style="width:65%;">}}
+
+4. The text confirms the position selected: "Select the new placement of your index: Position 1". Click **Move**.
+
+5. Review the warning text. If you are satisfied with the change, click **Reorder**.
+
+6. Review the index order and confirm that the `cloud-siem-xxxx` index is where you want it. If you want to move the index, click the **Move to** icon and follow steps 3 to 5.
+
+7. Navigate back to the [Cloud SIEM setup page][11].
+
+The Cloud SIEM index should be in the first index position now. If the setup page still displays a warning about the index position, wait a few minutes and refresh the browser.
+
+After the index is moved to the first index position, review the settings and statuses for the [Content Packs][11] and [other log sources][11]. For each integration that shows a warning or an error, click on the integration and follow the instructions to fix it.
 
 ## Phase 2: Signal exploration
 
-1. Review the [out-of-the-box detection rules][13] that begin detecting threats in your environment immediately. Detection rules apply to all processed logs to maximize detection coverage. See the [detection rules][14] documentation for more information.
+1. Review the [out-of-the-box detection rules][12] that begin detecting threats in your environment immediately. Detection rules apply to all processed logs to maximize detection coverage. See the [detection rules][13] documentation for more information.
 
-2. Explore [security signals][15]. When a threat is detected with a detection rule, a security signal is generated. See the [security signals][16] documentation for more information.
+2. Explore [security signals][14]. When a threat is detected with a detection rule, a security signal is generated. See the [security signals][15] documentation for more information.
 
-    - [Set up notification rules][17] to alert when signals are generated. You can alert using Slack, Jira, email, webhooks, and other integrations. See the [notification rules][18] documentation for more information.
+    - [Set up notification rules][16] to alert when signals are generated. You can alert using Slack, Jira, email, webhooks, and other integrations. See the [notification rules][17] documentation for more information.
 
 ## Phase 3: Investigation
 
-1. Explore the [Investigator][19] for faster remediation. See the [Investigator][20] documentation for more information.
-2. Use [out-of-the-box-dashboards][21] or [create your own dashboards][22] for investigations, reporting, and monitoring.
+1. Explore the [Investigator][18] for faster remediation. See the [Investigator][19] documentation for more information.
+2. Use [out-of-the-box-dashboards][20] or [create your own dashboards][21] for investigations, reporting, and monitoring.
 
 ## Phase 4: Customization
 
-1. Set up [suppression rules][23] to reduce noise. 
-2. Create [custom detection rules][24]. Review [Best Practices for Creating Detection Rules][25].
+1. Set up [suppression rules][22] to reduce noise. 
+2. Create [custom detection rules][23]. Review [Best Practices for Creating Detection Rules][24].
 
 ## Further Reading
 
@@ -96,20 +121,19 @@
 [6]: https://www.datadoghq.com/blog/monitoring-cloudtrail-logs/
 [7]: https://www.datadoghq.com/blog/how-to-monitor-authentication-logs/
 [8]: https://app.datadoghq.com/security/landing
-[9]: https://app.datadoghq.com/security/content-packs
+[9]: https://app.datadoghq.com/security/onboarding?contentPacks=&logSources=&step=0
 [10]: https://app.datadoghq.com/security/onboarding?contentPacks=&logSources=&step=1
-[11]: https://app.datadoghq.com/logs/pipelines/indexes
-[12]: /logs/log_configuration/indexes/
-[13]: /security/default_rules/#cat-cloud-siem-log-detection
-[14]: /security/detection_rules/
-[15]: https://app.datadoghq.com/security?query=%40workflow.rule.type%3A%28%22Log%20Detection%22%20OR%20%22Signal%20Correlation%22%29&column=time&order=desc&product=siem&view=signal&viz=stream&start=1676321431953&end=1676407831953&paused=false
-[16]: /security/explorer
-[17]: https://app.datadoghq.com/security/configuration/notification-rules
-[18]: /security/notifications/rules/
-[19]: https://app.datadoghq.com/security/investigator/
-[20]: /security/cloud_siem/investigator
-[21]: https://app.datadoghq.com/dashboard/lists/preset/100
-[22]: /dashboards/#overview
-[23]: /security/cloud_siem/log_detection_rules/?tab=threshold#advanced-options
-[24]: /security/cloud_siem/log_detection_rules/
-[25]: https://www.datadoghq.com/blog/writing-datadog-security-detection-rules/
+[11]: https://app.datadoghq.com/security/configuration/siem/setup
+[12]: /security/default_rules/#cat-cloud-siem-log-detection
+[13]: /security/detection_rules/
+[14]: https://app.datadoghq.com/security?query=%40workflow.rule.type%3A%28%22Log%20Detection%22%20OR%20%22Signal%20Correlation%22%29&column=time&order=desc&product=siem&view=signal&viz=stream&start=1676321431953&end=1676407831953&paused=false
+[15]: /security/explorer
+[16]: https://app.datadoghq.com/security/configuration/notification-rules
+[17]: /security/notifications/rules/
+[18]: https://app.datadoghq.com/security/investigator/
+[19]: /security/cloud_siem/investigator
+[20]: https://app.datadoghq.com/dashboard/lists/preset/100
+[21]: /dashboards/#overview
+[22]: /security/cloud_siem/log_detection_rules/?tab=threshold#advanced-options
+[23]: /security/cloud_siem/log_detection_rules/
+[24]: https://www.datadoghq.com/blog/writing-datadog-security-detection-rules/