Riot Games is a leading global video game developer and publisher, managing massive infrastructure across hybrid and multi-cloud environments. Its security team faced a daunting challenge: processing enormous volumes of security data efficiently while maintaining fast, accurate threat detection across complex systems.
Before adopting their current approach with Datadog Cloud SIEM, Riot Games’ security engineers relied on multiple tools and manual processes to manage logs and alerts. Ingesting custom application logs and integrating disparate data sources proved slow and error-prone. “The fact of the matter is some SIEMs don’t have all the integrations, and honestly, it’s not possible for a SIEM to have every log integration. Some logs come from custom applications unique to our setup, and ingesting those can be tricky and time-consuming,” says Nathan Pitchaikani, Senior Security Engineer at Riot Games.
The team also struggled with alert noise and delayed investigations. Historical log rehydration could take 6 to 8 hours, slowing down response times and leaving gaps in coverage. Analysts spent excessive time triaging low-value alerts like port scanning or routine behavioral detections, which diverted attention from true threats.
To address these challenges, Riot Games migrated to Datadog Cloud SIEM to consolidate logs, streamline alert management, and automate triage and response. Datadog’s correlation capabilities and SOAR integrations allowed the team to enrich alerts with context, prioritize high-fidelity threats, and automate repetitive investigative tasks. “Before, rehydration of historical logs could take 6 to 8 hours. By the time we had the data, threat actors could have already moved laterally in our environment. With Datadog, we can now rehydrate logs in minutes, targeting only the relevant user or time period,” Pitchaikani notes.
The impact has been significant. Analysts now focus on critical threats rather than manual triage, investigations that once took hours can be completed in minutes, and alert noise has been reduced dramatically. Automated enrichment and correlation save time while preserving high security standards. “By combining correlation and automation, we save so much time. Instead of triaging the same alert repeatedly, our automations handle it, allowing analysts to focus on critical threats,” Pitchaikani explains.
Riot Games’ security team has built an investigation and automation workflow that makes the most of the data they ingest. Pitchaikani explained that they begin with Datadog detection signals, forward them to their SOAR for enrichment and automated response, and pull in additional context from Datadog via API when deeper investigation is needed. “Datadog has tons of data in it. We start with detection signals, send them to our SOAR, and when appropriate, grab additional data from Datadog through the API,” he says.
By standardizing on consistent fields and using Datadog’s signal explorer as a high-fidelity telemetry source, Riot Games’ analysts can quickly correlate identity, endpoint, cloud, and network activity without jumping across tools—freeing them to hone their detection engineering and focus on the threats that matter most.
Riot Games’ security team has streamlined investigations and incident response by using Datadog Cloud SIEM as their central source of security telemetry and integrating it deeply with their SOAR. With correlation rules, targeted log rehydration, and automation reducing the manual load, the team can devote more time to higher-value work—advancing their detection engineering practice, running purple teaming exercises, and using tools like Stratus Red Team to emulate real-world cloud attack techniques and validate their defenses.