Overview
This topic describes threat intelligence for App and API Protection (AAP).
Datadog provides built-in threat intelligence datasets for AAP. These datasets give you additional evidence when you act on security activity, and they lower the detection thresholds for some business logic detections.
AAP also supports bring your own threat intelligence, which enriches detections with indicators specific to your business.
Best practices
Datadog recommends the following methods for consuming threat intelligence:
- Reducing detection rule thresholds for business logic threats such as credential stuffing. Users can clone the default Credential Stuffing rule and modify it to meet their needs.
- Using threat intelligence as an indicator of reputation alongside security activity.
Datadog recommends against the following:
- Blocking threat intelligence traces without corresponding security activity. An IP address can have many hosts behind it. A residential proxy detection means that proxy activity was observed from a host behind that IP; it does not guarantee that the host running the malware or proxy is the same host that is communicating with your services.
- Blocking on all threat intelligence categories. Some categories, such as corporate VPNs, cover benign traffic, so blocking on every category also blocks legitimate users.
Filtering on threat intelligence in AAP
Users can filter on threat intelligence in the Signals and Traces explorers using facets and the search bar.
To search for all traces flagged by a specific source, use the following query with the source name:
@threat_intel.results.source.name:<SOURCE_NAME>
To query for all traces containing threat intelligence from any source, use the following query:
@appsec.threat_intel:true
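The following added example, which is not Datadog's rule implementation or code from this page, puts the best practices above and the two searches into working detection logic: it filters constructed traces the way the two queries do, lowers a credential-stuffing threshold only for IPs that carry non-benign threat intelligence, and never produces a block candidate for an IP whose only evidence is a threat intelligence match. The attribute names @appsec.threat_intel, @appsec.security_activity and @threat_intel.results[].source.name / .category come from this page; the nested JSON layout, the source names, the category strings (including the corporate_vpn label), the login_failure activity value and the threshold values are assumptions made for the example.

```python
"""Threat intel as a reputation signal in credential-stuffing detection (illustrative)."""
from collections import defaultdict

# Constructed sample traces. Only the attribute names @appsec.threat_intel,
# @appsec.security_activity and @threat_intel.results[].source.name / .category
# are taken from the documentation; the shape, values and category labels are
# assumptions for this example.
TRACES = [
    # 4 failed logins from an IP with no threat intel.
    *[{"client_ip": "198.51.100.7",
       "appsec": {"threat_intel": False, "security_activity": "login_failure"},
       "threat_intel": {"results": []}} for _ in range(4)],
    # 4 failed logins from an IP a feed flags as a residential proxy.
    *[{"client_ip": "203.0.113.21",
       "appsec": {"threat_intel": True, "security_activity": "login_failure"},
       "threat_intel": {"results": [{"source": {"name": "proxy_feed"},
                                     "category": "residential_proxy"}]}} for _ in range(4)],
    # 4 failed logins from a corporate VPN egress: flagged, but a benign category.
    *[{"client_ip": "192.0.2.33",
       "appsec": {"threat_intel": True, "security_activity": "login_failure"},
       "threat_intel": {"results": [{"source": {"name": "vpn_feed"},
                                     "category": "corporate_vpn"}]}} for _ in range(4)],
    # Ordinary request from a flagged IP with no security activity at all.
    {"client_ip": "203.0.113.99",
     "appsec": {"threat_intel": True, "security_activity": None},
     "threat_intel": {"results": [{"source": {"name": "proxy_feed"},
                                   "category": "residential_proxy"}]}},
]

BASE_THRESHOLD = 10       # failed logins per IP before a signal fires (assumed value)
REDUCED_THRESHOLD = 3     # lower bar when the IP carries non-benign threat intel (assumed)
BENIGN_CATEGORIES = {"corporate_vpn"}   # assumed label for categories not worth acting on


def trace_results(trace):
    """All @threat_intel.results entries on a trace (empty list if none)."""
    return trace.get("threat_intel", {}).get("results", [])


def has_threat_intel(trace):
    """Same selection as the search @appsec.threat_intel:true."""
    return bool(trace["appsec"].get("threat_intel"))


def traces_from_source(traces, source_name):
    """Same selection as @threat_intel.results.source.name:<SOURCE_NAME>."""
    return [t for t in traces
            if any(r["source"]["name"] == source_name for r in trace_results(t))]


def actionable_categories(trace):
    """Categories that justify a lower threshold: everything except benign ones."""
    return {r["category"] for r in trace_results(trace)} - BENIGN_CATEGORIES


def credential_stuffing_signals(traces):
    """Count login failures per IP and apply a threat-intel-aware threshold.

    Returns {ip: (failures, threshold_used, fired)}. IPs with no security
    activity never appear, however bad their reputation is.
    """
    failures = defaultdict(int)
    flagged = defaultdict(set)
    for t in traces:
        if t["appsec"].get("security_activity") != "login_failure":
            continue
        ip = t["client_ip"]
        failures[ip] += 1
        flagged[ip] |= actionable_categories(t)
    signals = {}
    for ip, count in failures.items():
        threshold = REDUCED_THRESHOLD if flagged[ip] else BASE_THRESHOLD
        signals[ip] = (count, threshold, count >= threshold)
    return signals


def block_candidates(traces):
    """IPs eligible for blocking: a fired signal is required, reputation alone is not enough."""
    return {ip for ip, (_, _, fired) in credential_stuffing_signals(traces).items() if fired}


if __name__ == "__main__":
    print("traces from proxy_feed:", len(traces_from_source(TRACES, "proxy_feed")))
    print("traces with any threat intel:", sum(has_threat_intel(t) for t in TRACES))
    for ip, (n, thr, fired) in credential_stuffing_signals(TRACES).items():
        print(f"{ip}: {n} failures, threshold {thr}, signal={fired}")
    print("block candidates:", block_candidates(TRACES))
```

With the constructed data, the residential-proxy IP fires at 4 failures because its threshold drops to 3, the clean IP and the corporate VPN IP stay below the base threshold of 10, and the flagged IP with no login activity is never a block candidate, which is exactly the behaviour the recommendations above describe.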
Bring your own threat intelligence
AAP supports enriching and searching traces with threat intelligence indicators of compromise stored in Datadog Reference Tables. Reference Tables let you join your own metadata with information already in Datadog.
For more information, see the Bring Your Own Threat Intelligence guide.
Threat intelligence in the user interface
When viewing traces in the AAP Traces Explorer, you can see threat intelligence data under the @appsec attribute. Both the category and security_activity attributes are set.
Under @threat_intel.results you can see the full details of what was matched and from which source.