Auditoría de eventos de seguridad de Datadog
Disponible para:
Cloud SIEM
|
Cloud Security Management
|
Application Security Management
Como administrador o miembro de un equipo de seguridad, puedes utilizar Audit Trail para ver qué acciones está realizando tu equipo en Datadog Security. Como individuo, puedes ver un flujo (stream) de tus propias acciones. En el caso de los administradores de seguridad o los equipos de InfoSec, los eventos de Audit Trail ayudan con los checks de cumplimiento y el mantenimiento de pistas de auditoría de quién ha hecho qué, y cuándo en tus recursos Datadog.
Para ver logs de auditoría generados por acciones realizadas en Datadog Security, ve a la página de Audit Trail en Datadog. Los siguientes eventos específicos de productos están disponibles para Datadog Security:
| Name | Description of audit event | Query in audit explorer |
|---|
| CWS agent rule | A user accessed (fetched) a CWS agent rule in the Cloud Security Platform. | @evt.name:"Cloud Security Platform" @asset.type:cws_agent_rule @action:accessed |
| Notification profile | A user created, updated, or deleted a notification profile in the Cloud Security Platform. | @evt.name:"Cloud Security Platform" @asset.type:notification_profile |
| Security rule | A user validated, updated, deleted, or created a security rule and the previous and new values for the rule. | @evt.name:"Cloud Security Platform" @asset.type:security_rule |
| Security signal | A user modified the state of a signal or assigned the signal to a user, and the previous and new values for the signal. | @evt.name:"Cloud Security Platform" @asset.type:security_signal @action:modified |
| Report subscription | A user subscribed or unsubscribed from a K9 email report. | @evt.name:"Cloud Security Platform" @asset.type:report_subscription |
Application Security Management
| Name | Description of audit event | Query in audit explorer |
|---|
| One-click Activation | A user activated or de-activated ASM on a service. | @evt.name:"Application Security" @asset.type:compatible_services |
| Protection | A user enabled or disabled the ASM protection. | @evt.name:"Application Security" @asset.type:blocking_configuration |
| Denylist | A user blocked, unblocked, or extended the blocking duration of an IP address or a user ID. | @evt.name:"Application Security" @asset.type:ip_user_denylist |
| Passlist | A user added, modified, or deleted an entry to the passlist. | @evt.name:"Application Security" @asset.type:passlist_entry |
| In-App WAF Policy | A user created, modified, or deleted an In-App WAF policy. | @evt.name:"Application Security" @asset.type:policy_entry |
| In-App WAF Custom Rule | A user validated, created, modified, or deleted an In-App WAF custom rule. | @evt.name:"Application Security" @asset.type:waf_custom_rule |
Referencias adicionales
Más enlaces, artículos y documentación útiles:
