Auditing Datadog Security Events

Available for:

Cloud SIEM | Cloud Security Management | Application Security Management

As an administrator or security team member, you can use Audit Trail to see what actions your team is taking in Datadog Security. As an individual, you can see a stream of your own actions. For security administrators or InfoSec teams, Audit Trail events help with compliance checks and with maintaining audit trails of who did what, and when, on your Datadog resources.

To view audit logs generated by actions taken in Datadog Security, go to the Audit Trail page in Datadog. The following product-specific events are available for Datadog Security:

Cloud Security Platform

| Name | Description of audit event | Query in audit explorer |
| --- | --- | --- |
| CWS agent rule | A user accessed (fetched) a CWS agent rule in the Cloud Security Platform. | @evt.name:"Cloud Security Platform" @asset.type:cws_agent_rule @action:accessed |
| Notification profile | A user created, updated, or deleted a notification profile in the Cloud Security Platform. | @evt.name:"Cloud Security Platform" @asset.type:notification_profile |
| Security rule | A user validated, updated, deleted, or created a security rule and the previous and new values for the rule. | @evt.name:"Cloud Security Platform" @asset.type:security_rule |
| Security signal | A user modified the state of a signal or assigned the signal to a user, and the previous and new values for the signal. | @evt.name:"Cloud Security Platform" @asset.type:security_signal @action:modified |
| Report subscription | A user subscribed or unsubscribed from a K9 email report. | @evt.name:"Cloud Security Platform" @asset.type:report_subscription |

Application Security Management

| Name | Description of audit event | Query in audit explorer |
| --- | --- | --- |
| One-click Activation | A user activated or de-activated ASM on a service. | @evt.name:"Application Security" @asset.type:compatible_services |
| Protection | A user enabled or disabled the ASM protection. | @evt.name:"Application Security" @asset.type:blocking_configuration |
| Denylist | A user blocked, unblocked, or extended the blocking duration of an IP address or a user ID. | @evt.name:"Application Security" @asset.type:ip_user_denylist |
| Passlist | A user added, modified, or deleted an entry to the passlist. | @evt.name:"Application Security" @asset.type:passlist_entry |
| In-App WAF Policy | A user created, modified, or deleted an In-App WAF policy. | @evt.name:"Application Security" @asset.type:policy_entry |
| In-App WAF Custom Rule | A user validated, created, modified, or deleted an In-App WAF custom rule. | @evt.name:"Application Security" @asset.type:waf_custom_rule |
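
The queries in both tables are conjunctions of `@attribute:value` terms. The following added example (not Datadog code) applies four of them to exported audit events offline and tallies who made each change. The nested event layout, the `usr.email` attribute, the dictionary labels and the sample events are assumptions made for illustration, and the matcher handles only the term form used in the tables, not the full Datadog query syntax.

```python
import shlex
from collections import Counter

# Queries copied verbatim from the tables above; the keys are labels chosen here.
WATCHED = {
    "asm_protection_toggled": '@evt.name:"Application Security" @asset.type:blocking_configuration',
    "asm_passlist_changed": '@evt.name:"Application Security" @asset.type:passlist_entry',
    "security_rule_changed": '@evt.name:"Cloud Security Platform" @asset.type:security_rule',
    "signal_state_modified": '@evt.name:"Cloud Security Platform" @asset.type:security_signal @action:modified',
}

def parse_query(query):
    """Turn '@path:value' terms (implicitly ANDed) into {path: value}."""
    terms = {}
    for token in shlex.split(query):  # shlex keeps "quoted values" as one token
        if not token.startswith("@") or ":" not in token:
            raise ValueError(f"unsupported term: {token!r}")
        path, value = token[1:].split(":", 1)
        terms[path] = value
    return terms

def lookup(event, path):
    """Resolve a dotted path such as 'asset.type' in a nested dict; None if absent."""
    node = event
    for key in path.split("."):
        node = node.get(key) if isinstance(node, dict) else None
    return node

def triage(events):
    """Count (label, user) pairs for events that satisfy any watched query."""
    parsed = {label: parse_query(q) for label, q in WATCHED.items()}
    hits = Counter()
    for ev in events:
        for label, terms in parsed.items():
            if all(lookup(ev, path) == value for path, value in terms.items()):
                hits[(label, lookup(ev, "usr.email"))] += 1
    return hits

# Constructed sample events (not real Datadog output); the layout is assumed.
def _ev(evt, asset, action, user):
    return {"evt": {"name": evt}, "asset": {"type": asset}, "action": action, "usr": {"email": user}}

SAMPLE_EVENTS = [
    _ev("Application Security", "blocking_configuration", "modified", "alice@example.com"),
    _ev("Application Security", "passlist_entry", "created", "alice@example.com"),
    _ev("Cloud Security Platform", "security_signal", "modified", "bob@example.com"),
    _ev("Cloud Security Platform", "security_signal", "accessed", "bob@example.com"),
]

print(triage(SAMPLE_EVENTS))
```

The fourth sample event is not counted because the security signal query in the table requires `@action:modified`.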
