This topic explains how to use the CSM Threats Active Protection feature to block crypto mining threats automatically.
By default, all OOTB Agent threat detection rules are enabled and actively monitor for crypto mining threats.
Active Protection enables you to proactively block and terminate crypto mining threats identified by the Datadog Agent threat detection rules.
Active Protection streamlines threat detection and targeted response, which reduces risk and allows DevSecOps and security teams to tackle evolving crypto mining threats effectively.
The end result is crypto mining threat detection followed by immediate, surgical mitigation of high-confidence, true-positive attacks.
Here are some important [role and permissions][11] to use for custom rules and Active Protection RBAC:
- The `security_monitoring_cws_agent_rules_actions` permission can be used to turn on and configure the Active Protection feature.
- To limit who holds the `security_monitoring_cws_agent_rules_actions` permission, a user with the Datadog Admin role must create a role containing the `security_monitoring_cws_agent_rules_actions` permission and then add only those users that manage Active Protection to this role.
You have three options for Agent rules:
Active Protection is enabled at the organization level.
To check whether Active Protection is already enabled in your organization, go to Agent Configuration. If Active Protection is enabled, a Protection column is displayed in the Agent rule list.
If Active Protection is available for a crypto mining rule, Monitoring or Blocking is listed in the Protection column.
If there is no Monitoring or Blocking in the Protection column, Active Protection is not available for that crypto mining rule yet.
When Active Protection is enabled and applies to a crypto mining rule that generated a signal, you can see it by doing the following:
If Active Protection is enabled and available for an Agent crypto mining rule, you can see it by looking at the rule:
When you enable Active Protection, you are enabling the Active Protection capability for your entire Datadog org. Active Protection is not limited to individual users.
By default, all OOTB Agent crypto mining rules are in a monitoring state. Enabling Active Protection does not change that default; it only allows you to change the state of a crypto mining rule from monitoring to blocking.
Consequently, enabling Active Protection does not immediately change the state of threat detection.
To enable Active Protection:
1. Go to CSM Agent Configuration rules.
2. Select Enable Active Protection.
After Active Protection is enabled, the Agent Configuration rules list contains a Protection column.
The Protection column indicates whether a rule is in the Monitoring or Blocking state. When you first enable Active Protection, all rules are in the monitoring state. You must configure the blocking option manually.
After Active Protection is enabled, you can disable it on each Agent Configuration rule.
After Active Protection is enabled, you can configure the Blocking option on an Agent crypto mining rule, and the Agent will terminate the corresponding crypto mining processes immediately.
To enable blocking on an Agent rule:
1. In Agent Configuration, open a crypto mining rule that has Monitoring in the Protection column. If there is no Monitoring or Blocking in the Protection column, Active Protection is not available for that rule yet.
2. In the Agent rule, in Protection, select Blocking.
3. In Where, select Everywhere or Custom. For details on these options, see Scoping the Agent rule below.
4. Select Save Changes.
5. In Agent Configuration, select Deploy Agent Policy.
When you create or edit an Agent crypto mining rule after Active Protection is enabled, you can select Blocking in the rule's Protection setting.
When you select Blocking, you can scope where Datadog should apply the rule using the Everywhere and Custom options:
- Everywhere: The rule applies to all services, hosts, and images.
- Custom: You specify services or tags, and Datadog automatically generates an expression for where to apply blocking protection.
You can use services and tags to generate an expression. Datadog matches the rule using the services or tags you provide. For example, entering the service `a*` generates the expression `process.envp in ["DD_SERVICE=a*"]`.
Image tags you can use include:
- `image_tag`: The image tag only. For example, `stable-perl`.
- `short_image`: The image name without a tag. For example, `nginx`.
For example, the image `ghcr.io/MY_NAMESPACE/MY_IMAGE:2.5` can be referenced using:
- `image_tag`: `2.5`
- `short_image`: `MY_IMAGE`
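The following is an added worked example of the Custom scope described above; it is not Datadog's code or the Agent's implementation. It builds the service scope expression the page shows, splits a container image reference into the `image_tag` and `short_image` values the page defines (including registry hosts with a port and digest-pinned references, which the page does not cover), and evaluates a service scope against a process environment. The glob matching in `match_service_scope()`, the `ImageRef` fields beyond `image_tag` and `short_image`, and the sample environment are assumptions made for the illustration; the page only shows the expression text.

```python
"""Worked example of the Active Protection Custom scope.

Added illustration, not Datadog or Agent code. Matching semantics and
the ImageRef layout are assumptions; the page only shows expression text.
"""
import fnmatch
from dataclasses import dataclass
from typing import Optional


def service_scope_expression(service_pattern: str) -> str:
    """Return the expression generated for a service scope.

    Entering the service `a*` in the Custom scope produces
    process.envp in ["DD_SERVICE=a*"], as shown on the page.
    """
    return f'process.envp in ["DD_SERVICE={service_pattern}"]'


def match_service_scope(envp: list[str], service_pattern: str) -> bool:
    """Evaluate the service scope against one process's environment.

    Assumption: the DD_SERVICE pattern is compared to each envp entry with
    glob semantics (fnmatch), so `a*` matches DD_SERVICE=api but not
    DD_SERVICE=batch. A process started without DD_SERVICE in its
    environment can never match, so this kind of scope only covers
    workloads that actually carry the variable.
    """
    pattern = f"DD_SERVICE={service_pattern}"
    return any(fnmatch.fnmatchcase(entry, pattern) for entry in envp)


@dataclass(frozen=True)
class ImageRef:
    registry: Optional[str]   # e.g. ghcr.io; None for a bare name like nginx
    repository: str           # path without registry, e.g. MY_NAMESPACE/MY_IMAGE
    short_image: str          # last path component without a tag, e.g. MY_IMAGE
    image_tag: Optional[str]  # e.g. 2.5; None when the reference has no tag
    digest: Optional[str]     # sha256:... when pinned by digest, else None


def parse_image_ref(ref: str) -> ImageRef:
    """Split a container image reference into the parts the scope uses.

    Covers the forms on the page (ghcr.io/MY_NAMESPACE/MY_IMAGE:2.5, nginx)
    plus registry hosts with a port and digest-pinned references, where a
    naive split on ':' would misreport the tag.
    """
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    parts = ref.split("/")
    registry = None
    # The first path component is a registry host only when it looks like
    # one: it contains a dot or a port, or is literally "localhost".
    if len(parts) > 1 and ("." in parts[0] or ":" in parts[0] or parts[0] == "localhost"):
        registry = parts[0]
        parts = parts[1:]
    last = parts[-1]
    image_tag = None
    if ":" in last:
        last, image_tag = last.rsplit(":", 1)
    parts[-1] = last
    return ImageRef(registry, "/".join(parts), last, image_tag, digest)


def image_matches_scope(ref: str, image_tag: Optional[str] = None,
                        short_image: Optional[str] = None) -> bool:
    """Check whether an image reference satisfies the given tag constraints.

    Each constraint is optional; a constraint of None is ignored.
    """
    parsed = parse_image_ref(ref)
    if image_tag is not None and parsed.image_tag != image_tag:
        return False
    if short_image is not None and parsed.short_image != short_image:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample environment, not captured from a real host.
    sample_envp = ["PATH=/usr/bin", "DD_SERVICE=api-gateway", "HOME=/root"]
    print(service_scope_expression("a*"))
    print(match_service_scope(sample_envp, "a*"))
    print(parse_image_ref("ghcr.io/MY_NAMESPACE/MY_IMAGE:2.5"))
    print(image_matches_scope("localhost:5000/app:1.0", short_image="app"))
```

The practical takeaway from `match_service_scope()` is that a service-based Custom scope depends on `DD_SERVICE` being present in the target process's environment; verify that the workloads you intend to protect actually export it before relying on the scope.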
After Active Protection is enabled and set to Blocking for an Agent rule, blocked threats appear in Signals.
A signal for a blocked threat contains the messages `SECURITY RESPONSE` and `The malicious process <THREAT NAME> has automatically been killed`.