- 필수 기능
- 시작하기
- Glossary
- 표준 속성
- Guides
- Agent
- 통합
- 개방형텔레메트리
- 개발자
- Administrator's Guide
- API
- Datadog Mobile App
- CoScreen
- Cloudcraft
- 앱 내
- 서비스 관리
- 인프라스트럭처
- 애플리케이션 성능
- APM
- Continuous Profiler
- 스팬 시각화
- 데이터 스트림 모니터링
- 데이터 작업 모니터링
- 디지털 경험
- 소프트웨어 제공
- 보안
- AI Observability
- 로그 관리
- 관리
Datadog Workflow Automation allows you to orchestrate and automate your end-to-end processes by building workflows made up of actions that connect to your infrastructure and tools.
Use Workflow Automation with Cloud Security Management (CSM) to automate your security-related workflows. For example, you can create workflows that allow you to block access to a public Amazon S3 bucket via an interactive Slack message, or automatically create a Jira issue and assign it to a team.
Workflow Automation allows you to trigger a workflow manually or automatically. In the example workflows in this article, the workflows are triggered manually by clicking the Actions > Run Workflow button on the side panels.
When you trigger a workflow, the source ID of the trigger event must be passed on to the next step in the workflow. In the examples in this article, the trigger events are a new security finding. In both cases, the source IDs are specified in the initial step of the workflow using source object variables.
You can build a workflow using a preconfigured flow from an out-of-the-box blueprint, or by creating a custom workflow. For detailed instructions on how to create a workflow, see the Workflow Automation docs.
This example creates a remediation workflow that sends an interactive Slack message when a public Amazon S3 bucket is detected. By clicking Approve or Reject, you can automatically block access to the S3 bucket or decline to take action.
Note: To build this workflow, you must configure the Slack integration.
To retrieve the security misconfiguration and pass it into the workflow, use the Get security finding action. The action uses the {{ Source.securityFinding.id }}
source object variable to retrieve the misconfiguration’s details from the Get a finding API endpoint.
{{ Source.securityFinding.id }}
.Next, add the JavaScript Data Transformation Function action to the canvas and configure it to return the region name from the misconfiguration’s tags.
+
) icon on the workflow canvas to add another step. // Gets the region info from the misconfiguration tags
// Use `$` to access Trigger or Steps data.
// Use `_` to access Lodash.
// See https://lodash.com/ for reference.
let tags = $.Steps.Get_security_finding.tags
let region = tags.filter(t => t.includes('region:'))
if(region.length == 1){
return region[0].split(':')[1]
} else {
return '';
}
+
) icon on the workflow canvas to add another step.{{ Steps.Get_security_finding.resource }}
in region {{ Steps.GetRegion.data }}
?”+
) icon to add another step.{{ Steps.GetRegion.data }}
{{ Steps.Get_security_finding.resource }}
+
) icon to add another step. S3 bucket `{{ Steps.Get_security_finding.resource }}` successfully blocked. AWS API response:
```{{ Steps.Block_public_access }}```
The issue will be marked as fixed the next time the resource is scanned, which can take up to one hour.
+
) icon to add another step.This example creates an automated ticket routing workflow that creates and assigns a Jira issue to the appropriate team when a security finding is detected.
Note: To build this workflow, you must configure the Jira integration.
To retrieve the finding and pass it into the workflow, use the Get security finding action. The action uses the {{ Source.securityFinding.id }}
source object variable to retrieve the finding’s details from the Get a finding API endpoint.
{{ Source.securityFinding.id }}
.+
) icon on the workflow canvas to add another step.{{ Source.securityFinding.tags_value.team }}
{{ Source.securityFinding.rule.name }}
You can trigger an existing workflow from the finding, misconfiguration, and resource side panels.
In the side panel, click Actions > Run Workflow, and select a workflow to run. The workflow must have a security trigger to appear in the list. Depending on the workflow, you may be required to enter additional input parameters, such as incident details and severity, the name of the impacted S3 bucket, or the Slack channel you want to send an alert to.
After running the workflow, additional information is shown on the side panel. You can click the link to view the workflow.
추가 유용한 문서, 링크 및 기사: