Overview

Cloud SIEM allows you to set Detection Rules that trigger auto-remediation workflows. With Datadog’s webhook integration, set up webhooks to deliver payloads to the services you want to automate whenever a Detection Rule is triggered. Every webhook payload contains information about the triggering event and a custom message that can be used to initiate services downstream. Automate commands for any service that has a webhook URL. Security orchestration and automation response tools accept incoming HTTP requests and these webhooks initiate any workflow you have defined.

Choose a security scenario below to begin automating remediation.

Delete misconfigured security groups

In a cloud environment, it’s important to delete a misconfigured resource as soon as it is created. In this scenario, you can configure a webhook integration to send a webhook to your cloud provider’s API management service.

Once configured, if an AWS user creates a poorly configured resource (for example, an overly permissive security group, or user role) within your AWS environment, Datadog Log Management ingests the related log, which triggers a security group-based Detection Rule. This process automatically sends the webhook’s JSON payload to the designated Amazon API Gateway URL, which in turn activates an AWS Lambda function that automatically deletes the offending resource.

Ban a suspicious IP address

A sign-in from an unrecognized IP address might represent an attacker manipulating a trusted user’s credentials, with which they can then access your data and gain persistence in your environment.

To combat this type of attack, you can use the New Value detection method, which analyzes your account’s historical data over a chosen period of time and alerts on previously unseen values in your cloud logs.

First, set up a new Detection Rule using the New Value detection method.

Then, set up a webhook that sends a payload to your cloud’s identity and access management (IAM) service to ban the unknown IP when this rule is triggered.

The following example illustrates what the relevant webhook payload could look like when a security signal is produced by Datadog:

{
  "SECURITY_RULE_NAME": "Request from unexpected IP address",
  "SECURITY_SIGNAL_ID": "abcd1234",
  "SECURITY_SIGNAL_ATTRIBUTES": {
    "network": {
      "client": {
        "ip": [
          "1.2.3.4"
        ]
      }
    }
  }
}

Application abuse and fraud

With Datadog Cloud SIEM, you can uncover patterns of abuse or fraud across your application. For example, set up a Detection Rule that is triggered when a user repeatedly attempts to purchase something in your application with invalid credit card details. Then, set up a webhook that sends a payload with remediation instructions to a service that will disable the user’s credentials.

The following example illustrates what the relevant webhook payload could look like when a security signal is produced by Datadog:

{
  "SECURITY_RULE_NAME": "Fraudulent Credit Card Authorizations",
  "SECURITY_SIGNAL_ID": "efgh5678",
  "SECURITY_SIGNAL_ATTRIBUTES": {
    "usr": {
      "id": "john.doe@your_domain.com"
    },
    "evt": {
      "name": "credit_card_authorization",
      "outcome": "fail"
    },
    "network": {
      "client": {
        "ip": [
          "1.2.3.4"
        ]
      }
    }
  }
}

Datadog generates the Security Signal, which details the offense as well as the suspicious user’s information, such as their IP address and user ID, and the webhook payload sends remediation instructions to a service to disable the user’s credentials.

Further Reading

Additional helpful documentation, links, and articles:

Start investigating signals in the Signals ExplorerDOCUMENTATION