- 필수 기능
- 시작하기
- Glossary
- 표준 속성
- Guides
- Agent
- 통합
- 개방형텔레메트리
- 개발자
- Administrator's Guide
- API
- Datadog Mobile App
- CoScreen
- Cloudcraft
- 앱 내
- 서비스 관리
- 인프라스트럭처
- 애플리케이션 성능
- APM
- Continuous Profiler
- 스팬 시각화
- 데이터 스트림 모니터링
- 데이터 작업 모니터링
- 디지털 경험
- 소프트웨어 제공
- 보안
- AI Observability
- 로그 관리
- 관리
Cloud SIEM allows you to set Detection Rules that trigger auto-remediation workflows. With Datadog’s webhook integration, set up webhooks to deliver payloads to the services you want to automate whenever a Detection Rule is triggered. Every webhook payload contains information about the triggering event and a custom message that can be used to initiate services downstream. Automate commands for any service that has a webhook URL. Security orchestration and automation response tools accept incoming HTTP requests and these webhooks initiate any workflow you have defined.
Choose a security scenario below to begin automating remediation.
In a cloud environment, it’s important to delete a misconfigured resource as soon as it is created. In this scenario, you can configure a webhook integration to send a webhook to your cloud provider’s API management service.
Once configured, if an AWS user creates a poorly configured resource (for example, an overly permissive security group, or user role) within your AWS environment, Datadog Log Management ingests the related log, which triggers a security group-based Detection Rule. This process automatically sends the webhook’s JSON payload to the designated Amazon API Gateway URL, which in turn activates an AWS Lambda function that automatically deletes the offending resource.
A sign-in from an unrecognized IP address might represent an attacker manipulating a trusted user’s credentials, with which they can then access your data and gain persistence in your environment.
To combat this type of attack, you can use the New Value detection method, which analyzes your account’s historical data over a chosen period of time and alerts on previously unseen values in your cloud logs.
First, set up a new Detection Rule using the New Value detection method.
Then, set up a webhook that sends a payload to your cloud’s identity and access management (IAM) service to ban the unknown IP when this rule is triggered.
The following example illustrates what the relevant webhook payload could look like when a security signal is produced by Datadog:
webhook-payload.json
{
"SECURITY_RULE_NAME": "Request from unexpected IP address",
"SECURITY_SIGNAL_ID": "abcd1234",
"SECURITY_SIGNAL_ATTRIBUTES": {
"network": {
"client": {
"ip": [
"1.2.3.4"
]
}
}
}
}
With Datadog Cloud SIEM, you can uncover patterns of abuse or fraud across your application. For example, set up a Detection Rule that is triggered when a user repeatedly attempts to purchase something in your application with invalid credit card details. Then, set up a webhook that sends a payload with remediation instructions to a service that will disable the user’s credentials.
The following example illustrates what the relevant webhook payload could look like when a security signal is produced by Datadog:
webhook-payload.json
{
"SECURITY_RULE_NAME": "Fraudulent Credit Card Authorizations",
"SECURITY_SIGNAL_ID": "efgh5678",
"SECURITY_SIGNAL_ATTRIBUTES": {
"usr": {
"id": "john.doe@your_domain.com"
},
"evt": {
"name": "credit_card_authorization",
"outcome": "fail"
},
"network": {
"client": {
"ip": [
"1.2.3.4"
]
}
}
}
}
Datadog generates the Security Signal, which details the offense as well as the suspicious user’s information, such as their IP address and user ID, and the webhook payload sends remediation instructions to a service to disable the user’s credentials.
추가 유용한 문서, 링크 및 기사: