Datadog suspicious login


Goal

Detects bruteforce attacks and high-risk logins against Datadog: successful logins from malicious IPs, failed bruteforce attempts from threat-intel-tagged IPs, and successful bruteforce (many failures then at least one success) from any IP.

Strategy

This rule monitors Datadog authentication events where @action is login. It uses three detection paths. First, it identifies successful logins (@http.status_code:200) from IPs tagged in threat intelligence as malicious (@threat_intel.results.intention:malicious). Second, it detects failed login attempts (@http.status_code:403) from IPs tagged as suspicious or malicious, triggering when an IP has at least 10 failures in the evaluation window. Third, it detects successful bruteforce from any IP using the standard bruteforce logic: at least 10 failed attempts and at least 1 successful attempt per client IP. Datadog enriches audit logs with threat intelligence that flags IPs associated with malicious infrastructure, botnets, anonymous proxies, and active attack campaigns.
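The following is an added example, not Datadog's own rule engine or query: it re-implements the three detection paths described above as plain Python over a small batch of constructed audit-log events, so the per-IP counting logic (failures, successes, threat-intel tags) can be traced by hand. Field names match the rule text; the helper `login()`, the sample IPs, the user e-mail and the `FAILURE_THRESHOLD` constant are assumptions made for the example.

```python
# Added example (not Datadog's rule engine): re-implements the three detection
# paths from the strategy text over a constructed batch of audit-log events.
from collections import defaultdict

FAILURE_THRESHOLD = 10  # "at least 10 failures" per the rule description


def evaluate(events, threshold=FAILURE_THRESHOLD):
    """Return sorted (path, client_ip) findings for one evaluation window.

    Paths, as described by the rule:
      1. malicious_success  - a 200 login from an IP tagged intention:malicious
      2. tagged_bruteforce  - >= threshold 403 logins from an IP tagged
                              suspicious or malicious
      3. bruteforce_success - >= threshold 403 logins and >= 1 200 login
                              from any IP, threat intel or not
    """
    failures = defaultdict(int)    # client IP -> count of 403 logins
    successes = defaultdict(int)   # client IP -> count of 200 logins
    intentions = defaultdict(set)  # client IP -> threat-intel intentions seen

    for ev in events:
        if ev.get("@action") != "login":
            continue  # the rule only considers login audit events
        ip = ev.get("@network.client.ip")
        if ip is None:
            continue  # nothing to group on
        status = ev.get("@http.status_code")
        if status == 200:
            successes[ip] += 1
        elif status == 403:
            failures[ip] += 1
        intent = ev.get("@threat_intel.results.intention")
        if intent:
            intentions[ip].add(intent)

    findings = []
    for ip in set(failures) | set(successes):
        tagged = intentions[ip]
        if successes[ip] >= 1 and "malicious" in tagged:
            findings.append(("malicious_success", ip))
        if failures[ip] >= threshold and tagged & {"suspicious", "malicious"}:
            findings.append(("tagged_bruteforce", ip))
        if failures[ip] >= threshold and successes[ip] >= 1:
            findings.append(("bruteforce_success", ip))
    return sorted(findings)


def login(ip, status, intention=None, email="user@example.com"):
    """Build one constructed Datadog-style login audit event (assumed shape)."""
    ev = {
        "@action": "login",
        "@http.status_code": status,
        "@network.client.ip": ip,
        "@usr.email": email,
    }
    if intention:
        ev["@threat_intel.results.intention"] = intention
    return ev


# Constructed sample window (documentation/test IP ranges, not real sources):
SAMPLE_EVENTS = (
    # path 1: single successful login from a malicious-tagged IP
    [login("203.0.113.10", 200, intention="malicious")]
    # path 2: 12 failures from a suspicious-tagged IP, never succeeds
    + [login("198.51.100.7", 403, intention="suspicious") for _ in range(12)]
    # path 3: 11 failures then one success from an untagged IP
    + [login("192.0.2.44", 403) for _ in range(11)]
    + [login("192.0.2.44", 200)]
    # benign noise: a few typos from an untagged IP, below threshold
    + [login("192.0.2.9", 403) for _ in range(3)]
    # non-login audit event from the suspicious IP; must be ignored
    + [{"@action": "api_key.read", "@http.status_code": 403,
        "@network.client.ip": "198.51.100.7"}]
)

if __name__ == "__main__":
    for path, ip in evaluate(SAMPLE_EVENTS):
        print(f"{path:20s} {ip}")
```

Each path is evaluated independently, so one IP can produce several findings in the same window (for instance a malicious-tagged IP that both brute-forces and eventually succeeds), which mirrors how the rule lists three separate cases rather than one combined condition.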

Triage and response

  • Verify if the user account {{@usr.email}} is aware of the login from IP address {{@network.client.ip}} and determine if credentials may be compromised.
  • Review @threat_intel.results.category and @threat_intel.results.intention to understand what type of malicious or suspicious activity is associated with the client IP.
  • Check @network.client.geoip for the client IP to see if the location matches expected user locations or known attacker regions.
  • Examine authentication logs for the same @network.client.ip to confirm the failed-versus-success pattern and count of attempts.
  • Investigate actions performed by {{@usr.email}} after any successful login to identify configuration changes, data access, or privilege escalations.
  • Force password reset and enable or enforce multi-factor authentication for affected accounts if the activity appears malicious or the account shows signs of compromise.