- 필수 기능
- 시작하기
- Glossary
- 표준 속성
- Guides
- Agent
- 통합
- 개방형텔레메트리
- 개발자
- Administrator's Guide
- API
- Datadog Mobile App
- CoScreen
- Cloudcraft
- 앱 내
- 서비스 관리
- 인프라스트럭처
- 애플리케이션 성능
- APM
- Continuous Profiler
- 스팬 시각화
- 데이터 스트림 모니터링
- 데이터 작업 모니터링
- 디지털 경험
- 소프트웨어 제공
- 보안
- AI Observability
- 로그 관리
- 관리
Threat Intelligence is reputation information that helps responders make informed decisions on attacks and compromises.
Datadog curates commercial, open-source, and in-house threat intelligence indicators of compromise into categories and intents. Threat intelligence is updated at least once per day, per source. This data is used to enrich your logs and traces with relevant reputation information.
Datadog collects threat intelligence across the following entity types. Each entity type has unique characteristics and a useful timeframe. This timeframe, or lifecycle, requires consideration when assessing the importance of a threat intelligence match on your data.
File hashes function as unique digital fingerprints for specific files. When a file hash is marked as malware, it signifies the file’s exact content is harmful. The immutability of a hash, which is tied to its file’s content, ensures its consistent identification. As a result, a file hash tagged as malware retains this identification, provided the identification was a true positive.
Unlike immutable file hashes, application packages can vary in content and security, even under the same version number. Malicious actors may upload harmful packages mimicking legitimate ones, or they might compromise existing packages by introducing malware. The lifecycle of malicious packages is frequently long-lived, but not immutable.
Unlike file hashes, domains identified as malicious are subject to change. They may undergo processes such as remediation, reassignment, or repurposing by various entities. While the lifecycle of malicious or suspicious domains is somewhat prolonged compared to IP addresses, it remains temporary and variable.
IP addresses represent the most volatile element in threat intelligence, often changing reputations within a 24-hour cycle. Given their dynamic nature, particularly in residential and mobile networks where multiple hosts may be involved, it’s crucial to regularly reassess their status. Not all hosts connected to a low-reputation IP address are inherently malicious, underscoring the need for correlation.
With threat intelligence, reputation is key, but it must be weighed alongside other evidence. Relying solely on IP and domain intelligence for blocking traffic is not recommended, with few exceptions. A balanced, evidence-based approach is essential.
Threat intelligence used in Detection Rules should reference the Datadog keys such as category (@threat_intel.results.category
) and intent (@threat_intel.results.intention
). Other keys should not be used.
Datadog ensures transparency by providing external links to external threat intelligence sources associated with a detection. Threat intelligence curated by Datadog is ingested into the Datadog platform for enrichment and detection. Datadog does not send customer data to threat intelligence sources.
The detections and enrichments are accessible in the UI and event JSON.
Sources, categories, and intents are available as facets and filters on relevant product explorers.
Source | Category | Source Use Cases | Primary Products |
---|---|---|---|
Datadog Threat Research | scanners, Redis exploitation, Docker exploitation, malware, bruteforcer | Honeypots focused on software specific threats | ASM, CWS and Cloud SIEM |
Spur | residential_proxy | Proxies associated credential stuffing and fraud | ASM and Cloud SIEM |
Spur | malware_proxy | Proxies associated with malware command and control | Cloud SIEM |
Abuse.ch Malware Bazaar | malware | Malware on hosts | CWS |
Minerstat | malware | Coinminer activity with known mining pools | CWS |
Tor | tor | Policy violations for user activity | ASM, Cloud SIEM, and CWS |
Threatfox | attack | Indicators of compromise (IOCs) associated with malware | Cloud SIEM, and CWS |
Category | Intention | Entity Types | Product Use Cases | Primary Products |
---|---|---|---|---|
residential_proxy | suspicious | IP addresses | Reputation for credential stuffing and fraud | ASM and Cloud SIEM |
botnet_proxy | suspicious | IP addresses | Reputation for being part of a botnet and contributing to distributed attacks | ASM and Cloud SIEM |
malware | malicious | application library versions, file hashes | Malicious packages and communication with mining pools | CWS |
scanner | suspicious | IP addresses | Reputation for scanners | ASM and Cloud SIEM |
hosting_proxy | suspicious | IP addresses | Datacenter IPs with a reputation of abuse, such as for distributed credential stuffing attacks | ASM and Cloud SIEM |
Tor | suspicious | IP addresses | Corporate policy violations for user activity | ASM and Cloud SIEM |
Intent | Use Case |
---|---|
benign | Corporate VPNs and informational enrichments |
suspicious | Low reputation |
malicious | Malicious reputation |
Entity Type | Example | Use Cases |
---|---|---|
IP addresses | 128.66.0.1 | Identify IP addresses associated with attacks, command and control, and scanning activity |
domains | example.com, subdomain.example.com | Domains associated with malicious use. Often used with malware as a command and control |
application packages versions | (example_package, 1.0.0) | Identify malicious packages downloaded from PyPi |
file hashes [SHA1, SHA256] | 5f7afeeee13aaee6874a59a510b75767156f75d14db0cd4e1725ee619730ccc8 | Identify a distinct file associated with malware or compromise |
Note: Threat intelligence sources and categories are not configurable at this time.
추가 유용한 문서, 링크 및 기사: