Application Threat Management
Datadog’s Application Security Management (ASM) Threat Management protects web applications and APIs from a wide range of security threats, including:
- Exploit attempts
- Application abuse and fraud
- API abuse
Integrated into the Datadog platform, ASM Threat Management leverages Datadog’s extensive observability data (logs and traces) to provide full-stack visibility and security in a unified platform.
ASM Threat Management enables teams to identify and remediate threats quickly. Its key differentiator is bridging the gap between security and DevOps, promoting collaboration between development, security, and operations teams.
Use cases
Discover how Datadog ASM Threat Management helps with common use cases:
| You want to… | How Datadog ASM can help |
|---|---|
| Web Application Protection: Prevent vulnerability exploits such as SQL Injection, Server-side Request Forgery, and Local File Inclusion. | Enable Exploit Prevention on your services. ASM Threat Management blocks exploits in real-time and generates signals for further investigation. |
| Application and API abuse: Protect applications against application and API abuse such as credential stuffing and Account Takeover attacks. | Leverage OOTB detection rules for notifications such as unusual account creations or password resets from an IP, or distributed credential stuffing campaigns. Review the benefits of OOTB Account TakeOver Protection. |
| API Security: Learn about your organization’s APIs, understand the posture and actions needed to reduce risk using a prioritized list of API endpoints. | ASM Threat Management:<br>- Inventories all your API endpoints.<br>- Gives you visibility into your API traffic, including API abuse.<br>- Highlights risk across your API endpoints. For example, vulnerable or unauthenticated endpoints processing sensitive data. |
Security signals
Security signals raised by Threat Monitoring are summarized and surfaced in views you already commonly visit to monitor service health and performance. The Service Catalog and individual Service Pages in APM provide insights into application threat signals, allowing you to investigate vulnerabilities, block attackers, and review attack exposures.
For additional information about how Threat Management works, read How ASM Works.
Explore threat signals
When threat data for your services is coming into Datadog, ASM Overview shows a summary of what’s happening. Here, you can enable vulnerability detection, review attacks, customize alerting and reporting, and enable ASM on your services. To investigate signals of suspicious activity, click a service’s Review link.
In the Signals Explorer, filter by attributes and facets to find critical threats. Click into a signal to see its details, including the user information and their IP address, what rule they triggered, attack flow, and related traces and other security signals. From this page you can also click to create a case and declare an incident. For more information, see Investigate Security Signals.
Create In-App WAF rules for identifying attack patterns
You can create In-App WAF rules that define what suspicious behavior looks like in your application, augmenting the default rules that come with ASM. Then specify custom rules that generate security signals from the attack attempts these In-App WAF rules detect, so that they are raised in the Threat Monitoring views for your investigation.
Slow down attacks and attackers with ASM Protect
If your service is running an Agent with Remote Configuration enabled and a tracing library version that supports it, you can block attacks and attackers from the Datadog UI without additional configuration of the Agent or tracing libraries.
ASM Protect goes beyond Threat Detection and enables you to take blocking action to slow down attacks and attackers. Unlike perimeter WAFs that apply a broad range of rules to inspect traffic, ASM uses the full context of your application—its databases, frameworks, and programming language—to narrowly apply the most efficient set of inspection rules.
ASM leverages the same tracing libraries as Application Performance Monitoring (APM) to protect your applications against:
- Attacks: ASM’s In-App WAF inspects all incoming traffic and uses pattern-matching to detect and block malicious traffic (security traces).
- Attackers: IP addresses and authenticated users that are launching attacks against your applications are detected from the insights collected by the libraries and flagged in Security Signals.
Security traces are blocked in real time by the Datadog tracing libraries. Blocks are saved in Datadog, automatically and securely fetched by the Datadog Agent, deployed in your infrastructure, and applied to your services. For details, read How Remote Configuration Works.
To start leveraging Protection capabilities—In-App WAF, IP blocking, User blocking and more—read Protection.