Overview
Datadog provides built-in threat intelligence datasets for Application Security Management (ASM) and Cloud SIEM (Security Information and Event Management). This provides additional evidence to take action when security activity is observed.
Datadog curates threat intelligence into a standardized list of categories and intents. Intents include benign, suspicious, and malicious. Categories of threat intelligence include benign detections such as corp_vpn and malicious categories like malware. Upstream threat intelligence information is passed through for all threat intelligence sources, with limits based on threat intelligence payload size.
Datadog recommends the following methods for consuming threat intelligence:
- Reducing detection rule thresholds for business logic threats such as credential stuffing. Users can clone the default Credential Stuffing rule and modify it to meet their needs.
- Using threat intelligence as an indicator of reputation alongside observed security activity.
Datadog recommends against the following:
- Blocking threat intelligence traces without corresponding security activity. IP addresses may have many hosts behind them. Detection of malware or a residential proxy means that the associated activity has been observed by a host behind that IP. It does not guarantee that the host running the malware or proxy is the same host communicating with your services.
- Blocking on all threat intelligence categories, as this is inclusive of benign traffic from corporate VPNs and will block non-malicious traffic.
Which sources are surfaced in ASM
To search for all traces flagged by a specific source, use the following query with the source name:
@threat_intel.results.source.name:<SOURCE_NAME>
To query for all traces containing threat intelligence from any source, use the following query:
@appsec.threat_intel:true
The query @appsec.threat_intel:true in the ASM traces tab is not equivalent to @threat_intel.indicators_matched:*. The @threat_intel.indicators_matched:* query contains values for every threat intelligence match, but the overall trace may not be surfaced in ASM if there is no attack present and the source does not match one of the sources listed in the Which sources are surfaced in ASM section.
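The following Python model, an added example rather than Datadog code, puts the two points above together: a trace can carry @threat_intel.indicators_matched values without being surfaced in ASM, and threat intelligence should act as reputation evidence next to security activity, not as a block trigger on its own. The attribute names follow the page; the feed names, addresses and the set of sources assumed to be surfaced on their own are constructed.

```python
# Added example (not Datadog code): consume the threat intelligence attributes on an
# ASM trace the way the recommendations above describe. Attribute names follow the
# page; feed names, addresses and SURFACED_SOURCES are constructed for illustration.

# Constructed: sources assumed to be surfaced in ASM even when no attack is present.
SURFACED_SOURCES = {"example_malware_feed"}

def ti_results(trace):
    """Return the entries under @threat_intel.results (empty list if none)."""
    return trace.get("threat_intel", {}).get("results", [])

def has_attack(trace):
    """An attack is present when @appsec.security_activity is populated."""
    return bool(trace.get("appsec", {}).get("security_activity"))

def surfaced_in_asm(trace):
    """@threat_intel.indicators_matched may be populated while the trace stays out of
    ASM; it is surfaced only with an attack or a match from a surfaced source."""
    sources = {r["source"]["name"] for r in ti_results(trace)}
    return has_attack(trace) or bool(sources & SURFACED_SOURCES)

def recommend_action(trace):
    """Treat threat intelligence as reputation evidence, never the only reason to block."""
    intents = {r["intent"] for r in ti_results(trace)}
    if not intents:
        return "no_threat_intel"
    if not has_attack(trace):
        return "monitor"             # an IP may front many hosts: no block on reputation alone
    if "malicious" in intents:
        return "block"               # attack plus malicious reputation (e.g. malware)
    if "suspicious" in intents:
        return "tighten_thresholds"  # e.g. lower the cloned Credential Stuffing threshold
    return "standard_rules"          # benign category such as corp_vpn: normal detection applies

def ti_result(source, category, intent):
    return {"source": {"name": source}, "category": category, "intent": intent}

# Constructed sample traces (203.0.113.0/24 is a documentation address range).
TRACES = {
    "vpn_with_attack": {"appsec": {"security_activity": ["attack_attempt"]},
        "threat_intel": {"indicators_matched": ["203.0.113.10"],
                         "results": [ti_result("example_corp_vpn_list", "corp_vpn", "benign")]}},
    "proxy_no_attack": {"appsec": {"security_activity": []},
        "threat_intel": {"indicators_matched": ["203.0.113.20"],
                         "results": [ti_result("example_proxy_feed", "residential_proxy", "malicious")]}},
    "malware_with_attack": {"appsec": {"security_activity": ["attack_attempt"]},
        "threat_intel": {"indicators_matched": ["203.0.113.30"],
                         "results": [ti_result("example_malware_feed", "malware", "malicious")]}},
}

if __name__ == "__main__":
    for name, trace in TRACES.items():
        print(name, surfaced_in_asm(trace), recommend_action(trace))
```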
Availability across Cloud SIEM, APM, and ASM
The table below shows the availability of threat intelligence information for Datadog services:
| Service | Other services in use | Description |
|---|---|---|
| APM | None or Cloud SIEM | Threat intelligence is not present. |
| APM | ASM | Threat intelligence is present the same way as in ASM. |
| Cloud SIEM | Any | Threat intelligence is present in matching logs. |
| ASM | Any | Only traces with attacks or @appsec.threat_intel:true are present. Every trace that matches a threat intelligence source contains the @threat_intel attribute. |
As the table shows, APM requires ASM to display threat intelligence. Cloud SIEM may also display logs with threat intelligence data for IP addresses whose traces are not surfaced in ASM.
Threat intelligence in the user interface
When viewing traces in the ASM Traces Explorer, you can see threat intelligence data under the @appsec attribute. The category and security_activity attributes are both set.
Under @threat_intel.results you can always see the full details of what was matched and from which source.