Setting up Cloud Security Management on Windows
Use the following instructions to enable Threat Detection and Vulnerability scanning on Windows.
Datadog Cloud Security Management on Windows includes host vulnerability detection as well as built-in threat detection for Windows process and network events. The out-of-the-box Windows ruleset includes the following default rules:
- Certutil used to transmit or decode a file
- Process memory was dumped using the minidump functions of comsvcs.dll
- NTDS file referenced in command line
- Suspicious ntdsutil usage
- Procdump used to dump process memory
- Scheduled task created
- Bitsadmin used to download or execute a file
- WMI used to remotely execute content
- Known pentesting tool crackmapexec executed
Prerequisites
- Agent versions 7.52 and later.
- Access to hosts running Windows Server 2016 or newer.
- (Optional) For network events, NPM must be enabled on the hosts.
Limitations
- Windows containerized workloads are not supported.
- Datadog detects vulnerabilities in Windows by identifying the Windows version and installed security knowledge base (KB) updates to address vulnerabilities associated with that version. However, some KB updates are cumulative and contain other KB updates, which might cause Datadog to misidentify which updates have been installed.
- Datadog can’t track vulnerability fixes that Windows applies outside of KB updates.
- Datadog can’t track vulnerabilities associated with third-party software.
Installation
Installer
- Install the Datadog Windows Agent.
- Right-click the downloaded
.msi
file and select Run as administrator. - Follow the prompts, accept the license agreement, and enter your Datadog API key. If you are upgrading from an existing version of the Agent, the installer may not prompt you for an API key.
It can take up to 15 minutes to complete the installation. In certain cases, Microsoft Defender may cause slow installation progress. When the install finishes, you are given the option to launch the Datadog Agent Manager.
Command line
- Download the Datadog Agent installer.
- Follow the instructions for command line installation using command prompts or PowerShell.
Configuration
Enable CSM
- Ensure you have access to
C:\ProgramData
, which is a hidden folder.- In File Explorer, click the View tab, and clear the Hidden items checkbox. The ProgramData folder should now be visible when navigating to the
C:
drive. The transparent icon indicates it is a hidden folder.
- In
C:\ProgramData\Datadog\system-probe.yaml
, set the runtime_security_config
flag:
runtime_security_config:
enabled: true
- In
C:\ProgramData\Datadog\security-agent.yaml
, set the runtime_security_config
flag:
runtime_security_config:
enabled: true
- Restart the Datadog Agent to enable CSM.
Verify that the Agent is sending events to CSM
When you enable CSM on Windows, the Agent sends a log to Datadog to confirm that the Windows default ruleset has been successfully deployed. To view the log, navigate to the Logs page in Datadog and search for @agent.rule_id:ruleset_loaded
.
Another method to verify that the Agent is sending events to CSM is to manually trigger a Windows security signal.
- In Windows, open a command prompt as Administrator and run the command
schtasks /create /?
. - In Datadog, navigate to the CSM Signals Explorer to view the generated Windows signals.
- To view signals originating from configured Windows hosts, filter the signals by hostname using the Hosts > Hostnames facet.
- To filter by Windows rules, use the Workflow > Rule Name facet.
To get alerts whenever a Windows signal is created, create a Notification Rule that focuses on the host
tag specifically for configured Windows hosts.
Enable FIM and Registry Monitoring
- Ensure you have access to
C:\ProgramData
, which is a hidden folder.- In File Explorer, click the View tab, and clear the Hidden items checkbox. The ProgramData folder should now be visible when navigating to the
C:
drive. The transparent icon indicates it is a hidden folder.
- In
C:\ProgramData\Datadog\system-probe.yaml
, set the fim_enabled
flag:
runtime_security_config:
fim_enabled: true
- In
C:\ProgramData\Datadog\security-agent.yaml
, set the fim_enabled
flag:
runtime_security_config:
fim_enabled: true
- Restart the Datadog Agent to enable CSM.
Enable Vulnerability scanning
- Update your Datadog Agent to 7.58 or later.
- Ensure you have access to
C:\ProgramData
, which is a hidden folder.- In File Explorer, click the View tab, and clear the Hidden items checkbox. The ProgramData folder should now be visible when navigating to the
C:
drive. The transparent icon indicates it is a hidden folder.
- In
C:\ProgramData\Datadog\datadog.yaml
, set the sbom
and host
flags:
sbom:
enabled: true
host:
enabled: true
- Restart the Datadog Agent to enable CSM Vulnerability Management.
Collecting events using Cloud Security Management will affect your billing. For more information, see
Datadog Pricing.