Use the following instructions to enable CSM Threats on Windows. To learn more about the supported deployment types for each CSM feature, see Setting Up Cloud Security Management.

Datadog Cloud Security Management on Windows includes built-in threat detection for Windows process and network events. The out-of-the-box Windows ruleset includes the following default rules:

• Certutil used to transmit or decode a file
• Process memory was dumped using the minidump functions of comsvcs.dll
• NTDS file referenced in command line
• Suspicious ntdsutil usage
• Procdump used to dump process memory
• Scheduled task created
• Bitsadmin used to download or execute a file
• WMI used to remotely execute content
• Known pentesting tool crackmapexec executed

Prerequisites

• Agent versions 7.52 and later.
• Access to hosts running Windows Server 2016 or newer.
• (Optional) For network events, NPM must be enabled on the hosts.

Note: Windows containerized workloads are not supported.

Installation

Installer

1. Install the Datadog Windows Agent.
2. Right-click the downloaded .msi file and select Run as administrator.
3. Follow the prompts, accept the license agreement, and enter your Datadog API key. If you are upgrading from an existing version of the Agent, the installer may not prompt you for an API key.

It can take up to 15 minutes to complete the installation. In certain cases, Microsoft Defender may cause slow installation progress. When the install finishes, you are given the option to launch the Datadog Agent Manager.

Command line

1. Download the Datadog Agent installer.
2. Follow the instructions for command line installation using command prompts or PowerShell.

Configuration

Enable CSM

1. Ensure you have access to C:\ProgramData, which is a hidden folder.
   • In File Explorer, click the View tab, and clear the Hidden items checkbox. The ProgramData folder should now be visible when navigating to the C: drive. The transparent icon indicates it is a hidden folder.
2. In C:\ProgramData\Datadog\system-probe.yaml, set the runtime_security_config flag:
   
   

   runtime_security_config:
     enabled: true
   

3. In C:\ProgramData\Datadog\security-agent.yaml, set the runtime_security_config flag:
   
   

   runtime_security_config:
     enabled: true
   

4. Restart the Datadog Agent to enable CSM.

Verify that the Agent is sending events to CSM

When you enable CSM on Windows, the Agent sends a log to Datadog to confirm that the Windows default ruleset has been successfully deployed. To view the log, navigate to the Logs page in Datadog and search for @agent.rule_id:ruleset_loaded.

Another method to verify that the Agent is sending events to CSM is to manually trigger a Windows security signal.

1. In Windows, open a command prompt as Administrator and run the command schtasks.
2. In Datadog, navigate to the CSM Signals Explorer to view the generated Windows signals.
   • To view signals originating from configured Windows hosts, filter the signals by hostname using the Hosts > Hostnames facet.
   • To filter by Windows rules, use the Workflow > Rule Name facet.

To get alerts whenever a Windows signal is created, create a Notification Rule that focuses on the host tag specifically for configured Windows hosts.

Enable FIM and Registry Monitoring

1. Ensure you have access to C:\ProgramData, which is a hidden folder.
   • In File Explorer, click the View tab, and clear the Hidden items checkbox. The ProgramData folder should now be visible when navigating to the C: drive. The transparent icon indicates it is a hidden folder.
2. In C:\ProgramData\Datadog\system-probe.yaml, set the fim_enabled flag:
   
   

   runtime_security_config:
     fim_enabled: true
   

3. In C:\ProgramData\Datadog\security-agent.yaml, set the fim_enabled flag:
   
   

   runtime_security_config:
     fim_enabled: true
   

4. Restart the Datadog Agent to enable CSM.