Setting Up CSM Enterprise

The Cloud Security Management (CSM) Enterprise package includes CSM Threats, CSM Misconfigurations (cloud accounts and Agent), CSM Identity Risks, and CSM Vulnerabilities (container images and hosts). To learn more about the available CSM packages, see Setting up Cloud Security Management.

Prerequisites

  • Datadog Agent 7.44 or later.
  • Data collection is done using eBPF, so Datadog minimally requires platforms that have underlying Linux kernel versions of 4.15.0+ or have eBPF features backported. CSM Threats supports the following Linux distributions:
    • Ubuntu LTS (18.04, 20.04, and 22.04)
    • Debian 10 or later
    • Amazon Linux 2 (kernels 4.15, 5.4, and 5.10) and 2023
    • SUSE Linux Enterprise Server 12 and 15
    • Red Hat Enterprise Linux 7, 8, and 9
    • Oracle Linux 7, 8, and 9
    • CentOS 7
    • Custom kernel builds are not supported.
  • For compatibility with a custom Kubernetes network plugin like Cilium or Calico, see the Troubleshooting page.

Enable resource scanning for cloud accounts

To enable resource scanning for your cloud accounts, you must first set up the integration and then enable CSM for each AWS account, Azure subscription, and Google Cloud project.

    Set up the Datadog AWS integration

    If you haven’t already, set up the Amazon Web Services integration. You must also add the required permissions for resource collection.

    Enable CSM for your AWS accounts

    Use one of the following methods to enable CSM for your AWS accounts:

    CSM Setup page

    1. On the Cloud Security Management Setup page, click Cloud accounts.
    2. Expand the AWS section.
    3. To enable resource collection for an account, click the Resource Scanning toggle.
    4. Click Done.

    Amazon Web Services integration page

    1. On the Amazon Web Services Integration page, select an AWS account.
    2. On the Resource Collection tab, select the Cloud Security Posture Management Collection checkbox.
    3. Click Save.

    Exclude resources from evaluation

    You can use resource tags to create filters that include or exclude resources from being evaluated by CSM. The filters must be specified as a comma-separated list of key:value pairs.

    Note: Resource evaluation filters can only be used with hosts that are scanned by cloud integrations.

    FormatValue
    Allowlistkey:value
    Blocklist!key:value
    Single character wildcard?
    Multiple characters wildcard*

    The allowlist enables you to specify tags that must be applied to a resource in order for CSM to evaluate it. Allowlist tags are evaluated as OR statements. In other words, at least one of the allowlist tags must be present in order for a resource to be evaluated. In contrast, blocklisted tags are evaluated as AND statements and take precedence over allowlist tags.

    Examples:

    • !env:staging excludes resources that have the env:staging tag.
    • datadog:monitored, env:prod* collects metrics for resources that have at least one of these tags.
    • !env:staging, !testing excludes resources that have both the env:staging and testing tags.
    • datadog:monitored !region:us-east1 collects metrics for resources that have the datadog:monitored tag, so long as the resource does not have the region:us-east1 tag applied to it.
    1. On the Cloud Security Management Setup page, click Cloud accounts.
    2. Expand the AWS section.
    3. Under Resource Evaluation Filters (Optional), click the Plus (+) icon.
    4. Enter a comma-separated list of key:value pairs for the tags you want to allowlist or blocklist.
    5. Click Save.

    Set up the Datadog Azure integration

    If you haven’t already, set up the Microsoft Azure integration.

    Note: To access the full set of Azure compliance rules for CSM Misconfigurations, you must enable the Application.Read.All, Directory.Read.All, Group.Read.All, Policy.Read.All, and User.Read.All permissions for the Microsoft Graph API.

    Enable CSM for your Azure subscriptions

    Use one of the following methods to enable CSM for your Azure subscriptions:

    CSM Setup page

    1. On the Cloud Security Management Setup page, click Cloud accounts.
    2. Expand the Azure section.
    3. To enable resource collection for a subscription, click the Resource Scanning toggle.
    4. Click Done.

    Azure integration page

    1. On the Azure Integration page, select an Azure app registration.
    2. Under Resource Collection, select the Collect resources for Cloud Security Posture Management checkbox.
    3. Click Submit Changes.

    Exclude resources from evaluation

    You can use resource tags to create filters that include or exclude resources from being evaluated by CSM. The filters must be specified as a comma-separated list of key:value pairs.

    Note: Resource evaluation filters can only be used with hosts that are scanned by cloud integrations.

    FormatValue
    Allowlistkey:value
    Blocklist!key:value
    Single character wildcard?
    Multiple characters wildcard*

    The allowlist enables you to specify tags that must be applied to a resource in order for CSM to evaluate it. Allowlist tags are evaluated as OR statements. In other words, at least one of the allowlist tags must be present in order for a resource to be evaluated. In contrast, blocklisted tags are evaluated as AND statements and take precedence over allowlist tags.

    Examples:

    • !env:staging excludes resources that have the env:staging tag.
    • datadog:monitored, env:prod* collects metrics for resources that have at least one of these tags.
    • !env:staging, !testing excludes resources that have both the env:staging and testing tags.
    • datadog:monitored !region:us-east1 collects metrics for resources that have the datadog:monitored tag, so long as the resource does not have the region:us-east1 tag applied to it.
    1. On the Cloud Security Management Setup page, click Cloud accounts.
    2. Expand the Azure section.
    3. Under Resource Evaluation Filters (Optional), click the Plus (+) icon.
    4. Enter a comma-separated list of key:value pairs for the tags you want to allowlist or blocklist.
    5. Click Save.

    Set up the Datadog Google Cloud Platform integration

    The Datadog Google Cloud Platform integration uses service accounts to create an API connection between Google Cloud and Datadog. To enable metric collection, create a service account, and then provide Datadog with the service account credentials to begin making API calls on your behalf.

    Note: Google Cloud billing, the Cloud Monitoring API, the Compute Engine API, and the Cloud Asset API must all be enabled for the projects you wish to monitor.

    Google Cloud

    1. Navigate to the Google Cloud Credentials page for the Google Cloud project where you would like to set up the Datadog integration.
    2. Click Create credentials and select Service account.
    3. Give the service account a unique name and click Create and Continue.
    4. Add the following roles to the service account, then click Continue:
      • Compute Viewer
      • Monitoring Viewer
      • Cloud Asset Viewer
    5. Select the service account at the bottom of the page.
    6. On the Keys tab, click New Key, then select Create new key.
    7. Select JSON and click Create to download the JSON key.

    Datadog

    1. In Datadog, navigate to the Google Cloud Platform Integration page.
    2. On the Configuration tab, locate the service account and select Upload Private Key File to integrate the project with Datadog.
    3. Upload the JSON file, then click Update Configuration.
    4. To monitor multiple projects, use one of the following methods:
      • Repeat the process above to use multiple service accounts.
      • Use the same service account by updating the project_id in the downloaded JSON file. Then, upload the file to Datadog as described in steps 1-3.

    Enable CSM for your Google Cloud projects

    Use one of the following methods to enable CSM for your Google Cloud projects:

    CSM Setup page

    1. On the Cloud Security Management Setup page, click Cloud accounts.
    2. Expand the GCP section.
    3. To enable resource collection for a project, click the Resource Scanning toggle.
    4. Click Done.

    Google Cloud Platform integration page

    1. On the Google Cloud Platform Integration page, select a Google Cloud project.
    2. Under Resource Collection, select the Enable Cloud Security Posture Management checkbox.
    3. Click Save.

    Exclude resources from evaluation

    You can use resource tags to create filters that include or exclude resources from being evaluated by CSM. The filters must be specified as a comma-separated list of key:value pairs.

    Note: Resource evaluation filters can only be used with hosts that are scanned by cloud integrations.

    FormatValue
    Allowlistkey:value
    Blocklist!key:value
    Single character wildcard?
    Multiple characters wildcard*

    The allowlist enables you to specify tags that must be applied to a resource in order for CSM to evaluate it. Allowlist tags are evaluated as OR statements. In other words, at least one of the allowlist tags must be present in order for a resource to be evaluated. In contrast, blocklisted tags are evaluated as AND statements and take precedence over allowlist tags.

    Examples:

    • !env:staging excludes resources that have the env:staging tag.
    • datadog:monitored, env:prod* collects metrics for resources that have at least one of these tags.
    • !env:staging, !testing excludes resources that have both the env:staging and testing tags.
    • datadog:monitored !region:us-east1 collects metrics for resources that have the datadog:monitored tag, so long as the resource does not have the region:us-east1 tag applied to it.
    1. On the Cloud Security Management Setup page, click Cloud accounts.
    2. Expand the GCP section.
    3. Under Resource Evaluation Filters (Optional), click the Plus (+) icon.
    4. Enter a comma-separated list of key:value pairs for the tags you want to allowlist or blocklist.
    5. Click Save.

    Configure CSM on the Agent for hosts and containers

    Enable Remote Configuration

    Remote Configuration for CSM Threats is not supported for your selected Datadog site ().

    Remote Configuration for CSM Threats is in beta. If you have any feedback or questions, contact Datadog support.

    Remote Configuration is a Datadog capability that allows you to remotely configure the behavior of Datadog resources deployed in your infrastructure. For CSM Threats, enabling Remote Configuration allows you to receive new and updated Agent rules automatically when they’re released.

    To use Remote Configuration with CSM Threats, add the Remote Configuration scope to a new or existing API key, and then update your Datadog Agent configuration. See the Remote Configuration setup instructions for more information.

    Note: Without Remote Configuration, Agent rules must be manually deployed to the Datadog Agent.

    Configure the Agent

    To enable CSM on the Agent, navigate to the Cloud Security Management Setup page and click Hosts and containers.

    The Hosts and containers section on the Cloud Security Management Setup page

    For each version of the Agent that is installed, click Enable and follow the step-by-step instructions to enable CSM Workload Security.

    Alternatively, use the following examples to enable CSM Enterprise:

      1. Add the following to the datadog section of the values.yaml file:

        # values.yaml file
datadog:
  remoteConfiguration:
    enabled: true
  securityAgent:
    runtime:
      enabled: true
    compliance:
      enabled: true

      2. Optional: To enable Runtime Anomaly Detection, add the following to the values.yaml file:

        # values.yaml file
datadog:
  securityAgent:
    runtime:
      securityProfile:
        enabled: true

      3. Restart the Agent.

      1. Add the following to the spec section of the values.yaml file:

        # values.yaml file
spec:
  features:
    remoteConfiguration:
      enabled: true
    cws:
      enabled: true
    cspm:
      enabled: true

      2. Restart the Agent.

      Use the following command to start the Runtime Security Agent and system-probe in a Docker environment:

      docker-runtime-security.sh

      docker run -d --name dd-agent \
  --cgroupns host \
  --pid host \
  --security-opt apparmor:unconfined \
  --cap-add SYS_ADMIN \
  --cap-add SYS_RESOURCE \
  --cap-add SYS_PTRACE \
  --cap-add NET_ADMIN \
  --cap-add NET_BROADCAST \
  --cap-add NET_RAW \
  --cap-add IPC_LOCK \
  --cap-add CHOWN \
  -v /var/run/docker.sock:/var/run/docker.sock:ro \
  -v /proc/:/host/proc/:ro \
  -v /sys/fs/cgroup/:/host/sys/fs/cgroup:ro \
  -v /etc/passwd:/etc/passwd:ro \
  -v /etc/group:/etc/group:ro \
  -v /:/host/root:ro \
  -v /sys/kernel/debug:/sys/kernel/debug \
  -v /etc/os-release:/etc/os-release \
  -e DD_COMPLIANCE_CONFIG_ENABLED=true \
  -e DD_RUNTIME_SECURITY_CONFIG_ENABLED=true \
  -e DD_RUNTIME_SECURITY_CONFIG_NETWORK_ENABLED=true \ # to enable the collection of CSM Threats network events
  -e DD_RUNTIME_SECURITY_CONFIG_REMOTE_CONFIGURATION_ENABLED=true \
  -e HOST_ROOT=/host/root \
  -e DD_API_KEY=<API KEY> \
  gcr.io/datadoghq/agent:7

      Add the following settings to the env section of security-agent and system-probe in the daemonset.yaml file:

        # Source: datadog/templates/daemonset.yaml
  apiVersion:app/1
  kind: DaemonSet
  [...]
  spec:
  [...]
  spec:
      [...]
        containers:
        [...]
          - name: agent
            [...]
            env:
              - name: DD_REMOTE_CONFIGURATION_ENABLED
                value: "true"
          - name: system-probe
            [...]
            env:
              - name: DD_RUNTIME_SECURITY_CONFIG_ENABLED
                value: "true"
              - name: DD_RUNTIME_SECURITY_CONFIG_REMOTE_CONFIGURATION_ENABLED
                value: "true"
              - name: DD_COMPLIANCE_CONFIG_ENABLED
                value: "true"
          [...]

      For a package-based deployment, install the Datadog package with your package manager, and then update the datadog.yaml, security-agent.yaml, and system-probe.yaml files.

      By default, Runtime Security is disabled. To enable it, both the security-agent.yaml and system-probe.yaml files need to be updated.

      # /etc/datadog-agent/datadog.yaml file
remote_configuration:
  ## @param enabled - boolean - optional - default: false
  ## Set to true to enable remote configuration.
  enabled: true

runtime_security_config:
  ## @param enabled - boolean - optional - default: false
  ## Set to true to enable full CSM Threats.
  enabled: true

compliance_config:
 ## @param enabled - boolean - optional - default: false
 ## Set to true to enable CIS benchmarks for CSPM.
 #
 enabled: true

      # /etc/datadog-agent/security-agent.yaml file
runtime_security_config:
  ## @param enabled - boolean - optional - default: false
  ## Set to true to enable full CSM Threats.
  enabled: true

compliance_config:
 ## @param enabled - boolean - optional - default: false
 ## Set to true to enable CIS benchmarks for CSPM.
 #
 enabled: true

      # /etc/datadog-agent/system-probe.yaml file
runtime_security_config:
  ## @param enabled - boolean - optional - default: false
  ## Set to true to enable full CSM Threats.
  enabled: true

  remote_configuration:
    ## @param enabled - boolean - optional - default: false
    enabled: true

      Optional: To enable Runtime Anomaly Detection, add the following to the system-probe.yaml file:

      # /etc/datadog-agent/system-probe.yaml file
runtime_security_config:
  security_profile:
    ## @param enabled - boolean - optional - default: false
    ## Set to true to enable Runtime Anomaly Detection.
    enabled: true

      The following deployment can be used to start the Runtime Security Agent and system-probe in an AWS Elastic Beanstalk environment with multiple Docker containers:

      {
    "AWSEBDockerrunVersion": 2,
    "volumes": [
        {
            "name": "docker_sock",
            "host": {
                "sourcePath": "/var/run/docker.sock"
            }
        },
        {
            "name": "proc",
            "host": {
                "sourcePath": "/proc/"
            }
        },
        {
            "name": "cgroup",
            "host": {
                "sourcePath": "/cgroup/"
            }
        },
        {
            "name": "debug",
            "host": {
                "sourcePath": "/sys/kernel/debug"
            }
        },
        {
           "name": "os_release",
           "host": {
                "sourcePath": "/etc/os-release"
        }
        },
        {
           "name": "etc_passwd",
           "host": {
             "sourcePath": "/etc/passwd"
           }
        },
        {
           "name": "etc_group",
           "host": {
             "sourcePath": "/etc/group"
           }
        }
    ],
    "containerDefinitions": [
        {
            "image": "gcr.io/datadoghq/agent:7",
            "environment": [
                {
                    "name": "DD_API_KEY",
                    "value": "<YOUR_DD_API_KEY>"
                },
                {
                    "name": "DD_SITE",
                    "value": "<YOUR_DD_SITE>"
                },
                {
                    "name": "DD_TAGS",
                    "value": "<SIMPLE_TAG>, <KEY:VALUE_TAG>"
                },
                {
                   "name": "DD_RUNTIME_SECURITY_CONFIG_ENABLED",
                   "value": "true"
                },
                {
                    "name": "DD_REMOTE_CONFIGURATION_ENABLED",
                    "value": "true"
                },
                {
                    "name": "DD_RUNTIME_SECURITY_CONFIG_REMOTE_CONFIGURATION_ENABLED",
                    "value": "true"
                },
                {
                      "name": "DD_COMPLIANCE_CONFIG_ENABLED",
                      "value": "true"
                  }
            ],
            "memory": 256,
            "dockerSecurityOptions": ["apparmor:unconfined"],
            "linuxParameters": {
             "capabilities": {
               "add": [
                 "SYS_ADMIN",
                 "SYS_RESOURCE",
                 "SYS_PTRACE",
                 "NET_ADMIN",
                 "NET_BROADCAST",
                 "NET_RAW",
                 "IPC_LOCK",
                 "CHOWN"
               ]
              }
            },
            "mountPoints": [
                {
                    "sourceVolume": "docker_sock",
                    "containerPath": "/var/run/docker.sock",
                    "readOnly": false
                },
                {
                    "sourceVolume": "proc",
                    "containerPath": "/host/proc",
                    "readOnly": true
                },
                {
                    "sourceVolume": "cgroup",
                    "containerPath": "/host/sys/fs/cgroup",
                    "readOnly": true
                },
                {
                    "containerPath": "/sys/kernel/debug",
                    "sourceVolume": "debug"
                },
                {
                    "sourceVolume": "os_release",
                    "containerPath": "/host/etc/os-release",
                    "readOnly": false
                },
                {
                    "sourceVolume": "etc_passwd",
                    "containerPath": "/etc/passwd",
                    "readOnly": false
                },
                {
                    "sourceVolume": "etc_group",
                    "containerPath": "/etc/group",
                    "readOnly": false
                }
            ]
        }
    ]
}

      Further reading

      Additional helpful documentation, links, and articles:

      Setting up Cloud Security ManagementDOCUMENTATION more more Cloud Security Management ThreatsDOCUMENTATION more more Cloud Security Management MisconfigurationsDOCUMENTATION more more Cloud Security Management Identity RisksDOCUMENTATION more more Cloud Security Management VulnerabilitiesDOCUMENTATION more more Remote ConfigurationDOCUMENTATION more more