Datadog Workflow Automation allows you to orchestrate and automate your end-to-end processes by building workflows made up of actions that connect to your infrastructure and tools.
Workflow Automation allows you to trigger a workflow manually or automatically from a monitor, security signal, or custom schedule. In the example workflows in this article, the workflows are triggered manually by clicking the Actions > Run Workflow button on the side panels.
When you trigger a workflow, the source ID of the trigger event must be passed on to the next step in the workflow. In the examples in this article, the trigger event is a new security finding, and in both cases the source ID is specified in the initial step of the workflow using source object variables.
Build a workflow
You can build a workflow using a preconfigured flow from an out-of-the-box blueprint, or by creating a custom workflow. For detailed instructions on how to create a workflow, see the Workflow Automation docs.
Block access to Amazon S3 bucket via Slack
This example creates a remediation workflow that sends an interactive Slack message when a public Amazon S3 bucket is detected. By clicking Approve or Reject, you can automatically block access to the S3 bucket or decline to take action.
Note: To build this workflow, you must configure the Slack integration.
Click Add a step to get started to begin adding steps to your workflow in the workflow builder. Alternatively, click Edit JSON Spec to build the workflow in the JSON editor.
Get security misconfiguration
To retrieve the security misconfiguration and pass it into the workflow, use the Get security finding action. The action uses the {{ Source.securityFinding.id }} source object variable to retrieve the misconfiguration’s details from the Get a finding API endpoint.
Click Add a step to get started to add the first step to your workflow.
Search for the Get security finding action and select it to add it as a step on your workflow canvas.
Click the step in the workflow canvas to configure it.
For Finding ID, enter {{ Source.securityFinding.id }}.
Add JS function
Next, add the JavaScript Data Transformation Function action to the canvas and configure it to return the region name from the misconfiguration’s tags.
Click the plus (+) icon on the workflow canvas to add another step.
Search for the JS Function action and select it to add it as a step on your workflow canvas.
Click the step in the workflow canvas and paste the following in the script editor:
```javascript
// Gets the region info from the misconfiguration tags
// Use `$` to access Trigger or Steps data.
// Use `_` to access Lodash.
// See https://lodash.com/ for reference.
let tags = $.Steps.Get_security_finding.tags;
let region = tags.filter(t => t.includes('region:'));
if (region.length == 1) {
  return region[0].split(':')[1];
} else {
  return '';
}
```
Add Slack action
Click the plus (+) icon on the workflow canvas to add another step.
Search for the Make a decision action for Slack and select it to add it as a step on your workflow canvas.
Click the step in the workflow canvas and enter the following information:
Workspace: The name of your Slack workspace.
Channel: The channel to send the Slack message to.
Prompt text: The text that will appear immediately above the choice buttons in the Slack message, for example, “Would you like to block public access for {{ Steps.Get_security_finding.resource }} in region {{ Steps.GetRegion.data }}?”
Approve workflow
Under Approve on the workflow canvas, click the plus (+) icon to add another step.
Search for the Block Public Access action for Amazon S3 and select it to add it as a step on your workflow canvas.
Click the step in the workflow canvas and enter the following information:
Connection: The name of the workflow connection for the AWS integration.
Under the Block public access step on the workflow canvas, click the plus (+) icon to add another step.
Search for the Send message action for Slack and select it to add it as a step on your workflow canvas.
Click the step in the workflow canvas and enter the following information:
Workspace: The name of your Slack workspace.
Channel: The channel to send the Slack message to.
Message text: The text that appears in the Slack message. For example:
S3 bucket `{{ Steps.Get_security_finding.resource }}` successfully blocked. AWS API response:
```{{ Steps.Block_public_access }}```
The issue will be marked as fixed the next time the resource is scanned, which can take up to one hour.
Reject workflow
Under Reject on the workflow canvas, click the plus (+) icon to add another step.
Search for the Send message action for Slack and select it to add it as a step on your workflow canvas.
Click the step in the workflow canvas and enter the following information:
Workspace: The name of your Slack workspace.
Channel: The channel to send the Slack message to.
Message text: The text that appears in the Slack message, for example, “User declined the action”.
Click Save.
Automatically create and assign a Jira issue
This example creates an automated ticket routing workflow that creates and assigns a Jira issue to the appropriate team when a security finding is detected.
Note: To build this workflow, you must configure the Jira integration.
Click Add a step to get started to begin adding steps to your workflow in the workflow builder. Alternatively, click Edit JSON Spec to build the workflow in the JSON editor.
Get security issue
To retrieve the finding and pass it into the workflow, use the Get security finding action. The action uses the {{ Source.securityFinding.id }} source object variable to retrieve the finding’s details from the Get a finding API endpoint.
Click Add a step to get started to add the first step to your workflow.
Search for the Get security finding action and select it to add it as a step on your workflow canvas.
Click the step in the workflow canvas to configure it.
For Security ID, enter {{ Source.securityFinding.id }}.
Add JS function
Next, add the JavaScript Data Transformation Function action to the canvas and configure it to return the team name from the finding’s tags.
Click the plus (+) icon on the workflow canvas to add another step.
Search for the JS Function action and select it to add it as a step on your workflow canvas.
Click the step in the workflow canvas and paste the following in the script editor:
```javascript
// Gets the team info from the finding tags
// Use `$` to access Trigger or Steps data.
// Use `_` to access Lodash.
// See https://lodash.com/ for reference.
let tags = $.Steps.Get_security_finding.tags;
let team = tags.filter(t => t.includes('team:'));
// Check the team matches (not region) before returning the single value.
if (team.length == 1) {
  return team[0].split(':')[1];
} else {
  return '';
}
```
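The two JS Function steps above (region lookup and team lookup) do the same thing with a different tag key. The following added example, which is not code from the Datadog documentation, generalizes them into one reusable lookup that matches the tag key as an exact prefix (so `region:` does not also match a hypothetical `source_region:` tag), keeps values that themselves contain `:`, and returns `''` when the tag is missing or appears more than once. The `$` object is a constructed stand-in for the one Workflow Automation supplies, so the block runs offline.

```javascript
// Constructed stand-in for the `$` object that the JS Function step provides.
// The tags are sample data; a real finding carries many more.
const $ = {
  Steps: {
    Get_security_finding: {
      tags: ['env:prod', 'region:us-east-1', 'team:storage', 'source_region:eu-west-1'],
    },
  },
};

// Returns the value of the single tag whose key is exactly `key`.
// A prefix match is used instead of includes() so that 'region:' does not
// also match 'source_region:'. Returns '' when the tag is absent or
// ambiguous, so downstream steps (the Slack prompt, the Jira assignee)
// never receive a value picked at random from several candidates.
function tagValue(tags, key) {
  const prefix = `${key}:`;
  const matches = (tags || []).filter(
    (t) => typeof t === 'string' && t.startsWith(prefix)
  );
  if (matches.length !== 1) {
    return '';
  }
  // Keep everything after the first ':' so values containing ':' survive.
  return matches[0].slice(prefix.length);
}

// What each of the page's two JS Function steps returns on this finding.
// Inside the actual step the script body would be just the `return` line.
function getRegion() {
  return tagValue($.Steps.Get_security_finding.tags, 'region');
}

function getTeam() {
  return tagValue($.Steps.Get_security_finding.tags, 'team');
}
```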
Add Jira action
Click the plus (+) icon on the workflow canvas to add another step.
Search for the Create issue Jira action and select it to add it as a step on your workflow canvas.
Click the step in the workflow canvas and enter the following information:
You can trigger an existing workflow from the finding, misconfiguration, and resource side panels.
In the side panel, click Actions > Run Workflow, and select a workflow to run. Depending on the workflow, you may be required to enter additional input parameters, such as incident details and severity, the name of the impacted S3 bucket, or the Slack channel you want to send an alert to.
After running the workflow, additional information is shown on the side panel. You can click the link to view the workflow.