Cloud Workload Security

Datadog Cloud Workload Security (CWS) monitors file, network, and process activity across your environment to detect real-time threats to your infrastructure. As part of the Datadog platform, you can combine the real-time threat detection of CWS with metrics, logs, traces, and other telemetry to see the full context surrounding a potential attack on your workloads.

Detect threats to your production workloads in real-time

Monitor file and process activity at the kernel level to detect threats to your infrastructure, such as AWS EC2 instances, Docker containers, and Kubernetes clusters. Combine CWS with Network Performance Monitoring and detect suspicious activity at the network level before a workload is compromised.

Network threat detections is in private beta. Fill out this form to request access.

CWS uses the Datadog Agent to monitor your environment. If you don’t already have the Datadog Agent set up, start with setting up the Agent on a supported operating system. There are four types of monitoring that the Datadog Agent uses for Cloud Workload Security:

  1. Process Execution Monitoring to watch process executions for malicious activity on hosts or containers in real-time.
  2. File Integrity Monitoring to watch for changes to key files and directories on hosts or containers in real-time.
  3. DNS Activity Monitoring to watch network traffic for malicious activity on hosts and containers in real-time.
  4. Kernel Activity Monitoring to watch for kernel-layer attacks like process hijacking, container breakouts, and more in real-time.
Cloud Workload Security overview page

Manage out-of-the-box and custom detection rules

CWS comes with more than 50 out-of-the-box detection rules that are maintained by a team of security experts. The rules surface the most important risks so that you can immediately take steps to remediate. Agent expression rules define the workload activities to be collected for analysis while backend detection rules analyze the activities and identify attacker techniques and other risky patterns of behavior.

Use Remote Configuration to automatically deploy new and updated rules to the Agent. Customize the rules by defining how each rule monitors process, network, and file activity, create custom rules, and set up real-time notifications for new signals.

Cloud Workload Security detection rules in the Datadog app

Model expected workload behavior

Create a baseline of expected workload behavior with Workload Security Profiles. Workload Security Profiles uses a behavior learning model to help identify suspicious activity indicative of a threat or misconfiguration. It also generates suppression suggestions for any known, acceptable workload behavior. Use the insight gained from Security Profiles to investigate security alerts and to identify previously unseen, anomalous behavior.

Set up real-time notifications

Send real-time notifications when a threat is detected in your environment, so that your teams can take action to mitigate the risk. Notifications can be sent to Slack, email, PagerDuty, webhooks, and more.

Use template variables and Markdown to customize notification messages. Edit, disable, and delete existing notification rules, or create new rules and define custom logic for when a notification is triggered based on severity and rule type.

Investigate and remediate security signals

Investigate and triage security signals in the Security Signals Explorer. View detailed information about the impacted files or processes, related signals and logs, and remediation steps.

Cloud Workload Security signals in the Datadog app

Get started

Additional helpful documentation, links, and articles: