Excessive sensitive activity from an IP (WAF instrumented)

Goal

Detect excessive activity performed from an IP.

This may be caused by a malicious actor trying to cause issues in your platform, create spam content, or similar.

You can read more about the purpose of rate limiting in the official Google documentation.

Event tagging

This rule does note require the event to be tagged by the SDK. Instead, you can create a custom In-App WAF rule in the Protection tab of your Datadog account, from the Application Security product.
This enables the rollout of detection without code change. The rate limiting is applied by IP, across every event tagged, even if the event is tagged by different rules. Which means every event counts toward the same rate limit.

Strategy

Count the number of a given activity generated from a single IP.

Requires the activity to be flagged using a WAF rule named activity.sensitive. User authentication is not necessary.

A Medium signal is generated if more than 100 events from a single IP over 5 minutes are found. The threshold can be modified either globally, or for a single activity by cloning the rule.

Triage and response

  1. Investigate the IP activity and validate that it is legitimate.
  2. Consider blocking the IP if the activity are malicious.
  3. Consider introducing your own rate limiting features.