Excessive sensitive activity from an IP (SDK instrumented)

Goal

Detect excessive activity performed from an IP.

This may be caused by a malicious actor trying to cause issues in your platform, create spam content, or similar.

You can read more about the purpose of rate limiting there.

Required business logic events

Datadog auto-instruments many event types. Review your instrumented business logic events. This detection requires the following instrumented event:

  • activity.sensitive

Strategy

Count the number of a given activity generated coming from a single IP.

Require the activity to be flagged using a user event named activity.sensitive. User authentication isn’t necessary.

However, it is very important that the event be given a name in the metadata.

The rule will count the number of events sharing the same names. This enables you to rate limit multiple activities separately without one counting for another (60 activity named A + 60 activity named B won’t trigger the rate limit). The rule won’t run if no name is provided.

The rule determines the standard rate for IPs to trigger this activity. If an IP is seen significantly exceeding the normal rate, a Medium signal will be generated.

Note

This rule is using a new feature of ASM that isn’t yet available in custom detection rules.
This will prevent you from cloning this rule and having it work the same way as the Datadog version.
We’re working toward solving this limitation.

Triage and response

  1. Investigate the IP activity and validate that it is legitimate.
  2. Consider blocking the IP if the activity are malicious.
  3. Consider introducing your own rate limiting features.