Cloud Security Management Threats (CSM Threats) Runtime Anomaly Detection provides out-of-the-box detection of unusual behavior on your containerized workloads using a model based on Workload Security Profiles. It allows your security Agents to observe processes spawned by your applications, along with network traffic and file access. It can then alert you when the runtime behavior of your containers changes.

By profiling your application as it runs, Runtime Anomaly Detection can detect attacks within containerized environments. Designed to integrate seamlessly with rule-based detections, Anomaly Detection helps aggregate suspicious activity directly from your Agent, complementing rules that detect a wide array of attacks with detailed context on unusual behavior within your application’s environment. Anomaly Detection, unlike rule-based approaches, can identify when workloads:

  • launch new custom commands (such as cryptominers).
  • access local files for the first time.
  • make new DNS resolutions (for example, to exfiltrate data).


How it works

Once you activate Runtime Anomaly Detection, the security Agents start recording the normal behavior of your containerized workloads. This includes commands run, files accessed, and DNS resolutions. This behavior is aggregated across all running containers with the same short image name and stored as Security Profiles.

After a learning period, your Agents can begin detecting anomalies. The learning duration varies depending on the workload’s activity, by default taking between 48 and 120 hours.

As soon as the learning period is over, the Agent begins evaluating new anomalous behavior and sending anomaly events to Datadog. Datadog’s platform aggregates these events by container and confirms that the anomalous behavior is not present in the Security Profile.

If the behavior is not present in the security profile, the events are then surfaced as security signals. Signals are updated dynamically based on any newly detected anomalous behavior in the same container.

Inspect runtime anomaly signals

Runtime Anomaly Detection signals allow you to evaluate runtime behavior. When new anomalies are surfaced, you can escalate them using Case Management or Incidents. If you investigate and find they are benign, you can suppress similar signals and add the behavior to the service’s Security Profile, indicating that it is expected behavior for the application.

The Overview tab on Anomaly Detection Security signals has three main sections:

  • The What Happened section explains which container was impacted and describes how to evaluate the signal.
  • Suggested Next Steps provides essential pivots into Datadog observability tools such as Infrastructure Monitoring, access to the Security Profile to review known behavior for the service, and links to escalate the workflow using Case Management or Incidents, along with any custom-defined workflows. If the signal is benign, you can add it to the Security Profile of the workload to mark it as normal activity and avoid generating signals if the same behavior is observed again.
  • Anomaly Detected displays a list of Anomaly Events in chronological order.
A runtime anomaly detection signal with three parts described below.

Set up real-time notifications

You can set up security notification rules to alert you via Slack or email when anomaly signals are generated. Notifications can also be used to trigger webhooks or Datadog Workflows, enabling automated remediation pipelines. To target anomaly signals in a notification rule, use the rule criteria rule_id:anomaly_detection.

Use Audit Trail to track anomaly signal actions

As an administrator or security team member, you can use Datadog Audit Trail to see what actions your team is taking in Cloud Security Management. As an individual, you can see a stream of your own actions. Audit trails for security signals are provided without additional configuration.

To view audit logs generated by actions taken in Cloud Security Management, navigate to Organization Settings > Compliance > Audit Trail and do one of the following:

  • Create the following query:"Cloud Security Platform"
  • In the Event Name facet, select Cloud Security Platform.

To view audit logs generated by actions taken on security signals:

  • Create the following query: @asset.type:security_signal
  • In the Asset Type facet, select security_signal..

Further Reading

Additional helpful documentation, links, and articles: