Detect Security Threats With Anomaly Detection Rules | Datadog

Detect security threats with anomaly detection rules

Author Jordan Obey
Author Justin Massey

Published: August 18, 2021

Securing your environment requires being able to quickly detect abnormal activity that could represent a threat. But today’s modern cloud infrastructure is large, complex, and can generate vast volumes of logs. This makes it difficult to determine what activity is normal and harder to identify anomalous behavior. Now, in addition to threshold and new term–based Threat Detection Rules, Datadog Cloud SIEM provides the ability to create anomaly detection rules. With this detection method, Datadog will analyze relevant logs for the specific entities you query—hosts, IP addresses, users, etc.—to identify historical trends and determine baseline behavior. Then, when it detects any type of deviation from this baseline, Datadog will create a Security Signal that includes a timeseries graph to illustrate what happened, enabling you to triage the event and take any necessary action.

Spot anomalies in dynamic activity

Threshold-based detection rules can notify you if the frequency of certain activity exceeds a specific value (e.g., there are more than 100 access-denied requests from a user within a one-hour timeframe). For situations where you’re not able to establish a set threshold, you can use anomaly detection rules to dynamically generate thresholds based on historical behavior. This can be particularly helpful for monitoring unusual behavior across events like unique API calls, an influx in access denied requests, and more. In these cases, baseline activity is different entity to entity, so it can be difficult to define a set threshold that won’t potentially result in many false positives.

Let’s say you are monitoring your organization’s Google Cloud Platform service accounts. Service accounts connect to APIs to access the resources they need to run their workloads, so you expect to see API calls made regularly. If, however, a service account makes an unusual amount of API calls, it could mean that an account has been compromised and an attacker is attempting to access sensitive data. You can create an anomaly-based rule that monitors your audit logs for API activity and alerts you if an unusual volume of calls have been made.

anomaly-detection01.png
An anomaly detection rule that looks for an unusual number of API calls from a GCP service account.

Similarly, if you’re monitoring Salesforce user activity, Datadog provides an out-of-the-box Threat Detection Rule that notifies you of any anomalous spikes in query results. While there may be periods when spikes in Salesforce user activity is the norm, anomalous spikes can signal that an unauthorized user may be attempting to access protected data and may require further investigation.

Analyze Security Signals

If Datadog ingests logs that trigger an anomaly detection rule, Datadog will generate a Security Signal, notifying you of the nature of the anomaly as well as the window of time it occurred in so you can investigate further. Security Signals include key event data like IP addresses and usernames so you can, for instance, look at the user ID associated with an anomalous spike in Salesforce query results to determine if it is a recognized account or an attacker.

Any Security Signals that Datadog generates based on anomaly detection rules will remain “open” (i.e., continue to report data about the anomaly) as long as analyzed logs indicate the same anomalous behavior over a set interval, or until the anomaly exceeds a specified maximum signal duration (e.g., 24 hours), and has become the new baseline. This helps you determine when an anomaly first occurred, and whether it is still ongoing or has concluded.

Security signals can be generated by triggered anomaly detection rules.

Get started today

Datadog Cloud SIEM’s anomaly-based detection rules identify and alert on anomalous behavior in your dynamic environment, making it easier to identify and investigate suspicious behavior when it appears. If you’re currently a Datadog customer, you can learn more about creating security rules here. Otherwise, get started today with a 14-day