Visualize Activity in Your AWS Environment With Datadog Cloud SIEM Investigator | Datadog

Visualize activity in your AWS environment with Datadog Cloud SIEM Investigator

Author Mallory Mooney
Author Partha Naidu

Published: November 28, 2022

Investigating the origin of activity in cloud-native infrastructure—and understanding which activity is a potential threat—can be a challenging, time-consuming task for organizations. Cloud environments are complex by nature, comprising thousands of ephemeral, interconnected resources that generate large volumes of alerts, logs, metrics, and other data at any given time. Without adequate visibility into this activity, security teams and DevOps can easily overlook legitimate issues in their cloud environments.

To help these teams streamline their investigations, we are excited to announce Datadog Cloud SIEM Investigator for AWS environments (with support for other major cloud providers coming soon). The Investigator leverages AWS CloudTrail logs to help teams visualize activity associated with AWS entities, such as Identity and Access Management (IAM) users, roles, resources, and more.

Visualize AWS activity with Datadog Cloud SIEM Investigator

With this centralized view, DevOps and security teams have a deeper understanding of the who, what, when, and how behind changes in their cloud environments.

Chat with the Cloud SIEM team!

Visualize cloud activity and drill down to specific entities

AWS environments are made up of thousands of interconnected infrastructure resources, roles, and users, and lacking a complete view of their activity is a common pain point for teams during investigations. Datadog Cloud SIEM Investigator enables them to answer key questions about their environment while investigating changes, such as:

  • Which identities or users are interacting with a resource?
  • What actions did an IAM user take within a specified time period, and were they successful?
  • What operations were performed on a resource?

For example, security teams and DevOps can monitor all activity by a specific IAM user to determine if they are interacting with business-critical resources, such as an Amazon Simple Storage Service (Amazon S3) bucket or Amazon Elastic Compute Cloud (EC2) instance. The following screenshot shows an IAM user failing to execute an operation on an Amazon S3 bucket. S3 operations like get-bucket-policy could indicate that a threat actor is gathering information about a bucket’s configuration, so it’s important to investigate this kind of activity to ensure that it’s legitimate. Security teams can investigate further by reviewing associated Security Signals to ensure that the account should be performing these operations and isn’t compromised.

Review failed events with Datadog Cloud SIEM Investigator

Improve cross-team collaboration on investigations

Context is essential for distinguishing between legitimate threats and permitted activity in large-scale cloud environments. In these cases, DevOps may not have adequate security context while reviewing activity logs. Conversely, security teams often do not have access to infrastructure data while investigating security events. This disconnect makes it difficult to collaborate on investigations and determine if an event is permitted or a part of a larger attack.

Datadog Cloud SIEM Investigator is tightly integrated with both the Log Explorer and Security Signals, allowing disparate teams to work together on identifying the source of a flagged event or log, regardless of their entry point. For example, Datadog Cloud SIEM will generate a security signal when an IAM user removes an S3 bucket’s public access block—removing a block exposes the bucket to the public internet, so this kind of activity requires thorough investigation. As seen in the following screenshot, the generated signal will now include more details about which identity was involved.

Review activity via Security Signals

This information is also available in associated logs, so DevOps teams have more context for investigating the activity that led to the generated signal, such as multiple operations on the same S3 bucket. Having this context enables both DevOps and security teams to quickly pivot from their respective views to the Cloud SIEM Investigator in order to analyze the complete path of the event. Both teams can then work together to determine whether or not the event is a part of an authorized deployment or a sign of malicious activity. If it is permitted activity, security teams can update their suppression lists in order to reduce the number of generated false positive alerts on that bucket.

Start using Datadog Cloud SIEM Investigator today

With Datadog Cloud SIEM Investigator, organizations can now visualize activity among IAM users, services, and resources within AWS environments. This visibility provides shared context for teams to improve collaboration on investigations and effectively identify the root cause of changes faster. Check out our documentation to learn more, or sign up for a today.