From 74d5618e4e35fb050d4dbc70bb0c798397f74ffd Mon Sep 17 00:00:00 2001 From: Michael Cretzman Date: Thu, 24 Apr 2025 10:33:32 -0700 Subject: [PATCH 1/6] moving some Threat Mgmt topics to top level --- config/_default/menus/main.en.yaml | 35 +- .../how-it-works/add-user-info.md | 818 ++++++++++++++++++ .../how-it-works/protection.md | 126 +++ .../how-it-works/threat-intelligence.md | 176 ++++ .../how-it-works/trace_qualification.md | 47 + .../application_security/overview/_index.md | 42 + .../security_signals/_index.md | 159 ++++ 7 files changed, 1398 insertions(+), 5 deletions(-) create mode 100644 content/en/security/application_security/how-it-works/add-user-info.md create mode 100644 content/en/security/application_security/how-it-works/protection.md create mode 100644 content/en/security/application_security/how-it-works/threat-intelligence.md create mode 100644 content/en/security/application_security/how-it-works/trace_qualification.md create mode 100644 content/en/security/application_security/overview/_index.md create mode 100644 content/en/security/application_security/security_signals/_index.md diff --git a/config/_default/menus/main.en.yaml b/config/_default/menus/main.en.yaml index 818e1f0617036..fd05dc082f735 100644 --- a/config/_default/menus/main.en.yaml +++ b/config/_default/menus/main.en.yaml @@ -6400,6 +6400,36 @@ menu: parent: application_security identifier: appsec_howitworks weight: 3 + - name: Threat Intelligence + url: security/application_security/how-it-works/threat-intelligence + parent: appsec_howitworks + identifier: threats_threat_intelligence + weight: 1 + - name: Trace Qualification + url: security/application_security/how-it-works/trace_qualification + parent: appsec_howitworks + identifier: trace_qualification + weight: 2 + - name: User Monitoring and Protection + url: security/application_security/how-it-works/add-user-info + parent: appsec_howitworks + identifier: user_monitoring_and_protection + weight: 3 + - name: Protection + url: security/application_security/how-it-works/protection + parent: appsec_howitworks + identifier: protection + weight: 4 + - name: Attack Summary + url: security/application_security/overview + parent: application_security + identifier: application_security_overview + weight: 5 + - name: Security Signals + url: security/application_security/security_signals + parent: application_security + identifier: application_security_security_signals + weight: 6 - name: Threat Management url: security/application_security/threats/ parent: application_security @@ -6465,11 +6495,6 @@ menu: parent: appsec_threats identifier: threats_security_signals weight: 719 - - name: Threat Intelligence - url: security/application_security/threats/threat-intelligence/ - parent: appsec_threats - identifier: threats_threat_intelligence - weight: 720 - name: Trace Qualification url: security/application_security/threats/trace_qualification/ parent: appsec_threats diff --git a/content/en/security/application_security/how-it-works/add-user-info.md b/content/en/security/application_security/how-it-works/add-user-info.md new file mode 100644 index 0000000000000..ecd68df0d1d5e --- /dev/null +++ b/content/en/security/application_security/how-it-works/add-user-info.md @@ -0,0 +1,818 @@ +--- +title: User Monitoring and Protection +aliases: + - /security_platform/application_security/add-user-info + - /security/application_security/add-user-info +further_reading: +- link: "/security/application_security/" + tag: "Documentation" + text: "Protect against threats with Datadog App and API Protection" +- link: "/security/application_security/threats/library_configuration/" + tag: "Documentation" + text: "Other setup considerations and configuration options" +--- + +## Overview + +Instrument your services and track user activity to detect and block bad actors. + +[Add authenticated user information on traces](#adding-authenticated-user-information-to-traces-and-enabling-user-blocking-capability) to identify and block bad actors targeting your authenticated attack surface. To do this, set the user ID tag on the running APM trace, providing the necessary instrumentation for AAP to block authenticated attackers. This allows AAP to associate attacks and business logic events to users. + +[Track user logins and activity](#adding-business-logic-information-login-success-login-failure-any-business-logic-to-traces) to detect account takeovers and business logic abuse with out-of-the-box detection rules, and to ultimately block attackers. + +The custom user activity for which out-of-the-box detection rules are available are as follow: + +| Built-in event names | Required metadata | Related rules | +|------------------------|------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `activity.sensitive` | `{ "name": "coupon_use", "required_role": "user" }` | [Rate limited activity from IP][4]
[Unauthorized activity detected][5] | +| `users.login.success` | User ID is mandatory, optional metadata can be added | [Credential Stuffing attack][6]
[Bruteforce attack][12]
[Distributed Credential Stuffing][13] | +| `users.login.failure` | User ID and `usr.exists` are mandatory, optional metadata can be added | [Credential Stuffing attack][6]
[Bruteforce attack][12]
[Distributed Credential Stuffing][13] | +| `users.signup` | `{ "usr.id": "12345" }` | [Excessive account creations from an IP][7] | +| `users.delete` | `{ "usr.id": "12345" }` | [Excessive account deletion from an IP][8] | +| `users.password_reset` | `{ "usr.id": "12345", "usr.login": "user@email.com", "exists": true }` | [Password reset brute force attempts][9] | +| `payment.failure` | None | [Excessive payment failures from IP][10] | + +## Adding authenticated user information to traces and enabling user blocking capability + +
+Automated Detection of User Activity: Datadog Tracing Libraries attempt to detect and report user activity events automatically. For more information, see Disabling automatic user activity event tracking. +
+ +You can [add custom tags to your root span][3], or use the instrumentation functions described below. + +{{< programming-lang-wrapper langs="java,dotnet,go,ruby,php,nodejs,python" >}} + +{{< programming-lang lang="java" >}} + +Use the Java tracer's API for adding custom tags to a root span and add user information so that you can monitor authenticated requests in the application. + +User monitoring tags are applied on the root span and start with the prefix `usr` followed by the name of the field. For example, `usr.name` is a user monitoring tag that tracks the user's name. + +**Note**: Check that you have added [necessary dependencies to your application][1]. + +The example below shows how to obtain the root span, add the relevant user monitoring tags, and enable user blocking capability: + +```java +import io.opentracing.Span; +import io.opentracing.util.GlobalTracer; +import datadog.appsec.api.blocking.Blocking; +import datadog.trace.api.interceptor.MutableSpan; + +// Get the active span +final Span span = GlobalTracer.get().activeSpan(); +if ((span instanceof MutableSpan)) { + MutableSpan localRootSpan = ((MutableSpan) span).getLocalRootSpan(); + // Setting the mandatory user id tag + localRootSpan.setTag("usr.id", "d131dd02c56eec4"); + // Setting optional user monitoring tags + localRootSpan.setTag("usr.name", "Jean Example"); + localRootSpan.setTag("usr.email", "jean.example@example.com"); + localRootSpan.setTag("usr.session_id", "987654321"); + localRootSpan.setTag("usr.role", "admin"); + localRootSpan.setTag("usr.scope", "read:message, write:files"); +} + +Blocking + .forUser("d131dd02c56eec4") + .blockIfMatch(); +``` + +[1]: /tracing/trace_collection/custom_instrumentation/opentracing/java#setup +{{< /programming-lang >}} + +{{< programming-lang lang="dotnet" >}} + +The .NET tracer package provides the `SetUser()` function, which allows you to monitor authenticated requests by adding user information to the trace. + +The example below shows how to add the relevant user monitoring tags and enable user blocking capability: + +```csharp + +using Datadog.Trace; + +// ... + + var userDetails = new UserDetails() + { + // the systems internal identifier for the users + Id = "d41452f2-483d-4082-8728-171a3570e930", + // the email address of the user + Email = "test@adventure-works.com", + // the user's name, as displayed by the system + Name = "Jane Doh", + // the user's session id + SessionId = "d0632156-132b-4baa-95b2-a492c5f9cb16", + // the role the user is making the request under + Role = "standard", + }; + Tracer.Instance.ActiveScope?.Span.SetUser(userDetails); +``` + +For information and options, read [the .NET tracer documentation][1]. + +[1]: https://github.com/DataDog/dd-trace-dotnet/tree/master/docs/Datadog.Trace#user-identification + +{{< /programming-lang >}} + +{{< programming-lang lang="go" >}} + +The Go tracer package provides the `SetUser()` function, which allows you to monitor authenticated requests by adding user information to the trace. For more options, see [the Go tracer documentation][1] (or [v2 documentation][2]). + +This example shows how to retrieve the current tracer span, use it to set user monitoring tags, and enable user blocking capability: + +```go +import ( + "gopkg.in/DataDog/dd-trace-go.v1/appsec" // 1.x + // "github.com/DataDog/dd-trace-go/v2/appsec // 2.x +) + +func handler(w http.ResponseWriter, r *http.Request) { + if appsec.SetUser(r.Context(), "my-uid") != nil { + // The user must be blocked by aborting the request handler asap. + // The blocking response is automatically handled and sent by the appsec middleware. + return + } +} +``` + +[1]: https://pkg.go.dev/gopkg.in/DataDog/dd-trace-go.v1/ddtrace/tracer#SetUser +[2]: https://pkg.go.dev/github.com/DataDog/dd-trace-go/v2/ddtrace/tracer#SetUser +{{< /programming-lang >}} + +{{< programming-lang lang="ruby" >}} + +Use one of the following APIs to add user information to a trace so that you can monitor authenticated requests in the application: + +{{< tabs >}} + +{{% tab "set_user" %}} + +Starting with `ddtrace` 1.1.0, the `Datadog::Kit::Identity.set_user` method is available. This is the recommended API for adding user information to traces: + +```ruby +# Get the active trace +trace = Datadog::Tracing.active_trace + +# Set mandatory user id tag +Datadog::Kit::Identity.set_user(trace, id: 'd131dd02c56eeec4') + +# Or set any of these optional user monitoring tags +Datadog::Kit::Identity.set_user( + trace, + + # mandatory id + id: 'd131dd02c56eeec4', + + # optional tags with known semantics + name: 'Jean Example', + email:, 'jean.example@example.com', + session_id:, '987654321', + role: 'admin', + scope: 'read:message, write:files', + + # optional free-form tags + another_tag: 'another_value', +) +``` + +{{% /tab %}} + +{{% tab "set_tag" %}} + +If `Datadog::Kit::Identity.set_user` does not meet your needs, you can use `set_tag` instead. + +User monitoring tags are applied on the trace and start with the prefix `usr.` followed by the name of the field. For example, `usr.name` is a user monitoring tag that tracks the user's name. + +The example below shows how to obtain the active trace and add relevant user monitoring tags: + +**Notes**: +- Tag values must be strings. +- The `usr.id` tag is mandatory. + +```ruby +# Get the active trace +trace = Datadog::Tracing.active_trace + +# Set mandatory user id tag +trace.set_tag('usr.id', 'd131dd02c56eeec4') + +# Set optional user monitoring tags with known sematics +trace.set_tag('usr.name', 'Jean Example') +trace.set_tag('usr.email', 'jean.example@example.com') +trace.set_tag('usr.session_id', '987654321') +trace.set_tag('usr.role', 'admin') +trace.set_tag('usr.scope', 'read:message, write:files') + +# Set free-form tags: +trace.set_tag('usr.another_tag', 'another_value') +``` + +{{% /tab %}} + +{{< /tabs >}} + +{{< /programming-lang >}} + +{{< programming-lang lang="php" >}} + +The PHP tracer provides the `\DDTrace\set_user()` function, which allows you to monitor and block authenticated requests. + +`\DDTrace\set_user()` adds the relevant user tags and metadata to the trace and automatically performs user blocking. + +The following example shows how to set user monitoring tags and enable user blocking: + +```php + 'Jean Example', + 'email' => 'jean.example@example.com', + 'session_id' => '987654321', + 'role' => 'admin', + 'scope' => 'read:message, write:files', + ] +); +?> +``` + +{{< /programming-lang >}} + +{{< programming-lang lang="nodejs" >}} + +The Node tracer package provides the `tracer.setUser(user)` function, which allows you to monitor authenticated requests by adding user information to the trace. + +The example below shows how to add relevant user monitoring tags and enable user blocking capability: + +```javascript +const tracer = require('dd-trace').init() + +function handle () { + tracer.setUser({ + id: '123456789', // *REQUIRED* Unique identifier of the user. + + // All other fields are optional. + email: 'jane.doe@example.com', // Email of the user. + name: 'Jane Doe', // User-friendly name of the user. + session_id: '987654321', // Session ID of the user. + role: 'admin', // Role the user is making the request under. + scope: 'read:message, write:files', // Scopes or granted authorizations the user currently possesses. + + // Arbitrary fields are also accepted to attach custom data to the user (RBAC, Oauth, etc…) + custom_tag: 'custom data' + }) + +// Set the currently authenticated user and check whether they are blocked +if (tracer.appsec.isUserBlocked(user)) { // also set the currently authenticated user + return tracer.appsec.blockRequest(req, res) // blocking response is sent + } + +} +``` + +For information and options, read [the Node.js tracer documentation][1]. + + + +[1]: https://datadoghq.dev/dd-trace-js/#set-user +{{< /programming-lang >}} + +{{< programming-lang lang="python" >}} + +Monitor authenticated requests by adding user information to the trace with the `set_user` function provided by the Python tracer package. + +This example shows how to set user monitoring tags and enable user blocking capability: + +```python +from ddtrace.contrib.trace_utils import set_user +from ddtrace import tracer +# Call set_user() to trace the currently authenticated user id +user_id = "some_user_id" +set_user(tracer, user_id, name="John", email="test@test.com", scope="some_scope", + role="manager", session_id="session_id", propagate=True) +``` + +{{< /programming-lang >}} + +{{< /programming-lang-wrapper >}} + +## Adding business logic information (login success, login failure, any business logic) to traces + +
+A note on usr.id and usr.login: Investigation login abuse rely on two similar, but different concepts. usr.id contains the unique identifier of the user account in database. It's unique and immutable. It's unavailable when someone tries to log into a non-existant account. User blocking targets usr.id.
+The user generally isn't aware of their user ID. Instead, they rely on mutable identifiers (phone number, username, email address...). The string used by the user to log into an account should be reported as usr.login in login events.
+If no usr.login is provided, usr.id will be used instead. +
+ +{{< programming-lang-wrapper langs="java,dotnet,go,ruby,php,nodejs,python" >}} +{{< programming-lang lang="java" >}} + +Starting in dd-trace-java v1.8.0, you can use the Java tracer's API to track user events. + +The following examples show how to track login events or custom events (using signup as an example). + +{{< tabs >}} +{{% tab "Login success" %}} +```java +import datadog.trace.api.EventTracker; +import datadog.trace.api.GlobalTracer; + +public class LoginController { + + private User doLogin(String userName, String password) { + // this is where you get User based on userName/password credentials + User user = checkLogin(userName, password); + + Map metadata = new HashMap<>(); + metadata.put("email", user.getEmail()); + metadata.put("usr.login", userName); + + // If your system has multiple "tenants", please provide it. A tenant is an environment/group of user + metadata.put("usr.org", usr.getTenant()); + + // track user authentication success events + GlobalTracer + .getEventTracker() + .trackLoginSuccessEvent(user.getId(), metadata); + + } +} + +``` +{{% /tab %}} + +{{% tab "Login failure" %}} +```java +import datadog.trace.api.EventTracker; +import datadog.trace.api.GlobalTracer; + +public class LoginController { + + private User doLogin(String userName, String password) { + // this is where you get User based on userName/password credentials + User user = checkLogin(userName, password); + + // if function returns null - user doesn't exist + boolean userExists = (user != null); + String userId = null; + Map metadata = new HashMap<>(); + metadata.put("usr.login", userName); + if (userExists != null) { + userId = getUserId(userName) + metadata.put("email", user.getEmail()); + } else { + userId = userName; + } + + // track user authentication error events + GlobalTracer + .getEventTracker() + .trackLoginFailureEvent(userId, userExists, metadata); + } +} +``` +{{% /tab %}} + +{{% tab "Custom business logic" %}} +```java +import datadog.trace.api.EventTracker; +import datadog.trace.api.GlobalTracer; + +public class LoginController { + + private User doSignup(String userId, String email) { + // this is where you create your user account + User user = createUser(userId, email); + + Map metadata = new HashMap<>(); + metadata.put("usr.id", user.getId()); + + // track user signup events + GlobalTracer + .getEventTracker() + .trackCustomEvent("users.signup", metadata); + } +} + +``` +{{% /tab %}} + +{{< /tabs >}} + +{{< /programming-lang >}} + +{{< programming-lang lang="dotnet" >}} + +Starting in dd-trace-dotnet v2.23.0, you can use the .NET tracer's API to track user events. + +The following examples show how to track login events or custom events (using signup as an example). + +{{< tabs >}} +{{% tab "Login success" %}} +```csharp +using Datadog.Trace.AppSec; + +void OnLogonSuccess(string userId, string login...) +{ + // metadata is optional + var metadata = new Dictionary() + { + { "usr.login", login } + }; + EventTrackingSdk.TrackUserLoginSuccessEvent(userId, metadata); + + // ... +} + +``` +{{% /tab %}} +{{% tab "Login failure" %}} +```csharp +using Datadog.Trace.AppSec; + +void OnLogonFailure(string userId, string login, bool userExists, ...) +{ + // If no userId can be provided, any unique user identifier (username, email...) may be used + // metadata is optional + var metadata = new Dictionary() + { + { "usr.login", login } + }; + EventTrackingSdk.TrackUserLoginFailureEvent(userId, userExists, metadata); + + // ... +} +``` + +{{% /tab %}} + +{{% tab "Custom business logic" %}} +```csharp +void OnUserSignupComplete(string userId, ...) +{ + // the metadata parameter is optional, but adding the "usr.id" + var metadata = new Dictionary() + { + { "usr.id", userId } + }; + // Leveraging custom business logic tracking to track user signups + EventTrackingSdk.TrackCustomEvent("users.signup", metadata); + + // ... +} +``` +{{% /tab %}} + +{{< /tabs >}} + + +{{< /programming-lang >}} +{{< programming-lang lang="go" >}} + +Starting in dd-trace-go v1.47.0, you can use the Go tracer's API to track user events. + +The following examples show how to track login events or custom events (using signup as an example). + +{{< tabs >}} +{{% tab "Login success" %}} +```go +import ( + "gopkg.in/DataDog/dd-trace-go.v1/appsec" // 1.x + // "github.com/DataDog/dd-trace-go/v2/appsec" // 2.x +) + +func handler(w http.ResponseWriter, r *http.Request) { + metadata := make(map[string]string) /* optional extra event metadata */ + userdata := /* optional extra user data */ + + metadata["usr.login"] = "user-email" + + // Track login success, replace `my-uid` by a unique identifier of the user (such as numeric, username, and email) + if appsec.TrackUserLoginSuccessEvent(r.Context(), "my-uid", metadata, userdata) != nil { + // The given user id is blocked and the handler should be aborted asap. + // The blocking response will be sent by the appsec middleware. + return + } +} +``` +{{% /tab %}} +{{% tab "Login failure" %}} +```go +import ( + "gopkg.in/DataDog/dd-trace-go.v1/appsec" // 1.x + // "github.com/DataDog/dd-trace-go/v2/appsec" // 2.x +) + +func handler(w http.ResponseWriter, r *http.Request) { + exists := /* whether the given user id exists or not */ + metadata := make(map[string]string) /* optional extra event metadata */ + metadata["usr.login"] = "user-email" + + // Replace `my-uid` by a unique identifier of the user (numeric, username, email...) + appsec.TrackUserLoginFailureEvent(r.Context(), "my-uid", exists, metadata) +} +``` +{{% /tab %}} + +{{% tab "Custom business logic" %}} +```go +import ( + "gopkg.in/DataDog/dd-trace-go.v1/appsec" // 1.x + // "github.com/DataDog/dd-trace-go/v2/appsec" // 2.x +) + +func handler(w http.ResponseWriter, r *http.Request) { + metadata := map[string]string{"usr.id": "my-uid"} + + // Leveraging custom business logic tracking to track user signups + appsec.TrackCustomEvent(r.Context(), "users.signup", metadata) +} +``` +{{% /tab %}} + +{{< /tabs >}} + +{{< /programming-lang >}} +{{< programming-lang lang="ruby" >}} + +Starting in dd-trace-rb v1.9.0, you can use the Ruby tracer's API to track user events. + +The following examples show how to track login events or custom events (using signup as an example). + +Traces containing login success/failure events can be queried using the following query `@appsec.security_activity:business_logic.users.login.success` or `@appsec.security_activity:business_logic.users.login.failure`. + +{{< tabs >}} +{{% tab "Login success" %}} +```ruby +require 'datadog/kit/appsec/events' + +trace = Datadog::Tracing.active_trace +# Replace `my_user_id` by a unique identifier of the user (numeric, username, email...) +Datadog::Kit::AppSec::Events.track_login_success(trace, user: { id: 'my_user_id' }, { 'usr.login': 'my_user_email' }) +``` +{{% /tab %}} + +{{% tab "Login failure" %}} +```ruby +require 'datadog/kit/appsec/events' +trace = Datadog::Tracing.active_trace + +# Replace `my_user_id` by a unique identifier of the user (numeric, username, email...) + +# if the user exists +Datadog::Kit::AppSec::Events.track_login_failure(trace, user_id: 'my_user_id', user_exists: true, { 'usr.login': 'my_user_email' }) + +# if the user doesn't exist +Datadog::Kit::AppSec::Events.track_login_failure(trace, user_id: 'my_user_id', user_exists: false, { 'usr.login': 'my_user_email' }) +``` +{{% /tab %}} + +{{% tab "Custom business logic" %}} +```ruby +require 'datadog/kit/appsec/events' +trace = Datadog::Tracing.active_trace + +# Replace `my_user_id` by a unique identifier of the user (numeric, username, email...) + +# Leveraging custom business logic tracking to track user signups +Datadog::Kit::AppSec::Events.track('users.signup', trace, nil, { 'usr.id': 'my_user_id'}) +``` +{{% /tab %}} +{{< /tabs >}} + +{{< /programming-lang >}} + +{{< programming-lang lang="php" >}} +Starting in dd-trace-php v0.84.0, you can use the PHP tracer's API to track user events. + +The following examples show how to track login events or custom events (using signup as an example). + +{{< tabs >}} +{{% tab "Login success" %}} +```php + $email]) +?> +``` +{{% /tab %}} + +{{% tab "Login failure" %}} +```php + $email]) +?> +``` +{{% /tab %}} + +{{% tab "Custom business logic" %}} +```php + $id]); +?> +``` +{{% /tab %}} + +{{< /tabs >}} + + +{{< /programming-lang >}} +{{< programming-lang lang="nodejs" >}} +Starting in dd-trace-js v3.13.1, you can use the Node.js tracer's API to track user events. + +The following examples show how to track login events or custom events (using signup as an example). + +{{< tabs >}} +{{% tab "Login success" %}} +```javascript +const tracer = require('dd-trace') + +// in a controller: +const user = { + id: 'user-id', // id is mandatory, if no numeric ID is available, any unique identifier will do (username, email...) + email: 'user@email.com' // other fields are optional +} +const metadata = { 'usr.login': 'user@email.com' } // usr.login is required, but you can also add arbitrary fields + +// Log a successful user authentication event +tracer.appsec.trackUserLoginSuccessEvent(user, metadata) // metadata is optional +``` +{{% /tab %}} + +{{% tab "Login failure" %}} +```javascript +const tracer = require('dd-trace') + +// in a controller: +const userId = 'user-id' // if no numeric ID is available, any unique identifier will do (username, email...) +const userExists = true // if the user login exists in database for example +const metadata = { 'usr.login': 'user@email.com' } // usr.login is required, but you can also add arbitrary fields + +// metadata is optional +tracer.appsec.trackUserLoginFailureEvent(userId, userExists, metadata) +``` +{{% /tab %}} + +{{% tab "Custom business logic" %}} +```javascript +const tracer = require('dd-trace') + +// in a controller: +const eventName = 'users.signup' +const metadata = { 'usr.id': 'user-id' } + +tracer.appsec.trackCustomEvent(eventName, metadata) +``` +{{% /tab %}} + +{{< /tabs >}} + + +{{< /programming-lang >}} + +{{< programming-lang lang="python" >}} + +Starting in dd-trace-py v1.9.0, you can use the Python tracer's API to track user events. + +The following examples show how to track login events or custom events (using signup as an example). + +{{< tabs >}} + +{{% tab "Login success" %}} + +```python +from ddtrace.appsec.trace_utils import track_user_login_success_event +from ddtrace import tracer +metadata = {"usr.login": "user@email.com"} +# name, email, scope, role, session_id and propagate are optional arguments which +# default to None except propagate that defaults to True. They'll be +# passed to the set_user() function +track_user_login_success_event(tracer, "userid", metadata) +``` +{{% /tab %}} +{{% tab "Login failure" %}} +```python +from ddtrace.appsec.trace_utils import track_user_login_failure_event +from ddtrace import tracer +metadata = {"usr.login": "user@email.com"} +# exists indicates if the failed login user exists in the system +exists = False +# if no numeric userId is available, any unique identifier will do (username, email...) +track_user_login_failure_event(tracer, "userid", exists, metadata) +``` +{{% /tab %}} + +{{% tab "Custom business logic" %}} + +```python +from ddtrace.appsec.trace_utils import track_custom_event +from ddtrace import tracer +metadata = {"usr.id": "userid"} +event_name = "users.signup" +track_custom_event(tracer, event_name, metadata) +``` +{{% /tab %}} + +{{< /tabs >}} + +{{< /programming-lang >}} + +{{< /programming-lang-wrapper >}} + +### Tracking business logic information without modifying the code + +If your service has AAP enabled and [Remote Configuration][1] enabled, you can create a custom WAF rule to flag any request it matches with a custom business logic tag. This doesn't require any modification to your application, and can be done entirely from Datadog. + +To get started, navigate to the [Custom WAF Rule page][2] and click on "Create New Rule". + +{{< img src="security/application_security/threats/custom-waf-rule-menu.png" alt="Access the Custom WAF Rule Menu from the AAP homepage by clicking on Protection, then In-App WAF and Custom Rules" style="width:100%;" >}} + +This will open a menu in which you may define your custom WAF rule. By selecting the "Business Logic" category, you will be able to configure an event type (for instance, `users.password_reset`). You can then select the service you want to track, and a specific endpoint. You may also use the rule condition to target a specific parameter to identify the codeflow you want to _instrument_. When the condition matches, the library tags the trace and flags it to be forwarded to AAP. If you don't need the condition, you may set a broad condition to match everything. + +{{< img src="security/application_security/threats/custom-waf-rule-form.png" alt="Screenshot of the form that appear when you click on the Create New Rule button" style="width:50%;" >}} + +Once saved, the rule is deployed to instances of the service that have Remote Configuration enabled. + + +[1]: /agent/remote_config?tab=configurationyamlfile#application-security-management-asm +[2]: https://app.datadoghq.com/security/appsec/in-app-waf?config_by=custom-rules + +## Automatic user activity event tracking + +When AAP is enabled, Datadog Tracing Libraries attempt to detect user activity events automatically. + +The events that can be automatically detected are: + +- `users.login.success` +- `users.login.failure` +- `users.signup` + +### Automatic user activity event tracking modes + +Automatic user activity tracking offers the following modes: + +- `identification` mode (short name: `ident`): + - This mode is the default and always collects the user ID or best effort. + - The user ID is collected on login success and login failure. With failure, the user ID is collected regardless of whether the user exists or not. + - When the instrumented framework doesn’t clearly provide a user ID, but rather a structured user object, the user ID is determined on a best effort basis based on the object field names. This list of field names are considered, ordered by priority: + - `id` + - `email` + - `username` + - `login` + - `user` + - If no user ID is available or found, the user event is not emitted. +- `anonymization` mode (short name: `anon`): + - This mode is the same as `identification`, but anonymizes the user ID by hashing (SHA256) it and cropping the resulting hash. +- `disabled` mode: + - AAP libraries do *not* collect any user ID from their automated instrumentations. + - User login events are not emitted. + +
All modes only affect automated instrumentation. The modes don't apply to manual collection. Manual collection is configured using an SDK, and those settings are not overridden by automated instrumentation.
+ +### Manual configuration + +Datadog libraries allow you to configure auto-instrumentation by using the `DD_APPSEC_AUTO_USER_INSTRUMENTATION_MODE` environment variable with the short name for the mode: `ident`|`anon`|`disabled`. + +The default mode is `identification` mode (short name: `ident`). + +For example, `DD_APPSEC_AUTO_USER_INSTRUMENTATION_MODE=anon`. + +### Deprecated modes + +
Previous modes are deprecated, but compatibility will be maintained until the next major release.
+ +The following modes are deprecated: + +- `safe` mode: The trace library does not include any PII information on the events metadata. The tracer library tries to collect the user ID, and only if the user ID is a valid [GUID][10] +- `extended` mode: The trace library tries to collect the user ID, and the user email. In this mode, Datadog does not check the type for the user ID to be a GUID. The trace library reports whatever value can be extracted from the event. + +**Note**: There could be cases in which the trace library won't be able to extract any information from the user event. The event would be reported with empty metadata. In those cases, use the [SDK](#adding-business-logic-information-login-success-login-failure-any-business-logic-to-traces) to manually instrument the user events. + +## Disabling user activity event tracking + +To disable automated user activity detection through your [AAP Software Catalog][14], change the automatic tracking mode environment variable `DD_APPSEC_AUTO_USER_INSTRUMENTATION_MODE` to `disabled` on the service you want to deactivate. All modes only affect automated instrumentation and require [Remote Configuration][15] to be enabled. + +For manual configuration, you can set the environment variable `DD_APPSEC_AUTOMATED_USER_EVENTS_TRACKING_ENABLED` to `false` on your service and restart it. This must be set on the application hosting the Datadog Tracing Library, and not on the Datadog Agent. + +## Further Reading + +{{< partial name="whats-next/whats-next.html" >}} + +[3]: /tracing/trace_collection/custom_instrumentation/ +[4]: /security/default_rules/bl-rate-limiting/ +[5]: /security/default_rules/bl-privilege-violation-user/ +[6]: /security/default_rules/appsec-ato-groupby-ip/ +[7]: /security/default_rules/bl-signup-ratelimit/ +[8]: /security/default_rules/bl-account-deletion-ratelimit/ +[9]: /security/default_rules/bl-password-reset/ +[10]: /security/default_rules/bl-payment-failures/ +[11]: https://guid.one/guid +[12]: /security/default_rules/appsec-ato-bf/ +[13]: /security/default_rules/distributed-ato-ua-asn/ +[14]: https://app.datadoghq.com/security/appsec/inventory/services?tab=capabilities +[15]: /agent/remote_config/ diff --git a/content/en/security/application_security/how-it-works/protection.md b/content/en/security/application_security/how-it-works/protection.md new file mode 100644 index 0000000000000..8f1034df86529 --- /dev/null +++ b/content/en/security/application_security/how-it-works/protection.md @@ -0,0 +1,126 @@ +--- +title: Protection +is_beta: true +further_reading: +- link: "/security/application_security/" + tag: "Documentation" + text: "App and API Protection with Datadog" +--- + +## Overview + +If your service is running [an Agent with Remote Configuration enabled and a tracing library version that supports it][2], you can block attacks and attackers from the Datadog UI without additional configuration of the Agent or tracing libraries. + +App and API Protection (AAP) Protect enables you to slow down attacks and attackers by _blocking_ them. Security traces are blocked in real-time by the Datadog tracing libraries. Blocks are saved in the Datadog platform, automatically and securely fetched by the Datadog Agent, deployed in your infrastructure, and applied to your services. + +## Prerequisites + +To use protection capabilities with your service: + +- [Update your Datadog Agent][3] to at least version 7.41.1. +- [Enable AAP][1]. +- [Enable Remote Configuration][2]. +- Update your tracing library to at least the minimum version needed to turn on protection. For details, see the AAP capabilities support section of [Compatibility][12] for your service's language. +- If you plan to use authenticated user blocking, [add user information to traces][4]. + +## Blocking attackers (IPs and authenticated users) + +You can block attackers that are flagged in AAP [Security Signals][5] temporarily or permanently. In the Signals Explorer, click into a signal to see what users and IP addresses are generating the signal, and optionally block them. + +From there, all AAP-protected services block incoming requests performed by the blocked IP or user, for the specified duration. All blocked traces are tagged with `security_response.block_ip` or `security_response.block_user` and displayed in the [Trace Explorer][6]. Services where AAP is disabled aren't protected. See [Investigate Security Signals][20] for more information. + +## Respond to threats in real time by automating attacker blocking + +In addition to manually blocking attackers, you can configure automation rules to have AAP automatically block attackers that are flagged in Security Signals. + +To get started, navigate to **Security > Application Security > Protection > [Detection Rules][14]**. You can create a new rule or edit an existing rule with type _Application security_. For example, you can create a rule to trigger `Critical` severity signals when Credential Stuffing attacks are detected, and automatically block the associated attackers' IP addresses for 30 minutes. + +**Note**: You must instrument your services to be able to block authenticated attackers. See [User Monitoring and Protection][15] for more details. + +## Block attackers at the perimeter - integrate AAP with your existing WAF deployments + +Datadog AAP enables customers to block attackers at the perimeter, directly from the Security Signal. AAP integrates with [Workflows][17] to push the attackers' IP addresses to perimeter Web Application Firewalls (AWS WAF, Cloudflare, Fastly) and ensure requests from these attackers are blocked at the edge even before they enter the customer's environment. +Create workflows from the available [blueprints][18] and run them directly from AAP's Signal side panel. + +## Denylist + +Attackers' IP addresses and authenticated users that are permanently or temporarily blocked are added to the _Denylist_. Manage the list on the [Denylist page][7]. A denylist supports blocking individual IPs as well as a range of IPs (CIDR blocks). + +## Passlist + +You can use the _Passlist_ to permanently allow specific IP addresses access to your application. For example, you may wish to add internal IP addresses to your passlist, or IP addresses that regularly run security audits on your application. You can also add specific paths to ensure uninterrupted access. Manage the list from the [Passlist page][8]. + +## Blocking attack attempts with In-App WAF + +AAP In-App WAF (web application firewall) combines the detection techniques of perimeter-based WAFs with the rich context provided by Datadog, helping your teams protect their systems with confidence. + +Because AAP is aware of an application's routes, protection can be applied granularly to specific services, and not necessarily across all applications and traffic. This contextual efficiency reduces your inspection effort, and it reduces the false positive rate compared to a perimeter WAF. There is no learning period, because most web frameworks provide a structured map of routes. AAP can help your team roll out protections against zero-day vulnerabilities automatically soon after the vulnerability is disclosed, while targeting vulnerable applications, limiting the risk of false positives. + +### How In-App WAF blocks security traces + +In addition to the `monitoring` and `disabled` modes offered for each of the 130+ In-App WAF rules, rules also have `blocking` mode. Each rule specifies conditions on the incoming request to define what the library considers suspicious. When a given rule pattern matches an ongoing HTTP request, the request is blocked by the library. + +Managed policies define the mode in which each of the In-App WAF rules behave on match: `monitoring`, `blocking`, or `disabled`. Because it has the full context of your applications, AAP knows which rules to apply to protect your applications while limiting the number of false positives. + +For fine-grained control, you can clone a Datadog managed policy or create a custom policy and set the mode to meet your needs. If you set the policy to `auto-updating`, your applications are protected by the latest detections rolled out by Datadog. You also have the option to pin a policy to a specific version of the ruleset. + +As In-App WAF rules are toggled between modes, the changes are reflected in near real-time for services with [Remote Configuration enabled][2]. For other services, you can update the policy on the [In-App WAF page][9] and then [define In-App WAF rules][10] for the change in behavior to be applied. + +Manage In-App WAF by navigating to Security --> Application Security --> Configuration --> [In-App WAF][9]. + +View blocked security traces in the [Trace Explorer][11] by filtering on the facet `Blocked:true`. + +{{< img src="security/application_security/app_sec_blocked.png" alt="AAP Trace Explorer filtered using facet Blocked set to true." style="width:100%;" >}} + +### Configure In-App WAF + +1. [**Enable Remote Configuration**][2] so that your AAP-enabled services show up under In-App WAF. This is required to securely push In-App WAF configuration from your Datadog backend to the tracing library in your infrastructure. + +2. **Associate your AAP/Remote Configuration-enabled services with a policy**. After Remote Configuration is enabled on a service, navigate to **Security > Application Security > Protection > [In-App WAF][9]**. The service appears under the _Datadog Monitoring-only_ policy by default. Datadog Monitoring-only is a managed policy and is read-only, meaning you cannot modify the status (monitoring, blocking, or disabled) for individual rules. + + If you need granular control, clone one of the available policies to create a custom policy where rule statuses can be modified. Associate one or more of your services with this custom policy. + + To change the policy applied by default to your services, you can update your default policy. From the In-App-WAF, click the policy you would like to set as default, then click **Actions** > **Set this policy as default**. + +## Customize protection behavior + +### Customize response to blocked requests + +{{% asm-protection-page-configuration %}} + +{{< img src="/security/application_security/asm-blocking-page-html.png" alt="The page displayed as AAP blocks requests originating from blocked IPs" width="75%" >}} + +The default HTTP response status code while serving the deny page to attackers is `403 FORBIDDEN`. To customize the response, navigate to **Security > Application Security > Protection > In-App Waf > [Custom Responses][16]**. + +You can optionally mask the fact that the attacker has been detected and blocked by overriding the response code to be `200 OK` or `404 NOT FOUND` when the deny page is served. + +You can also optionally redirect attackers to a custom deny page and away from your critical services and infrastructure. Specify a redirect URL and the type of redirect, for example permanent (`301` response code) or temporary (`302` response code). + +### Disable protection across all services (Disabling protection mode) + +Protection mode is **on** by default and is a toggle available to quickly disable blocking across **all** your services. Requests can be blocked from two sections in Datadog: all attacker requests from Security Signals, and security traces from In-App WAF. + +As important as it is for you to be able to apply protection granularly and reduce the likelihood of legitimate users getting blocked, you sometimes need a simple off switch to quickly stop **all** blocking across **all** services. To turn off protection, navigate to **Security > Application Security > Protection > [In-App WAF][9]** and toggle **Allow Request Blocking** to off. + +## Further reading + +{{< partial name="whats-next/whats-next.html" >}} + +[1]: /security/application_security/threats/setup/ +[2]: /agent/remote_config/#enabling-remote-configuration +[3]: /agent/versions/upgrade_between_agent_minor_versions +[4]: /security/application_security/threats/add-user-info/#adding-authenticated-user-information-to-traces-and-enabling-user-blocking-capability +[5]: https://app.datadoghq.com/security?query=%40workflow.rule.type%3A%22Application%20Security%22&column=time&order=desc&product=appsec&view=signal +[6]: https://app.datadoghq.com/security/appsec/traces?query=%40appsec.blocked%3Atrue +[7]: https://app.datadoghq.com/security/appsec/denylist +[8]: https://app.datadoghq.com/security/appsec/passlist +[9]: https://app.datadoghq.com/security/appsec/in-app-waf +[10]: /security/application_security/threats/inapp_waf_rules/ +[11]: https://app.datadoghq.com/security/appsec/traces +[12]: /security/application_security/threats/setup/compatibility/ +[14]: https://app.datadoghq.com/security/appsec/detection-rules +[15]: /security/application_security/threats/add-user-info/?tab=set_user#adding-authenticated-user-information-to-traces-and-enabling-user-blocking-capability +[16]: https://app.datadoghq.com/security/appsec/in-app-waf?config_by=custom-responses +[17]: https://docs.datadoghq.com/service_management/workflows/ +[18]: https://app.datadoghq.com/workflow/blueprints?selected_category=SECURITY +[20]: /security/application_security/threats/security_signals/ diff --git a/content/en/security/application_security/how-it-works/threat-intelligence.md b/content/en/security/application_security/how-it-works/threat-intelligence.md new file mode 100644 index 0000000000000..012bf45315850 --- /dev/null +++ b/content/en/security/application_security/how-it-works/threat-intelligence.md @@ -0,0 +1,176 @@ +--- +title: Threat Intelligence +further_reading: +- link: "https://docs.datadoghq.com/security/threat_intelligence/" + tag: "Documentation" + text: "Threat Intelligence at Datadog" +- link: "/security/application_security/" + tag: "Documentation" + text: "Protect against threats with Datadog App and API Protection" +--- + +## Overview + +This topic describes [threat intelligence][1] for App and API Protection (AAP). + +Datadog provides built-in threat intelligence [datasets][1] for AAP. This provides additional evidence when acting on security activity and reduces detection thresholds for some business logic detections. + +Additionally, AAP supports *bring your own threat intelligence*. This functionality enriches detections with business-specific threat intelligence. + +## Best practices + +Datadog recommends the following methods for consuming threat intelligence: + +1. Reducing detection rule thresholds for business logic threats such as credential stuffing. Users can clone the default [Credential Stuffing][6] rule and modify it to meet their needs. +2. Using threat intelligence as a indicator of reputation with security activity. + +Datadog recommends _against_ the following: +1. Blocking threat intelligence traces without corresponding security activity. IP addresses might have many hosts behind them. Detection of a residential proxy means that the associated activity has been observed by a host behind that IP. It does not guarantee that the host running the malware or proxy is the same host communicating with your services. +2. Blocking on all threat intelligence categories, as this is inclusive of benign traffic from corporate VPNs and blocks unmalicious traffic. + +## Filtering on threat intelligence in AAP + +Users can filter threat intelligence on the Signals and Traces explorers using facets and the search bar. + +To search for all traces flagged by a specific source, use the following query with the source name: + + @threat_intel.results.source.name: + +To query for all traces containing threat intelligence from any source, use the following query: + + @appsec.threat_intel:true + +## Bring your own threat intelligence + +AAP supports enriching and searching traces with threat intelligence indicators of compromise stored in Datadog reference tables. [Reference Tables][2] allow you to combine metadata with information already in Datadog. + +### Storing indicators of compromise in reference tables + +Threat intelligence is supported in the CSV format and requires the following columns: + +**CSV Structure** + +| field | data | description| required | example| +|------------------|-------|----|-----|--| +| ip_address | text | The primary key for the reference table in the IPv4 dot notation format. | true | 192.0.2.1 | +| additional_data | json | Additional data to enrich the trace. | false | `{"ref":"hxxp://example.org"}` +| category | text | The threat intel [category][7]. This is used by some out of the box detection rules. | true | `residential_proxy` | +| intention | text | The threat intel [intent][8]. This is used by some out of the box detection rules.| true | malicious | | +| source | text | The name of the source and the link to its site, such as your team and your teams wiki. | true| `{"name":"internal_security_team", "url":"https://teamwiki.example.org"}` | | + + + +The full list of supported categories and intents is available at [Threat Intelligence Facets][3]. + +
JSON in a CSV requires double quoting. The following is an example CSV.
+ +``` +ip_address,additional_data,category,intention,source +192.0.2.1,"{""ref"":""hxxp://example.org""}",scanner,suspicious,"{""name"":""internal_security_team"", ""url"":""https://teamwiki.example.org""}" +192.0.2.2,"{""ref"":""hxxp://example.org""}",scanner,suspicious,"{""name"":""internal_security_team"", ""url"":""https://teamwiki.example.org""}" +192.0.2.3,"{""ref"":""hxxp://example.org""}",scanner,suspicious,"{""name"":""internal_security_team"", ""url"":""https://teamwiki.example.org""}" +``` + +### Uploading and enabling your own threat intel + +Datadog supports creating reference tables through a manual upload, or by periodically retrieving the data from [Amazon S3, Azure storage, or Google Cloud storage][10]. + +Notes: +- It can take 10 to 30 minutes to start enriching AAP traces after creating a table. +- If a primary key is duplicated, it is skipped and an error message about the key is displayed. + +On a new [references table][4] page: + +1. Name the table. The table name is referenced in AAP's **Threat Intel** config. +2. Upload a local CSV or import a CSV from a cloud storage bucket. The file is normalized and validated. +3. Preview the table schema and choose the IP address as the Primary Key. + + {{< img src="/security/application_security/threats/threat_intel/threat_intel_ref_table.png" alt="New reference table" style="width:100%;" >}} +4. Save the table. +5. In [Threat Intel][5], locate the new table, and then select the toggle to enable it. + + {{< img src="/security/application_security/threats/threat_intel/threat_intel_ref_table_enabled.png" alt="Enabled reference table" style="width:100%;" >}} + +#### Using cloud storage + +When the reference table is created from cloud storage, it is refreshed periodically. The entire table is *replaced*. Data is not merged. + +See the related reference table documentation for: +- [Amazon S3][11] +- [Azure storage][12] +- [Google Cloud storage][13] + +#### Troubleshooting cloud imports + +If the reference tables are not refreshing, select the **View Change Events** link from the settings on the reference table detail page. + +**View Change Events** opens a page in **Event Management** showing potential error events for the ingestion. You can also filter in **Event Management** using the reference table name. + +
In Datadog Event Management, it can look like the data is fetched from the cloud, but it can take a few more minutes to propagate those changes to Threat Intellegence.
+ +Other useful cloud import details to remember: + +- The expected latency before updated enrichments are available when a source is uploaded or updated is 10 to 30 minutes. +- How to know when the updates are applied: The changes are visible in the reference table or in the spans. Select the **View Change Events** link from settings on the reference table detail page to see the related events. +- The update replaces the *entire table* with the new data. +- In case of a duplicated primary key, the rows with the duplicated key are not written, and an error is shown in the reference table detail page. + +### Filter traces by joining the list with a Reference Table + +You can filter AAP traces in Datadog by joining a trace table with a Reference Table. + +To join a Reference Table with a trace query, you combine rows from the Datadog trace table and a Reference Table based on a related column between them. The traces query returns only those traces where there is a match in both tables. + +Using a join with a Reference Table enables you to evaluate impact before enrichment by searching for historical matches with existing traces. + +You can use any fields, not just IP addresses. For example, by associating security traces with specific URLs from a reference table, you can identify which parts of your application are being targeted by attacks. This can help pinpoint vulnerabilities or high-risk areas within the application. + +Examples: + +- Investigation and incident response. You can upload and join using IPs or other fields from attacks and see the traffic related to that incident. +- By using security traces with the IP addresses from a Reference Table, such as associating IP addresses with geographic locations or organizational details, security teams can gain better context around attack attempts. This can help in understanding the origin and potential motivation behind the attacks. + + +To join a trace with a Reference Table: + +1. Upload the Reference Table you want to use as described in [Uploading and enabling your own threat intel](#uploading-and-enabling-your-own-threat-intel). +2. To join a trace with a Reference Table, in [Traces][9], select **Add**, and then select **Join with Reference Table**. +3. In **Inner join with reference table**, select the Reference Table to use. +4. In **where field**, select the Datadog traces field to use for the join. +5. In **column**, select the Reference Table field to use for the join. + +{{< img src="security/application_security/threats/threat_intel/threat_intel_ref_join.png" alt="Your image description" style="width:100%;" >}} + +### Enriching traces for detection rules + +Enriching traces includes the threat intelligence attributes in AAP traces when the indicator of compromise matches the value of the `http.client_ip` key in the AAP trace. This enables searching for traces with threat intelligence matches using existing facets and using threat intelligence with detection rules. + + + +## Threat intelligence in the user interface + +When viewing the traces in the AAP Traces Explorer, you can see threat intelligence data under the `@appsec` attribute. The `category` and `security_activity` attributes are both set. + +{{< img src="security/application_security/threats/threat_intel/threat_intel_appsec.png" alt="Example of the appsec attribute containing threat intelligence data">}} + +Under `@threat_intel.results` you can always see the full details of what was matched from which source: + + {{< img src="security/application_security/threats/threat_intel/threat_intel_generic.png" alt="Example of the threat_intel attribute containing threat intelligence data">}} + +## Further Reading + +{{< partial name="whats-next/whats-next.html" >}} + +[1]: /security/threat_intelligence/#threat-intelligence-sources +[2]: /integrations/guide/reference-tables +[3]: /security/threat_intelligence/#threat-intelligence-facets +[4]: https://app.datadoghq.com/reference-tables/create +[5]: https://app.datadoghq.com/security/configuration/threat-intel +[6]: https://app.datadoghq.com/security/configuration/asm/rules/edit/kdb-irk-nua?product=appsec +[7]: /security/threat_intelligence#threat-intelligence-categories +[8]: /security/threat_intelligence#threat-intelligence-intents +[9]: https://app.datadoghq.com/security/appsec/traces +[10]: /integrations/guide/reference-tables/?tab=manualupload#create-a-reference-table +[11]: /integrations/guide/reference-tables/?tab=amazons3#create-a-reference-table +[12]: /integrations/guide/reference-tables/?tab=azurestorage#create-a-reference-table +[13]: /integrations/guide/reference-tables/?tab=googlecloudstorage#create-a-reference-table diff --git a/content/en/security/application_security/how-it-works/trace_qualification.md b/content/en/security/application_security/how-it-works/trace_qualification.md new file mode 100644 index 0000000000000..b9942a3260d11 --- /dev/null +++ b/content/en/security/application_security/how-it-works/trace_qualification.md @@ -0,0 +1,47 @@ +--- +title: Trace Qualification +aliases: +further_reading: +- link: "/security/application_security/" + tag: "Documentation" + text: "Protect against threats with Datadog App and API Protection" +- link: "/security/application_security/how-appsec-works//" + tag: "Documentation" + text: "How App and API Protection Works" +--- + +## Overview + +App and API Protection (AAP) provides observability into application-level attacks, and evaluates the conditions in which each trace was generated. AAP trace qualification then labels each attack as harmful or safe to help you take action on the most impactful attacks. + +Filter by the **Qualification** facet in the AAP [Traces Explorer][1] to view the possible qualification results: + +{{< img src="security/application_security/threats/trace_qualification/trace-qualification-traces_2.png" alt="AAP trace list with the qualification facet showing the possible qualification results">}} + +## Qualification outcomes + +AAP runs qualification rules (closed-source) on every trace. There are four possible qualification outcomes, as listed in the facet menu: + +| Qualification result | Description | +|------|-------------| +| Unknown | AAP has qualification rules for this attack, but did not have enough information to make a qualification decision. | +| None successful | AAP determined that attacks in this trace were not harmful. | +| Harmful | At least one attack in the trace was successful. | +| No value | AAP does not have qualification rules for this type of attack. | + +### Trace sidepanel + +The qualification result can also be seen when viewing the details of an individual trace.
+Example of a trace that AAP has qualified as safe: + +{{< img src="security/application_security/threats/trace_qualification/trace-none-successful_3.png" alt="AAP trace qualified as safe">}} + +Example of a trace that AAP has qualified as harmful: + +{{< img src="security/application_security/threats/trace_qualification/trace-harmful_2.png" alt="AAP trace qualified as harmful">}} + +[1]: https://app.datadoghq.com/security/appsec/traces +## Further Reading + +{{< partial name="whats-next/whats-next.html" >}} + diff --git a/content/en/security/application_security/overview/_index.md b/content/en/security/application_security/overview/_index.md new file mode 100644 index 0000000000000..635038bd05513 --- /dev/null +++ b/content/en/security/application_security/overview/_index.md @@ -0,0 +1,42 @@ +--- +title: Overview +aliases: + - /security/application_security/threats/threat-overview +--- + +{{< img src="security/application_security/threats/appsec-threat-overview-page-top.png" alt="Screenshot of the AAP Attack Summary page" >}} + +The AAP **Attack Summary** provides a quick view of your application and API posture. It highlights trends, service exposure, attack traffic, and the impact on business logic. You can pivot from widgets to their related traces. + +Each section of **Attack Summary** focuses on a different aspect of security with supporting information. + +## Sections + +Attack Surface Area +: This section provides insights into the exposed services, the tools attackers are using, and the commercial scanners that identify potential vulnerabilities. + +Attack Traffic +: These graphs identify the classification of attacks, such as SSRF, LFI, SQL and command injection. They allow users to identify spikes in malicious traffic and patterns. + +Business Logic +: This section focuses on fraud and business logic abuse such as account takeover attempts or any custom business logic events tracked by your application. + +Attack Traffic Sources +: A global heatmap indicating the sources of attack traffic, providing a visual representation of threats by region. + +## Best practices + +1. Review trends and adopt a protection policy that meets your posture needs. +2. Regularly review the **Exposed Services** widget in **Attack Surface Area** to ensure only the correct services are accessible and have a protection policy that meets your risk profile. +3. Block attack tools and ensure that customer scanners are part of an authorized vulnerability management program. +4. Monitor business logic for spikes in credential stuffing attacks or risky payment activity. +5. Use **Attack Traffic Sources** to compare the attack traffic sources with your expected customer locations. +6. Use [Powerpacks](#using-powerpacks) to enhance your dashboards with the most relevant information. + +### Using powerpacks + +When adding a widget to a [new dashboard][1] in Datadog, choose the **Powerpacks** section in the tray. Filter on `tag:attack_summary` or type `Attack Summary` in the search box. + +Each section in the **Attack Summary** page corresponds to a dedicated powerpack. + +[1]: https://app.datadoghq.com/dashboard/lists \ No newline at end of file diff --git a/content/en/security/application_security/security_signals/_index.md b/content/en/security/application_security/security_signals/_index.md new file mode 100644 index 0000000000000..0648523c639d3 --- /dev/null +++ b/content/en/security/application_security/security_signals/_index.md @@ -0,0 +1,159 @@ +--- +title: Investigate Security Signals +further_reading: + - link: "/security/default_rules/?category=cat-application-security#cat-application-security" + tag: "Documentation" + text: "Explore AAP threat detection OOTB rules" + - link: "/security/application_security/threats/custom_rules/" + tag: "Documentation" + text: "Configure custom AAP threat detection rules" + - link: "/security/application_security/threats/threat-intelligence/" + tag: "Documentation" + text: "AAP threat intelligence" +--- + +## Overview + +AAP security signals are created when Datadog detects a threat based on a detection rule. View, search, filter, and investigate security signals in the [Signals Explorer][2], or configure [Notification Rules][8] to send signals to third-party tools. + +{{< img src="security/application_security/threats/security_signals/appsec-threat-signals.png" alt="Overview of investigating threats in signals explorer with details side panel">}} + +## Signals Explorer columns + +The Signals Explorer displays the following columns. + +Severity +: There are five severity states: **Info**, **Low**, **Medium**, **High**, and **Critical**. **High** and **Critical** indicate a major impact to service availability or active compromise. + +Title +: The name of the signal. Titles might update when new data is correlated, altering the assessed impact of the attack. + +Service/Env +: The service and environment identified in the attack. Hover over the service name to link to the service page and code repo, and to see who is on-call for the service. + +Entities +: The attackers and the victims of an attack. Attackers are identified by IP addresses. Victims are identified as authenticated users. Hover over the IP list and then click an IP to see details such as **Threat Intelligence** and **Security Activity**. + +Triage State +: You can assign a responder and set a triage state for the signal. Available states are **Open**, **Under Review**, and **Archived**. + +Creation Date +: The date when the signal was first created. Signals are sorted by date by default. + +## Filter security signals + +To filter the security signals in the [Signals Explorer][2], use the search query `@workflow.triage.state:`, where `` is the state you want to filter on (`open`, `under_review`, or `archived`). You can also use the **Signal State** facet on the facet panel. + +## Triage a signal + +You can triage a signal by assigning it to a user for further investigation. The assigned user can then track their review by updating the signal's status. + +1. On the [Signals Explorer][2] page, click the user profile icon in the **Triage State** column. +2. Select a user to assign the signal. +3. To update the status of the security signal, click the triage status dropdown menu and select a status. The default status is **Open**. + - **Open**: The signal has not yet been resolved. + - **Under Review**: The signal is actively being investigated. From the **Under Review** state, you can move the signal to **Archived** or **Open** as needed. + - **Archived**: The detection that caused the signal has been resolved. From the **Archived** state, you can move the signal back to **Open** if it's within 30 days of when the signal was originally detected. + +**Note**: To modify security signals, you must have the `security_monitoring_signals_write` permission. See [Role Based Access Control][9] for more information about Datadog's default roles and granular role-based access control permissions available for App and API Protection. + +## Declare an incident + +Use [Incident Management][4] to create an incident for a security signal. + +Declare an incident if: + +- An issue is or might be impacting customers. +- You believe an issue (even if it's internal) needs to be addressed as an emergency. + +If you don't know whether you should declare an incident, notify other users and increase severity appropriately. + +1. On the [Signals Explorer][2] page, select a security signal to open its details panel. +2. On the signal panel, click **Declare Incident** or select the dropdown arrow and select **Add to an existing incident**. +3. When you declare a new incident, in the **Declare Incident** settings, configure the incident by specifying details such as the severity level and incident commander. + 1. Estimate impact. Severity levels go from SEV-1 (critical) to SEV-5 (minor impact). When in doubt, always choose the higher severity. +4. Click **Declare Incident**. + +## Run a workflow + +Use [Workflow Automation][5] to manually trigger a workflow for a security signal. + +1. Make sure the workflow you want to run has a security trigger. +2. On the [Signals Explorer][2] page, open a security signal. +3. In the **Respond** section, click **Run Workflow**. +4. In **Run a workflow**, select the workflow you want to run or click **New Workflow**. + - Depending on the workflow you select, you might be required to enter additional input parameters. + - If you selected **New Workflow**, Run a Security Workflow opens. To learn more about workflows, see [Workflow Automation][5]. +5. Click **Run**. + +## Review and remediate + +1. On the [Signals Explorer][2] page, open a security signal. +2. In the signal details, view each of the sections, such as **What Happened**, **Activity Summary**, and **Detection Rule**. +3. Review the **Next Steps** and take action: + - Click **Block all Attacking IPs** (by specific duration or permanently). + - Click **Automated Attacker Blocking** (based on [detection][10] rules). This setting requires the App and API Protection **Protect Write** permission. + - Click **[Block with Edge WAF][11]**. + +## Bulk actions + +When you select one or more signals, you can use **Bulk Actions** to perform the following. + +### Set state + +Set the triage state to **Open**, **Under Review**, or **Archived**. + +### Assign the signal to users + +Select **Assign selection** and then select the user(s) to assign to the signal. + +Select **Remove all assignments** to reset the signal assignment to none. + +### Case management + +Datadog [Case Management][6] offers a centralized place to triage, track, and remediate issues detected by Datadog and third-party integrations. + +1. On the [Signals Explorer][2] page, select a security signal. +2. In **Bulk Actions**, select **Create a case**. +3. Select **Create a case** or **Add to an existing case** to add the signal to an existing case. +4. Enter a title and optional description. +5. Click **Create Case**. + +When you click **Create Case**, you are directed to Case Management and the project you selected. + +## Saved views + +You can save different configurations of the Signals Explorer as views. For example, you could filter the explorer to show all unassigned signals and then save that as a view. + +When a configuration is saved as a view, you and your teammates can use it later. + +A view contains the explorer's current selections for: + +- Time and query +- Displayed columns and sorting +- Analytics aggregation settings +- Timeline visibility +- Displayed facets +- Aggregate by detection rule + +1. To save a view, configure the explorer to display the view you want and then click **Save**. +2. Enter a name for the view, and then select the teams you want to share the view with. +3. Click **Save**. + +To see all of the saved views, click **Views** next to the **Signals Explorer** page title. + +## Further Reading + +{{< partial name="whats-next/whats-next.html" >}} + + +[1]: https://app.datadoghq.com/services?lens=Security +[2]: https://app.datadoghq.com/security?query=%40workflow.rule.type%3A%22Application%20Security%22&column=time&order=desc&product=appsec&viz=stream&start=1694726477747&end=1695331277747&paused=false +[4]: /service_management/incident_management/ +[5]: /service_management/workflows/ +[6]: /service_management/case_management/ +[7]: https://app.datadoghq.com/security/appsec? +[8]: /security/notifications/rules/ +[9]: /account_management/rbac/permissions/#cloud-security-platform +[10]: /security/application_security/threats/protection/#respond-to-threats-in-real-time-by-automating-attacker-blocking +[11]: /security/application_security/threats/protection/#blocking-attack-attempts-with-in-app-waf \ No newline at end of file From 470938fef77058159ea05873f954a35773c90cda Mon Sep 17 00:00:00 2001 From: Michael Cretzman Date: Tue, 6 May 2025 12:41:35 -0700 Subject: [PATCH 2/6] main sections updated --- config/_default/menus/main.en.yaml | 237 +++++---- .../exploit-prevention.md | 108 ++++ .../_index.md} | 0 .../protection.md => policies/_index.md} | 10 +- .../policies/custom_rules.md | 120 +++++ .../security_signals/attacker-explorer.md | 153 ++++++ .../security_signals/attacker_clustering.md | 78 +++ .../security_signals/attacker_fingerprint.md | 73 +++ .../application_security/setup/_index.md | 21 + .../setup/compatibility/_index.md | 34 ++ .../setup/compatibility/dotnet.md | 110 ++++ .../setup/compatibility/envoy.md | 33 ++ .../compatibility/gcp-service-extensions.md | 31 ++ .../setup/compatibility/go.md | 154 ++++++ .../setup/compatibility/java.md | 163 ++++++ .../setup/compatibility/nginx.md | 35 ++ .../setup/compatibility/nodejs.md | 181 +++++++ .../setup/compatibility/php.md | 149 ++++++ .../setup/compatibility/python.md | 109 ++++ .../setup/compatibility/ruby.md | 126 +++++ .../setup/compatibility/serverless.md | 92 ++++ .../setup/single_step/_index.md | 274 ++++++++++ .../setup/standalone/_index.md | 49 ++ .../setup/standalone/dotnet.md | 215 ++++++++ .../setup/standalone/envoy.md | 118 +++++ .../standalone/gcp-service-extensions.md | 119 +++++ .../setup/standalone/go.md | 131 +++++ .../setup/standalone/java.md | 154 ++++++ .../setup/standalone/nginx.md | 82 +++ .../setup/standalone/nodejs.md | 171 ++++++ .../setup/standalone/php.md | 109 ++++ .../setup/standalone/python.md | 122 +++++ .../setup/standalone/ruby.md | 233 +++++++++ .../setup/threat_detection/_index.md | 40 ++ .../setup/threat_detection/dotnet.md | 201 +++++++ .../setup/threat_detection/envoy.md | 118 +++++ .../gcp-service-extensions.md | 489 ++++++++++++++++++ .../setup/threat_detection/go.md | 124 +++++ .../setup/threat_detection/java.md | 146 ++++++ .../setup/threat_detection/nginx.md | 82 +++ .../setup/threat_detection/nodejs.md | 162 ++++++ .../setup/threat_detection/php.md | 102 ++++ .../setup/threat_detection/python.md | 115 ++++ .../setup/threat_detection/ruby.md | 221 ++++++++ .../application_security/waf-integration.md | 62 +++ layouts/partials/nav/left-nav.html | 2 +- 46 files changed, 5553 insertions(+), 105 deletions(-) create mode 100644 content/en/security/application_security/exploit-prevention.md rename content/en/security/application_security/{how-appsec-works.md => how-it-works/_index.md} (100%) rename content/en/security/application_security/{how-it-works/protection.md => policies/_index.md} (98%) create mode 100644 content/en/security/application_security/policies/custom_rules.md create mode 100644 content/en/security/application_security/security_signals/attacker-explorer.md create mode 100644 content/en/security/application_security/security_signals/attacker_clustering.md create mode 100644 content/en/security/application_security/security_signals/attacker_fingerprint.md create mode 100644 content/en/security/application_security/setup/_index.md create mode 100644 content/en/security/application_security/setup/compatibility/_index.md create mode 100644 content/en/security/application_security/setup/compatibility/dotnet.md create mode 100644 content/en/security/application_security/setup/compatibility/envoy.md create mode 100644 content/en/security/application_security/setup/compatibility/gcp-service-extensions.md create mode 100644 content/en/security/application_security/setup/compatibility/go.md create mode 100644 content/en/security/application_security/setup/compatibility/java.md create mode 100644 content/en/security/application_security/setup/compatibility/nginx.md create mode 100644 content/en/security/application_security/setup/compatibility/nodejs.md create mode 100644 content/en/security/application_security/setup/compatibility/php.md create mode 100644 content/en/security/application_security/setup/compatibility/python.md create mode 100644 content/en/security/application_security/setup/compatibility/ruby.md create mode 100644 content/en/security/application_security/setup/compatibility/serverless.md create mode 100644 content/en/security/application_security/setup/single_step/_index.md create mode 100644 content/en/security/application_security/setup/standalone/_index.md create mode 100644 content/en/security/application_security/setup/standalone/dotnet.md create mode 100644 content/en/security/application_security/setup/standalone/envoy.md create mode 100644 content/en/security/application_security/setup/standalone/gcp-service-extensions.md create mode 100644 content/en/security/application_security/setup/standalone/go.md create mode 100644 content/en/security/application_security/setup/standalone/java.md create mode 100644 content/en/security/application_security/setup/standalone/nginx.md create mode 100644 content/en/security/application_security/setup/standalone/nodejs.md create mode 100644 content/en/security/application_security/setup/standalone/php.md create mode 100644 content/en/security/application_security/setup/standalone/python.md create mode 100644 content/en/security/application_security/setup/standalone/ruby.md create mode 100644 content/en/security/application_security/setup/threat_detection/_index.md create mode 100644 content/en/security/application_security/setup/threat_detection/dotnet.md create mode 100644 content/en/security/application_security/setup/threat_detection/envoy.md create mode 100644 content/en/security/application_security/setup/threat_detection/gcp-service-extensions.md create mode 100644 content/en/security/application_security/setup/threat_detection/go.md create mode 100644 content/en/security/application_security/setup/threat_detection/java.md create mode 100644 content/en/security/application_security/setup/threat_detection/nginx.md create mode 100644 content/en/security/application_security/setup/threat_detection/nodejs.md create mode 100644 content/en/security/application_security/setup/threat_detection/php.md create mode 100644 content/en/security/application_security/setup/threat_detection/python.md create mode 100644 content/en/security/application_security/setup/threat_detection/ruby.md create mode 100644 content/en/security/application_security/waf-integration.md diff --git a/config/_default/menus/main.en.yaml b/config/_default/menus/main.en.yaml index d93fd847e9e4c..8d78260c10940 100644 --- a/config/_default/menus/main.en.yaml +++ b/config/_default/menus/main.en.yaml @@ -6444,10 +6444,10 @@ menu: identifier: appsec_terms weight: 1 - name: How It Works - url: security/application_security/how-appsec-works/ + url: security/application_security/how-it-works/ parent: application_security identifier: appsec_howitworks - weight: 3 + weight: 2 - name: Threat Intelligence url: security/application_security/how-it-works/threat-intelligence parent: appsec_howitworks @@ -6463,116 +6463,161 @@ menu: parent: appsec_howitworks identifier: user_monitoring_and_protection weight: 3 - - name: Protection - url: security/application_security/how-it-works/protection - parent: appsec_howitworks - identifier: protection - weight: 4 - - name: Attack Summary - url: security/application_security/overview - parent: application_security - identifier: application_security_overview - weight: 5 - - name: Security Signals - url: security/application_security/security_signals - parent: application_security - identifier: application_security_security_signals - weight: 6 - - name: Threat Management - url: security/application_security/threats/ - parent: application_security - identifier: appsec_threats - weight: 7 - name: Setup - url: security/application_security/threats/setup/ - parent: appsec_threats + url: security/application_security/setup/ + parent: application_security identifier: appsec_threats_management_setup - weight: 700 + weight: 3 - name: Library Compatibility - url: security/application_security/threats/setup/compatibility/ + url: security/application_security/setup/compatibility/ parent: appsec_threats_management_setup identifier: appsec_compat_threats_mgmt - weight: 701 + weight: 1 - name: Using Datadog Tracing Libraries - url: security/application_security/threats/setup/threat_detection/ + url: security/application_security/setup/threat_detection/ parent: appsec_threats_management_setup identifier: appsec_threats_setup_threat_detection_setup - weight: 703 - - name: Attack Summary - url: security/application_security/threats/attack-summary/ - parent: appsec_threats - identifier: attack_summary_overview - weight: 704 - - name: Attacker Explorer - url: security/application_security/threats/attacker-explorer/ - parent: appsec_threats - identifier: threats_attackers - weight: 705 - - name: Custom Detection Rules - url: security/application_security/threats/custom_rules/ - parent: appsec_threats - identifier: threats_custom_rules - weight: 706 - - name: Exploit Prevention - url: security/application_security/threats/exploit-prevention/ - parent: appsec_threats - identifier: exploit_prevention - weight: 707 - - name: WAF Integrations - url: security/application_security/threats/waf-integration/ - parent: appsec_threats - identifier: aws_waf_int - weight: 708 - - name: In-App WAF Rules - url: security/application_security/threats/inapp_waf_rules/ - parent: appsec_threats - identifier: threats_event_rules - weight: 709 - - name: OOTB Rules - url: security/default_rules/#cat-application-security - parent: appsec_threats - identifier: appsec_default_rules - weight: 710 - - name: Protection - url: security/application_security/threats/protection/ - parent: appsec_threats - identifier: threats_protection - weight: 718 - - name: Security Signals - url: security/application_security/threats/security_signals/ - parent: appsec_threats - identifier: threats_security_signals - weight: 719 - - name: Trace Qualification - url: security/application_security/threats/trace_qualification/ - parent: appsec_threats - identifier: threats_trace_qualification - weight: 721 - - name: User Monitoring and Protection - url: security/application_security/threats/add-user-info/ - parent: appsec_threats - identifier: threats_user_info - weight: 722 - - name: Attacker Fingerprint - url: security/application_security/threats/attacker_fingerprint/ - parent: appsec_threats - identifier: threats_attacker_fingerprint - weight: 723 - - name: Attacker Clustering - url: security/application_security/threats/attacker_clustering/ - parent: appsec_threats - identifier: threats_attacker_clustering - weight: 724 + weight: 2 - name: Application Security for Serverless url: security/application_security/serverless/ - parent: application_security + parent: appsec_threats_management_setup identifier: asm_serverless - weight: 8 + weight: 4 - name: Library Compatibility url: security/application_security/serverless/compatibility/ parent: asm_serverless identifier: asm_serverless_compat + weight: 1 + - name: Overview + url: security/application_security/overview + parent: application_security + identifier: application_security_overview + weight: 4 + - name: Security Signals + url: security/application_security/security_signals + parent: application_security + identifier: application_security_security_signals + weight: 5 + - name: Attacker Explorer + url: security/application_security/security_signals/attacker-explorer/ + parent: application_security_security_signals + identifier: threats_attackers weight: 1 + - name: Attacker Fingerprint + url: security/application_security/security_signals/attacker_fingerprint/ + parent: application_security_security_signals + identifier: threats_attacker_fingerprint + weight: 2 + - name: Attacker Clustering + url: security/application_security/security_signals/attacker_clustering/ + parent: application_security_security_signals + identifier: threats_attacker_clustering + weight: 3 + - name: Policies + url: security/application_security/policies/ + parent: application_security + identifier: application_security_policies + weight: 6 + - name: Custom Rules + url: security/application_security/policies/custom_rules/ + parent: application_security_policies + identifier: application_security_policies_custom_rules + weight: 1 + - name: OOTB Rules + url: security/default_rules/ + parent: application_security_policies + identifier: application_security_policies_ootb_rules + weight: 2 + - name: Exploit Prevention + url: security/application_security/exploit-prevention/ + parent: application_security + identifier: exploit_prevention + weight: 7 + - name: WAF Integrations + url: security/application_security/waf-integration/ + parent: application_security + identifier: aws_waf_int + weight: 8 + # - name: Threat Management + # url: security/application_security/threats/ + # parent: application_security + # identifier: appsec_threats + # weight: 6 + # - name: Setup + # url: security/application_security/setup/ + # parent: application_security + # identifier: appsec_threats_management_setup + # weight: 700 + # - name: Library Compatibility + # url: security/application_security/setup/compatibility/ + # parent: appsec_threats_management_setup + # identifier: appsec_compat_threats_mgmt + # weight: 701 + # - name: Using Datadog Tracing Libraries + # url: security/application_security/setup/threat_detection/ + # parent: appsec_threats_management_setup + # identifier: appsec_threats_setup_threat_detection_setup + # weight: 703 + # - name: Attack Summary + # url: security/application_security/threats/attack-summary/ + # parent: appsec_threats + # identifier: attack_summary_overview + # weight: 704 + # - name: Custom Detection Rules + # url: security/application_security/threats/custom_rules/ + # parent: appsec_threats + # identifier: threats_custom_rules + # weight: 706 + # - name: Exploit Prevention + # url: security/application_security/threats/exploit-prevention/ + # parent: appsec_threats + # identifier: exploit_prevention + # weight: 707 + # - name: WAF Integrations + # url: security/application_security/threats/waf-integration/ + # parent: appsec_threats + # identifier: aws_waf_int + # weight: 708 + # - name: In-App WAF Rules + # url: security/application_security/threats/inapp_waf_rules/ + # parent: appsec_threats + # identifier: threats_event_rules + # weight: 709 + # - name: OOTB Rules + # url: security/default_rules/#cat-application-security + # parent: appsec_threats + # identifier: appsec_default_rules + # weight: 710 + # - name: Protection + # url: security/application_security/threats/protection/ + # parent: appsec_threats + # identifier: threats_protection + # weight: 718 + # - name: Security Signals + # url: security/application_security/threats/security_signals/ + # parent: appsec_threats + # identifier: threats_security_signals + # weight: 719 + # - name: Trace Qualification + # url: security/application_security/threats/trace_qualification/ + # parent: appsec_threats + # identifier: threats_trace_qualification + # weight: 721 + # - name: User Monitoring and Protection + # url: security/application_security/threats/add-user-info/ + # parent: appsec_threats + # identifier: threats_user_info + # weight: 722 + # - name: Application Security for Serverless + # url: security/application_security/serverless/ + # parent: application_security + # identifier: asm_serverless + # weight: 9 + # - name: Library Compatibility + # url: security/application_security/serverless/compatibility/ + # parent: asm_serverless + # identifier: asm_serverless_compat + # weight: 1 - name: API Security Inventory url: security/application_security/api-inventory/ parent: application_security diff --git a/content/en/security/application_security/exploit-prevention.md b/content/en/security/application_security/exploit-prevention.md new file mode 100644 index 0000000000000..7bec2b7a061ca --- /dev/null +++ b/content/en/security/application_security/exploit-prevention.md @@ -0,0 +1,108 @@ +--- +title: Exploit Prevention +disable_toc: false +further_reading: +- link: "/security/application_security/" + tag: "Documentation" + text: "Protect against threats with Datadog App and API Protection" +- link: "/security/application_security/threats/library_configuration/" + tag: "Documentation" + text: "Other setup considerations and configuration options" +- link: "https://www.datadoghq.com/blog/datadog-exploit-prevention/" + tag: "Blog" + text: "Protect your applications from zero-day attacks with Datadog Exploit Prevention" +- link: "https://www.datadoghq.com/blog/understanding-your-waf/" + tag: "Blog" + text: "Understanding your WAF: How to address common gaps in web application security" +--- + + +## Overview + +Use AAP **Exploit Prevention** to protect your critical applications and APIs against zero-day vulnerabilities without tuning or reconfiguration. + +With AAP's context-aware capabilities, you can gain a deep understanding of application logic, data flow, and state. + +Combine telemetry from the Datadog tracer with predefined heuristics to detect and block exploits with higher accuracy, ensuring legitimate traffic remains unaffected. + +## How exploit prevention works + +1. With the Datadog AAP tracing library instrumented in your applications, details are captured about every interaction within the application, including requests, code execution, and data flows. +2. When an attack payload reaches the application, AAP evaluates if the payload triggers code paths tied to known vulnerabilities. +3. If a potential exploit is detected: + 1. AAP blocks the request in real-time before it causes damage. + 2. AAP raises security signals for further investigation. +4. Exploit prevention detections are accompanied by stack traces that provide full visibility of the code location of the vulnerability, providing a clear path to remediation. + +### Example 1: Server-side request forgery + +An attacker tricks the server into making unauthorized requests to internal systems or external servers, potentially leaking information or a further exploitation. + +AAP Exploit Prevention checks whether an internal or external request's URL, which is partially or totally controlled by a user parameter, has been manipulated by an attacker to alter the original purpose of the request. + +### Example 2: Local file inclusion + +An attacker exploits a vulnerable parameter to include local files from the server, potentially exposing sensitive data like configuration files or possibly enabling remote code execution. + +AAP Exploit Prevention inspects all file access attempts to determine if the path has been injected and whether a restricted file is accessed. + +### Example 3: SQL injection + +An attacker injects malicious SQL code into a query, potentially gaining unauthorized access to the database, manipulating data, or executing administrative operations. + +AAP Exploit Prevention intercepts all SQL queries to determine if a user parameter has been injected and whether the injection alters the original purpose and structure of the SQL query. + +## Prerequisites + +- Ensure that your applications are instrumented with the Datadog tracer. +- AAP Threat Management must be enabled. See [Threat Management Setup][1]. +- Ensure Remote Configuration is enabled to push rule updates and In-App WAF policies. See [Enabling Remote Configuration][2]. + +### Library Compatibility + + +| Exploit Type | .NET | Python | Go | Java | Node.js | PHP | Ruby | +|------------------------------------|------------------|------------------|-------------------------|------------------|------------------|------------------|-------------------| +| Server-side Request Forgery (SSRF) | v3.3.0 | v2.15.0 | v1.70.1 | v1.42.0 | v5.20.0, v4.44.0 | Avail. in Q1 '25 | Avail. in Q1 '25 | +| Local File Inclusion (LFI) | v3.5.0 | v2.15.0 | [orchestrion][3] v1.0.0 | v1.42.0 | v5.24.0, v4.48.0 | Avail. in Q1 '25 | Avail. in Q1 '25 | +| SQL Injection (SQLi) | v3.4.0 | v2.16.0 | v1.70.1 | v1.42.0 | v5.25.0, v4.49.0 | Avail. in Q1 '25 | Avail. in Q4 '24 | +| Command Injection | v3.4.0 | v2.15.0 | Avail. in Q4 '24 | v1.45.0 | v5.25.0, v4.49.0 | Avail. in Q1 '25 | Avail. in Q1 '25 | + +## Enabling Exploit Prevention + + +1. Navigate to [In-App WAF][4] (**Security > Application Security > Protection > In-App WAF**). +2. If you have applied a Datadog managed policy to your services, then follow these steps: + a. Clone the policy. For example, you can use the **Managed - Block attack tools** policy. + + {{< img src="security/application_security/threats/clone-policy.png" alt="Clone the policy" width="100%" >}} + b. Add a policy name and description. + + {{< img src="security/application_security/threats/clone-policy-modal.png" alt="Clone the policy" width="100%" >}} + c. Click on the policy you created and select the **Local File Inclusion** ruleset. Enable blocking for the **Local File Inclusion exploit** rule. + + {{< img src="security/application_security/threats/local-file-inclusion.png" alt="Local File Inclusion" width="100%" >}} + d. Similarly, select the **Server-side Request Forgery** ruleset and enable blocking for the **Server-side request forgery** exploit rule. + + {{< img src="security/application_security/threats/server-side-request-forgery.png" alt="Server-side Request Forgery exploit" width="100%" >}} +3. If you have applied a custom policy for your services, you can skip Steps 2.a and 2.b for cloning a policy and directly set the Exploit Prevention rules in **blocking** mode (Steps 2.c and 2.d). + + +## Reviewing exploit attempts in AAP + +After you have enabled Exploit Prevention, if AAP detects an exploit attempt, it proceeds to block that request. Exploit Prevention detections are always accompanied by stack traces, which provide full visibility of where the vulnerability lies in your code, ensuring a clear path to remediation. + +{{< img src="security/application_security/threats/exploit-prevention-detection.png" alt="Exploit Prevention detection" width="100%" >}} + +In addition, AAP also generates a signal correlating all the blocked traces and isolating the attacker IP addresses that are targeting your service(s). You can take action by blocking all attacking IPs. + +{{< img src="security/application_security/threats/signal-correlating-blocked-traces.png" alt="Your image description" width="100%" >}} + +## Further Reading + +{{< partial name="whats-next/whats-next.html" >}} + +[1]: /security/application_security/threats/setup +[2]: /agent/remote_config/?tab=configurationyamlfile#enabling-remote-configuration +[3]: /tracing/trace_collection/automatic_instrumentation/dd_libraries/go/#overview +[4]: https://app.datadoghq.com/security/appsec/in-app-waf diff --git a/content/en/security/application_security/how-appsec-works.md b/content/en/security/application_security/how-it-works/_index.md similarity index 100% rename from content/en/security/application_security/how-appsec-works.md rename to content/en/security/application_security/how-it-works/_index.md diff --git a/content/en/security/application_security/how-it-works/protection.md b/content/en/security/application_security/policies/_index.md similarity index 98% rename from content/en/security/application_security/how-it-works/protection.md rename to content/en/security/application_security/policies/_index.md index 8f1034df86529..c6a2a67315358 100644 --- a/content/en/security/application_security/how-it-works/protection.md +++ b/content/en/security/application_security/policies/_index.md @@ -1,14 +1,8 @@ --- -title: Protection -is_beta: true -further_reading: -- link: "/security/application_security/" - tag: "Documentation" - text: "App and API Protection with Datadog" +title: Policies +disable_toc: false --- -## Overview - If your service is running [an Agent with Remote Configuration enabled and a tracing library version that supports it][2], you can block attacks and attackers from the Datadog UI without additional configuration of the Agent or tracing libraries. App and API Protection (AAP) Protect enables you to slow down attacks and attackers by _blocking_ them. Security traces are blocked in real-time by the Datadog tracing libraries. Blocks are saved in the Datadog platform, automatically and securely fetched by the Datadog Agent, deployed in your infrastructure, and applied to your services. diff --git a/content/en/security/application_security/policies/custom_rules.md b/content/en/security/application_security/policies/custom_rules.md new file mode 100644 index 0000000000000..55d3bf197dff3 --- /dev/null +++ b/content/en/security/application_security/policies/custom_rules.md @@ -0,0 +1,120 @@ +--- +title: Custom Detection Rules +aliases: + - /security_platform/application_security/custom_rules + - /security/application_security/custom_rules +further_reading: +- link: "/security/application_security/" + tag: "Documentation" + text: "Protect against threats with Datadog App and API Protection" +- link: "/security/application_security/event_rules/" + tag: "Documentation" + text: "Creating event rules" +- link: "/security/application_security/troubleshooting" + tag: "Documentation" + text: "Troubleshoot common Datadog App and API Protection issues" +- link: "/security/notifications/variables/" + tag: "Documentation" + text: "Learn more about Security notification variables" +- link: "/tracing/trace_explorer/query_syntax/" + tag: "Documentation" + text: "Syntax for defining the AAP query" +--- + +## Overview + +App and API Protection (AAP) comes with a set of [out-of-the-box detection rules][1] which aim to catch attack attempts, vulnerabilities found by attacker, and business logic abuse that impact your production systems. + +However, there are situations where you may want to customize a rule based on your environment or workload. For example, you may want to customize a detection rule that detects users performing sensitive actions from a geolocation where your business doesn't operate. + +Another example is customizing a rule to exclude an internal security scanner. AAP detects its activity as expected. However, you may not want to be notified of its regularly occurring scan. + +In these situations, a custom detection rule can be created to exclude such events. This guide shows you how to create a custom detection rule for AAP. + +## Business logic abuse detection rule + +AAP offers out of the box rules to detect business logic abuse (for example, resetting a password through brute force). Those rules require [adding business logic information to traces][7]. + +Recent Datadog Tracing Libraries attempt to detect and send user login and signup events automatically without needing to modify the code. If needed, you can [opt out of the automatic user activity event tracking][8]. + +You can filter the rules, and identify which business logic to start tracking. Additionally, you can use these rules as a blueprint to create custom rules based on your own business logic. + +See the section below to see how to configure your rules. + +## Configuration + +To customize an OOTB detection rule, you must first clone an existing rule. Navigate to your [Detection Rules][2] and select a rule. Scroll to the bottom of the rule and click the Clone Rule button. This now enables you to edit the existing rule. + +### Define an AAP query + +Construct an AAP query using the [same query syntax as in the AAP Trace Explorer][3]. For example, create a query to monitor login successes from outside of the United States: `@appsec.security_activity:business_logic.users.login.success -@actor.ip_details.country.iso_code:US`. + +Optionally, define a unique count and signal grouping. Count the number of unique values observed for an attribute in a given timeframe. The defined group-by generates a signal for each group-by value. Typically, the group-by is an entity (like user, IP, or service). The group-by is also used to [join the queries together](#joining-queries). + +Use the preview section to see which AAP traces match the search query. You can also add additional queries with the Add Query button. + +##### Joining queries + +Joining queries to span a timeframe can increase the confidence or severity of the Security Signal. For example, to detect a successful attack, both successful and unsuccessful triggers can be correlated for a service. + +Queries are correlated together by using a `group by` value. The `group by` value is typically an entity (for example, `IP` or `Service`), but can be any attribute. + +For example, create opposing queries that search for the same `business_logic.users.login.success` activity, but append opposing HTTP path queries for successful and unsuccessful attempts: + +Query 1: `@appsec.security_activity:business_logic.users.login.success @actor.ip_details.country.iso_code:US`. + +Query 2: `@appsec.security_activity:business_logic.users.login.success -@actor.ip_details.country.iso_code:US`. + +In this instance, the joined queries technically hold the same attribute value: the value must be the same for the case to be met. If a `group by` value doesn't exist, the case will never be met. A Security Signal is generated for each unique `group by` value when a case is matched. + +### Exclude benign activity with suppression queries + +In the **Only generate a signal if there is a match** field, you have the option to enter a query so that a trigger is only generated when a value is met. + +In the **This rule will not generate a signal if there is a match** field, you have the option to enter suppression queries so that a trigger is not generated when the values are met. For example, if a service is triggering a signal, but the action is benign and you no longer want signals triggered from this service, create a query that excludes `service`. + +### Set a rule case + +#### Trigger + +Rule cases, such as `successful login > 0`, are evaluated as case statements. Thus, the first case to match generates the signal. Create one or multiple rule cases, and click on the grey area next to them to drag and manipulate their orderings. + +A rule case contains logical operations (`>, >=, &&, ||`) to determine if a signal should be generated based on the event counts in the previously defined queries. + +**Note**: The query label must precede the operator. For example, `a > 3` is allowed; `3 < a` is not allowed. + +Provide a **name** for each rule case. This name is appended to the rule name when a signal is generated. + +#### Severity and notification + +{{% security-rule-severity-notification %}} + +### Time windows + +{{% security-rule-time-windows %}} + +Click **Add Case** to add additional cases. + +**Note**: The `evaluation window` must be less than or equal to the `keep alive` and `maximum signal duration`. + +### Say what's happening + +{{% security-rule-say-whats-happening %}} + +Use the **Tag resulting signals** dropdown menu to add tags to your signals. For example, `attack:sql-injection-attempt`. + +**Note**: The tag `security` is special. This tag is used to classify the security signal. The recommended options are: `attack`, `threat-intel`, `compliance`, `anomaly`, and `data-leak`. + +## Further Reading + +{{< partial name="whats-next/whats-next.html" >}} + +[1]: /security/default_rules/?category=cat-application-security +[2]: https://app.datadoghq.com/security/appsec/signals-rules +[3]: /tracing/trace_explorer/query_syntax/ +[4]: /monitors/notify/?tab=is_alert#integrations +[5]: /security/notifications/variables/ +[6]: /security/notifications/variables/#template-variables +[7]: /security/application_security/threats/add-user-info/?tab=set_user#adding-business-logic-information-login-success-login-failure-any-business-logic-to-traces +[8]: /security/application_security/threats/add-user-info/?tab=set_user#disabling-automatic-user-activity-event-tracking + diff --git a/content/en/security/application_security/security_signals/attacker-explorer.md b/content/en/security/application_security/security_signals/attacker-explorer.md new file mode 100644 index 0000000000000..423d4603cd23a --- /dev/null +++ b/content/en/security/application_security/security_signals/attacker-explorer.md @@ -0,0 +1,153 @@ +--- +title: Attacker Explorer +disable_toc: false +further_reading: +- link: "/security/application_security/threats/protection" + tag: "Documentation" + text: "Protection" +--- + +This topic describes how to use **Attacker Explorer** to investigate and block Flagged Attackers. + +## Overview + +Datadog App and API Protection (AAP) identifies attackers as suspicious and flagged. With [Attacker Explorer][1], you can investigate and take action against the attackers. + + +### Definitions + +- **Suspicious Attackers:** IP addresses that have sent attack traffic in the last 24 hours up to a maximum threshold. + +- **Flagged Attackers:** IP addresses that have sent attack traffic, exceeding the threshold of Suspicious Attackers, in the last 24 hours. Flagged Attackers should be reviewed and blocked. + +
Flagged Attackers and Suspicious Attackers are mutually exclusive. An IP cannot be in both states at the same time.
+ +### How Attacker Explorer differs from Signal and Trace explorers + +To understand the difference between the different explorers, review these approaches: + +- **Protect:** Automated blocking using AAP Protection configuration. Customers should block attack tools as their first automated blocking action. Blocking attack tools reduces common vulnerability discovery for OWASP threats such as SQLi, command injection, and SSRF. +- **Reactive:** Blocking using Signals or Attackers explorer in response to observed threats. + +{{< img src="security/application_security/threats/attacker-explorer/attacker_explorer_nav.png" alt="Screenshot of the AAP Attacker Explorer navigation" >}} + +Each explorer focuses on a specific use case: + +- **Signal Explorer**: List of actionable alerts such as Credential Stuffing Attack or Command Injection. Signals have workflow capabilities, a description, severity, and correlated Traces. Interactions include user assignment workflows, automated protection, analytics, search, and pivoting to Trace Explorer. +- **Trace Explorer**: List of evidence for business logic events, such as logins, or attack payloads. Interactions include analytics and search. +- **Attacker Explorer**: List of Flagged and Suspicious Attackers. Interactions include: + - Bulk actions for attacker analytics and blocking + - Drill-down into the history of any attacker + - Search + - Pivoting to other explorers + + +### Explore and filter attackers + +To start reviewing attackers, go to [Attacker Explorer][1]. + +{{< img src="security/application_security/threats/attacker-explorer/attacker_explorer_default_view2.png" alt="AAP Attacker Explorer" >}} + +There are two sections to the Attacker Explorer: + +1. Facets and search. These enable you to filter traffic by service or attacker attributes. +2. The list of attackers with security metrics. + + +### Investigate an IP + +Click on any row to view the history and attributes of the IP. + +{{< img src="security/application_security/threats/attacker-explorer/ip_drawer.png" alt="Investigate and IP address with AAP Attacker Explorer" >}} + +IPs can be blocked or added to the Passlist from the IP drawer. + +### Best practices for blocking with Attacker Explorer + +1. Account takeover attacks: Use short durations for blocking IP addresses. +2. Add authorized scanners to monitored passlists to observe activity but prevent blocking. +3. Block mobile ISPs with caution. These networks might have large numbers of users and mobile devices behind single IP addresses. + +## Block individual IPs + +To block an individual IP temporarily or permanently, do the following: + +{{< img src="security/application_security/threats/attacker-explorer/block_ip_address.png" alt="Block an IP address with AAP Attacker Explorer" >}} + +1. Click `Block` on the row. +2. Choose a blocking duration. + +## Block IPs in bulk + +You can select multiple IPs and block them temporarily or permanently using the Attacker Explorer's **Compare and Block** option. + +**Compare and Block** provides metrics about the IPs to help you block with safety and confidence. For example, **Similarity Overview** and **Activity**, described later in this topic. + +To compare and block IPs in bulk, do the following: +1. Filter the list of Attackers with a search or facets. +2. Select multiple IPs. +3. Select the **Compare and Block** option. + + In the following example, the selected IPs are from the same location and appear to be related. The **Compare and Block** option opens the **Block selected attackers** view, showing metrics and attributes for the selected IP addresses. + + {{< img src="security/application_security/threats/attacker-explorer/attacker_explorer_review_groups2.png" alt="Screenshot of the AAP Attacker Explorer group blocking" >}} + +4. To block attackers, click **Block**. + +## Block selected attackers metrics + +When you select the **Compare and Block** option, the **Block selected attackers** view opens, showing metrics and attributes for the selected IP addresses. + +{{< img src="security/application_security/threats/attacker-explorer/attacker_explorer_review_groups2.png" alt="Screenshot of the AAP Attacker Explorer group blocking" >}} + +
Metrics for Similarity Overview and Activity are scoped to the last 30 days.
+ +The **Block selected attackers** view metrics are explained in the following sections. + +### Selected IPs + +Contains the IPs selected from the explorer. Deselecting an IP removes it from the metrics sections and **Block** action. + +### Similarity overview + +Each column exists to help block with confidence and safety. The provided attributes are also used by AAP's Attacker Similarity feature. + +ASNs +: Autonomous System Numbers. Attacks with large numbers of IP addresses might originate from the same ASN, especially when attacks originate from data centers and cloud IPs. + +User Agents +: Attackers, commercial scanners, and your own software might use predictable user agents that can help qualify what should be included or excluded from blocking. + +Location +: Companies might have policies or serviceable markets that determine what countries they allow traffic from. + +Domain +: The owner of the ASN. This is helpful when an organization owns multiple ASNs. + +Users per IPs +: The number of users who have authenticated from the IP. IPs with large numbers of logins might indicate a load balancer or many users from the same location, like a company site. + +### Activity + +The time scope for activity is 30 days. + +#### Signals + +The signals associated with the IP addresses over the selected time. + +#### Traces + +The traces associated with the IP addresses over the selected time. + +Benign traffic is sampled APM traffic which are traces without business logic or attack traffic detections. + +Attack traffic is all AAP traces, inclusive of business logic. + +### Block + +This adds the IP addresses to the [Denylist][2] for the specified duration. + + +[1]: https://app.datadoghq.com/security/appsec/attackers +[2]: https://app.datadoghq.com/security/appsec/denylist +[3]: https://app.datadoghq.com/security/appsec/passlist diff --git a/content/en/security/application_security/security_signals/attacker_clustering.md b/content/en/security/application_security/security_signals/attacker_clustering.md new file mode 100644 index 0000000000000..aad20824db674 --- /dev/null +++ b/content/en/security/application_security/security_signals/attacker_clustering.md @@ -0,0 +1,78 @@ +--- +title: Attacker Clustering +disable_toc: false +further_reading: +- link: "/security/application_security/threats/attacker_fingerprint" + tag: "Documentation" + text: "Attacker Fingerprint" +- link: "/security/application_security/threats/threat-intelligence/" + tag: "Documentation" + text: "Threat Intelligence" +- link: "/security/application_security/threats/event_rules" + tag: "Documentation" + text: "In-App WAF Rules" +- link: "/security/application_security/threats/security_signals/" + tag: "Documentation" + text: "Security Signals" +- link: "https://www.datadoghq.com/blog/attacker-clustering/" + tag: "blog" + text: "Detect and respond to evolving attacks with Attacker Clustering" +--- + + +## Overview + +Attacker Clustering improves distributed attack blocking. Datadog App and API Protection (AAP) identifies security signal traffic attacker patterns and to help you mitigate distributed attacks more efficiently. + +Attacker clustering highlights a set of common attributes shared by a significant portion of traffic and suggests blocking based on those attributes. + +Blocking on attacker attributes means you keep your application or API protected even as the attacker rotates between IPs. + +## What signals are used for attacker clusters? + +The attacker clustering is computed for every [AAP security signal][4] emitted from a detection rule tagged with `category:account_takeover` or `category:fraud` + +Out of the box, attacker clustering is computed for the AAP detection rules that detect API abuse, credential stuffing, or brute force attacks. + +If you want the attacker clustering executed on custom detection rules, add these tags in the detection rule editor (see screenshot below). + +{{< img src="security/application_security/threats/tag-on-detection-rule.png" alt="Screenshot of the Detection rule editor showing where to add tags" >}} + +## Attacker clustering attributes + +Attacker clustering is computed using the following request attributes: +* Browser name +* Browser version +* OS name +* OS version +* User agent header +* HTTP request headers (for example, `accept-encoding`, `content-type`) +* [Datadog attacker fingerprinting][2] + +When the attacker attributes are identified, they are displayed on the signal side panel and **Signals** page. Attacker attributes can be a combination of the attributes listed above. + +{{< img src="security/application_security/threats/attacker-attributes.png" alt="Screenshot of an AAP signals with attacker attributes identified" >}} + +### Custom HTTP request headers + +If you want to use custom HTTP request headers for attacker clustering, they must be added under the path `@http.request.headers` in your traces. You can add custom headers to your traces by configuring the tracer with the `DD_TRACE_REQUEST_HEADER_TAGS` environment variable. For more information about this configuration, see [Configure the Datadog Tracing Library][5]. + +## Attacker clustering mechanism + +The clustering algorithm analyzes the frequency of attributes in the attack traffic. It selects attributes that appear frequently while also filtering out typical traffic noise. This process results in attributes that can be blocked to stop or slow the attacker. + +The algorithm tracks the changes in the attack traffic by identifying emerging trends as the attacker changes tactics (for example, changing headers, tool, etc.). The attacker cluster is updated with the latest traffic trends. + +Traffic associated with threat intelligence is also considered in the clustering mechanism. The more an attribute is correlated with [Threat Intelligence][1], the higher the chance to create an attacker cluster around this attribute. + +The attacker clustering attributes selected are then shown as regular expressions that can be used to block with AAP's [In-App WAF][3] or to filter out traffic in AAP Traces explorer for investigation. + +## Further reading + +{{< partial name="whats-next/whats-next.html" >}} + +[1]: /security/application_security/threats/threat-intelligence/ +[2]: /security/application_security/threats/attacker_fingerprint +[3]: /security/application_security/threats/event_rules +[4]: /security/workload_protection/security_signals/ +[5]: /tracing/trace_collection/library_config/ diff --git a/content/en/security/application_security/security_signals/attacker_fingerprint.md b/content/en/security/application_security/security_signals/attacker_fingerprint.md new file mode 100644 index 0000000000000..cf8463cf8aa70 --- /dev/null +++ b/content/en/security/application_security/security_signals/attacker_fingerprint.md @@ -0,0 +1,73 @@ +--- +title: Attacker Fingerprint +disable_toc: false +further_reading: +- link: "/security/application_security/threats/attacker_clustering" + tag: "Documentation" + text: "Attacker Clustering" +--- + +This topic describes a feature called **Datadog Attacker Fingerprint** to identify attackers beyond IP addresses. + +## Overview + +Datadog Attacker Fingerprint identifies attackers beyond IP addresses. Datadog Attacker fingerprints are automatically computed and added to your traces on attack or login attempts when App and API Protection (AAP) is enabled on your service. + +Datadog Attacker fingerprints are composed of several fragments: +* Endpoint Identifier +* Session Identifier +* Header Identifier +* Network Identifier + +Each fragment identifies request specifics by looking for certain headers and query body fields, and by hashing cookie values and query parameters. + +## Attacker Fingerprint fragment details + +### Endpoint identifier + +The endpoint identifier fragment provides information about a specific endpoint, as well as the parameters used to call it. This fragments uses the following information: +* HTTP method +* Hash of request URI +* Hash of query parameter fields +* Hash of body fields + +### Session identifier + +The session identifier fragment tracks users based on their session information and whether they are authenticated. This fragment uses the following information: +* Hash of user ID +* Hash of cookie fields +* Hash of cookie values +* Hash of session ID + +If all of the fields are unavailable, the fragment is omitted as it does not provide meaningful information. + +### Header identifier + +The header identifier fragment provides information about the headers used in the request. This particular fragment uses the following information: +* Presence of known headers: Referer, Connection, Accept-Encoding, etc. +* Hash of user agent +* The number of unknown headers +* Hash of unknown headers. The list of unknown headers excludes all XFF headers, cookies and x-datadog headers. + + +### Network identifier + +The network identifier fragment provides information about the network part of the request. This fragment uses the following information: +* The number of IPs in the XFF header used by the caller to determine the client’s IP. +* The presence or absence of the known XFF headers + + +## How to use Attacker Fingerprints + +Fragments can be used as filters in the AAP Traces explorer by filtering on the desired fingerprint field. For example: `@appsec.fingerprint.header.ua_hash:e462fa45` will filter on all requests that have the same user agent hash. + +{{< img src="security/application_security/threats/attacker-fingerprint-trace.png" alt="Screenshot of an AAP trace with attacker fingerprint in the trace side panel" >}} + +Attacker fingerprints are used in the [Attacker Clustering][1] feature. If a significant portion of your traffic presents the same fingerprint attributes, attacker clustering will show it has a common attack attribute. + + +## Further reading + +{{< partial name="whats-next/whats-next.html" >}} + +[1]: /security/application_security/threats/attacker_clustering diff --git a/content/en/security/application_security/setup/_index.md b/content/en/security/application_security/setup/_index.md new file mode 100644 index 0000000000000..9c8968b6da440 --- /dev/null +++ b/content/en/security/application_security/setup/_index.md @@ -0,0 +1,21 @@ +--- +title: Threat Management Setup +disable_toc: false +--- + +## Prerequisites + +Before setting up Threat Management, ensure the following prerequisites are met: +- **Datadog Agent:** [Install the Datadog Agent][4] and configure it for your application's operating system or container, cloud, or virtual environment. +- **Datadog APM Configuration:** Datadog APM is configured for your application or service, and web traces (`type:web`) are being received by Datadog. +- **Supported Tracing Library:** The Datadog Tracing Library used by your application or service supports Threat Management capabilities for the language of your application or service. For more details, refer to the [Library Compatibility][1] page. + +## Datadog Tracing Libraries + +Add an environment variable or a new argument to your [Datadog Tracing Library configuration][3]. + +By following these steps, you'll successfully set up Threat Management for your application or service, monitoring services that are under attack and protecting them against attacks. + +[1]: /security/application_security/threats/setup/compatibility +[3]: /security/application_security/threats/setup/threat_detection +[4]: /agent/ \ No newline at end of file diff --git a/content/en/security/application_security/setup/compatibility/_index.md b/content/en/security/application_security/setup/compatibility/_index.md new file mode 100644 index 0000000000000..2280b6c7840aa --- /dev/null +++ b/content/en/security/application_security/setup/compatibility/_index.md @@ -0,0 +1,34 @@ +--- +title: Compatibility Requirements +type: multi-code-lang +further_reading: +- link: "/security/application_security/troubleshooting" + tag: "Documentation" + text: "Troubleshooting App and API Protection" +- link: "/security/application_security/how-appsec-works/" + tag: "Documentation" + text: "How App and API Protection Works in Datadog" +--- + +The following AAP capabilities are supported relative to each language's tracing library: + +| AAP capability | Java | .NET | Node.js | Python | Go | Ruby | PHP | +|----------------------------------------|---------|----------|--------------------------------------------------|---------------|-----------------|---------------|---------------| +| Threat Detection | 1.8.0 | 2.23.0 | 4.0.0 | 1.9.0 | 1.47.0 | 1.9.0 | 0.84.0 | +| API Security | 1.31.0 | 2.42.0 | 4.30.0 for Node.js 16+, or 5.6.0 for Node.js 18+ | 2.6.0 | 1.59.0 | 2.4.0 | 0.98.0 | +| Threat Protection | 1.9.0 | 2.26.0 | 4.0.0 | 1.10.0 | v1.50.0 | 1.11.0 | 0.86.0 | +| Customize response to blocked requests | 1.11.0 | 2.27.0 | 4.1.0 | 1.19.0 | v1.53.0 | 1.15.0 | 0.86.0 | +| Automatic user activity event tracking | 1.38.0 | support pending | support pending | 2.11.0 | support pending | support pending | support pending | +| Automatic user activity event tracking (deprecated modes) | 1.20.0 | 2.32.0 | 4.4.0 | 1.17.0 | not supported | 1.14.0 | 0.89.0 | + +Select your application language for details about framework compatibility and feature support. + + +{{< partial name="security-platform/appsec-languages.html" >}} + +
+ +## Further Reading + +{{< partial name="whats-next/whats-next.html" >}} + diff --git a/content/en/security/application_security/setup/compatibility/dotnet.md b/content/en/security/application_security/setup/compatibility/dotnet.md new file mode 100644 index 0000000000000..c56c36a493274 --- /dev/null +++ b/content/en/security/application_security/setup/compatibility/dotnet.md @@ -0,0 +1,110 @@ +--- +title: .NET Compatibility Requirements +code_lang: dotnet +type: multi-code-lang +code_lang_weight: 10 +--- + +## Application Security capabilities support + +The following application security capabilities are supported in the .NET library, for the specified tracer version: + +| Application Security capability | Minimum .NET tracer version | +| -------------------------------- | ----------------------------| +| Threat Detection | 2.23.0| +| Threat Protection | 2.26.0| +| Customize response to blocked requests | 2.27.0 | +| Software Composition Analysis (SCA) | 2.16.0 | +| Code Security | 2.42.0 | +| Automatic user activity event tracking | 2.32.0 | +| API Security | 2.42.0 | + +The minimum tracer version to get all supported application security capabilities for .NET is 2.42.0. + +**Note**: Threat Protection requires enabling [Remote Configuration][3], which is included in the listed minimum tracer version. + +### Supported deployment types +| Type | Threat Detection support | Software Composition Analysis | +|-------------------|--------------------------|------------------------------------------| +| Docker | {{< X >}} | {{< X >}} | +| Kubernetes | {{< X >}} | {{< X >}} | +| Amazon ECS | {{< X >}} | {{< X >}} | +| AWS Fargate | {{< X >}} | {{< X >}} | +| AWS Lambda | {{< X >}} | | +| Azure App Service | {{< X >}} | {{< X >}} | + +**Note**: Azure App Service is supported for **web applications only**. Application Security capabilities are not supported for Azure Functions. + +## Language and framework compatibility + +### Supported .NET versions + +| .NET Framework Version | Microsoft End of Life | Support level | Package version | +| ----------------------- | --------------------- | ----------------------------------- | --------------------------- | +| 4.8 | | GA | latest | +| 4.7.2 | | GA | latest | +| 4.7 | | GA | latest | +| 4.6.2 | | GA | latest | +| 4.6.1 | 04/26/2022 | GA | latest | + + +These are supported on the following architectures: +- Linux (GNU) x86-64, ARM64 +- Alpine Linux (musl) x86-64, ARM64 +- macOS (Darwin) x86-64, ARM64 +- Windows (msvc) x86, x86-64 + + + +### Web framework compatibility + +- Attacker source HTTP request details +- Tags for the HTTP request (status code, method, etc) +- Distributed Tracing to see attack flows through your applications + +##### Application Security Capability Notes +- **Software Composition Analysis** is supported on all frameworks. +- If your framework is not listed below, **Code Security** will still detect Insecure Cookie vulnerabilities. + + +| Framework | Threat Detection supported? | Threat Protection supported? | Code Security? | +| ----------------------- | --------------- | ---------------------------------------------- | ---------------------------------------------- | +| ASP.NET MVC | {{< X >}} |{{< X >}} | {{< X >}} | +| ASP.NET Web API 2 | {{< X >}} | {{< X >}} | {{< X >}} | + +
If you don't see your framework of choice listed, let us know! Fill out this short form to send details.
+ +### Data store compatibility + +**Datastore tracing provides:** + +- SQL attack detection +- query info (for example, a sanitized query string) +- error and stacktrace capturing + +##### Application Security Capability Notes +- **Threat Protection** also works at the HTTP request (input) layer, and so works for all databases by default, even those not listed in the table below. + +| Framework | Threat Detection supported? | Threat Protection supported? | Code Security? | +|-------------------|-----------------|---------------------|---| +| OracleDB | {{< X >}} | {{< X >}} |{{< X >}} | +| ADO.NET | {{< X >}} | {{< X >}} |{{< X >}} | +| SQL Server | {{< X >}} | {{< X >}} |{{< X >}} | +| MySQL | {{< X >}} | {{< X >}} |{{< X >}} | +| SQLite | {{< X >}} | {{< X >}} |{{< X >}} | + +### User Authentication Frameworks compatibility + +Integrations to **User Authentication Frameworks provides:** + +- User login events including the user IDs +- User signup events (apps using built-in SignInManager) +- Account Takeover detection monitoring for user login events + +| Framework | +|-------------------| +| > .Net Core 2.1 | + +[1]: /tracing/trace_collection/compatibility/dotnet-core/ +[2]: /tracing/trace_collection/compatibility/dotnet-framework/ +[3]: /agent/remote_config/#enabling-remote-configuration diff --git a/content/en/security/application_security/setup/compatibility/envoy.md b/content/en/security/application_security/setup/compatibility/envoy.md new file mode 100644 index 0000000000000..9655f95945dce --- /dev/null +++ b/content/en/security/application_security/setup/compatibility/envoy.md @@ -0,0 +1,33 @@ +--- +title: Envoy Compatibility Requirements +code_lang: envoy +type: multi-code-lang +code_lang_weight: 40 +--- + +The following table lists the support for application security capabilities in the Envoy integration according to the specified tracer version: + +| Application Security capability | Minimum Envoy image version | +|----------------------------------------|------------------------------| +| Threat Detection | 1.71.0 | +| Threat Protection | 1.71.0 | +| Customize response to blocked requests | 1.71.0 | +| Software Composition Analysis (SCA) | not applicable | +| Code Security | not applicable | +| Automatic user activity event tracking | not supported | +| API Security | not supported | + +Please review Envoy integration version 1.71.0 [limitations][1]. + +## Envoy support + +Envoy integration is in Preview. + +Only the Linux version and both the arm64 and arm64 architectures are supported. + +
If you would like to see support added for any of +the unsupported capabilities, let us know! Fill out this short form to send +details.
+ +[1]: /security/application_security/threats/setup/threat_detection/envoy diff --git a/content/en/security/application_security/setup/compatibility/gcp-service-extensions.md b/content/en/security/application_security/setup/compatibility/gcp-service-extensions.md new file mode 100644 index 0000000000000..9c5f3a13e936a --- /dev/null +++ b/content/en/security/application_security/setup/compatibility/gcp-service-extensions.md @@ -0,0 +1,31 @@ +--- +title: AAP GCP Service Extensions Compatibility Requirements +code_lang: gcp-service-extensions +type: multi-code-lang +code_lang_weight: 40 +--- + +The following table lists the support for application security capabilities in the AAP GCP Service Extensions according to the specified version: + +| Application Security capability | Minimum AAP Service Extensions image version | +|----------------------------------------|----------------------------------------------| +| Threat Detection | 1.71.0 | +| Threat Protection | 1.71.0 | +| Customize response to blocked requests | 1.71.0 | +| Software Composition Analysis (SCA) | not applicable | +| Code Security | not applicable | +| Automatic user activity event tracking | not supported | +| API Security | not supported | + +Please review AAP GCP Service Extensions integration version 1.71.0 [limitations][1]. + +## AAP GCP Service Extensions support + +AAP GCP Service Extensions is in Preview. + +
If you would like to see support added for any of +the unsupported capabilities, let us know! Fill out this short form to send +details.
+ +[1]: /security/application_security/threats/setup/threat_detection/gcp-service-extensions diff --git a/content/en/security/application_security/setup/compatibility/go.md b/content/en/security/application_security/setup/compatibility/go.md new file mode 100644 index 0000000000000..ed0844a044a49 --- /dev/null +++ b/content/en/security/application_security/setup/compatibility/go.md @@ -0,0 +1,154 @@ +--- +title: Go Compatibility Requirements +code_lang: go +type: multi-code-lang +code_lang_weight: 20 +--- + +## Application Security capabilities + +The following application security capabilities are supported in the Go library, for the specified tracer version: + +| Application Security capability | Minimum Go tracer version | +| -------------------------------- | ----------------------------| +| Threat Detection| 1.47.0 | +| API Security | 1.59.0 | +| Threat Protection | 1.50.0 | +| Customize response to blocked requests | 1.53.0 | +| Software Composition Analysis (SCA) | 1.49.0 | +| Code Security | not supported | +| Automatic user activity event tracking | not supported | + +The minimum tracer version to get all supported application security capabilities for Go is 1.59.0. + +**Note**: Threat Protection requires enabling [Remote Configuration][1], which is included in the listed minimum tracer version. + +### Supported deployment types +| Type | Threat Detection support | Software Composition Analysis | +|-------------|--------------------------|-------------------------------| +| Docker | {{< X >}} | {{< X >}} | +| Kubernetes | {{< X >}} | {{< X >}} | +| Amazon ECS | {{< X >}} | {{< X >}} | +| AWS Fargate | {{< X >}} | {{< X >}} | +| AWS Lambda | {{< X >}} | | + +## Language and framework compatibility + +### Supported Go versions + +The Datadog Go Tracing library is open source. View the [GitHub repository][2] for more information. + +The Datadog Go Tracing Library has a [version support policy][3] defined for Go versions. The two latest releases of Go are fully supported, while the third newest release is considered in [maintenance][4]. Older versions may function, but no support is provided by default. For special requests, [contact support][5]. + +You must be running Datadog Agent v5.21.1+ + +Starting from tracer version 1.53.0, application security capabilities do not require [CGO][15]. + +## Integrations + +The Go tracer includes support for the following frameworks, data stores and libraries. + +The Go packages listed in this page are relevant for Application Security capabilities. You can also find more tracing integrations in [APM's tracing compatibility page][16]. + +{{% tabs %}} +{{% tab "v1" %}} + +**Note**: The [Go integrations documentation][6] provides a detailed overview of the supported packages and their APIs, along with usage examples. + +
If you don't see your library of choice listed, fill out this form to send details.
+ +### Web framework compatibility + +| Framework | Threat Detection supported? | Threat Protection supported? | +|-------------------|-----------------------------|------------------------------| +| [net/http][13] | | | +| [Gin][7] | | | +| [Gorilla Mux][8] | | | +| [gRPC][11] | | | +| [echo v4][9] | | | +| [echo v3][10] | | | +| [chi][12] | | | +| [graphql-go][17] | | | +| [gqlgen][18] | | | + + +### Networking framework compatibility + +| Framework | Threat Detection supported? | Threat Protection supported? | +|-----------------------|-----------------------------|------------------------------| +| [gRPC client][11] | | | +| [net/http client][13] | | | + +### Data store compatibility + +| Framework | Threat Detection supported? | Threat Protection supported? | +|-------------------|-----------------|--------------------------------------------------------------------------| +| [sql][14] | | | + +[6]: https://pkg.go.dev/gopkg.in/DataDog/dd-trace-go.v1/contrib +[7]: https://pkg.go.dev/gopkg.in/DataDog/dd-trace-go.v1/contrib/gin-gonic/gin +[8]: https://pkg.go.dev/gopkg.in/DataDog/dd-trace-go.v1/contrib/gorilla/mux +[9]: https://pkg.go.dev/gopkg.in/DataDog/dd-trace-go.v1/contrib/labstack/echo.v4 +[10]: https://pkg.go.dev/gopkg.in/DataDog/dd-trace-go.v1/contrib/labstack/echo +[11]: https://pkg.go.dev/gopkg.in/DataDog/dd-trace-go.v1/contrib/google.golang.org/grpc +[12]: https://pkg.go.dev/gopkg.in/DataDog/dd-trace-go.v1/contrib/go-chi/chi +[13]: https://pkg.go.dev/gopkg.in/DataDog/dd-trace-go.v1/contrib/net/http +[14]: https://pkg.go.dev/gopkg.in/DataDog/dd-trace-go.v1/contrib/database/sql +[16]: /tracing/compatibility_requirements/go +[17]: https://pkg.go.dev/github.com/graphql-go/graphql +[18]: https://pkg.go.dev/github.com/99designs/gqlgen/graphql + +{{% /tab %}} +{{% tab "v2" %}} + +**Note**: The [Go integrations documentation][19] provides a detailed overview of the supported packages and their APIs, along with usage examples. + +
If you don't see your library of choice listed, fill out this form to send details.
+ +### Web framework compatibility + +| Framework | Threat Detection supported? | Threat Protection supported? | +|-------------------|-----------------------------|------------------------------| +| [net/http][25] | | | +| [Gin][20] | | | +| [Gorilla Mux][21] | | | +| [gRPC][23] | | | +| [echo v4][22] | | | +| [chi][24] | | | +| [graphql-go][17] | | | +| [gqlgen][18] | | | + + +### Networking framework compatibility + +| Framework | Threat Detection supported? | Threat Protection supported? | +|-----------------------|-----------------------------|------------------------------| +| [gRPC client][23] | | | +| [net/http client][25] | | | + +### Data store compatibility + +| Framework | Threat Detection supported? | Threat Protection supported? | +|-------------------|-----------------|--------------------------------------------------------------------------| +| [sql][26] | | | + +[17]: https://pkg.go.dev/github.com/graphql-go/graphql +[18]: https://pkg.go.dev/github.com/99designs/gqlgen/graphql +[19]: https://pkg.go.dev/github.com/DataDog/dd-trace-go/v2/contrib +[20]: https://pkg.go.dev/github.com/DataDog/dd-trace-go/contrib/gin-gonic/gin/v2 +[21]: https://pkg.go.dev/github.com/DataDog/dd-trace-go/contrib/gorilla/mux/v2 +[22]: https://pkg.go.dev/github.com/DataDog/dd-trace-go/contrib/labstack/echo.v4/v2 +[23]: https://pkg.go.dev/github.com/DataDog/dd-trace-go/contrib/google.golang.org/grpc/v2 +[24]: https://pkg.go.dev/github.com/DataDog/dd-trace-go/contrib/go-chi/chi/v2 +[25]: https://pkg.go.dev/github.com/DataDog/dd-trace-go/contrib/net/http/v2 +[26]: https://pkg.go.dev/github.com/DataDog/dd-trace-go/contrib/database/sql/v2 + +{{% /tab %}} +{{% /tabs %}} + +[1]: /agent/remote_config/#enabling-remote-configuration +[2]: https://github.com/DataDog/dd-trace-go +[3]: https://github.com/DataDog/dd-trace-go#support-policy +[4]: https://github.com/DataDog/dd-trace-go#support-maintenance +[5]: https://www.datadoghq.com/support/ +[15]: https://github.com/golang/go/wiki/cgo \ No newline at end of file diff --git a/content/en/security/application_security/setup/compatibility/java.md b/content/en/security/application_security/setup/compatibility/java.md new file mode 100644 index 0000000000000..1c77b0bfadc4b --- /dev/null +++ b/content/en/security/application_security/setup/compatibility/java.md @@ -0,0 +1,163 @@ +--- +title: Java Compatibility Requirements +code_lang: java +type: multi-code-lang +code_lang_weight: 0 +--- + +## Application Security capabilities + +The following application security capabilities are supported in the Java library, for the specified tracer version: + +| Application Security capability | Minimum Java tracer version | +| -------------------------------- | ----------------------------| +| Threat Detection | 1.8.0 | +| API Security | 1.31.0 | +| Threat Protection| 1.9.0 | +| Customize response to blocked requests | 1.11.0 | +| Software Composition Analysis (SCA) | 1.1.4 | +| Code Security | 1.15.0| +| Automatic user activity event tracking | 1.20.0 | + +The minimum tracer version to get all supported application security capabilities for Java is 1.31.0. + +**Note**: Threat Protection requires enabling [Remote Configuration][2], which is included in the listed minimum tracer version. + +### Supported deployment types +| Type | Threat Detection support | Software Composition Analysis | +|-------------------|--------------------------|-------------------------------| +| Docker | {{< X >}} | {{< X >}} | +| Kubernetes | {{< X >}} | {{< X >}} | +| Amazon ECS | {{< X >}} | {{< X >}} | +| AWS Fargate | {{< X >}} | {{< X >}} | +| AWS Lambda | {{< X >}} | | +| Azure App Service | {{< X >}} | {{< X >}} | + +**Note**: Azure App Service is supported for **web applications only**. Application Security doesn't support Azure Functions. + +## Language and framework compatibility + +### Supported Java versions +The Java Tracer supports automatic instrumentation for the following Oracle JDK and OpenJDK JVM runtimes. + +| JVM versions | Operating Systems | Support level | Tracer version | +| -------------| ------------------------------------------------------------------------------- | ----------------------------------- | -------------- | +| 8 to 17 | Windows (x86-64)
Linux (glibc, musl) (arm64, x86-64)
MacOS (arm64, x86-64) | Supported | Latest | + + +Datadog does not officially support any early-access versions of Java. + + + + + + +### Web framework compatibility + +- Attacker source HTTP request details +- Tags for the HTTP request (status code, method, etc) +- Distributed Tracing to see attack flows through your applications + +##### Application Security Capability Notes +- **Software Composition Analysis** is supported on all frameworks +- If **Code Security** does not support your framework, it will still detect Weak Cipher, Weak Hashing, Insecure Cookie, Cookie without HttpOnly Flag, and Cookie without SameSite Flag vulnerabilities. + + + +| Framework | Versions | Threat Detection supported? | Threat Protection supported? |Code Security? | +| ----------------------- | ---------- | --------------- | ---------------------------------------------- | ---------------------------------------------- | +| Grizzly | 2.0+ | {{< X >}} | {{< X >}} | {{< X >}} | +| Glassfish | | {{< X >}} | {{< X >}} | {{< X >}} | +| gRPC | 1.5+ | {{< X >}} | {{< tooltip text="N/A" tooltip="Blocking not yet available for gRPC" >}} | {{< X >}} | +| Java Servlet | 2.3+, 3.0+ | {{< X >}} | {{< X >}} | {{< X >}} | +| Jetty | 7.0-9.x, 10.x | {{< X >}} | {{< X >}} | {{< X >}} | +| Spring Boot | 1.5 | {{< X >}} | {{< X >}} | {{< X >}} | +| Spring Web (MVC) | 4.0+ | {{< X >}} | {{< X >}} | {{< X >}} | +| Spring WebFlux | 5.0+ | | | {{< X >}} | +| Tomcat | 5.5+ | {{< X >}} | {{< X >}} | {{< X >}} | +| Vert.x | 3.4-3.9.x | {{< X >}} | {{< X >}} | {{< X >}} | + +**Note**: Many application servers are Servlet compatible and are automatically covered by that instrumentation, such as Websphere, Weblogic, and JBoss. Also, frameworks like Spring Boot (version 3) inherently work because they usually use a supported embedded application server, such as Tomcat, Jetty, or Netty. + +
If you don't see your framework of choice listed, let us know! Fill out this short form to send details.
+ +### Networking framework compatibility + +`dd-java-agent` includes support for automatically tracing the following networking frameworks. + +**Networking tracing provides:** + +- Distributed tracing through your applications +- Request-based blocking + +##### Application Security Capability Notes +- **Software Composition Analysis** is supported on all frameworks +- If **Code Security** does not support your framework, it will still detect Weak Cipher, Weak Hashing, Insecure Cookie, Cookie without HttpOnly Flag, and Cookie without SameSite Flag vulnerabilities. + + +| Framework | Versions | Threat Detection supported? | Threat Protection supported? | Code Security? | +| ------------------------ | ----------- | --------------- | ---------------------------------------------- | ---------------------------------------------- | +| Apache HTTP Client | 4.0+ | {{< X >}} | | | +| gRPC | 1.5+ | {{< X >}} | | | +| HttpURLConnection | all | {{< X >}} | | | +| Jax RS Clients | 2.0+ | {{< X >}} | {{< X >}} | {{< X >}} | +| Jersey Server | 1.9-2.29 | {{< X >}} | {{< X >}} | {{< X >}} | +| Netty HTTP Server | 3.8+ | {{< X >}} | | | +| RESTEasy | 3.0.x | {{< X >}} | | | +| Spring SessionAwareMessageListener | 3.1+ | {{< X >}} | | | + +
If you don't see your framework of choice listed, let us know! Fill out this short form to send details.
+ +### Data store compatibility + +`dd-java-agent` includes support for automatically tracing the following database frameworks/drivers. + +**Datastore tracing provides:** + +- Timing request to response +- Query info (for example, a sanitized query string) +- Error and stacktrace capturing + +##### Application Security Capability Notes +- **Software Composition Analysis** is supported on all frameworks +- **Threat Protection** also works at the HTTP request (input) layer, and so works for all databases by default, even those not listed in the table below. +- If your framework is not supported below, **Code Security** won’t detect SQL Injection vulnerabilities, but will still detect the rest of vulnerability types listed [here][3]. + +| Database | Versions | Threat Detection supported? | Code Security? | +| ----------------------- | -------- | ------------------------| ---------------------------------------------------------------- | +| Aerospike | 4.0+ | {{< X >}} | | +| Couchbase | 2.0+ | {{< X >}} | | +| JDBC | N/A | {{< X >}} | {{< X >}} | +| MongoDB | 3.0-4.0+ | {{< X >}} | | + +`dd-java-agent` is also compatible with common JDBC drivers for Threat Detection, such as: + +- Apache Derby +- Firebird SQL +- H2 Database Engine +- HSQLDB +- IBM DB2 +- MariaDB +- MSSQL (Microsoft SQL Server) +- MySQL +- Oracle +- Postgres SQL +- ScalikeJDBC + +
If you don't see your framework of choice listed, let us know! Fill out this short form to send details.
+ +### User Authentication Frameworks compatibility + +**Integrations to User Authentication Frameworks provide:** + +- User login events, including the user IDs +- Account Takeover detection monitoring for user login events + +| Framework | Minimum Framework Version | +|-------------------|---------------------------| +| Spring Security | 5.5+ | + + +[1]: /tracing/trace_collection/compatibility/java/ +[2]: /agent/remote_config/?tab=configurationyamlfile#enabling-remote-configuration +[3]: /security/code_security/software_composition_analysis/ diff --git a/content/en/security/application_security/setup/compatibility/nginx.md b/content/en/security/application_security/setup/compatibility/nginx.md new file mode 100644 index 0000000000000..6e94a0e3ed2a7 --- /dev/null +++ b/content/en/security/application_security/setup/compatibility/nginx.md @@ -0,0 +1,35 @@ +--- +title: Nginx Compatibility Requirements +code_lang: nginx +type: multi-code-lang +code_lang_weight: 40 +--- + +## Application Security capabilities support + +The following application security capabilities are supported in the nginx integration, for the +specified tracer version: + +| Application Security capability | Minimum nginx module version | +|----------------------------------------|------------------------------| +| Threat Detection | 1.2.0 | +| Threat Protection | 1.3.0 | +| Customize response to blocked requests | 1.3.0 | +| Software Composition Analysis (SCA) | not applicable | +| Code Security | not applicable | +| Automatic user activity event tracking | not supported | +| API Security | not supported | + +Please review nginx version 1.3.0 [limitations][1]. + +## Nginx support + +The nginx module policy is to support nginx versions up to one year past their +end-of-life. Only Linux and the arm64 and amd64 architectures are supported. + +
If you would like to see support added for any of +the unsupported capabilities, let us know! Fill out this short form to send +details.
+ +[1]: /security/application_security/threats/setup/threat_detection/nginx/ diff --git a/content/en/security/application_security/setup/compatibility/nodejs.md b/content/en/security/application_security/setup/compatibility/nodejs.md new file mode 100644 index 0000000000000..61d7330731c3b --- /dev/null +++ b/content/en/security/application_security/setup/compatibility/nodejs.md @@ -0,0 +1,181 @@ +--- +title: Node.js Compatibility Requirements +code_lang: nodejs +type: multi-code-lang +code_lang_weight: 50 +--- + +## Application Security capabilities + +The following application security capabilities are supported in the Node.js library, for the specified tracer version: + +| Application Security capability | Minimum Node.js tracer version | +|----------------------------------------|----------------------------------------------------| +| Threat Detection | 4.0.0 | +| Threat Protection | 4.0.0 | +| Customize response to blocked requests | 4.1.0 | +| Software Composition Analysis (SCA) | 4.0.0 | +| Code Security | 4.18.0 for Node.js 16+, or 5.0.0 for Node.js 18+ | +| Automatic user activity event tracking | 4.4.0 for Node.js 16+ | +| API Security | 4.30.0 for Node.js 16+, or 5.6.0 for Node.js 18+ | + +The minimum tracer version to get all supported application security capabilities for Node.js is 4.30.0. + + +**Note**: +- Threat Protection requires enabling [Remote Configuration][2], which is included in the listed minimum tracer version. + +### Supported deployment types +| Type | Threat Detection support | Software Composition Analysis | +|-------------|--------------------------|-------------------------------| +| Docker | {{< X >}} | {{< X >}} | +| Kubernetes | {{< X >}} | {{< X >}} | +| Amazon ECS | {{< X >}} | {{< X >}} | +| AWS Fargate | {{< X >}} | {{< X >}} | +| AWS Lambda | {{< X >}} | {{< X >}} | + +## Language and framework compatibility + +### Node.js Version Support + +When the Node.js project drops support for an LTS major release line (when it goes End of Life), support for it is dropped in the next major version of `dd-trace`. +The last major supporting release line of `dd-trace` library supports that EOL version of Node.js for at least another year on a maintenance mode basis. + +Some issues cannot be solved in `dd-trace` and instead must be solved in Node.js. When this happens and the Node.js release in question is EOL, it's not possible to solve the issue without moving to another non-EOL release. +Datadog does not make new releases of `dd-trace` to provide specific support for non-LTS Node.js major release lines (odd numbered versions). + +For the best level of support, always run the latest LTS release of Node.js, and the latest major version of `dd-trace`. Whatever release line of Node.js you use, also use the latest version of Node.js on that release line, to ensure you have the latest security fixes. + +For more information about Node.js release, see the [official Node.js documentation][4]. + + + +### Operating system support + +The following operating systems are officially supported by `dd-trace`. Any operating system not listed is still likely to work, but with some features missing, for example application security capabilities, profiling, and runtime metrics. Generally speaking, operating systems that are actively maintained at the time of initial release for a major version are supported. + + +| Operating System | Architectures | Minimum Versions | +|------------------|---------------|------------------------------------------| +| Linux (glibc) | arm64, x64 | CentOS 7, Debian 9, RHEL 7, Ubuntu 14.04 | +| Linux (musl) | arm64, x64 | Alpine 3.13 | +| macOS | arm64, x64 | Catalina (10.15) | +| Windows | x64 | Windows 8.1, Windows Server 2012 | + + + + + +### Web framework compatibility + +- Attacker source HTTP request details +- Tags for the HTTP request (status code, method, etc) +- Distributed Tracing to see attack flows through your applications + +##### Application Security Capability Notes +- **Software Composition Analysis** is supported on all frameworks +- If your framework is not listed below, **Code Security** will still detect Weak Cipher, Weak Hashing, Insecure Cookie, Cookie without HttpOnly Flag, and Cookie without SameSite Flag vulnerabilities. +- Although Threat Protection is available for express >= 4 versions, the blocking of payloads on the body is only supported for applications using `body-parser` library. + +| Framework | Versions | Threat Detection supported? | Threat Protection supported? | Code Security? | +|-----------|----------|-----------------------------|------------------------------|----------------------------------------------------| +| express | >=4 | {{< X >}} | {{< X >}} | {{< X >}} | +| nextjs | >=11.1 | {{< X >}} | | | + + + + + +
If you would like to see support added for any of the unsupported capabilities or for your Node.js framework, let us know! Fill out this short form to send details.
+ + +### Networking framework compatibility + + +**Networking tracing provides:** + +- Distributed tracing through your applications +- Request-based blocking + +##### Application Security Capability Notes +- **Software Composition Analysis** is supported on all frameworks + + + +| Framework | Threat Detection supported? | Threat Protection supported? | Code Security? | +|-----------|-----------------------------|------------------------------|----------------------------------------------------| +| http | {{< X >}} | {{< X >}} | {{< X >}} | +| https | {{< X >}} | {{< X >}} | {{< X >}} | + + +
If you don't see your framework of choice listed, let us know! Fill out this short form to send details.
+ +### Data store compatibility + + +**Datastore tracing provides:** + +- Timing request to response +- Query info (for example, a sanitized query string) +- Error and stacktrace capturing + +##### Application Security Capability Notes +- **Software Composition Analysis** is supported on all frameworks +- **Threat Protection** also works at the HTTP request (input) layer, and so works for all databases by default, even those not listed in the table below. + + +| Framework | Versions | Threat Detection supported? | Threat Protection supported? | Code Security? | +|--------------------------|-----------|-----------------------------|------------------------------|----------------------------------------------------| +| [@apollo/server][43] | `>=4` | {{< X >}} | {{< X >}} | | +| [apollo-server-core][44] | `>=3` | {{< X >}} | {{< X >}} | | +| [cassandra-driver][28] | `>=3` | {{< X >}} | {{< X >}} | | +| [couchbase][29] | `^2.4.2` | {{< X >}} | {{< X >}} | | +| [elasticsearch][30] | `>=10` | {{< X >}} | {{< X >}} | | +| [ioredis][31] | `>=2` | {{< X >}} | {{< X >}} | | +| [knex][32] | `>=0.8` | {{< X >}} | {{< X >}} | | +| [mariadb][5] | `>=3` | {{< X >}} | {{< X >}} | | +| [memcached][33] | `>=2.2` | {{< X >}} | {{< X >}} | | +| [mongodb-core][34] | `>=2` | {{< X >}} | {{< X >}} | {{< X >}} | +| [mysql][35] | `>=2` | {{< X >}} | {{< X >}} | {{< X >}} | +| [mysql2][36] | `>=1` | {{< X >}} | {{< X >}} | {{< X >}} | +| [oracledb][37] | `>=5` | {{< X >}} | {{< X >}} | | +| [pg][38] | `>=4` | {{< X >}} | {{< X >}} | {{< X >}} | +| [redis][39] | `>=0.12` | {{< X >}} | {{< X >}} | | +| [sharedb][40] | `>=1` | {{< X >}} | {{< X >}} | | +| [tedious][41] | `>=1` | {{< X >}} | {{< X >}} | | +| [sequelize][42] | `>=4` | {{< X >}} | {{< X >}} | {{< X >}} | + + +### User Authentication Frameworks compatibility + +**Integrations to User Authentication Frameworks provide:** + +- User login events, including the user IDs +- The Account Takeover detection monitoring the user login events + +| Framework | Minimum Framework Version | +|-----------------|---------------------------| +| passport-local | 1.0.0 | +| passport-http | 0.3.0 | + +[1]: /tracing/trace_collection/compatibility/nodejs/ +[2]: /agent/remote_config/#enabling-remote-configuration +[4]: https://github.com/nodejs/release#release-schedule +[5]: https://github.com/mariadb-corporation/mariadb-connector-nodejs +[28]: https://github.com/datastax/nodejs-driver +[29]: https://github.com/couchbase/couchnode +[30]: https://github.com/elastic/elasticsearch-js +[31]: https://github.com/luin/ioredis +[32]: https://knexjs.org +[33]: https://github.com/3rd-Eden/memcached +[34]: https://www.mongodb.com/docs/drivers/node/current/ +[35]: https://github.com/mysqljs/mysql +[36]: https://github.com/sidorares/node-mysql2 +[37]: https://oracle.github.io/node-oracledb/ +[38]: https://node-postgres.com +[39]: https://github.com/NodeRedis/node_redis +[40]: https://share.github.io/sharedb/ +[41]: http://tediousjs.github.io/tedious +[42]: https://github.com/sequelize/sequelize +[43]: https://github.com/apollographql/apollo-server +[44]: https://www.npmjs.com/package/apollo-server-core diff --git a/content/en/security/application_security/setup/compatibility/php.md b/content/en/security/application_security/setup/compatibility/php.md new file mode 100644 index 0000000000000..a8b9f0e30d388 --- /dev/null +++ b/content/en/security/application_security/setup/compatibility/php.md @@ -0,0 +1,149 @@ +--- +title: PHP Compatibility Requirements +code_lang: php +type: multi-code-lang +code_lang_weight: 40 +--- + +## Application Security capabilities support + +The following application security capabilities are supported in the PHP library, for the specified tracer version: + +| Application Security capability | Minimum PHP tracer version | +| -------------------------------- |----------------------------| +| Threat Detection | 0.84.0 | +| Threat Protection | 0.86.0 | +| Customize response to blocked requests | 0.86.0 | +| Software Composition Analysis (SCA) | 0.90.0 | +| Code Security | not supported | +| Automatic user activity event tracking | 0.89.0 | +| API Security | 0.98.0 | + +The minimum tracer version to get all supported AAP capabilities for PHP is 0.98.0. + + +
If you would like to see support added for any of the unsupported capabilities, let us know! Fill out this short form to send details.
+ +### Supported deployment types +| Type | Threat Detection support | Software Composition Analysis | +|-------------|--------------------------|-------------------------------| +| Docker | {{< X >}} | {{< X >}} | +| Kubernetes | {{< X >}} | {{< X >}} | +| Amazon ECS | {{< X >}} | {{< X >}} | +| AWS Fargate | | | +| AWS Lambda | | | + +## Language and framework compatibility + +
+Note: +It's recommended to use officially supported versions of PHP, especially 8.0, 8.1 and 8.2. +
+ +| PHP Version | Support level | Package version | +|:---------------|:--------------------------------------|:----------------| +| 8.3.x | General Availability | > `0.95.0+` | +| 8.2.x | General Availability | > `0.82.0+` | +| 8.1.x | General Availability | > `0.66.0+` | +| 8.0.x | General Availability | > `0.52.0+` | +| 7.4.x | General Availability | All | +| 7.3.x | General Availability | All | +| 7.2.x | General Availability | All | +| 7.1.x | General Availability | All | +| 7.0.x | General Availability | All | + +Application Security capabililties for PHP support the following SAPI's: + +| SAPI | Support type | +|:---------------|:----------------| +| apache2handler | Fully Supported | +| cli | Fully Supported | +| fpm-fcgi | Fully Supported | +| cgi-fcgi | Fully Supported | + +## Supported processor architectures + +Application Security capabililties for PHP support the following architectures: + +| Processor architectures | Support level | Package version | +| ------------------------------------------|-----------------------|----------------------------------------| +| Linux GNU amd64 (`x86-64-linux-gnu`) | GA | All | +| Linux MUSL amd64 (`x86-64-linux-musl`) | GA | All | +| Linux GNU arm64 (aarch64-linux-gnu) | GA | > `0.95.0` | +| Linux MUSL arm64 (aarch64-linux-musl) | GA | > `0.95.0` | +| Windows | Not supported | | + +The Datadog PHP library supports PHP version 7.0 and above on the following architectures: + +- Linux (GNU) x86-64 and arm64 +- Alpine Linux (musl) x86-64 and arm64 + +The library supports the use of all PHP frameworks, and also the use of no framework. + + +### Web framework compatibility + +- Attacker source HTTP request details +- Tags for the HTTP request (status code, method, etc) +- Distributed Tracing to see attack flows through your applications + +##### Application Security Capability Notes +- **Code Security** is not supported + +The following frameworks aren't directly instrumented by Application Security, but indirectly supported through runtime instrumentation. + +| Framework | Versions | Threat Detection supported? | Threat Protection supported? | +| ------------------------ | ----------- | --------------- | ---------------------------------------------- | +| CakePHP | 2.x | {{< X >}} | {{< X >}} | +| CodeIgniter | 2.x | {{< X >}} | {{< X >}} | +| FuelPHP | 1.1 | {{< X >}} | {{< X >}} | +| Laravel | 4.2, 5.x, 6.x, 8.x(tracer 0.52.0+), 9.x, 10.x | {{< X >}} | {{< X >}} | +| Lumen | 1.9-2.29 | {{< X >}} | {{< X >}} | +| Magento | 3.8+ | {{< X >}} | {{< X >}} | +| Neos Flow | 3.0.x | {{< X >}} | {{< X >}} | +| Phalcon | 3.1+ | {{< X >}} | {{< X >}} | +| Slim | 3.1+ | {{< X >}} | {{< X >}} | +| Symfony | 3.1+, 4.x, 5.x, 6.x | {{< X >}} | {{< X >}} | +| Wordpress | 3.1+, 4.x, 5.x, 6.x | {{< X >}} | {{< X >}} | +| Yii | 3.1+ | {{< X >}} | {{< X >}} | +| Zend | 3.1+ | {{< X >}} | {{< X >}} | +| RoadRunner | 2.x | {{< X >}} | {{< X >}} | + + +### Data store compatibility + +**Datastore tracing provides:** + +- SQL attack detection +- query info (for example, a sanitized query string) +- error and stacktrace capturing + +##### Application Security Capability Notes +- **Code Security** is not supported +- **Threat Protection** also works at the HTTP request (input) layer, and so works for all databases by default, even those not listed in the table below. + +| Framework | Versions | Threat Detection supported? | Threat Protection supported?| +|-------------------|-----------------|-----------------|---------------| +| Amazon RDS | Any supported PHP | {{< X >}} | {{< X >}} | +| Eloquent | Laravel supported versions | {{< X >}} | {{< X >}} | +| Memcached | Any supported PHP | {{< X >}} | {{< X >}} | +| MySQLi | Any supported PHP | {{< X >}} | {{< X >}} | +| PDO | Any supported PHP| {{< X >}}| {{< X >}} | +| PHPRedis | 3, 4, 5 | {{< X >}} | {{< X >}} | +| Predis | 1.1 | {{< X >}} | {{< X >}} | + +### User Authentication Frameworks compatibility + +**Integrations to User Authentication Frameworks provide:** + +- User login events, including the user IDs +- Account Takeover detection monitoring for user login events + +| Framework | Minimum Framework Version | +|-----------|---------------------------| +| Laravel | 4.2 | +| Symfony | 3.3 | +| Wordpress | 4.8 | + +[1]: /tracing/trace_collection/compatibility/php/ +[2]: /agent/remote_config/#enabling-remote-configuration diff --git a/content/en/security/application_security/setup/compatibility/python.md b/content/en/security/application_security/setup/compatibility/python.md new file mode 100644 index 0000000000000..371aef57ba525 --- /dev/null +++ b/content/en/security/application_security/setup/compatibility/python.md @@ -0,0 +1,109 @@ +--- +title: Python Compatibility Requirements +code_lang: python +type: multi-code-lang +code_lang_weight: 50 +--- +## Application Security capabilities support + +The following application security capabilities are supported in the Python library, for the specified tracer version: + +| Application Security capability | Minimum Python tracer version | +|----------------------------------------|-------------------------------| +| Threat Detection | 1.9.0 | +| Threat Protection | 1.10.0 | +| Customize response to blocked requests | 1.19.0 | +| Software Composition Analysis (SCA) | 1.5.0 | +| Code Security (Preview) | 2.9.3 | +| Automatic user activity event tracking | 1.17.0 | +| API Security | 2.6.0 | + +**Note**: Threat Protection requires enabling [Remote Configuration][2], which is included in the listed minimum tracer version. + +### Supported deployment types +| Type | Threat Detection support | Software Composition Analysis | +|-------------|--------------------------|-------------------------------| +| Docker | {{< X >}} | {{< X >}} | +| Kubernetes | {{< X >}} | {{< X >}} | +| Amazon ECS | {{< X >}} | {{< X >}} | +| AWS Fargate | {{< X >}} | {{< X >}} | +| AWS Lambda | {{< X >}} | | + + +## Language and framework compatibility + +### Supported Python versions + +The Python Application Security Client library follows a [versioning policy][3] that specifies the support level for the different versions of the library and Python runtime. + +Two release branches are supported: + +| Release | Support level | +|------------|----------------------| +| `<1` | Maintenance | +| `>=1.0,<2` | General Availability | + +And the library supports the following runtimes: + +| OS | CPU | Runtime | Runtime version | Support ddtrace versions | +|---------|-----------------------|---------|-----------------|--------------------------| +| Linux | x86-64, i686, AArch64 | CPython | 2.7, 3.5-3.11 | `<2` | +| MacOS | Intel, Apple Silicon | CPython | 2.7, 3.5-3.11 | `<2` | +| Windows | 64bit, 32bit | CPython | 2.7, 3.5-3.11 | `<2` | + + +### Web framework compatibility + +- Attacker source HTTP request details +- Tags for the HTTP request (status code, method, etc) +- Distributed Tracing to see attack flows through your applications + +##### Application Security Capability Notes +- **Software Composition Analysis** is supported on all frameworks + +### Supported frameworks + + +| Framework | Versions | Threat Detection supported? | Threat Protection supported? | +| ------------------------ | ----------- | --------------- | ---------------------------------------------- | +| Django | 2.2 | {{< X >}} | {{< X >}} | +| FastAPI | 0.86 | {{< X >}} | {{< X >}} | +| Flask | 1.1 | {{< X >}} | {{< X >}} | + + +
If you don't see your framework of choice listed, let us know! Fill out this short form to send details.
+ +### Data store compatibility + + +**Datastore tracing provides:** + +- timing request to response +- query info (for example, a sanitized query string) +- error and stacktrace capturing + +##### Application Security Capability Notes +- **Software Composition Analysis** is supported on all frameworks. +- **Threat Protection** also works at the HTTP request (input) layer, and so works for all databases by default, even those not listed in the table below. +- +The Python library supports the [database API specifications][4] and supports all generic SQL databases. This includes databases such as SQLite, Mysql, Postgres and MariaDB. + +### User Authentication Frameworks compatibility + +**Integrations to User Authentication Frameworks provide:** + +- User login events, including the user IDs +- Account Takeover detection monitoring for user login events + +| Framework | Framework Versions | +|-------------------| --------------------------- | +| Django | 1.11, 2.2, 3.2, >= 4.0 + +[1]: /tracing/trace_collection/compatibility/python/ +[2]: /agent/remote_config/#enabling-remote-configuration +[3]: https://ddtrace.readthedocs.io/en/stable/versioning.html +[4]: https://peps.python.org/pep-0249/ + + + + diff --git a/content/en/security/application_security/setup/compatibility/ruby.md b/content/en/security/application_security/setup/compatibility/ruby.md new file mode 100644 index 0000000000000..4c25811ff2198 --- /dev/null +++ b/content/en/security/application_security/setup/compatibility/ruby.md @@ -0,0 +1,126 @@ +--- +title: Ruby Compatibility Requirements +code_lang: ruby +type: multi-code-lang +code_lang_weight: 30 +--- + +## Application Security capabilities support + +The following application security capabilities are supported in the Ruby library, for the specified tracer version: + +| Application Security capability | Minimum Ruby tracer version | +| -------------------------------- | ----------------------------| +| Threat Detection | 1.9.0 | +| Threat Protection | 1.11.0 | +| Customize response to blocked requests | 1.15.0 | +| Software Composition Analysis (SCA) | 1.11.0 | +| Code Security | not supported | +| Automatic user activity event tracking | 1.14.0 | +| API Security | 2.4.0 | + +The minimum tracer version to get all supported application security capabilities for Ruby is 1.15.0. + +
If you would like to see support added for any of the unsupported capabilities, or for your Ruby framework, let us know! Fill out this short form to send details.
+ +### Supported deployment types +| Type | Threat Detection support | Software Composition Analysis | +|-------------|--------------------------|-------------------------------| +| Docker | {{< X >}} | | +| Kubernetes | {{< X >}} | | +| Amazon ECS | {{< X >}} | | +| AWS Fargate | {{< X >}} | | +| AWS Lambda | | | + +## Language and framework compatibility + + +**Supported Ruby interpreters** +The Datadog Ruby library supports the latest gem for the following Ruby interpreters: + +- [MRI][2] versions 2.5 to 3.3 +- [JRuby][3] versions 9.2.21.0+ and 9.3 + +These are supported on the following architectures: +- Linux (GNU) x86-64, aarch64 +- Alpine Linux (musl) x86-64, aarch64 +- macOS (Darwin) x86-64, arm64 + +### Supported web servers +- Attacker source HTTP request details +- Tags for the HTTP request (status code, method, etc) +- Distributed Tracing to see attack flows through your applications + +##### Application Security Capability Notes +- **Code Security** is not supported + +| Framework | Threat Detection supported? | Threat Protection supported? | +| ------------------------ | ----------- | --------------- | +| Rack | {{< X >}} | {{< X >}} | +| Rails | {{< X >}} | {{< X >}} | +| Sinatra | {{< X >}} | {{< X >}} | +| Grape | {{< X >}} | {{< X >}} | +| Unicorn | {{< X >}} | {{< X >}} | +| Passenger | {{< X >}} | {{< X >}} | +| GraphQL | {{< X >}} | {{< X >}} | + +| Framework Web Server | Minimum Framework Version | Minimum Tracer Version | +| ----------------------- | --------------------------- | ---------------------- | +| Rack | 1.1 | 1.9.0 | +| Rails | 3.2 (also depends on Ruby version) | 1.9.0 | +| Sinatra | 1.4 | 1.9.0 | +| GraphQL | 2.0.19 | 2.3.0 | + +### Networking framework compatibility + +**Networking tracing provides:** + +- Distributed tracing through your applications +- Request-based blocking + +##### Application Security Capability Notes +- **Code Security** is not supported + +| Framework | Threat Detection supported? | Threat Protection supported? | +|-------------------|-----------------|--------------------------------------------------------------------------| +| Rack | {{< X >}} | {{< X >}} | + +
If you don't see your framework of choice listed, let us know! Fill out this short form to send details.
+ + +### Data store compatibility + +**Datastore tracing provides:** + +- SQL attack detection +- query info (for example, a sanitized query string) +- error and stacktrace capturing + +##### Application Security Capability Notes +- **Code Security** is not supported +- **Threat Protection** also works at the HTTP request (input) layer, and so works for all databases by default, even those not listed in the table below. + +| Framework | Threat Detection supported? | Threat Protection supported? | +|-------------------|-----------------|--------------------------------------------------------------------------| +| MongoDB | {{< X >}} | {{< X >}} | +| Active Record | {{< X >}} | {{< X >}} | +| MySQL2 | {{< X >}} | {{< X >}} | +| Presto | {{< X >}} | {{< X >}} | +| Resque | {{< X >}} | {{< X >}} | +| Sequel | {{< X >}} | {{< X >}} | +| Elasticsearch | {{< X >}} | {{< X >}} | + +### User Authentication Frameworks compatibility + +**Integrations to User Authentication Frameworks provide:** + +- User login events, including the user IDs +- Account Takeover detection monitoring for user login events + +| Framework | Minimum Framework Version | +|-------------------| --------------------------- | +| Devise | 3.2.1 + +[1]: /tracing/trace_collection/compatibility/ruby/ +[2]: https://www.ruby-lang.org/ +[3]: https://www.jruby.org/ diff --git a/content/en/security/application_security/setup/compatibility/serverless.md b/content/en/security/application_security/setup/compatibility/serverless.md new file mode 100644 index 0000000000000..1bae1aa80e3cf --- /dev/null +++ b/content/en/security/application_security/setup/compatibility/serverless.md @@ -0,0 +1,92 @@ +--- +title: Serverless Compatibility Requirements +code_lang: serverless +type: multi-code-lang +code_lang_weight: 90 +--- + +Application Security provides serverless capability for the following platforms and libraries: + +{{< partial name="security-platform/appsec-libraries-serverless.html" >}}
+ +## AWS Lambda +**Note**: Threat Protection through Remote Configuration is not supported. Use [Workflows][5] to block IPs in your [WAF][6]. + +|Type | Threat Detection | Software Composition Analysis (SCA) | Code Security | +| --- | --- | ---- | ---- | +| Java | {{< X >}} | | | +| .NET | {{< X >}} | | | +| Node | {{< X >}} | Preview | | +| Python | {{< X >}} | Preview | | +| Ruby | {{< X >}} | | | +| PHP | | | | +| Go | {{< X >}} | | | + +### Supported trigger types +Threat Detection supports HTTP requests as function input only, as that channel has the highest likelihood of attackers exploiting a serverless application. HTTP requests typically come from AWS services such as: +- Application Load Balancer (ALB) +- API Gateway v1 (Rest API) +- API Gateway v2 (HTTP API) +- Function URL + +
If you would like to see support added for any of the unsupported capabilities, fill out this form to send feedback.
+ + +### Additional language specific compatibility information + +Node.js +: If you are bundling using webpack or esbuild, [follow the specific bundler instructions][4]. + +Python +: + +Java +: To fully instrument your serverless application with distributed tracing, your Java Lambda functions must use the Java 8 Corretto (`java8.al2`), Java 11 (`java11`) or Java 17 (`java17`) runtimes with at least 1024MB of memory. +: If you use the Datadog Lambda layers `dd-trace-java:4` (or older) and `Datadog-Extension:24` (or older), follow the instructions in [Upgrade Instrumentation for Java Lambda Functions][3]. + +Go +: + +.NET +: + + +## Google Cloud Run + +
Google Cloud Run support for Application Security serverless is in Preview.
+ +**Note**: Threat Protection through Remote Configuration is not supported. Use [Workflows][5] to block IPs in your [WAF][6]. + +|Type | Threat Detection | Software Composition Analysis | Code Security | +| --- | --- | ---- | ---- | +| Java | Preview | Preview | | +| .NET | Preview | Preview | | +| Node | Preview | Preview | | +| Python | Preview | Preview | | +| Ruby | Preview | Preview | | +| PHP | | | | +| Go | Preview | Preview | | + + +## Azure App Service + +Only *web applications* are supported. Azure Functions are not supported. + +**Note**: Threat Protection through Remote Configuration is not supported. Use [Workflows][5] to block IPs in your [WAF][6]. + +|Type | OS |Threat Detection | Software Composition Analysis | Code Security | +|-----------|--------------------|------------------|------------------------------------|------------------------------------------| +| Java | Windows, Linux | {{< X >}} | {{< X >}} | Preview | +| .NET | Windows, Linux | {{< X >}} | {{< X >}} | | +| Node | Linux | {{< X >}} | {{< X >}} | Preview | +| Python | Linux | {{< X >}} | {{< X >}} | | +| Ruby | Linux | {{< X >}} | {{< X >}} | | +| PHP | Linux | | {{< X >}} | | + + +[1]: /serverless/distributed_tracing/ +[2]: /serverless/guide/datadog_forwarder_python +[3]: /serverless/guide/upgrade_java_instrumentation +[4]: /serverless/guide/serverless_tracing_and_bundlers/ +[5]: /service_management/workflows/ +[6]: /security/application_security/threats/inapp_waf_rules/ diff --git a/content/en/security/application_security/setup/single_step/_index.md b/content/en/security/application_security/setup/single_step/_index.md new file mode 100644 index 0000000000000..bc13847fd2c4e --- /dev/null +++ b/content/en/security/application_security/setup/single_step/_index.md @@ -0,0 +1,274 @@ +--- +title: Enabling AAP threat detection and protection using single step instrumentation +external_redirect: /security/application_security/threats/threat_detection/ +--- + +
Enabling AAP threat detection and protection using single step instrumentation is in Preview.
+ +## Requirements + +- **Minimum Agent version 7.53.0** +- **Minimum Helm version 3.62.0** (For Kubernetes deployments) +- **Languages and architectures**: Single step AAP instrumentation only supports tracing Java, Python, Node.js, and .NET Core services on `x86_64` and `arm64` architectures. +- **Operating systems**: Linux VMs (Debian, Ubuntu, Amazon Linux, CentOS/Red Hat, Fedora), Docker, Kubernetes clusters with Linux containers. + +## Enabling in one step + +If you [install or update a Datadog Agent][1] with the **Enable Threat Protection (new)** option selected, the Agent is installed and configured to enable AAP. This allows you to automatically instrument your application, without any additional installation or configuration steps. Restart services for this instrumentation to take effect. + + +{{< img src="/security/application_security/single_step/asm_single_step_threat_detection_2.png" alt="Account settings Ubuntu setup page highlighting the toggle for Enabling APM instrumentation and Threat Protection." style="width:100%;" >}} + +The following examples show how it works on each infrastructure type. + +{{< tabs >}} +{{% tab "Linux host or VM" %}} + +With one command, you can install, configure, and start the Agent, while also instrumenting your services with AAP. + +For an Ubuntu host: + +1. Run the one-line installation command: + + ```shell + DD_API_KEY= DD_SITE="" DD_APM_INSTRUMENTATION_ENABLED=host DD_APM_INSTRUMENTATION_LIBRARIES="java:1,python:3,js:5,dotnet:3,php:1" DD_APPSEC_ENABLED=true bash -c "$(curl -L https://install.datadoghq.com/scripts/install_script_agent7.sh)" + ``` + + a. Replace `` with your [Datadog API key][4]. + + b. Replace `` with your [Datadog site][3]. +
+ You can also optionally configure the following: + +
+2. Exit your current shell session. +3. Start a new shell session. +4. Restart the services on the host or VM. +5. [Explore the performance observability of your services in Datadog][5]. + +**Note:** To configure single-step for both AAP Threat Protection and Code Security, add the environment variables `DD_APPSEC_ENABLED=true` _and_ `DD_IAST_ENABLED=true` to your one-line installation command. + +### Specifying tracing library versions {#lib-linux} + +By default, enabling APM on your server installs support for Java, Python, Node.js, and .NET Core services. If you only have services implemented in some of these languages, set `DD_APM_INSTRUMENTATION_LIBRARIES` in your one-line installation command: + +```shell +DD_APM_INSTRUMENTATION_LIBRARIES="java:1.25.0,python" DD_API_KEY= DD_SITE="" DD_APM_INSTRUMENTATION_ENABLED=host DD_APPSEC_ENABLED=true DD_ENV=staging bash -c "$(curl -L https://install.datadoghq.com/scripts/install_script_agent7.sh)" +``` + +You can optionally provide a version number for the tracing library by placing a colon after the language name and specifying the tracing library version. If you don't specify a version, it defaults to the latest version. Language names are comma-separated. + +Supported languages include: + +- .NET (`dotnet`) +- Python (`python`) +- Java (`java`) +- Node.js (`js`) +- PHP (`php`) + +**Note**: For the Node.js tracing library, different versions of Node.js are compatible with different versions of the Node.js tracing library. See [DataDog/dd-trace-js: JavaScript APM Tracer][6] for more information. + +### Tagging observability data by environment {#env-linux} + +Set `DD_ENV` in your one-line installation command for Linux to automatically tag instrumented services and other telemetry that pass through the Agent with a specific environment. For example, if the Agent is installed in your staging environment, set `DD_ENV=staging` to associate your observability data with `staging`. + +For example: + +```shell +DD_API_KEY= DD_SITE="" DD_APM_INSTRUMENTATION_ENABLED=host DD_APM_INSTRUMENTATION_LIBRARIES="java:1,python:3,js:5,dotnet:3,php:1" DD_APPSEC_ENABLED=true DD_ENV=staging bash -c "$(curl -L https://install.datadoghq.com/scripts/install_script_agent7.sh)" +``` + +[2]: /agent/remote_config +[3]: /getting_started/site/ +[4]: https://app.datadoghq.com/organization-settings/api-keys +[5]: /software_catalog/ +[6]: https://github.com/DataDog/dd-trace-js?tab=readme-ov-file#version-release-lines-and-maintenance + +{{% /tab %}} + +{{% tab "Docker" %}} + +For a Docker Linux container: + +1. Install the library injector: + ```shell + DD_APM_INSTRUMENTATION_ENABLED=docker DD_APM_INSTRUMENTATION_LIBRARIES="java:1,python:3,js:5,dotnet:3,php:1" DD_NO_AGENT_INSTALL=true DD_APPSEC_ENABLED=true bash -c "$(curl -L https://install.datadoghq.com/scripts/install_script_agent7.sh)" + ``` +2. Configure the Agent in Docker: + ```shell + docker run -d --name dd-agent \ + -e DD_API_KEY=${YOUR_DD_API_KEY} \ + -e DD_APM_ENABLED=true \ + -e DD_APPSEC_ENABLED=true \ + -e DD_APM_NON_LOCAL_TRAFFIC=true \ + -e DD_DOGSTATSD_NON_LOCAL_TRAFFIC=true \ + -e DD_APM_RECEIVER_SOCKET=/opt/datadog/apm/inject/run/apm.socket \ + -e DD_DOGSTATSD_SOCKET=/opt/datadog/apm/inject/run/dsd.socket \ + -v /opt/datadog/apm:/opt/datadog/apm \ + -v /var/run/docker.sock:/var/run/docker.sock:ro \ + gcr.io/datadoghq/agent:7 + ``` + Replace `` with your [Datadog API][5]. +
+ You can also optionally configure the following: + +
+3. Restart the Docker containers. +4. [Explore the performance observability of your services in Datadog][6]. + +### Specifying tracing library versions {#lib-docker} + +By default, enabling APM on your server installs support for Java, Python, Node.js, and .NET services. If you only have services implemented in some of these languages, set `DD_APM_INSTRUMENTATION_LIBRARIES` when running the installation script. + +For example, to install support for only v1.25.0 of the Java tracing library and the latest Python tracing library, add the following to the installation command: + +```shell +DD_APM_INSTRUMENTATION_LIBRARIES="java:1.25.0,python" DD_APM_INSTRUMENTATION_ENABLED=docker DD_NO_AGENT_INSTALL=true DD_APPSEC_ENABLED=true bash -c "$(curl -L https://install.datadoghq.com/scripts/install_script_agent7.sh)" +``` + +You can optionally provide a version number for the tracing library by placing a colon after the language name and specifying the tracing library version. If you don't specify a version, it defaults to the latest version. Language names are comma-separated. + +Supported languages include: + +- .NET (`dotnet`) +- Python (`python`) +- Java (`java`) +- Node.js (`js`) +- Ruby (`ruby`) +- PHP (`php`) + +**Note**: For the Node.js tracing library, different versions of Node.js are compatible with different versions of the Node.js tracing library. See [DataDog/dd-trace-js: JavaScript APM Tracer][7] for more information. + +### Tagging observability data by environment {#env-docker} + +Set `DD_ENV` in the library injector installation command for Docker to automatically tag instrumented services and other telemetry that pass through the Agent with a specific environment. For example, if the Agent is installed in your staging environment, set `DD_ENV=staging` to associate your observability data with `staging`. + +For example: + +{{< highlight shell "hl_lines=5" >}} +docker run -d --name dd-agent \ + -e DD_API_KEY=${YOUR_DD_API_KEY} \ + -e DD_APM_ENABLED=true \ + -e DD_APPSEC_ENABLED=true \ + -e DD_ENV=staging \ + -e DD_APM_NON_LOCAL_TRAFFIC=true \ + -e DD_DOGSTATSD_NON_LOCAL_TRAFFIC=true \ + -e DD_APM_RECEIVER_SOCKET=/opt/datadog/apm/inject/run/apm.socket \ + -e DD_DOGSTATSD_SOCKET=/opt/datadog/apm/inject/run/dsd.socket \ + -v /opt/datadog/apm:/opt/datadog/apm \ + -v /var/run/docker.sock:/var/run/docker.sock:ro \ + gcr.io/datadoghq/agent:7 +{{< /highlight >}} + +[5]: https://app.datadoghq.com/organization-settings/api-keys +[6]: /software_catalog/ +[7]: https://github.com/DataDog/dd-trace-js?tab=readme-ov-file#version-release-lines-and-maintenance + + +{{% /tab %}} + +{{% tab "Kubernetes" %}} + +You can enable APM by installing the Agent with the Datadog Helm chart. This deploys the Datadog Agent across all nodes in your Linux-based Kubernetes cluster with a DaemonSet. + +**Note**: Single step instrumentation doesn't instrument applications in the namespace where you install the Datadog Agent. It's recommended to install the Agent in a separate namespace in your cluster where you don't run your applications. + +### Requirements + +- Make sure you have [Helm][13] installed. + +### Installation + +To enable single step instrumentation with Helm: + +1. Add the Helm Datadog repo: + + ```bash + helm repo add datadog https://helm.datadoghq.com + helm repo update + ``` +2. Create a Kubernetes Secret to store your Datadog [API key][10]: + + ```bash + kubectl create secret generic datadog-secret --from-literal api-key=$DD_API_KEY +[7]: https://v3.helm.sh/docs/intro/install/ +[8]: https://kubernetes.io/docs/tasks/tools/install-kubectl/ +[9]: https://github.com/DataDog/helm-charts/tree/master/charts/datadog-operator +[10]: https://app.datadoghq.com/organization-settings/api-keys +[11]: https://app.datadoghq.com/organization-settings/application-keys +[12]: /getting_started/site +[13]: https://v3.helm.sh/docs/intro/install/ +[14]: https://github.com/DataDog/helm-charts/blob/master/charts/datadog/values.yaml +[15]: /tracing/trace_collection/automatic_instrumentation/single-step-apm/?tab=kubernetes#enabling-or-disabling-instrumentation-for-namespaces +[16]: /tracing/trace_collection/automatic_instrumentation/single-step-apm/?tab=kubernetes#specifying-tracing-library-versions +[17]: /tracing/trace_collection/automatic_instrumentation/single-step-apm/?tab=kubernetes#removing-instrumentation-for-specific-services +{{% /tab %}} +{{< /tabs >}} +## Removing Single Step APM and AAP instrumentation from your Agent +If you don't want to collect trace data for a particular service, host, VM, or container, complete the follow steps: +### Removing instrumentation for specific services +Run the following commands and restart the service to stop injecting the library into the service and stop producing traces from that service. +{{< tabs >}} +{{% tab "Linux host or VM" %}} +1. Add the `DD_INSTRUMENT_SERVICE_WITH_APM` environment variable to the service startup command: + ```shell + DD_INSTRUMENT_SERVICE_WITH_APM=false + ``` +2. Restart the service. +3. To disable AAP, remove the `DD_APPSEC_ENABLED=true` environment variable from your application configuration, and restart your service. +{{% /tab %}} +{{% tab "Docker" %}} +1. Add the `DD_INSTRUMENT_SERVICE_WITH_APM` environment variable to the service startup command: + ```shell + docker run -e DD_INSTRUMENT_SERVICE_WITH_APM=false + ``` +2. Restart the service. +3. To disable AAP, remove the `DD_APPSEC_ENABLED=true` environment variable from your application configuration, and restart your service. +{{% /tab %}} +{{% tab "Kubernetes" %}} +1. Set the `admission.datadoghq.com/enabled:` label to `"false"` for the pod spec: + ```yaml + spec: + template: + metadata: + labels: + admission.datadoghq.com/enabled: "false" +{{% /tab %}} +{{< /tabs >}} +### Removing APM for all services on the infrastructure +To stop producing traces, remove library injectors and restart the infrastructure: +{{< tabs >}} +{{% tab "Linux host or VM" %}} +1. Run: + ```shell + dd-host-install --uninstall + ``` +2. Restart your host. +{{% /tab %}} +{{% tab "Docker" %}} +1. Uninstall local library injection: + ```shell + dd-container-install --uninstall + ``` +2. Restart Docker: + ```shell + systemctl restart docker + ``` + Or use the equivalent for your environment. +{{% /tab %}} +{{% tab "Kubernetes" %}} +1. Under `apm:`, remove `instrumentation:` and all following configuration in `datadog-values.yaml`. +2. Under `asm:`, remove `threats:` and all following configuration in`datadog-values.yaml`. +3. Run the following command: + ```bash + helm upgrade datadog-agent -f datadog-values.yaml datadog/datadog +{{% /tab %}} +{{< /tabs >}} +[1]: https://app.datadoghq.com/account/settings/agent/latest +[2]: /agent/remote_config \ No newline at end of file diff --git a/content/en/security/application_security/setup/standalone/_index.md b/content/en/security/application_security/setup/standalone/_index.md new file mode 100644 index 0000000000000..4477c23b1671a --- /dev/null +++ b/content/en/security/application_security/setup/standalone/_index.md @@ -0,0 +1,49 @@ +--- +title: Enabling Application & API Protection using Datadog Tracing Libraries +type: multi-code-lang +further_reading: +- link: "/security/application_security/" + tag: "Documentation" + text: "Protect against Threats with Datadog Application & API Protection" +- link: "/security/application_security/add-user-info/" + tag: "Documentation" + text: "Tracking user activity" +- link: "/security/default_rules/?category=cat-application-security" + tag: "Documentation" + text: "OOTB Application & API Protection Rules" +- link: "/security/application_security/troubleshooting" + tag: "Documentation" + text: "Troubleshooting Application & API Protection" +- link: "/security/application_security/how-appsec-works/" + tag: "Documentation" + text: "How Application & API Protection Works in Datadog" +--- + +## Prerequisites + +Before setting up Application & API Protection, ensure the following prerequisites are met: +- **Datadog Agent:** [Install the Datadog Agent][2] and configure it for your application's operating system or container, cloud, or virtual environment. +- **Supported Tracing Library:** The Datadog Tracing Library used by your application or service supports Application & API Protection capabilities for the language of your application or service. For more details, refer to the [Library Compatibility][1] page. + +## Using AAP without APM tracing + +If you want to use Application & API Protection without APM tracing functionality, you can deploy with tracing disabled: + +1. Configure your tracing library with the `DD_APM_TRACING_ENABLED=false` environment variable in addition to the `DD_APPSEC_ENABLED=true` environment variable. +2. This configuration will reduce the amount of APM data sent to Datadog to the minimum required by Application Security products. + +For more details, see [Standalone Application Security][3]. + +## Language-specific configuration + +Select your application language for details on how to enable Application & API Protection for your language and infrastructure types. + +{{< partial name="security-platform/appsec-languages.html" >}}
+ +## Further Reading + +{{< partial name="whats-next/whats-next.html" >}} + +[1]: /security/application_security/threats/setup/compatibility +[2]: /agent/ +[3]: /security/application_security/guide/standalone_application_security/ diff --git a/content/en/security/application_security/setup/standalone/dotnet.md b/content/en/security/application_security/setup/standalone/dotnet.md new file mode 100644 index 0000000000000..23cd6c60aed8c --- /dev/null +++ b/content/en/security/application_security/setup/standalone/dotnet.md @@ -0,0 +1,215 @@ +--- +title: Enabling Application & API Protection for .NET +code_lang: dotnet +type: multi-code-lang +code_lang_weight: 10 +aliases: + - /security_platform/application_security/getting_started/dotnet + - /security/application_security/getting_started/dotnet + - /security/application_security/enabling/tracing_libraries/threat_detection/dotnet/ +further_reading: + - link: "/security/application_security/add-user-info/" + tag: "Documentation" + text: "Adding user information to traces" + - link: 'https://github.com/DataDog/dd-trace-dotnet' + tag: "Source Code" + text: '.NET Datadog library source code' + - link: "/security/default_rules/?category=cat-application-security" + tag: "Documentation" + text: "OOTB App & API Protection Rules" + - link: "/security/application_security/troubleshooting" + tag: "Documentation" + text: "Troubleshooting App & API Protection" +--- + +You can monitor application security for .NET apps running in Docker, Kubernetes, Amazon ECS, and AWS Fargate. + +{{% appsec-getstarted-standalone %}} + +## Enabling Application & API Protection +### Get started + +1. **Update your [Datadog .NET library][1]** to at least version 2.2.0 (at least version 2.16.0 for Software Composition Analysis detection features) for your target operating system architecture. + + To check that your service's language and framework versions are supported for Application & API Protection capabilities, see [Compatibility][2]. + +2. **Enable Application & API Protection** by setting the environment variables. For security-only use without APM tracing, set both `DD_APPSEC_ENABLED=true` and `DD_APM_TRACING_ENABLED=false`. For example, on Windows self-hosted, run the following PowerShell snippet as part of your application start up script: + ``` + $target=[System.EnvironmentVariableTarget]::Process + [System.Environment]::SetEnvironmentVariable("DD_APPSEC_ENABLED","true",$target) + [System.Environment]::SetEnvironmentVariable("DD_APM_TRACING_ENABLED","false",$target) + ``` + + **Or** one of the following methods, depending on where your application runs: + + {{< tabs >}} +{{% tab "Windows self-hosted" %}} + +In a Windows console: + +``` +rem Set environment variables +SET CORECLR_ENABLE_PROFILING=1 +SET CORECLR_PROFILER={846F5F1C-F9AE-4B07-969E-05C26BC060D8} +SET DD_APPSEC_ENABLED=true +SET DD_APM_TRACING_ENABLED=false + +rem Start application +dotnet.exe example.dll +``` + +{{% /tab %}} +{{% tab "IIS" %}} + +Run the following PowerShell command as administrator to configure the necessary environment variables in the registry `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment` and restart IIS. +``` +$target=[System.EnvironmentVariableTarget]::Machine +[System.Environment]::SetEnvironmentVariable("DD_APPSEC_ENABLED","true",$target) +[System.Environment]::SetEnvironmentVariable("DD_APM_TRACING_ENABLED","false",$target) +net stop was /y +net start w3svc +``` + +**Or**, for IIS services exclusively, on WAS and W3SVC with Powershell as an administrator, run: + +``` +$appsecPart = "DD_APPSEC_ENABLED=true DD_APM_TRACING_ENABLED=false" +[string[]] $defaultvariable = @("CORECLR_ENABLE_PROFILING=1", "CORECLR_PROFILER={846F5F1C-F9AE-4B07-969E-05C26BC060D8}", $appsecPart) + +function Add-AppSec { + + param ( + $path + ) + $v = (Get-ItemProperty -Path $path).Environment + If ($v -eq $null) { + Set-ItemProperty -Path $path -Name "Environment" -Value $defaultvariable + } + ElseIf (-not ($v -match $appsecPart)) { + $v += " " + $appsecPart; + Set-ItemProperty -Path $path -Name "Environment" -Value $v + } +} +Add-AppSec -path "HKLM:SYSTEM\CurrentControlSet\Services\WAS\" +Add-AppSec -path "HKLM:SYSTEM\CurrentControlSet\Services\W3SVC\" + +net stop was /y +net start w3svc +``` + +**Or**, to avoid editing registry keys, edit the application settings in the `web.config` file of your application: +```xml + + + + + + +``` + +This can also be done at the IIS application pools level in the `applicationHost.config` file, usually in `C:\Windows\System32\inetsrv\config\`: +```xml + + + + + + + + + (...) +``` + +{{% /tab %}} +{{% tab "Linux" %}} + +Add the following to your application configuration: +```conf +DD_APPSEC_ENABLED=true +DD_APM_TRACING_ENABLED=false +``` +{{% /tab %}} +{{% tab "Docker CLI" %}} + +Update your configuration container for APM by adding the following arguments in your `docker run` command: + +```shell +docker run [...] -e DD_APPSEC_ENABLED=true -e DD_APM_TRACING_ENABLED=false [...] +``` + +{{% /tab %}} +{{% tab "Dockerfile" %}} + +Add the following environment variable values to your container Dockerfile: + +```Dockerfile +ENV DD_APPSEC_ENABLED=true +ENV DD_APM_TRACING_ENABLED=false +``` + +{{% /tab %}} +{{% tab "Kubernetes" %}} + +Update your deployment configuration file for APM and add the Application & API Protection environment variables: + +```yaml +spec: + template: + spec: + containers: + - name: + image: / + env: + - name: DD_APPSEC_ENABLED + value: "true" + - name: DD_APM_TRACING_ENABLED + value: "false" +``` + +{{% /tab %}} +{{% tab "Amazon ECS" %}} + +Update your ECS task definition JSON file, by adding these in the environment section: + +```json +"environment": [ + ..., + { + "name": "DD_APPSEC_ENABLED", + "value": "true" + }, + { + "name": "DD_APM_TRACING_ENABLED", + "value": "false" + } +] +``` + +{{% /tab %}} +{{% tab "AWS Fargate" %}} + +Add the following lines to your container Dockerfile: +```Dockerfile +ENV DD_APPSEC_ENABLED=true +ENV DD_APM_TRACING_ENABLED=false +``` + +{{% /tab %}} + +{{< /tabs >}} + +3. **Restart the application** using a full stop and start. + +{{% appsec-getstarted-2-plusrisk %}} + +{{< img src="/security/application_security/appsec-getstarted-threat-and-vuln_2.mp4" alt="Video showing Signals explorer and details, and Vulnerabilities explorer and details." video="true" >}} + + +## Further Reading + +{{< partial name="whats-next/whats-next.html" >}} + +[1]: https://github.com/DataDog/dd-trace-dotnet/releases/latest +[2]: /security/application_security/threats/setup/compatibility/dotnet/ +[3]: /agent/versions/upgrade_between_agent_minor_versions/ +[4]: /security/application_security/threats/setup/compatibility/ diff --git a/content/en/security/application_security/setup/standalone/envoy.md b/content/en/security/application_security/setup/standalone/envoy.md new file mode 100644 index 0000000000000..0073483d4a7e4 --- /dev/null +++ b/content/en/security/application_security/setup/standalone/envoy.md @@ -0,0 +1,118 @@ +--- +title: Enabling Application & API Protection for Envoy +code_lang: envoy +type: multi-code-lang +code_lang_weight: 50 +further_reading: + - link: 'https://github.com/DataDog/dd-trace-go/tree/main/contrib/envoyproxy/go-control-plane/cmd/serviceextensions' + tag: "Source Code" + text: "Envoy integration's source code" + - link: "/security/default_rules/?category=cat-application-security" + tag: "Documentation" + text: "OOTB App & API Protection Rules" + - link: "/security/application_security/troubleshooting" + tag: "Documentation" + text: "Troubleshooting App & API Protection" +--- + +{{< callout url="#" btn_hidden="true" header="Application & API Protection for Envoy is in Preview" >}} +To try the preview of Application & API Protection for Envoy, follow the setup instructions below. +{{< /callout >}} + +You can enable application security for the Envoy proxy. The Datadog Envoy integration has support for threat detection and blocking. + +## Prerequisites + +- The [Datadog Agent][1] is installed and configured for your application's operating system or container, cloud, or virtual environment. +- [Configure the Agent with Remote Configuration][2] to block attackers using the Datadog UI. + +## Enabling Application & API Protection +### Get started + +The Application & API Protection Envoy integration uses the Envoy external processing filter. + +1. **Configure Envoy** to use the [external processing filter][3]. +For example: + + ```yaml + http_filters: + # ... other filters + - name: envoy.filters.http.ext_proc + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.http.ext_proc.v3.ExternalProcessor + config: + grpc_service: + envoy_grpc: + cluster_name: datadog_ext_proc_cluster + timeout: 1s + + clusters: + # ... other clusters + - name: datadog_ext_proc_cluster + type: STRICT_DNS + lb_policy: ROUND_ROBIN + http2_protocol_options: {} + transport_socket: + name: envoy.transport_sockets.tls + typed_config: + "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext + load_assignment: + cluster_name: datadog_ext_proc_cluster + endpoints: + - lb_endpoints: + - endpoint: + address: + socket_address: + address: Your Datadog image host from step 2 + port_value: 443 + ``` + + **Note**: you need to replace `Your Datadog image host from step 2` in the above example with the host where the Datadog Envoy docker image is running. You will configure this host next. + + You can find more configuration options available in the [Envoy external processor documentation][4]. + +2. **Run a new container with the Datadog Envoy Docker image.** The image is available on the [Datadog GitHub Registry][5]. + + The Docker image exposes some settings specifically for the Envoy integration: + | Environment variable | Default value | Description | + |----------------------------------------|-----------------|-------------------------------------------------------------------| + | `DD_SERVICE_EXTENSION_HOST` | `0.0.0.0` | gRPC server listening address. | + | `DD_SERVICE_EXTENSION_PORT` | `443` | gRPC server port. | + | `DD_SERVICE_EXTENSION_HEALTHCHECK_PORT`| `80` | HTTP server port for health checks. | + + Configure the Datadog Agent to receive traces from the integration using the following environment variables: + | Environment variable | Default value | Description | + |----------------------------------------|---------------|-----------------------------------------------------------------------| + | `DD_AGENT_HOST` | `localhost` | Hostname where your Datadog Agent is running. | + | `DD_TRACE_AGENT_PORT` | `8126` | Port of the Datadog Agent for trace collection. | + +{{% appsec-getstarted-2-plusrisk %}} + +{{< img src="/security/application_security/appsec-getstarted-threat-and-vuln_2.mp4" alt="Video showing Signals explorer and details, and Vulnerabilities explorer and details." video="true" >}} + +## Datadog Go Tracer and Envoy integration + +
+ Note: The Application & API Protection Envoy integration is built on top of the Datadog Go Tracer. It follows the same release process as the tracer, and its Docker images are tagged with the corresponding tracer version. +
+ + The Envoy integration uses the [Datadog Go Tracer][6] and inherits all environment variables from the tracer. You can find more information in [Configuring the Go Tracing Library][7] and [Application & API Protection Library Configuration][8]. + +## Limitations + +The available functionality for Envoy version `1.71.0` has the following important limitations: + +* The request body is not inspected, regardless of its content type. + +## Further Reading + +{{< partial name="whats-next/whats-next.html" >}} + +[1]: https://app.datadoghq.com/account/settings#agent +[2]: https://docs.datadoghq.com/agent/remote_config/?tab=configurationyamlfile#enabling-remote-configuration +[3]: https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/ext_proc_filter +[4]: https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/http/ext_proc/v3/ext_proc.proto#extensions-filters-http-ext-proc-v3-externalprocessor +[5]: https://github.com/DataDog/dd-trace-go/pkgs/container/dd-trace-go%2Fservice-extensions-callout +[6]: https://github.com/DataDog/dd-trace-go +[7]: https://docs.datadoghq.com/tracing/trace_collection/library_config/go/ +[8]: https://docs.datadoghq.com/security/application_security/threats/library_configuration/ diff --git a/content/en/security/application_security/setup/standalone/gcp-service-extensions.md b/content/en/security/application_security/setup/standalone/gcp-service-extensions.md new file mode 100644 index 0000000000000..ae421113aa069 --- /dev/null +++ b/content/en/security/application_security/setup/standalone/gcp-service-extensions.md @@ -0,0 +1,119 @@ +--- +title: Enabling Application & API Protection for GCP Service Extensions +code_lang: gcp-service-extensions +type: multi-code-lang +code_lang_weight: 50 +further_reading: + - link: 'https://github.com/DataDog/dd-trace-go/tree/main/contrib/envoyproxy/go-control-plane/cmd/serviceextensions' + tag: "Source Code" + text: "Application & API Protection Service Extension's source code" + - link: 'https://cloud.google.com/service-extensions/docs/overview' + tag: "Documentation" + text: "Google Cloud Service Extensions overview" + - link: "/security/default_rules/?category=cat-application-security" + tag: "Documentation" + text: "OOTB App & API Protection Rules" + - link: "/security/application_security/troubleshooting" + tag: "Documentation" + text: "Troubleshooting App & API Protection" +--- + +{{< callout url="#" btn_hidden="true" header="Application & API Protection Service Extensions is in Preview" >}} +To try the preview of Application & API Protection Service Extensions for GCP, follow the setup instructions below. +{{< /callout >}} + +You can enable application security with GCP Service Extensions within GCP Cloud Load Balancing. The Datadog App & API Protection (AAP) Service Extensions integration has support for threat detection and blocking. + +## Prerequisites + +- The [Datadog Agent][1] is installed and configured for your application's operating system or container, cloud, or virtual environment. +- [Configure the Agent with Remote Configuration][2] to block attackers using the Datadog UI. +- In your GCP project, verify that you have either the project `owner` or `editor` role, or the relevant Compute Engine IAM roles: `compute.instanceAdmin.v1` (to spin up instances) and `compute.networkAdmin` (to set up load balancing). +- A GCP project with a Cloud Load Balancer configured with your services. Your Cloud Load Balancer must be one of the [Application Load Balancers that supports Traffic Callouts][3]. +- Ensure that the Compute Engine API and Network Services API are enabled: + + ```bash + gcloud services enable compute.googleapis.com networkservices.googleapis.com + ``` + +## Enabling Application & API Protection +### Get started + +On your GCP project, multiple steps are needed to fully create a Service Extension. Google Cloud provides guides to create [a callout backend service][4] and [create a Service Extension as a traffic extension][5]. + +To integrate a Service Extension with Application & API Protection, do the following: + +1. **Create a new VM Compute instance** using the Datadog Service Extensions Docker image. The image is available on the [Datadog Go tracer GitHub Registry][6]. + + The Docker image exposes some settings: + | Environment variable | Default value | Description | + |----------------------------------------|-----------------|-------------------------------------------------------------------| + | `DD_SERVICE_EXTENSION_HOST` | `0.0.0.0` | gRPC server listening address. | + | `DD_SERVICE_EXTENSION_PORT` | `443` | gRPC server port. | + | `DD_SERVICE_EXTENSION_HEALTHCHECK_PORT`| `80` | HTTP server port for health checks. | + + Configure the Datadog Agent to receive traces from the integration using the following environment variables: + | Environment variable | Default value | Description | + |----------------------------------------|---------------|-----------------------------------------------------------------------| + | `DD_AGENT_HOST` | `localhost` | Hostname where your Datadog Agent is running. | + | `DD_TRACE_AGENT_PORT` | `8126` | Port of the Datadog Agent for trace collection. | + +2. **Add the VM to an unmanaged instance group.** + + Specify `http:80` and `grpc:443` (or any other previously configured values) for the port mappings of the instance group. + +3. **Update the load balancer by creating a backend service and adding a backend.** + + Create a callout backend service that uses the HTTP/2 protocol and has an HTTP health check: + - Protocol: `HTTP2` + - Port name: `grpc` + - Region: `us-west1` + - Health check port number: `80` (or any other previously configured value) + + 1. Add the instance group with the extension server as a backend to the backend service. + + 2. Create a Traffic Service Extension callout. + + 1. In the Google Cloud console, go to **Service Extensions** and create a new Service Extension. + 2. Select your load balancer type. + 3. Select `Traffic extensions` as the type. + 4. Select your forwarding rules. +
+ 3. When creating a new Extension Chain, do the following: + + 1. To send all traffic to the extension, insert `true` in the **Match condition**. + 2. For **Programability type**, select `Callouts`. + 3. Select the backend service you created in the previous step. + 4. Select all **Events** from the list where you want Application & API Protection to run detection.
+
+{{% appsec-getstarted-2-plusrisk %}} + +{{< img src="/security/application_security/appsec-getstarted-threat-and-vuln_2.mp4" alt="Video showing Signals explorer and details, and Vulnerabilities explorer and details." video="true" >}} + +## Datadog Go tracer and GCP Service Extensions + +
+ Note: The GCP Service Extensions integration is built on top of the Datadog Go Tracer. It follows the same release process as the tracer, and its Docker images are tagged with the corresponding tracer version. +
+ + The GCP Service Extensions integration uses the [Datadog Go Tracer][7] and inherits all environment variables from the tracer. You can find more information in [Configuring the Go Tracing Library][8] and [Application & API Protection Library Configuration][9]. + +## Limitations + +The available functionality for GCP Service Extensions version `1.71.0` has the following important limitations: + +* The request body is not inspected, regardless of its content type. + +## Further Reading + +{{< partial name="whats-next/whats-next.html" >}} + +[1]: https://app.datadoghq.com/account/settings#agent +[2]: https://docs.datadoghq.com/agent/remote_config/?tab=configurationyamlfile#enabling-remote-configuration +[3]: https://cloud.google.com/service-extensions/docs/lb-extensions-overview#supported-lbs +[4]: https://cloud.google.com/service-extensions/docs/configure-callout-backend-service +[5]: https://cloud.google.com/service-extensions/docs/configure-traffic-extensions +[6]: https://github.com/DataDog/dd-trace-go/pkgs/container/dd-trace-go%2Fservice-extensions-callout +[7]: https://github.com/DataDog/dd-trace-go +[8]: https://docs.datadoghq.com/tracing/trace_collection/library_config/go/ +[9]: https://docs.datadoghq.com/security/application_security/threats/library_configuration/ diff --git a/content/en/security/application_security/setup/standalone/go.md b/content/en/security/application_security/setup/standalone/go.md new file mode 100644 index 0000000000000..ee6b58546b950 --- /dev/null +++ b/content/en/security/application_security/setup/standalone/go.md @@ -0,0 +1,131 @@ +--- +title: Enabling Application & API Protection for Go +code_lang: go +type: multi-code-lang +code_lang_weight: 20 +aliases: + - /security_platform/application_security/getting_started/go + - /security/application_security/getting_started/go + - /security/application_security/enabling/tracing_libraries/threat_detection/go/ +further_reading: + - link: "/security/application_security/add-user-info/" + tag: "Documentation" + text: "Adding user information to traces" + - link: 'https://github.com/DataDog/dd-trace-go/tree/v1' + tag: "Source Code" + text: 'Go Datadog library source code' + - link: "/security/default_rules/?category=cat-application-security" + tag: "Documentation" + text: "OOTB App & API Protection Rules" + - link: "/security/application_security/troubleshooting" + tag: "Documentation" + text: "Troubleshooting App & API Protection" +--- + +You can monitor application security for Go apps running in Docker, Kubernetes, and Amazon ECS. + +{{% appsec-getstarted-standalone %}} +- Your service is [supported][2]. + +## Enabling Application & API Protection +### Get started + +1. **Add to your program's go.mod dependencies** the latest version of the Datadog Go library (version 1.53.0 or later): + + ```shell + $ go get -v -u gopkg.in/DataDog/dd-trace-go.v1 # v1 + # $ go get -v -u github.com/DataDog/dd-trace-go/v2/ddtrace/tracer # v2 + ``` + +2. Datadog has a series of pluggable packages which provide out-of-the-box support for instrumenting a series of Go libraries and frameworks. + A list of these packages can be found in the [compatibility requirements][1] page. Import these packages into your application and follow the configuration instructions listed alongside each integration. + +3. **Recompile your program** with Application & API Protection enabled: + ```console + $ go build -v -tags appsec my-program + ``` + + **Notes**: + - The Go build tag `appsec` is not necessary if CGO is enabled with `CGO_ENABLED=1`. + - Datadog WAF needs the following shared libraries on Linux: `libc.so.6` and `libpthread.so.0`. + - When using the build tag `appsec` and CGO is disabled, the produced binary is still linked dynamically to these libraries. + - The Go build tag `datadog.no_waf` can be used to disable Application & API Protection at build time in any situation where the requirements above are a hinderance. + +4. **Redeploy your Go service and enable Application & API Protection** by setting the environment variables: + ```console + $ env DD_APPSEC_ENABLED=true DD_APM_TRACING_ENABLED=false ./my-program + ``` + + Or one of the following methods, depending on where your application runs: + + {{< tabs >}} +{{% tab "Docker CLI" %}} + +Add the following environment variable values to your Docker command line: + +```console +$ docker run -e DD_APPSEC_ENABLED=true -e DD_APM_TRACING_ENABLED=false [...] +``` + +{{% /tab %}} +{{% tab "Dockerfile" %}} + +Add the following environment variable values to your application container's Dockerfile: + +```Dockerfile +ENV DD_APPSEC_ENABLED=true +ENV DD_APM_TRACING_ENABLED=false +``` + +{{% /tab %}} +{{% tab "Kubernetes" %}} + +Update your application's deployment configuration file for APM and add the Application & API Protection environment variables: + +```yaml +spec: + template: + spec: + containers: + - name: + image: / + env: + - name: DD_APPSEC_ENABLED + value: "true" + - name: DD_APM_TRACING_ENABLED + value: "false" +``` + +{{% /tab %}} +{{% tab "Amazon ECS" %}} + +Update your application's ECS task definition JSON file, by adding these in the environment section: + +```json +"environment": [ + ..., + { + "name": "DD_APPSEC_ENABLED", + "value": "true" + }, + { + "name": "DD_APM_TRACING_ENABLED", + "value": "false" + } +] +``` + +{{% /tab %}} + +{{< /tabs >}} + +{{% appsec-getstarted-2 %}} + +{{< img src="/security/application_security/appsec-getstarted-threat-and-vuln_2.mp4" alt="Video showing Signals explorer and details, and Vulnerabilities explorer and details." video="true" >}} + +## Further Reading + +{{< partial name="whats-next/whats-next.html" >}} + +[1]: /security/application_security/threats/setup/compatibility/go/#web-framework-compatibility +[2]: /security/application_security/threats/setup/compatibility/go/ diff --git a/content/en/security/application_security/setup/standalone/java.md b/content/en/security/application_security/setup/standalone/java.md new file mode 100644 index 0000000000000..5cf0fcadfb51b --- /dev/null +++ b/content/en/security/application_security/setup/standalone/java.md @@ -0,0 +1,154 @@ +--- +title: Enabling Application & API Protection for Java +code_lang: java +type: multi-code-lang +code_lang_weight: 0 +aliases: + - /security_platform/application_security/getting_started/java + - /security/application_security/getting_started/java +further_reading: +- link: "/security/application_security/add-user-info/" + tag: "Documentation" + text: "Adding user information to traces" +- link: 'https://github.com/DataDog/dd-trace-java' + tag: "Source Code" + text: 'Java Datadog library source code' +- link: "/security/default_rules/?category=cat-application-security" + tag: "Documentation" + text: "OOTB App & API Protection Rules" +- link: "/security/application_security/troubleshooting" + tag: "Documentation" + text: "Troubleshooting App & API Protection" + +--- + +You can monitor application security for Java apps running in Docker, Kubernetes, Amazon ECS, and AWS Fargate. + +{{% appsec-getstarted-standalone %}} + +## Enabling Application & API Protection +### Get started + +1. **Update your [Datadog Java library][1]** to at least version 0.94.0 (at least version 1.1.4 for Software Composition Analysis detection features): + + {{< tabs >}} + {{% tab "Wget" %}} + ```shell + wget -O dd-java-agent.jar 'https://dtdg.co/latest-java-tracer' + ``` +{{% /tab %}} +{{% tab "cURL" %}} + ```shell + curl -Lo dd-java-agent.jar 'https://dtdg.co/latest-java-tracer' + ``` +{{% /tab %}} +{{% tab "Dockerfile" %}} + ```dockerfile + ADD 'https://dtdg.co/latest-java-tracer' dd-java-agent.jar + ``` +{{% /tab %}} +{{< /tabs >}} + + To check that your service's language and framework versions are supported for Application & API Protection capabilities, see [Compatibility][2]. + +2. **Run your Java application with Application & API Protection enabled.** From the command line: + ```shell + java -javaagent:/path/to/dd-java-agent.jar -Ddd.appsec.enabled=true -Ddd.trace.enabled=false -Ddd.service= -Ddd.env= -jar path/to/app.jar + ``` + + Or one of the following methods, depending on where your application runs: + + **Note:** Read-only file systems are not currently supported. The application must have access to a writable `/tmp` directory. + + {{< tabs >}} +{{% tab "Docker CLI" %}} + +Update your configuration container for APM by adding the following arguments in your `docker run` command: + + +```shell +docker run [...] -e DD_APPSEC_ENABLED=true -e DD_APM_TRACING_ENABLED=false [...] +``` + +{{% /tab %}} +{{% tab "Dockerfile" %}} + +Add the following environment variable values to your container Dockerfile: + +```Dockerfile +ENV DD_APPSEC_ENABLED=true +ENV DD_APM_TRACING_ENABLED=false +``` + +{{% /tab %}} +{{% tab "Kubernetes" %}} + +Update your deployment configuration file for APM and add the Application & API Protection environment variables: + +```yaml +spec: + template: + spec: + containers: + - name: + image: / + env: + - name: DD_APPSEC_ENABLED + value: "true" + - name: DD_APM_TRACING_ENABLED + value: "false" +``` + +{{% /tab %}} +{{% tab "Amazon ECS" %}} + +Update your ECS task definition JSON file, by adding these in the environment section: + +```json +"environment": [ + ..., + { + "name": "DD_APPSEC_ENABLED", + "value": "true" + }, + { + "name": "DD_APM_TRACING_ENABLED", + "value": "false" + } +] +``` + +{{% /tab %}} +{{% tab "AWS Fargate" %}} + +Set the appropriate flags or environment variables in your service invocation: + +```shell +java -javaagent:dd-java-agent.jar \ + -Ddd.appsec.enabled=true \ + -Ddd.trace.enabled=false \ + -jar .jar \ + +``` + +{{% /tab %}} + + {{< /tabs >}} + +{{% appsec-getstarted-2-plusrisk %}} + +{{< img src="/security/application_security/appsec-getstarted-threat-and-vuln_2.mp4" alt="Video showing Signals explorer and details, and Vulnerabilities explorer and details." video="true" >}} + + +If you need additional assistance, contact [Datadog support][5]. + +## Further Reading + +{{< partial name="whats-next/whats-next.html" >}} + +[1]: https://github.com/DataDog/dd-trace-java/releases +[2]: /security/application_security/threats/setup/compatibility/java/ +[3]: /security/application_security/threats/setup/compatibility/java/ +[4]: https://app.datadoghq.com/security/appsec/vm +[5]: /help +[6]: /agent/versions/upgrade_between_agent_minor_versions/ diff --git a/content/en/security/application_security/setup/standalone/nginx.md b/content/en/security/application_security/setup/standalone/nginx.md new file mode 100644 index 0000000000000..ac7effbafbd37 --- /dev/null +++ b/content/en/security/application_security/setup/standalone/nginx.md @@ -0,0 +1,82 @@ +--- +title: Enabling Application & API Protection for Nginx +code_lang: nginx +type: multi-code-lang +code_lang_weight: 50 +aliases: + - /security_platform/application_security/getting_started/nginx + - /security/application_security/getting_started/nginx + - /security/application_security/enabling/tracing_libraries/threat_detection/nginx/ +further_reading: + - link: 'https://github.com/DataDog/nginx-datadog/' + tag: "Source Code" + text: "nginx integration's source code" + - link: "/security/default_rules/?category=cat-application-security" + tag: "Documentation" + text: "OOTB App & API Protection Rules" + - link: "/security/application_security/troubleshooting" + tag: "Documentation" + text: "Troubleshooting App & API Protection" +--- + +The Datadog nginx tracing module has experimental support for threat detection and blocking. + +## Enabling Application & API Protection +### Get started + +1. Verify that your nginx build was compiled with the flag + `--with-threads`. Most distributions ship with this flag enabled by default. + To check if your nginx installation was built with thread support, run `nginx + -V` and check the `configure arguments` line. If you cannot find + `--with-threads` in the output, you will need to rebuild nginx with this flag + enabled. For more information on how to build nginx from sources, see the + [nginx documentation][3]. + +2. **Update your nginx tracing library module** to at least version 1.2.0. Visit + the [GitHub releases page][2] and select the artifact named according to the + pattern "ngx_http_datadog_module-appsec-<amd64/arm64>-<nginx + version>.so.tgz". Note that this artifact includes "appsec" in the name. + +3. **Enable Application & API Protection in the nginx configuration**. + You need to: + * define one or more thread pools with the [`thread_pool`][4] directive, + * explicitly enable Application & API Protection with [`datadog_appsec_enabled`][5], and + * map requests to a thread pool or pools that you defined with the directive + [`datadog_waf_thread_pool_name`][6]. + + For example: + + ```nginx + load_module /path/to/ngx_http_datadog_module.so; + thread_pool waf_thread_pool threads=4 max_queue=128; + http { + datadog_appsec_enabled on; + datadog_waf_thread_pool_name waf_thread_pool; + } + ``` + + For more information, see the [reference documentation][3]. + +{{% appsec-getstarted-2-plusrisk %}} + +{{< img src="/security/application_security/appsec-getstarted-threat-and-vuln_2.mp4" alt="Video showing Signals explorer and details, and Vulnerabilities explorer and details." video="true" >}} + +## Limitations + +As of version 1.3.0, the available functionality has the following important limitations: + +* The request body is not inspected, regardless of its content type. + +* It's not possible to block the request based on characteristics of the + response, such as its status code, headers, or body. + +## Further Reading + +{{< partial name="whats-next/whats-next.html" >}} + +[1]: https://github.com/DataDog/nginx-datadog/blob/master/doc/API.md +[2]: https://github.com/DataDog/nginx-datadog/releases +[3]: https://nginx.org/en/docs/configure.html +[4]: https://nginx.org/en/docs/ngx_core_module.html#thread_pool +[5]: https://github.com/DataDog/nginx-datadog/blob/master/doc/API.md#datadog_appsec_enabled-appsec-builds +[6]: https://github.com/DataDog/nginx-datadog/blob/master/doc/API.md#datadog_waf_thread_pool_name-appsec-builds diff --git a/content/en/security/application_security/setup/standalone/nodejs.md b/content/en/security/application_security/setup/standalone/nodejs.md new file mode 100644 index 0000000000000..d34fdf69b988f --- /dev/null +++ b/content/en/security/application_security/setup/standalone/nodejs.md @@ -0,0 +1,171 @@ +--- +title: Enabling Application & API Protection for Node.js +code_lang: nodejs +type: multi-code-lang +code_lang_weight: 50 +aliases: + - /security_platform/application_security/getting_started/nodejs + - /security/application_security/getting_started/nodejs + - /security/application_security/enabling/tracing_libraries/threat_detection/nodejs/ +further_reading: + - link: "/security/application_security/add-user-info/" + tag: "Documentation" + text: "Adding user information to traces" + - link: 'https://github.com/DataDog/dd-trace-js' + tag: "Source Code" + text: 'Node.js Datadog library source code' + - link: "/security/default_rules/?category=cat-application-security" + tag: "Documentation" + text: "OOTB App & API Protection Rules" + - link: "/security/application_security/troubleshooting" + tag: "Documentation" + text: "Troubleshooting App & API Protection" +--- + +You can monitor application security for Node.js apps running in Docker, Kubernetes, Amazon ECS, and AWS Fargate. + +{{% appsec-getstarted-standalone %}} + +## Enabling Application & API Protection +### Get started + +1. **Update your Datadog Node.js library package** to at least version 5.0.0 (for Node 18+) or 4.0.0 (for Node 16+) or 3.10.0 (for Node.js 14+), by running one of these commands: + ```shell + npm install dd-trace@^5 + npm install dd-trace@^4 + npm install dd-trace@^3.10.0 + ``` + Use this [migration guide][1] to assess any breaking changes if you upgraded your library. + + App & API Protection is compatible with Express v4+ and Node.js v14+. For additional information, see [Compatibility][2]. + +2. **Where you import and initialize the Node.js library for APM, also enable Application & API Protection.** This might be either in your code or with environment variables. If you initialized APM in code, add `{appsec: true}` to your init statement: + {{< tabs >}} +{{% tab "In JavaScript code" %}} + +```js +// This line must come before importing any instrumented module. +const tracer = require('dd-trace').init({ + appsec: true, + tracing: false // To disable APM tracing and use security features only +}) +``` + +{{% /tab %}} +{{% tab "In TypeScript code" %}} + +For TypeScript and bundlers that support EcmaScript Module syntax, initialize the tracer in a separate file in order to maintain correct load order. +```typescript +// server.ts +import './tracer'; // must come before importing any instrumented module. + +// tracer.ts +import tracer from 'dd-trace'; +tracer.init({ + appsec: true, + tracing: false // To disable APM tracing and use security features only +}); // initialized in a different file to avoid hoisting. +export default tracer; +``` +If the default config is sufficient, or all configuration is done through environment variables, you can also use `dd-trace/init`, which loads and initializes in one step. +```typescript +import `dd-trace/init`; +``` +{{% /tab %}} + +{{< /tabs >}} + + **Or** if you initialize the APM library on the command line using the `--require` option to Node.js: + ```shell + node --require dd-trace/init app.js + ``` + Then use environment variables to enable Application & API Protection: + ```shell + DD_APPSEC_ENABLED=true DD_APM_TRACING_ENABLED=false node app.js + ``` + How you do this varies depending on where your service runs: + {{< tabs >}} +{{% tab "Docker CLI" %}} + +Update your configuration container for APM by adding the following arguments in your `docker run` command: + +```shell +docker run [...] -e DD_APPSEC_ENABLED=true -e DD_APM_TRACING_ENABLED=false [...] +``` + +{{% /tab %}} +{{% tab "Dockerfile" %}} + +Add the following environment variable values to your container Dockerfile: + +```Dockerfile +ENV DD_APPSEC_ENABLED=true +ENV DD_APM_TRACING_ENABLED=false +``` + +{{% /tab %}} +{{% tab "Kubernetes" %}} + +Update your configuration yaml file container for APM and add the Application & API Protection env variables: + +```yaml +spec: + template: + spec: + containers: + - name: + image: / + env: + - name: DD_APPSEC_ENABLED + value: "true" + - name: DD_APM_TRACING_ENABLED + value: "false" +``` + +{{% /tab %}} +{{% tab "Amazon ECS" %}} + +Update your ECS task definition JSON file, by adding these in the environment section: + +```json +"environment": [ + ..., + { + "name": "DD_APPSEC_ENABLED", + "value": "true" + }, + { + "name": "DD_APM_TRACING_ENABLED", + "value": "false" + } +] +``` + +{{% /tab %}} +{{% tab "AWS Fargate" %}} + +Initialize Application & API Protection in your code or set environment variables in your service invocation: +```shell +DD_APPSEC_ENABLED=true DD_APM_TRACING_ENABLED=false node app.js +``` + +{{% /tab %}} +{{< /tabs >}} + +{{% appsec-getstarted-2-plusrisk %}} + +{{< img src="/security/application_security/appsec-getstarted-threat-and-vuln_2.mp4" alt="Video showing Signals explorer and details, and Vulnerabilities explorer and details." video="true" >}} + + +If you need additional assistance, contact [Datadog support][6]. + +## Further Reading + +{{< partial name="whats-next/whats-next.html" >}} + +[1]: https://github.com/DataDog/dd-trace-js/blob/master/MIGRATING.md +[2]: /security/application_security/threats/setup/threat_detection/nodejs +[3]: /security/application_security/threats/setup/threat_detection/nodejs +[4]: /agent/versions/upgrade_between_agent_minor_versions/ +[5]: https://app.datadoghq.com/security/appsec/vm +[6]: /help diff --git a/content/en/security/application_security/setup/standalone/php.md b/content/en/security/application_security/setup/standalone/php.md new file mode 100644 index 0000000000000..3a5ed8c6e56a8 --- /dev/null +++ b/content/en/security/application_security/setup/standalone/php.md @@ -0,0 +1,109 @@ +--- +title: Enabling Application & API Protection for PHP +code_lang: php +type: multi-code-lang +code_lang_weight: 40 +aliases: + - /security_platform/application_security/getting_started/php + - /security/application_security/getting_started/php + - /security/application_security/enabling/tracing_libraries/threat_detection/php/ +further_reading: + - link: "/security/application_security/add-user-info/" + tag: "Documentation" + text: "Adding user information to traces" + - link: 'https://github.com/DataDog/dd-trace-php' + tag: "Source Code" + text: 'PHP Datadog Tracer Library source code' + - link: "/security/default_rules/?category=cat-application-security" + tag: "Documentation" + text: "OOTB App & API Protection Rules" + - link: "/security/application_security/troubleshooting" + tag: "Documentation" + text: "Troubleshooting App & API Protection" +--- + +You can monitor application security for PHP apps running in host-based or container-based environments such as Docker, Kubernetes, AWS ECS, and AWS EKS. + +{{% appsec-getstarted-standalone %}} + +## Enabling Application & API Protection +### Get started + +1. **Install the latest Datadog PHP library** by downloading and running the installer: + ```shell + wget https://github.com/DataDog/dd-trace-php/releases/latest/download/datadog-setup.php -O datadog-setup.php + php datadog-setup.php --php-bin all --enable-appsec + ``` + To check that your service's language and framework versions are supported for Application & API Protection capabilities, see [Compatibility][1]. + +2. **Enable the library in your code** by restarting PHP-FPM or Apache. In a containerized environment, if you previously installed the library without enabling Application & API Protection, you can optionally enable it after by setting the following environment variables: + {{< tabs >}} +{{% tab "Docker CLI" %}} + +Update your configuration container for APM by adding the following arguments in your `docker run` command: + +```shell +docker run [...] -e DD_APPSEC_ENABLED=true -e DD_APM_TRACING_ENABLED=false [...] +``` + +{{% /tab %}} +{{% tab "Dockerfile" %}} + +Add the following environment variable values to your container Dockerfile: + +```Dockerfile +ENV DD_APPSEC_ENABLED=true +ENV DD_APM_TRACING_ENABLED=false +``` + +{{% /tab %}} +{{% tab "Kubernetes" %}} + +Update your configuration yaml file container for APM and add the environment variables: + +```yaml +spec: + template: + spec: + containers: + - name: + image: / + env: + - name: DD_APPSEC_ENABLED + value: "true" + - name: DD_APM_TRACING_ENABLED + value: "false" +``` + +{{% /tab %}} +{{% tab "AWS ECS" %}} + +Update your ECS task definition JSON file, by adding these in the environment section: + +```json +"environment": [ + ..., + { + "name": "DD_APPSEC_ENABLED", + "value": "true" + }, + { + "name": "DD_APM_TRACING_ENABLED", + "value": "false" + } +] +``` + +{{% /tab %}} + +{{< /tabs >}} + +{{% appsec-getstarted-2-canary %}} + +{{< img src="/security/application_security/appsec-getstarted-threat-and-vuln_2.mp4" alt="Video showing Signals explorer and details, and Vulnerabilities explorer and details." video="true" >}} + +## Further Reading + +{{< partial name="whats-next/whats-next.html" >}} + +[1]: /security/application_security/threats/setup/compatibility/php/ diff --git a/content/en/security/application_security/setup/standalone/python.md b/content/en/security/application_security/setup/standalone/python.md new file mode 100644 index 0000000000000..93746cc7d9282 --- /dev/null +++ b/content/en/security/application_security/setup/standalone/python.md @@ -0,0 +1,122 @@ +--- +title: Enabling Application & API Protection for Python +code_lang: python +type: multi-code-lang +code_lang_weight: 50 +aliases: + - /security_platform/application_security/getting_started/python + - /security/application_security/getting_started/python + - /security/application_security/enabling/tracing_libraries/threat_detection/python +further_reading: + - link: "/security/application_security/add-user-info/" + tag: "Documentation" + text: "Adding user information to traces" + - link: 'https://github.com/DataDog/dd-trace-py' + tag: "Source Code" + text: 'Python Datadog library source code' + - link: "/security/default_rules/?category=cat-application-security" + tag: "Documentation" + text: "OOTB App & API Protection Rules" + - link: "/security/application_security/troubleshooting" + tag: "Documentation" + text: "Troubleshooting App & API Protection" +--- + +You can monitor the security of your Python apps running in Docker, Kubernetes, Amazon ECS, and AWS Fargate. + +{{% appsec-getstarted-standalone %}} + +## Enabling Application & API Protection +### Get started + +1. **Update your Datadog Python library package** to at least version 1.2.2 (at least version 1.5.0 for Software Composition Analysis detection features). Run the following: + ```shell + pip install --upgrade ddtrace + ``` + + To check that your service's language and framework versions are supported for Application & API Protection capabilities, see [Compatibility][1]. + +2. **Enable Application & API Protection when starting the Python application**. + + ```bash + DD_APPSEC_ENABLED=true DD_APM_TRACING_ENABLED=false ddtrace-run python app.py + ``` + + You can also use one of the following methods, depending on where your application runs: + {{< tabs >}} + {{% tab "Docker CLI" %}} + + Update your configuration container for APM by adding the following arguments in your `docker run` command: + + ```shell + docker run [...] -e DD_APPSEC_ENABLED=true -e DD_APM_TRACING_ENABLED=false [...] + ``` + + {{% /tab %}} + {{% tab "Dockerfile" %}} + + Add the following environment variable values to your container Dockerfile: + + ```Dockerfile + ENV DD_APPSEC_ENABLED=true + ENV DD_APM_TRACING_ENABLED=false + ``` + + {{% /tab %}} + {{% tab "Kubernetes" %}} + + Update your configuration YAML file container for APM and add the environment variables: + + ```yaml + spec: + template: + spec: + containers: + - name: + image: / + env: + - name: DD_APPSEC_ENABLED + value: "true" + - name: DD_APM_TRACING_ENABLED + value: "false" + ``` + + {{% /tab %}} + {{% tab "Amazon ECS" %}} + + Update your ECS task definition JSON file by adding the following in the environment section: + + ```json + "environment": [ + ..., + { + "name": "DD_APPSEC_ENABLED", + "value": "true" + }, + { + "name": "DD_APM_TRACING_ENABLED", + "value": "false" + } + ] + ``` + + {{% /tab %}} + {{% tab "AWS Fargate" %}} + + Initialize Application & API Protection in your code or set the environment variables in your service invocation: + ```shell + DD_APPSEC_ENABLED=true DD_APM_TRACING_ENABLED=false ddtrace-run python app.py + ``` + + {{% /tab %}} + {{< /tabs >}} + +{{% appsec-getstarted-2-plusrisk %}} + +{{< img src="/security/application_security/appsec-getstarted-threat-and-vuln_2.mp4" alt="Video showing Signals explorer and details, and Vulnerabilities explorer and details." video="true" >}} + +## Further Reading + +{{< partial name="whats-next/whats-next.html" >}} + +[1]: /security/application_security/threats/setup/compatibility/php/ diff --git a/content/en/security/application_security/setup/standalone/ruby.md b/content/en/security/application_security/setup/standalone/ruby.md new file mode 100644 index 0000000000000..121a54546b314 --- /dev/null +++ b/content/en/security/application_security/setup/standalone/ruby.md @@ -0,0 +1,233 @@ +--- +title: Enabling Application & API Protection for Ruby +code_lang: ruby +type: multi-code-lang +code_lang_weight: 30 +aliases: + - /security_platform/application_security/getting_started/ruby + - /security/application_security/getting_started/ruby + - /security/application_security/enabling/tracing_libraries/threat_detection/ruby/ +further_reading: + - link: "/security/application_security/add-user-info/" + tag: "Documentation" + text: "Adding user information to traces" + - link: 'https://github.com/DataDog/dd-trace-rb' + tag: "Source Code" + text: 'Ruby Datadog library source code' + - link: "/security/default_rules/?category=cat-application-security" + tag: "Documentation" + text: "OOTB App & API Protection Rules" + - link: "/security/application_security/troubleshooting" + tag: "Documentation" + text: "Troubleshooting App & API Protection" +--- + +You can monitor application security for Ruby apps running in Docker, Kubernetes, Amazon ECS, and AWS Fargate. + +{{% appsec-getstarted-standalone %}} + +## Enabling Application & API Protection +### Get started + +1. **Update your Gemfile to include the Datadog library**: + + ```ruby + gem 'datadog', '~> 2.0' # Use 'ddtrace' if you're using v1.x + ``` + + To check that your service's language and framework versions are supported for Application & API Protection capabilities, see [Compatibility][1]. + + For more information about upgrading to v2 from a `dd-trace` 1.x version, see [the Ruby tracer upgrade guide][2]. + +2. **Enable Application & API Protection** by enabling the APM tracer. The following options describe a quick setup that covers the most common cases. Read [the Ruby tracer documentation][3] for more details. + + You can enable Application & API Protection either in your code: + + {{< tabs >}} + +{{% tab "Rails" %}} + Enable the APM tracer by adding an initializer in your application code: + + ```ruby + # config/initializers/datadog.rb + + require 'datadog/appsec' + + Datadog.configure do |c| + # enable the APM tracer but disable trace processing - for security-only use + c.tracing.instrument :rails + c.tracing.enabled = false + + # enable Application & API Protection + c.appsec.enabled = true + c.appsec.instrument :rails + end + ``` + + Or enable the APM tracer through auto-instrumentation by updating your Gemfile to auto-instrument: + + ```ruby + gem 'datadog', '~> 2.0', require: 'datadog/auto_instrument' + ``` + + And also enable `appsec` and disable tracing: + + ```ruby + # config/initializers/datadog.rb + + require 'datadog/appsec' + + Datadog.configure do |c| + # the APM tracer is enabled by auto-instrumentation + c.tracing.enabled = false + + # enable Application & API Protection + c.appsec.enabled = true + c.appsec.instrument :rails + end + ``` + +{{% /tab %}} + +{{% tab "Sinatra" %}} + Enable the APM tracer by adding the following to your application's startup: + + ```ruby + require 'sinatra' + require 'datadog' + require 'datadog/appsec' + + Datadog.configure do |c| + # enable the APM tracer but disable trace processing - for security-only use + c.tracing.instrument :sinatra + c.tracing.enabled = false + + # enable Application & API Protection for Sinatra + c.appsec.enabled = true + c.appsec.instrument :sinatra + end + ``` + + Or enable the APM tracer through auto-instrumentation: + + ```ruby + require 'sinatra' + require 'datadog/auto_instrument' + + Datadog.configure do |c| + # the APM tracer is enabled by auto-instrumentation + c.tracing.enabled = false + + # enable Application & API Protection for Sinatra + c.appsec.enabled = true + c.appsec.instrument :sinatra + end + ``` +{{% /tab %}} + +{{% tab "Rack" %}} + Enable the APM tracer by adding the following to your `config.ru` file: + + ```ruby + require 'datadog' + require 'datadog/appsec' + + Datadog.configure do |c| + # enable the APM tracer but disable trace processing - for security-only use + c.tracing.instrument :rack + c.tracing.enabled = false + + # enable Application & API Protection for Rack + c.appsec.enabled = true + c.appsec.instrument :rack + end + + use Datadog::Tracing::Contrib::Rack::TraceMiddleware + use Datadog::AppSec::Contrib::Rack::RequestMiddleware + ``` +{{% /tab %}} + +{{< /tabs >}} + + Or one of the following methods, depending on where your application runs: + + {{< tabs >}} +{{% tab "Docker CLI" %}} + +Update your configuration container for APM by adding the following arguments in your `docker run` command: + +```shell +docker run [...] -e DD_APPSEC_ENABLED=true -e DD_APM_TRACING_ENABLED=false [...] +``` + +{{% /tab %}} +{{% tab "Dockerfile" %}} + +Add the following environment variable values to your container Dockerfile: + +```Dockerfile +ENV DD_APPSEC_ENABLED=true +ENV DD_APM_TRACING_ENABLED=false +``` + +{{% /tab %}} +{{% tab "Kubernetes" %}} + +Update your configuration yaml file container for APM and add the environment variables: + +```yaml +spec: + template: + spec: + containers: + - name: + image: / + env: + - name: DD_APPSEC_ENABLED + value: "true" + - name: DD_APM_TRACING_ENABLED + value: "false" +``` + +{{% /tab %}} +{{% tab "Amazon ECS" %}} + +Update your ECS task definition JSON file, by adding these in the environment section: + +```json +"environment": [ + ..., + { + "name": "DD_APPSEC_ENABLED", + "value": "true" + }, + { + "name": "DD_APM_TRACING_ENABLED", + "value": "false" + } +] +``` + +{{% /tab %}} +{{% tab "AWS Fargate" %}} + +Initialize Application & API Protection in your code or set the environment variables in your service invocation: +```shell +env DD_APPSEC_ENABLED=true DD_APM_TRACING_ENABLED=false rails server +``` + +{{% /tab %}} + +{{< /tabs >}} + +{{% appsec-getstarted-2-canary %}} + +{{< img src="/security/application_security/appsec-getstarted-threat-and-vuln_2.mp4" alt="Video showing Signals explorer and details, and Vulnerabilities explorer and details." video="true" >}} + +## Further Reading + +{{< partial name="whats-next/whats-next.html" >}} + +[1]: /security/application_security/threats/setup/compatibility/ruby/ +[2]: https://github.com/DataDog/dd-trace-rb/blob/master/docs/UpgradeGuide2.md +[3]: /tracing/trace_collection/dd_libraries/ruby/ diff --git a/content/en/security/application_security/setup/threat_detection/_index.md b/content/en/security/application_security/setup/threat_detection/_index.md new file mode 100644 index 0000000000000..534ea48f6b1d1 --- /dev/null +++ b/content/en/security/application_security/setup/threat_detection/_index.md @@ -0,0 +1,40 @@ +--- +title: Enabling AAP Threat Detection using Datadog Tracing Libraries +type: multi-code-lang +aliases: +- /security/application_security/enabling/tracing_libraries/threat_detection/ +- /security/application_security/threats/threat_detection/ +further_reading: +- link: "/security/application_security/" + tag: "Documentation" + text: "Protect against Threats with Datadog App and API Protection" +- link: "/security/application_security/add-user-info/" + tag: "Documentation" + text: "Tracking user activity" +- link: "/security/default_rules/?category=cat-application-security" + tag: "Documentation" + text: "OOTB App and API Protection Rules" +- link: "/security/application_security/troubleshooting" + tag: "Documentation" + text: "Troubleshooting App and API Protection" +- link: "/security/application_security/how-appsec-works/" + tag: "Documentation" + text: "How App and API Protection Works in Datadog" +--- + +## Prerequisites + +Before setting up Threat Management, ensure the following prerequisites are met: +- **Datadog Agent Installation:** The Datadog Agent is installed and configured for your application's operating system or container, cloud, or virtual environment. +- **Datadog APM Configuration:** Datadog APM is configured for your application or service, and web traces (`type:web`) are being received by Datadog. +- **Supported Tracing Library:** The Datadog Tracing Library used by your application or service supports Threat Management capabilities for the language of your application or service. For more details, refer to the [Library Compatibility][1] page. + +Select your application language for details on how to enable AAP Threat Detection for your language and infrastructure types. + +{{< partial name="security-platform/appsec-languages.html" >}}
+ +## Further Reading + +{{< partial name="whats-next/whats-next.html" >}} + +[1]: /security/application_security/threats/setup/compatibility diff --git a/content/en/security/application_security/setup/threat_detection/dotnet.md b/content/en/security/application_security/setup/threat_detection/dotnet.md new file mode 100644 index 0000000000000..5ad4767192c47 --- /dev/null +++ b/content/en/security/application_security/setup/threat_detection/dotnet.md @@ -0,0 +1,201 @@ +--- +title: Enabling AAP for .NET +code_lang: dotnet +type: multi-code-lang +code_lang_weight: 10 +aliases: + - /security_platform/application_security/getting_started/dotnet + - /security/application_security/getting_started/dotnet + - /security/application_security/enabling/tracing_libraries/threat_detection/dotnet/ +further_reading: + - link: "/security/application_security/add-user-info/" + tag: "Documentation" + text: "Adding user information to traces" + - link: 'https://github.com/DataDog/dd-trace-dotnet' + tag: "Source Code" + text: '.NET Datadog library source code' + - link: "/security/default_rules/?category=cat-application-security" + tag: "Documentation" + text: "OOTB App and API Protection Rules" + - link: "/security/application_security/troubleshooting" + tag: "Documentation" + text: "Troubleshooting App and API Protection" +--- + +You can monitor application security for .NET apps running in Docker, Kubernetes, Amazon ECS, and AWS Fargate. + +{{% appsec-getstarted %}} + +## Enabling threat detection +### Get started + +1. **Update your [Datadog .NET library][1]** to at least version 2.2.0 (at least version 2.16.0 for Software Composition Analysis detection features) for your target operating system architecture. + + To check that your service's language and framework versions are supported for AAP capabilities, see [Compatibility][2]. + +2. **Enable AAP** by setting the `DD_APPSEC_ENABLED` environment variable to `true`. For example, on Windows self-hosted, run the following PowerShell snippet as part of your application start up script: + ``` + $target=[System.EnvironmentVariableTarget]::Process + [System.Environment]::SetEnvironmentVariable("DD_APPSEC_ENABLED","true",$target) + ``` + + **Or** one of the following methods, depending on where your application runs: + + {{< tabs >}} +{{% tab "Windows self-hosted" %}} + +In a Windows console: + +``` +rem Set environment variables +SET CORECLR_ENABLE_PROFILING=1 +SET CORECLR_PROFILER={846F5F1C-F9AE-4B07-969E-05C26BC060D8} +SET DD_APPSEC_ENABLED=true + +rem Start application +dotnet.exe example.dll +``` + +{{% /tab %}} +{{% tab "IIS" %}} + +Run the following PowerShell command as administrator to configure the necessary environment variables in the registry `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment` and restart IIS. +``` +$target=[System.EnvironmentVariableTarget]::Machine +[System.Environment]::SetEnvironmentVariable("DD_APPSEC_ENABLED","true",$target) +net stop was /y +net start w3svc +``` + +**Or**, for IIS services exclusively, on WAS and W3SVC with Powershell as an administrator, run: + +``` +$appsecPart = "DD_APPSEC_ENABLED=true" +[string[]] $defaultvariable = @("CORECLR_ENABLE_PROFILING=1", "CORECLR_PROFILER={846F5F1C-F9AE-4B07-969E-05C26BC060D8}", $appsecPart) + +function Add-AppSec { + + param ( + $path + ) + $v = (Get-ItemProperty -Path $path).Environment + If ($v -eq $null) { + Set-ItemProperty -Path $path -Name "Environment" -Value $defaultvariable + } + ElseIf (-not ($v -match $appsecPart)) { + $v += " " + $appsecPart; + Set-ItemProperty -Path $path -Name "Environment" -Value $v + } +} +Add-AppSec -path "HKLM:SYSTEM\CurrentControlSet\Services\WAS\" +Add-AppSec -path "HKLM:SYSTEM\CurrentControlSet\Services\W3SVC\" + +net stop was /y +net start w3svc +``` + +**Or**, to avoid editing registry keys, edit the application settings in the `web.config` file of your application: +```xml + + + + + +``` + +This can also be done at the IIS application pools level in the `applicationHost.config` file, usually in `C:\Windows\System32\inetsrv\config\`: +```xml + + + + + + + + (...) +``` + +{{% /tab %}} +{{% tab "Linux" %}} + +Add the following to your application configuration: +```conf +DD_APPSEC_ENABLED=true +``` +{{% /tab %}} +{{% tab "Docker CLI" %}} + +Update your configuration container for APM by adding the following argument in your `docker run` command: + +```shell +docker run [...] -e DD_APPSEC_ENABLED=true [...] +``` + +{{% /tab %}} +{{% tab "Dockerfile" %}} + +Add the following environment variable value to your container Dockerfile: + +```Dockerfile +ENV DD_APPSEC_ENABLED=true +``` + +{{% /tab %}} +{{% tab "Kubernetes" %}} + +Update your deployment configuration file for APM and add the AAP environment variable: + +```yaml +spec: + template: + spec: + containers: + - name: + image: / + env: + - name: DD_APPSEC_ENABLED + value: "true" +``` + +{{% /tab %}} +{{% tab "Amazon ECS" %}} + +Update your ECS task definition JSON file, by adding this in the environment section: + +```json +"environment": [ + ..., + { + "name": "DD_APPSEC_ENABLED", + "value": "true" + } +] +``` + +{{% /tab %}} +{{% tab "AWS Fargate" %}} + +Add the following line to your container Dockerfile: +```Dockerfile +ENV DD_APPSEC_ENABLED=true +``` + +{{% /tab %}} + +{{< /tabs >}} + +3. **Restart the application** using a full stop and start. + +{{% appsec-getstarted-2-plusrisk %}} + +{{< img src="/security/application_security/appsec-getstarted-threat-and-vuln_2.mp4" alt="Video showing Signals explorer and details, and Vulnerabilities explorer and details." video="true" >}} + + +## Further Reading + +{{< partial name="whats-next/whats-next.html" >}} + +[1]: https://github.com/DataDog/dd-trace-dotnet/releases/latest +[2]: /security/application_security/threats/setup/compatibility/dotnet/ +[3]: /agent/versions/upgrade_between_agent_minor_versions/ +[4]: /security/application_security/threats/setup/compatibility/ diff --git a/content/en/security/application_security/setup/threat_detection/envoy.md b/content/en/security/application_security/setup/threat_detection/envoy.md new file mode 100644 index 0000000000000..28775ef0651d5 --- /dev/null +++ b/content/en/security/application_security/setup/threat_detection/envoy.md @@ -0,0 +1,118 @@ +--- +title: Enabling AAP for Envoy +code_lang: envoy +type: multi-code-lang +code_lang_weight: 50 +further_reading: + - link: 'https://github.com/DataDog/dd-trace-go/tree/main/contrib/envoyproxy/go-control-plane/cmd/serviceextensions' + tag: "Source Code" + text: "Envoy integration's source code" + - link: "/security/default_rules/?category=cat-application-security" + tag: "Documentation" + text: "OOTB App and API Protection Rules" + - link: "/security/application_security/troubleshooting" + tag: "Documentation" + text: "Troubleshooting App and API Protection" +--- + +{{< callout url="#" btn_hidden="true" header="AAP for Envoy is in Preview" >}} +To try the preview of AAP for Envoy, follow the setup instructions below. +{{< /callout >}} + +You can enable application security for the Envoy proxy. The Datadog Envoy integration has support for threat detection and blocking. + +## Prerequisites + +- The [Datadog Agent][1] is installed and configured for your application's operating system or container, cloud, or virtual environment. +- [Configure the Agent with Remote Configuration][2] to block attackers using the Datadog UI. + +## Enabling threat detection +### Get started + +The AAP Envoy integration uses the Envoy external processing filter. + +1. **Configure Envoy** to use the [external processing filter][3]. +For example: + + ```yaml + http_filters: + # ... other filters + - name: envoy.filters.http.ext_proc + typed_config: + "@type": type.googleapis.com/envoy.extensions.filters.http.ext_proc.v3.ExternalProcessor + config: + grpc_service: + envoy_grpc: + cluster_name: datadog_ext_proc_cluster + timeout: 1s + + clusters: + # ... other clusters + - name: datadog_ext_proc_cluster + type: STRICT_DNS + lb_policy: ROUND_ROBIN + http2_protocol_options: {} + transport_socket: + name: envoy.transport_sockets.tls + typed_config: + "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext + load_assignment: + cluster_name: datadog_ext_proc_cluster + endpoints: + - lb_endpoints: + - endpoint: + address: + socket_address: + address: Your Datadog image host from step 2 + port_value: 443 + ``` + + **Note**: you need to replace `Your Datadog image host from step 2` in the above example with the host where the Datadog Envoy docker image is running. You will configure this host next. + + You can find more configuration options available in the [Envoy external processor documentation][4]. + +2. **Run a new container with the Datadog Envoy Docker image.** The image is available on the [Datadog GitHub Registry][5]. + + The Docker image exposes some settings specifically for the Envoy integration: + | Environment variable | Default value | Description | + |----------------------------------------|-----------------|-------------------------------------------------------------------| + | `DD_SERVICE_EXTENSION_HOST` | `0.0.0.0` | gRPC server listening address. | + | `DD_SERVICE_EXTENSION_PORT` | `443` | gRPC server port. | + | `DD_SERVICE_EXTENSION_HEALTHCHECK_PORT`| `80` | HTTP server port for health checks. | + + Configure the Datadog Agent to receive traces from the integration using the following environment variables: + | Environment variable | Default value | Description | + |----------------------------------------|---------------|-----------------------------------------------------------------------| + | `DD_AGENT_HOST` | `localhost` | Hostname where your Datadog Agent is running. | + | `DD_TRACE_AGENT_PORT` | `8126` | Port of the Datadog Agent for trace collection. | + +{{% appsec-getstarted-2-plusrisk %}} + +{{< img src="/security/application_security/appsec-getstarted-threat-and-vuln_2.mp4" alt="Video showing Signals explorer and details, and Vulnerabilities explorer and details." video="true" >}} + +## Datadog Go Tracer and Envoy integration + +
+ Note: The AAP Envoy integration is built on top of the Datadog Go Tracer. It follows the same release process as the tracer, and its Docker images are tagged with the corresponding tracer version. +
+ + The Envoy integration uses the [Datadog Go Tracer][6] and inherits all environment variables from the tracer. You can find more information in [Configuring the Go Tracing Library][7] and [AAP Library Configuration][8]. + +## Limitations + +The available functionality for Envoy version `1.71.0` has the following important limitations: + +* The request body is not inspected, regardless of its content type. + +## Further Reading + +{{< partial name="whats-next/whats-next.html" >}} + +[1]: https://app.datadoghq.com/account/settings#agent +[2]: https://docs.datadoghq.com/agent/remote_config/?tab=configurationyamlfile#enabling-remote-configuration +[3]: https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/ext_proc_filter +[4]: https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/http/ext_proc/v3/ext_proc.proto#extensions-filters-http-ext-proc-v3-externalprocessor +[5]: https://github.com/DataDog/dd-trace-go/pkgs/container/dd-trace-go%2Fservice-extensions-callout +[6]: https://github.com/DataDog/dd-trace-go +[7]: https://docs.datadoghq.com/tracing/trace_collection/library_config/go/ +[8]: https://docs.datadoghq.com/security/application_security/threats/library_configuration/ diff --git a/content/en/security/application_security/setup/threat_detection/gcp-service-extensions.md b/content/en/security/application_security/setup/threat_detection/gcp-service-extensions.md new file mode 100644 index 0000000000000..0badbc4bc55c1 --- /dev/null +++ b/content/en/security/application_security/setup/threat_detection/gcp-service-extensions.md @@ -0,0 +1,489 @@ +--- +title: Enabling AAP for GCP Service Extensions +code_lang: gcp-service-extensions +type: multi-code-lang +code_lang_weight: 50 +further_reading: + - link: 'https://github.com/DataDog/dd-trace-go/tree/main/contrib/envoyproxy/go-control-plane/cmd/serviceextensions' + tag: "Source Code" + text: "AAP Service Extension's source code" + - link: 'https://cloud.google.com/service-extensions/docs/overview' + tag: "Documentation" + text: "Google Cloud Service Extensions overview" + - link: "/security/default_rules/?category=cat-application-security" + tag: "Documentation" + text: "OOTB App and API Protection Rules" + - link: "/security/application_security/troubleshooting" + tag: "Documentation" + text: "Troubleshooting App and API Protection" +--- + +{{< callout url="#" btn_hidden="true" header="AAP Service Extensions is in Preview" >}} +To try the preview of AAP Service Extensions for GCP, follow the setup instructions below. +{{< /callout >}} + +You can enable application security with GCP Service Extensions within GCP Cloud Load Balancing. The Datadog App and API Protection (AAP) Service Extensions integration provides threat detection and blocking capabilities directly in your GCP environment. + +## Prerequisites + +- The [Datadog Agent][1] is installed and configured for your application's operating system or container, cloud, or virtual environment. +- [Remote Configuration][2] is configured to enable blocking attackers through the Datadog UI. +- In your GCP project, you have either the project `owner` or `editor` role, or the relevant Compute Engine IAM roles: `compute.instanceAdmin.v1` (to create instances) and `compute.networkAdmin` (to set up load balancing). +- A GCP project with a Cloud Load Balancer is configured for your services. The Cloud Load Balancer must be one of the [Application Load Balancers that supports Traffic Callouts][3]. +- Compute Engine API and Network Services API are enabled: + + ```bash + gcloud services enable compute.googleapis.com networkservices.googleapis.com + ``` + +## Enabling threat detection + +To set up the AAP Service Extension in your GCP environment, use the Google Cloud Console or Terraform scripts and complete the following steps. + +**Note:** Google Cloud provides guides for creating [a callout backend service][4] and [configuring a Service Extension as a traffic extension][5]. The following steps use the same general setup but include custom configurations specific to Datadog's App and API Protection integration. + +{{< tabs >}} +{{% tab "Google Cloud Console" %}} + +1. Create a VM Compute instance using the [Datadog AAP Service Extensions Docker image][1]. + + See [Configuration](#configuration) for available environment variables when setting up your VM instance. + +
+ Note: Be sure to update your Firewall rules to allow the Load Balancer and Datadog agent to communicate with the Callout VM instance. +
+ +2. Add the VM to an unmanaged instance group. + + Specify `http:80` and `grpc:443` (or your configured values) for the port mappings of the instance group. + +3. Create a backend service with the following settings: + - Protocol: `HTTP2` + - Port name: `grpc` + - Region: select your region + - Health check port number: `80` (or your configured value) + +4. Add the instance group with the service extension VM as a backend to this backend service. + +5. Configure the Traffic Service Extension callout: + 1. In the Google Cloud console, go to **Service Extensions** and create a new Service Extension. + 2. Select your load balancer type. + 3. Select `Traffic extensions` as the type. + 4. Select your forwarding rules. +

+ +6. Create an Extension Chain + + 1. To send all traffic to the extension, insert `true` in the **Match condition**. + 2. For **Programability type**, select `Callouts`. + 3. Select the backend service you created in the previous step. + 4. Select all **Events** from the list where you want AAP to run detection (Request Headers and Response Headers are **required**). + +
+ +{{% appsec-getstarted-2-plusrisk %}} + +{{< img src="/security/application_security/appsec-getstarted-threat-and-vuln_2.mp4" alt="Video showing Signals explorer and details, and Vulnerabilities explorer and details." video="true" >}} + +[1]: https://github.com/DataDog/dd-trace-go/pkgs/container/dd-trace-go%2Fservice-extensions-callout +{{% /tab %}} + +{{% tab "Terraform" %}} + +You can use Terraform to automate the deployment of the AAP GCP Service Extension. This simplifies the process of setting up the service extension to work with your existing load balancer. + +### Prerequisites for Terraform deployment + +- [Terraform][1] installed on your local machine (version 1.0.0 or later) +- GCP credentials with appropriate permissions +- A Datadog API key (used to configure the Datadog Agent) +- An existing GCP Cloud Load Balancer for your application + +### Infrastructure Overview + +The Terraform deployment will create the following components: +- A Datadog Agent VM for collecting traces with security events +- A VM running the Datadog Service Extension Callout in a container +- A firewall rule allowing communication between the extension and the Agent +- An unmanaged instance group containing the Service Extension VM +- A backend service configured for HTTP/2 with health checks +- A service extension connected to your existing load balancer + +### Deployment Steps + +The AAP Service Extension deployment requires several components that work together. We'll create a Terraform module that encapsulates all these components, making the deployment process repeatable and easier to maintain. + +1. Create a new directory and the necessary Terraform files: + + ```bash + mkdir gcp-aap-service-extension && cd gcp-aap-service-extension + touch main.tf variables.tf + ``` + +2. Add the following code to your `main.tf` file. This file defines all the infrastructure components needed for the AAP Service Extension, including network rules, VM instances, and load balancer configuration: + + ```hcl + # main.tf + + #---------------------------------------------------------- + # Network Configuration + #---------------------------------------------------------- + + # Firewall rule to allow the Service Extension to communicate with the Datadog Agent + resource "google_compute_firewall" "aap_se_firewall" { + name = "${var.project_prefix}-dd-agent-firewall" + network = "default" + + allow { + protocol = "tcp" + ports = ["8126"] + } + + source_tags = ["http-server"] + target_tags = ["datadog-agent"] + } + + #---------------------------------------------------------- + # Datadog Agent Configuration + #---------------------------------------------------------- + + # Datadog Agent container configuration + module "gce-container-datadog-agent" { + source = "terraform-google-modules/container-vm/google" + + container = { + image = "public.ecr.aws/datadog/agent:latest" + env = [ + { + name = "DD_API_KEY", + value = var.datadog_agent_api_key, + }, + { + name = "DD_ENV", + value = "dev", + }, + ] + } + } + + # Datadog Agent VM instance that collects traces from the Service Extension + resource "google_compute_instance" "datadog_agent" { + name = "${var.project_prefix}-datadog-agent" + machine_type = "e2-medium" + zone = var.zone + + boot_disk { + auto_delete = true + + initialize_params { + image = module.gce-container-datadog-agent.source_image + } + + } + + network_interface { + network = "default" + subnetwork = var.application_vpc_subnetwork + } + + metadata = { + gce-container-declaration = module.gce-container-datadog-agent.metadata_value + google-logging-enabled = "true" + } + + lifecycle { + create_before_destroy = true + } + + tags = ["datadog-agent"] + } + + #---------------------------------------------------------- + # Service Extension Callout Container Configuration + #---------------------------------------------------------- + + # Datadog AAP GCP Service Extension container configuration + module "gce-container-aap-service-extension" { + source = "terraform-google-modules/container-vm/google" + + container = { + image = "ghcr.io/datadog/dd-trace-go/service-extensions-callout:v1.72.1" # Replace with the latest version + env = [ + { + name = "DD_AGENT_HOST", + value = google_compute_instance.datadog_agent.network_interface.0.network_ip, + } + ] + } + } + + # Service Extension VM instance (callout instance) + resource "google_compute_instance" "default" { + name = "${var.project_prefix}-instance" + machine_type = "e2-medium" + zone = var.zone + + boot_disk { + auto_delete = true + + initialize_params { + image = module.gce-container-aap-service-extension.source_image + } + + } + + network_interface { + network = var.application_vpc_network + subnetwork = var.application_vpc_subnetwork + } + + metadata = { + gce-container-declaration = module.gce-container-aap-service-extension.metadata_value + google-logging-enabled = "true" + } + + lifecycle { + create_before_destroy = true + } + + # http-server: Allow access on the http server for health checks + # https-server: Allow access on the 443 port for the AAP Service Extension + tags = ["http-server", "https-server", "lb-health-check"] + } + + #---------------------------------------------------------- + # Load Balancer Integration + #---------------------------------------------------------- + + # Unmanaged Instance Group including the AAP Service Extension instance + resource "google_compute_instance_group" "aap_se_instance_group" { + name = "${var.project_prefix}-instance-group" + description = "Unmanaged instance group for the AAP Service Extension" + zone = var.zone + + named_port { + name = "http" + port = 80 + } + + named_port { + name = "grpc" + port = "443" + } + + instances = [ + google_compute_instance.default.self_link + ] + } + + # Health Check for the Backend Service + resource "google_compute_health_check" "aap_se_health_check" { + name = "${var.project_prefix}-health-check" + check_interval_sec = 5 + timeout_sec = 5 + healthy_threshold = 2 + unhealthy_threshold = 2 + + http_health_check { + port = 80 + request_path = "/" + } + } + + # Backend Service that points to the Service Extension instance group + resource "google_compute_backend_service" "se_backend_service" { + name = "${var.project_prefix}-backend-service" + port_name = "grpc" + protocol = "HTTP2" + timeout_sec = 10 + health_checks = [google_compute_health_check.aap_se_health_check.self_link] + load_balancing_scheme = "EXTERNAL_MANAGED" + + backend { + group = google_compute_instance_group.aap_se_instance_group.self_link + } + } + + #---------------------------------------------------------- + # GCP Service Extension + #---------------------------------------------------------- + + # GCP Service Extension configuration for traffic interception + resource "google_network_services_lb_traffic_extension" "default" { + name = "${var.project_prefix}-service-extension" + description = "Datadog AAP Service Extension" + location = "global" + + load_balancing_scheme = "EXTERNAL_MANAGED" + forwarding_rules = [var.load_balancer_forwarding_rule] + + extension_chains { + name = "${var.project_prefix}-service-extension-chain" + + match_condition { + cel_expression = "true" # Match all traffic + } + + extensions { + name = "${var.project_prefix}-service-extension-chain-ext" + authority = "datadoghq.com" + service = google_compute_backend_service.se_backend_service.self_link + timeout = "0.5s" + fail_open = false # If the extension fails, the request is dropped + + # Supported events for the AAP Service Extension + supported_events = ["REQUEST_HEADERS", "REQUEST_BODY", "RESPONSE_HEADERS", "RESPONSE_BODY"] + } + } + } + ``` + + +3. Add the following content to the `variables.tf` file. This file defines all the required input variables for your Terraform configuration: + + ```hcl + # variables.tf + + variable "region" { + description = "The GCP region where resources will be created (e.g., us-central1)" + type = string + validation { + condition = length(var.region) > 0 + error_message = "Region cannot be empty." + } + } + + variable "zone" { + description = "The GCP zone where zonal resources will be created (e.g., us-central1-a)" + type = string + validation { + condition = length(var.zone) > 0 + error_message = "Zone cannot be empty." + } + } + + # Project configuration + variable "project_prefix" { + description = "Prefix for the project. All resource names will be prefixed with this value" + type = string + validation { + condition = length(var.project_prefix) > 0 + error_message = "Project prefix cannot be empty." + } + } + + # Network configuration + variable "application_vpc_network" { + + description = "Name of the VPC network for the application" + type = string + validation { + condition = length(var.application_vpc_network) > 0 + error_message = "VPC network name cannot be empty." + } + } + + variable "application_vpc_subnetwork" { + + description = "Name of the VPC subnetwork for the application" + type = string + validation { + condition = length(var.application_vpc_subnetwork) > 0 + error_message = "VPC subnetwork name cannot be empty." + } + } + + # Authentication and API keys + variable "datadog_agent_api_key" { + description = "Datadog API key" + type = string + sensitive = true + validation { + condition = length(var.datadog_agent_api_key) > 0 + error_message = "Datadog API key cannot be empty." + } + } + + # Load balancer configuration + variable "load_balancer_forwarding_rule" { + description = "Self link to the forwarding rule for the load balancer" + } + ``` + +4. Include the module in your main Terraform project. This example shows how to reference the module you created above: + + ```hcl + # main.tf + + module "service_extension" { + source = "./gcp-aap-service-extension" + zone = "us-central1-a" + region = "us-central1" + project_prefix = "datadog-aap" + application_vpc_subnetwork = "your-subnet-name" + datadog_agent_api_key = "your-datadog-api-key" + load_balancer_forwarding_rule = "projects/your-project/regions/us-central1/forwardingRules/your-lb-rule" # or with a self link on your resource + } + ``` + +5. Deploy the infrastructure by running these commands in the directory where your Terraform files are located: + + ```bash + terraform init + terraform plan + terraform apply + ``` + +### Post-deployment validation + +The service extension automatically inspects all traffic passing through your load balancer for security threats. + +{{% appsec-getstarted-2-plusrisk %}} + +{{< img src="/security/application_security/appsec-getstarted-threat-and-vuln_2.mp4" alt="Video showing Signals explorer and details, and Vulnerabilities explorer and details." video="true" >}} + +[1]: https://www.terraform.io/ +{{% /tab %}} +{{< /tabs >}} + +## Configuration + +The Datadog AAP Service Extension Docker image supports the following configuration settings: + +| Environment variable | Default value | Description | +|----------------------------------------|-----------------|-------------------------------------------------------------------| +| `DD_SERVICE_EXTENSION_HOST` | `0.0.0.0` | gRPC server listening address. | +| `DD_SERVICE_EXTENSION_PORT` | `443` | gRPC server port. | +| `DD_SERVICE_EXTENSION_HEALTHCHECK_PORT`| `80` | HTTP server port for health checks. | + +Configure the container to send traces to your Datadog Agent using the following environment variables: + +| Environment variable | Default value | Description | +|----------------------------------------|---------------|-----------------------------------------------------------------------| +| `DD_AGENT_HOST` | `localhost` | Hostname where your Datadog Agent is running. | +| `DD_TRACE_AGENT_PORT` | `8126` | Port of the Datadog Agent for trace collection. | + +
+ Note: The GCP Service Extensions integration is built on top of the Datadog Go Tracer. It follows the same release process as the tracer, and its Docker images are tagged with the corresponding tracer version. +
+ +The GCP Service Extensions integration uses the [Datadog Go Tracer][6] and inherits all environment variables from the tracer. You can find more configuration options in [Configuring the Go Tracing Library][7] and [AAP Library Configuration][8]. + +## Limitations + +The GCP Service Extensions have the following limitations: + +* The request body is not inspected, regardless of its content type. + +## Further Reading + +{{< partial name="whats-next/whats-next.html" >}} + +[1]: https://app.datadoghq.com/account/settings#agent +[2]: https://docs.datadoghq.com/agent/remote_config/?tab=configurationyamlfile#enabling-remote-configuration +[3]: https://cloud.google.com/service-extensions/docs/lb-extensions-overview#supported-lbs +[4]: https://cloud.google.com/service-extensions/docs/configure-callout-backend-service +[5]: https://cloud.google.com/service-extensions/docs/configure-traffic-extensions +[6]: https://github.com/DataDog/dd-trace-go +[7]: https://docs.datadoghq.com/tracing/trace_collection/library_config/go/ +[8]: https://docs.datadoghq.com/security/application_security/threats/library_configuration/ \ No newline at end of file diff --git a/content/en/security/application_security/setup/threat_detection/go.md b/content/en/security/application_security/setup/threat_detection/go.md new file mode 100644 index 0000000000000..bc1a328c69c56 --- /dev/null +++ b/content/en/security/application_security/setup/threat_detection/go.md @@ -0,0 +1,124 @@ +--- +title: Enabling AAP for Go +code_lang: go +type: multi-code-lang +code_lang_weight: 20 +aliases: + - /security_platform/application_security/getting_started/go + - /security/application_security/getting_started/go + - /security/application_security/enabling/tracing_libraries/threat_detection/go/ +further_reading: + - link: "/security/application_security/add-user-info/" + tag: "Documentation" + text: "Adding user information to traces" + - link: 'https://github.com/DataDog/dd-trace-go/tree/v1' + tag: "Source Code" + text: 'Go Datadog library source code' + - link: "/security/default_rules/?category=cat-application-security" + tag: "Documentation" + text: "OOTB App and API Protection Rules" + - link: "/security/application_security/troubleshooting" + tag: "Documentation" + text: "Troubleshooting App and API Protection" +--- + +You can monitor application security for Go apps running in Docker, Kubernetes, and Amazon ECS. + +{{% appsec-getstarted %}} +- Your service is [supported][2]. + +## Enabling threat detection +### Get started + +1. **Add to your program's go.mod dependencies** the latest version of the Datadog Go library (version 1.53.0 or later): + + ```shell + $ go get -v -u gopkg.in/DataDog/dd-trace-go.v1 # v1 + # $ go get -v -u github.com/DataDog/dd-trace-go/v2/ddtrace/tracer # v2 + ``` + +2. Datadog has a series of pluggable packages which provide out-of-the-box support for instrumenting a series of Go libraries and frameworks. + A list of these packages can be found in the [compatibility requirements][1] page. Import these packages into your application and follow the configuration instructions listed alongside each integration. + +3. **Recompile your program** with AAP enabled: + ```console + $ go build -v -tags appsec my-program + ``` + + **Notes**: + - The Go build tag `appsec` is not necessary if CGO is enabled with `CGO_ENABLED=1`. + - Datadog WAF needs the following shared libraries on Linux: `libc.so.6` and `libpthread.so.0`. + - When using the build tag `appsec` and CGO is disabled, the produced binary is still linked dynamically to these libraries. + - The Go build tag `datadog.no_waf` can be used to disable AAP at build time in any situation where the requirements above are a hinderance. + +4. **Redeploy your Go service and enable AAP** by setting the `DD_APPSEC_ENABLED` environment variable to `true`: + ```console + $ env DD_APPSEC_ENABLED=true ./my-program + ``` + + Or one of the following methods, depending on where your application runs: + + {{< tabs >}} +{{% tab "Docker CLI" %}} + +Add the following environment variable value to your Docker command line: + +```console +$ docker run -e DD_APPSEC_ENABLED=true [...] +``` + +{{% /tab %}} +{{% tab "Dockerfile" %}} + +Add the following environment variable value to your application container's Dockerfile: + +```Dockerfile +ENV DD_APPSEC_ENABLED=true +``` + +{{% /tab %}} +{{% tab "Kubernetes" %}} + +Update your application's deployment configuration file for APM and add the AAP environment variable: + +```yaml +spec: + template: + spec: + containers: + - name: + image: / + env: + - name: DD_APPSEC_ENABLED + value: "true" +``` + +{{% /tab %}} +{{% tab "Amazon ECS" %}} + +Update your application's ECS task definition JSON file, by adding this in the environment section: + +```json +"environment": [ + ..., + { + "name": "DD_APPSEC_ENABLED", + "value": "true" + } +] +``` + +{{% /tab %}} + +{{< /tabs >}} + +{{% appsec-getstarted-2 %}} + +{{< img src="/security/application_security/appsec-getstarted-threat-and-vuln_2.mp4" alt="Video showing Signals explorer and details, and Vulnerabilities explorer and details." video="true" >}} + +## Further Reading + +{{< partial name="whats-next/whats-next.html" >}} + +[1]: /security/application_security/threats/setup/compatibility/go/#web-framework-compatibility +[2]: /security/application_security/threats/setup/compatibility/go/ diff --git a/content/en/security/application_security/setup/threat_detection/java.md b/content/en/security/application_security/setup/threat_detection/java.md new file mode 100644 index 0000000000000..ba9b849792bb2 --- /dev/null +++ b/content/en/security/application_security/setup/threat_detection/java.md @@ -0,0 +1,146 @@ +--- +title: Enabling AAP for Java +code_lang: java +type: multi-code-lang +code_lang_weight: 0 +aliases: + - /security_platform/application_security/getting_started/java + - /security/application_security/getting_started/java +further_reading: +- link: "/security/application_security/add-user-info/" + tag: "Documentation" + text: "Adding user information to traces" +- link: 'https://github.com/DataDog/dd-trace-java' + tag: "Source Code" + text: 'Java Datadog library source code' +- link: "/security/default_rules/?category=cat-application-security" + tag: "Documentation" + text: "OOTB App and API Protection Rules" +- link: "/security/application_security/troubleshooting" + tag: "Documentation" + text: "Troubleshooting App and API Protection" + +--- + +You can monitor application security for Java apps running in Docker, Kubernetes, Amazon ECS, and AWS Fargate. + +{{% appsec-getstarted %}} + +## Enabling threat detection +### Get started + +1. **Update your [Datadog Java library][1]** to at least version 0.94.0 (at least version 1.1.4 for Software Composition Analysis detection features): + + {{< tabs >}} + {{% tab "Wget" %}} + ```shell + wget -O dd-java-agent.jar 'https://dtdg.co/latest-java-tracer' + ``` +{{% /tab %}} +{{% tab "cURL" %}} + ```shell + curl -Lo dd-java-agent.jar 'https://dtdg.co/latest-java-tracer' + ``` +{{% /tab %}} +{{% tab "Dockerfile" %}} + ```dockerfile + ADD 'https://dtdg.co/latest-java-tracer' dd-java-agent.jar + ``` +{{% /tab %}} +{{< /tabs >}} + + To check that your service's language and framework versions are supported for AAP capabilities, see [Compatibility][2]. + +2. **Run your Java application with AAP enabled.** From the command line: + ```shell + java -javaagent:/path/to/dd-java-agent.jar -Ddd.appsec.enabled=true -Ddd.service= -Ddd.env= -jar path/to/app.jar + ``` + + Or one of the following methods, depending on where your application runs: + + **Note:** Read-only file systems are not currently supported. The application must have access to a writable `/tmp` directory. + + {{< tabs >}} +{{% tab "Docker CLI" %}} + +Update your configuration container for APM by adding the following argument in your `docker run` command: + + +```shell +docker run [...] -e DD_APPSEC_ENABLED=true [...] +``` + +{{% /tab %}} +{{% tab "Dockerfile" %}} + +Add the following environment variable value to your container Dockerfile: + +```Dockerfile +ENV DD_APPSEC_ENABLED=true +``` + +{{% /tab %}} +{{% tab "Kubernetes" %}} + +Update your deployment configuration file for APM and add the AAP environment variable: + +```yaml +spec: + template: + spec: + containers: + - name: + image: / + env: + - name: DD_APPSEC_ENABLED + value: "true" +``` + +{{% /tab %}} +{{% tab "Amazon ECS" %}} + +Update your ECS task definition JSON file, by adding this in the environment section: + +```json +"environment": [ + ..., + { + "name": "DD_APPSEC_ENABLED", + "value": "true" + } +] +``` + +{{% /tab %}} +{{% tab "AWS Fargate" %}} + +Set the `-Ddd.appsec.enabled` flag or the `DD_APPSEC_ENABLED` environment variable to `true` in your service invocation: + +```shell +java -javaagent:dd-java-agent.jar \ + -Ddd.appsec.enabled=true \ + -jar .jar \ + +``` + +{{% /tab %}} + + {{< /tabs >}} + +{{% appsec-getstarted-2-plusrisk %}} + +{{< img src="/security/application_security/appsec-getstarted-threat-and-vuln_2.mp4" alt="Video showing Signals explorer and details, and Vulnerabilities explorer and details." video="true" >}} + + +If you need additional assistance, contact [Datadog support][5]. + +## Further Reading + +{{< partial name="whats-next/whats-next.html" >}} + +[1]: https://github.com/DataDog/dd-trace-java/releases +[2]: /security/application_security/threats/setup/compatibility/java/ +[3]: /security/application_security/threats/setup/compatibility/java/ +[4]: https://app.datadoghq.com/security/appsec/vm +[5]: /help +[6]: /agent/versions/upgrade_between_agent_minor_versions/ diff --git a/content/en/security/application_security/setup/threat_detection/nginx.md b/content/en/security/application_security/setup/threat_detection/nginx.md new file mode 100644 index 0000000000000..3a7237b722b34 --- /dev/null +++ b/content/en/security/application_security/setup/threat_detection/nginx.md @@ -0,0 +1,82 @@ +--- +title: Enabling AAP for Nginx +code_lang: nginx +type: multi-code-lang +code_lang_weight: 50 +aliases: + - /security_platform/application_security/getting_started/nginx + - /security/application_security/getting_started/nginx + - /security/application_security/enabling/tracing_libraries/threat_detection/nginx/ +further_reading: + - link: 'https://github.com/DataDog/nginx-datadog/' + tag: "Source Code" + text: "nginx integration's source code" + - link: "/security/default_rules/?category=cat-application-security" + tag: "Documentation" + text: "OOTB App and API Protection Rules" + - link: "/security/application_security/troubleshooting" + tag: "Documentation" + text: "Troubleshooting App and API Protection" +--- + +The Datadog nginx tracing module has experimental support for threat detection and blocking. + +## Enabling threat detection +### Get started + +1. Verify that your nginx build was compiled with the flag + `--with-threads`. Most distributions ship with this flag enabled by default. + To check if your nginx installation was built with thread support, run `nginx + -V` and check the `configure arguments` line. If you cannot find + `--with-threads` in the output, you will need to rebuild nginx with this flag + enabled. For more information on how to build nginx from sources, see the + [nginx documentation][3]. + +2. **Update your nginx tracing library module** to at least version 1.2.0. Visit + the [GitHub releases page][2] and select the artifact named according to the + pattern "ngx_http_datadog_module-appsec-<amd64/arm64>-<nginx + version>.so.tgz". Note that this artifact includes "appsec" in the name. + +3. **Enable AAP in the nginx configuration**. + You need to: + * define one or more thread pools with the [`thread_pool`][4] directive, + * explicitly enable AppSec with [`datadog_appsec_enabled`][5], and + * map requests to a thread pool or pools that you defined with the directive + [`datadog_waf_thread_pool_name`][6]. + + For example: + + ```nginx + load_module /path/to/ngx_http_datadog_module.so; + thread_pool waf_thread_pool threads=4 max_queue=128; + http { + datadog_appsec_enabled on; + datadog_waf_thread_pool_name waf_thread_pool; + } + ``` + + For more information, see the [reference documentation][3]. + +{{% appsec-getstarted-2-plusrisk %}} + +{{< img src="/security/application_security/appsec-getstarted-threat-and-vuln_2.mp4" alt="Video showing Signals explorer and details, and Vulnerabilities explorer and details." video="true" >}} + +## Limitations + +As of version 1.3.0, the available functionality has the following important limitations: + +* The request body is not inspected, regardless of its content type. + +* It's not possible to block the request based on characteristics of the + response, such as its status code, headers, or body. + +## Further Reading + +{{< partial name="whats-next/whats-next.html" >}} + +[1]: https://github.com/DataDog/nginx-datadog/blob/master/doc/API.md +[2]: https://github.com/DataDog/nginx-datadog/releases +[3]: https://nginx.org/en/docs/configure.html +[4]: https://nginx.org/en/docs/ngx_core_module.html#thread_pool +[5]: https://github.com/DataDog/nginx-datadog/blob/master/doc/API.md#datadog_appsec_enabled-appsec-builds +[6]: https://github.com/DataDog/nginx-datadog/blob/master/doc/API.md#datadog_waf_thread_pool_name-appsec-builds diff --git a/content/en/security/application_security/setup/threat_detection/nodejs.md b/content/en/security/application_security/setup/threat_detection/nodejs.md new file mode 100644 index 0000000000000..799043bca57e9 --- /dev/null +++ b/content/en/security/application_security/setup/threat_detection/nodejs.md @@ -0,0 +1,162 @@ +--- +title: Enabling AAP for Node.js +code_lang: nodejs +type: multi-code-lang +code_lang_weight: 50 +aliases: + - /security_platform/application_security/getting_started/nodejs + - /security/application_security/getting_started/nodejs + - /security/application_security/enabling/tracing_libraries/threat_detection/nodejs/ +further_reading: + - link: "/security/application_security/add-user-info/" + tag: "Documentation" + text: "Adding user information to traces" + - link: 'https://github.com/DataDog/dd-trace-js' + tag: "Source Code" + text: 'Node.js Datadog library source code' + - link: "/security/default_rules/?category=cat-application-security" + tag: "Documentation" + text: "OOTB App and API Protection Rules" + - link: "/security/application_security/troubleshooting" + tag: "Documentation" + text: "Troubleshooting App and API Protection" +--- + +You can monitor application security for Node.js apps running in Docker, Kubernetes, Amazon ECS, and AWS Fargate. + +{{% appsec-getstarted %}} + +## Enabling threat detection +### Get started + +1. **Update your Datadog Node.js library package** to at least version 5.0.0 (for Node 18+) or 4.0.0 (for Node 16+) or 3.10.0 (for Node.js 14+), by running one of these commands: + ```shell + npm install dd-trace@^5 + npm install dd-trace@^4 + npm install dd-trace@^3.10.0 + ``` + Use this [migration guide][1] to assess any breaking changes if you upgraded your library. + + App and API Protection is compatible with Express v4+ and Node.js v14+. For additional information, see [Compatibility][2]. + +2. **Where you import and initialize the Node.js library for APM, also enable AAP.** This might be either in your code or with environment variables. If you initialized APM in code, add `{appsec: true}` to your init statement: + {{< tabs >}} +{{% tab "In JavaScript code" %}} + +```js +// This line must come before importing any instrumented module. +const tracer = require('dd-trace').init({ + appsec: true +}) +``` + +{{% /tab %}} +{{% tab "In TypeScript code" %}} + +For TypeScript and bundlers that support EcmaScript Module syntax, initialize the tracer in a separate file in order to maintain correct load order. +```typescript +// server.ts +import './tracer'; // must come before importing any instrumented module. + +// tracer.ts +import tracer from 'dd-trace'; +tracer.init({ + appsec: true +}); // initialized in a different file to avoid hoisting. +export default tracer; +``` +If the default config is sufficient, or all configuration is done through environment variables, you can also use `dd-trace/init`, which loads and initializes in one step. +```typescript +import `dd-trace/init`; +``` +{{% /tab %}} + +{{< /tabs >}} + + **Or** if you initialize the APM library on the command line using the `--require` option to Node.js: + ```shell + node --require dd-trace/init app.js + ``` + Then use environment variables to enable AAP: + ```shell + DD_APPSEC_ENABLED=true node app.js + ``` + How you do this varies depending on where your service runs: + {{< tabs >}} +{{% tab "Docker CLI" %}} + +Update your configuration container for APM by adding the following argument in your `docker run` command: + +```shell +docker run [...] -e DD_APPSEC_ENABLED=true [...] +``` + +{{% /tab %}} +{{% tab "Dockerfile" %}} + +Add the following environment variable value to your container Dockerfile: + +```Dockerfile +ENV DD_APPSEC_ENABLED=true +``` + +{{% /tab %}} +{{% tab "Kubernetes" %}} + +Update your configuration yaml file container for APM and add the AppSec env variable: + +```yaml +spec: + template: + spec: + containers: + - name: + image: / + env: + - name: DD_APPSEC_ENABLED + value: "true" +``` + +{{% /tab %}} +{{% tab "Amazon ECS" %}} + +Update your ECS task definition JSON file, by adding this in the environment section: + +```json +"environment": [ + ..., + { + "name": "DD_APPSEC_ENABLED", + "value": "true" + } +] +``` + +{{% /tab %}} +{{% tab "AWS Fargate" %}} + +Initialize AAP in your code or set `DD_APPSEC_ENABLED` environment variable to `true` in your service invocation: +```shell +DD_APPSEC_ENABLED=true node app.js +``` + +{{% /tab %}} +{{< /tabs >}} + +{{% appsec-getstarted-2-plusrisk %}} + +{{< img src="/security/application_security/appsec-getstarted-threat-and-vuln_2.mp4" alt="Video showing Signals explorer and details, and Vulnerabilities explorer and details." video="true" >}} + + +If you need additional assistance, contact [Datadog support][6]. + +## Further Reading + +{{< partial name="whats-next/whats-next.html" >}} + +[1]: https://github.com/DataDog/dd-trace-js/blob/master/MIGRATING.md +[2]: /security/application_security/threats/setup/threat_detection/nodejs +[3]: /security/application_security/threats/setup/threat_detection/nodejs +[4]: /agent/versions/upgrade_between_agent_minor_versions/ +[5]: https://app.datadoghq.com/security/appsec/vm +[6]: /help diff --git a/content/en/security/application_security/setup/threat_detection/php.md b/content/en/security/application_security/setup/threat_detection/php.md new file mode 100644 index 0000000000000..8dffd75efe13c --- /dev/null +++ b/content/en/security/application_security/setup/threat_detection/php.md @@ -0,0 +1,102 @@ +--- +title: Enabling AAP for PHP +code_lang: php +type: multi-code-lang +code_lang_weight: 40 +aliases: + - /security_platform/application_security/getting_started/php + - /security/application_security/getting_started/php + - /security/application_security/enabling/tracing_libraries/threat_detection/php/ +further_reading: + - link: "/security/application_security/add-user-info/" + tag: "Documentation" + text: "Adding user information to traces" + - link: 'https://github.com/DataDog/dd-trace-php' + tag: "Source Code" + text: 'PHP Datadog Tracer Library source code' + - link: "/security/default_rules/?category=cat-application-security" + tag: "Documentation" + text: "OOTB App and API Protection Rules" + - link: "/security/application_security/troubleshooting" + tag: "Documentation" + text: "Troubleshooting App and API Protection" +--- + +You can monitor application security for PHP apps running in host-based or container-based environments such as Docker, Kubernetes, AWS ECS, and AWS EKS. + +{{% appsec-getstarted %}} + +## Enabling threat detection +### Get started + +1. **Install the latest Datadog PHP library** by downloading and running the installer: + ```shell + wget https://github.com/DataDog/dd-trace-php/releases/latest/download/datadog-setup.php -O datadog-setup.php + php datadog-setup.php --php-bin all --enable-appsec + ``` + To check that your service's language and framework versions are supported for AAP capabilities, see [Compatibility][1]. + +2. **Enable the library in your code** by restarting PHP-FPM or Apache. In a containerized environment, if you previously installed the library without enabling AAP, you can optionally enable it after by setting the following environment variable: + {{< tabs >}} +{{% tab "Docker CLI" %}} + +Update your configuration container for APM by adding the following argument in your `docker run` command: + +```shell +docker run [...] -e DD_APPSEC_ENABLED=true [...] +``` + +{{% /tab %}} +{{% tab "Dockerfile" %}} + +Add the following environment variable value to your container Dockerfile: + +```Dockerfile +ENV DD_APPSEC_ENABLED=true +``` + +{{% /tab %}} +{{% tab "Kubernetes" %}} + +Update your configuration yaml file container for APM and add the AppSec env variable: + +```yaml +spec: + template: + spec: + containers: + - name: + image: / + env: + - name: DD_APPSEC_ENABLED + value: "true" +``` + +{{% /tab %}} +{{% tab "AWS ECS" %}} + +Update your ECS task definition JSON file, by adding this in the environment section: + +```json +"environment": [ + ..., + { + "name": "DD_APPSEC_ENABLED", + "value": "true" + } +] +``` + +{{% /tab %}} + +{{< /tabs >}} + +{{% appsec-getstarted-2-canary %}} + +{{< img src="/security/application_security/appsec-getstarted-threat-and-vuln_2.mp4" alt="Video showing Signals explorer and details, and Vulnerabilities explorer and details." video="true" >}} + +## Further Reading + +{{< partial name="whats-next/whats-next.html" >}} + +[1]: /security/application_security/threats/setup/compatibility/php/ diff --git a/content/en/security/application_security/setup/threat_detection/python.md b/content/en/security/application_security/setup/threat_detection/python.md new file mode 100644 index 0000000000000..60819553ba2f7 --- /dev/null +++ b/content/en/security/application_security/setup/threat_detection/python.md @@ -0,0 +1,115 @@ +--- +title: Enabling AAP for Python +code_lang: python +type: multi-code-lang +code_lang_weight: 50 +aliases: + - /security_platform/application_security/getting_started/python + - /security/application_security/getting_started/python + - /security/application_security/enabling/tracing_libraries/threat_detection/python +further_reading: + - link: "/security/application_security/add-user-info/" + tag: "Documentation" + text: "Adding user information to traces" + - link: 'https://github.com/DataDog/dd-trace-py' + tag: "Source Code" + text: 'Python Datadog library source code' + - link: "/security/default_rules/?category=cat-application-security" + tag: "Documentation" + text: "OOTB App and API Protection Rules" + - link: "/security/application_security/troubleshooting" + tag: "Documentation" + text: "Troubleshooting App and API Protection" +--- + +You can monitor the security of your Python apps running in Docker, Kubernetes, Amazon ECS, and AWS Fargate. + +{{% appsec-getstarted %}} + +## Enabling threat detection +### Get started + +1. **Update your Datadog Python library package** to at least version 1.2.2 (at least version 1.5.0 for Software Composition Analysis detection features). Run the following: + ```shell + pip install --upgrade ddtrace + ``` + + To check that your service's language and framework versions are supported for AAP capabilities, see [Compatibility][1]. + +2. **Enable AAP when starting the Python application**. + + ```bash + DD_APPSEC_ENABLED=true ddtrace-run python app.py + ``` + + You can also use one of the following methods, depending on where your application runs: + {{< tabs >}} + {{% tab "Docker CLI" %}} + + Update your configuration container for APM by adding the following argument in your `docker run` command: + + ```shell + docker run [...] -e DD_APPSEC_ENABLED=true [...] + ``` + + {{% /tab %}} + {{% tab "Dockerfile" %}} + + Add the following environment variable value to your container Dockerfile: + + ```Dockerfile + ENV DD_APPSEC_ENABLED=true + ``` + + {{% /tab %}} + {{% tab "Kubernetes" %}} + + Update your configuration YAML file container for APM and add the `DD_APPSEC_ENABLED` environment variable: + + ```yaml + spec: + template: + spec: + containers: + - name: + image: / + env: + - name: DD_APPSEC_ENABLED + value: "true" + ``` + + {{% /tab %}} + {{% tab "Amazon ECS" %}} + + Update your ECS task definition JSON file by adding the following in the environment section: + + ```json + "environment": [ + ..., + { + "name": "DD_APPSEC_ENABLED", + "value": "true" + } + ] + ``` + + {{% /tab %}} + {{% tab "AWS Fargate" %}} + + Initialize AAP in your code or set the `DD_APPSEC_ENABLED` environment variable to `true` in your service invocation: + ```shell + DD_APPSEC_ENABLED=true ddtrace-run python app.py + ``` + + {{% /tab %}} + {{< /tabs >}} + +{{% appsec-getstarted-2-plusrisk %}} + +{{< img src="/security/application_security/appsec-getstarted-threat-and-vuln_2.mp4" alt="Video showing Signals explorer and details, and Vulnerabilities explorer and details." video="true" >}} + +## Further Reading + +{{< partial name="whats-next/whats-next.html" >}} + +[1]: /security/application_security/threats/setup/compatibility/php/ diff --git a/content/en/security/application_security/setup/threat_detection/ruby.md b/content/en/security/application_security/setup/threat_detection/ruby.md new file mode 100644 index 0000000000000..d9470e308646a --- /dev/null +++ b/content/en/security/application_security/setup/threat_detection/ruby.md @@ -0,0 +1,221 @@ +--- +title: Enabling AAP for Ruby +code_lang: ruby +type: multi-code-lang +code_lang_weight: 30 +aliases: + - /security_platform/application_security/getting_started/ruby + - /security/application_security/getting_started/ruby + - /security/application_security/enabling/tracing_libraries/threat_detection/ruby/ +further_reading: + - link: "/security/application_security/add-user-info/" + tag: "Documentation" + text: "Adding user information to traces" + - link: 'https://github.com/DataDog/dd-trace-rb' + tag: "Source Code" + text: 'Ruby Datadog library source code' + - link: "/security/default_rules/?category=cat-application-security" + tag: "Documentation" + text: "OOTB App and API Protection Rules" + - link: "/security/application_security/troubleshooting" + tag: "Documentation" + text: "Troubleshooting App and API Protection" +--- + +You can monitor application security for Ruby apps running in Docker, Kubernetes, Amazon ECS, and AWS Fargate. + +{{% appsec-getstarted %}} + +## Enabling threat detection +### Get started + +1. **Update your Gemfile to include the Datadog library**: + + ```ruby + gem 'datadog', '~> 2.0' # Use 'ddtrace' if you're using v1.x + ``` + + To check that your service's language and framework versions are supported for AAP capabilities, see [Compatibility][1]. + + For more information about upgrading to v2 from a `dd-trace` 1.x version, see [the Ruby tracer upgrade guide][2]. + +2. **Enable AAP** by enabling the APM tracer. The following options describe a quick setup that covers the most common cases. Read [the Ruby tracer documentation][3] for more details. + + You can enable AAP either in your code: + + {{< tabs >}} + +{{% tab "Rails" %}} + Enable the APM tracer by adding an initializer in your application code: + + ```ruby + # config/initializers/datadog.rb + + require 'datadog/appsec' + + Datadog.configure do |c| + # enable the APM tracer + c.tracing.instrument :rails + + # enable AAP + c.appsec.enabled = true + c.appsec.instrument :rails + end + ``` + + Or enable the APM tracer through auto-instrumentation by updating your Gemfile to auto-instrument: + + ```ruby + gem 'datadog', '~> 2.0', require: 'datadog/auto_instrument' + ``` + + And also enable `appsec`: + + ```ruby + # config/initializers/datadog.rb + + require 'datadog/appsec' + + Datadog.configure do |c| + # the APM tracer is enabled by auto-instrumentation + + # enable AAP + c.appsec.enabled = true + c.appsec.instrument :rails + end + ``` + +{{% /tab %}} + +{{% tab "Sinatra" %}} + Enable the APM tracer by adding the following to your application's startup: + + ```ruby + require 'sinatra' + require 'datadog' + require 'datadog/appsec' + + Datadog.configure do |c| + # enable the APM tracer + c.tracing.instrument :sinatra + + # enable AAP for Sinatra + c.appsec.enabled = true + c.appsec.instrument :sinatra + end + ``` + + Or enable the APM tracer through auto-instrumentation: + + ```ruby + require 'sinatra' + require 'datadog/auto_instrument' + + Datadog.configure do |c| + # the APM tracer is enabled by auto-instrumentation + + # enable AAP for Sinatra + c.appsec.enabled = true + c.appsec.instrument :sinatra + end + ``` +{{% /tab %}} + +{{% tab "Rack" %}} + Enable the APM tracer by adding the following to your `config.ru` file: + + ```ruby + require 'datadog' + require 'datadog/appsec' + + Datadog.configure do |c| + # enable the APM tracer + c.tracing.instrument :rack + + # enable AAP for Rack + c.appsec.enabled = true + c.appsec.instrument :rack + end + + use Datadog::Tracing::Contrib::Rack::TraceMiddleware + use Datadog::AppSec::Contrib::Rack::RequestMiddleware + ``` +{{% /tab %}} + +{{< /tabs >}} + + Or one of the following methods, depending on where your application runs: + + {{< tabs >}} +{{% tab "Docker CLI" %}} + +Update your configuration container for APM by adding the following argument in your `docker run` command: + +```shell +docker run [...] -e DD_APPSEC_ENABLED=true [...] +``` + +{{% /tab %}} +{{% tab "Dockerfile" %}} + +Add the following environment variable value to your container Dockerfile: + +```Dockerfile +ENV DD_APPSEC_ENABLED=true +``` + +{{% /tab %}} +{{% tab "Kubernetes" %}} + +Update your configuration yaml file container for APM and add the AppSec env variable: + +```yaml +spec: + template: + spec: + containers: + - name: + image: / + env: + - name: DD_APPSEC_ENABLED + value: "true" +``` + +{{% /tab %}} +{{% tab "Amazon ECS" %}} + +Update your ECS task definition JSON file, by adding this in the environment section: + +```json +"environment": [ + ..., + { + "name": "DD_APPSEC_ENABLED", + "value": "true" + } +] +``` + +{{% /tab %}} +{{% tab "AWS Fargate" %}} + +Initialize AAP in your code or set `DD_APPSEC_ENABLED` environment variable to true in your service invocation: +```shell +env DD_APPSEC_ENABLED=true rails server +``` + +{{% /tab %}} + +{{< /tabs >}} + +{{% appsec-getstarted-2-canary %}} + +{{< img src="/security/application_security/appsec-getstarted-threat-and-vuln_2.mp4" alt="Video showing Signals explorer and details, and Vulnerabilities explorer and details." video="true" >}} + +## Further Reading + +{{< partial name="whats-next/whats-next.html" >}} + +[1]: /security/application_security/threats/setup/compatibility/ruby/ +[2]: https://github.com/DataDog/dd-trace-rb/blob/master/docs/UpgradeGuide2.md +[3]: /tracing/trace_collection/dd_libraries/ruby/ diff --git a/content/en/security/application_security/waf-integration.md b/content/en/security/application_security/waf-integration.md new file mode 100644 index 0000000000000..6ce0f426926fb --- /dev/null +++ b/content/en/security/application_security/waf-integration.md @@ -0,0 +1,62 @@ +--- +title: WAF Integrations +disable_toc: false +further_reading: +- link: "https://www.datadoghq.com/blog/aws-waf-datadog/" + tag: "Blog" + text: "Monitor AWS WAF activity with Datadog" +--- + +Protecting web applications and APIs requires a multi-layered approach that combines in-app monitoring and perimeter defenses. These complementary strategies enable you to have a defense-in-depth application security approach leveraging AWS Web Application Firewall (WAF) as the first line of defense, followed by AAP Threat Management to block attacks that slip by the WAF. + +### In-app monitoring: deep visibility with distributed tracing + +At the application level, Datadog AAP Threat Management leverages distributed tracing to monitor microservices in real time. The AAP approach provides detailed, context-rich insights into the behavior of requests as they traverse various services. These insights detect sophisticated threats such as: + +- SQL Injection (SQLi) and Local File Inclusion (LFI) attempts. +- Application logic abuse, such as bypassing business rules or exploiting edge cases. +- Misuse of exposed endpoints. + +### Perimeter defense: blocking threats at the edge with AWS WAF + +At the perimeter, AWS Web Application Firewall (WAF) acts as the first line of defense, filtering traffic before it reaches the application. These solutions are essential for blocking: + +- Large-scale botnet attacks or Distributed Denial of Service (DDoS) attacks. +- Malicious bots attempting credential stuffing or scraping. + +### The importance of contextual, adaptive protection + +Depending on the nature of the threat, protection controls should be applied at the appropriate layer: either in-app or at the perimeter. For example: + +- Perimeter protection use case: Blocking malicious IPs or volumetric attacks that can be mitigated efficiently at the network edge. +- In-app protection use case: Detecting and blocking vulnerability exploits, abuse of business logic, or subtle anomalies in API usage. + +This layered approach ensures threats are neutralized as early as possible without sacrificing the precision needed to protect legitimate traffic. + + +## AWS WAF integration with AAP + +There are two main use cases supported with this [integration][1]: + +1. Gain visibility of AWS WAF actions in Datadog AAP. For example: + 1. Metrics such as total requests allowed vs. blocked by the AWS WAF. + 2. Drill down and view individual AWS WAF logs (requires you to [ingest AWS WAF logs into Datadog][2]). + 3. How AWS WAF inspected the request: rules that were applied and the decision made (allow, block, or count). + +
Note that AAP converts AWS WAF logs into AAP Traces, enabling you to view application activity (traces) and AWS WAF activity (logs converted to AAP traces) in the AAP Trace Explorer.
+ + {{< img src="security/application_security/threats/aws-waf-int-asm.png" alt="AWS WAF integration details in Datadog UI" style="width:100%;" >}} + +2. Leverage AWS WAF to block attackers: + 1. Connect your AWS WAF IP set(s) with Datadog AAP. You can use an existing set or create a new one. Datadog will add blocked IP addresses to this IP set. You can block attackers from AAP [Signals][3] or [Traces][4] explorers. + + {{< img src="/security/application_security/threats/aws-waf-blocked-ips.png" alt="AAP denylist blocked IPs" style="width:100%;" >}} + +## Further reading + +{{< partial name="whats-next/whats-next.html" >}} + +[1]: https://app.datadoghq.com/security/appsec/protection?use-case=amazon_waf +[2]: /integrations/amazon_waf/#log-collection +[3]: https://app.datadoghq.com/security?query=@workflow.rule.type:%22Application%20Security%22&product=appsec +[4]: https://app.datadoghq.com/security/appsec/traces \ No newline at end of file diff --git a/layouts/partials/nav/left-nav.html b/layouts/partials/nav/left-nav.html index a10cf40fd31c0..2d2f951d3d0bb 100644 --- a/layouts/partials/nav/left-nav.html +++ b/layouts/partials/nav/left-nav.html @@ -69,7 +69,7 @@
    + "application_security_code_security_setup" "appsec_threats_management_setup" "observability_pipelines_log_volume_control" "observability_pipelines_dual_ship_logs" "observability_pipelines_archive_logs" "observability_pipelines_split_logs" "observability_pipelines_sensitive_data_redaction" "observability_pipelines_log_enrichment" "csm_setup_agentless_scanning" "observability_pipelines_generate_metrics" "log_explorer_calculated_fields" "test_impact_analysis_setup" "dbm_setup_postgres_rds" "sca_setup_runtime" "ndm_setup" "otel-setup-collector-exporter" "otel-setup-intake-endpoint" "otel_guides_migration" "otel-api-dd-sdk" "csm_setup_iac_scanning" "ide_plugins_idea" "asm_serverless") .Identifier) }}d-none{{ end }}"> {{/* LEVEL 4 */}} {{ range .Children }} From 0ac3529ab749138538e17cca293552dd623ddb63 Mon Sep 17 00:00:00 2001 From: Michael Cretzman Date: Thu, 8 May 2025 14:34:26 -0700 Subject: [PATCH 3/6] Updating Application Security to AAP MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit I missed a number of instances in my last rename PR. Updates: Application Security → App and API Protection Application Security Management → App and API Protection Application Threat Management → App and API Protection Threat Management → App and API Protection Application Security is an industry term used throughout our docs (such as in our Code Security docs) so this was delicate work. --- config/_default/menus/main.en.yaml | 82 +------------------ content/en/agent/remote_config/_index.md | 3 - content/en/dashboards/widgets/geomap.md | 2 +- content/en/getting_started/security/_index.md | 2 +- .../security/application_security.md | 6 +- .../guide/source-code-integration.md | 12 +-- .../security/application_security/_index.md | 6 +- .../api-inventory/_index.md | 2 +- .../exploit-prevention.md | 4 +- .../application_security/guide/_index.md | 2 +- .../guide/automate_risk_reduction_sca.md | 2 +- .../guide/manage_account_theft_appsec.md | 2 +- .../guide/standalone_application_security.md | 14 ++-- .../how-it-works/_index.md | 34 ++++---- .../application_security/policies/_index.md | 10 +-- .../application_security/serverless/_index.md | 6 +- .../serverless/compatibility/_index.md | 4 +- .../setup/compatibility/dotnet.md | 14 ++-- .../setup/compatibility/envoy.md | 4 +- .../compatibility/gcp-service-extensions.md | 4 +- .../setup/compatibility/go.md | 12 +-- .../setup/compatibility/java.md | 16 ++-- .../setup/compatibility/nginx.md | 6 +- .../setup/compatibility/nodejs.md | 16 ++-- .../setup/compatibility/php.md | 16 ++-- .../setup/compatibility/python.md | 12 +-- .../setup/compatibility/ruby.md | 14 ++-- .../setup/compatibility/serverless.md | 4 +- .../setup/standalone/_index.md | 4 +- .../setup/standalone/dotnet.md | 2 +- .../setup/standalone/envoy.md | 2 +- .../standalone/gcp-service-extensions.md | 2 +- .../setup/standalone/go.md | 2 +- .../setup/standalone/java.md | 2 +- .../setup/standalone/nodejs.md | 2 +- .../setup/standalone/php.md | 2 +- .../setup/standalone/ruby.md | 2 +- .../setup/threat_detection/_index.md | 2 +- .../setup/threat_detection/dotnet.md | 2 +- .../setup/threat_detection/envoy.md | 2 +- .../gcp-service-extensions.md | 2 +- .../setup/threat_detection/go.md | 2 +- .../setup/threat_detection/java.md | 2 +- .../setup/threat_detection/nodejs.md | 2 +- .../setup/threat_detection/php.md | 2 +- .../setup/threat_detection/ruby.md | 2 +- .../en/security/application_security/terms.md | 18 ++-- .../application_security/threats/_index.md | 16 ++-- .../threats/exploit-prevention.md | 4 +- .../threats/inapp_waf_rules.md | 4 +- .../threats/protection.md | 10 +-- .../threats/setup/_index.md | 8 +- .../threats/setup/compatibility/dotnet.md | 14 ++-- .../threats/setup/compatibility/envoy.md | 4 +- .../compatibility/gcp-service-extensions.md | 4 +- .../threats/setup/compatibility/go.md | 12 +-- .../threats/setup/compatibility/java.md | 16 ++-- .../threats/setup/compatibility/nginx.md | 6 +- .../threats/setup/compatibility/nodejs.md | 16 ++-- .../threats/setup/compatibility/php.md | 16 ++-- .../threats/setup/compatibility/python.md | 10 +-- .../threats/setup/compatibility/ruby.md | 10 +-- .../threats/setup/compatibility/serverless.md | 4 +- .../threats/setup/standalone/_index.md | 4 +- .../threats/setup/threat_detection/_index.md | 4 +- .../threats/threat_management_setup.md | 12 +-- .../threats/waf-integration.md | 4 +- .../application_security/troubleshooting.md | 2 +- .../application_security/waf-integration.md | 4 +- .../cloud_security_management/_index.md | 2 +- content/en/security/detection_rules/_index.md | 4 +- .../aws_lambda/securing_functions.md | 2 +- .../azure_app_services_windows.md | 2 +- .../endpoints/monitor_endpoints.md | 2 +- .../use_cases/appsec_management.md | 2 +- content/en/tracing/services/service_page.md | 2 +- .../trace_collection/library_config/java.md | 2 +- .../tracing/trace_pipeline/trace_retention.md | 2 +- 78 files changed, 244 insertions(+), 327 deletions(-) diff --git a/config/_default/menus/main.en.yaml b/config/_default/menus/main.en.yaml index 8d78260c10940..0a6e42880888c 100644 --- a/config/_default/menus/main.en.yaml +++ b/config/_default/menus/main.en.yaml @@ -6478,7 +6478,7 @@ menu: parent: appsec_threats_management_setup identifier: appsec_threats_setup_threat_detection_setup weight: 2 - - name: Application Security for Serverless + - name: App and API Protection for Serverless url: security/application_security/serverless/ parent: appsec_threats_management_setup identifier: asm_serverless @@ -6538,86 +6538,6 @@ menu: parent: application_security identifier: aws_waf_int weight: 8 - # - name: Threat Management - # url: security/application_security/threats/ - # parent: application_security - # identifier: appsec_threats - # weight: 6 - # - name: Setup - # url: security/application_security/setup/ - # parent: application_security - # identifier: appsec_threats_management_setup - # weight: 700 - # - name: Library Compatibility - # url: security/application_security/setup/compatibility/ - # parent: appsec_threats_management_setup - # identifier: appsec_compat_threats_mgmt - # weight: 701 - # - name: Using Datadog Tracing Libraries - # url: security/application_security/setup/threat_detection/ - # parent: appsec_threats_management_setup - # identifier: appsec_threats_setup_threat_detection_setup - # weight: 703 - # - name: Attack Summary - # url: security/application_security/threats/attack-summary/ - # parent: appsec_threats - # identifier: attack_summary_overview - # weight: 704 - # - name: Custom Detection Rules - # url: security/application_security/threats/custom_rules/ - # parent: appsec_threats - # identifier: threats_custom_rules - # weight: 706 - # - name: Exploit Prevention - # url: security/application_security/threats/exploit-prevention/ - # parent: appsec_threats - # identifier: exploit_prevention - # weight: 707 - # - name: WAF Integrations - # url: security/application_security/threats/waf-integration/ - # parent: appsec_threats - # identifier: aws_waf_int - # weight: 708 - # - name: In-App WAF Rules - # url: security/application_security/threats/inapp_waf_rules/ - # parent: appsec_threats - # identifier: threats_event_rules - # weight: 709 - # - name: OOTB Rules - # url: security/default_rules/#cat-application-security - # parent: appsec_threats - # identifier: appsec_default_rules - # weight: 710 - # - name: Protection - # url: security/application_security/threats/protection/ - # parent: appsec_threats - # identifier: threats_protection - # weight: 718 - # - name: Security Signals - # url: security/application_security/threats/security_signals/ - # parent: appsec_threats - # identifier: threats_security_signals - # weight: 719 - # - name: Trace Qualification - # url: security/application_security/threats/trace_qualification/ - # parent: appsec_threats - # identifier: threats_trace_qualification - # weight: 721 - # - name: User Monitoring and Protection - # url: security/application_security/threats/add-user-info/ - # parent: appsec_threats - # identifier: threats_user_info - # weight: 722 - # - name: Application Security for Serverless - # url: security/application_security/serverless/ - # parent: application_security - # identifier: asm_serverless - # weight: 9 - # - name: Library Compatibility - # url: security/application_security/serverless/compatibility/ - # parent: asm_serverless - # identifier: asm_serverless_compat - # weight: 1 - name: API Security Inventory url: security/application_security/api-inventory/ parent: application_security diff --git a/content/en/agent/remote_config/_index.md b/content/en/agent/remote_config/_index.md index 441c74b2927b4..a73944713adfc 100644 --- a/content/en/agent/remote_config/_index.md +++ b/content/en/agent/remote_config/_index.md @@ -4,9 +4,6 @@ aliases: - /agent/guide/how_rc_works - /agent/guide/how_remote_config_works further_reading: -- link: "/security/application_security/how-appsec-works/#built-in-protection" - tag: "Documentation" - text: "How Application Security Monitoring Works" - link: "/dynamic_instrumentation/?tab=configurationyaml#enable-remote-configuration" tag: "Documentation" text: "Dynamic Instrumentation" diff --git a/content/en/dashboards/widgets/geomap.md b/content/en/dashboards/widgets/geomap.md index 8c2ec1866a24d..e386567bcf8e0 100644 --- a/content/en/dashboards/widgets/geomap.md +++ b/content/en/dashboards/widgets/geomap.md @@ -39,7 +39,7 @@ The geomap widget visualizes geographic data with shaded regions or points. It c |Metric | The group by tag must include a country ISO Code (alpha-2 ISO format) or a country subdivision ISO Code (ISO-3166-2 format). You can [generate metrics from ingested logs][4], or manually include the [tags on ingest][2]. See the [querying documentation][5] to configure a metric query.| |RUM | See the [RUM documentation][6] to configure a RUM query. | |SLO | See the [SLO search documentation][7] to configure an SLO query. | - |Security Signals
    Application Security
    Audit Trail | See the [Log search documentation][3] to configure a query. | + |Security Signals
    App and API Protection
    Audit Trail | See the [Log search documentation][3] to configure a query. | [1]: /logs/log_configuration/processors/#geoip-parser [2]: /getting_started/tagging/#define-tags diff --git a/content/en/getting_started/security/_index.md b/content/en/getting_started/security/_index.md index f448d59c59e2a..5a9d36f63e45a 100644 --- a/content/en/getting_started/security/_index.md +++ b/content/en/getting_started/security/_index.md @@ -3,7 +3,7 @@ title: Getting Started with Security --- {{< whatsnext desc=" " >}} - {{< nextlink href="getting_started/security/application_security" tag="documentation" >}}Getting Started with Application Security{{< /nextlink >}} + {{< nextlink href="getting_started/security/application_security" tag="documentation" >}}Getting Started with App and API Protection{{< /nextlink >}} {{< nextlink href="getting_started/security/cloud_security_management" tag="documentation" >}}Getting Started with Cloud Security{{< /nextlink >}} {{< nextlink href="getting_started/security/cloud_siem" tag="documentation" >}}Getting Started with Cloud SIEM{{< /nextlink >}} {{< nextlink href="getting_started/code_security" tag="documentation" >}}Getting Started with Code Security{{< /nextlink >}} diff --git a/content/en/getting_started/security/application_security.md b/content/en/getting_started/security/application_security.md index 92580220d7c97..f228730a79205 100644 --- a/content/en/getting_started/security/application_security.md +++ b/content/en/getting_started/security/application_security.md @@ -6,7 +6,7 @@ aliases: further_reading: - link: "/security/application_security/terms" tag: "Documentation" - text: "Application Security terms and concepts" + text: "App and API Protection terms and concepts" - link: "/security/application_security/how-appsec-works" tag: "Documentation" text: "How App and API Protection works" @@ -44,7 +44,7 @@ These security insights are detected from data reported by APM. The insights hel ## Enable AAP ### Enable AAP with in-app instructions -- To enable Threat Management in-app, navigate to [**Application Security > Setup**][29]. +- To enable App and API Protection in-app, navigate to [**App and API Protection > Setup**][29]. - To enable Code Security in-app, navigate to [**Code Security > Setup**][29]. @@ -54,7 +54,7 @@ These security insights are detected from data reported by APM. The insights hel - Restarting your services.
    1. Click **Get Started with AAP**. -2. Select **Get Started** to detect vulnerabilities in open-source libraries (Software Composition Analysis), find and fix code-level vulnerabilities (Runtime Code Analysis), and find and enable threat detection on your services (Threat Management). +2. Select **Get Started** to detect vulnerabilities in open-source libraries (Software Composition Analysis), find and fix code-level vulnerabilities (Runtime Code Analysis), and find and enable threat detection on your services (App and API Protection). 3. Follow the instructions to get started with AAP. {{< img src="getting_started/appsec/asm_sca_setup.png" alt="Software Composition Analysis setup page." style="width:100%;" >}} --> diff --git a/content/en/integrations/guide/source-code-integration.md b/content/en/integrations/guide/source-code-integration.md index 0025e4f74e250..da5cb5b0c681b 100644 --- a/content/en/integrations/guide/source-code-integration.md +++ b/content/en/integrations/guide/source-code-integration.md @@ -401,7 +401,7 @@ The source code integration supports the following Git providers: Install Datadog's [GitHub integration][101] on the [GitHub integration tile][102] to allow Datadog to synchronize your repository metadata automatically. When specifying permissions on the integration tile, select at least **Read** permissions for **Contents**. -Setting up the GitHub integration also allows you to see inline code snippets in [**Error Tracking**][103], [**Continuous Profiler**][104], [**Serverless Monitoring**][105], [**CI Visibility**][106], and [**Application Security Monitoring**][107]. +Setting up the GitHub integration also allows you to see inline code snippets in [**Error Tracking**][103], [**Continuous Profiler**][104], [**Serverless Monitoring**][105], [**CI Visibility**][106], and [**App and API Protection Monitoring**][107]. [101]: https://docs.datadoghq.com/integrations/github/ [102]: https://app.datadoghq.com/integrations/github/ @@ -424,7 +424,7 @@ When you run `datadog-ci git-metadata upload` within a Git repository, Datadog r Run this command for every commit that you need to be synchronized with Datadog. -If you are using [gitlab.com][1], this also allows you to see inline code snippets in [**Error Tracking**][3], [**Continuous Profiler**][4], [**Serverless Monitoring**][5], [**CI Visibility**][6], and [**Application Security Monitoring**][7]. +If you are using [gitlab.com][1], this also allows you to see inline code snippets in [**Error Tracking**][3], [**Continuous Profiler**][4], [**Serverless Monitoring**][5], [**CI Visibility**][6], and [**App and API Protection Monitoring**][7]. ### Validation @@ -567,17 +567,17 @@ For more information, see the [Code Security documentation][102]. [102]: /security/code_security/ {{% /tab %}} -{{% tab "Application Security Monitoring" %}} +{{% tab "App and API Protection Monitoring" %}} -You can see links from errors in your security signals' associated stack traces to their source repository in **Application Security Monitoring**. +You can see links from errors in your security signals' associated stack traces to their source repository in **App and API Protection Monitoring**. -1. Navigate to [**Security** > **Application Security**][101] and select a security signal. +1. Navigate to [**Security** > **App and API Protection**][101] and select a security signal. 2. Scroll down to the **Traces** section on the **Related Signals** tab and click on an associated stack trace. 3. Click **View Code** to open the error in its source code repository. If you're using the GitHub integration, click **Connect to preview** on error frames. You can see inline code snippets directly in the security signal's stack trace. -{{< img src="integrations/guide/source_code_integration/asm-signal-trace-blur.png" alt="Link to GitHub from Application Security Monitoring" style="width:100%;">}} +{{< img src="integrations/guide/source_code_integration/asm-signal-trace-blur.png" alt="Link to GitHub from App and API Protection Monitoring" style="width:100%;">}} [101]: https://app.datadoghq.com/security/appsec diff --git a/content/en/security/application_security/_index.md b/content/en/security/application_security/_index.md index 6ce8402674442..aa441a0e3abe2 100644 --- a/content/en/security/application_security/_index.md +++ b/content/en/security/application_security/_index.md @@ -13,7 +13,7 @@ further_reading: text: "How App and API Protection Works" - link: "/security/application_security/threats/" tag: "Documentation" - text: "Threat Management" + text: "App and API Protection" - link: "/security/code_security/software_composition_analysis/" tag: "Documentation" text: "Software Composition Analysis" @@ -36,7 +36,7 @@ further_reading: tag: "Blog" text: "Mitigate account takeovers with Datadog App and API Protection" algolia: - tags: ["asm", "application security"] + tags: ["asm", "App and API Protection"] --- {{< site-region region="gov" >}} @@ -57,7 +57,7 @@ With AAP, you can cut through the noise of continuous trace data to focus on sec Until you fully remediate the potential vulnerabilities in your application code, AAP enables you to slow down attackers by blocking their IPs temporarily or permanently, with a single click. -## Understanding how application security is implemented in Datadog +## Understanding how App and API Protection is implemented in Datadog If you're curious how App and API Protection is structured and how it uses tracing data to identify security problems, read [How App and API Protection Works][3]. diff --git a/content/en/security/application_security/api-inventory/_index.md b/content/en/security/application_security/api-inventory/_index.md index 8199880772776..24c74b593488e 100644 --- a/content/en/security/application_security/api-inventory/_index.md +++ b/content/en/security/application_security/api-inventory/_index.md @@ -14,7 +14,7 @@ further_reading: - **Authentication Method**: Type of authentication used, such as Basic Auth and API key. - **Public Exposure**: Whether the API is processing traffic from the internet. - **Sensitive data flows**: Sensitive data handled by the API and flows between APIs. -- **Attack Exposure**: If the endpoint is targeted by attacks (powered by [Application Threat Management][2]). +- **Attack Exposure**: If the endpoint is targeted by attacks (powered by [App and API Protection][2]). - **Business Logic**: Business logic and associated business logic suggestions for this API. - **Vulnerabilities**: If the endpoint contains a vulnerability (powered by [Code Security][8] and [Software Composition Analysis][3]). - **Findings**: Security findings found on this API. diff --git a/content/en/security/application_security/exploit-prevention.md b/content/en/security/application_security/exploit-prevention.md index 7bec2b7a061ca..2d4dfab1ee92f 100644 --- a/content/en/security/application_security/exploit-prevention.md +++ b/content/en/security/application_security/exploit-prevention.md @@ -55,7 +55,7 @@ AAP Exploit Prevention intercepts all SQL queries to determine if a user paramet ## Prerequisites - Ensure that your applications are instrumented with the Datadog tracer. -- AAP Threat Management must be enabled. See [Threat Management Setup][1]. +- AAP must be enabled. See [Setup][1]. - Ensure Remote Configuration is enabled to push rule updates and In-App WAF policies. See [Enabling Remote Configuration][2]. ### Library Compatibility @@ -71,7 +71,7 @@ AAP Exploit Prevention intercepts all SQL queries to determine if a user paramet ## Enabling Exploit Prevention -1. Navigate to [In-App WAF][4] (**Security > Application Security > Protection > In-App WAF**). +1. Navigate to [In-App WAF][4] (**Security > App and API Protection > Protection > In-App WAF**). 2. If you have applied a Datadog managed policy to your services, then follow these steps: a. Clone the policy. For example, you can use the **Managed - Block attack tools** policy. diff --git a/content/en/security/application_security/guide/_index.md b/content/en/security/application_security/guide/_index.md index 14630099354cc..788048a036305 100644 --- a/content/en/security/application_security/guide/_index.md +++ b/content/en/security/application_security/guide/_index.md @@ -9,6 +9,6 @@ disable_toc: true {{< /whatsnext >}} {{< whatsnext desc="Advanced Topics" >}} - {{< nextlink href="/security/application_security/guide/standalone_application_security/" >}}Standalone Application Security{{< /nextlink >}} + {{< nextlink href="/security/application_security/guide/standalone_application_security/" >}}Standalone App and API Protection{{< /nextlink >}} {{< nextlink href="/security/application_security/guide/manage_account_theft_appsec/" >}}Managing account theft with AAP{{< /nextlink >}} {{< /whatsnext >}} diff --git a/content/en/security/application_security/guide/automate_risk_reduction_sca.md b/content/en/security/application_security/guide/automate_risk_reduction_sca.md index 7ad4be908f1b1..560b7c2b026c5 100644 --- a/content/en/security/application_security/guide/automate_risk_reduction_sca.md +++ b/content/en/security/application_security/guide/automate_risk_reduction_sca.md @@ -35,7 +35,7 @@ The Libraries catalog displays the libraries and versions used across your servi The catalog surfaces all library details using several public data sources (GuardDog, NIST, osv.dev, OpenSSF scores, etc.) and private data sources (including Datadog’s Security Research group). -To use the Libraries catalog, see [Libraries][1] or select **Security > Application Security > Catalogs > Libraries**. +To use the Libraries catalog, see [Libraries][1] or select **Security > App and API Protection > Catalogs > Libraries**. {{< img src="/security/code_security/software_composition_analysis/libraries_catalog.png" alt="Libraries catalog dashboard" style="width:100%;" >}} diff --git a/content/en/security/application_security/guide/manage_account_theft_appsec.md b/content/en/security/application_security/guide/manage_account_theft_appsec.md index 10c67684eac60..3628bbf40a746 100644 --- a/content/en/security/application_security/guide/manage_account_theft_appsec.md +++ b/content/en/security/application_security/guide/manage_account_theft_appsec.md @@ -166,7 +166,7 @@ The actions covered in the next sections help you to identify and leverage detec 1. Open [Create a new rule][18]. 2. Enter a name for the rule. -3. Select **Signal** and remove all entries except **Application Security**. +3. Select **Signal** and remove all entries except **App and API Protection**. 4. Restrict the rule to `category:account_takeover`, and expand the severities to include `Medium`. 5. Add notification recipients (Slack, Teams, PagerDuty). To learn more, see [Notification channels][19]. diff --git a/content/en/security/application_security/guide/standalone_application_security.md b/content/en/security/application_security/guide/standalone_application_security.md index 13c571603b522..5eb063994a59f 100644 --- a/content/en/security/application_security/guide/standalone_application_security.md +++ b/content/en/security/application_security/guide/standalone_application_security.md @@ -1,20 +1,20 @@ --- -title: Set Up Application Security Products without using APM +title: Set Up App and API Protection Products without using APM disable_toc: false --- -Datadog AAP [Threat Management][1] and [Code Security][2] are built on top of [APM][3]. While Datadog recommends using these security products with APM and adopting DevSecOps practices, you can also use these security products without using APM. This configuration is referred to as Standalone Application Security. This guide explains how to set up Standalone Application Security. +Datadog AAP [Threat Management][1] and [Code Security][2] are built on top of [APM][3]. While Datadog recommends using these security products with APM and adopting DevSecOps practices, you can also use these security products without using APM. This configuration is referred to as Standalone App and API Protection. This guide explains how to set up Standalone App and API Protection. ## Prerequisites This guide assumes you have the following: - **Datadog Agent:** [Install the Datadog Agent][6] and configure it for your application's operating system, container, cloud, or virtual environment. -- **Supported Tracing Library:** The Datadog Tracing Library used by your application or service supports application security. For more details, see the guides for [Application Threat Management][4] or [Code Security][5]. +- **Supported Tracing Library:** The Datadog Tracing Library used by your application or service supports App and API Protection. For more details, see the guides for [App and API Protection][4] or [Code Security][5]. ## Compatibility -Standalone Application Security is currently supported for the following tracing library versions: +Standalone App and API Protection is currently supported for the following tracing library versions: | Language | Version | | -------- | ------- | @@ -29,11 +29,11 @@ Standalone Application Security is currently supported for the following tracing ## Setup -Set up the Datadog Agent using the standard method for APM or Application Security setup, but set up the Tracing Library by adding the `DD_APM_TRACING_ENABLED=false` environment variable to the service that runs the Tracing Library. +Set up the Datadog Agent using the standard method for APM or App and API Protection setup, but set up the Tracing Library by adding the `DD_APM_TRACING_ENABLED=false` environment variable to the service that runs the Tracing Library. -This environment variable will reduce the amount of APM data sent to Datadog to the minimum required by Application Security products. The environment variable can then be combined with environment variables to enable AAP Threat Management or Code Security. +This environment variable will reduce the amount of APM data sent to Datadog to the minimum required by App and API Protection products. The environment variable can then be combined with environment variables to enable App and API Protection or Code Security. -For AAP Threat Management, add the `DD_APM_TRACING_ENABLED=false DD_APPSEC_ENABLED=true` environment variable. +For App and API Protection, add the `DD_APM_TRACING_ENABLED=false DD_APPSEC_ENABLED=true` environment variable. For Code Security, add the `DD_APM_TRACING_ENABLED=false DD_IAST_ENABLED=true` environment variable. diff --git a/content/en/security/application_security/how-it-works/_index.md b/content/en/security/application_security/how-it-works/_index.md index dc2655a4973a6..00ba94337840d 100644 --- a/content/en/security/application_security/how-it-works/_index.md +++ b/content/en/security/application_security/how-it-works/_index.md @@ -1,5 +1,5 @@ --- -title: How Application Security Works in Datadog +title: How App and API Protection Works in Datadog aliases: - /security_platform/guide/how-appsec-works/ - /security_platform/application_security/how-appsec-works/ @@ -12,7 +12,7 @@ aliases: ## Overview -Datadog Application Security provides observability into application-level attacks that aim to exploit code-level vulnerabilities or abuse the business logic of your application, and into any bad actors targeting your systems. It provides: +Datadog App and API Protection provides observability into application-level attacks that aim to exploit code-level vulnerabilities or abuse the business logic of your application, and into any bad actors targeting your systems. It provides: - **Observability into attacks**: Provides insight into application-level attacks targeting code vulnerabilities or business logic. - **Trace-based monitoring**: Utilizes the same tracing libraries as Datadog APM to monitor traffic and detect security threats. @@ -23,44 +23,44 @@ Datadog Application Security provides observability into application-level attac ### Identify services exposed to application attacks -Datadog Application Security [Threat Management][1] uses the information APM is already collecting to flag traces containing attack attempts. While APM collects a sample of your application traffic, enabling Application Security in the tracing library is necessary to effectively monitor and protect your services. +Datadog App and API Protection [Threat Management][1] uses the information APM is already collecting to flag traces containing attack attempts. While APM collects a sample of your application traffic, enabling App and API Protection in the tracing library is necessary to effectively monitor and protect your services. Services exposed to application attacks are highlighted directly in the security views embedded in APM ([Software Catalog][2], [Service Page][3], [Traces][4]). Datadog Threat Monitoring and Detection identifies bad actors by collecting client IP addresses, login account info (for example, user account/ID), and manually-added user tags on all requests.
    1-Click Enablement
    -If your service is running with an Agent with Remote Configuration enabled and a tracing library version that supports it, you can enable Application Security from the Datadog UI without additional configuration of the Agent or tracing libraries.
    +If your service is running with an Agent with Remote Configuration enabled and a tracing library version that supports it, you can enable App and API Protection from the Datadog UI without additional configuration of the Agent or tracing libraries. ## Compatibility -For Datadog Application Security to be compatible with your Datadog configuration, you must have APM enabled and [sending traces to Datadog][6]. Application Security uses the same libraries used by APM, so you don't need to deploy and maintain another library. +For Datadog App and API Protection to be compatible with your Datadog configuration, you must have APM enabled and [sending traces to Datadog][6]. App and API Protection uses the same libraries used by APM, so you don't need to deploy and maintain another library. -Steps to enable Datadog Application Security are specific to each runtime language. Check to see if your language is supported in the Application Security prerequisites for each product. +Steps to enable Datadog App and API Protectionon are specific to each runtime language. Check to see if your language is supported in the App and API Protection prerequisites for each product. ## Serverless monitoring -Datadog Application Security for AWS Lambda provides deep visibility into attackers targeting your functions. With distributed tracing providing a context-rich picture of the attack, you can assess the impact and remediate the threat effectively. +Datadog App and API Protection for AWS Lambda provides deep visibility into attackers targeting your functions. With distributed tracing providing a context-rich picture of the attack, you can assess the impact and remediate the threat effectively. -Read [Enabling Application Security for Serverless][8] for information on setting it up. +Read [Enabling App and API Protection for Serverless][8] for information on setting it up. ## Performance -Datadog Application Security uses processes already contained in the Agent and APM, so there are negligible performance implications when using it. +Datadog App and API Protection uses processes already contained in the Agent and APM, so there are negligible performance implications when using it. -When APM is enabled, the Datadog library generates distributed traces. Datadog Application Security flags security activity in traces by using known attack patterns. Correlation between the attack patterns and the execution context provided by the distributed trace triggers security signals based on detection rules. +When APM is enabled, the Datadog library generates distributed traces. Datadog App and API Protection flags security activity in traces by using known attack patterns. Correlation between the attack patterns and the execution context provided by the distributed trace triggers security signals based on detection rules. {{< img src="security/application_security/How_Appsec_Works_June2023.png" alt="A diagram illustrates that the Datadog tracer library operates at the application service level and sends traces to the Datadog backend. The Datadog backend flags actionable security signals and sends a notification to the relevant application, such as PagerDuty, Jira or Slack." >}} ## Data sampling and retention -In the tracing library, Datadog Application Security collects all traces that include security data. A default [retention filter][9] ensures the retention of all security-related traces in the Datadog platform. +In the tracing library, Datadog App and API Protection collects all traces that include security data. A default [retention filter][9] ensures the retention of all security-related traces in the Datadog platform. Data for security traces is kept for 90 days. The underlying trace data is kept for 15 days. ## Data privacy -By default, Application Security collects information from security traces to help you understand why the request was flagged as suspicious. Before sending the data, Application Security scans it for patterns and keywords that indicate that the data is sensitive. If the data is deemed sensitive, it is replaced with a `` flag. This indicates that the request was suspicious, but that the request data could not be collected because of data security concerns. +By default, App and API Protection collects information from security traces to help you understand why the request was flagged as suspicious. Before sending the data, App and API Protection scans it for patterns and keywords that indicate that the data is sensitive. If the data is deemed sensitive, it is replaced with a `` flag. This indicates that the request was suspicious, but that the request data could not be collected because of data security concerns. Here are some examples of data that is flagged as sensitive by default: * `pwd`, `password`, `ipassword`, `pass_phrase` @@ -74,7 +74,7 @@ Here are some examples of data that is flagged as sensitive by default: * `BEGIN PRIVATE KEY` * `ssh-rsa` -To configure the information redacted by Application Security, refer to the [data security configuration][17] +To configure the information redacted by App and API Protection, refer to the [data security configuration][17] ## Threat detection methods @@ -101,7 +101,7 @@ Leveraging distributed tracing information, attacks attempts are qualified as sa ## Threat monitoring coverage -Datadog Application Security includes over 100 attack signatures that help protect against [many different kinds of attacks][14], including, but not limited to, the following categories: +Datadog App and API Protection includes over 100 attack signatures that help protect against [many different kinds of attacks][14], including, but not limited to, the following categories: * SQL injections * Code injections @@ -114,11 +114,11 @@ Datadog Application Security includes over 100 attack signatures that help prote
    API security is in Preview.
    -Datadog Application Security provides visibility into threats targeting your APIs. Use the [Endpoints list][27] in Software Catalog to monitor API health and performance metrics, where you can view attacks targeting your APIs. This view includes the attacker's IP and authentication information, as well as request headers showing details about how the attack was formed. Using both Application Security and API management, you can maintain a comprehensive view of your API attack surface, and respond to mitigate threats. +Datadog App and API Protection provides visibility into threats targeting your APIs. Use the [Endpoints list][27] in Software Catalog to monitor API health and performance metrics, where you can view attacks targeting your APIs. This view includes the attacker's IP and authentication information, as well as request headers showing details about how the attack was formed. Using both App and API Protection and API management, you can maintain a comprehensive view of your API attack surface, and respond to mitigate threats. -## How Datadog Application Security protects against Log4Shell +## How Datadog App and API Protection protects against Log4Shell -Datadog Application Security identifies Log4j Log4Shell attack payloads and provides visibility into vulnerable apps that attempt to remotely load malicious code. When used in tandem with the rest of [Datadog's Cloud SIEM][16], you can investigate to identify common post-exploitation activity, and proactively remediate potentially vulnerable Java web services acting as an attack vector. +Datadog App and API Protection identifies Log4j Log4Shell attack payloads and provides visibility into vulnerable apps that attempt to remotely load malicious code. When used in tandem with the rest of [Datadog's Cloud SIEM][16], you can investigate to identify common post-exploitation activity, and proactively remediate potentially vulnerable Java web services acting as an attack vector. [1]: /security/workload_protection/ [2]: /tracing/software_catalog/#security-view diff --git a/content/en/security/application_security/policies/_index.md b/content/en/security/application_security/policies/_index.md index c6a2a67315358..0fdd65115a8de 100644 --- a/content/en/security/application_security/policies/_index.md +++ b/content/en/security/application_security/policies/_index.md @@ -27,7 +27,7 @@ From there, all AAP-protected services block incoming requests performed by the In addition to manually blocking attackers, you can configure automation rules to have AAP automatically block attackers that are flagged in Security Signals. -To get started, navigate to **Security > Application Security > Protection > [Detection Rules][14]**. You can create a new rule or edit an existing rule with type _Application security_. For example, you can create a rule to trigger `Critical` severity signals when Credential Stuffing attacks are detected, and automatically block the associated attackers' IP addresses for 30 minutes. +To get started, navigate to **Security > App and API Protection > Protection > [Detection Rules][14]**. You can create a new rule or edit an existing rule with type _App and API Protection_. For example, you can create a rule to trigger `Critical` severity signals when Credential Stuffing attacks are detected, and automatically block the associated attackers' IP addresses for 30 minutes. **Note**: You must instrument your services to be able to block authenticated attackers. See [User Monitoring and Protection][15] for more details. @@ -60,7 +60,7 @@ For fine-grained control, you can clone a Datadog managed policy or create a cus As In-App WAF rules are toggled between modes, the changes are reflected in near real-time for services with [Remote Configuration enabled][2]. For other services, you can update the policy on the [In-App WAF page][9] and then [define In-App WAF rules][10] for the change in behavior to be applied. -Manage In-App WAF by navigating to Security --> Application Security --> Configuration --> [In-App WAF][9]. +Manage In-App WAF by navigating to Security --> App and API Protection --> Configuration --> [In-App WAF][9]. View blocked security traces in the [Trace Explorer][11] by filtering on the facet `Blocked:true`. @@ -70,7 +70,7 @@ View blocked security traces in the [Trace Explorer][11] by filtering on the fac 1. [**Enable Remote Configuration**][2] so that your AAP-enabled services show up under In-App WAF. This is required to securely push In-App WAF configuration from your Datadog backend to the tracing library in your infrastructure. -2. **Associate your AAP/Remote Configuration-enabled services with a policy**. After Remote Configuration is enabled on a service, navigate to **Security > Application Security > Protection > [In-App WAF][9]**. The service appears under the _Datadog Monitoring-only_ policy by default. Datadog Monitoring-only is a managed policy and is read-only, meaning you cannot modify the status (monitoring, blocking, or disabled) for individual rules. +2. **Associate your AAP/Remote Configuration-enabled services with a policy**. After Remote Configuration is enabled on a service, navigate to **Security > App and API Protection > Protection > [In-App WAF][9]**. The service appears under the _Datadog Monitoring-only_ policy by default. Datadog Monitoring-only is a managed policy and is read-only, meaning you cannot modify the status (monitoring, blocking, or disabled) for individual rules. If you need granular control, clone one of the available policies to create a custom policy where rule statuses can be modified. Associate one or more of your services with this custom policy. @@ -84,7 +84,7 @@ View blocked security traces in the [Trace Explorer][11] by filtering on the fac {{< img src="/security/application_security/asm-blocking-page-html.png" alt="The page displayed as AAP blocks requests originating from blocked IPs" width="75%" >}} -The default HTTP response status code while serving the deny page to attackers is `403 FORBIDDEN`. To customize the response, navigate to **Security > Application Security > Protection > In-App Waf > [Custom Responses][16]**. +The default HTTP response status code while serving the deny page to attackers is `403 FORBIDDEN`. To customize the response, navigate to **Security > App and API Protection > Protection > In-App Waf > [Custom Responses][16]**. You can optionally mask the fact that the attacker has been detected and blocked by overriding the response code to be `200 OK` or `404 NOT FOUND` when the deny page is served. @@ -94,7 +94,7 @@ You can also optionally redirect attackers to a custom deny page and away from y Protection mode is **on** by default and is a toggle available to quickly disable blocking across **all** your services. Requests can be blocked from two sections in Datadog: all attacker requests from Security Signals, and security traces from In-App WAF. -As important as it is for you to be able to apply protection granularly and reduce the likelihood of legitimate users getting blocked, you sometimes need a simple off switch to quickly stop **all** blocking across **all** services. To turn off protection, navigate to **Security > Application Security > Protection > [In-App WAF][9]** and toggle **Allow Request Blocking** to off. +As important as it is for you to be able to apply protection granularly and reduce the likelihood of legitimate users getting blocked, you sometimes need a simple off switch to quickly stop **all** blocking across **all** services. To turn off protection, navigate to **Security > App and API Protection > Protection > [In-App WAF][9]** and toggle **Allow Request Blocking** to off. ## Further reading diff --git a/content/en/security/application_security/serverless/_index.md b/content/en/security/application_security/serverless/_index.md index e4a74d183e18d..ff00637782e74 100644 --- a/content/en/security/application_security/serverless/_index.md +++ b/content/en/security/application_security/serverless/_index.md @@ -6,7 +6,7 @@ aliases: further_reading: - link: "/security/application_security/how-appsec-works/" tag: "Documentation" - text: "How Application Security Works" + text: "How App and API Protection Works" - link: "/security/default_rules/?category=cat-application-security" tag: "Documentation" text: "OOTB App and API Protection Rules" @@ -15,7 +15,7 @@ further_reading: text: "Troubleshooting App and API Protection" - link: "/security/application_security/threats/" tag: "Documentation" - text: "Application Threat Management" + text: "App and API Protection" - link: "https://www.datadoghq.com/blog/datadog-security-google-cloud/" tag: "Blog" text: "Datadog Security extends compliance and threat protection capabilities for Google Cloud" @@ -953,7 +953,7 @@ To enable AAP on your application, begin by adding the following key-value pairs - `DD_SITE` is the Datadog site [parameter][2]. Your site is {{< region-param key="dd_site" code="true" >}}. This value defaults to `datadoghq.com`. - `DD_SERVICE` is the service name used for this program. Defaults to the name field value in `package.json`. - `DD_START_APP` is the command used to start your application. For example, `node ./bin/www` (unnecessary for applications running in Tomcat). -- `DD_APPSEC_ENABLED` value should be 1 in order to enable Application Security +- `DD_APPSEC_ENABLED` value should be 1 in order to enable App and API Protection ### Identifying your startup command diff --git a/content/en/security/application_security/serverless/compatibility/_index.md b/content/en/security/application_security/serverless/compatibility/_index.md index 1cecb4db66287..7f4be73dbc3bd 100644 --- a/content/en/security/application_security/serverless/compatibility/_index.md +++ b/content/en/security/application_security/serverless/compatibility/_index.md @@ -7,7 +7,7 @@ type: multi-code-lang code_lang_weight: 90 --- -Application Security provides serverless capability for the following platforms and libraries: +App and API Protection provides serverless capability for the following platforms and libraries: {{< partial name="security-platform/appsec-libraries-serverless.html" >}}
    @@ -55,7 +55,7 @@ Go ## Google Cloud Run -
    Google Cloud Run support for Application Security serverless is in Preview.
    +
    Google Cloud Run support for App and API Protection serverless is in Preview.
    **Note**: Threat Protection through Remote Configuration is not supported. Use [Workflows][5] to block IPs in your [WAF][6]. diff --git a/content/en/security/application_security/setup/compatibility/dotnet.md b/content/en/security/application_security/setup/compatibility/dotnet.md index c56c36a493274..507b215ac4686 100644 --- a/content/en/security/application_security/setup/compatibility/dotnet.md +++ b/content/en/security/application_security/setup/compatibility/dotnet.md @@ -5,11 +5,11 @@ type: multi-code-lang code_lang_weight: 10 --- -## Application Security capabilities support +## App and API Protection capabilities support -The following application security capabilities are supported in the .NET library, for the specified tracer version: +The following App and API Protection capabilities are supported in the .NET library, for the specified tracer version: -| Application Security capability | Minimum .NET tracer version | +| App and API Protection capability | Minimum .NET tracer version | | -------------------------------- | ----------------------------| | Threat Detection | 2.23.0| | Threat Protection | 2.26.0| @@ -19,7 +19,7 @@ The following application security capabilities are supported in the .NET librar | Automatic user activity event tracking | 2.32.0 | | API Security | 2.42.0 | -The minimum tracer version to get all supported application security capabilities for .NET is 2.42.0. +The minimum tracer version to get all supported App and API Protection capabilities for .NET is 2.42.0. **Note**: Threat Protection requires enabling [Remote Configuration][3], which is included in the listed minimum tracer version. @@ -33,7 +33,7 @@ The minimum tracer version to get all supported application security capabilitie | AWS Lambda | {{< X >}} | | | Azure App Service | {{< X >}} | {{< X >}} | -**Note**: Azure App Service is supported for **web applications only**. Application Security capabilities are not supported for Azure Functions. +**Note**: Azure App Service is supported for **web applications only**. App and API Protection capabilities are not supported for Azure Functions. ## Language and framework compatibility @@ -62,7 +62,7 @@ These are supported on the following architectures: - Tags for the HTTP request (status code, method, etc) - Distributed Tracing to see attack flows through your applications -##### Application Security Capability Notes +##### App and API Protection Capability Notes - **Software Composition Analysis** is supported on all frameworks. - If your framework is not listed below, **Code Security** will still detect Insecure Cookie vulnerabilities. @@ -82,7 +82,7 @@ These are supported on the following architectures: - query info (for example, a sanitized query string) - error and stacktrace capturing -##### Application Security Capability Notes +##### App and API Protection Capability Notes - **Threat Protection** also works at the HTTP request (input) layer, and so works for all databases by default, even those not listed in the table below. | Framework | Threat Detection supported? | Threat Protection supported? | Code Security? | diff --git a/content/en/security/application_security/setup/compatibility/envoy.md b/content/en/security/application_security/setup/compatibility/envoy.md index 9655f95945dce..2a18870400f73 100644 --- a/content/en/security/application_security/setup/compatibility/envoy.md +++ b/content/en/security/application_security/setup/compatibility/envoy.md @@ -5,9 +5,9 @@ type: multi-code-lang code_lang_weight: 40 --- -The following table lists the support for application security capabilities in the Envoy integration according to the specified tracer version: +The following table lists the support for App and API Protection capabilities in the Envoy integration according to the specified tracer version: -| Application Security capability | Minimum Envoy image version | +| App and API Protection capability | Minimum Envoy image version | |----------------------------------------|------------------------------| | Threat Detection | 1.71.0 | | Threat Protection | 1.71.0 | diff --git a/content/en/security/application_security/setup/compatibility/gcp-service-extensions.md b/content/en/security/application_security/setup/compatibility/gcp-service-extensions.md index 9c5f3a13e936a..977cbbc031465 100644 --- a/content/en/security/application_security/setup/compatibility/gcp-service-extensions.md +++ b/content/en/security/application_security/setup/compatibility/gcp-service-extensions.md @@ -5,9 +5,9 @@ type: multi-code-lang code_lang_weight: 40 --- -The following table lists the support for application security capabilities in the AAP GCP Service Extensions according to the specified version: +The following table lists the support for App and API Protection capabilities in the AAP GCP Service Extensions according to the specified version: -| Application Security capability | Minimum AAP Service Extensions image version | +| App and API Protection capability | Minimum AAP Service Extensions image version | |----------------------------------------|----------------------------------------------| | Threat Detection | 1.71.0 | | Threat Protection | 1.71.0 | diff --git a/content/en/security/application_security/setup/compatibility/go.md b/content/en/security/application_security/setup/compatibility/go.md index ed0844a044a49..297aff4b80e46 100644 --- a/content/en/security/application_security/setup/compatibility/go.md +++ b/content/en/security/application_security/setup/compatibility/go.md @@ -5,11 +5,11 @@ type: multi-code-lang code_lang_weight: 20 --- -## Application Security capabilities +## App and API Protection capabilities -The following application security capabilities are supported in the Go library, for the specified tracer version: +The following App and API Protection capabilities are supported in the Go library, for the specified tracer version: -| Application Security capability | Minimum Go tracer version | +| App and API Protection capability | Minimum Go tracer version | | -------------------------------- | ----------------------------| | Threat Detection| 1.47.0 | | API Security | 1.59.0 | @@ -19,7 +19,7 @@ The following application security capabilities are supported in the Go library, | Code Security | not supported | | Automatic user activity event tracking | not supported | -The minimum tracer version to get all supported application security capabilities for Go is 1.59.0. +The minimum tracer version to get all supported App and API Protection capabilities for Go is 1.59.0. **Note**: Threat Protection requires enabling [Remote Configuration][1], which is included in the listed minimum tracer version. @@ -42,13 +42,13 @@ The Datadog Go Tracing Library has a [version support policy][3] defined for Go You must be running Datadog Agent v5.21.1+ -Starting from tracer version 1.53.0, application security capabilities do not require [CGO][15]. +Starting from tracer version 1.53.0, App and API Protection capabilities do not require [CGO][15]. ## Integrations The Go tracer includes support for the following frameworks, data stores and libraries. -The Go packages listed in this page are relevant for Application Security capabilities. You can also find more tracing integrations in [APM's tracing compatibility page][16]. +The Go packages listed in this page are relevant for App and API Protection capabilities. You can also find more tracing integrations in [APM's tracing compatibility page][16]. {{% tabs %}} {{% tab "v1" %}} diff --git a/content/en/security/application_security/setup/compatibility/java.md b/content/en/security/application_security/setup/compatibility/java.md index 1c77b0bfadc4b..1a06171e9cc42 100644 --- a/content/en/security/application_security/setup/compatibility/java.md +++ b/content/en/security/application_security/setup/compatibility/java.md @@ -5,11 +5,11 @@ type: multi-code-lang code_lang_weight: 0 --- -## Application Security capabilities +## App and API Protection capabilities -The following application security capabilities are supported in the Java library, for the specified tracer version: +The following App and API Protection capabilities are supported in the Java library, for the specified tracer version: -| Application Security capability | Minimum Java tracer version | +| App and API Protection capability | Minimum Java tracer version | | -------------------------------- | ----------------------------| | Threat Detection | 1.8.0 | | API Security | 1.31.0 | @@ -19,7 +19,7 @@ The following application security capabilities are supported in the Java librar | Code Security | 1.15.0| | Automatic user activity event tracking | 1.20.0 | -The minimum tracer version to get all supported application security capabilities for Java is 1.31.0. +The minimum tracer version to get all supported App and API Protection capabilities for Java is 1.31.0. **Note**: Threat Protection requires enabling [Remote Configuration][2], which is included in the listed minimum tracer version. @@ -33,7 +33,7 @@ The minimum tracer version to get all supported application security capabilitie | AWS Lambda | {{< X >}} | | | Azure App Service | {{< X >}} | {{< X >}} | -**Note**: Azure App Service is supported for **web applications only**. Application Security doesn't support Azure Functions. +**Note**: Azure App Service is supported for **web applications only**. App and API Protection doesn't support Azure Functions. ## Language and framework compatibility @@ -58,7 +58,7 @@ Datadog does not officially support any early-access versions of Java. - Tags for the HTTP request (status code, method, etc) - Distributed Tracing to see attack flows through your applications -##### Application Security Capability Notes +##### App and API Protection Capability Notes - **Software Composition Analysis** is supported on all frameworks - If **Code Security** does not support your framework, it will still detect Weak Cipher, Weak Hashing, Insecure Cookie, Cookie without HttpOnly Flag, and Cookie without SameSite Flag vulnerabilities. @@ -90,7 +90,7 @@ Datadog does not officially support any early-access versions of Java. - Distributed tracing through your applications - Request-based blocking -##### Application Security Capability Notes +##### App and API Protection Capability Notes - **Software Composition Analysis** is supported on all frameworks - If **Code Security** does not support your framework, it will still detect Weak Cipher, Weak Hashing, Insecure Cookie, Cookie without HttpOnly Flag, and Cookie without SameSite Flag vulnerabilities. @@ -118,7 +118,7 @@ Datadog does not officially support any early-access versions of Java. - Query info (for example, a sanitized query string) - Error and stacktrace capturing -##### Application Security Capability Notes +##### App and API Protection Capability Notes - **Software Composition Analysis** is supported on all frameworks - **Threat Protection** also works at the HTTP request (input) layer, and so works for all databases by default, even those not listed in the table below. - If your framework is not supported below, **Code Security** won’t detect SQL Injection vulnerabilities, but will still detect the rest of vulnerability types listed [here][3]. diff --git a/content/en/security/application_security/setup/compatibility/nginx.md b/content/en/security/application_security/setup/compatibility/nginx.md index 6e94a0e3ed2a7..86d897593f019 100644 --- a/content/en/security/application_security/setup/compatibility/nginx.md +++ b/content/en/security/application_security/setup/compatibility/nginx.md @@ -5,12 +5,12 @@ type: multi-code-lang code_lang_weight: 40 --- -## Application Security capabilities support +## App and API Protection capabilities support -The following application security capabilities are supported in the nginx integration, for the +The following App and API Protection capabilities are supported in the nginx integration, for the specified tracer version: -| Application Security capability | Minimum nginx module version | +| App and API Protection capability | Minimum nginx module version | |----------------------------------------|------------------------------| | Threat Detection | 1.2.0 | | Threat Protection | 1.3.0 | diff --git a/content/en/security/application_security/setup/compatibility/nodejs.md b/content/en/security/application_security/setup/compatibility/nodejs.md index 61d7330731c3b..d8fe2ea5fbf1f 100644 --- a/content/en/security/application_security/setup/compatibility/nodejs.md +++ b/content/en/security/application_security/setup/compatibility/nodejs.md @@ -5,11 +5,11 @@ type: multi-code-lang code_lang_weight: 50 --- -## Application Security capabilities +## App and API Protection capabilities -The following application security capabilities are supported in the Node.js library, for the specified tracer version: +The following App and API Protection capabilities are supported in the Node.js library, for the specified tracer version: -| Application Security capability | Minimum Node.js tracer version | +| App and API Protection capability | Minimum Node.js tracer version | |----------------------------------------|----------------------------------------------------| | Threat Detection | 4.0.0 | | Threat Protection | 4.0.0 | @@ -19,7 +19,7 @@ The following application security capabilities are supported in the Node.js lib | Automatic user activity event tracking | 4.4.0 for Node.js 16+ | | API Security | 4.30.0 for Node.js 16+, or 5.6.0 for Node.js 18+ | -The minimum tracer version to get all supported application security capabilities for Node.js is 4.30.0. +The minimum tracer version to get all supported App and API Protection capabilities for Node.js is 4.30.0. **Note**: @@ -52,7 +52,7 @@ For more information about Node.js release, see the [official Node.js documentat ### Operating system support -The following operating systems are officially supported by `dd-trace`. Any operating system not listed is still likely to work, but with some features missing, for example application security capabilities, profiling, and runtime metrics. Generally speaking, operating systems that are actively maintained at the time of initial release for a major version are supported. +The following operating systems are officially supported by `dd-trace`. Any operating system not listed is still likely to work, but with some features missing, for example App and API Protection capabilities, profiling, and runtime metrics. Generally speaking, operating systems that are actively maintained at the time of initial release for a major version are supported. | Operating System | Architectures | Minimum Versions | @@ -72,7 +72,7 @@ The following operating systems are officially supported by `dd-trace`. Any oper - Tags for the HTTP request (status code, method, etc) - Distributed Tracing to see attack flows through your applications -##### Application Security Capability Notes +##### App and API Protection Capability Notes - **Software Composition Analysis** is supported on all frameworks - If your framework is not listed below, **Code Security** will still detect Weak Cipher, Weak Hashing, Insecure Cookie, Cookie without HttpOnly Flag, and Cookie without SameSite Flag vulnerabilities. - Although Threat Protection is available for express >= 4 versions, the blocking of payloads on the body is only supported for applications using `body-parser` library. @@ -97,7 +97,7 @@ The following operating systems are officially supported by `dd-trace`. Any oper - Distributed tracing through your applications - Request-based blocking -##### Application Security Capability Notes +##### App and API Protection Capability Notes - **Software Composition Analysis** is supported on all frameworks @@ -119,7 +119,7 @@ The following operating systems are officially supported by `dd-trace`. Any oper - Query info (for example, a sanitized query string) - Error and stacktrace capturing -##### Application Security Capability Notes +##### App and API Protection Capability Notes - **Software Composition Analysis** is supported on all frameworks - **Threat Protection** also works at the HTTP request (input) layer, and so works for all databases by default, even those not listed in the table below. diff --git a/content/en/security/application_security/setup/compatibility/php.md b/content/en/security/application_security/setup/compatibility/php.md index a8b9f0e30d388..b1ae2d281f10a 100644 --- a/content/en/security/application_security/setup/compatibility/php.md +++ b/content/en/security/application_security/setup/compatibility/php.md @@ -5,11 +5,11 @@ type: multi-code-lang code_lang_weight: 40 --- -## Application Security capabilities support +## App and API Protection capabilities support -The following application security capabilities are supported in the PHP library, for the specified tracer version: +The following App and API Protection capabilities are supported in the PHP library, for the specified tracer version: -| Application Security capability | Minimum PHP tracer version | +| App and API Protection capability | Minimum PHP tracer version | | -------------------------------- |----------------------------| | Threat Detection | 0.84.0 | | Threat Protection | 0.86.0 | @@ -52,7 +52,7 @@ It's recommended to use officia | 7.1.x | General Availability | All | | 7.0.x | General Availability | All | -Application Security capabililties for PHP support the following SAPI's: +App and API Protection capabililties for PHP support the following SAPI's: | SAPI | Support type | |:---------------|:----------------| @@ -63,7 +63,7 @@ Application Security capabililties for PHP support the following SAPI's: ## Supported processor architectures -Application Security capabililties for PHP support the following architectures: +App and API Protection capabililties for PHP support the following architectures: | Processor architectures | Support level | Package version | | ------------------------------------------|-----------------------|----------------------------------------| @@ -87,10 +87,10 @@ The library supports the use of all PHP frameworks, and also the use of no frame - Tags for the HTTP request (status code, method, etc) - Distributed Tracing to see attack flows through your applications -##### Application Security Capability Notes +##### App and API Protection Capability Notes - **Code Security** is not supported -The following frameworks aren't directly instrumented by Application Security, but indirectly supported through runtime instrumentation. +The following frameworks aren't directly instrumented by App and API Protection, but indirectly supported through runtime instrumentation. | Framework | Versions | Threat Detection supported? | Threat Protection supported? | | ------------------------ | ----------- | --------------- | ---------------------------------------------- | @@ -118,7 +118,7 @@ The following frameworks aren't directly instrumented by Application Security, b - query info (for example, a sanitized query string) - error and stacktrace capturing -##### Application Security Capability Notes +##### App and API Protection Capability Notes - **Code Security** is not supported - **Threat Protection** also works at the HTTP request (input) layer, and so works for all databases by default, even those not listed in the table below. diff --git a/content/en/security/application_security/setup/compatibility/python.md b/content/en/security/application_security/setup/compatibility/python.md index 371aef57ba525..00c59b9646868 100644 --- a/content/en/security/application_security/setup/compatibility/python.md +++ b/content/en/security/application_security/setup/compatibility/python.md @@ -4,11 +4,11 @@ code_lang: python type: multi-code-lang code_lang_weight: 50 --- -## Application Security capabilities support +## App and API Protection capabilities support -The following application security capabilities are supported in the Python library, for the specified tracer version: +The following App and API Protection capabilities are supported in the Python library, for the specified tracer version: -| Application Security capability | Minimum Python tracer version | +| App and API Protection capability | Minimum Python tracer version | |----------------------------------------|-------------------------------| | Threat Detection | 1.9.0 | | Threat Protection | 1.10.0 | @@ -34,7 +34,7 @@ The following application security capabilities are supported in the Python libr ### Supported Python versions -The Python Application Security Client library follows a [versioning policy][3] that specifies the support level for the different versions of the library and Python runtime. +The Python App and API Protection Client library follows a [versioning policy][3] that specifies the support level for the different versions of the library and Python runtime. Two release branches are supported: @@ -58,7 +58,7 @@ And the library supports the following runtimes: - Tags for the HTTP request (status code, method, etc) - Distributed Tracing to see attack flows through your applications -##### Application Security Capability Notes +##### App and API Protection Capability Notes - **Software Composition Analysis** is supported on all frameworks ### Supported frameworks @@ -82,7 +82,7 @@ And the library supports the following runtimes: - query info (for example, a sanitized query string) - error and stacktrace capturing -##### Application Security Capability Notes +##### App and API Protection Capability Notes - **Software Composition Analysis** is supported on all frameworks. - **Threat Protection** also works at the HTTP request (input) layer, and so works for all databases by default, even those not listed in the table below. - diff --git a/content/en/security/application_security/setup/compatibility/ruby.md b/content/en/security/application_security/setup/compatibility/ruby.md index 4c25811ff2198..058b03fb251b0 100644 --- a/content/en/security/application_security/setup/compatibility/ruby.md +++ b/content/en/security/application_security/setup/compatibility/ruby.md @@ -5,11 +5,11 @@ type: multi-code-lang code_lang_weight: 30 --- -## Application Security capabilities support +## App and API Protection capabilities support -The following application security capabilities are supported in the Ruby library, for the specified tracer version: +The following App and API Protection capabilities are supported in the Ruby library, for the specified tracer version: -| Application Security capability | Minimum Ruby tracer version | +| App and API Protectionon capability | Minimum Ruby tracer version | | -------------------------------- | ----------------------------| | Threat Detection | 1.9.0 | | Threat Protection | 1.11.0 | @@ -19,7 +19,7 @@ The following application security capabilities are supported in the Ruby librar | Automatic user activity event tracking | 1.14.0 | | API Security | 2.4.0 | -The minimum tracer version to get all supported application security capabilities for Ruby is 1.15.0. +The minimum tracer version to get all supported App and API Protection capabilities for Ruby is 1.15.0.
    If you would like to see support added for any of the unsupported capabilities, or for your Ruby framework, let us know! Fill out this short form to send details.
    @@ -51,7 +51,7 @@ These are supported on the following architectures: - Tags for the HTTP request (status code, method, etc) - Distributed Tracing to see attack flows through your applications -##### Application Security Capability Notes +##### App and API Protection Capability Notes - **Code Security** is not supported | Framework | Threat Detection supported? | Threat Protection supported? | @@ -78,7 +78,7 @@ These are supported on the following architectures: - Distributed tracing through your applications - Request-based blocking -##### Application Security Capability Notes +##### App and API Protection Capability Notes - **Code Security** is not supported | Framework | Threat Detection supported? | Threat Protection supported? | @@ -96,7 +96,7 @@ These are supported on the following architectures: - query info (for example, a sanitized query string) - error and stacktrace capturing -##### Application Security Capability Notes +##### App and API Protection Capability Notes - **Code Security** is not supported - **Threat Protection** also works at the HTTP request (input) layer, and so works for all databases by default, even those not listed in the table below. diff --git a/content/en/security/application_security/setup/compatibility/serverless.md b/content/en/security/application_security/setup/compatibility/serverless.md index 1bae1aa80e3cf..59dd52428dd22 100644 --- a/content/en/security/application_security/setup/compatibility/serverless.md +++ b/content/en/security/application_security/setup/compatibility/serverless.md @@ -5,7 +5,7 @@ type: multi-code-lang code_lang_weight: 90 --- -Application Security provides serverless capability for the following platforms and libraries: +App and API Protection provides serverless capability for the following platforms and libraries: {{< partial name="security-platform/appsec-libraries-serverless.html" >}}
    @@ -53,7 +53,7 @@ Go ## Google Cloud Run -
    Google Cloud Run support for Application Security serverless is in Preview.
    +
    Google Cloud Run support for App and API Protection serverless is in Preview.
    **Note**: Threat Protection through Remote Configuration is not supported. Use [Workflows][5] to block IPs in your [WAF][6]. diff --git a/content/en/security/application_security/setup/standalone/_index.md b/content/en/security/application_security/setup/standalone/_index.md index 4477c23b1671a..796284cc8d07b 100644 --- a/content/en/security/application_security/setup/standalone/_index.md +++ b/content/en/security/application_security/setup/standalone/_index.md @@ -30,9 +30,9 @@ Before setting up Application & API Protection, ensure the following prerequisit If you want to use Application & API Protection without APM tracing functionality, you can deploy with tracing disabled: 1. Configure your tracing library with the `DD_APM_TRACING_ENABLED=false` environment variable in addition to the `DD_APPSEC_ENABLED=true` environment variable. -2. This configuration will reduce the amount of APM data sent to Datadog to the minimum required by Application Security products. +2. This configuration will reduce the amount of APM data sent to Datadog to the minimum required by App and API Protection products. -For more details, see [Standalone Application Security][3]. +For more details, see [Standalone App and API Protection][3]. ## Language-specific configuration diff --git a/content/en/security/application_security/setup/standalone/dotnet.md b/content/en/security/application_security/setup/standalone/dotnet.md index 23cd6c60aed8c..0aa3bcfd5a235 100644 --- a/content/en/security/application_security/setup/standalone/dotnet.md +++ b/content/en/security/application_security/setup/standalone/dotnet.md @@ -22,7 +22,7 @@ further_reading: text: "Troubleshooting App & API Protection" --- -You can monitor application security for .NET apps running in Docker, Kubernetes, Amazon ECS, and AWS Fargate. +You can monitor App and API Protection for .NET apps running in Docker, Kubernetes, Amazon ECS, and AWS Fargate. {{% appsec-getstarted-standalone %}} diff --git a/content/en/security/application_security/setup/standalone/envoy.md b/content/en/security/application_security/setup/standalone/envoy.md index 0073483d4a7e4..1d042699e2254 100644 --- a/content/en/security/application_security/setup/standalone/envoy.md +++ b/content/en/security/application_security/setup/standalone/envoy.md @@ -19,7 +19,7 @@ further_reading: To try the preview of Application & API Protection for Envoy, follow the setup instructions below. {{< /callout >}} -You can enable application security for the Envoy proxy. The Datadog Envoy integration has support for threat detection and blocking. +You can enable App and API Protection for the Envoy proxy. The Datadog Envoy integration has support for threat detection and blocking. ## Prerequisites diff --git a/content/en/security/application_security/setup/standalone/gcp-service-extensions.md b/content/en/security/application_security/setup/standalone/gcp-service-extensions.md index ae421113aa069..503d11212f079 100644 --- a/content/en/security/application_security/setup/standalone/gcp-service-extensions.md +++ b/content/en/security/application_security/setup/standalone/gcp-service-extensions.md @@ -22,7 +22,7 @@ further_reading: To try the preview of Application & API Protection Service Extensions for GCP, follow the setup instructions below. {{< /callout >}} -You can enable application security with GCP Service Extensions within GCP Cloud Load Balancing. The Datadog App & API Protection (AAP) Service Extensions integration has support for threat detection and blocking. +You can enable App and API Protection with GCP Service Extensions within GCP Cloud Load Balancing. The Datadog App & API Protection (AAP) Service Extensions integration has support for threat detection and blocking. ## Prerequisites diff --git a/content/en/security/application_security/setup/standalone/go.md b/content/en/security/application_security/setup/standalone/go.md index ee6b58546b950..459471d238f12 100644 --- a/content/en/security/application_security/setup/standalone/go.md +++ b/content/en/security/application_security/setup/standalone/go.md @@ -22,7 +22,7 @@ further_reading: text: "Troubleshooting App & API Protection" --- -You can monitor application security for Go apps running in Docker, Kubernetes, and Amazon ECS. +You can monitor App and API Protection for Go apps running in Docker, Kubernetes, and Amazon ECS. {{% appsec-getstarted-standalone %}} - Your service is [supported][2]. diff --git a/content/en/security/application_security/setup/standalone/java.md b/content/en/security/application_security/setup/standalone/java.md index 5cf0fcadfb51b..573f726040b55 100644 --- a/content/en/security/application_security/setup/standalone/java.md +++ b/content/en/security/application_security/setup/standalone/java.md @@ -22,7 +22,7 @@ further_reading: --- -You can monitor application security for Java apps running in Docker, Kubernetes, Amazon ECS, and AWS Fargate. +You can monitor App and API Protection for Java apps running in Docker, Kubernetes, Amazon ECS, and AWS Fargate. {{% appsec-getstarted-standalone %}} diff --git a/content/en/security/application_security/setup/standalone/nodejs.md b/content/en/security/application_security/setup/standalone/nodejs.md index d34fdf69b988f..37fe046457b91 100644 --- a/content/en/security/application_security/setup/standalone/nodejs.md +++ b/content/en/security/application_security/setup/standalone/nodejs.md @@ -22,7 +22,7 @@ further_reading: text: "Troubleshooting App & API Protection" --- -You can monitor application security for Node.js apps running in Docker, Kubernetes, Amazon ECS, and AWS Fargate. +You can monitor App and API Protection for Node.js apps running in Docker, Kubernetes, Amazon ECS, and AWS Fargate. {{% appsec-getstarted-standalone %}} diff --git a/content/en/security/application_security/setup/standalone/php.md b/content/en/security/application_security/setup/standalone/php.md index 3a5ed8c6e56a8..0598871e181e1 100644 --- a/content/en/security/application_security/setup/standalone/php.md +++ b/content/en/security/application_security/setup/standalone/php.md @@ -22,7 +22,7 @@ further_reading: text: "Troubleshooting App & API Protection" --- -You can monitor application security for PHP apps running in host-based or container-based environments such as Docker, Kubernetes, AWS ECS, and AWS EKS. +You can monitor App and API Protection for PHP apps running in host-based or container-based environments such as Docker, Kubernetes, AWS ECS, and AWS EKS. {{% appsec-getstarted-standalone %}} diff --git a/content/en/security/application_security/setup/standalone/ruby.md b/content/en/security/application_security/setup/standalone/ruby.md index 121a54546b314..81b0e597e8f3d 100644 --- a/content/en/security/application_security/setup/standalone/ruby.md +++ b/content/en/security/application_security/setup/standalone/ruby.md @@ -22,7 +22,7 @@ further_reading: text: "Troubleshooting App & API Protection" --- -You can monitor application security for Ruby apps running in Docker, Kubernetes, Amazon ECS, and AWS Fargate. +You can monitor App and API Protection for Ruby apps running in Docker, Kubernetes, Amazon ECS, and AWS Fargate. {{% appsec-getstarted-standalone %}} diff --git a/content/en/security/application_security/setup/threat_detection/_index.md b/content/en/security/application_security/setup/threat_detection/_index.md index 534ea48f6b1d1..e13f9fdf32df8 100644 --- a/content/en/security/application_security/setup/threat_detection/_index.md +++ b/content/en/security/application_security/setup/threat_detection/_index.md @@ -27,7 +27,7 @@ further_reading: Before setting up Threat Management, ensure the following prerequisites are met: - **Datadog Agent Installation:** The Datadog Agent is installed and configured for your application's operating system or container, cloud, or virtual environment. - **Datadog APM Configuration:** Datadog APM is configured for your application or service, and web traces (`type:web`) are being received by Datadog. -- **Supported Tracing Library:** The Datadog Tracing Library used by your application or service supports Threat Management capabilities for the language of your application or service. For more details, refer to the [Library Compatibility][1] page. +- **Supported Tracing Library:** The Datadog Tracing Library used by your application or service supports App and API Protection capabilities for the language of your application or service. For more details, refer to the [Library Compatibility][1] page. Select your application language for details on how to enable AAP Threat Detection for your language and infrastructure types. diff --git a/content/en/security/application_security/setup/threat_detection/dotnet.md b/content/en/security/application_security/setup/threat_detection/dotnet.md index 5ad4767192c47..e72aa98123f2b 100644 --- a/content/en/security/application_security/setup/threat_detection/dotnet.md +++ b/content/en/security/application_security/setup/threat_detection/dotnet.md @@ -22,7 +22,7 @@ further_reading: text: "Troubleshooting App and API Protection" --- -You can monitor application security for .NET apps running in Docker, Kubernetes, Amazon ECS, and AWS Fargate. +You can monitor App and API Protection for .NET apps running in Docker, Kubernetes, Amazon ECS, and AWS Fargate. {{% appsec-getstarted %}} diff --git a/content/en/security/application_security/setup/threat_detection/envoy.md b/content/en/security/application_security/setup/threat_detection/envoy.md index 28775ef0651d5..a525c1dd50165 100644 --- a/content/en/security/application_security/setup/threat_detection/envoy.md +++ b/content/en/security/application_security/setup/threat_detection/envoy.md @@ -19,7 +19,7 @@ further_reading: To try the preview of AAP for Envoy, follow the setup instructions below. {{< /callout >}} -You can enable application security for the Envoy proxy. The Datadog Envoy integration has support for threat detection and blocking. +You can enable App and API Protection for the Envoy proxy. The Datadog Envoy integration has support for threat detection and blocking. ## Prerequisites diff --git a/content/en/security/application_security/setup/threat_detection/gcp-service-extensions.md b/content/en/security/application_security/setup/threat_detection/gcp-service-extensions.md index 0badbc4bc55c1..f81dea4848010 100644 --- a/content/en/security/application_security/setup/threat_detection/gcp-service-extensions.md +++ b/content/en/security/application_security/setup/threat_detection/gcp-service-extensions.md @@ -22,7 +22,7 @@ further_reading: To try the preview of AAP Service Extensions for GCP, follow the setup instructions below. {{< /callout >}} -You can enable application security with GCP Service Extensions within GCP Cloud Load Balancing. The Datadog App and API Protection (AAP) Service Extensions integration provides threat detection and blocking capabilities directly in your GCP environment. +You can enable App and API Protection with GCP Service Extensions within GCP Cloud Load Balancing. The Datadog App and API Protection (AAP) Service Extensions integration provides threat detection and blocking capabilities directly in your GCP environment. ## Prerequisites diff --git a/content/en/security/application_security/setup/threat_detection/go.md b/content/en/security/application_security/setup/threat_detection/go.md index bc1a328c69c56..b8997daacd65a 100644 --- a/content/en/security/application_security/setup/threat_detection/go.md +++ b/content/en/security/application_security/setup/threat_detection/go.md @@ -22,7 +22,7 @@ further_reading: text: "Troubleshooting App and API Protection" --- -You can monitor application security for Go apps running in Docker, Kubernetes, and Amazon ECS. +You can monitor App and API Protection for Go apps running in Docker, Kubernetes, and Amazon ECS. {{% appsec-getstarted %}} - Your service is [supported][2]. diff --git a/content/en/security/application_security/setup/threat_detection/java.md b/content/en/security/application_security/setup/threat_detection/java.md index ba9b849792bb2..74822efada61e 100644 --- a/content/en/security/application_security/setup/threat_detection/java.md +++ b/content/en/security/application_security/setup/threat_detection/java.md @@ -22,7 +22,7 @@ further_reading: --- -You can monitor application security for Java apps running in Docker, Kubernetes, Amazon ECS, and AWS Fargate. +You can monitor App and API Protection for Java apps running in Docker, Kubernetes, Amazon ECS, and AWS Fargate. {{% appsec-getstarted %}} diff --git a/content/en/security/application_security/setup/threat_detection/nodejs.md b/content/en/security/application_security/setup/threat_detection/nodejs.md index 799043bca57e9..14df6dbca6568 100644 --- a/content/en/security/application_security/setup/threat_detection/nodejs.md +++ b/content/en/security/application_security/setup/threat_detection/nodejs.md @@ -22,7 +22,7 @@ further_reading: text: "Troubleshooting App and API Protection" --- -You can monitor application security for Node.js apps running in Docker, Kubernetes, Amazon ECS, and AWS Fargate. +You can monitor App and API Protection for Node.js apps running in Docker, Kubernetes, Amazon ECS, and AWS Fargate. {{% appsec-getstarted %}} diff --git a/content/en/security/application_security/setup/threat_detection/php.md b/content/en/security/application_security/setup/threat_detection/php.md index 8dffd75efe13c..36b39143b1a81 100644 --- a/content/en/security/application_security/setup/threat_detection/php.md +++ b/content/en/security/application_security/setup/threat_detection/php.md @@ -22,7 +22,7 @@ further_reading: text: "Troubleshooting App and API Protection" --- -You can monitor application security for PHP apps running in host-based or container-based environments such as Docker, Kubernetes, AWS ECS, and AWS EKS. +You can monitor App and API Protection for PHP apps running in host-based or container-based environments such as Docker, Kubernetes, AWS ECS, and AWS EKS. {{% appsec-getstarted %}} diff --git a/content/en/security/application_security/setup/threat_detection/ruby.md b/content/en/security/application_security/setup/threat_detection/ruby.md index d9470e308646a..ee597551c36da 100644 --- a/content/en/security/application_security/setup/threat_detection/ruby.md +++ b/content/en/security/application_security/setup/threat_detection/ruby.md @@ -22,7 +22,7 @@ further_reading: text: "Troubleshooting App and API Protection" --- -You can monitor application security for Ruby apps running in Docker, Kubernetes, Amazon ECS, and AWS Fargate. +You can monitor App and API Protection for Ruby apps running in Docker, Kubernetes, Amazon ECS, and AWS Fargate. {{% appsec-getstarted %}} diff --git a/content/en/security/application_security/terms.md b/content/en/security/application_security/terms.md index f599340167ba0..abcdf072ddd8f 100644 --- a/content/en/security/application_security/terms.md +++ b/content/en/security/application_security/terms.md @@ -4,10 +4,10 @@ disable_toc: false further_reading: - link: "/security/application_security/how-appsec-works" tag: "Documentation" - text: "How Application Security Works" + text: "How App and API Protection Works" - link: "/security/application_security/threats/" tag: "Documentation" - text: "Threat Management" + text: "App and API Protection" - link: "/security/code_security/software_composition_analysis/" tag: "Documentation" text: "Software Composition Analysis" @@ -17,26 +17,26 @@ further_reading: --- {{< site-region region="gov" >}} -
    Datadog Application Security is not supported for your selected Datadog site ({{< region-param key="dd_site_name" >}}).
    +
    Datadog App and API Protection is not supported for your selected Datadog site ({{< region-param key="dd_site_name" >}}).
    {{< /site-region >}} -Datadog Application Security monitors threats and provides protection against application-level attacks that aim to exploit code-level vulnerabilities. It leverages runtime code execution context, trace and error data, and user attribution. +Datadog App and API Protection monitors threats and provides protection against application-level attacks that aim to exploit code-level vulnerabilities. It leverages runtime code execution context, trace and error data, and user attribution. -## General application security terms +## General App and API Protection terms attack attempt : Which security rule was triggered by the trace. Datadog library : _also_ tracer, tracing library -: A programming language-specific library embedded in web applications. Datadog Application Security uses the library to monitor and protect. APM uses the same library to instrument code for tracing telemetry. +: A programming language-specific library embedded in web applications. Datadog App and API Protection uses the library to monitor and protect. APM uses the same library to instrument code for tracing telemetry. detection rule : A conditional logic definition that is applied to ingested data and cloud configurations. When at least one case defined in a rule is matched over a given period of time, Datadog generates a _security signal_. : See [Detection rules][10]. passlist (formerly exclusion filter) -: A mechanism for discarding security traces flagged through the Datadog Application Security library and the In-App WAF rules. Passlist is applied as requests are ingested into Datadog (intake). Passlist helps manage false positives and intake costs. +: A mechanism for discarding security traces flagged through the Datadog App and API Protection library and the In-App WAF rules. Passlist is applied as requests are ingested into Datadog (intake). Passlist helps manage false positives and intake costs. : See [Exclusion filters][11] in the app. In-App WAF rules (formerly event rules) @@ -47,7 +47,7 @@ interactive application security testing (IAST) : An application security testing method that proactively detects vulnerabilities while the app is run by an automated test, human tester, or any activity interacting with the application functionality. Remote Configuration -: A Datadog platform mechanism that enables the Agent configuration to be updated remotely. Used by Datadog Application Security to update In-App WAF rules, activate the product, and block attackers. +: A Datadog platform mechanism that enables the Agent configuration to be updated remotely. Used by Datadog App and API Protection to update In-App WAF rules, activate the product, and block attackers. : See [How Remote Configuration Works][8]. service @@ -103,7 +103,7 @@ attacker cluster ## Attacks and known vulnerabilities terms -Open Web Application Security Project (OWASP) +Open Web App and API Protection Project (OWASP) : A nonprofit foundation with several projects to enhance web application security. OWASP is best known for the [OWASP Top 10][2], a broad consensus about the most critical security risks to web applications. Cross-Site Scripting (XSS) diff --git a/content/en/security/application_security/threats/_index.md b/content/en/security/application_security/threats/_index.md index 10c2dfdec9d2e..0cec2309e9496 100644 --- a/content/en/security/application_security/threats/_index.md +++ b/content/en/security/application_security/threats/_index.md @@ -1,5 +1,5 @@ --- -title: Application Threat Management +title: App and API Protection further_reading: - link: "/security/application_security/threats/add-user-info/" tag: "Documentation" @@ -19,25 +19,25 @@ further_reading:
    App and API Protection is not supported for your selected Datadog site ({{< region-param key="dd_site_name" >}}).
    {{< /site-region >}} -Datadog's App and API Protection (AAP) Threat Management protects web applications and APIs from a wide range of security threats, including: +Datadog's App and API Protection (AAP) App and API Protection protects web applications and APIs from a wide range of security threats, including: - Exploit attempts - Application abuse and fraud - API abuse -Integrated into the Datadog platform, AAP Threat Management leverages Datadog’s extensive observability data (logs and traces) to provide full-stack visibility and security in a unified platform. +Integrated into the Datadog platform, App and API Protection leverages Datadog’s extensive observability data (logs and traces) to provide full-stack visibility and security in a unified platform. -AAP Threat Management enables teams to identify and remediate threats quickly. Its key differentiator is bridging the gap between security and DevOps, promoting collaboration between development, security, and operations teams. +App and API Protection enables teams to identify and remediate threats quickly. Its key differentiator is bridging the gap between security and DevOps, promoting collaboration between development, security, and operations teams. ## Use cases -Discover the ways Datadog AAP Threat Management helps common use cases: +Discover the ways Datadog App and API Protection helps common use cases: | You want to... | How Datadog AAP can help | | ----------- | ----------- | -| **Web Application Protection:** Prevent vulnerability exploits such as SQL Injection, Server-side Request Forgery, and Local File Inclusion. | Enable [Exploit Prevention][9] on your services. AAP Threat Management blocks exploits in real-time and generates signals for further investigation.| +| **Web Application Protection:** Prevent vulnerability exploits such as SQL Injection, Server-side Request Forgery, and Local File Inclusion. | Enable [Exploit Prevention][9] on your services. App and API Protection blocks exploits in real-time and generates signals for further investigation.| | **Application and API abuse:** Protect applications against application and API abuse such as credential stuffing and Account Takeover attacks.| Leverage [OOTB detection rules][10] for notifications such as unusual account creations or password resets from an IP, or distributed credential stuffing campaigns. Review the benefits of [OOTB Account TakeOver Protection][11].| -| **API Security:** Learn about your organization’s APIs, understand the posture and actions needed to reduce risk using a prioritized list of API endpoints.| AAP Threat Management:
    - Inventories all your API endpoints.
    - Gives you visibility into your API traffic, including API abuse.
    - Highlights risk across your API endpoints. For example, vulnerable or unauthenticated endpoints processing sensitive data.| +| **API Security:** Learn about your organization’s APIs, understand the posture and actions needed to reduce risk using a prioritized list of API endpoints.| App and API Protection:
    - Inventories all your API endpoints.
    - Gives you visibility into your API traffic, including API abuse.
    - Highlights risk across your API endpoints. For example, vulnerable or unauthenticated endpoints processing sensitive data.| ## Security signals @@ -45,7 +45,7 @@ Security signals raised by Threat Monitoring are summarized and surfaced in view {{< img src="security/application_security/threats/threats-on-svc-cat_3.png" alt="Software Catalog with services showing threat signals" style="width:100%;" >}} -For additional information about how Threat Management works, read [How AAP Works][4]. +For additional information about how App and API Protection works, read [How AAP Works][4]. ## Explore threat signals diff --git a/content/en/security/application_security/threats/exploit-prevention.md b/content/en/security/application_security/threats/exploit-prevention.md index 7bec2b7a061ca..4fc9323d7e18b 100644 --- a/content/en/security/application_security/threats/exploit-prevention.md +++ b/content/en/security/application_security/threats/exploit-prevention.md @@ -55,7 +55,7 @@ AAP Exploit Prevention intercepts all SQL queries to determine if a user paramet ## Prerequisites - Ensure that your applications are instrumented with the Datadog tracer. -- AAP Threat Management must be enabled. See [Threat Management Setup][1]. +- App and API Protection must be enabled. See [App and API Protection Setup][1]. - Ensure Remote Configuration is enabled to push rule updates and In-App WAF policies. See [Enabling Remote Configuration][2]. ### Library Compatibility @@ -71,7 +71,7 @@ AAP Exploit Prevention intercepts all SQL queries to determine if a user paramet ## Enabling Exploit Prevention -1. Navigate to [In-App WAF][4] (**Security > Application Security > Protection > In-App WAF**). +1. Navigate to [In-App WAF][4] (**Security > App and API Protection > Protection > In-App WAF**). 2. If you have applied a Datadog managed policy to your services, then follow these steps: a. Clone the policy. For example, you can use the **Managed - Block attack tools** policy. diff --git a/content/en/security/application_security/threats/inapp_waf_rules.md b/content/en/security/application_security/threats/inapp_waf_rules.md index 2ee792b8d2eed..ff6e39f604eba 100644 --- a/content/en/security/application_security/threats/inapp_waf_rules.md +++ b/content/en/security/application_security/threats/inapp_waf_rules.md @@ -55,7 +55,7 @@ An input represents which part of the request the operator is applied to. The fo ## Custom In-App WAF rules -Custom In-App WAF rules enable users to log or block specific types of requests to their applications. For example, you can use custom rules to monitor login success or failure. To get started, navigate to **Security** -> **Application Security** -> **Protection** -> **In-App WAF** -> [**Custom Rules**][4]. +Custom In-App WAF rules enable users to log or block specific types of requests to their applications. For example, you can use custom rules to monitor login success or failure. To get started, navigate to **Security** -> **App and API Protection** -> **Protection** -> **In-App WAF** -> [**Custom Rules**][4]. **Note:** Default rules in In-App WAF are read-only. To refine your In-App WAF behavior, modify the In-App WAF rules. Default rules cannot be modified, however, you can create a custom rule based on one of the default rules, and modify the match conditions to your needs. Be sure to disable the default rule so that you don't have two similar rules evaluating the same requests. @@ -65,7 +65,7 @@ Blocking on a service is defined through the policy rules. Three Datadog default Services using a policy are visible directly in the policy management page. -1. In Datadog, navigate to [Security > Application Security > Protection > In-App WAF][2]. +1. In Datadog, navigate to [Security > App and API Protection > Protection > In-App WAF][2]. {{< img src="security/application_security/threats/waf/in-app-waf.png" alt="In-App WAF configuration page, showing two default policies." style="width:100%;" >}} diff --git a/content/en/security/application_security/threats/protection.md b/content/en/security/application_security/threats/protection.md index 8f1034df86529..c03b62d6bfc95 100644 --- a/content/en/security/application_security/threats/protection.md +++ b/content/en/security/application_security/threats/protection.md @@ -33,7 +33,7 @@ From there, all AAP-protected services block incoming requests performed by the In addition to manually blocking attackers, you can configure automation rules to have AAP automatically block attackers that are flagged in Security Signals. -To get started, navigate to **Security > Application Security > Protection > [Detection Rules][14]**. You can create a new rule or edit an existing rule with type _Application security_. For example, you can create a rule to trigger `Critical` severity signals when Credential Stuffing attacks are detected, and automatically block the associated attackers' IP addresses for 30 minutes. +To get started, navigate to **Security > App and API Protection > Protection > [Detection Rules][14]**. You can create a new rule or edit an existing rule with type _App and API Protection_. For example, you can create a rule to trigger `Critical` severity signals when Credential Stuffing attacks are detected, and automatically block the associated attackers' IP addresses for 30 minutes. **Note**: You must instrument your services to be able to block authenticated attackers. See [User Monitoring and Protection][15] for more details. @@ -66,7 +66,7 @@ For fine-grained control, you can clone a Datadog managed policy or create a cus As In-App WAF rules are toggled between modes, the changes are reflected in near real-time for services with [Remote Configuration enabled][2]. For other services, you can update the policy on the [In-App WAF page][9] and then [define In-App WAF rules][10] for the change in behavior to be applied. -Manage In-App WAF by navigating to Security --> Application Security --> Configuration --> [In-App WAF][9]. +Manage In-App WAF by navigating to Security --> App and API Protection --> Configuration --> [In-App WAF][9]. View blocked security traces in the [Trace Explorer][11] by filtering on the facet `Blocked:true`. @@ -76,7 +76,7 @@ View blocked security traces in the [Trace Explorer][11] by filtering on the fac 1. [**Enable Remote Configuration**][2] so that your AAP-enabled services show up under In-App WAF. This is required to securely push In-App WAF configuration from your Datadog backend to the tracing library in your infrastructure. -2. **Associate your AAP/Remote Configuration-enabled services with a policy**. After Remote Configuration is enabled on a service, navigate to **Security > Application Security > Protection > [In-App WAF][9]**. The service appears under the _Datadog Monitoring-only_ policy by default. Datadog Monitoring-only is a managed policy and is read-only, meaning you cannot modify the status (monitoring, blocking, or disabled) for individual rules. +2. **Associate your AAP/Remote Configuration-enabled services with a policy**. After Remote Configuration is enabled on a service, navigate to **Security > App and API Protection > Protection > [In-App WAF][9]**. The service appears under the _Datadog Monitoring-only_ policy by default. Datadog Monitoring-only is a managed policy and is read-only, meaning you cannot modify the status (monitoring, blocking, or disabled) for individual rules. If you need granular control, clone one of the available policies to create a custom policy where rule statuses can be modified. Associate one or more of your services with this custom policy. @@ -90,7 +90,7 @@ View blocked security traces in the [Trace Explorer][11] by filtering on the fac {{< img src="/security/application_security/asm-blocking-page-html.png" alt="The page displayed as AAP blocks requests originating from blocked IPs" width="75%" >}} -The default HTTP response status code while serving the deny page to attackers is `403 FORBIDDEN`. To customize the response, navigate to **Security > Application Security > Protection > In-App Waf > [Custom Responses][16]**. +The default HTTP response status code while serving the deny page to attackers is `403 FORBIDDEN`. To customize the response, navigate to **Security > App and API Protection > Protection > In-App Waf > [Custom Responses][16]**. You can optionally mask the fact that the attacker has been detected and blocked by overriding the response code to be `200 OK` or `404 NOT FOUND` when the deny page is served. @@ -100,7 +100,7 @@ You can also optionally redirect attackers to a custom deny page and away from y Protection mode is **on** by default and is a toggle available to quickly disable blocking across **all** your services. Requests can be blocked from two sections in Datadog: all attacker requests from Security Signals, and security traces from In-App WAF. -As important as it is for you to be able to apply protection granularly and reduce the likelihood of legitimate users getting blocked, you sometimes need a simple off switch to quickly stop **all** blocking across **all** services. To turn off protection, navigate to **Security > Application Security > Protection > [In-App WAF][9]** and toggle **Allow Request Blocking** to off. +As important as it is for you to be able to apply protection granularly and reduce the likelihood of legitimate users getting blocked, you sometimes need a simple off switch to quickly stop **all** blocking across **all** services. To turn off protection, navigate to **Security > App and API Protection > Protection > [In-App WAF][9]** and toggle **Allow Request Blocking** to off. ## Further reading diff --git a/content/en/security/application_security/threats/setup/_index.md b/content/en/security/application_security/threats/setup/_index.md index 9c8968b6da440..275b0bd8c4cfd 100644 --- a/content/en/security/application_security/threats/setup/_index.md +++ b/content/en/security/application_security/threats/setup/_index.md @@ -1,20 +1,20 @@ --- -title: Threat Management Setup +title: App and API Protection Setup disable_toc: false --- ## Prerequisites -Before setting up Threat Management, ensure the following prerequisites are met: +Before setting up App and API Protection, ensure the following prerequisites are met: - **Datadog Agent:** [Install the Datadog Agent][4] and configure it for your application's operating system or container, cloud, or virtual environment. - **Datadog APM Configuration:** Datadog APM is configured for your application or service, and web traces (`type:web`) are being received by Datadog. -- **Supported Tracing Library:** The Datadog Tracing Library used by your application or service supports Threat Management capabilities for the language of your application or service. For more details, refer to the [Library Compatibility][1] page. +- **Supported Tracing Library:** The Datadog Tracing Library used by your application or service supports App and API Protection capabilities for the language of your application or service. For more details, refer to the [Library Compatibility][1] page. ## Datadog Tracing Libraries Add an environment variable or a new argument to your [Datadog Tracing Library configuration][3]. -By following these steps, you'll successfully set up Threat Management for your application or service, monitoring services that are under attack and protecting them against attacks. +By following these steps, you'll successfully set up App and API Protection for your application or service, monitoring services that are under attack and protecting them against attacks. [1]: /security/application_security/threats/setup/compatibility [3]: /security/application_security/threats/setup/threat_detection diff --git a/content/en/security/application_security/threats/setup/compatibility/dotnet.md b/content/en/security/application_security/threats/setup/compatibility/dotnet.md index c56c36a493274..507b215ac4686 100644 --- a/content/en/security/application_security/threats/setup/compatibility/dotnet.md +++ b/content/en/security/application_security/threats/setup/compatibility/dotnet.md @@ -5,11 +5,11 @@ type: multi-code-lang code_lang_weight: 10 --- -## Application Security capabilities support +## App and API Protection capabilities support -The following application security capabilities are supported in the .NET library, for the specified tracer version: +The following App and API Protection capabilities are supported in the .NET library, for the specified tracer version: -| Application Security capability | Minimum .NET tracer version | +| App and API Protection capability | Minimum .NET tracer version | | -------------------------------- | ----------------------------| | Threat Detection | 2.23.0| | Threat Protection | 2.26.0| @@ -19,7 +19,7 @@ The following application security capabilities are supported in the .NET librar | Automatic user activity event tracking | 2.32.0 | | API Security | 2.42.0 | -The minimum tracer version to get all supported application security capabilities for .NET is 2.42.0. +The minimum tracer version to get all supported App and API Protection capabilities for .NET is 2.42.0. **Note**: Threat Protection requires enabling [Remote Configuration][3], which is included in the listed minimum tracer version. @@ -33,7 +33,7 @@ The minimum tracer version to get all supported application security capabilitie | AWS Lambda | {{< X >}} | | | Azure App Service | {{< X >}} | {{< X >}} | -**Note**: Azure App Service is supported for **web applications only**. Application Security capabilities are not supported for Azure Functions. +**Note**: Azure App Service is supported for **web applications only**. App and API Protection capabilities are not supported for Azure Functions. ## Language and framework compatibility @@ -62,7 +62,7 @@ These are supported on the following architectures: - Tags for the HTTP request (status code, method, etc) - Distributed Tracing to see attack flows through your applications -##### Application Security Capability Notes +##### App and API Protection Capability Notes - **Software Composition Analysis** is supported on all frameworks. - If your framework is not listed below, **Code Security** will still detect Insecure Cookie vulnerabilities. @@ -82,7 +82,7 @@ These are supported on the following architectures: - query info (for example, a sanitized query string) - error and stacktrace capturing -##### Application Security Capability Notes +##### App and API Protection Capability Notes - **Threat Protection** also works at the HTTP request (input) layer, and so works for all databases by default, even those not listed in the table below. | Framework | Threat Detection supported? | Threat Protection supported? | Code Security? | diff --git a/content/en/security/application_security/threats/setup/compatibility/envoy.md b/content/en/security/application_security/threats/setup/compatibility/envoy.md index 9655f95945dce..2a18870400f73 100644 --- a/content/en/security/application_security/threats/setup/compatibility/envoy.md +++ b/content/en/security/application_security/threats/setup/compatibility/envoy.md @@ -5,9 +5,9 @@ type: multi-code-lang code_lang_weight: 40 --- -The following table lists the support for application security capabilities in the Envoy integration according to the specified tracer version: +The following table lists the support for App and API Protection capabilities in the Envoy integration according to the specified tracer version: -| Application Security capability | Minimum Envoy image version | +| App and API Protection capability | Minimum Envoy image version | |----------------------------------------|------------------------------| | Threat Detection | 1.71.0 | | Threat Protection | 1.71.0 | diff --git a/content/en/security/application_security/threats/setup/compatibility/gcp-service-extensions.md b/content/en/security/application_security/threats/setup/compatibility/gcp-service-extensions.md index 9c5f3a13e936a..977cbbc031465 100644 --- a/content/en/security/application_security/threats/setup/compatibility/gcp-service-extensions.md +++ b/content/en/security/application_security/threats/setup/compatibility/gcp-service-extensions.md @@ -5,9 +5,9 @@ type: multi-code-lang code_lang_weight: 40 --- -The following table lists the support for application security capabilities in the AAP GCP Service Extensions according to the specified version: +The following table lists the support for App and API Protection capabilities in the AAP GCP Service Extensions according to the specified version: -| Application Security capability | Minimum AAP Service Extensions image version | +| App and API Protection capability | Minimum AAP Service Extensions image version | |----------------------------------------|----------------------------------------------| | Threat Detection | 1.71.0 | | Threat Protection | 1.71.0 | diff --git a/content/en/security/application_security/threats/setup/compatibility/go.md b/content/en/security/application_security/threats/setup/compatibility/go.md index ed0844a044a49..297aff4b80e46 100644 --- a/content/en/security/application_security/threats/setup/compatibility/go.md +++ b/content/en/security/application_security/threats/setup/compatibility/go.md @@ -5,11 +5,11 @@ type: multi-code-lang code_lang_weight: 20 --- -## Application Security capabilities +## App and API Protection capabilities -The following application security capabilities are supported in the Go library, for the specified tracer version: +The following App and API Protection capabilities are supported in the Go library, for the specified tracer version: -| Application Security capability | Minimum Go tracer version | +| App and API Protection capability | Minimum Go tracer version | | -------------------------------- | ----------------------------| | Threat Detection| 1.47.0 | | API Security | 1.59.0 | @@ -19,7 +19,7 @@ The following application security capabilities are supported in the Go library, | Code Security | not supported | | Automatic user activity event tracking | not supported | -The minimum tracer version to get all supported application security capabilities for Go is 1.59.0. +The minimum tracer version to get all supported App and API Protection capabilities for Go is 1.59.0. **Note**: Threat Protection requires enabling [Remote Configuration][1], which is included in the listed minimum tracer version. @@ -42,13 +42,13 @@ The Datadog Go Tracing Library has a [version support policy][3] defined for Go You must be running Datadog Agent v5.21.1+ -Starting from tracer version 1.53.0, application security capabilities do not require [CGO][15]. +Starting from tracer version 1.53.0, App and API Protection capabilities do not require [CGO][15]. ## Integrations The Go tracer includes support for the following frameworks, data stores and libraries. -The Go packages listed in this page are relevant for Application Security capabilities. You can also find more tracing integrations in [APM's tracing compatibility page][16]. +The Go packages listed in this page are relevant for App and API Protection capabilities. You can also find more tracing integrations in [APM's tracing compatibility page][16]. {{% tabs %}} {{% tab "v1" %}} diff --git a/content/en/security/application_security/threats/setup/compatibility/java.md b/content/en/security/application_security/threats/setup/compatibility/java.md index 1c77b0bfadc4b..1a06171e9cc42 100644 --- a/content/en/security/application_security/threats/setup/compatibility/java.md +++ b/content/en/security/application_security/threats/setup/compatibility/java.md @@ -5,11 +5,11 @@ type: multi-code-lang code_lang_weight: 0 --- -## Application Security capabilities +## App and API Protection capabilities -The following application security capabilities are supported in the Java library, for the specified tracer version: +The following App and API Protection capabilities are supported in the Java library, for the specified tracer version: -| Application Security capability | Minimum Java tracer version | +| App and API Protection capability | Minimum Java tracer version | | -------------------------------- | ----------------------------| | Threat Detection | 1.8.0 | | API Security | 1.31.0 | @@ -19,7 +19,7 @@ The following application security capabilities are supported in the Java librar | Code Security | 1.15.0| | Automatic user activity event tracking | 1.20.0 | -The minimum tracer version to get all supported application security capabilities for Java is 1.31.0. +The minimum tracer version to get all supported App and API Protection capabilities for Java is 1.31.0. **Note**: Threat Protection requires enabling [Remote Configuration][2], which is included in the listed minimum tracer version. @@ -33,7 +33,7 @@ The minimum tracer version to get all supported application security capabilitie | AWS Lambda | {{< X >}} | | | Azure App Service | {{< X >}} | {{< X >}} | -**Note**: Azure App Service is supported for **web applications only**. Application Security doesn't support Azure Functions. +**Note**: Azure App Service is supported for **web applications only**. App and API Protection doesn't support Azure Functions. ## Language and framework compatibility @@ -58,7 +58,7 @@ Datadog does not officially support any early-access versions of Java. - Tags for the HTTP request (status code, method, etc) - Distributed Tracing to see attack flows through your applications -##### Application Security Capability Notes +##### App and API Protection Capability Notes - **Software Composition Analysis** is supported on all frameworks - If **Code Security** does not support your framework, it will still detect Weak Cipher, Weak Hashing, Insecure Cookie, Cookie without HttpOnly Flag, and Cookie without SameSite Flag vulnerabilities. @@ -90,7 +90,7 @@ Datadog does not officially support any early-access versions of Java. - Distributed tracing through your applications - Request-based blocking -##### Application Security Capability Notes +##### App and API Protection Capability Notes - **Software Composition Analysis** is supported on all frameworks - If **Code Security** does not support your framework, it will still detect Weak Cipher, Weak Hashing, Insecure Cookie, Cookie without HttpOnly Flag, and Cookie without SameSite Flag vulnerabilities. @@ -118,7 +118,7 @@ Datadog does not officially support any early-access versions of Java. - Query info (for example, a sanitized query string) - Error and stacktrace capturing -##### Application Security Capability Notes +##### App and API Protection Capability Notes - **Software Composition Analysis** is supported on all frameworks - **Threat Protection** also works at the HTTP request (input) layer, and so works for all databases by default, even those not listed in the table below. - If your framework is not supported below, **Code Security** won’t detect SQL Injection vulnerabilities, but will still detect the rest of vulnerability types listed [here][3]. diff --git a/content/en/security/application_security/threats/setup/compatibility/nginx.md b/content/en/security/application_security/threats/setup/compatibility/nginx.md index 6e94a0e3ed2a7..86d897593f019 100644 --- a/content/en/security/application_security/threats/setup/compatibility/nginx.md +++ b/content/en/security/application_security/threats/setup/compatibility/nginx.md @@ -5,12 +5,12 @@ type: multi-code-lang code_lang_weight: 40 --- -## Application Security capabilities support +## App and API Protection capabilities support -The following application security capabilities are supported in the nginx integration, for the +The following App and API Protection capabilities are supported in the nginx integration, for the specified tracer version: -| Application Security capability | Minimum nginx module version | +| App and API Protection capability | Minimum nginx module version | |----------------------------------------|------------------------------| | Threat Detection | 1.2.0 | | Threat Protection | 1.3.0 | diff --git a/content/en/security/application_security/threats/setup/compatibility/nodejs.md b/content/en/security/application_security/threats/setup/compatibility/nodejs.md index 61d7330731c3b..aeaff3f262b9b 100644 --- a/content/en/security/application_security/threats/setup/compatibility/nodejs.md +++ b/content/en/security/application_security/threats/setup/compatibility/nodejs.md @@ -5,11 +5,11 @@ type: multi-code-lang code_lang_weight: 50 --- -## Application Security capabilities +## App and API Protectionon capabilities -The following application security capabilities are supported in the Node.js library, for the specified tracer version: +The following App and API Protection capabilities are supported in the Node.js library, for the specified tracer version: -| Application Security capability | Minimum Node.js tracer version | +| App and API Protection capability | Minimum Node.js tracer version | |----------------------------------------|----------------------------------------------------| | Threat Detection | 4.0.0 | | Threat Protection | 4.0.0 | @@ -19,7 +19,7 @@ The following application security capabilities are supported in the Node.js lib | Automatic user activity event tracking | 4.4.0 for Node.js 16+ | | API Security | 4.30.0 for Node.js 16+, or 5.6.0 for Node.js 18+ | -The minimum tracer version to get all supported application security capabilities for Node.js is 4.30.0. +The minimum tracer version to get all supported App and API Protection capabilities for Node.js is 4.30.0. **Note**: @@ -52,7 +52,7 @@ For more information about Node.js release, see the [official Node.js documentat ### Operating system support -The following operating systems are officially supported by `dd-trace`. Any operating system not listed is still likely to work, but with some features missing, for example application security capabilities, profiling, and runtime metrics. Generally speaking, operating systems that are actively maintained at the time of initial release for a major version are supported. +The following operating systems are officially supported by `dd-trace`. Any operating system not listed is still likely to work, but with some features missing, for example App and API Protection capabilities, profiling, and runtime metrics. Generally speaking, operating systems that are actively maintained at the time of initial release for a major version are supported. | Operating System | Architectures | Minimum Versions | @@ -72,7 +72,7 @@ The following operating systems are officially supported by `dd-trace`. Any oper - Tags for the HTTP request (status code, method, etc) - Distributed Tracing to see attack flows through your applications -##### Application Security Capability Notes +##### App and API Protection Capability Notes - **Software Composition Analysis** is supported on all frameworks - If your framework is not listed below, **Code Security** will still detect Weak Cipher, Weak Hashing, Insecure Cookie, Cookie without HttpOnly Flag, and Cookie without SameSite Flag vulnerabilities. - Although Threat Protection is available for express >= 4 versions, the blocking of payloads on the body is only supported for applications using `body-parser` library. @@ -97,7 +97,7 @@ The following operating systems are officially supported by `dd-trace`. Any oper - Distributed tracing through your applications - Request-based blocking -##### Application Security Capability Notes +##### App and API Protection Capability Notes - **Software Composition Analysis** is supported on all frameworks @@ -119,7 +119,7 @@ The following operating systems are officially supported by `dd-trace`. Any oper - Query info (for example, a sanitized query string) - Error and stacktrace capturing -##### Application Security Capability Notes +##### App and API Protection Capability Notes - **Software Composition Analysis** is supported on all frameworks - **Threat Protection** also works at the HTTP request (input) layer, and so works for all databases by default, even those not listed in the table below. diff --git a/content/en/security/application_security/threats/setup/compatibility/php.md b/content/en/security/application_security/threats/setup/compatibility/php.md index a8b9f0e30d388..b1ae2d281f10a 100644 --- a/content/en/security/application_security/threats/setup/compatibility/php.md +++ b/content/en/security/application_security/threats/setup/compatibility/php.md @@ -5,11 +5,11 @@ type: multi-code-lang code_lang_weight: 40 --- -## Application Security capabilities support +## App and API Protection capabilities support -The following application security capabilities are supported in the PHP library, for the specified tracer version: +The following App and API Protection capabilities are supported in the PHP library, for the specified tracer version: -| Application Security capability | Minimum PHP tracer version | +| App and API Protection capability | Minimum PHP tracer version | | -------------------------------- |----------------------------| | Threat Detection | 0.84.0 | | Threat Protection | 0.86.0 | @@ -52,7 +52,7 @@ It's recommended to use officia | 7.1.x | General Availability | All | | 7.0.x | General Availability | All | -Application Security capabililties for PHP support the following SAPI's: +App and API Protection capabililties for PHP support the following SAPI's: | SAPI | Support type | |:---------------|:----------------| @@ -63,7 +63,7 @@ Application Security capabililties for PHP support the following SAPI's: ## Supported processor architectures -Application Security capabililties for PHP support the following architectures: +App and API Protection capabililties for PHP support the following architectures: | Processor architectures | Support level | Package version | | ------------------------------------------|-----------------------|----------------------------------------| @@ -87,10 +87,10 @@ The library supports the use of all PHP frameworks, and also the use of no frame - Tags for the HTTP request (status code, method, etc) - Distributed Tracing to see attack flows through your applications -##### Application Security Capability Notes +##### App and API Protection Capability Notes - **Code Security** is not supported -The following frameworks aren't directly instrumented by Application Security, but indirectly supported through runtime instrumentation. +The following frameworks aren't directly instrumented by App and API Protection, but indirectly supported through runtime instrumentation. | Framework | Versions | Threat Detection supported? | Threat Protection supported? | | ------------------------ | ----------- | --------------- | ---------------------------------------------- | @@ -118,7 +118,7 @@ The following frameworks aren't directly instrumented by Application Security, b - query info (for example, a sanitized query string) - error and stacktrace capturing -##### Application Security Capability Notes +##### App and API Protection Capability Notes - **Code Security** is not supported - **Threat Protection** also works at the HTTP request (input) layer, and so works for all databases by default, even those not listed in the table below. diff --git a/content/en/security/application_security/threats/setup/compatibility/python.md b/content/en/security/application_security/threats/setup/compatibility/python.md index 371aef57ba525..ef7b4b168488a 100644 --- a/content/en/security/application_security/threats/setup/compatibility/python.md +++ b/content/en/security/application_security/threats/setup/compatibility/python.md @@ -4,11 +4,11 @@ code_lang: python type: multi-code-lang code_lang_weight: 50 --- -## Application Security capabilities support +## App and API Protection capabilities support The following application security capabilities are supported in the Python library, for the specified tracer version: -| Application Security capability | Minimum Python tracer version | +| App and API Protection capability | Minimum Python tracer version | |----------------------------------------|-------------------------------| | Threat Detection | 1.9.0 | | Threat Protection | 1.10.0 | @@ -34,7 +34,7 @@ The following application security capabilities are supported in the Python libr ### Supported Python versions -The Python Application Security Client library follows a [versioning policy][3] that specifies the support level for the different versions of the library and Python runtime. +The Python App and API Protection Client library follows a [versioning policy][3] that specifies the support level for the different versions of the library and Python runtime. Two release branches are supported: @@ -58,7 +58,7 @@ And the library supports the following runtimes: - Tags for the HTTP request (status code, method, etc) - Distributed Tracing to see attack flows through your applications -##### Application Security Capability Notes +##### App and API Protection Capability Notes - **Software Composition Analysis** is supported on all frameworks ### Supported frameworks @@ -82,7 +82,7 @@ And the library supports the following runtimes: - query info (for example, a sanitized query string) - error and stacktrace capturing -##### Application Security Capability Notes +##### App and API Protection Capability Notes - **Software Composition Analysis** is supported on all frameworks. - **Threat Protection** also works at the HTTP request (input) layer, and so works for all databases by default, even those not listed in the table below. - diff --git a/content/en/security/application_security/threats/setup/compatibility/ruby.md b/content/en/security/application_security/threats/setup/compatibility/ruby.md index 4c25811ff2198..be0f5f4b8e42c 100644 --- a/content/en/security/application_security/threats/setup/compatibility/ruby.md +++ b/content/en/security/application_security/threats/setup/compatibility/ruby.md @@ -5,11 +5,11 @@ type: multi-code-lang code_lang_weight: 30 --- -## Application Security capabilities support +## App and API Protection capabilities support The following application security capabilities are supported in the Ruby library, for the specified tracer version: -| Application Security capability | Minimum Ruby tracer version | +| App and API Protection capability | Minimum Ruby tracer version | | -------------------------------- | ----------------------------| | Threat Detection | 1.9.0 | | Threat Protection | 1.11.0 | @@ -51,7 +51,7 @@ These are supported on the following architectures: - Tags for the HTTP request (status code, method, etc) - Distributed Tracing to see attack flows through your applications -##### Application Security Capability Notes +##### App and API Protection Capability Notes - **Code Security** is not supported | Framework | Threat Detection supported? | Threat Protection supported? | @@ -78,7 +78,7 @@ These are supported on the following architectures: - Distributed tracing through your applications - Request-based blocking -##### Application Security Capability Notes +##### App and API Protection Capability Notes - **Code Security** is not supported | Framework | Threat Detection supported? | Threat Protection supported? | @@ -96,7 +96,7 @@ These are supported on the following architectures: - query info (for example, a sanitized query string) - error and stacktrace capturing -##### Application Security Capability Notes +##### App and API Protection Capability Notes - **Code Security** is not supported - **Threat Protection** also works at the HTTP request (input) layer, and so works for all databases by default, even those not listed in the table below. diff --git a/content/en/security/application_security/threats/setup/compatibility/serverless.md b/content/en/security/application_security/threats/setup/compatibility/serverless.md index 1bae1aa80e3cf..59dd52428dd22 100644 --- a/content/en/security/application_security/threats/setup/compatibility/serverless.md +++ b/content/en/security/application_security/threats/setup/compatibility/serverless.md @@ -5,7 +5,7 @@ type: multi-code-lang code_lang_weight: 90 --- -Application Security provides serverless capability for the following platforms and libraries: +App and API Protection provides serverless capability for the following platforms and libraries: {{< partial name="security-platform/appsec-libraries-serverless.html" >}}
    @@ -53,7 +53,7 @@ Go ## Google Cloud Run -
    Google Cloud Run support for Application Security serverless is in Preview.
    +
    Google Cloud Run support for App and API Protection serverless is in Preview.
    **Note**: Threat Protection through Remote Configuration is not supported. Use [Workflows][5] to block IPs in your [WAF][6]. diff --git a/content/en/security/application_security/threats/setup/standalone/_index.md b/content/en/security/application_security/threats/setup/standalone/_index.md index 4477c23b1671a..796284cc8d07b 100644 --- a/content/en/security/application_security/threats/setup/standalone/_index.md +++ b/content/en/security/application_security/threats/setup/standalone/_index.md @@ -30,9 +30,9 @@ Before setting up Application & API Protection, ensure the following prerequisit If you want to use Application & API Protection without APM tracing functionality, you can deploy with tracing disabled: 1. Configure your tracing library with the `DD_APM_TRACING_ENABLED=false` environment variable in addition to the `DD_APPSEC_ENABLED=true` environment variable. -2. This configuration will reduce the amount of APM data sent to Datadog to the minimum required by Application Security products. +2. This configuration will reduce the amount of APM data sent to Datadog to the minimum required by App and API Protection products. -For more details, see [Standalone Application Security][3]. +For more details, see [Standalone App and API Protection][3]. ## Language-specific configuration diff --git a/content/en/security/application_security/threats/setup/threat_detection/_index.md b/content/en/security/application_security/threats/setup/threat_detection/_index.md index 534ea48f6b1d1..95e758e4c9f24 100644 --- a/content/en/security/application_security/threats/setup/threat_detection/_index.md +++ b/content/en/security/application_security/threats/setup/threat_detection/_index.md @@ -24,10 +24,10 @@ further_reading: ## Prerequisites -Before setting up Threat Management, ensure the following prerequisites are met: +Before setting up App and API Protection, ensure the following prerequisites are met: - **Datadog Agent Installation:** The Datadog Agent is installed and configured for your application's operating system or container, cloud, or virtual environment. - **Datadog APM Configuration:** Datadog APM is configured for your application or service, and web traces (`type:web`) are being received by Datadog. -- **Supported Tracing Library:** The Datadog Tracing Library used by your application or service supports Threat Management capabilities for the language of your application or service. For more details, refer to the [Library Compatibility][1] page. +- **Supported Tracing Library:** The Datadog Tracing Library used by your application or service supports App and API Protection capabilities for the language of your application or service. For more details, refer to the [Library Compatibility][1] page. Select your application language for details on how to enable AAP Threat Detection for your language and infrastructure types. diff --git a/content/en/security/application_security/threats/threat_management_setup.md b/content/en/security/application_security/threats/threat_management_setup.md index b0278be42d941..28be4bde532e9 100644 --- a/content/en/security/application_security/threats/threat_management_setup.md +++ b/content/en/security/application_security/threats/threat_management_setup.md @@ -1,23 +1,23 @@ --- -title: Threat Management Setup +title: App and API Protection Setup disable_toc: false --- ## Prerequisites -Before setting up Threat Management, ensure the following prerequisites are met: +Before setting up App and API Protection, ensure the following prerequisites are met: - **Datadog Agent Installation:** The Datadog Agent is installed and configured for your application's operating system or container, cloud, or virtual environment. - Datadog APM Configuration: Datadog APM is configured for your application or service, and web traces (`type:web`) are being received by Datadog. -- Supported Tracing Library: The Datadog Tracing Library used by your application or service supports Threat Management capabilities for the language of your application or service. For more details, refer to the Library Compatibility page. +- Supported Tracing Library: The Datadog Tracing Library used by your application or service supports App and API Protection capabilities for the language of your application or service. For more details, refer to the Library Compatibility page. -## Threat Management enablement types overview +## App and API Protection enablement types overview -There are two main approaches to enable Threat Management on your tracing libraries: Single-Step Instrumentation and Datadog Tracing Libraries. +There are two main approaches to enable App and API Protection on your tracing libraries: Single-Step Instrumentation and Datadog Tracing Libraries. ## Single-Step Instrumentation -Run a one-line install command to install the Datadog Agent, and enable Threat Management with Single-Step Instrumentation. +Run a one-line install command to install the Datadog Agent, and enable App and API Protection with Single-Step Instrumentation. ## Datadog Tracing Libraries diff --git a/content/en/security/application_security/threats/waf-integration.md b/content/en/security/application_security/threats/waf-integration.md index 6ce0f426926fb..b1ce76e7af57c 100644 --- a/content/en/security/application_security/threats/waf-integration.md +++ b/content/en/security/application_security/threats/waf-integration.md @@ -7,11 +7,11 @@ further_reading: text: "Monitor AWS WAF activity with Datadog" --- -Protecting web applications and APIs requires a multi-layered approach that combines in-app monitoring and perimeter defenses. These complementary strategies enable you to have a defense-in-depth application security approach leveraging AWS Web Application Firewall (WAF) as the first line of defense, followed by AAP Threat Management to block attacks that slip by the WAF. +Protecting web applications and APIs requires a multi-layered approach that combines in-app monitoring and perimeter defenses. These complementary strategies enable you to have a defense-in-depth App and API Protection approach leveraging AWS Web Application Firewall (WAF) as the first line of defense, followed by App and API Protection to block attacks that slip by the WAF. ### In-app monitoring: deep visibility with distributed tracing -At the application level, Datadog AAP Threat Management leverages distributed tracing to monitor microservices in real time. The AAP approach provides detailed, context-rich insights into the behavior of requests as they traverse various services. These insights detect sophisticated threats such as: +At the application level, Datadog App and API Protection leverages distributed tracing to monitor microservices in real time. The AAP approach provides detailed, context-rich insights into the behavior of requests as they traverse various services. These insights detect sophisticated threats such as: - SQL Injection (SQLi) and Local File Inclusion (LFI) attempts. - Application logic abuse, such as bypassing business rules or exploiting edge cases. diff --git a/content/en/security/application_security/troubleshooting.md b/content/en/security/application_security/troubleshooting.md index 434a2d944fc7c..36fbd5be3078d 100644 --- a/content/en/security/application_security/troubleshooting.md +++ b/content/en/security/application_security/troubleshooting.md @@ -553,7 +553,7 @@ AAP data is sent with APM traces. See [APM troubleshooting][4] to [confirm APM s ### Confirm tracer versions are updated -See the Application Security product set up documentation to validate you you are using the right version of the tracer. These minimum versions are required to start sending telemetry data that includes library information. +See the App and API Protection product set up documentation to validate you you are using the right version of the tracer. These minimum versions are required to start sending telemetry data that includes library information. ### Ensure the communication of telemetry data diff --git a/content/en/security/application_security/waf-integration.md b/content/en/security/application_security/waf-integration.md index 6ce0f426926fb..f47dd22f009c8 100644 --- a/content/en/security/application_security/waf-integration.md +++ b/content/en/security/application_security/waf-integration.md @@ -7,11 +7,11 @@ further_reading: text: "Monitor AWS WAF activity with Datadog" --- -Protecting web applications and APIs requires a multi-layered approach that combines in-app monitoring and perimeter defenses. These complementary strategies enable you to have a defense-in-depth application security approach leveraging AWS Web Application Firewall (WAF) as the first line of defense, followed by AAP Threat Management to block attacks that slip by the WAF. +Protecting web applications and APIs requires a multi-layered approach that combines in-app monitoring and perimeter defenses. These complementary strategies enable you to have a defense-in-depth App and API Protection approach leveraging AWS Web Application Firewall (WAF) as the first line of defense, followed by App and API Protection to block attacks that slip by the WAF. ### In-app monitoring: deep visibility with distributed tracing -At the application level, Datadog AAP Threat Management leverages distributed tracing to monitor microservices in real time. The AAP approach provides detailed, context-rich insights into the behavior of requests as they traverse various services. These insights detect sophisticated threats such as: +At the application level, Datadog AAP leverages distributed tracing to monitor microservices in real time. The AAP approach provides detailed, context-rich insights into the behavior of requests as they traverse various services. These insights detect sophisticated threats such as: - SQL Injection (SQLi) and Local File Inclusion (LFI) attempts. - Application logic abuse, such as bypassing business rules or exploiting edge cases. diff --git a/content/en/security/cloud_security_management/_index.md b/content/en/security/cloud_security_management/_index.md index 46a6a9a266585..d6f3dfbe8580b 100644 --- a/content/en/security/cloud_security_management/_index.md +++ b/content/en/security/cloud_security_management/_index.md @@ -78,7 +78,7 @@ Improve your organization's score by remediating misconfigurations, either by re ## Explore and remediate issues -For an overview of your Cloud Security and Application Security findings, sorted by importance, use the [Security Inbox][14]. +For an overview of your Cloud Security and App and API Protection findings, sorted by importance, use the [Security Inbox][14]. To get more detail, use [Findings][7] to review and remediate your organization's security findings concerning misconfigurations, vulnerabilities, and identity risks. View detailed information about a finding, including guidelines and remediation steps. [Send real-time notifications][6] when a threat is detected in your environment, and use tags to identify the owner of an impacted resource. diff --git a/content/en/security/detection_rules/_index.md b/content/en/security/detection_rules/_index.md index c72005c85c7f8..6a545c1601162 100644 --- a/content/en/security/detection_rules/_index.md +++ b/content/en/security/detection_rules/_index.md @@ -59,7 +59,7 @@ To [create custom rules](#create-detection-rules), you can clone the default rul ## Search and filter detection rules -To view out-of-the-box and custom detection rules in Datadog, navigate to the [**Security Settings**][10] page. Rules are listed on separate pages for each product (Application Security, Cloud Security, and Cloud SIEM). +To view out-of-the-box and custom detection rules in Datadog, navigate to the [**Security Settings**][10] page. Rules are listed on separate pages for each product (App and API Protection, Cloud Security, and Cloud SIEM). To search and filter the rules, use the search box and facets to query by value. For example, to only show rules for a given rule type, hover over the rule type and select `only`. You can also filter by facets such as `source` and `severity` when investigating and triaging incoming issues. @@ -119,7 +119,7 @@ Use Rule Version History to: To see the version history of a rule: 1. Navigate to the [Security Settings][15] page. In the left navigation panel: - - For AAP: Click **Application Security** and then click **Detection Rules**. + - For AAP: Click **App and API Protection** and then click **Detection Rules**. - For Cloud Security: Click **Cloud Security** and then click **Threat Detection Rules**. - For Cloud SIEM: Click **Cloud SIEM** and then click **Detection Rules**. 1. Click on the rule you are interested in. diff --git a/content/en/serverless/aws_lambda/securing_functions.md b/content/en/serverless/aws_lambda/securing_functions.md index 19489e8c2ea25..6608c6010488f 100644 --- a/content/en/serverless/aws_lambda/securing_functions.md +++ b/content/en/serverless/aws_lambda/securing_functions.md @@ -6,7 +6,7 @@ further_reading: text: "App and API Protection" - link: "/security/application_security/how-appsec-works" tag: "Documentation" - text: "How Application Security Works" + text: "How App and API Protection Works" --- [Datadog App and API Protection (AAP)][2] provides observability into application-level attacks that aim to exploit code-level vulnerabilities, and into bad actors targeting your systems. diff --git a/content/en/serverless/azure_app_services/azure_app_services_windows.md b/content/en/serverless/azure_app_services/azure_app_services_windows.md index fbb18b32caabe..9650ecc0f74af 100644 --- a/content/en/serverless/azure_app_services/azure_app_services_windows.md +++ b/content/en/serverless/azure_app_services/azure_app_services_windows.md @@ -92,7 +92,7 @@ For example: - Set `DD_SERVICE` to specify a service name (defaults to your app name). - Set `DD_LOGS_INJECTION:true` for correlation with application logs from your app. - Set `DD_PROFILING_ENABLED:true` to enable .NET [Continuous Profiler][5]. - - Set `DD_APPSEC_ENABLED:true` to enable [Application Security][15]. + - Set `DD_APPSEC_ENABLED:true` to enable [App and API Protection][15]. - See a full list of [optional configuration variables][6]. 6. Click **Save** (this restarts your application). 7.
    [REQUIRED] Stop your application by clicking Stop.
    diff --git a/content/en/software_catalog/endpoints/monitor_endpoints.md b/content/en/software_catalog/endpoints/monitor_endpoints.md index 19359c509dfee..f85979f8a3d89 100644 --- a/content/en/software_catalog/endpoints/monitor_endpoints.md +++ b/content/en/software_catalog/endpoints/monitor_endpoints.md @@ -12,7 +12,7 @@ further_reading: text: "Synthetic API Tests" - link: "/security/application_security/" tag: "Documentation" - text: "Application Security Monitoring" + text: "App and API Protection Monitoring" aliases: - /tracing/api_catalog/monitor_apis/ - /api_catalog/monitor_apis/ diff --git a/content/en/software_catalog/use_cases/appsec_management.md b/content/en/software_catalog/use_cases/appsec_management.md index eb1ad9cb0ee64..ff7eb9299903a 100644 --- a/content/en/software_catalog/use_cases/appsec_management.md +++ b/content/en/software_catalog/use_cases/appsec_management.md @@ -1,5 +1,5 @@ --- -title: Manage Application Security Posture Across Development Teams +title: Manage App and API Protection Posture Across Development Teams aliases: - /tracing/software_catalog/guides/appsec_management - /software_catalog/guides/appsec_management diff --git a/content/en/tracing/services/service_page.md b/content/en/tracing/services/service_page.md index 6e5c431d66830..93440e383919d 100644 --- a/content/en/tracing/services/service_page.md +++ b/content/en/tracing/services/service_page.md @@ -197,7 +197,7 @@ This tab has overview graphs that show which resources have the most issues and {{< img src="tracing/visualization/service/error_tracking_side_panel_1.jpg" alt="Error Tracking tab" style="width:90%;">}} ### Security -Understand the security posture of the service, including known vulnerabilities exposed in the service's libraries and security signals on your service, which are automatically created when Datadog detects application attacks impacting your services. The signals identify meaningful threats for you to review instead of assessing each individual attack attempt. Read more about [Application Security][18]. +Understand the security posture of the service, including known vulnerabilities exposed in the service's libraries and security signals on your service, which are automatically created when Datadog detects application attacks impacting your services. The signals identify meaningful threats for you to review instead of assessing each individual attack attempt. Read more about [App and API Protection][18]. The top section of the security tab has overview graphs that show the number and severity of vulnerabilities, a timeline of attacks, the types of attacks, and attacker information (client IP or authenticated user). diff --git a/content/en/tracing/trace_collection/library_config/java.md b/content/en/tracing/trace_collection/library_config/java.md index c911ab6d6da59..2d038841e286e 100644 --- a/content/en/tracing/trace_collection/library_config/java.md +++ b/content/en/tracing/trace_collection/library_config/java.md @@ -314,7 +314,7 @@ When set to `true` db spans get assigned the remote database hostname as the ser `dd.appsec.enabled` : **Environment Variable**: `DD_APPSEC_ENABLED`
    **Default**: `false`
    -When `true`, enables Datadog Application Security Monitoring. Additionally, this automatically enables client IP collection (`dd.trace.client-ip.enabled`).
    +When `true`, enables Datadog App and API Protection Monitoring. Additionally, this automatically enables client IP collection (`dd.trace.client-ip.enabled`).
    For more information, see [Enabling AAP for Java][19]. ### Errors diff --git a/content/en/tracing/trace_pipeline/trace_retention.md b/content/en/tracing/trace_pipeline/trace_retention.md index 65fe0432d4cb2..fc50ba6283700 100644 --- a/content/en/tracing/trace_pipeline/trace_retention.md +++ b/content/en/tracing/trace_pipeline/trace_retention.md @@ -77,7 +77,7 @@ There are two types of retention filters: The following retention filters are enabled by default: - The `Error Default` retention filter indexes error spans with `status:error`. The retention rate and the query are configurable. For example, to capture production errors, set the query to `status:error, env:production`. Disable the retention filter if you do not want to capture the errors by default. -- The `Application Security Monitoring Default` retention filter is enabled if you are using [App and API Protection][16]. It ensures the retention of all spans in traces that have been identified as having an application security impact (an attack attempt). +- The `App and API Protection Monitoring Default` retention filter is enabled if you are using [App and API Protection][16]. It ensures the retention of all spans in traces that have been identified as having an application security impact (an attack attempt). - The `Synthetics Default` retention filter is enabled if you are using Synthetic Monitoring. It ensures that traces generated from synthetic API and browser tests remain available by default. See [Synthetic APM][15] for more information, including how to correlate traces with synthetic tests. - The `Dynamic Instrumentation Default` retention filter is enabled if you are using [Dynamic Instrumentation][17]. It ensures spans created dynamically with Dynamic instrumentation remain available in the long term by default. From eafcb5cf408d18f5d53ec56cbdb12c80f1998f36 Mon Sep 17 00:00:00 2001 From: Michael Cretzman Date: Fri, 9 May 2025 13:55:06 -0700 Subject: [PATCH 4/6] redirects and commented images Added redirects: | Old topic URL | New topic URL | | :---- | :---- | | ~~/security/application\_security/how-appsec-works/~~ | ~~content/en/security/application\_security/how-it-works/~~ | | ~~security/application\_security/threats/threat-intelligence/~~ | ~~security/application\_security/how-it-works/threat-intelligence~~ | | ~~security/application\_security/threats/trace\_qualification/~~ | ~~security/application\_security/how-it-works/trace\_qualification/~~ | | ~~security/application\_security/threats/add-user-info/?tab=set\_user~~ | ~~security/application\_security/how-it-works/add-user-info/?tab=set\_user~~ | | ~~security/application\_security/threats/protection/~~ | ~~security/application\_security/policies/~~ | | ~~security/application\_security/threats/setup/~~ | ~~security/application\_security/setup/~~ | | security/application\_security/threats/setup/compatibility/ NONE FOUND | security/application\_security/setup/compatibility/ | | security/application\_security/threats/setup/threat\_detection/ NONE FOUND | security/application\_security/setup/threat\_detection/ | | ~~security/application\_security/threats/attacker-explorer/~~ | ~~security/application\_security/security\_signals/attacker-explorer/~~ | | ~~security/application\_security/threats/attacker\_fingerprint/~~ | ~~security/application\_security/security\_signals/attacker\_fingerprint/~~ | | ~~security/application\_security/threats/attacker\_clustering/~~ | ~~security/application\_security/security\_signals/attacker\_clustering/~~ | | ~~security/application\_security/threats/exploit-prevention/~~ | ~~security/application\_security/exploit-prevention/~~ | | security/application\_security/threats/waf-integration/ NONE FOUND | security/application\_security/policies/ | | ~~security/application\_security/threats/custom\_rules/~~ | ~~security/application\_security/policies/custom\_rules/~~ | | security/application\_security/threats/waf-integration/ NONE FOUND | security/application\_security/waf-integration/ | | | | Commented out images with "Application Security" UI --- content/en/agent/remote_config/_index.md | 4 ++-- .../security/application_security.md | 6 +++--- content/en/security/account_takeover_protection.md | 4 ++-- content/en/security/application_security/_index.md | 4 ++-- .../application_security/api-inventory/_index.md | 2 +- .../application_security/exploit-prevention.md | 14 +++++++------- .../guide/manage_account_theft_appsec.md | 10 +++++----- .../guide/standalone_application_security.md | 2 +- .../application_security/how-it-works/_index.md | 2 +- .../how-it-works/add-user-info.md | 4 ++-- .../how-it-works/threat-intelligence.md | 10 +++++----- .../how-it-works/trace_qualification.md | 5 +---- .../application_security/overview/_index.md | 2 +- .../application_security/policies/_index.md | 10 +++++----- .../application_security/policies/custom_rules.md | 4 ++-- .../security_signals/_index.md | 10 +++++----- .../security_signals/attacker-explorer.md | 8 ++++---- .../security_signals/attacker_clustering.md | 8 ++++---- .../security_signals/attacker_fingerprint.md | 6 +++--- .../application_security/serverless/_index.md | 2 +- .../security/application_security/setup/_index.md | 4 ++-- .../setup/compatibility/_index.md | 2 +- .../setup/compatibility/envoy.md | 2 +- .../setup/compatibility/gcp-service-extensions.md | 2 +- .../setup/compatibility/nginx.md | 2 +- .../setup/standalone/_index.md | 4 ++-- .../setup/standalone/dotnet.md | 4 ++-- .../application_security/setup/standalone/go.md | 4 ++-- .../application_security/setup/standalone/java.md | 4 ++-- .../setup/standalone/nodejs.md | 4 ++-- .../application_security/setup/standalone/php.md | 2 +- .../setup/standalone/python.md | 2 +- .../application_security/setup/standalone/ruby.md | 2 +- .../setup/threat_detection/_index.md | 4 ++-- .../setup/threat_detection/dotnet.md | 4 ++-- .../setup/threat_detection/go.md | 4 ++-- .../setup/threat_detection/java.md | 4 ++-- .../setup/threat_detection/nodejs.md | 4 ++-- .../setup/threat_detection/php.md | 2 +- .../setup/threat_detection/python.md | 2 +- .../setup/threat_detection/ruby.md | 2 +- content/en/security/application_security/terms.md | 14 +++++++------- .../application_security/threats/_index.md | 10 +++++----- .../application_security/threats/add-user-info.md | 2 +- .../threats/attacker-explorer.md | 2 +- .../threats/attacker_clustering.md | 8 ++++---- .../threats/attacker_fingerprint.md | 4 ++-- .../application_security/threats/custom_rules.md | 4 ++-- .../threats/exploit-prevention.md | 2 +- .../threats/inapp_waf_rules.md | 2 +- .../threats/library_configuration.md | 8 ++++---- .../application_security/threats/protection.md | 8 ++++---- .../threats/security_signals.md | 8 ++++---- .../application_security/threats/setup/_index.md | 4 ++-- .../threats/setup/compatibility/_index.md | 2 +- .../threats/setup/compatibility/envoy.md | 2 +- .../setup/compatibility/gcp-service-extensions.md | 2 +- .../threats/setup/compatibility/nginx.md | 2 +- .../threats/setup/standalone/_index.md | 4 ++-- .../threats/setup/standalone/dotnet.md | 4 ++-- .../threats/setup/standalone/go.md | 4 ++-- .../threats/setup/standalone/java.md | 4 ++-- .../threats/setup/standalone/nodejs.md | 4 ++-- .../threats/setup/standalone/php.md | 2 +- .../threats/setup/standalone/python.md | 2 +- .../threats/setup/standalone/ruby.md | 2 +- .../threats/setup/threat_detection/_index.md | 4 ++-- .../threats/setup/threat_detection/dotnet.md | 4 ++-- .../threats/setup/threat_detection/go.md | 4 ++-- .../threats/setup/threat_detection/java.md | 4 ++-- .../threats/setup/threat_detection/nodejs.md | 4 ++-- .../threats/setup/threat_detection/php.md | 2 +- .../threats/setup/threat_detection/python.md | 2 +- .../threats/setup/threat_detection/ruby.md | 2 +- .../threats/trace_qualification.md | 8 ++++---- .../application_security/troubleshooting.md | 2 +- .../application_security/waf-integration.md | 4 ++-- .../iast/setup/compatibility/_index.md | 2 +- .../setup_runtime/compatibility/nginx.md | 2 +- content/en/security/detection_rules/_index.md | 2 +- .../en/security/guide/aws_fargate_config_guide.md | 12 ++++++------ content/en/security/threat_intelligence.md | 2 +- .../en/serverless/aws_lambda/securing_functions.md | 2 +- content/en/software_catalog/endpoints/_index.md | 2 +- content/en/software_catalog/navigating.md | 2 +- .../en/tracing/configure_data_security/_index.md | 2 +- content/en/tracing/services/service_page.md | 2 +- .../automatic_instrumentation/dd_libraries/go.md | 4 ++-- .../trace_collection/library_config/java.md | 2 +- content/en/tracing/trace_explorer/trace_view.md | 2 +- 90 files changed, 183 insertions(+), 186 deletions(-) diff --git a/content/en/agent/remote_config/_index.md b/content/en/agent/remote_config/_index.md index a73944713adfc..20d660f5eb6be 100644 --- a/content/en/agent/remote_config/_index.md +++ b/content/en/agent/remote_config/_index.md @@ -293,13 +293,13 @@ datadog: [3]: /security/threats/setup [4]: /observability_pipelines/#observability-pipelines-worker [5]: /account_management/rbac/permissions#api-and-application-keys -[6]: /security/application_security/threats/setup/compatibility/ +[6]: /security/application_security/setup/compatibility/ [7]: /account_management/rbac/permissions#access-management [8]: https://app.datadoghq.com/organization-settings/remote-config [9]: /security/default_rules/#cat-workload-security [10]: /tracing/trace_pipeline/ingestion_controls/#managing-ingestion-for-all-services-at-the-agent-level [11]: /dynamic_instrumentation/?tab=configurationyaml#enable-remote-configuration -[12]: /security/application_security/how-appsec-works/#built-in-protection +[12]: /security/application_security/how-it-works/#built-in-protection [13]: /account_management/audit_trail [14]: /monitors/ [15]: /help/ diff --git a/content/en/getting_started/security/application_security.md b/content/en/getting_started/security/application_security.md index f228730a79205..849e41be4db30 100644 --- a/content/en/getting_started/security/application_security.md +++ b/content/en/getting_started/security/application_security.md @@ -7,7 +7,7 @@ further_reading: - link: "/security/application_security/terms" tag: "Documentation" text: "App and API Protection terms and concepts" -- link: "/security/application_security/how-appsec-works" +- link: "/security/application_security/how-it-works" tag: "Documentation" text: "How App and API Protection works" - link: "https://dtdg.co/fe" @@ -110,8 +110,8 @@ For information on disabling AAP or its related capabilities, see the following: [1]: https://app.datadoghq.com/services?&lens=Security [2]: https://app.datadoghq.com/services?hostGroup=%2A&lens=Security [3]: /security/application_security/threats/library_configuration/#configuring-a-client-ip-header -[4]: /security/application_security/how-appsec-works/ -[5]: /security/application_security/threats/add-user-info/ +[4]: /security/application_security/how-it-works/ +[5]: /security/application_security/how-it-works/add-user-info/ [6]: https://app.datadoghq.com/security?query=%40workflow.rule.type%3A%22Application%20Security%22&column=time&order=desc&product=appsec&view=signal&viz=stream&start=1674824351640&end=1675429151640&paused=false [7]: https://app.datadoghq.com/security/appsec [8]: https://app.datadoghq.com/security/appsec/traces diff --git a/content/en/security/account_takeover_protection.md b/content/en/security/account_takeover_protection.md index de764501b0ff6..292980f2f7767 100644 --- a/content/en/security/account_takeover_protection.md +++ b/content/en/security/account_takeover_protection.md @@ -5,7 +5,7 @@ further_reading: - link: "security/application_security/terms/" tag: "Documentation" text: "AAP Terms and Concepts" -- link: "security/application_security/threats/add-user-info/?tab=set_user" +- link: "security/application_security/how-it-works/add-user-info/?tab=set_user" tag: "Documentation" text: "User Monitoring and Protection" - link: "security/application_security/guide/" @@ -266,7 +266,7 @@ To receive targeted and compromised user IDs with a webhook, set up a webhook us {{< partial name="whats-next/whats-next.html" >}} -[1]: https://docs.datadoghq.com/security/application_security/threats/add-user-info/ +[1]: https://docs.datadoghq.com/security/application_security/how-it-works/add-user-info/ [2]: https://app.datadoghq.com/security/configuration/asm/rules?query=type%3Aapplication_security%20defaultRule%3Atrue%20dependency%3A%28business_logic.users.%2A%29%20&deprecated=hide&groupBy=none&sort=rule_name [3]: https://app.datadoghq.com/security/configuration/asm/rules?query=type%3Aapplication_security%20defaultRule%3Atrue%20dependency%3A%28business_logic.users.%2A%29%20&deprecated=hide&groupBy=none&sort=rule_name [4]: https://docs.datadoghq.com/agent/remote_config/?tab=configurationyamlfile#enabling-remote-configuration diff --git a/content/en/security/application_security/_index.md b/content/en/security/application_security/_index.md index aa441a0e3abe2..c6e47ea005364 100644 --- a/content/en/security/application_security/_index.md +++ b/content/en/security/application_security/_index.md @@ -8,7 +8,7 @@ aliases: - /security/application_security/enabling - /security/application_security/getting_started further_reading: -- link: "/security/application_security/how-appsec-works/" +- link: "/security/application_security/how-it-works/" tag: "Documentation" text: "How App and API Protection Works" - link: "/security/application_security/threats/" @@ -82,7 +82,7 @@ For information on disabling AAP or its features, see the following: [1]: /tracing/ [2]: /agent/ -[3]: /security/application_security/how-appsec-works/ +[3]: /security/application_security/how-it-works/ [4]: /security/default_rules/?category=cat-application-security [6]: https://app.datadoghq.com/security [7]: https://dashcon.io/appsec diff --git a/content/en/security/application_security/api-inventory/_index.md b/content/en/security/application_security/api-inventory/_index.md index 24c74b593488e..197b7d354f6b7 100644 --- a/content/en/security/application_security/api-inventory/_index.md +++ b/content/en/security/application_security/api-inventory/_index.md @@ -26,7 +26,7 @@ Using the API Security Inventory you can: - See which endpoints are at risk, and pivot directly into the [Threat Monitoring and Protection][2] service for further investigation or response. - See which endpoints are associated to your business's logic, and find business logic suggestions based on your endpoint's traffic history. -{{< img src="security/application_security/api/api_endpoints_revamp.png" alt="API Security Inventory main page">}} + ## Configuration diff --git a/content/en/security/application_security/exploit-prevention.md b/content/en/security/application_security/exploit-prevention.md index 2d4dfab1ee92f..72975597e6deb 100644 --- a/content/en/security/application_security/exploit-prevention.md +++ b/content/en/security/application_security/exploit-prevention.md @@ -75,16 +75,16 @@ AAP Exploit Prevention intercepts all SQL queries to determine if a user paramet 2. If you have applied a Datadog managed policy to your services, then follow these steps: a. Clone the policy. For example, you can use the **Managed - Block attack tools** policy. - {{< img src="security/application_security/threats/clone-policy.png" alt="Clone the policy" width="100%" >}} + b. Add a policy name and description. - {{< img src="security/application_security/threats/clone-policy-modal.png" alt="Clone the policy" width="100%" >}} + c. Click on the policy you created and select the **Local File Inclusion** ruleset. Enable blocking for the **Local File Inclusion exploit** rule. - {{< img src="security/application_security/threats/local-file-inclusion.png" alt="Local File Inclusion" width="100%" >}} + d. Similarly, select the **Server-side Request Forgery** ruleset and enable blocking for the **Server-side request forgery** exploit rule. - {{< img src="security/application_security/threats/server-side-request-forgery.png" alt="Server-side Request Forgery exploit" width="100%" >}} + 3. If you have applied a custom policy for your services, you can skip Steps 2.a and 2.b for cloning a policy and directly set the Exploit Prevention rules in **blocking** mode (Steps 2.c and 2.d). @@ -92,17 +92,17 @@ AAP Exploit Prevention intercepts all SQL queries to determine if a user paramet After you have enabled Exploit Prevention, if AAP detects an exploit attempt, it proceeds to block that request. Exploit Prevention detections are always accompanied by stack traces, which provide full visibility of where the vulnerability lies in your code, ensuring a clear path to remediation. -{{< img src="security/application_security/threats/exploit-prevention-detection.png" alt="Exploit Prevention detection" width="100%" >}} + In addition, AAP also generates a signal correlating all the blocked traces and isolating the attacker IP addresses that are targeting your service(s). You can take action by blocking all attacking IPs. -{{< img src="security/application_security/threats/signal-correlating-blocked-traces.png" alt="Your image description" width="100%" >}} + ## Further Reading {{< partial name="whats-next/whats-next.html" >}} -[1]: /security/application_security/threats/setup +[1]: /security/application_security/setup [2]: /agent/remote_config/?tab=configurationyamlfile#enabling-remote-configuration [3]: /tracing/trace_collection/automatic_instrumentation/dd_libraries/go/#overview [4]: https://app.datadoghq.com/security/appsec/in-app-waf diff --git a/content/en/security/application_security/guide/manage_account_theft_appsec.md b/content/en/security/application_security/guide/manage_account_theft_appsec.md index 3628bbf40a746..fe7bfe7e97e12 100644 --- a/content/en/security/application_security/guide/manage_account_theft_appsec.md +++ b/content/en/security/application_security/guide/manage_account_theft_appsec.md @@ -707,17 +707,17 @@ This is general guidance. Depending on your applications and environments, there [1]: /security/account_takeover_protection/ [2]: https://app.datadoghq.com/services?query=service%3Auser-auth&env=%2A&fromUser=false&hostGroup=%2A&lens=Security&sort=-fave%2C-team&start=1735636008863&end=1735639608863 -[3]: /security/application_security/threats/setup/compatibility/ +[3]: /security/application_security/setup/compatibility/ [4]: /agent/remote_config/?tab=configurationyamlfile [5]: https://app.datadoghq.com/security/appsec/onboarding [6]: https://app.datadoghq.com/security/appsec/traces?query=&agg_m=count&agg_m_source=base&agg_t=count&fromUser=false&track=appsecspan&start=1735036043639&end=1735640843639&paused=false -[7]: /security/application_security/threats/setup/threat_detection/ +[7]: /security/application_security/setup/threat_detection/ [8]: https://app.datadoghq.com/security/appsec/traces?query=%40appsec.security_activity%3Abusiness_logic.users.login.%2A&agg_m=count&agg_m_source=base&agg_t=count&fromUser=false&track=appsecspan&start=1735036164646&end=1735640964646&paused=false -[9]: /security/application_security/threats/add-user-info/?tab=set_user#disabling-user-activity-event-tracking -[10]: /security/application_security/threats/add-user-info/?tab=set_user#adding-business-logic-information-login-success-login-failure-any-business-logic-to-traces +[9]: /security/application_security/how-it-works/add-user-info/?tab=set_user#disabling-user-activity-event-tracking +[10]: /security/application_security/how-it-works/add-user-info/?tab=set_user#adding-business-logic-information-login-success-login-failure-any-business-logic-to-traces [11]: /agent/remote_config/?tab=configurationyamlfile [12]: https://app.datadoghq.com/organization-settings/remote-config?resource_type=agents -[13]: /security/application_security/threats/add-user-info/?tab=set_user#tracking-business-logic-information-without-modifying-the-code +[13]: /security/application_security/how-it-works/add-user-info/?tab=set_user#tracking-business-logic-information-without-modifying-the-code [14]: https://app.datadoghq.com/security/appsec/threat [15]: /security/account_takeover_protection/#attacker-strategies [16]: https://app.datadoghq.com/security/appsec/detection-rules?query=type%3Aapplication_security%20tag%3A%22category%3Aaccount_takeover%22&deprecated=hide&groupBy=none&sort=date&viz=rules diff --git a/content/en/security/application_security/guide/standalone_application_security.md b/content/en/security/application_security/guide/standalone_application_security.md index 5eb063994a59f..370e2eb7347be 100644 --- a/content/en/security/application_security/guide/standalone_application_security.md +++ b/content/en/security/application_security/guide/standalone_application_security.md @@ -41,6 +41,6 @@ For Code Security, add the `DD_APM_TRACING_ENABLED=false DD_IAST_ENABLED=true` e [1]: /security/workload_protection/ [2]: /security/application_security/code_security/ [3]: /tracing/ -[4]: /security/application_security/threats/setup/ +[4]: /security/application_security/setup/ [5]: /security/application_security/code_security/setup/ [6]: /agent/ diff --git a/content/en/security/application_security/how-it-works/_index.md b/content/en/security/application_security/how-it-works/_index.md index 00ba94337840d..e39e1a6d5bfb4 100644 --- a/content/en/security/application_security/how-it-works/_index.md +++ b/content/en/security/application_security/how-it-works/_index.md @@ -136,7 +136,7 @@ Datadog App and API Protection identifies Log4j Log4Shell attack payloads and pr [15]: https://app.datadoghq.com/security/appsec/vm/library [16]: /security/cloud_siem/ [17]: /security/application_security/threats/library_configuration/#data-security-considerations -[25]: /security/application_security/threats/add-user-info#adding-business-logic-information-login-success-login-failure-any-business-logic-to-traces +[25]: /security/application_security/how-it-works/add-user-info#adding-business-logic-information-login-success-login-failure-any-business-logic-to-traces [26]: /agent/remote_config/#enabling-remote-configuration [27]: /software_catalog/endpoints/ [28]: /security/code_security/iast/ diff --git a/content/en/security/application_security/how-it-works/add-user-info.md b/content/en/security/application_security/how-it-works/add-user-info.md index ecd68df0d1d5e..0cd453d8aeb66 100644 --- a/content/en/security/application_security/how-it-works/add-user-info.md +++ b/content/en/security/application_security/how-it-works/add-user-info.md @@ -35,7 +35,7 @@ The custom user activity for which out-of-the-box detection rules are available ## Adding authenticated user information to traces and enabling user blocking capability
    -Automated Detection of User Activity: Datadog Tracing Libraries attempt to detect and report user activity events automatically. For more information, see Disabling automatic user activity event tracking. +Automated Detection of User Activity: Datadog Tracing Libraries attempt to detect and report user activity events automatically. For more information, see Disabling automatic user activity event tracking.
    You can [add custom tags to your root span][3], or use the instrumentation functions described below. @@ -730,7 +730,7 @@ If your service has AAP enabled and [Remote Configuration][1] enabled, you can c To get started, navigate to the [Custom WAF Rule page][2] and click on "Create New Rule". -{{< img src="security/application_security/threats/custom-waf-rule-menu.png" alt="Access the Custom WAF Rule Menu from the AAP homepage by clicking on Protection, then In-App WAF and Custom Rules" style="width:100%;" >}} + This will open a menu in which you may define your custom WAF rule. By selecting the "Business Logic" category, you will be able to configure an event type (for instance, `users.password_reset`). You can then select the service you want to track, and a specific endpoint. You may also use the rule condition to target a specific parameter to identify the codeflow you want to _instrument_. When the condition matches, the library tags the trace and flags it to be forwarded to AAP. If you don't need the condition, you may set a broad condition to match everything. diff --git a/content/en/security/application_security/how-it-works/threat-intelligence.md b/content/en/security/application_security/how-it-works/threat-intelligence.md index 012bf45315850..c6a3575394708 100644 --- a/content/en/security/application_security/how-it-works/threat-intelligence.md +++ b/content/en/security/application_security/how-it-works/threat-intelligence.md @@ -89,7 +89,7 @@ On a new [references table][4] page: 4. Save the table. 5. In [Threat Intel][5], locate the new table, and then select the toggle to enable it. - {{< img src="/security/application_security/threats/threat_intel/threat_intel_ref_table_enabled.png" alt="Enabled reference table" style="width:100%;" >}} + #### Using cloud storage @@ -139,7 +139,7 @@ To join a trace with a Reference Table: 4. In **where field**, select the Datadog traces field to use for the join. 5. In **column**, select the Reference Table field to use for the join. -{{< img src="security/application_security/threats/threat_intel/threat_intel_ref_join.png" alt="Your image description" style="width:100%;" >}} + ### Enriching traces for detection rules @@ -151,11 +151,11 @@ Enriching traces includes the threat intelligence attributes in AAP traces when When viewing the traces in the AAP Traces Explorer, you can see threat intelligence data under the `@appsec` attribute. The `category` and `security_activity` attributes are both set. -{{< img src="security/application_security/threats/threat_intel/threat_intel_appsec.png" alt="Example of the appsec attribute containing threat intelligence data">}} + -Under `@threat_intel.results` you can always see the full details of what was matched from which source: +Under `@threat_intel.results` you can always see the full details of what was matched from which source. - {{< img src="security/application_security/threats/threat_intel/threat_intel_generic.png" alt="Example of the threat_intel attribute containing threat intelligence data">}} + ## Further Reading diff --git a/content/en/security/application_security/how-it-works/trace_qualification.md b/content/en/security/application_security/how-it-works/trace_qualification.md index b9942a3260d11..25f829333053e 100644 --- a/content/en/security/application_security/how-it-works/trace_qualification.md +++ b/content/en/security/application_security/how-it-works/trace_qualification.md @@ -5,7 +5,7 @@ further_reading: - link: "/security/application_security/" tag: "Documentation" text: "Protect against threats with Datadog App and API Protection" -- link: "/security/application_security/how-appsec-works//" +- link: "/security/application_security/how-it-works//" tag: "Documentation" text: "How App and API Protection Works" --- @@ -16,7 +16,6 @@ App and API Protection (AAP) provides observability into application-level attac Filter by the **Qualification** facet in the AAP [Traces Explorer][1] to view the possible qualification results: -{{< img src="security/application_security/threats/trace_qualification/trace-qualification-traces_2.png" alt="AAP trace list with the qualification facet showing the possible qualification results">}} ## Qualification outcomes @@ -34,11 +33,9 @@ AAP runs qualification rules (closed-source) on every trace. There are four poss The qualification result can also be seen when viewing the details of an individual trace.
    Example of a trace that AAP has qualified as safe: -{{< img src="security/application_security/threats/trace_qualification/trace-none-successful_3.png" alt="AAP trace qualified as safe">}} Example of a trace that AAP has qualified as harmful: -{{< img src="security/application_security/threats/trace_qualification/trace-harmful_2.png" alt="AAP trace qualified as harmful">}} [1]: https://app.datadoghq.com/security/appsec/traces ## Further Reading diff --git a/content/en/security/application_security/overview/_index.md b/content/en/security/application_security/overview/_index.md index 635038bd05513..12964eb7b9771 100644 --- a/content/en/security/application_security/overview/_index.md +++ b/content/en/security/application_security/overview/_index.md @@ -4,7 +4,7 @@ aliases: - /security/application_security/threats/threat-overview --- -{{< img src="security/application_security/threats/appsec-threat-overview-page-top.png" alt="Screenshot of the AAP Attack Summary page" >}} + The AAP **Attack Summary** provides a quick view of your application and API posture. It highlights trends, service exposure, attack traffic, and the impact on business logic. You can pivot from widgets to their related traces. diff --git a/content/en/security/application_security/policies/_index.md b/content/en/security/application_security/policies/_index.md index 0fdd65115a8de..098a8d2c3c1a8 100644 --- a/content/en/security/application_security/policies/_index.md +++ b/content/en/security/application_security/policies/_index.md @@ -64,7 +64,7 @@ Manage In-App WAF by navigating to Security --> App and API Protection --> Confi View blocked security traces in the [Trace Explorer][11] by filtering on the facet `Blocked:true`. -{{< img src="security/application_security/app_sec_blocked.png" alt="AAP Trace Explorer filtered using facet Blocked set to true." style="width:100%;" >}} + ### Configure In-App WAF @@ -100,10 +100,10 @@ As important as it is for you to be able to apply protection granularly and redu {{< partial name="whats-next/whats-next.html" >}} -[1]: /security/application_security/threats/setup/ +[1]: /security/application_security/setup/ [2]: /agent/remote_config/#enabling-remote-configuration [3]: /agent/versions/upgrade_between_agent_minor_versions -[4]: /security/application_security/threats/add-user-info/#adding-authenticated-user-information-to-traces-and-enabling-user-blocking-capability +[4]: /security/application_security/how-it-works/add-user-info/#adding-authenticated-user-information-to-traces-and-enabling-user-blocking-capability [5]: https://app.datadoghq.com/security?query=%40workflow.rule.type%3A%22Application%20Security%22&column=time&order=desc&product=appsec&view=signal [6]: https://app.datadoghq.com/security/appsec/traces?query=%40appsec.blocked%3Atrue [7]: https://app.datadoghq.com/security/appsec/denylist @@ -111,9 +111,9 @@ As important as it is for you to be able to apply protection granularly and redu [9]: https://app.datadoghq.com/security/appsec/in-app-waf [10]: /security/application_security/threats/inapp_waf_rules/ [11]: https://app.datadoghq.com/security/appsec/traces -[12]: /security/application_security/threats/setup/compatibility/ +[12]: /security/application_security/setup/compatibility/ [14]: https://app.datadoghq.com/security/appsec/detection-rules -[15]: /security/application_security/threats/add-user-info/?tab=set_user#adding-authenticated-user-information-to-traces-and-enabling-user-blocking-capability +[15]: /security/application_security/how-it-works/add-user-info/?tab=set_user#adding-authenticated-user-information-to-traces-and-enabling-user-blocking-capability [16]: https://app.datadoghq.com/security/appsec/in-app-waf?config_by=custom-responses [17]: https://docs.datadoghq.com/service_management/workflows/ [18]: https://app.datadoghq.com/workflow/blueprints?selected_category=SECURITY diff --git a/content/en/security/application_security/policies/custom_rules.md b/content/en/security/application_security/policies/custom_rules.md index 55d3bf197dff3..8a6b08570e887 100644 --- a/content/en/security/application_security/policies/custom_rules.md +++ b/content/en/security/application_security/policies/custom_rules.md @@ -115,6 +115,6 @@ Use the **Tag resulting signals** dropdown menu to add tags to your signals. For [4]: /monitors/notify/?tab=is_alert#integrations [5]: /security/notifications/variables/ [6]: /security/notifications/variables/#template-variables -[7]: /security/application_security/threats/add-user-info/?tab=set_user#adding-business-logic-information-login-success-login-failure-any-business-logic-to-traces -[8]: /security/application_security/threats/add-user-info/?tab=set_user#disabling-automatic-user-activity-event-tracking +[7]: /security/application_security/how-it-works/add-user-info/?tab=set_user#adding-business-logic-information-login-success-login-failure-any-business-logic-to-traces +[8]: /security/application_security/how-it-works/add-user-info/?tab=set_user#disabling-automatic-user-activity-event-tracking diff --git a/content/en/security/application_security/security_signals/_index.md b/content/en/security/application_security/security_signals/_index.md index 0648523c639d3..0379b60188b98 100644 --- a/content/en/security/application_security/security_signals/_index.md +++ b/content/en/security/application_security/security_signals/_index.md @@ -4,10 +4,10 @@ further_reading: - link: "/security/default_rules/?category=cat-application-security#cat-application-security" tag: "Documentation" text: "Explore AAP threat detection OOTB rules" - - link: "/security/application_security/threats/custom_rules/" + - link: "/security/application_security/policies/custom_rules/" tag: "Documentation" text: "Configure custom AAP threat detection rules" - - link: "/security/application_security/threats/threat-intelligence/" + - link: "/security/application_security/how-it-works/threat-intelligence/" tag: "Documentation" text: "AAP threat intelligence" --- @@ -16,7 +16,7 @@ further_reading: AAP security signals are created when Datadog detects a threat based on a detection rule. View, search, filter, and investigate security signals in the [Signals Explorer][2], or configure [Notification Rules][8] to send signals to third-party tools. -{{< img src="security/application_security/threats/security_signals/appsec-threat-signals.png" alt="Overview of investigating threats in signals explorer with details side panel">}} + ## Signals Explorer columns @@ -155,5 +155,5 @@ To see all of the saved views, click **Views** next to the **Signals Explorer** [7]: https://app.datadoghq.com/security/appsec? [8]: /security/notifications/rules/ [9]: /account_management/rbac/permissions/#cloud-security-platform -[10]: /security/application_security/threats/protection/#respond-to-threats-in-real-time-by-automating-attacker-blocking -[11]: /security/application_security/threats/protection/#blocking-attack-attempts-with-in-app-waf \ No newline at end of file +[10]: /security/application_security/policies/#respond-to-threats-in-real-time-by-automating-attacker-blocking +[11]: /security/application_security/policies/#blocking-attack-attempts-with-in-app-waf \ No newline at end of file diff --git a/content/en/security/application_security/security_signals/attacker-explorer.md b/content/en/security/application_security/security_signals/attacker-explorer.md index 423d4603cd23a..a4daf05355dac 100644 --- a/content/en/security/application_security/security_signals/attacker-explorer.md +++ b/content/en/security/application_security/security_signals/attacker-explorer.md @@ -2,7 +2,7 @@ title: Attacker Explorer disable_toc: false further_reading: -- link: "/security/application_security/threats/protection" +- link: "/security/application_security/policies" tag: "Documentation" text: "Protection" --- @@ -29,7 +29,7 @@ To understand the difference between the different explorers, review these appro - **Protect:** Automated blocking using AAP Protection configuration. Customers should block attack tools as their first automated blocking action. Blocking attack tools reduces common vulnerability discovery for OWASP threats such as SQLi, command injection, and SSRF. - **Reactive:** Blocking using Signals or Attackers explorer in response to observed threats. -{{< img src="security/application_security/threats/attacker-explorer/attacker_explorer_nav.png" alt="Screenshot of the AAP Attacker Explorer navigation" >}} + Each explorer focuses on a specific use case: @@ -46,7 +46,7 @@ Each explorer focuses on a specific use case: To start reviewing attackers, go to [Attacker Explorer][1]. -{{< img src="security/application_security/threats/attacker-explorer/attacker_explorer_default_view2.png" alt="AAP Attacker Explorer" >}} + There are two sections to the Attacker Explorer: @@ -58,7 +58,7 @@ There are two sections to the Attacker Explorer: Click on any row to view the history and attributes of the IP. -{{< img src="security/application_security/threats/attacker-explorer/ip_drawer.png" alt="Investigate and IP address with AAP Attacker Explorer" >}} + IPs can be blocked or added to the Passlist from the IP drawer. diff --git a/content/en/security/application_security/security_signals/attacker_clustering.md b/content/en/security/application_security/security_signals/attacker_clustering.md index aad20824db674..d25bbf3118ef5 100644 --- a/content/en/security/application_security/security_signals/attacker_clustering.md +++ b/content/en/security/application_security/security_signals/attacker_clustering.md @@ -2,10 +2,10 @@ title: Attacker Clustering disable_toc: false further_reading: -- link: "/security/application_security/threats/attacker_fingerprint" +- link: "/security/application_security/security_signals/attacker_fingerprint" tag: "Documentation" text: "Attacker Fingerprint" -- link: "/security/application_security/threats/threat-intelligence/" +- link: "/security/application_security/how-it-works/threat-intelligence/" tag: "Documentation" text: "Threat Intelligence" - link: "/security/application_security/threats/event_rules" @@ -71,8 +71,8 @@ The attacker clustering attributes selected are then shown as regular expression {{< partial name="whats-next/whats-next.html" >}} -[1]: /security/application_security/threats/threat-intelligence/ -[2]: /security/application_security/threats/attacker_fingerprint +[1]: /security/application_security/how-it-works/threat-intelligence/ +[2]: /security/application_security/security_signals/attacker_fingerprint [3]: /security/application_security/threats/event_rules [4]: /security/workload_protection/security_signals/ [5]: /tracing/trace_collection/library_config/ diff --git a/content/en/security/application_security/security_signals/attacker_fingerprint.md b/content/en/security/application_security/security_signals/attacker_fingerprint.md index cf8463cf8aa70..72a6b05b196d3 100644 --- a/content/en/security/application_security/security_signals/attacker_fingerprint.md +++ b/content/en/security/application_security/security_signals/attacker_fingerprint.md @@ -2,7 +2,7 @@ title: Attacker Fingerprint disable_toc: false further_reading: -- link: "/security/application_security/threats/attacker_clustering" +- link: "/security/application_security/security_signals/attacker_clustering" tag: "Documentation" text: "Attacker Clustering" --- @@ -61,7 +61,7 @@ The network identifier fragment provides information about the network part of t Fragments can be used as filters in the AAP Traces explorer by filtering on the desired fingerprint field. For example: `@appsec.fingerprint.header.ua_hash:e462fa45` will filter on all requests that have the same user agent hash. -{{< img src="security/application_security/threats/attacker-fingerprint-trace.png" alt="Screenshot of an AAP trace with attacker fingerprint in the trace side panel" >}} + Attacker fingerprints are used in the [Attacker Clustering][1] feature. If a significant portion of your traffic presents the same fingerprint attributes, attacker clustering will show it has a common attack attribute. @@ -70,4 +70,4 @@ Attacker fingerprints are used in the [Attacker Clustering][1] feature. If a sig {{< partial name="whats-next/whats-next.html" >}} -[1]: /security/application_security/threats/attacker_clustering +[1]: /security/application_security/security_signals/attacker_clustering diff --git a/content/en/security/application_security/serverless/_index.md b/content/en/security/application_security/serverless/_index.md index ff00637782e74..a31c3c516ba12 100644 --- a/content/en/security/application_security/serverless/_index.md +++ b/content/en/security/application_security/serverless/_index.md @@ -4,7 +4,7 @@ aliases: - /security/application_security/getting_started/serverless - /security/application_security/enabling/serverless further_reading: - - link: "/security/application_security/how-appsec-works/" + - link: "/security/application_security/how-it-works/" tag: "Documentation" text: "How App and API Protection Works" - link: "/security/default_rules/?category=cat-application-security" diff --git a/content/en/security/application_security/setup/_index.md b/content/en/security/application_security/setup/_index.md index 9c8968b6da440..d1aebc9d64a9e 100644 --- a/content/en/security/application_security/setup/_index.md +++ b/content/en/security/application_security/setup/_index.md @@ -16,6 +16,6 @@ Add an environment variable or a new argument to your [Datadog Tracing Library c By following these steps, you'll successfully set up Threat Management for your application or service, monitoring services that are under attack and protecting them against attacks. -[1]: /security/application_security/threats/setup/compatibility -[3]: /security/application_security/threats/setup/threat_detection +[1]: /security/application_security/setup/compatibility +[3]: /security/application_security/setup/threat_detection [4]: /agent/ \ No newline at end of file diff --git a/content/en/security/application_security/setup/compatibility/_index.md b/content/en/security/application_security/setup/compatibility/_index.md index 2280b6c7840aa..6ecb5d02fe499 100644 --- a/content/en/security/application_security/setup/compatibility/_index.md +++ b/content/en/security/application_security/setup/compatibility/_index.md @@ -5,7 +5,7 @@ further_reading: - link: "/security/application_security/troubleshooting" tag: "Documentation" text: "Troubleshooting App and API Protection" -- link: "/security/application_security/how-appsec-works/" +- link: "/security/application_security/how-it-works/" tag: "Documentation" text: "How App and API Protection Works in Datadog" --- diff --git a/content/en/security/application_security/setup/compatibility/envoy.md b/content/en/security/application_security/setup/compatibility/envoy.md index 2a18870400f73..de18e946686f7 100644 --- a/content/en/security/application_security/setup/compatibility/envoy.md +++ b/content/en/security/application_security/setup/compatibility/envoy.md @@ -30,4 +30,4 @@ the unsupported capabilities, let us know! Fill out this short form to send details. -[1]: /security/application_security/threats/setup/threat_detection/envoy +[1]: /security/application_security/setup/threat_detection/envoy diff --git a/content/en/security/application_security/setup/compatibility/gcp-service-extensions.md b/content/en/security/application_security/setup/compatibility/gcp-service-extensions.md index 977cbbc031465..edcfc77e81956 100644 --- a/content/en/security/application_security/setup/compatibility/gcp-service-extensions.md +++ b/content/en/security/application_security/setup/compatibility/gcp-service-extensions.md @@ -28,4 +28,4 @@ the unsupported capabilities, let us know! Fill out this short form to send details. -[1]: /security/application_security/threats/setup/threat_detection/gcp-service-extensions +[1]: /security/application_security/setup/threat_detection/gcp-service-extensions diff --git a/content/en/security/application_security/setup/compatibility/nginx.md b/content/en/security/application_security/setup/compatibility/nginx.md index 86d897593f019..f952961dd26cc 100644 --- a/content/en/security/application_security/setup/compatibility/nginx.md +++ b/content/en/security/application_security/setup/compatibility/nginx.md @@ -32,4 +32,4 @@ the unsupported capabilities, let us know! Fill out this short form to send details. -[1]: /security/application_security/threats/setup/threat_detection/nginx/ +[1]: /security/application_security/setup/threat_detection/nginx/ diff --git a/content/en/security/application_security/setup/standalone/_index.md b/content/en/security/application_security/setup/standalone/_index.md index 796284cc8d07b..ff42cc1adfd67 100644 --- a/content/en/security/application_security/setup/standalone/_index.md +++ b/content/en/security/application_security/setup/standalone/_index.md @@ -14,7 +14,7 @@ further_reading: - link: "/security/application_security/troubleshooting" tag: "Documentation" text: "Troubleshooting Application & API Protection" -- link: "/security/application_security/how-appsec-works/" +- link: "/security/application_security/how-it-works/" tag: "Documentation" text: "How Application & API Protection Works in Datadog" --- @@ -44,6 +44,6 @@ Select your application language for details on how to enable Application & API {{< partial name="whats-next/whats-next.html" >}} -[1]: /security/application_security/threats/setup/compatibility +[1]: /security/application_security/setup/compatibility [2]: /agent/ [3]: /security/application_security/guide/standalone_application_security/ diff --git a/content/en/security/application_security/setup/standalone/dotnet.md b/content/en/security/application_security/setup/standalone/dotnet.md index 0aa3bcfd5a235..f230543098dda 100644 --- a/content/en/security/application_security/setup/standalone/dotnet.md +++ b/content/en/security/application_security/setup/standalone/dotnet.md @@ -210,6 +210,6 @@ ENV DD_APM_TRACING_ENABLED=false {{< partial name="whats-next/whats-next.html" >}} [1]: https://github.com/DataDog/dd-trace-dotnet/releases/latest -[2]: /security/application_security/threats/setup/compatibility/dotnet/ +[2]: /security/application_security/setup/compatibility/dotnet/ [3]: /agent/versions/upgrade_between_agent_minor_versions/ -[4]: /security/application_security/threats/setup/compatibility/ +[4]: /security/application_security/setup/compatibility/ diff --git a/content/en/security/application_security/setup/standalone/go.md b/content/en/security/application_security/setup/standalone/go.md index 459471d238f12..17af54f6a86a4 100644 --- a/content/en/security/application_security/setup/standalone/go.md +++ b/content/en/security/application_security/setup/standalone/go.md @@ -127,5 +127,5 @@ Update your application's ECS task definition JSON file, by adding these in the {{< partial name="whats-next/whats-next.html" >}} -[1]: /security/application_security/threats/setup/compatibility/go/#web-framework-compatibility -[2]: /security/application_security/threats/setup/compatibility/go/ +[1]: /security/application_security/setup/compatibility/go/#web-framework-compatibility +[2]: /security/application_security/setup/compatibility/go/ diff --git a/content/en/security/application_security/setup/standalone/java.md b/content/en/security/application_security/setup/standalone/java.md index 573f726040b55..05652505d3607 100644 --- a/content/en/security/application_security/setup/standalone/java.md +++ b/content/en/security/application_security/setup/standalone/java.md @@ -147,8 +147,8 @@ If you need additional assistance, contact [Datadog support][5]. {{< partial name="whats-next/whats-next.html" >}} [1]: https://github.com/DataDog/dd-trace-java/releases -[2]: /security/application_security/threats/setup/compatibility/java/ -[3]: /security/application_security/threats/setup/compatibility/java/ +[2]: /security/application_security/setup/compatibility/java/ +[3]: /security/application_security/setup/compatibility/java/ [4]: https://app.datadoghq.com/security/appsec/vm [5]: /help [6]: /agent/versions/upgrade_between_agent_minor_versions/ diff --git a/content/en/security/application_security/setup/standalone/nodejs.md b/content/en/security/application_security/setup/standalone/nodejs.md index 37fe046457b91..5506fdc11c7b6 100644 --- a/content/en/security/application_security/setup/standalone/nodejs.md +++ b/content/en/security/application_security/setup/standalone/nodejs.md @@ -164,8 +164,8 @@ If you need additional assistance, contact [Datadog support][6]. {{< partial name="whats-next/whats-next.html" >}} [1]: https://github.com/DataDog/dd-trace-js/blob/master/MIGRATING.md -[2]: /security/application_security/threats/setup/threat_detection/nodejs -[3]: /security/application_security/threats/setup/threat_detection/nodejs +[2]: /security/application_security/setup/threat_detection/nodejs +[3]: /security/application_security/setup/threat_detection/nodejs [4]: /agent/versions/upgrade_between_agent_minor_versions/ [5]: https://app.datadoghq.com/security/appsec/vm [6]: /help diff --git a/content/en/security/application_security/setup/standalone/php.md b/content/en/security/application_security/setup/standalone/php.md index 0598871e181e1..d0a8c45a47488 100644 --- a/content/en/security/application_security/setup/standalone/php.md +++ b/content/en/security/application_security/setup/standalone/php.md @@ -106,4 +106,4 @@ Update your ECS task definition JSON file, by adding these in the environment se {{< partial name="whats-next/whats-next.html" >}} -[1]: /security/application_security/threats/setup/compatibility/php/ +[1]: /security/application_security/setup/compatibility/php/ diff --git a/content/en/security/application_security/setup/standalone/python.md b/content/en/security/application_security/setup/standalone/python.md index 93746cc7d9282..480bf17d301ea 100644 --- a/content/en/security/application_security/setup/standalone/python.md +++ b/content/en/security/application_security/setup/standalone/python.md @@ -119,4 +119,4 @@ You can monitor the security of your Python apps running in Docker, Kubernetes, {{< partial name="whats-next/whats-next.html" >}} -[1]: /security/application_security/threats/setup/compatibility/php/ +[1]: /security/application_security/setup/compatibility/php/ diff --git a/content/en/security/application_security/setup/standalone/ruby.md b/content/en/security/application_security/setup/standalone/ruby.md index 81b0e597e8f3d..6237a68ee18d2 100644 --- a/content/en/security/application_security/setup/standalone/ruby.md +++ b/content/en/security/application_security/setup/standalone/ruby.md @@ -228,6 +228,6 @@ env DD_APPSEC_ENABLED=true DD_APM_TRACING_ENABLED=false rails server {{< partial name="whats-next/whats-next.html" >}} -[1]: /security/application_security/threats/setup/compatibility/ruby/ +[1]: /security/application_security/setup/compatibility/ruby/ [2]: https://github.com/DataDog/dd-trace-rb/blob/master/docs/UpgradeGuide2.md [3]: /tracing/trace_collection/dd_libraries/ruby/ diff --git a/content/en/security/application_security/setup/threat_detection/_index.md b/content/en/security/application_security/setup/threat_detection/_index.md index e13f9fdf32df8..e12a6fe23db7b 100644 --- a/content/en/security/application_security/setup/threat_detection/_index.md +++ b/content/en/security/application_security/setup/threat_detection/_index.md @@ -17,7 +17,7 @@ further_reading: - link: "/security/application_security/troubleshooting" tag: "Documentation" text: "Troubleshooting App and API Protection" -- link: "/security/application_security/how-appsec-works/" +- link: "/security/application_security/how-it-works/" tag: "Documentation" text: "How App and API Protection Works in Datadog" --- @@ -37,4 +37,4 @@ Select your application language for details on how to enable AAP Threat Detecti {{< partial name="whats-next/whats-next.html" >}} -[1]: /security/application_security/threats/setup/compatibility +[1]: /security/application_security/setup/compatibility diff --git a/content/en/security/application_security/setup/threat_detection/dotnet.md b/content/en/security/application_security/setup/threat_detection/dotnet.md index e72aa98123f2b..79501e024cc82 100644 --- a/content/en/security/application_security/setup/threat_detection/dotnet.md +++ b/content/en/security/application_security/setup/threat_detection/dotnet.md @@ -196,6 +196,6 @@ ENV DD_APPSEC_ENABLED=true {{< partial name="whats-next/whats-next.html" >}} [1]: https://github.com/DataDog/dd-trace-dotnet/releases/latest -[2]: /security/application_security/threats/setup/compatibility/dotnet/ +[2]: /security/application_security/setup/compatibility/dotnet/ [3]: /agent/versions/upgrade_between_agent_minor_versions/ -[4]: /security/application_security/threats/setup/compatibility/ +[4]: /security/application_security/setup/compatibility/ diff --git a/content/en/security/application_security/setup/threat_detection/go.md b/content/en/security/application_security/setup/threat_detection/go.md index b8997daacd65a..aff852ccbcc59 100644 --- a/content/en/security/application_security/setup/threat_detection/go.md +++ b/content/en/security/application_security/setup/threat_detection/go.md @@ -120,5 +120,5 @@ Update your application's ECS task definition JSON file, by adding this in the e {{< partial name="whats-next/whats-next.html" >}} -[1]: /security/application_security/threats/setup/compatibility/go/#web-framework-compatibility -[2]: /security/application_security/threats/setup/compatibility/go/ +[1]: /security/application_security/setup/compatibility/go/#web-framework-compatibility +[2]: /security/application_security/setup/compatibility/go/ diff --git a/content/en/security/application_security/setup/threat_detection/java.md b/content/en/security/application_security/setup/threat_detection/java.md index 74822efada61e..dfd270d95d1ce 100644 --- a/content/en/security/application_security/setup/threat_detection/java.md +++ b/content/en/security/application_security/setup/threat_detection/java.md @@ -139,8 +139,8 @@ If you need additional assistance, contact [Datadog support][5]. {{< partial name="whats-next/whats-next.html" >}} [1]: https://github.com/DataDog/dd-trace-java/releases -[2]: /security/application_security/threats/setup/compatibility/java/ -[3]: /security/application_security/threats/setup/compatibility/java/ +[2]: /security/application_security/setup/compatibility/java/ +[3]: /security/application_security/setup/compatibility/java/ [4]: https://app.datadoghq.com/security/appsec/vm [5]: /help [6]: /agent/versions/upgrade_between_agent_minor_versions/ diff --git a/content/en/security/application_security/setup/threat_detection/nodejs.md b/content/en/security/application_security/setup/threat_detection/nodejs.md index 14df6dbca6568..4339388118f97 100644 --- a/content/en/security/application_security/setup/threat_detection/nodejs.md +++ b/content/en/security/application_security/setup/threat_detection/nodejs.md @@ -155,8 +155,8 @@ If you need additional assistance, contact [Datadog support][6]. {{< partial name="whats-next/whats-next.html" >}} [1]: https://github.com/DataDog/dd-trace-js/blob/master/MIGRATING.md -[2]: /security/application_security/threats/setup/threat_detection/nodejs -[3]: /security/application_security/threats/setup/threat_detection/nodejs +[2]: /security/application_security/setup/threat_detection/nodejs +[3]: /security/application_security/setup/threat_detection/nodejs [4]: /agent/versions/upgrade_between_agent_minor_versions/ [5]: https://app.datadoghq.com/security/appsec/vm [6]: /help diff --git a/content/en/security/application_security/setup/threat_detection/php.md b/content/en/security/application_security/setup/threat_detection/php.md index 36b39143b1a81..166c5526e4eb2 100644 --- a/content/en/security/application_security/setup/threat_detection/php.md +++ b/content/en/security/application_security/setup/threat_detection/php.md @@ -99,4 +99,4 @@ Update your ECS task definition JSON file, by adding this in the environment sec {{< partial name="whats-next/whats-next.html" >}} -[1]: /security/application_security/threats/setup/compatibility/php/ +[1]: /security/application_security/setup/compatibility/php/ diff --git a/content/en/security/application_security/setup/threat_detection/python.md b/content/en/security/application_security/setup/threat_detection/python.md index 60819553ba2f7..1f7b6e816b383 100644 --- a/content/en/security/application_security/setup/threat_detection/python.md +++ b/content/en/security/application_security/setup/threat_detection/python.md @@ -112,4 +112,4 @@ You can monitor the security of your Python apps running in Docker, Kubernetes, {{< partial name="whats-next/whats-next.html" >}} -[1]: /security/application_security/threats/setup/compatibility/php/ +[1]: /security/application_security/setup/compatibility/php/ diff --git a/content/en/security/application_security/setup/threat_detection/ruby.md b/content/en/security/application_security/setup/threat_detection/ruby.md index ee597551c36da..200aa9ca875dc 100644 --- a/content/en/security/application_security/setup/threat_detection/ruby.md +++ b/content/en/security/application_security/setup/threat_detection/ruby.md @@ -216,6 +216,6 @@ env DD_APPSEC_ENABLED=true rails server {{< partial name="whats-next/whats-next.html" >}} -[1]: /security/application_security/threats/setup/compatibility/ruby/ +[1]: /security/application_security/setup/compatibility/ruby/ [2]: https://github.com/DataDog/dd-trace-rb/blob/master/docs/UpgradeGuide2.md [3]: /tracing/trace_collection/dd_libraries/ruby/ diff --git a/content/en/security/application_security/terms.md b/content/en/security/application_security/terms.md index abcdf072ddd8f..0c593a830971e 100644 --- a/content/en/security/application_security/terms.md +++ b/content/en/security/application_security/terms.md @@ -2,7 +2,7 @@ title: Terms and Concepts disable_toc: false further_reading: -- link: "/security/application_security/how-appsec-works" +- link: "/security/application_security/how-it-works" tag: "Documentation" text: "How App and API Protection Works" - link: "/security/application_security/threats/" @@ -151,9 +151,9 @@ Object-Graph Navigation Language Injection (OGNLi) [11]: https://app.datadoghq.com/security/appsec/exclusions [12]: /security/application_security/threats/inapp_waf_rules [13]: https://app.datadoghq.com/security?query=%40workflow.rule.type%3A%22Application%20Security%22&product=appsec&view=signal -[14]: /security/application_security/threats/add-user-info/ -[15]: /security/application_security/threats/trace_qualification/ -[16]: /security/application_security/threats/threat-intelligence/ -[17]: /security/application_security/threats/attacker-explorer/ -[18]: /security/application_security/threats/attacker_fingerprint/ -[19]: /security/application_security/threats/attacker_clustering/ +[14]: /security/application_security/how-it-works/add-user-info/ +[15]: /security/application_security/how-it-works/trace_qualification/ +[16]: /security/application_security/how-it-works/threat-intelligence/ +[17]: /security/application_security/security_signals/attacker-explorer/ +[18]: /security/application_security/security_signals/attacker_fingerprint/ +[19]: /security/application_security/security_signals/attacker_clustering/ diff --git a/content/en/security/application_security/threats/_index.md b/content/en/security/application_security/threats/_index.md index 0cec2309e9496..a03e70e5f0b6d 100644 --- a/content/en/security/application_security/threats/_index.md +++ b/content/en/security/application_security/threats/_index.md @@ -1,7 +1,7 @@ --- title: App and API Protection further_reading: -- link: "/security/application_security/threats/add-user-info/" +- link: "/security/application_security/how-it-works/add-user-info/" tag: "Documentation" text: "Tracking User Activity" - link: "/security/application_security/threats/library_configuration/" @@ -10,7 +10,7 @@ further_reading: - link: "/security/code_security/software_composition_analysis/" tag: "Documentation" text: "Software Composition Analysis" -- link: "/security/application_security/how-appsec-works/" +- link: "/security/application_security/how-it-works/" tag: "Documentation" text: "How AAP Works" --- @@ -75,12 +75,12 @@ For information on disabling threat management and protection, see [Disabling th [1]: https://app.datadoghq.com/services?lens=Security [2]: https://app.datadoghq.com/security?query=%40workflow.rule.type%3A%22Application%20Security%22&column=time&order=desc&product=appsec&viz=stream&start=1694726477747&end=1695331277747&paused=false -[4]: /security/application_security/how-appsec-works/ +[4]: /security/application_security/how-it-works/ [5]: /security/application_security/threats/inapp_waf_rules/ -[6]: /security/application_security/threats/custom_rules/ +[6]: /security/application_security/policies/custom_rules/ [7]: https://app.datadoghq.com/security/appsec? [8]: /security/workload_protection/security_signals/ -[9]: /security/application_security/threats/exploit-prevention/ +[9]: /security/application_security/exploit-prevention/ [10]: /security/default_rules/?category=cat-application-security [11]: /security/account_takeover_protection/ [12]: /security/application_security/troubleshooting/#disabling-threat-management-and-protection diff --git a/content/en/security/application_security/threats/add-user-info.md b/content/en/security/application_security/threats/add-user-info.md index ecd68df0d1d5e..74a369af191e3 100644 --- a/content/en/security/application_security/threats/add-user-info.md +++ b/content/en/security/application_security/threats/add-user-info.md @@ -35,7 +35,7 @@ The custom user activity for which out-of-the-box detection rules are available ## Adding authenticated user information to traces and enabling user blocking capability
    -Automated Detection of User Activity: Datadog Tracing Libraries attempt to detect and report user activity events automatically. For more information, see Disabling automatic user activity event tracking. +Automated Detection of User Activity: Datadog Tracing Libraries attempt to detect and report user activity events automatically. For more information, see Disabling automatic user activity event tracking.
    You can [add custom tags to your root span][3], or use the instrumentation functions described below. diff --git a/content/en/security/application_security/threats/attacker-explorer.md b/content/en/security/application_security/threats/attacker-explorer.md index 423d4603cd23a..b92315d288e00 100644 --- a/content/en/security/application_security/threats/attacker-explorer.md +++ b/content/en/security/application_security/threats/attacker-explorer.md @@ -2,7 +2,7 @@ title: Attacker Explorer disable_toc: false further_reading: -- link: "/security/application_security/threats/protection" +- link: "/security/application_security/policies" tag: "Documentation" text: "Protection" --- diff --git a/content/en/security/application_security/threats/attacker_clustering.md b/content/en/security/application_security/threats/attacker_clustering.md index aad20824db674..d25bbf3118ef5 100644 --- a/content/en/security/application_security/threats/attacker_clustering.md +++ b/content/en/security/application_security/threats/attacker_clustering.md @@ -2,10 +2,10 @@ title: Attacker Clustering disable_toc: false further_reading: -- link: "/security/application_security/threats/attacker_fingerprint" +- link: "/security/application_security/security_signals/attacker_fingerprint" tag: "Documentation" text: "Attacker Fingerprint" -- link: "/security/application_security/threats/threat-intelligence/" +- link: "/security/application_security/how-it-works/threat-intelligence/" tag: "Documentation" text: "Threat Intelligence" - link: "/security/application_security/threats/event_rules" @@ -71,8 +71,8 @@ The attacker clustering attributes selected are then shown as regular expression {{< partial name="whats-next/whats-next.html" >}} -[1]: /security/application_security/threats/threat-intelligence/ -[2]: /security/application_security/threats/attacker_fingerprint +[1]: /security/application_security/how-it-works/threat-intelligence/ +[2]: /security/application_security/security_signals/attacker_fingerprint [3]: /security/application_security/threats/event_rules [4]: /security/workload_protection/security_signals/ [5]: /tracing/trace_collection/library_config/ diff --git a/content/en/security/application_security/threats/attacker_fingerprint.md b/content/en/security/application_security/threats/attacker_fingerprint.md index cf8463cf8aa70..66d1d318e5a16 100644 --- a/content/en/security/application_security/threats/attacker_fingerprint.md +++ b/content/en/security/application_security/threats/attacker_fingerprint.md @@ -2,7 +2,7 @@ title: Attacker Fingerprint disable_toc: false further_reading: -- link: "/security/application_security/threats/attacker_clustering" +- link: "/security/application_security/security_signals/attacker_clustering" tag: "Documentation" text: "Attacker Clustering" --- @@ -70,4 +70,4 @@ Attacker fingerprints are used in the [Attacker Clustering][1] feature. If a sig {{< partial name="whats-next/whats-next.html" >}} -[1]: /security/application_security/threats/attacker_clustering +[1]: /security/application_security/security_signals/attacker_clustering diff --git a/content/en/security/application_security/threats/custom_rules.md b/content/en/security/application_security/threats/custom_rules.md index 55d3bf197dff3..8a6b08570e887 100644 --- a/content/en/security/application_security/threats/custom_rules.md +++ b/content/en/security/application_security/threats/custom_rules.md @@ -115,6 +115,6 @@ Use the **Tag resulting signals** dropdown menu to add tags to your signals. For [4]: /monitors/notify/?tab=is_alert#integrations [5]: /security/notifications/variables/ [6]: /security/notifications/variables/#template-variables -[7]: /security/application_security/threats/add-user-info/?tab=set_user#adding-business-logic-information-login-success-login-failure-any-business-logic-to-traces -[8]: /security/application_security/threats/add-user-info/?tab=set_user#disabling-automatic-user-activity-event-tracking +[7]: /security/application_security/how-it-works/add-user-info/?tab=set_user#adding-business-logic-information-login-success-login-failure-any-business-logic-to-traces +[8]: /security/application_security/how-it-works/add-user-info/?tab=set_user#disabling-automatic-user-activity-event-tracking diff --git a/content/en/security/application_security/threats/exploit-prevention.md b/content/en/security/application_security/threats/exploit-prevention.md index 4fc9323d7e18b..e09de8d2510e9 100644 --- a/content/en/security/application_security/threats/exploit-prevention.md +++ b/content/en/security/application_security/threats/exploit-prevention.md @@ -102,7 +102,7 @@ In addition, AAP also generates a signal correlating all the blocked traces and {{< partial name="whats-next/whats-next.html" >}} -[1]: /security/application_security/threats/setup +[1]: /security/application_security/setup [2]: /agent/remote_config/?tab=configurationyamlfile#enabling-remote-configuration [3]: /tracing/trace_collection/automatic_instrumentation/dd_libraries/go/#overview [4]: https://app.datadoghq.com/security/appsec/in-app-waf diff --git a/content/en/security/application_security/threats/inapp_waf_rules.md b/content/en/security/application_security/threats/inapp_waf_rules.md index ff6e39f604eba..5ffd89de6bf1b 100644 --- a/content/en/security/application_security/threats/inapp_waf_rules.md +++ b/content/en/security/application_security/threats/inapp_waf_rules.md @@ -125,5 +125,5 @@ Next, [configure detection rules to create security signals][1] based on those s [1]: /security/application_security/custom_rules/ [2]: https://app.datadoghq.com/security/appsec/in-app-waf -[3]: /security/application_security/threats/setup/ +[3]: /security/application_security/setup/ [4]: https://app.datadoghq.com/security/appsec/in-app-waf?config_by=custom-rules diff --git a/content/en/security/application_security/threats/library_configuration.md b/content/en/security/application_security/threats/library_configuration.md index 0f553f257055b..91c2db4715603 100644 --- a/content/en/security/application_security/threats/library_configuration.md +++ b/content/en/security/application_security/threats/library_configuration.md @@ -3,7 +3,7 @@ title: Library Configuration aliases: - /security_platform/application_security/setup_and_configure - /security/application_security/setup_and_configure - - /security/application_security/threats/setup_and_configure + - /security/application_security/setup_and_configure further_reading: - link: "/security/application_security/" tag: "Documentation" @@ -17,7 +17,7 @@ further_reading: - link: "/security/application_security/troubleshooting" tag: "Documentation" text: "Troubleshooting AAP" -- link: "/security/application_security/how-appsec-works/" +- link: "/security/application_security/how-it-works/" tag: "Documentation" text: "How App and API Protection Works in Datadog" --- @@ -113,8 +113,8 @@ See [Automatic user activity event tracking modes][10] for information on automa [4]: https://app.datadoghq.com/security/appsec/signals [5]: https://app.datadoghq.com/security/configuration/asm/passlist [6]: /help/ -[7]: /security/application_security/threats/add-user-info/?tab=set_user#disabling-automatic-user-activity-event-tracking +[7]: /security/application_security/how-it-works/add-user-info/?tab=set_user#disabling-automatic-user-activity-event-tracking [8]: https://app.datadoghq.com/security/configuration/asm/services-config [9]: https://github.com/google/re2/wiki/Syntax -[10]: /security/application_security/threats/add-user-info/?tab=set_user#automatic-user-activity-event-tracking-modes +[10]: /security/application_security/how-it-works/add-user-info/?tab=set_user#automatic-user-activity-event-tracking-modes diff --git a/content/en/security/application_security/threats/protection.md b/content/en/security/application_security/threats/protection.md index c03b62d6bfc95..be5d172f735d9 100644 --- a/content/en/security/application_security/threats/protection.md +++ b/content/en/security/application_security/threats/protection.md @@ -106,10 +106,10 @@ As important as it is for you to be able to apply protection granularly and redu {{< partial name="whats-next/whats-next.html" >}} -[1]: /security/application_security/threats/setup/ +[1]: /security/application_security/setup/ [2]: /agent/remote_config/#enabling-remote-configuration [3]: /agent/versions/upgrade_between_agent_minor_versions -[4]: /security/application_security/threats/add-user-info/#adding-authenticated-user-information-to-traces-and-enabling-user-blocking-capability +[4]: /security/application_security/how-it-works/add-user-info/#adding-authenticated-user-information-to-traces-and-enabling-user-blocking-capability [5]: https://app.datadoghq.com/security?query=%40workflow.rule.type%3A%22Application%20Security%22&column=time&order=desc&product=appsec&view=signal [6]: https://app.datadoghq.com/security/appsec/traces?query=%40appsec.blocked%3Atrue [7]: https://app.datadoghq.com/security/appsec/denylist @@ -117,9 +117,9 @@ As important as it is for you to be able to apply protection granularly and redu [9]: https://app.datadoghq.com/security/appsec/in-app-waf [10]: /security/application_security/threats/inapp_waf_rules/ [11]: https://app.datadoghq.com/security/appsec/traces -[12]: /security/application_security/threats/setup/compatibility/ +[12]: /security/application_security/setup/compatibility/ [14]: https://app.datadoghq.com/security/appsec/detection-rules -[15]: /security/application_security/threats/add-user-info/?tab=set_user#adding-authenticated-user-information-to-traces-and-enabling-user-blocking-capability +[15]: /security/application_security/how-it-works/add-user-info/?tab=set_user#adding-authenticated-user-information-to-traces-and-enabling-user-blocking-capability [16]: https://app.datadoghq.com/security/appsec/in-app-waf?config_by=custom-responses [17]: https://docs.datadoghq.com/service_management/workflows/ [18]: https://app.datadoghq.com/workflow/blueprints?selected_category=SECURITY diff --git a/content/en/security/application_security/threats/security_signals.md b/content/en/security/application_security/threats/security_signals.md index 0648523c639d3..98fddf16b43ad 100644 --- a/content/en/security/application_security/threats/security_signals.md +++ b/content/en/security/application_security/threats/security_signals.md @@ -4,10 +4,10 @@ further_reading: - link: "/security/default_rules/?category=cat-application-security#cat-application-security" tag: "Documentation" text: "Explore AAP threat detection OOTB rules" - - link: "/security/application_security/threats/custom_rules/" + - link: "/security/application_security/policies/custom_rules/" tag: "Documentation" text: "Configure custom AAP threat detection rules" - - link: "/security/application_security/threats/threat-intelligence/" + - link: "/security/application_security/how-it-works/threat-intelligence/" tag: "Documentation" text: "AAP threat intelligence" --- @@ -155,5 +155,5 @@ To see all of the saved views, click **Views** next to the **Signals Explorer** [7]: https://app.datadoghq.com/security/appsec? [8]: /security/notifications/rules/ [9]: /account_management/rbac/permissions/#cloud-security-platform -[10]: /security/application_security/threats/protection/#respond-to-threats-in-real-time-by-automating-attacker-blocking -[11]: /security/application_security/threats/protection/#blocking-attack-attempts-with-in-app-waf \ No newline at end of file +[10]: /security/application_security/policies/#respond-to-threats-in-real-time-by-automating-attacker-blocking +[11]: /security/application_security/policies/#blocking-attack-attempts-with-in-app-waf \ No newline at end of file diff --git a/content/en/security/application_security/threats/setup/_index.md b/content/en/security/application_security/threats/setup/_index.md index 275b0bd8c4cfd..7d1153b805753 100644 --- a/content/en/security/application_security/threats/setup/_index.md +++ b/content/en/security/application_security/threats/setup/_index.md @@ -16,6 +16,6 @@ Add an environment variable or a new argument to your [Datadog Tracing Library c By following these steps, you'll successfully set up App and API Protection for your application or service, monitoring services that are under attack and protecting them against attacks. -[1]: /security/application_security/threats/setup/compatibility -[3]: /security/application_security/threats/setup/threat_detection +[1]: /security/application_security/setup/compatibility +[3]: /security/application_security/setup/threat_detection [4]: /agent/ \ No newline at end of file diff --git a/content/en/security/application_security/threats/setup/compatibility/_index.md b/content/en/security/application_security/threats/setup/compatibility/_index.md index 2280b6c7840aa..6ecb5d02fe499 100644 --- a/content/en/security/application_security/threats/setup/compatibility/_index.md +++ b/content/en/security/application_security/threats/setup/compatibility/_index.md @@ -5,7 +5,7 @@ further_reading: - link: "/security/application_security/troubleshooting" tag: "Documentation" text: "Troubleshooting App and API Protection" -- link: "/security/application_security/how-appsec-works/" +- link: "/security/application_security/how-it-works/" tag: "Documentation" text: "How App and API Protection Works in Datadog" --- diff --git a/content/en/security/application_security/threats/setup/compatibility/envoy.md b/content/en/security/application_security/threats/setup/compatibility/envoy.md index 2a18870400f73..de18e946686f7 100644 --- a/content/en/security/application_security/threats/setup/compatibility/envoy.md +++ b/content/en/security/application_security/threats/setup/compatibility/envoy.md @@ -30,4 +30,4 @@ the unsupported capabilities, let us know! Fill out this short form to send details. -[1]: /security/application_security/threats/setup/threat_detection/envoy +[1]: /security/application_security/setup/threat_detection/envoy diff --git a/content/en/security/application_security/threats/setup/compatibility/gcp-service-extensions.md b/content/en/security/application_security/threats/setup/compatibility/gcp-service-extensions.md index 977cbbc031465..edcfc77e81956 100644 --- a/content/en/security/application_security/threats/setup/compatibility/gcp-service-extensions.md +++ b/content/en/security/application_security/threats/setup/compatibility/gcp-service-extensions.md @@ -28,4 +28,4 @@ the unsupported capabilities, let us know! Fill out this short form to send details. -[1]: /security/application_security/threats/setup/threat_detection/gcp-service-extensions +[1]: /security/application_security/setup/threat_detection/gcp-service-extensions diff --git a/content/en/security/application_security/threats/setup/compatibility/nginx.md b/content/en/security/application_security/threats/setup/compatibility/nginx.md index 86d897593f019..f952961dd26cc 100644 --- a/content/en/security/application_security/threats/setup/compatibility/nginx.md +++ b/content/en/security/application_security/threats/setup/compatibility/nginx.md @@ -32,4 +32,4 @@ the unsupported capabilities, let us know! Fill out this short form to send details. -[1]: /security/application_security/threats/setup/threat_detection/nginx/ +[1]: /security/application_security/setup/threat_detection/nginx/ diff --git a/content/en/security/application_security/threats/setup/standalone/_index.md b/content/en/security/application_security/threats/setup/standalone/_index.md index 796284cc8d07b..ff42cc1adfd67 100644 --- a/content/en/security/application_security/threats/setup/standalone/_index.md +++ b/content/en/security/application_security/threats/setup/standalone/_index.md @@ -14,7 +14,7 @@ further_reading: - link: "/security/application_security/troubleshooting" tag: "Documentation" text: "Troubleshooting Application & API Protection" -- link: "/security/application_security/how-appsec-works/" +- link: "/security/application_security/how-it-works/" tag: "Documentation" text: "How Application & API Protection Works in Datadog" --- @@ -44,6 +44,6 @@ Select your application language for details on how to enable Application & API {{< partial name="whats-next/whats-next.html" >}} -[1]: /security/application_security/threats/setup/compatibility +[1]: /security/application_security/setup/compatibility [2]: /agent/ [3]: /security/application_security/guide/standalone_application_security/ diff --git a/content/en/security/application_security/threats/setup/standalone/dotnet.md b/content/en/security/application_security/threats/setup/standalone/dotnet.md index 23cd6c60aed8c..b59386dfe9410 100644 --- a/content/en/security/application_security/threats/setup/standalone/dotnet.md +++ b/content/en/security/application_security/threats/setup/standalone/dotnet.md @@ -210,6 +210,6 @@ ENV DD_APM_TRACING_ENABLED=false {{< partial name="whats-next/whats-next.html" >}} [1]: https://github.com/DataDog/dd-trace-dotnet/releases/latest -[2]: /security/application_security/threats/setup/compatibility/dotnet/ +[2]: /security/application_security/setup/compatibility/dotnet/ [3]: /agent/versions/upgrade_between_agent_minor_versions/ -[4]: /security/application_security/threats/setup/compatibility/ +[4]: /security/application_security/setup/compatibility/ diff --git a/content/en/security/application_security/threats/setup/standalone/go.md b/content/en/security/application_security/threats/setup/standalone/go.md index ee6b58546b950..c2fe10eba5415 100644 --- a/content/en/security/application_security/threats/setup/standalone/go.md +++ b/content/en/security/application_security/threats/setup/standalone/go.md @@ -127,5 +127,5 @@ Update your application's ECS task definition JSON file, by adding these in the {{< partial name="whats-next/whats-next.html" >}} -[1]: /security/application_security/threats/setup/compatibility/go/#web-framework-compatibility -[2]: /security/application_security/threats/setup/compatibility/go/ +[1]: /security/application_security/setup/compatibility/go/#web-framework-compatibility +[2]: /security/application_security/setup/compatibility/go/ diff --git a/content/en/security/application_security/threats/setup/standalone/java.md b/content/en/security/application_security/threats/setup/standalone/java.md index 5cf0fcadfb51b..d5ef76e09eba3 100644 --- a/content/en/security/application_security/threats/setup/standalone/java.md +++ b/content/en/security/application_security/threats/setup/standalone/java.md @@ -147,8 +147,8 @@ If you need additional assistance, contact [Datadog support][5]. {{< partial name="whats-next/whats-next.html" >}} [1]: https://github.com/DataDog/dd-trace-java/releases -[2]: /security/application_security/threats/setup/compatibility/java/ -[3]: /security/application_security/threats/setup/compatibility/java/ +[2]: /security/application_security/setup/compatibility/java/ +[3]: /security/application_security/setup/compatibility/java/ [4]: https://app.datadoghq.com/security/appsec/vm [5]: /help [6]: /agent/versions/upgrade_between_agent_minor_versions/ diff --git a/content/en/security/application_security/threats/setup/standalone/nodejs.md b/content/en/security/application_security/threats/setup/standalone/nodejs.md index d34fdf69b988f..590352633265b 100644 --- a/content/en/security/application_security/threats/setup/standalone/nodejs.md +++ b/content/en/security/application_security/threats/setup/standalone/nodejs.md @@ -164,8 +164,8 @@ If you need additional assistance, contact [Datadog support][6]. {{< partial name="whats-next/whats-next.html" >}} [1]: https://github.com/DataDog/dd-trace-js/blob/master/MIGRATING.md -[2]: /security/application_security/threats/setup/threat_detection/nodejs -[3]: /security/application_security/threats/setup/threat_detection/nodejs +[2]: /security/application_security/setup/threat_detection/nodejs +[3]: /security/application_security/setup/threat_detection/nodejs [4]: /agent/versions/upgrade_between_agent_minor_versions/ [5]: https://app.datadoghq.com/security/appsec/vm [6]: /help diff --git a/content/en/security/application_security/threats/setup/standalone/php.md b/content/en/security/application_security/threats/setup/standalone/php.md index 3a5ed8c6e56a8..7c42a56642948 100644 --- a/content/en/security/application_security/threats/setup/standalone/php.md +++ b/content/en/security/application_security/threats/setup/standalone/php.md @@ -106,4 +106,4 @@ Update your ECS task definition JSON file, by adding these in the environment se {{< partial name="whats-next/whats-next.html" >}} -[1]: /security/application_security/threats/setup/compatibility/php/ +[1]: /security/application_security/setup/compatibility/php/ diff --git a/content/en/security/application_security/threats/setup/standalone/python.md b/content/en/security/application_security/threats/setup/standalone/python.md index 93746cc7d9282..480bf17d301ea 100644 --- a/content/en/security/application_security/threats/setup/standalone/python.md +++ b/content/en/security/application_security/threats/setup/standalone/python.md @@ -119,4 +119,4 @@ You can monitor the security of your Python apps running in Docker, Kubernetes, {{< partial name="whats-next/whats-next.html" >}} -[1]: /security/application_security/threats/setup/compatibility/php/ +[1]: /security/application_security/setup/compatibility/php/ diff --git a/content/en/security/application_security/threats/setup/standalone/ruby.md b/content/en/security/application_security/threats/setup/standalone/ruby.md index 121a54546b314..b9cb312d0320c 100644 --- a/content/en/security/application_security/threats/setup/standalone/ruby.md +++ b/content/en/security/application_security/threats/setup/standalone/ruby.md @@ -228,6 +228,6 @@ env DD_APPSEC_ENABLED=true DD_APM_TRACING_ENABLED=false rails server {{< partial name="whats-next/whats-next.html" >}} -[1]: /security/application_security/threats/setup/compatibility/ruby/ +[1]: /security/application_security/setup/compatibility/ruby/ [2]: https://github.com/DataDog/dd-trace-rb/blob/master/docs/UpgradeGuide2.md [3]: /tracing/trace_collection/dd_libraries/ruby/ diff --git a/content/en/security/application_security/threats/setup/threat_detection/_index.md b/content/en/security/application_security/threats/setup/threat_detection/_index.md index 95e758e4c9f24..b9b94c59c76bf 100644 --- a/content/en/security/application_security/threats/setup/threat_detection/_index.md +++ b/content/en/security/application_security/threats/setup/threat_detection/_index.md @@ -17,7 +17,7 @@ further_reading: - link: "/security/application_security/troubleshooting" tag: "Documentation" text: "Troubleshooting App and API Protection" -- link: "/security/application_security/how-appsec-works/" +- link: "/security/application_security/how-it-works/" tag: "Documentation" text: "How App and API Protection Works in Datadog" --- @@ -37,4 +37,4 @@ Select your application language for details on how to enable AAP Threat Detecti {{< partial name="whats-next/whats-next.html" >}} -[1]: /security/application_security/threats/setup/compatibility +[1]: /security/application_security/setup/compatibility diff --git a/content/en/security/application_security/threats/setup/threat_detection/dotnet.md b/content/en/security/application_security/threats/setup/threat_detection/dotnet.md index 5ad4767192c47..7cb7b729fda0e 100644 --- a/content/en/security/application_security/threats/setup/threat_detection/dotnet.md +++ b/content/en/security/application_security/threats/setup/threat_detection/dotnet.md @@ -196,6 +196,6 @@ ENV DD_APPSEC_ENABLED=true {{< partial name="whats-next/whats-next.html" >}} [1]: https://github.com/DataDog/dd-trace-dotnet/releases/latest -[2]: /security/application_security/threats/setup/compatibility/dotnet/ +[2]: /security/application_security/setup/compatibility/dotnet/ [3]: /agent/versions/upgrade_between_agent_minor_versions/ -[4]: /security/application_security/threats/setup/compatibility/ +[4]: /security/application_security/setup/compatibility/ diff --git a/content/en/security/application_security/threats/setup/threat_detection/go.md b/content/en/security/application_security/threats/setup/threat_detection/go.md index bc1a328c69c56..5126287f00543 100644 --- a/content/en/security/application_security/threats/setup/threat_detection/go.md +++ b/content/en/security/application_security/threats/setup/threat_detection/go.md @@ -120,5 +120,5 @@ Update your application's ECS task definition JSON file, by adding this in the e {{< partial name="whats-next/whats-next.html" >}} -[1]: /security/application_security/threats/setup/compatibility/go/#web-framework-compatibility -[2]: /security/application_security/threats/setup/compatibility/go/ +[1]: /security/application_security/setup/compatibility/go/#web-framework-compatibility +[2]: /security/application_security/setup/compatibility/go/ diff --git a/content/en/security/application_security/threats/setup/threat_detection/java.md b/content/en/security/application_security/threats/setup/threat_detection/java.md index ba9b849792bb2..5b8c287e4ac96 100644 --- a/content/en/security/application_security/threats/setup/threat_detection/java.md +++ b/content/en/security/application_security/threats/setup/threat_detection/java.md @@ -139,8 +139,8 @@ If you need additional assistance, contact [Datadog support][5]. {{< partial name="whats-next/whats-next.html" >}} [1]: https://github.com/DataDog/dd-trace-java/releases -[2]: /security/application_security/threats/setup/compatibility/java/ -[3]: /security/application_security/threats/setup/compatibility/java/ +[2]: /security/application_security/setup/compatibility/java/ +[3]: /security/application_security/setup/compatibility/java/ [4]: https://app.datadoghq.com/security/appsec/vm [5]: /help [6]: /agent/versions/upgrade_between_agent_minor_versions/ diff --git a/content/en/security/application_security/threats/setup/threat_detection/nodejs.md b/content/en/security/application_security/threats/setup/threat_detection/nodejs.md index 799043bca57e9..4a4920b786962 100644 --- a/content/en/security/application_security/threats/setup/threat_detection/nodejs.md +++ b/content/en/security/application_security/threats/setup/threat_detection/nodejs.md @@ -155,8 +155,8 @@ If you need additional assistance, contact [Datadog support][6]. {{< partial name="whats-next/whats-next.html" >}} [1]: https://github.com/DataDog/dd-trace-js/blob/master/MIGRATING.md -[2]: /security/application_security/threats/setup/threat_detection/nodejs -[3]: /security/application_security/threats/setup/threat_detection/nodejs +[2]: /security/application_security/setup/threat_detection/nodejs +[3]: /security/application_security/setup/threat_detection/nodejs [4]: /agent/versions/upgrade_between_agent_minor_versions/ [5]: https://app.datadoghq.com/security/appsec/vm [6]: /help diff --git a/content/en/security/application_security/threats/setup/threat_detection/php.md b/content/en/security/application_security/threats/setup/threat_detection/php.md index 8dffd75efe13c..18f51e4645b2c 100644 --- a/content/en/security/application_security/threats/setup/threat_detection/php.md +++ b/content/en/security/application_security/threats/setup/threat_detection/php.md @@ -99,4 +99,4 @@ Update your ECS task definition JSON file, by adding this in the environment sec {{< partial name="whats-next/whats-next.html" >}} -[1]: /security/application_security/threats/setup/compatibility/php/ +[1]: /security/application_security/setup/compatibility/php/ diff --git a/content/en/security/application_security/threats/setup/threat_detection/python.md b/content/en/security/application_security/threats/setup/threat_detection/python.md index 60819553ba2f7..1f7b6e816b383 100644 --- a/content/en/security/application_security/threats/setup/threat_detection/python.md +++ b/content/en/security/application_security/threats/setup/threat_detection/python.md @@ -112,4 +112,4 @@ You can monitor the security of your Python apps running in Docker, Kubernetes, {{< partial name="whats-next/whats-next.html" >}} -[1]: /security/application_security/threats/setup/compatibility/php/ +[1]: /security/application_security/setup/compatibility/php/ diff --git a/content/en/security/application_security/threats/setup/threat_detection/ruby.md b/content/en/security/application_security/threats/setup/threat_detection/ruby.md index d9470e308646a..f9f8c1befef9e 100644 --- a/content/en/security/application_security/threats/setup/threat_detection/ruby.md +++ b/content/en/security/application_security/threats/setup/threat_detection/ruby.md @@ -216,6 +216,6 @@ env DD_APPSEC_ENABLED=true rails server {{< partial name="whats-next/whats-next.html" >}} -[1]: /security/application_security/threats/setup/compatibility/ruby/ +[1]: /security/application_security/setup/compatibility/ruby/ [2]: https://github.com/DataDog/dd-trace-rb/blob/master/docs/UpgradeGuide2.md [3]: /tracing/trace_collection/dd_libraries/ruby/ diff --git a/content/en/security/application_security/threats/trace_qualification.md b/content/en/security/application_security/threats/trace_qualification.md index b9942a3260d11..e2a89b8d83655 100644 --- a/content/en/security/application_security/threats/trace_qualification.md +++ b/content/en/security/application_security/threats/trace_qualification.md @@ -5,7 +5,7 @@ further_reading: - link: "/security/application_security/" tag: "Documentation" text: "Protect against threats with Datadog App and API Protection" -- link: "/security/application_security/how-appsec-works//" +- link: "/security/application_security/how-it-works//" tag: "Documentation" text: "How App and API Protection Works" --- @@ -16,7 +16,7 @@ App and API Protection (AAP) provides observability into application-level attac Filter by the **Qualification** facet in the AAP [Traces Explorer][1] to view the possible qualification results: -{{< img src="security/application_security/threats/trace_qualification/trace-qualification-traces_2.png" alt="AAP trace list with the qualification facet showing the possible qualification results">}} +{{< img src="security/application_security/how-it-works/trace_qualification/trace-qualification-traces_2.png" alt="AAP trace list with the qualification facet showing the possible qualification results">}} ## Qualification outcomes @@ -34,11 +34,11 @@ AAP runs qualification rules (closed-source) on every trace. There are four poss The qualification result can also be seen when viewing the details of an individual trace.
    Example of a trace that AAP has qualified as safe: -{{< img src="security/application_security/threats/trace_qualification/trace-none-successful_3.png" alt="AAP trace qualified as safe">}} +{{< img src="security/application_security/how-it-works/trace_qualification/trace-none-successful_3.png" alt="AAP trace qualified as safe">}} Example of a trace that AAP has qualified as harmful: -{{< img src="security/application_security/threats/trace_qualification/trace-harmful_2.png" alt="AAP trace qualified as harmful">}} +{{< img src="security/application_security/how-it-works/trace_qualification/trace-harmful_2.png" alt="AAP trace qualified as harmful">}} [1]: https://app.datadoghq.com/security/appsec/traces ## Further Reading diff --git a/content/en/security/application_security/troubleshooting.md b/content/en/security/application_security/troubleshooting.md index 36fbd5be3078d..c9970d84688dd 100644 --- a/content/en/security/application_security/troubleshooting.md +++ b/content/en/security/application_security/troubleshooting.md @@ -6,7 +6,7 @@ further_reading: - link: "/security/application_security/" tag: "Documentation" text: "Monitoring Threats with Datadog App and API Protection" -- link: "/security/application_security/how-appsec-works/" +- link: "/security/application_security/how-it-works/" tag: "Documentation" text: "How App and API Protection Works in Datadog" --- diff --git a/content/en/security/application_security/waf-integration.md b/content/en/security/application_security/waf-integration.md index f47dd22f009c8..af077ee9359e7 100644 --- a/content/en/security/application_security/waf-integration.md +++ b/content/en/security/application_security/waf-integration.md @@ -45,12 +45,12 @@ There are two main use cases supported with this [integration][1]:
    Note that AAP converts AWS WAF logs into AAP Traces, enabling you to view application activity (traces) and AWS WAF activity (logs converted to AAP traces) in the AAP Trace Explorer.
    - {{< img src="security/application_security/threats/aws-waf-int-asm.png" alt="AWS WAF integration details in Datadog UI" style="width:100%;" >}} + 2. Leverage AWS WAF to block attackers: 1. Connect your AWS WAF IP set(s) with Datadog AAP. You can use an existing set or create a new one. Datadog will add blocked IP addresses to this IP set. You can block attackers from AAP [Signals][3] or [Traces][4] explorers. - {{< img src="/security/application_security/threats/aws-waf-blocked-ips.png" alt="AAP denylist blocked IPs" style="width:100%;" >}} + ## Further reading diff --git a/content/en/security/code_security/iast/setup/compatibility/_index.md b/content/en/security/code_security/iast/setup/compatibility/_index.md index 2a3f36b781a67..0c485e2a7ada2 100644 --- a/content/en/security/code_security/iast/setup/compatibility/_index.md +++ b/content/en/security/code_security/iast/setup/compatibility/_index.md @@ -5,7 +5,7 @@ further_reading: - link: "/security/application_security/troubleshooting" tag: "Documentation" text: "Troubleshooting App and API Protection" -- link: "/security/application_security/how-appsec-works/" +- link: "/security/application_security/how-it-works/" tag: "Documentation" text: "How App and API Protection Works in Datadog" --- diff --git a/content/en/security/code_security/software_composition_analysis/setup_runtime/compatibility/nginx.md b/content/en/security/code_security/software_composition_analysis/setup_runtime/compatibility/nginx.md index d63024163817c..b7e434f7c2919 100644 --- a/content/en/security/code_security/software_composition_analysis/setup_runtime/compatibility/nginx.md +++ b/content/en/security/code_security/software_composition_analysis/setup_runtime/compatibility/nginx.md @@ -27,4 +27,4 @@ the unsupported capabilities, let us know! Fill out this short form to send details. -[1]: /security/application_security/threats/setup/threat_detection/nginx +[1]: /security/application_security/setup/threat_detection/nginx diff --git a/content/en/security/detection_rules/_index.md b/content/en/security/detection_rules/_index.md index 6a545c1601162..4190d3e92682a 100644 --- a/content/en/security/detection_rules/_index.md +++ b/content/en/security/detection_rules/_index.md @@ -171,7 +171,7 @@ The rule deprecation process is as follows: [9]: /agent/ [10]: https://app.datadoghq.com/security/configuration/ [11]: /security/cloud_siem/detection_rules/ -[12]: /security/application_security/threats/custom_rules/ +[12]: /security/application_security/policies/custom_rules/ [13]: /security/cloud_security_management/misconfigurations/custom_rules [14]: /security/workload_protection/workload_security_rules?tab=host#create-custom-rules [15]: https://app.datadoghq.com/security/configuration/ diff --git a/content/en/security/guide/aws_fargate_config_guide.md b/content/en/security/guide/aws_fargate_config_guide.md index 8a14136ff9112..8696b0bd96557 100644 --- a/content/en/security/guide/aws_fargate_config_guide.md +++ b/content/en/security/guide/aws_fargate_config_guide.md @@ -419,12 +419,12 @@ For step-by-step instructions, see [AWS Configuration Guide for Cloud SIEM][17]. [7]: /resources/json/datadog-agent-cws-ecs-fargate.json [8]: /integrations/faq/integration-setup-ecs-fargate/?tab=rediswebui [9]: https://app.datadoghq.com/security/agent-events -[10]: /security/application_security/threats/setup/threat_detection/java/?tab=awsfargate -[11]: /security/application_security/threats/setup/threat_detection/java/?tab=amazonecs -[12]: /security/application_security/threats/setup/threat_detection/dotnet?tab=awsfargate -[13]: /security/application_security/threats/setup/threat_detection/ruby?tab=awsfargate -[14]: /security/application_security/threats/setup/threat_detection/nodejs?tab=awsfargate -[15]: /security/application_security/threats/setup/threat_detection/python?tab=awsfargate +[10]: /security/application_security/setup/threat_detection/java/?tab=awsfargate +[11]: /security/application_security/setup/threat_detection/java/?tab=amazonecs +[12]: /security/application_security/setup/threat_detection/dotnet?tab=awsfargate +[13]: /security/application_security/setup/threat_detection/ruby?tab=awsfargate +[14]: /security/application_security/setup/threat_detection/nodejs?tab=awsfargate +[15]: /security/application_security/setup/threat_detection/python?tab=awsfargate [16]: /security/application_security/ [17]: /security/cloud_siem/guide/aws-config-guide-for-cloud-siem/ [18]: /security/code_security/iast/setup/java/ diff --git a/content/en/security/threat_intelligence.md b/content/en/security/threat_intelligence.md index f9fb5b43304d8..76ab073987eec 100644 --- a/content/en/security/threat_intelligence.md +++ b/content/en/security/threat_intelligence.md @@ -4,7 +4,7 @@ aliases: - /security/threat_intel description: "Threat Intelligence at Datadog" further_reading: - - link: "/security/application_security/threats/threat-intelligence/" + - link: "/security/application_security/how-it-works/threat-intelligence/" tag: "documentation" text: "AAP Threat Intelligence" - link: "/security/cloud_siem/threat_intelligence/" diff --git a/content/en/serverless/aws_lambda/securing_functions.md b/content/en/serverless/aws_lambda/securing_functions.md index 6608c6010488f..12a47f70b147e 100644 --- a/content/en/serverless/aws_lambda/securing_functions.md +++ b/content/en/serverless/aws_lambda/securing_functions.md @@ -4,7 +4,7 @@ further_reading: - link: "/security/application_security/" tag: "Documentation" text: "App and API Protection" -- link: "/security/application_security/how-appsec-works" +- link: "/security/application_security/how-it-works" tag: "Documentation" text: "How App and API Protection Works" --- diff --git a/content/en/software_catalog/endpoints/_index.md b/content/en/software_catalog/endpoints/_index.md index 416f351bcc7a8..0cd64867b5861 100644 --- a/content/en/software_catalog/endpoints/_index.md +++ b/content/en/software_catalog/endpoints/_index.md @@ -10,7 +10,7 @@ further_reading: - link: "/synthetics/api_tests/http_tests/" tag: "Documentation" text: "Synthetic API Tests" -- link: "/security/application_security/how-appsec-works/#api-security" +- link: "/security/application_security/how-it-works/#api-security" tag: "Documentation" text: "AAP API Security" - link: "https://www.datadoghq.com/blog/primary-risks-to-api-security/" diff --git a/content/en/software_catalog/navigating.md b/content/en/software_catalog/navigating.md index c8d05ebedf989..2ee9ed19c0228 100644 --- a/content/en/software_catalog/navigating.md +++ b/content/en/software_catalog/navigating.md @@ -130,7 +130,7 @@ To access additional details describing your CI status and static analysis viola [5]: /tracing/guide/configuring-primary-operation/ [6]: /universal_service_monitoring/guide/using_usm_metrics/#usm-metrics-vs-apm-metrics [7]: /tracing/guide/configure_an_apdex_for_your_traces_with_datadog_apm/ -[8]: /security/application_security/how-appsec-works/ +[8]: /security/application_security/how-it-works/ [9]: /cloud_cost_management/ [10]: /cloud_cost_management/?tab=aws [11]: /cloud_cost_management/tag_pipelines diff --git a/content/en/tracing/configure_data_security/_index.md b/content/en/tracing/configure_data_security/_index.md index 81c8d2d925428..5d427b4f89c11 100644 --- a/content/en/tracing/configure_data_security/_index.md +++ b/content/en/tracing/configure_data_security/_index.md @@ -677,4 +677,4 @@ PCI compliance for APM is not available for the {{< region-param key="dd_site_na [10]: /tracing/trace_collection/custom_instrumentation/ruby/?tab=activespan#post-processing-traces [11]: https://ddtrace.readthedocs.io/en/stable/advanced_usage.html#trace-filtering [12]: /security/sensitive_data_scanner/ -[13]: /security/application_security/how-appsec-works/#data-privacy +[13]: /security/application_security/how-it-works/#data-privacy diff --git a/content/en/tracing/services/service_page.md b/content/en/tracing/services/service_page.md index 93440e383919d..acc0a3c65d517 100644 --- a/content/en/tracing/services/service_page.md +++ b/content/en/tracing/services/service_page.md @@ -283,7 +283,7 @@ Visualize the cost associate with your service's infrastructure used in the Cost [15]: /profiler/ [16]: /tracing/trace_explorer/query_syntax/#facets [17]: https://www.datadoghq.com/blog/log-patterns/ -[18]: /security/application_security/how-appsec-works/ +[18]: /security/application_security/how-it-works/ [19]: https://www.datadoghq.com/blog/datadog-watchdog-insights-log-management/ [21]: /database_monitoring/connect_dbm_and_apm/ [22]: /cloud_cost_management/ diff --git a/content/en/tracing/trace_collection/automatic_instrumentation/dd_libraries/go.md b/content/en/tracing/trace_collection/automatic_instrumentation/dd_libraries/go.md index 87be59e1f768b..b9ad7d52d61ef 100644 --- a/content/en/tracing/trace_collection/automatic_instrumentation/dd_libraries/go.md +++ b/content/en/tracing/trace_collection/automatic_instrumentation/dd_libraries/go.md @@ -244,14 +244,14 @@ To troubleshoot builds that `orchestrion` manages, see [Troubleshooting Go Compi [4]: https://pkg.go.dev/gopkg.in/DataDog/dd-trace-go.v1/ddtrace [6]: https://github.com/DataDog/orchestrion -[7]: /security/application_security/threats/exploit-prevention +[7]: /security/application_security/exploit-prevention [8]: https://go.dev/doc/devel/release#policy [10]: https://pkg.go.dev/cmd/go#hdr-Modules__module_versions__and_more [11]: https://github.com/DataDog/orchestrion/releases [12]: /profiler [13]: /tracing/troubleshooting/go_compile_time/ [14]: /getting_started/tagging/unified_service_tagging/ -[15]: /security/application_security/threats/exploit-prevention/ +[15]: /security/application_security/exploit-prevention/ [16]: /tracing/trace_collection/library_config/go/#traces diff --git a/content/en/tracing/trace_collection/library_config/java.md b/content/en/tracing/trace_collection/library_config/java.md index 2d038841e286e..a001e142009e7 100644 --- a/content/en/tracing/trace_collection/library_config/java.md +++ b/content/en/tracing/trace_collection/library_config/java.md @@ -619,6 +619,6 @@ Deprecated since version 1.9.0 [16]: /tracing/trace_collection/custom_instrumentation/java/otel/ [17]: /opentelemetry/interoperability/environment_variable_support [18]: /tracing/guide/aws_payload_tagging/?code-lang=java -[19]: /security/application_security/threats/setup/threat_detection/java/ +[19]: /security/application_security/setup/threat_detection/java/ [20]: https://ant.apache.org/manual/dirtasks.html#patterns [21]: /tracing/trace_collection/library_config/#traces diff --git a/content/en/tracing/trace_explorer/trace_view.md b/content/en/tracing/trace_explorer/trace_view.md index ab2c24ee7eea5..aee4536a426fa 100644 --- a/content/en/tracing/trace_explorer/trace_view.md +++ b/content/en/tracing/trace_explorer/trace_view.md @@ -232,7 +232,7 @@ Click **View in AAP** to investigate further using [Datadog App and API Protecti {{< img src="tracing/trace_view/security_tab.png" alt="Security tab" style="width:90%;">}} -[1]: /security/application_security/how-appsec-works/ +[1]: /security/application_security/how-it-works/ {{% /tab %}} {{% tab "Profiles" %}} From e3c54167b1f7cbf69097a53cb75824dd4ad3de8e Mon Sep 17 00:00:00 2001 From: Michael Cretzman <58786311+michaelcretzman@users.noreply.github.com> Date: Tue, 13 May 2025 13:05:37 -0700 Subject: [PATCH 5/6] incorp peer edit adding 2 fixes. Will this the other things mentioned in a separate commit. Co-authored-by: DeForest Richards <56796055+drichards-87@users.noreply.github.com> --- content/en/security/application_security/exploit-prevention.md | 2 +- content/en/security/application_security/how-it-works/_index.md | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/content/en/security/application_security/exploit-prevention.md b/content/en/security/application_security/exploit-prevention.md index 72975597e6deb..3ba9bea7cccad 100644 --- a/content/en/security/application_security/exploit-prevention.md +++ b/content/en/security/application_security/exploit-prevention.md @@ -36,7 +36,7 @@ Combine telemetry from the Datadog tracer with predefined heuristics to detect a ### Example 1: Server-side request forgery -An attacker tricks the server into making unauthorized requests to internal systems or external servers, potentially leaking information or a further exploitation. +An attacker tricks the server into making unauthorized requests to internal systems or external servers, potentially leaking information or enabling further exploitation. AAP Exploit Prevention checks whether an internal or external request's URL, which is partially or totally controlled by a user parameter, has been manipulated by an attacker to alter the original purpose of the request. diff --git a/content/en/security/application_security/how-it-works/_index.md b/content/en/security/application_security/how-it-works/_index.md index e39e1a6d5bfb4..3460ee0da6fed 100644 --- a/content/en/security/application_security/how-it-works/_index.md +++ b/content/en/security/application_security/how-it-works/_index.md @@ -3,6 +3,7 @@ title: How App and API Protection Works in Datadog aliases: - /security_platform/guide/how-appsec-works/ - /security_platform/application_security/how-appsec-works/ + - /security/application_security/how-appsec-works/ - /security/guide/how-appsec-works/ --- From 92590717217f876911d043c7c40e68625c04de96 Mon Sep 17 00:00:00 2001 From: Michael Cretzman Date: Tue, 13 May 2025 14:09:45 -0700 Subject: [PATCH 6/6] fixed lib support info and procedure step format error --- .../exploit-prevention.md | 19 ++++++++++++++----- 1 file changed, 14 insertions(+), 5 deletions(-) diff --git a/content/en/security/application_security/exploit-prevention.md b/content/en/security/application_security/exploit-prevention.md index 3ba9bea7cccad..afaa5ab74163b 100644 --- a/content/en/security/application_security/exploit-prevention.md +++ b/content/en/security/application_security/exploit-prevention.md @@ -61,18 +61,20 @@ AAP Exploit Prevention intercepts all SQL queries to determine if a user paramet ### Library Compatibility -| Exploit Type | .NET | Python | Go | Java | Node.js | PHP | Ruby | +| Exploit Type | [.NET][5] | [Python][6] | [Go][7] | [Java][8] | [Node.js][9] | [PHP][10] | [Ruby][11] | |------------------------------------|------------------|------------------|-------------------------|------------------|------------------|------------------|-------------------| -| Server-side Request Forgery (SSRF) | v3.3.0 | v2.15.0 | v1.70.1 | v1.42.0 | v5.20.0, v4.44.0 | Avail. in Q1 '25 | Avail. in Q1 '25 | -| Local File Inclusion (LFI) | v3.5.0 | v2.15.0 | [orchestrion][3] v1.0.0 | v1.42.0 | v5.24.0, v4.48.0 | Avail. in Q1 '25 | Avail. in Q1 '25 | -| SQL Injection (SQLi) | v3.4.0 | v2.16.0 | v1.70.1 | v1.42.0 | v5.25.0, v4.49.0 | Avail. in Q1 '25 | Avail. in Q4 '24 | -| Command Injection | v3.4.0 | v2.15.0 | Avail. in Q4 '24 | v1.45.0 | v5.25.0, v4.49.0 | Avail. in Q1 '25 | Avail. in Q1 '25 | +| Server-side Request Forgery (SSRF) | v3.3.0 | v2.15.0 | v1.70.1 | v1.42.0 | v5.20.0, v4.44.0 | v1.7.0 | v2.15.0 | +| Local File Inclusion (LFI) | v3.5.0 | v2.15.0 | [orchestrion][3] v1.0.0 | v1.42.0 | v5.24.0, v4.48.0 | v1.6.0 | Not supported | +| SQL Injection (SQLi) | v3.4.0 | v2.16.0 | v1.70.1 | v1.42.0 | v5.25.0, v4.49.0 | v1.9.0 | v2.15.0 | +| Command Injection | v3.4.0 | v2.15.0 | Not supported | v1.45.0 | v5.25.0, v4.49.0 | Not supported | Not supported | + ## Enabling Exploit Prevention 1. Navigate to [In-App WAF][4] (**Security > App and API Protection > Protection > In-App WAF**). 2. If you have applied a Datadog managed policy to your services, then follow these steps: + a. Clone the policy. For example, you can use the **Managed - Block attack tools** policy. @@ -106,3 +108,10 @@ In addition, AAP also generates a signal correlating all the blocked traces and [2]: /agent/remote_config/?tab=configurationyamlfile#enabling-remote-configuration [3]: /tracing/trace_collection/automatic_instrumentation/dd_libraries/go/#overview [4]: https://app.datadoghq.com/security/appsec/in-app-waf +[5]: https://github.com/DataDog/dd-trace-dotnet +[6]: https://github.com/DataDog/dd-trace-py +[7]: https://github.com/DataDog/dd-trace-go +[8]: https://github.com/DataDog/dd-trace-java +[9]: https://github.com/DataDog/dd-trace-js +[10]: https://github.com/DataDog/dd-trace-php +[11]: https://github.com/DataDog/dd-trace-rb