Cloud Security Management Threats (CSM Threats) monitors file, network, and process activity across your environment to detect real-time threats to your infrastructure. As part of the Datadog platform, you can combine the real-time threat detection of CSM Threats with metrics, logs, traces, and other telemetry to see the full context surrounding a potential attack on your workloads.

Detect threats to your production workloads in real-time

Monitor file and process activity at the kernel level to detect threats to your infrastructure, such as Amazon EC2 instances, Docker containers, and Kubernetes clusters. Combine CSM Threats with Network Performance Monitoring and detect suspicious activity at the network level before a workload is compromised.

CSM Threats uses the Datadog Agent to monitor your environment. If you don’t already have the Datadog Agent set up, start with setting up the Agent on a supported operating system. There are four types of monitoring that the Datadog Agent uses for CSM Threats:

1. Process Execution Monitoring to watch process executions for malicious activity on hosts or containers in real-time.
2. File Integrity Monitoring to watch for changes to key files and directories on hosts or containers in real-time.
3. DNS Activity Monitoring to watch network traffic for malicious activity on hosts and containers in real-time.
4. Kernel Activity Monitoring to watch for kernel-layer attacks like process hijacking, container breakouts, and more in real-time.

Proactively block threats with Active Protection

By default, all OOTB Agent crypto mining threat detection rules are enabled and actively monitoring for threats.

Active Protection enables you to proactively block and terminate crypto mining threats identified by the Datadog Agent threat detection rules.

Manage out-of-the-box and custom detection rules

CSM Threats comes with more than 50 out-of-the-box detection rules that are maintained by a team of security experts. The rules surface the most important risks so that you can immediately take steps to remediate. Agent expression rules define the workload activities to be collected for analysis while backend detection rules analyze the activities and identify attacker techniques and other risky patterns of behavior.

Use Remote Configuration to automatically deploy new and updated rules to the Agent. Customize the rules by defining how each rule monitors process, network, and file activity, create custom rules, and set up real-time notifications for new signals.

Set up real-time notifications

Send real-time notifications when a threat is detected in your environment, so that your teams can take action to mitigate the risk. Notifications can be sent to Slack, email, PagerDuty, webhooks, and more.

Use template variables and Markdown to customize notification messages. Edit, disable, and delete existing notification rules, or create new rules and define custom logic for when a notification is triggered based on severity and rule type.

Investigate and remediate security signals

Investigate and triage security signals in the Signals Explorer. View detailed information about the impacted files or processes, related signals and logs, and remediation steps.

Get started