Datadome Protection
Overview
Datadome offers is a bot protection solution, providing real-time detection and mitigation of malicious bots, safeguarding websites and APIs from fraud, scraping, and other automated threats with advanced security measures.
- Vendor: DataDdome
- Supported environment: SaaS
- Detection based on: Alert
- Supported application or feature: Web application firewall logs
Step-by-Step Configuration Procedure
This setup guide will show you how to forward your Datadome Protection logs to Sekoia.io
Instruction on Sekoia
Configure Your Intake
This section will guide you through creating the intake object in Sekoia, which provides a unique identifier called the "Intake key." The Intake key is essential for later configuration, as it references the Community, Entity, and Parser (Intake Format) used when receiving raw events on Sekoia.
- Go to the Sekoia Intake page.
- Click on the
+ New Intakebutton at the top right of the page. - Search for your Intake by the product name in the search bar.
- Give it a Name and associate it with an Entity (and a Community if using multi-tenant mode).
- Click on
Create.
Note
For more details on how to use the Intake page and to find the Intake key you just created, refer to this documentation.
Instructions on the 3rd Party Solution
Enable forwarding
- Connect on the Datadome Dashboard
- On the left panel, click
Management - On the ribbon, go to
Integrationtab - In the
Webhooksection, clickAdd Webhook - Type the name of the integration
- As URL, type
https://intake.sekoia.io/plain?intake_key=<YOUR INTAKE KEY> - Select
Defaultas the payload format - Select
All threatsas threats - Click
Save
Raw Events Samples
In this section, you will find examples of raw logs as generated natively by the source. These examples are provided to help integrators understand the data format before ingestion into Sekoia.io. It is crucial for setting up the correct parsing stages and ensuring that all relevant information is captured.
{
"accountName": "Example account",
"isProtected": false,
"threatName": "Credential Stuffing",
"endpointName": "WEB (default)",
"duration": "",
"startDateTime": "20 January, 18:53 UTC +00:00",
"endDateTime": "",
"requestsCount": "123,456,789",
"peakSpeed": "0",
"ipCount": "123,456,789",
"uaCount": "123,456,789",
"countryCount": "123,456,789",
"urlCount": "123,456,789"
}
{
"accountName": "Account name",
"isProtected": false,
"threatName": "Threat",
"endpointName": "Endpoint",
"duration": "8 minutes 15 seconds",
"startDateTime": "06 September, 08:01 UTC +00:00",
"endDateTime": "06 September, 08:09 UTC +00:00",
"requestsCount": "10,558",
"peakSpeed": "1,457",
"ipCount": "393",
"uaCount": "82",
"countryCount": "17",
"urlCount": "2,221"
}
Detection section
The following section provides information for those who wish to learn more about the detection capabilities enabled by collecting this intake. It includes details about the built-in rule catalog, event categories, and ECS fields extracted from raw events. This is essential for users aiming to create custom detection rules, perform hunting activities, or pivot in the events page.
Related Built-in Rules
The following Sekoia.io built-in rules match the intake Datadome Protection. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
SEKOIA.IO x Datadome Protection on ATT&CK Navigator
Datadome Protection Intrusion Detection
Detects when Datadome protection raises an alert linked to intrusion. Datadome is used against fraud and bots.
- Effort: master
Event Categories
The following table lists the data source offered by this integration.
| Data Source | Description |
|---|---|
Web application firewall logs |
Datadome provides real-time detection and mitigation of malicious bots |
In details, the following table denotes the type of events produced by this integration.
| Name | Values |
|---|---|
| Kind | alert |
| Category | intrusion_detection |
| Type | info |
Transformed Events Samples after Ingestion
This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the built-in detection rules and hunting activities in the events page. Understanding these transformations is essential for analysts to create effective detection mechanisms with custom detection rules and to leverage the full potential of the collected data.
{
"message": "{\"accountName\": \"Example account\", \"isProtected\": false, \"threatName\": \"Credential Stuffing\", \"endpointName\": \"WEB (default)\", \"duration\": \"\", \"startDateTime\": \"20 January, 18:53 UTC +00:00\", \"endDateTime\": \"\", \"requestsCount\": \"123,456,789\", \"peakSpeed\": \"0\", \"ipCount\": \"123,456,789\", \"uaCount\": \"123,456,789\", \"countryCount\": \"123,456,789\", \"urlCount\": \"123,456,789\"}",
"event": {
"category": [
"intrusion_detection"
],
"kind": "alert",
"start": "2024-01-20T18:53:00Z",
"type": [
"info"
]
},
"@timestamp": "2024-01-20T18:53:00Z",
"cloud": {
"account": {
"name": "Example account"
}
},
"datadome": {
"country_count": 123456789,
"ip_count": 123456789,
"peak_speed": 0,
"requests_count": 123456789,
"ua_count": 123456789,
"url_count": 123456789
},
"host": {
"name": "WEB (default)"
},
"observer": {
"product": "Datadome protection",
"vendor": "Datadome"
},
"threat": {
"indicator": {
"name": "Credential Stuffing"
}
}
}
{
"message": "{\n \"accountName\": \"Account name\",\n \"isProtected\": false,\n \"threatName\": \"Threat\",\n \"endpointName\": \"Endpoint\",\n \"duration\": \"8 minutes 15 seconds\",\n \"startDateTime\": \"06 September, 08:01 UTC +00:00\",\n \"endDateTime\": \"06 September, 08:09 UTC +00:00\",\n \"requestsCount\": \"10,558\",\n \"peakSpeed\": \"1,457\",\n \"ipCount\": \"393\",\n \"uaCount\": \"82\",\n \"countryCount\": \"17\",\n \"urlCount\": \"2,221\"\n}",
"event": {
"category": [
"intrusion_detection"
],
"duration": 495000000000,
"end": "2024-09-06T08:09:00Z",
"kind": "alert",
"start": "2024-09-06T08:01:00Z",
"type": [
"info"
]
},
"@timestamp": "2024-09-06T08:01:00Z",
"cloud": {
"account": {
"name": "Account name"
}
},
"datadome": {
"country_count": 17,
"ip_count": 393,
"peak_speed": 1457,
"requests_count": 10558,
"ua_count": 82,
"url_count": 2221
},
"host": {
"name": "Endpoint"
},
"observer": {
"product": "Datadome protection",
"vendor": "Datadome"
},
"threat": {
"indicator": {
"name": "Threat"
}
}
}
Extracted Fields
The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed.
| Name | Type | Description |
|---|---|---|
@timestamp |
date |
Date/time when the event originated. |
cloud.account.name |
keyword |
The cloud account name. |
datadome.country_count |
number |
|
datadome.ip_count |
number |
|
datadome.peak_speed |
number |
|
datadome.requests_count |
number |
|
datadome.ua_count |
number |
|
datadome.url_count |
number |
|
event.category |
keyword |
Event category. The second categorization field in the hierarchy. |
event.duration |
long |
Duration of the event in nanoseconds. |
event.end |
date |
event.end contains the date when the event ended or when the activity was last observed. |
event.kind |
keyword |
The kind of the event. The highest categorization field in the hierarchy. |
event.start |
date |
event.start contains the date when the event started or when the activity was first observed. |
event.type |
keyword |
Event type. The third categorization field in the hierarchy. |
host.name |
keyword |
Name of the host. |
observer.product |
keyword |
The product name of the observer. |
observer.vendor |
keyword |
Vendor name of the observer. |
For more information on the Intake Format, please find the code of the Parser, Smart Descriptions, and Supported Events here.