Skip to content

Datadome Protection

Overview

Datadome offers is a bot protection solution, providing real-time detection and mitigation of malicious bots, safeguarding websites and APIs from fraud, scraping, and other automated threats with advanced security measures.

  • Vendor: DataDdome
  • Supported environment: SaaS
  • Detection based on: Alert
  • Supported application or feature: Web application firewall logs

Step-by-Step Configuration Procedure

This setup guide will show you how to forward your Datadome Protection logs to Sekoia.io

Instruction on Sekoia

Configure Your Intake

This section will guide you through creating the intake object in Sekoia, which provides a unique identifier called the "Intake key." The Intake key is essential for later configuration, as it references the Community, Entity, and Parser (Intake Format) used when receiving raw events on Sekoia.

  1. Go to the Sekoia Intake page.
  2. Click on the + New Intake button at the top right of the page.
  3. Search for your Intake by the product name in the search bar.
  4. Give it a Name and associate it with an Entity (and a Community if using multi-tenant mode).
  5. Click on Create.
  6. You will be redirected to the Intake listing page, where you will find a new line with the name you gave to the Intake.

Note

For more details on how to use the Intake page and to find the Intake key you just created, refer to this documentation.

Instructions on the 3rd Party Solution

Enable forwarding

  1. Connect on the Datadome Dashboard
  2. On the left panel, click Management
  3. On the ribbon, go to Integration tab
  4. In the Webhook section, click Add Webhook
  5. Type the name of the integration
  6. As URL, type https://intake.sekoia.io/plain?intake_key=<YOUR INTAKE KEY>
  7. Select Default as the payload format
  8. Select All threats as threats
  9. Click Save

Raw Events Samples

In this section, you will find examples of raw logs as generated natively by the source. These examples are provided to help integrators understand the data format before ingestion into Sekoia.io. It is crucial for setting up the correct parsing stages and ensuring that all relevant information is captured.

{
    "accountName": "Example account",
    "isProtected": false,
    "threatName": "Credential Stuffing",
    "endpointName": "WEB (default)",
    "duration": "",
    "startDateTime": "20 January, 18:53 UTC +00:00",
    "endDateTime": "",
    "requestsCount": "123,456,789",
    "peakSpeed": "0",
    "ipCount": "123,456,789",
    "uaCount": "123,456,789",
    "countryCount": "123,456,789",
    "urlCount": "123,456,789"
}
{
    "accountName": "Account name",
    "isProtected": false,
    "threatName": "Threat",
    "endpointName": "Endpoint",
    "duration": "8 minutes 15 seconds",
    "startDateTime": "06 September, 08:01 UTC +00:00",
    "endDateTime": "06 September, 08:09 UTC +00:00",
    "requestsCount": "10,558",
    "peakSpeed": "1,457",
    "ipCount": "393",
    "uaCount": "82",
    "countryCount": "17",
    "urlCount": "2,221"
}

Detection section

The following section provides information for those who wish to learn more about the detection capabilities enabled by collecting this intake. It includes details about the built-in rule catalog, event categories, and ECS fields extracted from raw events. This is essential for users aiming to create custom detection rules, perform hunting activities, or pivot in the events page.

The following Sekoia.io built-in rules match the intake Datadome Protection. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.

SEKOIA.IO x Datadome Protection on ATT&CK Navigator

Datadome Protection Intrusion Detection

Detects when Datadome protection raises an alert linked to intrusion. Datadome is used against fraud and bots.

  • Effort: master

Event Categories

The following table lists the data source offered by this integration.

Data Source Description
Web application firewall logs Datadome provides real-time detection and mitigation of malicious bots

In details, the following table denotes the type of events produced by this integration.

Name Values
Kind alert
Category intrusion_detection
Type info

Transformed Events Samples after Ingestion

This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the built-in detection rules and hunting activities in the events page. Understanding these transformations is essential for analysts to create effective detection mechanisms with custom detection rules and to leverage the full potential of the collected data.

{
    "message": "{\"accountName\": \"Example account\", \"isProtected\": false, \"threatName\": \"Credential Stuffing\", \"endpointName\": \"WEB (default)\", \"duration\": \"\", \"startDateTime\": \"20 January, 18:53 UTC +00:00\", \"endDateTime\": \"\", \"requestsCount\": \"123,456,789\", \"peakSpeed\": \"0\", \"ipCount\": \"123,456,789\", \"uaCount\": \"123,456,789\", \"countryCount\": \"123,456,789\", \"urlCount\": \"123,456,789\"}",
    "event": {
        "category": [
            "intrusion_detection"
        ],
        "kind": "alert",
        "start": "2024-01-20T18:53:00Z",
        "type": [
            "info"
        ]
    },
    "@timestamp": "2024-01-20T18:53:00Z",
    "cloud": {
        "account": {
            "name": "Example account"
        }
    },
    "datadome": {
        "country_count": 123456789,
        "ip_count": 123456789,
        "peak_speed": 0,
        "requests_count": 123456789,
        "ua_count": 123456789,
        "url_count": 123456789
    },
    "host": {
        "name": "WEB (default)"
    },
    "observer": {
        "product": "Datadome protection",
        "vendor": "Datadome"
    },
    "threat": {
        "indicator": {
            "name": "Credential Stuffing"
        }
    }
}
{
    "message": "{\n    \"accountName\": \"Account name\",\n    \"isProtected\": false,\n    \"threatName\": \"Threat\",\n    \"endpointName\": \"Endpoint\",\n    \"duration\": \"8 minutes 15 seconds\",\n    \"startDateTime\": \"06 September, 08:01 UTC +00:00\",\n    \"endDateTime\": \"06 September, 08:09 UTC +00:00\",\n    \"requestsCount\": \"10,558\",\n    \"peakSpeed\": \"1,457\",\n    \"ipCount\": \"393\",\n    \"uaCount\": \"82\",\n    \"countryCount\": \"17\",\n    \"urlCount\": \"2,221\"\n}",
    "event": {
        "category": [
            "intrusion_detection"
        ],
        "duration": 495000000000,
        "end": "2024-09-06T08:09:00Z",
        "kind": "alert",
        "start": "2024-09-06T08:01:00Z",
        "type": [
            "info"
        ]
    },
    "@timestamp": "2024-09-06T08:01:00Z",
    "cloud": {
        "account": {
            "name": "Account name"
        }
    },
    "datadome": {
        "country_count": 17,
        "ip_count": 393,
        "peak_speed": 1457,
        "requests_count": 10558,
        "ua_count": 82,
        "url_count": 2221
    },
    "host": {
        "name": "Endpoint"
    },
    "observer": {
        "product": "Datadome protection",
        "vendor": "Datadome"
    },
    "threat": {
        "indicator": {
            "name": "Threat"
        }
    }
}

Extracted Fields

The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed.

Name Type Description
@timestamp date Date/time when the event originated.
cloud.account.name keyword The cloud account name.
datadome.country_count number
datadome.ip_count number
datadome.peak_speed number
datadome.requests_count number
datadome.ua_count number
datadome.url_count number
event.category keyword Event category. The second categorization field in the hierarchy.
event.duration long Duration of the event in nanoseconds.
event.end date event.end contains the date when the event ended or when the activity was last observed.
event.kind keyword The kind of the event. The highest categorization field in the hierarchy.
event.start date event.start contains the date when the event started or when the activity was first observed.
event.type keyword Event type. The third categorization field in the hierarchy.
host.name keyword Name of the host.
observer.product keyword The product name of the observer.
observer.vendor keyword Vendor name of the observer.

For more information on the Intake Format, please find the code of the Parser, Smart Descriptions, and Supported Events here.

Further readings