Skip to content

Datadome Protection

Overview

Datadome offers is a bot protection solution, providing real-time detection and mitigation of malicious bots, safeguarding websites and APIs from fraud, scraping, and other automated threats with advanced security measures.

Warning

Important note - This format is currently in beta. We highly value your feedback to improve its performance.

Event Categories

The following table lists the data source offered by this integration.

Data Source Description
Web application firewall logs Datadome provides real-time detection and mitigation of malicious bots

In details, the following table denotes the type of events produced by this integration.

Name Values
Kind alert
Category intrusion_detection
Type info

Event Samples

Find below few samples of events and how they are normalized by Sekoia.io.

{
    "message": "{\"accountName\": \"Example account\", \"isProtected\": false, \"threatName\": \"Credential Stuffing\", \"endpointName\": \"WEB (default)\", \"duration\": \"\", \"startDateTime\": \"20 January, 18:53 UTC +00:00\", \"endDateTime\": \"\", \"requestsCount\": \"123,456,789\", \"peakSpeed\": \"0\", \"ipCount\": \"123,456,789\", \"uaCount\": \"123,456,789\", \"countryCount\": \"123,456,789\", \"urlCount\": \"123,456,789\"}",
    "event": {
        "category": [
            "intrusion_detection"
        ],
        "kind": "alert",
        "start": "2024-01-20T18:53:00Z",
        "type": [
            "info"
        ]
    },
    "@timestamp": "2024-01-20T18:53:00Z",
    "cloud": {
        "account": {
            "name": "Example account"
        }
    },
    "host": {
        "name": "WEB (default)"
    },
    "observer": {
        "product": "Datadome protection",
        "vendor": "Datadome"
    },
    "threat": {
        "indicator": {
            "name": "Credential Stuffing"
        }
    }
}

Extracted Fields

The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed.

Name Type Description
@timestamp date Date/time when the event originated.
cloud.account.name keyword The cloud account name.
event.category keyword Event category. The second categorization field in the hierarchy.
event.duration long Duration of the event in nanoseconds.
event.end date event.end contains the date when the event ended or when the activity was last observed.
event.kind keyword The kind of the event. The highest categorization field in the hierarchy.
event.start date event.start contains the date when the event started or when the activity was first observed.
event.type keyword Event type. The third categorization field in the hierarchy.
host.name keyword Name of the host.
observer.product keyword The product name of the observer.
observer.vendor keyword Vendor name of the observer.

Configure

This setup guide will show you how to forward your Datadome Protection logs to Sekoia.io

Create the intake

Go to the intake page and create a new intake from the format Datadome Protection.

Enable forwarding

  1. Connect on the Datadome Dashboard
  2. On the left panel, click Management
  3. On the ribbon, go to Integration tab
  4. In the Webhook section, click Add Webhook
  5. Type the name of the integration
  6. As URL, type https://intake.sekoia.io/plain?intake_key=<YOUR INTAKE KEY>
  7. Select Default as the payload format
  8. Select All threats as threats
  9. Click Save

Further readings