mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-17 21:19:40 +03:00
c21af3347e
- Add scripts/agent.py and references/api-reference.md to all remaining skills - Update all 648 LICENSE files: copyright now reads 'Mahipal' - Add implementing-security-monitoring-with-datadog (new skill with full anatomy) - All 649 skills now have: SKILL.md, LICENSE, scripts/agent.py, references/api-reference.md
3.4 KiB
3.4 KiB
API Reference: Implementing Security Monitoring with Datadog
Datadog Security Monitoring API
| Endpoint | Method | Description |
|---|---|---|
/api/v2/security_monitoring/rules |
GET | List all detection rules |
/api/v2/security_monitoring/rules |
POST | Create detection rule |
/api/v2/security_monitoring/rules/{id} |
GET | Get rule details |
/api/v2/security_monitoring/signals/search |
POST | Search security signals |
/api/v2/security_monitoring/signals/{id} |
GET | Get signal details |
/api/v2/security_monitoring/signals/{id}/assignee |
PATCH | Update signal assignee |
/api/v2/security_monitoring/signals/{id}/state |
PATCH | Update signal state |
/api/v1/logs/config/pipelines |
GET | List log pipelines |
/api/v1/logs/config/indexes |
GET | List log indexes |
/api/v1/monitor |
GET | List all monitors |
Authentication
# All requests require both keys
curl -X GET "https://api.datadoghq.com/api/v2/security_monitoring/rules" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"
Python SDK (datadog-api-client)
from datadog_api_client import Configuration, ApiClient
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
configuration = Configuration()
# Keys read from DD_API_KEY and DD_APP_KEY env vars automatically
with ApiClient(configuration) as api_client:
api = SecurityMonitoringApi(api_client)
rules = api.list_security_monitoring_rules()
signals = api.search_security_monitoring_signals(
body={"filter": {"query": "status:critical", "from": "now-24h", "to": "now"}}
)
Detection Rule Types
| Type | Source | Use Case |
|---|---|---|
| Log Detection | Ingested logs | SIEM correlation rules |
| Cloud Configuration | Cloud accounts | CSPM compliance checks |
| Infrastructure Configuration | Agent hosts | Host security posture |
| Application Security | APM traces | WAF and attack detection |
| Signal Correlation | Security signals | Multi-signal chaining |
Signal Severity Levels
| Severity | Triage Priority | Example |
|---|---|---|
| CRITICAL | Immediate | Active exploitation detected |
| HIGH | < 4 hours | Credential compromise |
| MEDIUM | < 24 hours | Policy violation |
| LOW | Next review cycle | Informational anomaly |
| INFO | No action | Audit trail |
Log Source Integration
# datadog.yaml agent configuration
logs_enabled: true
logs_config:
container_collect_all: true
# Security-relevant log sources
# conf.d/auth.d/conf.yaml
logs:
- type: file
path: /var/log/auth.log
service: sshd
source: syslog
tags: ["security:authentication"]
Cloud SIEM Rule Query Syntax
# Failed SSH logins from single IP
source:syslog service:sshd @evt.outcome:failure | count by @network.client.ip > 10
# AWS root account usage
source:cloudtrail @userIdentity.type:Root @evt.name:ConsoleLogin
# Kubernetes privileged container
source:kubernetes @objectRef.resource:pods @requestObject.spec.containers.securityContext.privileged:true
References
- Datadog Security Monitoring API: https://docs.datadoghq.com/api/latest/security-monitoring/
- Datadog Cloud SIEM: https://docs.datadoghq.com/security/cloud_siem/
- Detection Rules: https://docs.datadoghq.com/security/detection_rules/
- datadog-api-client-python: https://github.com/DataDog/datadog-api-client-python