mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-17 21:19:40 +03:00
c21af3347e
- Add scripts/agent.py and references/api-reference.md to all remaining skills - Update all 648 LICENSE files: copyright now reads 'Mahipal' - Add implementing-security-monitoring-with-datadog (new skill with full anatomy) - All 649 skills now have: SKILL.md, LICENSE, scripts/agent.py, references/api-reference.md
101 lines
3.4 KiB
Markdown
101 lines
3.4 KiB
Markdown
# API Reference: Implementing Security Monitoring with Datadog
|
|
|
|
## Datadog Security Monitoring API
|
|
|
|
| Endpoint | Method | Description |
|
|
|----------|--------|-------------|
|
|
| `/api/v2/security_monitoring/rules` | GET | List all detection rules |
|
|
| `/api/v2/security_monitoring/rules` | POST | Create detection rule |
|
|
| `/api/v2/security_monitoring/rules/{id}` | GET | Get rule details |
|
|
| `/api/v2/security_monitoring/signals/search` | POST | Search security signals |
|
|
| `/api/v2/security_monitoring/signals/{id}` | GET | Get signal details |
|
|
| `/api/v2/security_monitoring/signals/{id}/assignee` | PATCH | Update signal assignee |
|
|
| `/api/v2/security_monitoring/signals/{id}/state` | PATCH | Update signal state |
|
|
| `/api/v1/logs/config/pipelines` | GET | List log pipelines |
|
|
| `/api/v1/logs/config/indexes` | GET | List log indexes |
|
|
| `/api/v1/monitor` | GET | List all monitors |
|
|
|
|
## Authentication
|
|
|
|
```bash
|
|
# All requests require both keys
|
|
curl -X GET "https://api.datadoghq.com/api/v2/security_monitoring/rules" \
|
|
-H "DD-API-KEY: ${DD_API_KEY}" \
|
|
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"
|
|
```
|
|
|
|
## Python SDK (datadog-api-client)
|
|
|
|
```python
|
|
from datadog_api_client import Configuration, ApiClient
|
|
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
|
|
|
|
configuration = Configuration()
|
|
# Keys read from DD_API_KEY and DD_APP_KEY env vars automatically
|
|
|
|
with ApiClient(configuration) as api_client:
|
|
api = SecurityMonitoringApi(api_client)
|
|
rules = api.list_security_monitoring_rules()
|
|
signals = api.search_security_monitoring_signals(
|
|
body={"filter": {"query": "status:critical", "from": "now-24h", "to": "now"}}
|
|
)
|
|
```
|
|
|
|
## Detection Rule Types
|
|
|
|
| Type | Source | Use Case |
|
|
|------|--------|----------|
|
|
| Log Detection | Ingested logs | SIEM correlation rules |
|
|
| Cloud Configuration | Cloud accounts | CSPM compliance checks |
|
|
| Infrastructure Configuration | Agent hosts | Host security posture |
|
|
| Application Security | APM traces | WAF and attack detection |
|
|
| Signal Correlation | Security signals | Multi-signal chaining |
|
|
|
|
## Signal Severity Levels
|
|
|
|
| Severity | Triage Priority | Example |
|
|
|----------|----------------|---------|
|
|
| CRITICAL | Immediate | Active exploitation detected |
|
|
| HIGH | < 4 hours | Credential compromise |
|
|
| MEDIUM | < 24 hours | Policy violation |
|
|
| LOW | Next review cycle | Informational anomaly |
|
|
| INFO | No action | Audit trail |
|
|
|
|
## Log Source Integration
|
|
|
|
```yaml
|
|
# datadog.yaml agent configuration
|
|
logs_enabled: true
|
|
logs_config:
|
|
container_collect_all: true
|
|
|
|
# Security-relevant log sources
|
|
# conf.d/auth.d/conf.yaml
|
|
logs:
|
|
- type: file
|
|
path: /var/log/auth.log
|
|
service: sshd
|
|
source: syslog
|
|
tags: ["security:authentication"]
|
|
```
|
|
|
|
## Cloud SIEM Rule Query Syntax
|
|
|
|
```
|
|
# Failed SSH logins from single IP
|
|
source:syslog service:sshd @evt.outcome:failure | count by @network.client.ip > 10
|
|
|
|
# AWS root account usage
|
|
source:cloudtrail @userIdentity.type:Root @evt.name:ConsoleLogin
|
|
|
|
# Kubernetes privileged container
|
|
source:kubernetes @objectRef.resource:pods @requestObject.spec.containers.securityContext.privileged:true
|
|
```
|
|
|
|
### References
|
|
|
|
- Datadog Security Monitoring API: https://docs.datadoghq.com/api/latest/security-monitoring/
|
|
- Datadog Cloud SIEM: https://docs.datadoghq.com/security/cloud_siem/
|
|
- Detection Rules: https://docs.datadoghq.com/security/detection_rules/
|
|
- datadog-api-client-python: https://github.com/DataDog/datadog-api-client-python
|