1. Setting up real-time alerts for unexpected user behavior using DataDog Security Monitoring Rules


    To set up real-time alerts for unexpected user behavior using DataDog Security Monitoring Rules, you'll be creating a security monitoring rule in DataDog that triggers alerts based on the conditions specified in the rule. The alerts can be customized to be triggered when certain thresholds are reached or when specific behaviors are detected that are considered out of the ordinary.

    In Pulumi, you use the datadog.SecurityMonitoringRule resource to set up such a rule. This resource allows you to define the details of the rule, such as the query to evaluate, what constitutes a trigger, and the notifications to send out if the rule is triggered.

    The rule's cases property is where you specify different scenarios that should trigger an alert. For each case, you can set a status (like 'info', 'warning', or 'critical'), and what notifications to send. These notifications could be sent to an email, a DataDog event stream, or integrated with collaboration tools like Slack or PagerDuty.

    The queries define what behavior is being monitored. In our program, we will define a query that looks for unexpected user behavior, such as multiple failed login attempts or deviation from usual command patterns.

    Below is a Pulumi program in TypeScript that creates a simple DataDog Security Monitoring Rule. The rule monitors for a generic form of unexpected user behavior; adjust the query and the case condition to your specific use case:

```typescript
import * as pulumi from "@pulumi/pulumi";
import * as datadog from "@pulumi/datadog";

// Create a new security monitoring rule
const rule = new datadog.SecurityMonitoringRule("unexpectedUserBehaviorRule", {
    // Name shown in the DataDog security rules list (required by the provider)
    name: "Unexpected user behavior",
    // Message included in notifications when the rule triggers
    message: "User behavior deviated from the norm. Review for potential security threat.",
    // Define the query to execute. Adjust this query according to your use case,
    // for example to monitor for multiple failed login attempts.
    queries: [{
        name: "unexpected_behavior",
        query: "type:user_login_failed status:error",
        aggregation: "count",
        groupByFields: [],
        distinctFields: [],
        metrics: [],
    }],
    // Define the cases for what triggers the rule. A case condition refers to a
    // query by its name, not by an aggregation call.
    cases: [{
        name: "High number of failed logins",
        status: "critical", // Valid values: "info", "low", "medium", "high", "critical".
        condition: "unexpected_behavior > 100", // Adjust to what you consider critical.
        notifications: ["@pagerduty"], // Notify via PagerDuty. Can also use "@slack-<channel>" or email handles.
    }],
    // Additional options (all durations are in seconds)
    options: {
        evaluationWindow: 300,
        keepAlive: 3600,
        maxSignalDuration: 7200,
    },
    // Enable or disable the rule
    enabled: true,
});

// Export the ID of the new rule
export const ruleId = rule.id;
```

    Explanation

    • SecurityMonitoringRule: This is a resource provided by the DataDog Pulumi provider to define a security monitoring rule.
    • message: Text to include with notifications when the rule is triggered.
    • queries: Part of the rule that specifies what to monitor. Adjust the query to match what behavior you consider unexpected.
    • cases: The conditions under which alerts should be triggered. You can have multiple cases for different severity levels or conditions.
    • notifications: Specify where alerts should be sent. Could be email, a DataDog event stream, a Slack channel, PagerDuty, etc.
    • options: Control additional rule settings like how long a case must be true before considering it to be "currently true" (keepAlive) or the maximum duration for the signal to be maintained regardless of the query results (maxSignalDuration).
    • enabled: Allows you to enable (true) or disable (false) the security monitoring rule.

    Remember to adjust the query and condition in the cases to reflect the specific metrics or logs that indicate unexpected behavior for your use case.
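    As an added example that is not part of the original program, the helper below builds the queries and cases for a tiered version of the same rule (several severity levels for failed logins, grouped per user) and checks the two mistakes that most often get a rule rejected: a case status outside the accepted set and a condition that does not reference a defined query name. The object shapes mirror the provider's argument objects so the result can be passed to datadog.SecurityMonitoringRule; they are declared locally (an assumption) so the file runs without the provider installed.

```typescript
// Local shapes mirroring the Pulumi DataDog provider's query and case arguments (assumed here).
type RuleQuery = { name: string; query: string; aggregation: string; groupByFields: string[] };
type RuleCase = { name: string; status: string; condition: string; notifications: string[] };
type Tier = { status: string; count: number; notify: string[] };

// Severities accepted for security monitoring rule cases.
const VALID_STATUSES = ["info", "low", "medium", "high", "critical"];

// Builds one query and one case per severity tier. Cases are ordered from the
// highest threshold down because DataDog evaluates cases in order and the first
// matching case produces the signal; a low tier listed first would always win.
function buildTieredFailedLoginRule(tiers: Tier[]): { queries: RuleQuery[]; cases: RuleCase[] } {
    const query: RuleQuery = {
        name: "failed_logins",
        query: "type:user_login_failed", // constructed placeholder search; adjust to your log source
        aggregation: "count",
        groupByFields: ["@usr.id"], // one signal per user rather than one global counter
    };
    const cases: RuleCase[] = [...tiers]
        .sort((a, b) => b.count - a.count)
        .map((t) => ({
            name: `${t.status}: more than ${t.count} failed logins per user`,
            status: t.status,
            condition: `${query.name} > ${t.count}`, // condition references the query by name
            notifications: t.notify,
        }));
    return { queries: [query], cases };
}

// Returns a list of problems; an empty list means the rule passes both checks.
function validateRule(args: { queries: RuleQuery[]; cases: RuleCase[] }): string[] {
    const errors: string[] = [];
    const queryNames = new Set(args.queries.map((q) => q.name));
    for (const c of args.cases) {
        if (VALID_STATUSES.indexOf(c.status) === -1) {
            errors.push(`case "${c.name}": invalid status "${c.status}"`);
        }
        // Identifiers in the condition must all be query names.
        const refs = c.condition.match(/[A-Za-z_][A-Za-z0-9_]*/g) || [];
        for (const r of refs) {
            if (!queryNames.has(r)) {
                errors.push(`case "${c.name}": condition references unknown query "${r}"`);
            }
        }
    }
    return errors;
}
```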