From USM Anywhere, you can send an alarm or event notification to your Datadog event console so that team members are alerted. This facilitates communication and collaboration within the same messaging tool that your organization uses for infrastructure monitoring. When you have this integration configured in USM Anywhere, you can create orchestration rules to automatically send these notifications when an eventAny traffic or data exchange detected by AT&T Cybersecurity products through a sensor, or through external devices such as a firewall. or alarmAlarms provide notification of an event or sequence of events that require attention or investigation. matches the rule criteria.
See https://www.alienvault.com/pricing for more information about the feature and data support provided by each of the USM Anywhere editions.
Note: While direct integration with USM Anywhere is the easiest and most straightforward way to send messages to your Datadog environment from USM Anywhere, you can use the Amazon SNS messaging service as an alternative. In this case, you create the API key in Datadog and then set up the integration in the Lambda function that you created in AWS to support USM Anywhere messaging (see Sending Notifications Through Amazon SNS and Set Up a Datadog Events Integration Through Amazon SNS).
Datadog provides a mechanism to create API keys as a way to post data from external sources into Datadog events. All requests to the Datadog API must be authenticated. Requests that write data require reporting access and require an API key. You must first create this API key to configure the integration with USM Anywhere.
To create the API key for Datadog
- Log in to your Datadog account and go to https://app.datadoghq.com/account/settings#api.
For the New API key, enter a name for the key and click Create API key.
Make sure to copy the generated key value and store it in a secured location.
(Amazon SNS Only) For the New application key, click Create Application key and copy the generated value.
Note: This key is not used for a direct integration with USM Anywhere. However, if you plan to use the Amazon SNS messaging service for a custom integration, any requests that read data require full access and an application key.
After you have generated and copied the API key for your Datadog environment, you can configure USM Anywhere for Datadog notifications. After this configuration is in place, any orchestration rules set up for Datadog notification will send the triggered notification to your Datadog events.
To configure the connection between Datadog events and USM Anywhere
Create an orchestration rule to match new alarms or events and trigger a notification to Datadog events. You can use an existing alarm or event with the desired characteristics to easily set the matching conditions for the rule.
To create an orchestration rule to trigger a Datadog notification
- Go to Activity > Alarms or Activity > Events.
- Click the alarm or event to open the details.
Click Create Rule and select Create Notification Rule.
Enter the Rule Name and set the matching conditions you want for the rule.
The Create Rule dialog box displays property values for the selected alarm or event that you can use to specify the match conditions. For more information, see Orchestration Rules.
- For Notification Method, select the Datadog option.
Set the Datadog Priority.
At the bottom of the dialog box, set the Rule Condition parameters to specify the criteria for a matching alarm or event to trigger the rule.
- If you create the rule from an applied action, this section provides suggested property/value pairs from the selected alarm or event that you can use as conditions for the rule. Click the icon to delete the items that you do not want to include in the matching conditions. You can also add other conditions that are not suggested.
- If you create the rule from the Rules page, you must use the Add Condition and Add Group functions to define the property/value pairs that you want to use as conditions for the rule.
- At the bottom of the dialog box, click More to display the optional multiple occurrence and window length parameters.
Select an operator and add one or more conditions to form the conditional expression. You can include a condition group to evaluate a subset of conditions. The Current Rule box displays the constructed expression in standard syntax. The box displays a red border if the expression is syntactically invalid as currently specified. A valid expression is required to save the rule definition.
Select the operator used to determine the match for multiple conditions:
- Select AND to match all conditions.
- Select OR to match any one condition.
- Select AND NOT to exclude items matching all conditions after the first.
- Select OR NOT to include all items that do not match any conditions after the first.
Click Add Condition to add a condition. For each condition, specify the field name, evaluator, and value. If the evaluation returns true for the condition, it is a match.
Click Add Group to add a condition group. A new group includes a condition and its own operator used to match the conditions within the group. You can nest condition groups.Occurrences
Specify the number of event or alarm occurrences that produce a match on the conditional expression to trigger the rule. The default value is 1. You can enter the number of occurrences or use the arrow to scroll the value up or down.
USM Anywhere uses this in conjunction with the Length option to specify the number of occurrences within a time period that will trigger the rule. For example, you can define a rule to trigger for an unauthorized access attempt when a failed SSHProgram to securely log into another computer over a network, to execute commands in a remote machine, and to move files from one machine to another through Secure Copy (SCP). login occurs three times within a five minute window.Length
Specify the length of the window to identify a match for multiple occurrences. Enter the number and choose a time unit value of seconds, minutes, or hours. This time period identifies the amount of time that transpires from the first occurrence to the last occurrence. If the number of occurrences is not met within this period, the rule does not trigger.
- Click Save Rule.
If you prefer to use Amazon SNS to forward notifications to your Datadog Events, you can add the API key to the Lambda function in your AWS account.
Important: For this integration type, you do not add the Datadog API key in USM Anywhere. When you create the orchestration rule, you select the Amazon SNS notification method.
Before you can complete this integration, you must have an SNS topic and a Lambda Function for USM Anywhere notifications set up in your AWS account (see Setting Up an SNS Topic and a Lambda Function) and a Datadog API key (see Create a Datadog API Key).
To integrate USM Anywhere notifications with Datadog Events through Amazon SNS
In the Lambda function code, paste this code and replace [INSERT_DATADOG_API_KEY] and [INSERT_DATADOG_APPLICATION_KEY] with your Datadog keys.
You can also modify the Datadog fields and adapt them to your environment, similar to the following:
alert_type = "info" default_priority = "normal" default_tags = ["environment:test", "security"] send_payload = True
Use the default Role setting (Create a new role from templates) and specify the Role name as lambda_basic_execution.
- Expand the Advanced settings and set the Timeout to 10 seconds.
- Click Next.
- Click Create function.
To check the integration with Datadog
- Go to your Lambda function, click Monitoring, and verify that the Invocation Count graph shows some data.
Click View logs in CloudWatch and open the last entry.
You should see entries similar to the following:
- Go to the Datadog event URL and check that you see the USM Anywhere alarm in the Datadog console.