content/en/security/automation_pipelines/_index.md
Lines changed: 21 additions & 28 deletions
@@ -14,15 +14,7 @@ further_reading:
14
14
text: "Set Due Date Rules"
15
15
---
16
16
17
-
{{< callout btn_hidden="true">}}
18
-
Automation Pipelines is in Preview. To enroll and access the automated rules, you must register for each set of rules separately:
19
-
<ul><li><ahref="https://www.datadoghq.com/product-preview/security-automation-pipelines/">Mute and Assign Due Date</a></li>
20
-
<li><ahref="https://www.datadoghq.com/product-preview/customize-your-security-inbox/">Add to Security Inbox</a></li></ul>
21
-
{{< /callout >}}
22
-
23
-
Automation Pipelines allows you to set up automated rules for newly discovered vulnerabilities, thus accelerating triage and remediation efforts at scale.
Automation Pipelines allows you to set up automated rules for newly discovered findings, thus accelerating triage and remediation efforts at scale.
26
18
27
19
## Availability
28
20
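Review bot: deleting the Preview callout at the top of this hunk also deletes the only links to the two enrollment pages (Mute and Assign Due Date; Add to Security Inbox), and the mute, inbox and due date pages in this same commit drop their "Request Access" callouts as well. If Automation Pipelines has left Preview, state that under "Availability"; if it has not, keep an enrollment pointer here or on each rule page so readers still know how to get access.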
@@ -32,43 +24,44 @@ Automation Pipelines is available for:
32
24
- Attack paths
33
25
- Identity risks
34
26
- Vulnerabilities
27
+
- Application Code Vulnerability
28
+
- Application Library Vulnerability
29
+
- Container Image Vulnerability
30
+
- API Security Finding
31
+
- Host Vulnerability
35
32
36
33
## How it works
37
34
38
-
Automation Pipelines operates through a rules-based system that allows you to automate how new vulnerabilities are managed. Here's how it works:
35
+
Automation Pipelines operates through a rules-based system that allows you to automate how new findings are managed. Here's how it works:
39
36
40
-
-**Rule configuration**: Each rule consists of multiple criteria, designed to filter vulnerabilities based on specific attributes. Within a rule, the combination of these criteria operates as a logical AND; however, if any criteria include multiple values, those values operate as a logical OR. This structure gives you the flexibility to create rules that precisely target your needs.
41
-
-**Rule matching**: Automation Pipelines evaluates vulnerabilities against your rules in the order you've listed them. As each vulnerability is processed, Automation Pipelines moves through the list until it finds a matching rule, at which point the specified action—such as muting non-urgent issues or highlighting critical threats—is triggered.
37
+
-**Rule configuration**: Each rule consists of multiple criteria, designed to filter findings based on specific attributes. Within a rule, the combination of these criteria operates as a logical AND; however, if any criteria include multiple values, those values operate as a logical OR. This structure gives you the flexibility to create rules that precisely target your needs.
38
+
-**Rule matching**: Automation Pipelines evaluates findings against your rules in the order you've listed them. As each finding is processed, Automation Pipelines moves through the list until it finds a matching rule, at which point the specified action—such as muting non-urgent issues or highlighting critical threats—is triggered. Automation Pipeline rules apply immediately to new findings. For existing findings, updates can take up to two hours.
42
39
43
40
## Use cases
44
41
45
-
### Mute non-urgent findings so you can prioritize immediate threats
42
+
### Mute non-urgent findings to focus on what matters
46
43
47
-
Mitigate information overload by muting non-urgent findings, so you can focus on critical threats. This allows you to:
44
+
Reduce alert fatigue and prioritize critical threats by automatically muting non-urgent findings. This allows you to:
48
45
49
-
-**Proactively discard non-urgent findings**: Automatically filter out known scenarios that don't require immediate action, such as false positives or accepted risks, without manual intervention.
50
-
-**Focus on true risks**: Prioritize and address genuine threats, ensuring your attention is directed towards remediating real and pressing issues.
51
-
-**Streamline security alerts**: Eliminate noise from security alerts related to:
52
-
- Known false positives
53
-
- Resources deemed non-critical or unimportant
54
-
- Intentional vulnerabilities in controlled environments
55
-
- Ephemeral resources that naturally flag without posing long-term concerns
46
+
-**Automatically ignore low-priority issues**: Suppress known false positives, accepted risks, and other findings that don't require immediate action. No manual review is needed.
47
+
-**Prioritize real threats**: Keep your attention on high-impact alerts that demand investigation and remediation.
48
+
-**Declutter your alert stream**: Eliminate noise from false positives, non-critical resources, test or staging environments, and short-lived resources that trigger alerts but pose no long-term risk.
56
49
57
50
### Customize the Security Inbox to highlight what's important to your organization
58
51
59
52
Customize the Security Inbox by defining specific conditions that determine which security issues are highlighted. This allows you to:
60
53
61
-
-**Resurface issues not captured by default**: Highlight issues that might be missed by out-of-the-box or custom detection rules, ensuring no critical issue is overlooked.
54
+
-**Resurface issues not captured by default**: Highlight issues that might be missed by out-of-the-box or custom detection rules to ensure critical issues are not overlooked.
62
55
-**Strengthen compliance and address key system concerns**: Address concerns affecting regulatory compliance or important business systems, regardless of severity.
63
-
-**Prioritize current risks**: Focus on immediate threats, such as identity risks after an incident, or industry-wide vulnerabilities.
56
+
-**Prioritize current risks**: Focus on immediate threats, such as identity risks after an incident, or industry-wide findings.
64
57
65
-
### Set due dates for vulnerabilities to align with your security SLOs
58
+
### Set due dates for findings to align with your security SLAs
66
59
67
-
Assign deadlines for vulnerability remediation to ensure compliance and improve team accountability. This allows you to:
60
+
Assign remediation deadlines to findings to improve accountability and stay compliant with your security policies. This allows you to:
68
61
69
-
-**Align with compliance frameworks**: Automatically set due dates that conform to industry regulations like FedRAMP or PCI.
70
-
-**Enhance accountability**: Utilize security SLOs to hold teams responsible for timely vulnerability remediation, reducing the administrative burden of follow-upsand status checks.
71
-
-**Facilitate proactive risk management**: Encourage prompt action on vulnerabilities to mitigate the risk of exploitation, leveraging SLOs as a strategic tool to prioritize and expedite security tasks.
62
+
-**Stay compliant by design**: Automatically apply due dates that align with industry standards, such as FedRAMP, PCI, and others.
63
+
-**Drive accountability across teams**: Use SLAs to ensure timely remediation without constant follow-ups, giving security and engineering clear expectations.
64
+
-**Promote proactive risk management** Encourage faster response times and reduce exposure by using SLAs to prioritize and track remediation efforts.
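Review bot: the sentence added at the end of the **Rule matching** bullet, "For existing findings, updates can take up to two hours.", contradicts the mute, inbox and due date rule pages in this commit, which keep "starts checking existing findings within the next hour"; pick one figure and use it on every page. The use-case heading and bullets now say SLAs ("Set due dates for findings to align with your security SLAs"), while the due date rules page in this commit still says "within your specified SLO time frames"; settle on one term. Minor: the last added bullet, `**Promote proactive risk management** Encourage faster response times...`, is missing the colon after the bold label that the two bullets above it have.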
Automation Pipelines is in Preview. To enroll in the Preview for mute rules, click <strong>Request Access</strong>.
13
-
{{< /callout >}}
14
-
15
11
Configure mute rules to streamline security alerts by automatically filtering out non-urgent findings. This approach helps reduce noise from known false positives and accepted risks, allowing you to focus on addressing the most critical threats.
16
12
17
13
## Create a mute rule
18
14
19
15
1. On the [Automation Pipelines][2] page, click **Add a New Rule** and select **Mute**.
20
-
1. Enter a descriptive name for the rule, for example, **Cloud Infrastructure Anomaly Warnings**.
16
+
1. Enter a descriptive name for the rule, for example, **Compensating control in place for account payment-prod**.
21
17
1. Use the following boxes to configure the rule criteria:
22
18
-**Any of these types**: The types of findings that the rule should check for. Available types include:
23
19
-**Misconfiguration**
24
20
-**Attack Path**
25
21
-**Identity Risk**
26
22
-**API Security Finding**
23
+
-**Application Code Vulnerability**
24
+
-**Application Library Vulnerability**
25
+
-**Container Image Vulnerability**
26
+
-**API Security Finding**
27
+
-**Host Vulnerability**
27
28
-**Any of these tags or attributes**: The resource tags or attributes that must match for the rule to apply.
28
29
1. To add severity criteria to the rule, click **Add Severity**.
29
30
1. Specify the mute reason and duration:
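Review bot: the types list now contains **API Security Finding** twice, once as the unchanged line after **Identity Risk** and again as an added line between **Container Image Vulnerability** and **Host Vulnerability**; keep only one. If the list is meant to mirror the "Availability" list in `_index.md`, keeping the added copy (after **Container Image Vulnerability**) gives the same order as that page. The same duplicate appears in the inbox rules list in this commit.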
@@ -40,7 +41,7 @@ Configure mute rules to streamline security alerts by automatically filtering ou
40
41
41
42
## Rule matching order
42
43
43
-
When Datadog identifies a vulnerability, it evaluates the vulnerability against your sequence of mute rules. Starting with the first rule, if there's a match, Datadog mutes the vulnerability for the specified duration and stops evaluating further. If no match occurs, Datadog moves to the next rule. This process continues until a match is found or all rules are checked without a match.
44
+
When Datadog identifies a finding, it evaluates the finding against your sequence of mute rules. Starting with the first rule, if there's a match, Datadog mutes the finding for the specified duration and stops evaluating further. If no match occurs, Datadog moves to the next rule. This process continues until a match is found or all rules are checked without a match.
Automation Pipelines is in Preview. To enroll in the Preview for Add to Security Inbox rules, click <strong>Request Access</strong>.
16
-
{{< /callout >}}
17
-
18
14
Configure inbox rules to manage your Security Inbox effectively, ensuring only the most relevant security issues are highlighted. By customizing conditions, you can focus on critical concerns, prioritize key risks, support compliance, and bring attention to issues that might otherwise be overlooked.
19
15
20
16
## Create an inbox rule
@@ -27,13 +23,18 @@ Configure inbox rules to manage your Security Inbox effectively, ensuring only t
27
23
-**Attack Path**
28
24
-**Identity Risk**
29
25
-**API Security Finding**
26
+
-**Application Code Vulnerability**
27
+
-**Application Library Vulnerability**
28
+
-**Container Image Vulnerability**
29
+
-**API Security Finding**
30
+
-**Host Vulnerability**
30
31
-**Any of these tags or attributes**: The resource tags or attributes that must match for the rule to apply.
31
32
1. To add severity criteria to the rule, click **Add Severity**.
32
33
1. Click **Save**. The rule applies to new findings immediately and starts checking existing findings within the next hour.
33
34
34
35
## Rule matching order
35
36
36
-
When Datadog identifies a vulnerability, it evaluates the vulnerability against your sequence of inbox rules. Starting with the first rule, if there's a match, Datadog adds the vulnerability to the Security Inbox and stops evaluating further. If no match occurs, Datadog moves to the next rule. This process continues until a match is found or all rules are checked without a match.
37
+
When Datadog identifies a finding, it evaluates the finding against your sequence of inbox rules. Starting with the first rule, if there's a match, Datadog adds the finding to the Security Inbox and stops evaluating further. If no match occurs, Datadog moves to the next rule. This process continues until a match is found or all rules are checked without a match.
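Review bot: same duplicate as on the mute rules page: **API Security Finding** appears as unchanged context after **Identity Risk** and again as an added line before **Host Vulnerability**; remove one. The unchanged Save step, "The rule applies to new findings immediately and starts checking existing findings within the next hour", also conflicts with the "up to two hours" figure added to `_index.md` in this commit.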
Automation Pipelines is in Preview. To enroll in the Preview for due date rules, click <strong>Request Access</strong>.
11
-
{{< /callout >}}
12
-
13
-
Configure due date rules to ensure vulnerabilities are addressed within your specified SLO time frames. By setting these due dates, you can automate accountability, meet compliance requirements, and prioritize the prompt remediation of security issues, thereby preventing potential exploitation.
9
+
Configure due date rules to ensure findings are addressed within your specified SLO time frames. By setting these due dates, you can automate accountability, meet compliance requirements, and prioritize the prompt remediation of security issues, thereby preventing potential exploitation.
14
10
15
11
## Create a due date rule
16
12
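Review bot: the rewritten intro keeps "within your specified SLO time frames" while `_index.md` in this commit switches the same use case from SLOs to SLAs; use one term across the pages, and if both are intended, say which applies where.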
@@ -25,8 +21,9 @@ Configure due date rules to ensure vulnerabilities are addressed within your spe
25
21
-**Attack Path**
26
22
-**Identity Risk**
27
23
-**API Security Finding**
24
+
-**Host Vulnerability**
28
25
-**Any of these tags or attributes**: The resource tags or attributes that must match for the rule to apply.
29
-
1. Set a due date for each severity level that requires one, effective from the discovery of a matching severity vulnerability.
26
+
1. Set a due date for each severity level that needs one. The due date starts from when the matching finding was discovered, not when the rule was created.
30
27
1. Click **Save**. The rule applies to new findings immediately and starts checking existing findings within the next hour.
31
28
32
29
## Where due dates appear
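Review bot: this types list adds only **Host Vulnerability**, whereas the mute and inbox rule pages in this commit also add **Application Code Vulnerability**, **Application Library Vulnerability** and **Container Image Vulnerability**, and the "Availability" list in `_index.md` lists all of them. If due date rules do not support those three types, say so in the intro; otherwise add them here. The rewritten due date step ("The due date starts from when the matching finding was discovered, not when the rule was created.") is a clear improvement, but the unchanged "within the next hour" claim in the Save step again differs from the "up to two hours" added in `_index.md`.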
@@ -41,16 +38,16 @@ When a finding has a due date, you can see it in these locations:
41
38
42
39
## Rule matching order
43
40
44
-
When Datadog identifies a vulnerability, it evaluates the vulnerability against your sequence of due date rules. Starting with the first rule, if there's a match, Datadog sets a due date on the vulnerability for the specified duration and stops evaluating further. If no match occurs, Datadog moves to the next rule. This process continues until a match is found or all rules are checked without a match.
41
+
When Datadog identifies a finding, it evaluates the finding against your sequence of due date rules. Starting with the first rule, if there's a match, Datadog sets a due date on the finding for the specified duration and stops evaluating further. If no match occurs, Datadog moves to the next rule. This process continues until a match is found or all rules are checked without a match.
45
42
46
43
## Removing due dates
47
44
48
-
When managing vulnerabilities, due dates can be removed under various conditions, such as:
45
+
When managing findings, due dates can be removed under various conditions, such as:
49
46
50
-
- The detection rule that triggered the vulnerability passes successfully.
51
-
- The vulnerability is muted, either manually or automatically through a mute rule.
52
-
- The due date rule associated with the vulnerability is disabled or deleted.
53
-
- The associated due date rule is modified so that its criteria no longer match the vulnerability.
47
+
- The detection rule that triggered the finding passes successfully.
48
+
- The finding is muted, either manually or automatically through a mute rule.
49
+
- The due date rule associated with the finding is disabled or deleted.
50
+
- The associated due date rule is modified so that its criteria no longer match the finding.
Automation Pipelines is in Preview. To enroll in the Preview for Add to Security Inbox rules, click <strong>Request Access</strong>.
74
-
{{< /callout >}}
75
-
76
72
Automation Pipelines enables you to configure rules that customize your Security Inbox, allowing you to highlight issues that are critical to your organization. By setting up these automated rules, you can streamline the management of newly discovered vulnerabilities, enhancing triage and remediation efforts at scale. Leveraging both the Automation Pipelines and Add to Security Inbox rules, you can optimize your security operations in the following ways:
77
73
78
74
-**Resurface issues not captured by default**: Highlight issues that might be missed by default or custom detection rules, ensuring no critical issue is overlooked.
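Review bot: the unchanged context line "streamline the management of newly discovered vulnerabilities" still uses the old term; since this commit renames "vulnerabilities" to "findings" everywhere else, update this sentence in the same change. The removed callout here also drops the "Request Access" link for Add to Security Inbox rules, so the note from `_index.md` about keeping an enrollment pointer applies here too.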