Security teams face a constant trade-off between detection coverage and alert fatigue. Broad, rule-based detection approaches surface every possible indicator of compromise (IoC) but generate unmanageable alert volumes. Narrow, tightly scoped rules reduce noise but risk missing critical signals. And while individual indicators of compromise can highlight suspicious behavior, they often lack the surrounding context needed to tell a complete story of how an attack unfolded. For example, detecting a container that is installing curl could suggest data exfiltration or it could just be a routine operation. Investigators need context, correlation, and a clear narrative to distinguish between benign activity and real compromise.
The latest evolution of Datadog Workload Protection addresses this challenge by introducing new features that transform disconnected runtime signals into unified, narrative-driven investigations. The first two pillars of this new experience—Execution Contexts and an all-new Investigation Graph and Threat Timeline (currently in Preview)—help security analysts connect related events, prioritize genuine threats, and visualize the full attack path from initial exploit to impact.
In this post, we’ll explore how you can:
Runtime security signals are most useful when they can be understood in relation to one another. Workload Protection’s new Execution Context automatically groups runtime events that belong to the same process lineage or exploitation chain, helping you see how an attack evolves over time rather than responding to each alert in isolation.
For example, if an attacker exploits a shell injection vulnerability and then modifies cron jobs or query instance metadata, those actions are now grouped together under a single Execution Context. This grouping eliminates fragmented alerts and enables investigators to focus on the broader compromise attempt rather than chasing individual anomalies.
Each event detected by Workload Protection is tagged with a correlation key that associates it with others in the same execution chain. This correlation key can be in two forms:
To ensure accuracy, Workload Protection intelligently handles context inheritance (for example, by propagating the same correlation key from a compromised process to all its child processes) and prioritizes overlapping contexts when needed.
Starting with the Datadog Agent version 7.68, Workload Protection supports five built-in Execution Context layers designed to capture the most common runtime scenarios:
By grouping events intelligently, these contexts dramatically improve alert fidelity, helping analysts quickly identify real compromises and dismiss noise.
Once related events are correlated, investigators need a way to explore them visually. The Investigation Graph provides a dynamic, visual map of processes, resources, and runtime events that shows how an attack unfolded step by step across services, hosts, and containers.
To give analysts a complete picture of what’s happening in an environment, the Investigation Graph merges process trees, deduplicates repetitive activity, and surfaces contextual details such as:
You can also directly pivot to other telemetry data, such as that surfaced by Datadog Cloud SIEM or Infrastructure Monitoring, to validate configuration weaknesses or operational anomalies connected to the same incident. With this unified visualization, the Investigation Graph turns a collection of runtime alerts into an interactive threat map, helping teams move from detection to understanding much faster.
While the Investigation Graph shows relationships, analysts also need to understand when each step occurred. The new Threat Timeline presents a chronological narrative of every event within a correlated threat story.
The Threat Timeline combines all correlated events, triage statuses, and recommended actions into a single view. This helps teams retrace an attacker’s movements from the initial exploit to subsequent lateral actions, without needing to toggle between dashboards or tools. Each event includes contextual details and links to correlated metrics, logs, and traces. This gives responders the information they need to make fast, informed decisions.
These new investigation capabilities mark the beginning of a broader shift in how Datadog Workload Protection helps security teams analyze threats. Soon, correlation will extend beyond runtime telemetry data to include context from infrastructure, cloud configurations, and even application performance data. By connecting runtime signals to higher-level operational and configuration insights, Datadog will help you understand not just what happened but how and why it happened, and where the next threat might emerge.
The new investigation experience in Datadog Workload Protection helps analysts focus on what matters most by transforming fragmented signals into coherent attack stories. With correlated contexts, interactive visualizations, and narrative timelines, security teams can accelerate investigation, reduce noise, and make data-driven triage decisions across their environments.
To learn more, see the Workload Protection documentation. The Investigation Graph and Threat Timeline are currently in Preview; if you’re interested in early access, contact your Datadog representative. If you’re new to Datadog, sign up for a 14-day free trial.
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。