惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

L
LangChain Blog
C
Check Point Blog
博客园 - Franky
V
Visual Studio Blog
云风的 BLOG
云风的 BLOG
aimingoo的专栏
aimingoo的专栏
Microsoft Security Blog
Microsoft Security Blog
V2EX - 技术
V2EX - 技术
AI
AI
Hacker News - Newest:
Hacker News - Newest: "LLM"
Jina AI
Jina AI
S
Security @ Cisco Blogs
Security Archives - TechRepublic
Security Archives - TechRepublic
H
Hacker News: Front Page
H
Hackread – Cybersecurity News, Data Breaches, AI and More
O
OpenAI News
Attack and Defense Labs
Attack and Defense Labs
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
爱范儿
爱范儿
H
Heimdal Security Blog
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
G
Google Developers Blog
G
GRAHAM CLULEY
V
V2EX
The Register - Security
The Register - Security
人人都是产品经理
人人都是产品经理
B
Blog RSS Feed
Schneier on Security
Schneier on Security
M
MIT News - Artificial intelligence
Stack Overflow Blog
Stack Overflow Blog
Help Net Security
Help Net Security
大猫的无限游戏
大猫的无限游戏
C
CERT Recently Published Vulnerability Notes
The GitHub Blog
The GitHub Blog
V
Vulnerabilities – Threatpost
The Last Watchdog
The Last Watchdog
J
Java Code Geeks
S
Secure Thoughts
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
量子位
NISL@THU
NISL@THU
K
Kaspersky official blog
Engineering at Meta
Engineering at Meta
T
Threatpost
Recent Commits to openclaw:main
Recent Commits to openclaw:main
宝玉的分享
宝玉的分享
Security Latest
Security Latest
T
The Exploit Database - CXSecurity.com
博客园_首页
A
Arctic Wolf

Datadog | The Monitor blog

Introducing our open source AI-native SAST Instrument and monitor Boomi integration flows with OpenTelemetry and Datadog Not all index scans are equal: How we cut query latency by over 99% Platform engineering metrics: What to measure and what to ignore Integrate Recorded Future threat intelligence with Datadog Cloud SIEM CI/CD security: threat modeling using a MITRE-style threat matrix CI/CD security: How to secure your GitHub ecosystem Ingress NGINX is EOL: A practical guide for migrating to Kubernetes Gateway API Operating agentic AI with Amazon Bedrock AgentCore and Datadog LLM Observability: Lessons from NTT DATA Introducing the Datadog Code Security MCP Capture and analyze custom heatmaps in Session Replay Understand session replays faster with AI summaries and smart chapters Monitor ClickHouse query performance with Datadog Database Monitoring How we designed empathetic alert sounds for on-call engineers Search and act across Datadog to resolve issues faster with Bits Assistant Measure the business impact of every product change with Datadog Experiments Analyzing round trip query latency Configuring JavaScript caches for better performance Introducing Bits AI Dev Agent for Code Security Datadog achieves ISO 42001 certification for responsible AI Monitor Nutanix clusters, hosts, and VMs with Datadog Monitor Juniper Mist in Datadog A new Host Map for modern infrastructure Annotate traces to improve LLM quality with Datadog LLM Observability What’s new in Cloud SIEM: AI-powered investigations, enhanced threat intelligence, and scalable security operations Explore Kubernetes with native OpenTelemetry data Monitor Oracle Fusion Cloud Applications with Datadog Announcing the Datadog Terraform provider v4.0.0 Scaling Kubernetes workloads on custom metrics How to design cloud environments for AI-powered threat analysis Monitor Aruba Central in Datadog How we centralize and remediate risks with Datadog Case Management Accelerate incident response with Datadog and ServiceNow Monitor your application and network load balancer logs Understanding Karpenter architecture for Kubernetes autoscaling Tools for collecting metrics and logs from Karpenter Monitor Karpenter with Datadog What your product data is actually saying Key metrics for monitoring Karpenter Securing Datadog’s platform in the AI age: The role of observability data Four ways engineering teams use the Datadog MCP Server to power AI agents Approaching your observability migration with the right mindset Meet the new Bits AI SRE: Deeper reasoning, twice as fast Key learnings from the 2026 State of DevSecOps study Use plain English to query your multi-cloud infrastructure in Resource Catalog Simplifying troubleshooting across the user journey with Datadog Synthetic Monitoring Protect your OCI resources with Datadog Cloud Security This Month in Datadog - February 2026 Amazon EC2 security: How misconfigured and public AMIs expand your cloud attack surface Enable end-to-end visibility into your Java apps with a single command Measure and improve mobile app startup performance with Datadog RUM Evaluating our AI Guard application to improve quality and control cost Identify untested code across every level of your codebase Make use of guardrail metrics and stop babysitting your releases Monitor Versa Networks SD-WAN performance in Datadog Improve performance and reliability with APM Recommendations Remediate transitive vulnerabilities faster with Datadog Software Composition Analysis Generate audit-ready vulnerability and compliance reports with Datadog Sheets Monitor Fortinet FortiManager performance in Datadog Improve test coverage across codebases with Datadog Code Coverage Move fast, don’t break things: Consistent testing standards at scale Enrich logs with ServiceNow CMDB context before routing to any SIEM or logging tool Monitor Lustre with Datadog Make faster, better product decisions with Datadog Product Analytics Surface and remediate runtime posture issues with Workload Protection Findings Protect agentic AI applications with Datadog AI Guard How to optimize JavaScript code with CSS Trace Google Pub/Sub workloads in Cloud Run with Datadog Detect human names in logs with ML in Sensitive Data Scanner How we cut our NLQ agent debugging time from hours to minutes with LLM Observability Debug PostgreSQL query latency faster with EXPLAIN ANALYZE in Datadog Database Monitoring Datadog acquires Propolis Unify and correlate frontend and backend data with retention filters Scale compliance across global frameworks with Datadog Cloud Security Monitor Arista VeloCloud SD-WAN performance with Datadog Building reliable dashboard agents with Datadog LLM Observability Simplify log collection and aggregation for MSSPs with Datadog Observability Pipelines Mitigation for Node.js denial-of-service vulnerability affecting Datadog APM Automate flaky test fixes with the Bits AI Dev Agent and Test Optimization How we built an AI SRE agent that investigates like a team of engineers Datadog integrations 2025 recap: Observability for AI, security, and hybrid cloud Design effective executive dashboards with Datadog Implement dbt data quality checks with dbt-expectations Bring faster visibility into AWS Lambda functions with remote instrumentation Troubleshoot faster with the GitLab Source Code integration in Datadog How Cambia Health Solutions saved $30,000 monthly with Cloud Cost Management and the Datadog Resource Catalog Normalize any logs for Cloud SIEM with Datadog's OCSF processor Optimizing Datadog at scale: Cost-efficient observability at Zendesk Detect, diagnose, and resolve network issues easily with CNM Network Health Connect engineering errors to user impact in early-stage products Cilium configuration for Kubernetes operations at scale Designing feedback loops for progressive delivery Ship features faster and safer with Datadog Feature Flags Choosing the right OpenTelemetry Collector distribution Route your monitor alerts with Datadog monitor notification rules Automate Cloud SIEM investigations with Bits AI Security Analyst Cloud threat detection: How to identify risky activity across control and data planes Collecting Kafka performance metrics Monitoring Kafka with Datadog Monitoring Kafka performance metrics
Monitor AWS WAF activity with Datadog
2024-06-04 · via Datadog | The Monitor blog

In Part 2 of this series, we looked at Amazon’s built-in monitoring services for AWS WAF activity and audit logs. In this post, we’ll demonstrate how Datadog complements your WAF’s existing protection and extends its capabilities to not only offer protection at the perimeter but also to the APIs and services within your network. To accomplish this, Datadog offers a turnkey AWS WAF integration that allows you to automatically discover and monitor web ACLs, in addition to monitoring web ACL metrics and logs. You can review this information in Datadog App and API Protection (AAP), which leverages Datadog tracing libraries and the Agent to provide insight into which services your web ACLs are protecting. AAP takes this visibility a step further by using built-in threat intelligence and a distributed, in-app WAF to automatically identify and stop malicious activity. We’ll also look at how this extends the capabilities of your existing AWS WAF in more detail.

Enable Datadog’s AWS WAF integration

Datadog provides a built-in integration for AWS WAF, which enables you to collect the metrics and logs we discussed in Part 1 of this series. To get started, you will need to first set up Datadog’s Amazon Web Services integration if you haven’t already. The steps in this section walk you through the process of enabling both metric and log collection for all AWS services, including AWS WAF. For metrics, you can configure Datadog to automatically collect data via CloudWatch API polling and Kinesis Firehose streams. Datadog recommends using CloudWatch for collecting the most up-to-date metric data.

You have two options for sending AWS WAF logs, depending on which type you’d like to monitor. Audit logs leverage Kinesis Firehose destinations, while web ACL activity logs use a Forwarder Lambda function. You can check out our documentation for more information about configuring those options.

Once configured, make sure that you enable metric and log collection for AWS WAF by navigating to the AWS integration tile and toggling on each option. For metrics, search for AWS WAF under the “Metric Collection” tab and toggle the options for either WAF Classic or WAFV2.

Enable Datadog's AWS WAF integration

For AWS WAF logs, you can toggle the “Web Application Firewall Logs” option under the “Log Collection” tab. These configurations allow Datadog to automatically collect and provide deeper insights into AWS WAF data. Next, we’ll look at how you can visualize all of this data in one place.

Visualize AWS WAF metrics and logs

Once you configure Datadog’s AWS WAF integration, you can easily visualize service metrics by creating a custom dashboard. The sample dashboard below includes some of the key metrics and logs that we described in Part 1 of this series, such as the total number of allowed and blocked requests and the top sources of network traffic, as well as a stream of web ACL audit logs. It also includes a breakdown of categorized bot activity, which includes whether the activity was verified by AWS WAF.

AWS WAF dashboard

Having a reference point like a dashboard can help you monitor activity at a high level and detect unusual traffic patterns. For example, you can use the anomalies algorithm on the aws.wafv2.blocked_requests metric to discover any changes that deviate from historical trends. The following screenshot shows that the total number of blocked requests that Datadog expected for the selected time period ranged between 14 and 17.

AWS WAF blocked anamolies graph

Apart from highlighting significant spikes, such as the two seen above, anomaly detection can help you monitor trends in WAF activity over a period of time. For example, if the anomaly boundaries increase significantly, you may need to determine if the associated rule is blocking too many requests and needs to be updated.

In addition to monitoring metrics, Datadog enables you to track AWS WAF logs via Datadog Log Management, which provides a cost-effective solution for collecting, storing, and querying logs. Your activity and audit logs serve as the starting point for troubleshooting issues with configured WAF and web ACLs.

For example, your audit logs capture important information about changes to both WAF and web ACL settings. The following audit log shows that a user attempted to list available web ACLs but did not have the appropriate permissions.

AWS WAF log

These logs also include information about which AWS user attempted the action, and you can review them in context with other activity across your AWS environment by pivoting to Cloud SIEM Investigator. In the following screenshot, you can see that a single user failed to execute list or describe API calls for components of multiple different types of resources, including web ACLs.

AWS WAF Datadog Cloud SIEM indentity

These scenarios could indicate a threat actor bypassed a WAF and is testing the level of access their user and applied role have in your environment. Cloud SIEM also includes built-in detection rules for AWS WAF, enabling you to instantly know about key activity and audit scenarios, such as when a web ACL rule blocked traffic or when a specific web ACL was modified or deleted.

Leverage Datadog’s advanced log management capabilities

Cloud SIEM helps you quickly surface immediate threats from activity captured in logs, but you may still need to drill down into specific logs for further analysis. AWS WAF can generate a high volume of logs at any given time, which makes it more difficult to query the data you need during a time-sensitive investigation. Datadog Observability Pipelines solves this problem by enabling you to generate custom metrics from AWS WAF logs, separating the most immediately helpful information from complex log data. For example, you can create metrics on specific activity log facets, such as rule names from AWS’s baseline rule group, in order to better track historical trends from web ACL activity like blocking requests from bad bots.

Once you extract metrics, you can drop the logs entirely, or retain them with Datadog Flex Logs or the long-term storage solution of your choice. Datadog Flex Logs decouples the cost of log storage from the costs of querying, enabling you to keep AWS WAF logs for the relative long term while still being able to instantly query them without incurring the typical costs of indexing. This capability is invaluable for conducting in-depth investigations.

Next, we’ll look at how Datadog App and API Protection can help you detect and stop malicious activity like this before it passes through the boundaries of your environment.

Monitor web ACL activity in Datadog AAP

In addition to monitoring AWS WAF metrics and logs, you need the ability to view each of the requests that your web ACLs allow or block. Not having that visibility makes it more difficult to act on an issue that your metric or log data surfaces. Datadog AAP provides that necessary context by integrating with AWS WAF. Once the integration is enabled, AAP will automatically discover when a web ACL is present in your environment and is managing traffic to your instrumented services. Datadog AAP will also walk you through the process of enabling the AWS WAF integration, so you can determine which steps have yet to be completed and easily review your web ACLs in context using Datadog’s built-in threat management.

Enable AWS WAF directly in Datadog AAP

If a web ACL blocks a specific IP address, for example, you will be able to view this information, including relevant WAF metrics and logs, directly in AAP.

Datadog AAP signal for AWS WAF

In the preceding trace, the UserAgent_BadBots_HEADER WAF rule automatically blocked requests from a single IP address, which you can review in Datadog AAP. You can also review associated WAF logs and the flagged IP to determine if any further action is required. With this complete context, you have the ability to improve your WAF’s protection capabilities and secure more than just your environment’s perimeter. We’ll look at the importance of extending your WAF’s reach, and how Datadog accomplishes this, next.

Extend your firewall protection with Datadog AAP

Perimeter firewalls like AWS WAF serve as a first line of defense for your environment. They monitor incoming traffic for potentially malicious activity and stop identified threats before they reach your applications and APIs. However, due to the challenges of maintaining these types of WAFs and the gaps in coverage they can leave, it’s important to extend your firewall protection to other layers besides the network’s perimeter. This enables you to build a comprehensive defense-in-depth strategy for your applications.

With the rapidly evolving boundaries of a dynamic cloud environment, scaling perimeter firewalls can be difficult. In these environments, perimeter firewalls require constant tuning to ensure that they only block malicious traffic and do not cause latency—or worse—false positives. As mentioned in Part 1, this process typically requires continually testing how precisely web ACL rules respond to traffic. But in many cases, web ACL configurations are owned by a single team, which can create knowledge gaps for other teams in how to maintain them and interpret their logs.

Apart from the challenges in maintaining perimeter firewalls, simple misconfigurations, which are more common in large-scale environments, can give threat actors easy access. Additionally, application or resource vulnerabilities can grant threat actors direct access to an environment, regardless of the state of its perimeter firewall. That’s why building protection that continually monitors and responds to traffic from the perimeter down to individual services, APIs, and resources is crucial for mitigating gaps in security coverage. This approach allows you to build protection controls that can appropriately respond to a wider range of threats.

In addition to the visibility that Datadog AAP brings to your existing WAFs, it also offers distributed protection capabilities with enhanced application context, business logic, and exploit prevention. Through Datadog’s tracing libraries, AAP provides granular visibility into application services and APIs. This means that Datadog can automatically stop exploits, such as SQL and command injections, before they affect your applications. And if a threat actor takes advantage of an application vulnerability, AAP will automatically flag the source IP, which you can decide to block via AWS WAF directly in Datadog.

Block IPs via AWS WAF directly in Datadog

Start monitoring AWS WAF today

In this post, we looked at how Datadog enables you to monitor your AWS WAF metrics and logs. We also discussed how Datadog AAP’s integration with AWS WAF brings complete context to monitoring and preventing malicious activity. To learn more, you can check out our documentation for AWS WAF and Datadog AAP. If you don’t already have a Datadog account, you can sign up for a free 14-day trial.