Every security engineer has experienced this issue: after spending a lot of time creating a new SIEM alert to catch malicious behavior, you deploy it, only to find there are over 100 service accounts triggering false positives. Your SIEM is suddenly flooded with false alerts, and your team is overwhelmed as a result. You then spend hours or even days investigating these alerts and fixing your detection rule, hoping it will work better next time.

Cloud environments today continue to grow in size and complexity, which increases the demand for improved security coverage in order to protect an organization’s assets, data, and reputation. This growth has also created significant and complex challenges in identifying insider or external threats, compromised accounts, and anomalous behavior across environments.

With the alarming number of data breaches and vulnerabilities today, security is now a primary concern for organizations and their customers, but knowing how to efficiently develop and scale secure applications is still a problem. Tackling this challenge requires considering the potential security risks of a new feature or service much earlier in the development cycle, an idea that is foundational to the Secure by Design approach.

The Domain Name System (DNS) translates domain names (e.g., datadoghq.com) into IP addresses via a process called DNS resolution. This translation facilitates all kinds of network communication, from enabling web browsers to connect to a desired page without requiring users to remember IP addresses, to internal communication across private infrastructure, such as Kubernetes environments.

AWS WAF is a managed web application firewall that monitors network traffic to your AWS applications and resources. As a perimeter-based firewall, AWS WAF is designed to secure the boundaries between your applications and the public internet. This means that it’s capable of protecting all of the various elements of your AWS architecture, including Amazon API Gateways, load balancers, and Amazon CloudFront distributions.

In Part 1 of this series, we looked at how AWS WAF helps you monitor network traffic to AWS resources, as well as key metrics and logs for detecting WAF misconfigurations and malicious activity. In this post, we’ll walk through using AWS’s native tooling to query that data.

In Part 2 of this series, we looked at Amazon’s built-in monitoring services for AWS WAF activity and audit logs. In this post, we’ll demonstrate how Datadog complements your WAF’s existing protection and extends its capabilities to not only offer protection at the perimeter but also to the APIs and services within your network.