This guide walks through evaluating how well Datadog's Cloud SIEM detects AWS threats and alerts on them in real time, by simulating attacker techniques with Stratus Red Team.
- A functional Datadog trial or production environment with:
- An AWS sandbox account. Stratus Red Team is intended for use against a cloud account that does not host production workloads or infrastructure.
- Stratus Red Team installed, to execute simulated attack techniques against the AWS environment (macOS, Linux, Windows, and Docker are supported).
- Prior AWS authentication through the CLI, using either aws-vault or the AWS CLI, with AdministratorAccess permissions.
Stratus Red Team supports attacks for other platforms including Azure, Google Cloud and Kubernetes. This guide focuses on AWS.
To install Stratus Red Team, follow the Stratus Red Team installation guide.
You can detonate Stratus Red Team attack techniques individually, as shown below.
- Detonate an attack technique:

```shell
stratus detonate aws.exfiltration.s3-backdoor-bucket-policy
```

- Detonate multiple attack techniques:

```shell
stratus detonate aws.exfiltration.s3-backdoor-bucket-policy aws.defense-evasion.cloudtrail-stop
```

- Detonate an attack technique, then automatically clean up any resources deployed on AWS:

```shell
stratus detonate aws.exfiltration.s3-backdoor-bucket-policy --cleanup
```
Using the stratus.sh script, you can detonate all available attack techniques at once. This takes around 30 minutes to complete and may hit limits in your AWS account (for example, the maximum number of VPCs), so we suggest detonating each attack technique individually.
- Clean up a specific attack technique:

```shell
stratus cleanup aws.defense-evasion.cloudtrail-stop
```

- Clean up all detonated attack techniques:

```shell
stratus cleanup --all
```
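The steps above can be combined into a small wrapper that detonates a chosen set of techniques one at a time (avoiding the account limits that detonating everything at once can hit), passes `--cleanup` to each, keeps going when one detonation fails, and finishes with `stratus cleanup --all` so nothing is left behind in the sandbox. This is an added example, not a script from the Datadog guide or the Stratus Red Team project; it assumes `stratus` is on your PATH and that AWS credentials are already present in the environment (for example via `aws-vault exec <profile> -- ./detonate.sh --run`, where `detonate.sh` and the profile name are placeholders).

```shell
#!/bin/sh
# Added example (not part of the Datadog guide or of Stratus Red Team):
# detonate a hand-picked list of techniques sequentially, each with --cleanup,
# and keep going when one fails so the remaining techniques still run.
# Assumes: `stratus` on PATH, AWS credentials already in the environment.

# detonate_each TECHNIQUE...
# Detonates each technique with --cleanup, prints one OK/FAIL line per
# technique to stderr, then runs `stratus cleanup --all` as a safety net.
# Returns the number of techniques whose detonation failed (0 = all good).
detonate_each() {
    failed=0
    for technique in "$@"; do
        if stratus detonate "$technique" --cleanup; then
            echo "OK    $technique" >&2
        else
            echo "FAIL  $technique" >&2
            failed=$((failed + 1))
        fi
    done
    # A failed detonation may have left infrastructure behind; tear down
    # everything that was deployed regardless of the per-technique result.
    stratus cleanup --all || echo "WARN  stratus cleanup --all failed" >&2
    return "$failed"
}

# Invoked with --run: confirm the credentials in the environment are valid
# (AWS CLI, as listed in the prerequisites), then detonate the two techniques
# used in this guide. Without --run the file only defines the function.
if [ "${1:-}" = "--run" ]; then
    aws sts get-caller-identity >/dev/null || {
        echo "No usable AWS credentials in the environment; authenticate first." >&2
        exit 2
    }
    detonate_each aws.exfiltration.s3-backdoor-bucket-policy \
                  aws.defense-evasion.cloudtrail-stop
fi
```

Because every detonation runs in the same credentials and from the same host, all of the resulting CloudTrail events carry the Stratus Red Team user agent, which is what the Cloud SIEM filter in the validation step keys on; a non-zero exit status from `detonate_each` tells you which techniques did not actually execute, so you do not mistake a missing signal for a detection gap.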
For more details on usage, refer to the Stratus Red Team Usage Guide and the Stratus Red Team Command Reference.
Note that Datadog's out-of-the-box Cloud SIEM Rules are not limited to the attack techniques available in Stratus Red Team.
In Datadog, navigate to Security > Cloud SIEM > Signals and filter by `source:cloudtrail @http.useragent:*stratus-red-team*` to validate the signals generated by the emulation.
Expect the following detections: