Cryptomining scripts can be detected by Amazon GuardDuty, with the finding forwarded to Datadog, or Datadog APM can flag the performance drop on the hijacked host, but neither tool can fully investigate and remediate the threat on its own. D3 retrieves the event, correlates it against MITRE ATT&CK to identify the tactics and techniques involved, and extracts IOCs to compare against third-party threat intelligence to determine risk. Based on that enrichment, the analyst can escalate the event to an incident if further investigation is warranted. D3 ships a prebuilt, automation-powered cryptojacking playbook that includes domain analysis and EC2 instance analysis.
By combining Datadog Security Monitoring for threat detection with D3 SOAR for incident enrichment and response, you can automatically escalate security threats to D3 and assess their criticality through data enrichment and MITRE ATT&CK correlation. D3 then either triggers an automated response playbook or guides analysts through the manual steps, all from a single window.
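The enrichment steps described above (take the forwarded finding, map it to ATT&CK, pull out IOCs, check them against threat intelligence, decide whether to escalate) are what a SOAR playbook does at the start of triage. The following is an added example, not D3's or Datadog's code: a small Python triage routine run over a constructed GuardDuty cryptomining finding. The finding and threat-intelligence data are made up (TEST-NET addresses and a `.test` domain), the field paths follow GuardDuty's finding JSON, and the finding-family to ATT&CK mapping, the risk formula and the escalation threshold are my own assumptions chosen for illustration.

```python
"""Toy SOAR-style triage of a GuardDuty finding forwarded through Datadog.

Example code written for this page; not D3's playbook logic or Datadog's API.
"""
import ipaddress
from dataclasses import dataclass, field

# Constructed sample finding. Field paths mirror GuardDuty's finding schema
# (type, severity, resource.instanceDetails.instanceId,
# service.action.dnsRequestAction.domain); the values are invented.
SAMPLE_CRYPTO = {
    "type": "CryptoCurrency:EC2/BitcoinTool.B!DNS",
    "severity": 8,
    "resource": {"instanceDetails": {"instanceId": "i-0123456789abcdef0"}},
    "service": {"action": {"dnsRequestAction": {"domain": "pool.example-miner.test"}}},
}

# Constructed low-severity finding with no threat-intel match, for the non-escalation path.
SAMPLE_RECON = {
    "type": "Recon:EC2/PortProbeUnprotectedPort",
    "severity": 2,
    "resource": {"instanceDetails": {"instanceId": "i-0fedcba9876543210"}},
    "service": {"action": {"portProbeAction": {"portProbeDetails": [
        {"remoteIpDetails": {"ipAddressV4": "192.0.2.10"}}]}}},
}

# Constructed stand-in for a third-party threat-intelligence feed.
SAMPLE_TI = {"domains": {"pool.example-miner.test"}, "ips": {"198.51.100.7"}}

# Assumed mapping from the GuardDuty "threat purpose" prefix to an ATT&CK
# tactic and technique. D3's real correlation is not published on this page.
ATTACK_MAP = {
    "CryptoCurrency": ("Impact", "T1496"),          # Resource Hijacking
    "Backdoor": ("Command and Control", "T1071"),   # Application Layer Protocol
    "Recon": ("Reconnaissance", "T1595"),           # Active Scanning
}


@dataclass
class Triage:
    finding_type: str
    tactic: str
    technique: str
    iocs: dict = field(default_factory=dict)
    ti_hits: list = field(default_factory=list)
    risk: int = 0
    escalate: bool = False


def map_attack(finding_type):
    """Return (tactic, technique) for a finding type such as 'CryptoCurrency:EC2/...'."""
    purpose = finding_type.split(":", 1)[0]
    return ATTACK_MAP.get(purpose, ("Unknown", "Unknown"))


def _leaves(obj, key=None):
    """Yield (key, scalar) for every leaf in a nested dict/list structure."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from _leaves(v, k)
    elif isinstance(obj, list):
        for v in obj:
            yield from _leaves(v, key)
    else:
        yield key, obj


def extract_iocs(finding):
    """Collect instance IDs, domains and IP addresses wherever they occur in the finding."""
    iocs = {"domains": set(), "ips": set(), "instances": set()}
    for key, val in _leaves(finding):
        if not isinstance(val, str):
            continue
        if key == "instanceId":
            iocs["instances"].add(val)
        elif key == "domain":
            iocs["domains"].add(val.lower().rstrip("."))
        elif key in ("ipAddressV4", "ipAddressV6"):
            try:
                iocs["ips"].add(str(ipaddress.ip_address(val)))
            except ValueError:
                pass  # malformed address: skip rather than treat as an IOC
    return {k: sorted(v) for k, v in iocs.items()}


def triage(finding, threat_intel, escalate_at=7):
    """Enrich one finding and decide whether it should become an incident.

    Risk (assumed formula): GuardDuty severity rounded, plus 2 per threat-intel hit,
    capped at 10. Escalation threshold is an assumption as well.
    """
    tactic, technique = map_attack(finding["type"])
    iocs = extract_iocs(finding)
    hits = [d for d in iocs["domains"] if d in threat_intel["domains"]]
    hits += [ip for ip in iocs["ips"] if ip in threat_intel["ips"]]
    risk = min(10, round(float(finding.get("severity", 0))) + 2 * len(hits))
    return Triage(finding["type"], tactic, technique, iocs, hits, risk, risk >= escalate_at)


if __name__ == "__main__":
    for f in (SAMPLE_CRYPTO, SAMPLE_RECON):
        print(triage(f, SAMPLE_TI))
```

Running it escalates the cryptomining finding (technique T1496, the miner pool domain matched in threat intel, risk 10) and leaves the port-probe finding at risk 2 for an analyst to review. In a real playbook the constructed `SAMPLE_TI` would be replaced by a live threat-intel lookup and the instance ID would feed the EC2 instance analysis step mentioned above.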
Our Connected SOAR Security Alliance brings hundreds of vendors together, allowing customers to benefit from our deep industry relationships and fully vendor-agnostic, independent SOAR platform.