# Step 1: Evidence Details

|System|Source of data|Frameworks|Purpose|
|---|---|---|---|
|Datadog|Datadog Detection Rules|Datadog|Get Log Detection Rules data from Datadog.|

```
RecommendedEvidenceName: DatadogDetectionRules
```



# Step 2: Define the System Specific Data


Sample response from `GET /api/v2/security_monitoring/rules` (one rule shown):

```json
{
    "data": [
        {
            "id": "def-000-syp",
            "version": 1,
            "name": "1Password activity observed from Tor client IP",
            "createdAt": 1687969747558,
            "creationAuthorId": 0,
            "updateAuthorId": 0,
            "isDefault": true,
            "isPartner": false,
            "isEnabled": true,
            "isDeleted": false,
            "isDeprecated": false,
            "queries": [
                {
                    "query": "source:1password @threat_intel.results.category:tor",
                    "groupByFields": [
                        "@usr.email"
                    ],
                    "hasOptionalGroupByFields": false,
                    "distinctFields": [],
                    "aggregation": "count",
                    "name": "tor_client_activity"
                }
            ],
            "options": {
                "keepAlive": 3600,
                "maxSignalDuration": 86400,
                "detectionMethod": "threshold",
                "evaluationWindow": 300
            },
            "cases": [
                {
                    "name": "",
                    "status": "critical",
                    "notifications": [],
                    "condition": "tor_client_activity > 0"
                }
            ],
            "message": "## Goal\nDetect when 1Password activity is observed from a Tor exit node. \n\n## Strategy\nThis rule monitors 1Password logs to determine when an activity originated from a Tor client. Datadog enriches all ingested logs with [expert-curated threat intelligence][1] in real-time. An attacker may use a Tor client to anonymize their true origin.  \n\n## Triage and response\n1. Determine if `{{@usr.email}}` from IP address `{{@network.client.ip}}` should have made the `{{@evt.name}}` API call.\n2. If the results of the triage indicate that an attacker has taken the action, begin your company's incident response process and an investigation.\n\n## Changelog\n* 17 August 2023 - Updated query to replace attribute `@threat_intel.results.subcategory:tor` with `@threat_intel.results.category:tor`.\n\n[1]: https://www.datadoghq.com/blog/datadog-threat-intelligence/#expert-threat-intelligence-managed-by-datadog",
            "tags": [
                "source:1password",
                "scope:onepassword",
                "security:attack"
            ],
            "defaultTags": [
                "source:1password",
                "security:attack",
                "scope:onepassword"
            ],
            "hasExtendedTitle": true,
            "type": "log_detection",
            "filters": []
        }
    ],
    "meta": {
        "page": {
            "total_count": 429,
            "total_filtered_count": 1
        }
    }
}
```

# Step 2a: API & Flow

- `GET /api/v2/security_monitoring/rules`
    - The response returns the list of detection rules (paginated; `meta.page.total_count` gives the overall count).
    - Build one extended schema record per rule from the returned details.



# Step 2b: Define the Extended Schema


`DatadogDetectionRules` record built from the rule above:

```json
{
    "System": "datadog",
    "Source": "compliancecow",
    "ResourceID": "def-000-syp",
    "ResourceName": "1Password activity observed from Tor client IP",
    "ResourceType": "Detection Rule",
    "ResourceLocation": "N/A",
    "ResourceTags": "N/A",
    "ResourceURL": "https://app.datadoghq.com/security/configuration/siem/rules/view/def-000-syp",
    "RuleType": "log_detection",
    "RuleMessage": "## Goal\nDetect when 1Password activity is observed from a Tor exit node. \n\n## Strategy\nThis rule monitors 1Password logs to determine when an activity originated from a Tor client. Datadog enriches all ingested logs with [expert-curated threat intelligence][1] in real-time. An attacker may use a Tor client to anonymize their true origin.  \n\n## Triage and response\n1. Determine if `{{@usr.email}}` from IP address `{{@network.client.ip}}` should have made the `{{@evt.name}}` API call.\n2. If the results of the triage indicate that an attacker has taken the action, begin your company's incident response process and an investigation.\n\n## Changelog\n* 17 August 2023 - Updated query to replace attribute `@threat_intel.results.subcategory:tor` with `@threat_intel.results.category:tor`.\n\n[1]: https://www.datadoghq.com/blog/datadog-threat-intelligence/#expert-threat-intelligence-managed-by-datadog",
    "DefaultRule": true,
    "RuleEnabled": true,
    "RuleDeprecated": false,
    "RuleCases": [
        {
            "Condition": "tor_client_activity > 0",
            "Name": "",
            "Status": "critical"
        }
    ],
    "RulePriority": "critical",
    "RuleTags": [
        "source:1password",
        "scope:onepassword",
        "security:attack"
    ],
    "RuleCreationDate": "2023-06-28T16:29:07.558000+00:00",
    "UserAction": "",
    "ActionStatus": "",
    "ActionResponseURL": ""
}
```
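The mapping from a `GET /api/v2/security_monitoring/rules` item (Step 2a) to the `DatadogDetectionRules` record (Step 2b), as an added Python example that is not part of this page or the connector's own code. It assumes `RulePriority` is the most severe `status` among the rule's cases and that `createdAt` is epoch milliseconds; the sample rule is constructed from the response above, trimmed to the fields used.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of one "data" item returned by
# GET /api/v2/security_monitoring/rules (trimmed to the fields the mapping uses).
SAMPLE_RULE = {
    "id": "def-000-syp", "type": "log_detection",
    "name": "1Password activity observed from Tor client IP",
    "createdAt": 1687969747558,
    "isDefault": True, "isEnabled": True, "isDeprecated": False,
    "message": "## Goal\nDetect when 1Password activity is observed from a Tor exit node.",
    "cases": [{"name": "", "status": "critical", "notifications": [],
               "condition": "tor_client_activity > 0"}],
    "tags": ["source:1password", "scope:onepassword", "security:attack"],
}

# Datadog case severities, least to most severe (assumed ordering).
SEVERITY_ORDER = ["info", "low", "medium", "high", "critical"]
RULE_URL = "https://app.datadoghq.com/security/configuration/siem/rules/view/{}"


def rule_priority(cases):
    """Most severe status among a rule's cases; "" when no case carries one."""
    known = [c.get("status", "").lower() for c in cases]
    known = [s for s in known if s in SEVERITY_ORDER]
    return max(known, key=SEVERITY_ORDER.index) if known else ""


def ms_epoch_to_iso(ms):
    """createdAt is epoch milliseconds; use integer math so no precision is lost."""
    ts = datetime.fromtimestamp(ms // 1000, tz=timezone.utc) + timedelta(milliseconds=ms % 1000)
    return ts.isoformat(timespec="microseconds")


def to_extended_schema(rule):
    """Map one Datadog detection rule onto the DatadogDetectionRules record."""
    return {
        "System": "datadog", "Source": "compliancecow",
        "ResourceID": rule["id"], "ResourceName": rule["name"],
        "ResourceType": "Detection Rule", "ResourceLocation": "N/A", "ResourceTags": "N/A",
        "ResourceURL": RULE_URL.format(rule["id"]),
        "RuleType": rule["type"], "RuleMessage": rule["message"],
        "DefaultRule": rule["isDefault"], "RuleEnabled": rule["isEnabled"],
        "RuleDeprecated": rule["isDeprecated"],
        "RuleCases": [{"Condition": c["condition"], "Name": c["name"], "Status": c["status"]}
                      for c in rule["cases"]],
        "RulePriority": rule_priority(rule["cases"]),
        "RuleTags": rule["tags"],
        "RuleCreationDate": ms_epoch_to_iso(rule["createdAt"]),
        "UserAction": "", "ActionStatus": "", "ActionResponseURL": "",
    }
```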

# Step 3: Control Setup Details

| Control Details            |                                                 |
|----------------------------|-------------------------------------------------|
| **RuleName**               | GetDatadogDetectionRules                        |
| **PreRequisiteRuleNames**  |                                                 |
| **ExtendedSchemaRuleNames**|                                                 |
| **ApplicationClassName**   | datadogconnector                                |
| **PostSynthesizerName**    | N/A                                             |