DataDog · emmlejeail · Jan 20, 2025 · Jan 20, 2025 · Jan 20, 2025 · Jan 20, 2025
@@ -3060,7 +3060,7 @@ menu:
       parent: ndm_setup
       identifier: ndm_snmptraps
       weight: 30004
-    - name: SD-WAN 
+    - name: SD-WAN
       url: network_monitoring/devices/sd-wan
       parent: ndm_setup
       identifier: ndm_sd-wan
@@ -6099,6 +6099,16 @@ menu:
       parent: appsec_threats
       identifier: threats_user_info
       weight: 722
+    - name: Attacker Fingerprint
+      url: security/application_security/threats/attacker_fingerprint/
+      parent: appsec_threats
+      identifier: threats_attacker_fingerprint
+      weight: 723
+    - name: Attacker Clustering
+      url: security/application_security/threats/attacker_clustering/
+      parent: appsec_threats
+      identifier: threats_attacker_clustering
+      weight: 724
     - name: Application Security for Serverless
       url: security/application_security/serverless/
       parent: application_security

@@ -93,6 +93,14 @@ flagged attackers
 : IPs that send large amounts of attack traffic. We recommend reviewing and blocking Flagged IPs. Thresholds are not user-configurable.
 : See [Attacker Explorer][17]
 
+attacker fingerprint
+: Identifiers computed from request characteristics to track an attacker across multiple requests.
+: See [Attacker Fingerprint][18]
+
+attacker cluster
+: A set of attributes identifying an attacker across a distributed attack.
+: See [Attacker Clustering][19]
+
 ## Attacks and known vulnerabilities terms
 
 Open Web Application Security Project (OWASP)
@@ -147,3 +155,5 @@ Object-Graph Navigation Language Injection (OGNLi)
 [15]: /security/application_security/threats/trace_qualification/
 [16]: /security/application_security/threats/threat-intelligence/
 [17]: /security/application_security/threats/attacker-explorer/
+[18]: /security/application_security/threats/attacker_fingerprint/
+[19]: /security/application_security/threats/attacker_clustering/
@@ -0,0 +1,69 @@
+---
+title: Attacker Clustering
+disable_toc: false
+further_reading:
+- link: "/security/application_security/threats/attacker_fingerprint"
+  tag: "Documentation"
+  text: "Attacker Fingerprint"
+- link: "/security/application_security/threats/threat-intelligence/"
+  tag: "Documentation"
+  text: "Threat Intelligence"
+- link: "/security/application_security/threats/event_rules"
+  tag: "Documentation"
+  text: "In-App WAF Rules"
+- link: "/security/application_security/threats/security_signals/"
+  tag: "Documentation"
+  text: "Security Signals"
+---
+
+
+## Overview
+
+Attacker Clustering improves distributed attack blocking. Datadog Application Security Management (ASM) identifies security signal traffic attacker patterns and to help you mitigate distributed attacks more efficiently.
+
+Attacker clustering highlights a set of common attributes shared by a significant portion of traffic and suggests blocking based on those attributes.
+
+Blocking on attacker attributes means you keep your application or API protected even as the attacker rotates between IPs.
+
+## What signals are used for attacker clusters?
+
+The attacker clustering is computed for every [ASM security signal][4] emitted from a detection rule tagged with `category:account_takeover` or `category:fraud`
+
+Out of the box, attacker clustering is computed for the ASM detection rules that detect API abuse, credential stuffing, or brute force attacks.
+
+If you want the attacker clustering executed on custom detection rules, add these tags in the detection rule editor (see screenshot below).
+
+{{< img src="security/application_security/threats/tag-on-detection-rule.png" alt="Screenshot of the Detection rule editor showing where to add tags"  >}}
+
+## Attacker clustering attributes
+
+Attacker clustering is computed using the following request attributes:
+* Browser name
+* Browser version
+* OS name
+* OS version
+* User agent header
+* [Datadog attacker fingerprinting][2]
+
+When the attacker attributes are identified, they are displayed on the signal side panel and **Signals** page. Attacker attributes can be a combination of the attributes listed above.
+
+{{< img src="security/application_security/threats/attacker-attributes.png" alt="Screenshot of an ASM signals with attacker attributes identified"  >}}
+
+## Attacker clustering mechanism
+
+The clustering algorithm analyzes the frequency of attributes in the attack traffic. It selects attributes that appear frequently while also filtering out typical traffic noise. This process results in attributes that can be blocked to stop or slow the attacker.
+
+The algorithm tracks the changes in the attack traffic by identifying emerging trends as the attacker changes tactics (for example, changing headers, tool, etc.). The attacker cluster is updated with the latest traffic trends.
+
+Traffic associated with threat intelligence is also considered in the clustering mechanism. The more an attribute is correlated with [Threat Intelligence][1], the higher the chance to create an attacker cluster around this attribute.
+
+The attacker clustering attributes selected are then shown as regular expressions that can be used to block with ASM's [In-App WAF][3] or to filter out traffic in ASM Traces explorer for investigation.
+
+## Further reading
+
+{{< partial name="whats-next/whats-next.html" >}}
+
+[1]: /security/application_security/threats/threat-intelligence/
+[2]: /security/application_security/threats/attacker_fingerprint
+[3]: /security/application_security/threats/event_rules
+[4]: /security/application_security/threats/security_signals/
@@ -0,0 +1,73 @@
+---
+title: Attacker Fingerprint
+disable_toc: false
+further_reading:
+- link: "/security/application_security/threats/attacker_clustering"
+  tag: "Documentation"
+  text: "Attacker Clustering"
+---
+
+This topic describes a feature called **Datadog Attacker Fingerprint** to identify attackers beyond IP addresses.
+
+## Overview
+
+Datadog Attacker Fingerprint identifies attackers beyond IP addresses. Datadog Attacker fingerprints are automatically computed and added to your traces on attack or login attempts when Application Security Management (ASM) is enabled on your service.
+
+Datadog Attacker fingerprints are composed of several fragments:
+* Endpoint Identifier
+* Session Identifier
+* Header Identifier
+* Network Identifier
+
+Each fragment identifies request specifics by looking for certain headers and query body fields, and by hashing cookie values and query parameters.
+
+## Attacker Fingerprint fragment details
+
+### Endpoint identifier
+
+The endpoint identifier fragment provides information about a specific endpoint, as well as the parameters used to call it. This fragments uses the following information:
+* HTTP method
+* Hash of the request URI (excluding any query parameters)
+* Hash of the sorted query parameter fields
+* Hash of the sorted top-level body fields
+
+### Session identifier
+
+The session identifier fragment tracks users based on their session information and whether they are authenticated. This fragment uses the following information:
+* Hash of the user ID
+* Hash of the sorted cookie fields
+* Hash of the cookie values by fields
+* Hash of the session ID if available
+
+If all of the fields are unavailable, the fragment is omitted as it does not provide meaningful information.
+
+### Header identifier
+
+The header identifier fragment provides information about the headers used in the request. This particular fragment uses the following information:
+* Known headers: Referer, Connection, Accept-Encoding, Content-Encoding, Cache-Control, TE, Accept-Charset, Content-Type, Accept, Accept-Language.
+* Hash of the user agent
+* The number of unknown headers
+* Hash of the sorted unknown headers. The list of unknown headers excludes all XFF headers, cookies and x-datadog headers.
+
+
+### Network identifier
+
+The network identifier fragment provides information about the network part of the request. This fragment uses the following information:
+* The number of IPs in the XFF header used by the caller to determine the client’s IP.
+* The presence or absence of the known XFF headers in the following order: x-forwarded-for, x-real-ip, true-client-ip, x-client-ip, x-forwarded, forwarded-for, x-cluster-client-ip, fastly-client-ip, cf-connecting-ip, cf-connecting-ipv6.
+
+
+## How to use Attacker Fingerprints
+
+Fragments can be used as filters in the ASM Traces explorer by filtering on the desired fingerprint field. For example: `@appsec.fingerprint.header.common_headers:0110000110` will filter on all requests that have the same common headers (Connection, Accept-Encoding, Content-Type and Accept).
+
+{{< img src="security/application_security/threats/attacker-fingerprint-trace.png" alt="Screenshot of an ASM trace with attacker fingerprint in the trace side panel"  >}}
+
+Attacker fingerprints are used in the [Attacker Clustering][1] feature. If a significant portion of your traffic presents the same fingerprint attributes, attacker clustering will show it has a common attack attribute.
+
+
+## Further reading
+
+{{< partial name="whats-next/whats-next.html" >}}
+
+[1]: /security/application_security/threats/attacker_clustering