Workload Protection's new Coverage feature #31134
Conversation
- revised for clarity
- added more prescriptive content

📝 Documentation Team Review Required: This pull request requires approval from the @DataDog/documentation team before it can be merged. Please ensure your changes follow our documentation guidelines and wait for a team member to review and approve your changes.
deleting file from PR
…of github.com:DataDog/documentation into mcretzman/DOCS-11460-workload-protection-coverage-map
* Track coverage for serverless functions
* Filter by environment, enabled features, agent version, etc.
- [Coverage Map][3]:
* View a real-time map of workload protection status
I would say near real-time (usually 1-2 mins, worst - 5)
content/en/security/workload_protection/inventory/coverage_map.md
* Reduce blind spots by monitoring for unprotected workloads.
* Shorten detection and response times with direct remediation workflows.
* Maintain continuous compliance and policy alignment.
* Integrate posture checks into CI/CD and infrastructure reviews.
we don't have CI/CD integrations here
right. What I mean here is using Coverage to check the hosts used in your CI/CD pipeline as part of infra reviews.
Here are some ways to use Coverage to improve your workload security.

### Eliminate gaps in security coverage
I wrote down a few use cases we can highlight:

Use Cases

- Detect and remediate policy deployment issues
  1. Use the Incomplete infrastructure coverage widget or visually scan the map to identify assets with policy deployment problems.
  2. Select the problematic asset to open the side panel.
  3. Review the list of deployed policies. Policies with errors are highlighted.
  4. Select a highlighted policy to view its rules and the errors reported by the agent.
  5. Edit the policy or the problematic rule.
  6. Redeploy and confirm the fix in the map.
- Identify assets missing workload protection
  1. The Improve infrastructure coverage widget flags assets without full protection.
  2. Look for the NO WP label. This indicates that the Datadog Agent is installed, but Cloud Workload Security (CWS) is not enabled. These workloads are not monitored.
  3. Look for the NO AGENT label. This indicates that no Datadog Agent is installed on the host.
  4. Select either label to navigate to the corresponding page. From there, add or review agents and features.
- Experiment with new rules
  1. Test and iterate on custom security rules.
  2. Write and deploy a new rule.
  3. Search for the rule by Rule ID, Policy ID, or hostname.
  4. Confirm that the agent has loaded the rule successfully.
  5. If errors appear, review the details, fix the rule, and redeploy.
- Identify assets missing key features
  1. Check information-level issues to find gaps in protection.
  2. Review the outdated_agent flag. This means the Agent is running an outdated version and may not support the latest CWS features.
  3. Review the missing coverage data flag. This means the Agent is not reporting coverage data needed to generate full insights.
  4. Update the Agent to ensure complete coverage.
- Search assets by MITRE ATT&CK techniques and tactics
  1. Search across assets to see how many are covered by specific MITRE ATT&CK techniques and tactics.
  2. Open the search function.
  3. Enter the desired MITRE ATT&CK technique or tactic.
  4. Review the number of assets covered.

We will add more later, since we don't plan to stop here.
Can we use these items? For the rest of the cases, I think we may mislead customers.
DOCS-11460
What does this PR do? What is the motivation?
Documents Workload Protection's new Coverage feature.