TL;DR Datadog:

To integrate Datadog and perform searches with Query:

  • Generate a Datadog API Key and an Application Key from your Datadog Organization Settings
  • Using the above values, configure a connection to Datadog from your Go Query interface
  • Perform searches using the new connection

Overview

Datadog is an application monitoring and security platform that collects and brings together logs, metrics, and security events from your environment. If you are using Datadog, you can now query logs and events from your Datadog tenant through Query.

Prerequisites

Obtain API Key

Log in to Datadog and go to Organization Settings -> API Keys to create or copy a key that Query can use. Note that Datadog shows a separate KEY ID and KEY for each key. Ensure that you use the KEY and not the KEY ID.

Obtain Application Key

Next, go to Organization Settings -> Application Keys to create or copy an application key that Query can use. Here too, Datadog shows a separate KEY ID and KEY. Ensure that you use the KEY and not the KEY ID.

Access to Events API (beta)

To query Events from Datadog, as of this writing you have to contact Datadog support (via a support ticket) to enable the Events API (beta) feature in your tenant. This step is needed only if your use case requires querying Events from Datadog; it is not needed if you are only querying Logs.

Adding connection in Query

From the Connections page in Query, add a new connection to Datadog, providing your Datadog tenant's URL along with the API key and Application key obtained above.

Querying from Datadog

You can search for any device's logs by the device's hostname.

Search results will contain:

  • Events from Datadog Service Management. These get mapped to Security Finding in Query's OCSF schema.
  • Logs from Datadog. These get mapped to Process Activity in Query's OCSF schema.
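
To confirm that the values you pasted are KEYs rather than KEY IDs, and to see what a host-scoped log search against Datadog looks like, here is an added Python example (not Query's own code). It calls the public Datadog logs-search API directly; the key lengths (32 hex characters for an API key, 40 for an application key), the UUID shape of a KEY ID, and the API base URL are assumptions, and the Datadog API host (api.datadoghq.com) differs from the app URL shown in the browser.

```python
"""Check Datadog credentials and build a host-scoped log search (added example)."""
import json
import re
import urllib.request

# Assumed formats: Key IDs are UUIDs, API keys 32 hex chars, application keys 40 hex chars.
_KEY_ID = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)
_API_KEY = re.compile(r"^[0-9a-f]{32}$", re.I)
_APP_KEY = re.compile(r"^[0-9a-f]{40}$", re.I)


def check_keys(api_key: str, app_key: str) -> list:
    """Return a list of problems; empty means both values look like KEYs, not KEY IDs."""
    problems = []
    for name, value, pattern in (("API key", api_key, _API_KEY),
                                 ("Application key", app_key, _APP_KEY)):
        if _KEY_ID.match(value):
            problems.append(f"{name} looks like a KEY ID (UUID); paste the KEY value instead")
        elif not pattern.match(value):
            problems.append(f"{name} has an unexpected format ({len(value)} chars)")
    return problems


def build_log_search(api_base: str, api_key: str, app_key: str,
                     hostname: str, window: str = "now-15m") -> dict:
    """Describe the POST to /api/v2/logs/events/search, filtered to one host."""
    return {
        "url": api_base.rstrip("/") + "/api/v2/logs/events/search",
        "headers": {"DD-API-KEY": api_key,            # Datadog auth headers
                    "DD-APPLICATION-KEY": app_key,
                    "Content-Type": "application/json"},
        "body": {"filter": {"query": f'host:"{hostname}"', "from": window, "to": "now"},
                 "page": {"limit": 50}},
    }


def run_search(req: dict) -> list:
    """Send the request built above and flatten each log event to host/timestamp/message."""
    http = urllib.request.Request(req["url"], data=json.dumps(req["body"]).encode(),
                                  headers=req["headers"], method="POST")
    with urllib.request.urlopen(http, timeout=30) as resp:
        data = json.load(resp)
    return [{"host": e["attributes"].get("host"),
             "timestamp": e["attributes"].get("timestamp"),
             "message": e["attributes"].get("message")}
            for e in data.get("data", [])]
```

Run check_keys before saving the connection; if it reports a UUID-shaped value, you copied the KEY ID column instead of the KEY.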

Resources

Please refer to the Datadog documentation on key management: https://docs.datadoghq.com/account_management/org_settings/