Datadog
TL;DR Datadog:
To integrate Datadog and perform searches with Query:
- Generate Datadog API Key and Application Key from your Datadog's Organization Settings
- Using above values, configure connection to Datadog from your Go Query interface
- Perform searches using the new connection
Overview
Datadog is an application monitoring and security platform that collects and brings together logs, metrics, and security events from your environment. If you use Datadog, you can query the logs and events in your Datadog tenant through Query.
Prerequisites
Obtain API Key
Log in to Datadog and go to the Organization Settings -> API Keys page to create a key that Query can use. Create a dedicated key for Query rather than reusing an existing one, so it can be rotated or revoked without affecting other integrations. Note that Datadog shows a separate KEY ID and KEY for each entry. Ensure that you use the KEY (the secret value) and not the KEY ID.
Obtain Application Key
Next, go to the Organization Settings -> Application Keys page to create an application key that Query can use. Application keys inherit the permissions of the user who creates them, so create it from an account that has only the access Query needs. Here too Datadog shows a separate KEY ID and KEY. Ensure that you use the KEY and not the KEY ID.
Access to Events API (beta)
To query Events from Datadog, as of this writing, you have to open a support ticket with Datadog to enable the Events API (beta) feature in your tenant. This step is needed only if your use case requires querying Events from Datadog; it is not needed if you are only querying Logs.
Adding connection in Query
From the Connections page in Query, add a new connection to Datadog, providing your Datadog tenant's URL along with the API key and Application key obtained above.
Querying from Datadog
You can search for any device's logs and events by the device's hostname as it appears in Datadog.
Search results will contain:
- Events from Datadog Service Management. These get mapped to Security Finding in Query's OCSF schema.
- Logs from Datadog. These get mapped to Process Activity in Query's OCSF schema.
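Before adding the connection, it is worth confirming that the two values you pasted are the keys and not the key IDs, and that they return logs for a known hostname. The script below is an added example, not code from Query or from Datadog's own client libraries. It assumes the public Datadog endpoints GET /api/v1/validate (API key check) and POST /api/v2/logs/events/search (log search), the DD_SITE convention for the tenant's site (datadoghq.com, datadoghq.eu, and so on), and a heuristic for key shape: Datadog API keys are typically 32 hex characters, application keys 40 hex characters, and the KEY ID shown beside them is a UUID.

```python
"""Sanity-check Datadog API/application keys and run a host-scoped Logs search.

Added example, not code from Query or Datadog. Assumes the public Datadog
Logs Search endpoint (POST /api/v2/logs/events/search) and the key
validation endpoint (GET /api/v1/validate); the key-shape checks are a
heuristic based on the usual length of Datadog keys.
"""
import json
import os
import re
import sys
import urllib.request

# Heuristic shapes (assumption): API keys are 32 hex chars, application keys
# 40 hex chars, while the Key ID shown next to each in Organization Settings
# is a UUID. Pasting the ID instead of the key is the most common mistake.
_HEX = re.compile(r"^[0-9a-f]+$")
_UUID = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")
# Only characters that cannot change the meaning of a Datadog search query.
_HOST = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,252}$")


def classify_secret(value: str) -> str:
    """Return 'key_id', 'api_key', 'app_key' or 'unknown' for a pasted value."""
    v = value.strip().lower()
    if _UUID.match(v):
        return "key_id"
    if _HEX.match(v) and len(v) == 32:
        return "api_key"
    if _HEX.match(v) and len(v) == 40:
        return "app_key"
    return "unknown"


def auth_headers(api_key: str, app_key: str) -> dict:
    """Headers Datadog expects; refuse an obvious Key ID before any request is made."""
    for name, val in (("API key", api_key), ("Application key", app_key)):
        if classify_secret(val) == "key_id":
            raise ValueError(f"{name} looks like a Key ID (UUID); paste the KEY, not the KEY ID")
    return {
        "DD-API-KEY": api_key,
        "DD-APPLICATION-KEY": app_key,
        "Content-Type": "application/json",
    }


def logs_search_body(hostname: str, minutes: int = 60, limit: int = 50) -> dict:
    """Body for POST /api/v2/logs/events/search restricted to one host."""
    if not _HOST.match(hostname):
        raise ValueError("hostname contains characters that would alter the search query")
    return {
        "filter": {"query": f"host:{hostname}", "from": f"now-{minutes}m", "to": "now"},
        "page": {"limit": limit},
        "sort": "-timestamp",
    }


def validate_api_key(site: str, api_key: str) -> bool:
    """GET /api/v1/validate: True if Datadog accepts the API key."""
    req = urllib.request.Request(f"https://api.{site}/api/v1/validate",
                                 headers={"DD-API-KEY": api_key})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return bool(json.load(resp).get("valid", False))


def search_host_logs(site: str, api_key: str, app_key: str, hostname: str) -> list:
    """Run the host-scoped search and return the list of log entries."""
    req = urllib.request.Request(
        f"https://api.{site}/api/v2/logs/events/search",
        data=json.dumps(logs_search_body(hostname)).encode(),
        headers=auth_headers(api_key, app_key),
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp).get("data", [])


if __name__ == "__main__":
    # Usage: DD_API_KEY=... DD_APP_KEY=... [DD_SITE=datadoghq.eu] python dd_check.py <hostname>
    site = os.environ.get("DD_SITE", "datadoghq.com")
    api_key, app_key = os.environ["DD_API_KEY"], os.environ["DD_APP_KEY"]
    print("API key valid:", validate_api_key(site, api_key))
    for entry in search_host_logs(site, api_key, app_key, sys.argv[1]):
        attrs = entry.get("attributes", {})
        print(attrs.get("timestamp"), attrs.get("service"), str(attrs.get("message", ""))[:120])
```

If validate_api_key returns False, the value in DD_API_KEY is not a live API key (or is the Key ID); if the key validates but the search returns HTTP 403, the application key is wrong or its owning user lacks log-read access. An empty data list with no error usually means the hostname does not match what Datadog records in the host field, which is the same value Query searches on.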
Resources
Refer to the Datadog documentation on key management: https://docs.datadoghq.com/account_management/org_settings/
Updated 12 months ago