Datadog

Version: 1.0.3

Datadog is the essential monitoring and security platform for cloud applications. It brings together end-to-end traces, metrics, and logs to make your applications, infrastructure, and third-party services entirely observable. These capabilities help businesses secure their systems, avoid downtime, and ensure customers are getting the best user experience.

Connect Datadog with LogicHub

  1. Navigate to Automations > Integrations.
  2. Search for Datadog.
  3. Click Details, then the + icon. Enter the required information in the following fields.
    • Label: Enter a connection name.
    • Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com, where hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.
    • Verify SSL: Select whether to verify the connecting server's TLS certificate (Default is Verify SSL Certificate). Leave verification on: with it off, the API key and App key below are sent to whatever host answers for the Datadog endpoint.
    • Remote Agent: Run this integration using the LogicHub Remote Agent.
    • App Key: Application key created in Datadog for this instance. It is sent with every request alongside the API key, so treat it as a secret and create it for this integration rather than reusing a personal key.
    • API Key: API key required for authentication to Datadog.
  4. After you've entered all the details, click Connect.

Actions for Datadog

Get Security Signals

Fetches security signals that match a search query.

Input Field

Choose a connection that you have previously created, then fill in the following input fields to run the action. All inputs are required.

  • Query: Jinja-templated search query for listing security signals (Default is '*'). Example: host:{{column_name}}. A value substituted from a column becomes part of the query, so a value that contains search operators changes what the search matches; quote it when the column is not under your control.
  • Sort: Sort order for the results (Default is Chronological).
  • Limit: Maximum number of rows returned by the search (Default is 100000).
  • Start time: Jinja-templated, ISO 8601 minimum timestamp for the requested security signals (Default is the execution start time). Example: 2019-09-26T07:58:30.996+02:00
  • End time: Jinja-templated, ISO 8601 maximum timestamp for the requested security signals (Default is the execution end time). Example: 2019-09-26T07:58:30.996+02:00

Output

Each output row contains one security signal as a JSON object. The detection detail (matched entities, the rule that fired, first/last seen, sample log events and the related-logs query) sits under attributes.attributes; the top-level status, host, service and tags describe the signal itself; has_error and error report a per-row failure.

{
   "attributes":{
      "attributes":{
         "entities":[
            "@network.client.ip:172.17.0.1",
            "host:ubuntu"
         ],
         "groupByPaths":[
            "host"
         ],
         "http":{
            "method":"GET",
            "referer":"-",
            "status_code":200,
            "url_details":{
               "path":"/"
            },
            "useragent_details":{
               "browser":{
                  "family":"curl"
               },
               "device":{
                  "family":"Other"
               },
               "os":{
                  "family":"Other"
               }
            }
         },
         "network":{
            "client":{
               "ip":"172.17.0.1"
            }
         },
         "queries":[
            {
               "groupByPaths":[
                  "host"
               ],
               "query":"@http.status_code:200"
            }
         ],
         "relatedLogsQuery":{
            "from":"2021-02-16T08:05:07.000Z",
            "query":"@http.status_code:200 host:\"ubuntu\"",
            "to":"2021-02-17T08:20:07.000Z"
         },
         "samples":[
            {
               "content":{
                  "custom":{
                     "date_access":1613463607000,
                     "http":{
                        "method":"GET",
                        "referer":"-",
                        "status_category":"OK",
                        "status_code":200,
                        "url":"/",
                        "url_details":{
                           "path":"/"
                        },
                        "useragent":"curl/7.68.0",
                        "useragent_details":{
                           "browser":{
                              "family":"curl",
                              "major":"7",
                              "minor":"68",
                              "patch":"0"
                           },
                           "device":{
                              "category":"Other",
                              "family":"Other"
                           },
                           "os":{
                              "family":"Other"
                           }
                        },
                        "version":"1.1"
                     },
                     "network":{
                        "bytes_written":5,
                        "client":{
                           "ip":"172.17.0.1"
                        }
                     }
                  },
                  "host":"ubuntu",
                  "host_id":3881504510,
                  "ingest_size_in_bytes":329,
                  "message":"172.17.0.1 - - [16/Feb/2021:08:20:07 +0000] \"GET / HTTP/1.1\" 200 5 \"-\" \"curl/7.68.0\"",
                  "service":"webapp",
                  "source":"nginx",
                  "status":"ok",
                  "tags":[
                     "docker_image:datadog-ngix:latest",
                     "short_image:datadog-ngix",
                     "source:nginx",
                     "container_name:nginx",
                     "container_id:7c7325c142c880141ec3e31ad4bbfe8ae8815f902ced70635903ebfbdc50a708",
                     "image_tag:latest",
                     "image_name:datadog-ngix",
                     "service:webapp"
                  ],
                  "tiebreaker":-1157172501,
                  "timestamp":"2021-02-16T08:20:07.000Z"
               },
               "eventId":"AQAAAXep7NbYuwby6wAAAABBWGVwN05qNEFBQkZSajBTM25FYmlRQUE",
               "id":"AXep7Nj4AABFRj0S3nEbiQAA",
               "queryIndex":0,
               "trackKey":{
                  "orgId":536355,
                  "type":"logs"
               }
            }
         ],
         "title":"200 - case 2",
         "workflow":{
            "events_matched":1,
            "first_seen":"2021-02-16T08:20:07.000Z",
            "last_seen":"2021-02-16T08:20:07.000Z",
            "rule":{
               "detectionMethod":"threshold",
               "id":"dfn-nuv-z2j",
               "name":"200",
               "type":"Log Detection",
               "version":1
            }
         }
      },
      "host":"ubuntu",
      "message":"%%%\n200\n%%%",
      "service":[
         "webapp"
      ],
      "status":"critical",
      "tags":[
         "source:nginx",
         "docker_image:datadog-ngix:latest",
         "short_image:datadog-ngix",
         "source:nginx",
         "container_name:nginx",
         "container_id:7c7325c142c880141ec3e31ad4bbfe8ae8815f902ced70635903ebfbdc50a708",
         "image_tag:latest",
         "image_name:datadog-ngix",
         "service:webapp"
      ],
      "timestamp":"2021-02-16T08:20:11.188Z"
   },
   "error":null,
   "has_error":false,
   "id":"AQAAAXep7Oc0AAAAAAAAAABkZm4tbnV2LXoyai0xLUFYZXA3Tmo0QUFCRlJqMFMzbkViaVFBQQ",
   "type":"signal"
}
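The nesting above is awkward to consume in a playbook, so the following added example (not the integration's or Datadog's code) flattens one such row into a triage record and filters rows by severity. SAMPLE is a trimmed copy of the page's own sample signal with only the fields read here kept; SEVERITY_ORDER lists Datadog's signal severities from lowest to highest; the function and record names are this example's own.

```python
"""Flatten one Get Security Signals output row into a triage record.

Added example; not part of the LogicHub integration or of Datadog's client.
SAMPLE is a trimmed copy of the page's sample signal (only the fields read
here are kept). SEVERITY_ORDER is Datadog's signal severity scale, lowest
first; the record keys are this example's own.
"""

SAMPLE = {
    "attributes": {
        "attributes": {
            "entities": ["@network.client.ip:172.17.0.1", "host:ubuntu"],
            "relatedLogsQuery": {"from": "2021-02-16T08:05:07.000Z",
                                 "query": '@http.status_code:200 host:"ubuntu"',
                                 "to": "2021-02-17T08:20:07.000Z"},
            "samples": [{"content": {"message": '172.17.0.1 - - [16/Feb/2021:08:20:07 +0000] '
                                                '"GET / HTTP/1.1" 200 5 "-" "curl/7.68.0"',
                                     "service": "webapp", "source": "nginx"},
                         "id": "AXep7Nj4AABFRj0S3nEbiQAA"}],
            "title": "200 - case 2",
            "workflow": {"events_matched": 1,
                         "first_seen": "2021-02-16T08:20:07.000Z",
                         "last_seen": "2021-02-16T08:20:07.000Z",
                         "rule": {"detectionMethod": "threshold", "id": "dfn-nuv-z2j",
                                  "name": "200", "type": "Log Detection", "version": 1}},
        },
        "host": "ubuntu",
        "message": "%%%\n200\n%%%",
        "service": ["webapp"],
        "status": "critical",
        "tags": ["source:nginx", "docker_image:datadog-ngix:latest",
                 "container_name:nginx", "service:webapp"],
        "timestamp": "2021-02-16T08:20:11.188Z",
    },
    "error": None,
    "has_error": False,
    "id": "AQAAAXep7Oc0AAAAAAAAAABkZm4tbnV2LXoyai0xLUFYZXA3Tmo0QUFCRlJqMFMzbkViaVFBQQ",
    "type": "signal",
}

SEVERITY_ORDER = ["info", "low", "medium", "high", "critical"]


def split_entity(entity: str) -> tuple:
    """'@network.client.ip:172.17.0.1' -> ('network.client.ip', '172.17.0.1').

    A leading '@' marks a log attribute rather than a tag; drop it so the
    key can be reused as a lookup column.
    """
    key, _, value = entity.partition(":")
    return key.lstrip("@"), value


def triage_record(row: dict) -> dict:
    """Pull the fields an analyst needs out of the nested signal object."""
    if row.get("has_error") or row.get("error"):
        raise ValueError(f"signal row carries an error: {row.get('error')!r}")
    attrs = row["attributes"]
    detail = attrs.get("attributes", {})
    workflow = detail.get("workflow", {})
    rule = workflow.get("rule", {})
    return {
        "signal_id": row["id"],
        "status": attrs.get("status"),
        "title": detail.get("title"),
        "rule_id": rule.get("id"),
        "rule_name": rule.get("name"),
        "rule_type": rule.get("type"),
        "detection_method": rule.get("detectionMethod"),
        "host": attrs.get("host"),
        "services": list(attrs.get("service", [])),
        "entities": dict(split_entity(e) for e in detail.get("entities", [])),
        "events_matched": workflow.get("events_matched"),
        "first_seen": workflow.get("first_seen"),
        "last_seen": workflow.get("last_seen"),
        "related_logs_query": detail.get("relatedLogsQuery", {}).get("query"),
        "sample_messages": [s["content"]["message"] for s in detail.get("samples", [])
                            if "message" in s.get("content", {})],
        # tags are key:value; split on the first ':' only so 'docker_image:x:latest' keeps its value
        "tags": dict(t.split(":", 1) for t in attrs.get("tags", []) if ":" in t),
    }


def at_least(status: str, floor: str) -> bool:
    """True when `status` is at or above `floor` on the severity scale."""
    return SEVERITY_ORDER.index(status) >= SEVERITY_ORDER.index(floor)


def escalate(rows: list, floor: str = "high") -> list:
    """Triage records for rows at or above `floor`, highest severity first."""
    records = [triage_record(r) for r in rows if at_least(r["attributes"]["status"], floor)]
    return sorted(records, key=lambda r: SEVERITY_ORDER.index(r["status"]), reverse=True)


if __name__ == "__main__":
    for rec in escalate([SAMPLE]):
        print(rec["status"], rec["rule_id"], rec["rule_name"], rec["entities"])
```

The record keeps relatedLogsQuery verbatim so a later Search Logs step can pass it straight through as the Query input, and it raises on has_error rather than silently producing an empty record.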

Search Logs

Fetches logs that match a log search query.

Input Field

Choose a connection that you have previously created, then fill in the following input fields to run the action. All inputs are required.

  • Query: Jinja-templated log search query (Default is '*'). Example: host:{{column_name}}. As with Get Security Signals, a value substituted from a column becomes part of the query, so quote it when the column is not under your control.
  • Index: Jinja-templated text containing comma-separated log indices to search (Default is '*'). Example: {{column_name}}
  • Sort: Sort order for the results (Default is Chronological).
  • Limit: Maximum number of rows returned by the search (Default is 100000).
  • Start time: Jinja-templated, ISO 8601 minimum timestamp for the requested logs (Default is the execution start time). Example: 2019-09-26T07:58:30.996+02:00
  • End time: Jinja-templated, ISO 8601 maximum timestamp for the requested logs (Default is the execution end time). Example: 2019-09-26T07:58:30.996+02:00
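Both actions take the same Query / Sort / Limit / Start time / End time inputs, and Search Logs adds Index. The following added example (not LogicHub's integration code or Datadog's client) shows how those inputs map onto Datadog's v2 search requests and how a Limit larger than one page is satisfied by following the response cursor. It assumes the endpoints POST /api/v2/security_monitoring/signals/search and POST /api/v2/logs/events/search, which take a body with filter, sort and page and return the next cursor at meta.page.after; PER_PAGE, the sort labels, the escaping in quote_value and the FakeDatadog stand-in are this example's assumptions. quote_value is the fix for the Query caveat above: a column value is wrapped as a quoted phrase so it cannot widen the search.

```python
"""Build and page the Datadog v2 searches behind Get Security Signals and Search Logs.

Added example, not LogicHub's integration code or Datadog's client. Assumes the
v2 endpoints below, a {"filter", "sort", "page"} request body and a next-page
cursor at meta.page.after. PER_PAGE, SORT_MAP, quote_value's escaping rules and
FakeDatadog are assumptions for illustration.
"""
import json
import re

ENDPOINTS = {
    "signals": "/api/v2/security_monitoring/signals/search",
    "logs": "/api/v2/logs/events/search",
}
SORT_MAP = {"Chronological": "timestamp", "Reverse chronological": "-timestamp"}
PER_PAGE = 1000  # assumed per-request cap; the action's Limit spans pages
_PLACEHOLDER = re.compile(r"\{\{\s*(\w+)\s*\}\}")


def auth_headers(api_key: str, app_key: str) -> dict:
    """Both keys travel on every request, so both are secrets; never log them."""
    return {"DD-API-KEY": api_key, "DD-APPLICATION-KEY": app_key,
            "Content-Type": "application/json"}


def quote_value(value: str) -> str:
    """Quote a column value so it matches literally instead of being parsed as query syntax.

    Without this, host:{{column_name}} with column_name = 'ubuntu OR *' matches every row.
    Assumes phrase quoting with backslash escapes for backslash and double quote.
    """
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def render_query(template: str, row: dict) -> str:
    """Stand-in for the Jinja step: replace {{name}} with the quoted value of row[name]."""
    return _PLACEHOLDER.sub(lambda m: quote_value(str(row[m.group(1)])), template)


def search_body(action: str, query: str, start: str, end: str, sort: str = "Chronological",
                indexes: str = "*", limit: int = PER_PAGE, cursor=None) -> dict:
    """One request body; `indexes` is the comma-separated Index input and only applies to logs."""
    filt = {"query": query, "from": start, "to": end}
    if action == "logs":
        filt["indexes"] = [i.strip() for i in indexes.split(",") if i.strip()]
    body = {"filter": filt, "sort": SORT_MAP[sort], "page": {"limit": min(limit, PER_PAGE)}}
    if cursor:
        body["page"]["cursor"] = cursor
    return body


def fetch_all(client, action: str, limit: int, **kw) -> list:
    """Follow meta.page.after until `limit` rows are collected or the server runs out."""
    rows, cursor = [], None
    while len(rows) < limit:
        resp = client.post(ENDPOINTS[action],
                           search_body(action, limit=limit - len(rows), cursor=cursor, **kw))
        rows.extend(resp.get("data", []))
        cursor = resp.get("meta", {}).get("page", {}).get("after")
        if not cursor:
            break
    return rows[:limit]


class FakeDatadog:
    """Constructed stand-in for the API: serves `total` rows, honouring page.limit and page.cursor."""

    def __init__(self, total: int):
        self.total, self.calls = total, []

    def post(self, path: str, body: dict) -> dict:
        self.calls.append((path, json.loads(json.dumps(body))))
        start = int(body["page"].get("cursor") or 0)
        end = min(start + body["page"]["limit"], self.total)
        kind = "log" if path == ENDPOINTS["logs"] else "signal"
        data = [{"id": f"row-{i}", "type": kind} for i in range(start, end)]
        meta = {"page": {"after": str(end)}} if end < self.total else {}
        return {"data": data, "meta": meta}


if __name__ == "__main__":
    q = render_query("host:{{column_name}}", {"column_name": 'ubuntu" OR *'})
    rows = fetch_all(FakeDatadog(2500), "signals", 2300, query=q,
                     start="2021-02-16T08:05:07.000Z", end="2021-02-17T08:20:07.000Z")
    print(q, len(rows))
```

Against a real deployment, replace FakeDatadog with an HTTP client that posts JSON to the Datadog site the connection points at and passes auth_headers(api_key, app_key); the paging loop and the quoting do not change.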

Output

Each row contains a JSON log object.

{
   "attributes":{
      "attributes":{
         "hostname":"fa1e1e739d95"
      },
      "host":"fa1e1e739d95",
      "message":"hello world",
      "status":"info",
      "tags":[
         "source:agent",
         "env:prod",
         "env:prod",
         "user:joe.doe",
         "source:agent"
      ],
      "timestamp":"2021-02-16T02:30:46.022Z"
   },
   "error":null,
   "has_error":false,
   "id":"AQAAAXeorQAGojnJQQAAAABBWGVvclFBR0FBQlN1SEhvQmNsZDhBQUE",
   "type":"log"
}
