Many organizations have logs, metrics, and security events in Datadog, including key sources like UNIX/Linux syslog and Windows Event Logs. This data is sometimes valuable to investigations and audits, but either may not be present in the SIEM, or if it is, drives ingestion expenses and data duplication.
Query integrates with Datadog using Datadog’s public REST APIs for searching logs and events. (See our integration documentation here, and Datadog’s API docs at API Reference). Query will provide visibility to relevant logs and security events from your Datadog tenant. Query will normalize data pulled from Datadog into Query’s OCSF based QDM (Query Data Model) which then enables cross-platform joins.
With the Datadog integration added to Query’s federated search, Query will show you:
- All Events from Datadog Service Management for a device mapped to Security Findings in QDM. You can see key Datadog event fields like priority, status, service, message, and title get extracted and mapped into the Security Finding.
- Any process information logged centrally into Datadog from that device will be mapped to Process Activity in QDM. You can see key Datadog log fields like priority, service, and message get extracted and mapped into the Process Activity.
- Based upon additional integrations in your environment (for example, if you have Microsoft AD and Threat Intelligence sources integrated with Query in addition to DataDog), Query can show you
- Who is the user of the device and what is their role
- Additional alerts associated with the user or the device, such as based upon email, web, or file activity.
- Relevant follow up searches to get vulnerability, malware, and threat intelligence information associated with related entities like files, processes, and applications on that device.
The benefits of Datadog integration are:
- Improved search and enrichment capability of Datadog data
- Expansion of Datadog capabilities without incurring independent of technology challenges
- Eliminates need to duplicate data in Datadog and a SIEM
- Eliminates need to incur ingestion expenses from your SIEM for data in Datadog
- Allows Datadog data to be normalized and integrated with data from other data sources integrated with your Query instance