Datadog

The Datadog alert channel provides a unified view of your metrics, logs, and performance data combined with your cloud security data.

Follow the procedures described below to integrate Lacework and Datadog.

Create an API Key in Datadog for Lacework

Integrating Lacework and Datadog requires you to create an API key in Datadog. Ensure you create an API key, not an application key.

  1. Log in to the Datadog interface and navigate to Organization Settings > API Keys.
    You can also connect to https://app.datadoghq.com/organization-settings/api-keys.
  2. Click + New Key.
  3. In the popup window, add the name for the new API key.
  4. Click Create Key.
    This adds the new API key to the list.
  5. Verify the newly created API key. This is what you provide as input in the Lacework Console.

For additional information about Datadog, refer to their documentation: https://docs.datadoghq.com/account_management/api-app-keys/.

Create a Datadog Alert Channel from the Lacework Console

  1. Log in to the Lacework Console as a Lacework user with administrative privileges.
  2. Go to Settings > Notifications > Alert channels.
  3. Click + Add new.
  4. Select Datadog.
  5. Click Next.
  6. Follow the steps in the next section.

Create a Datadog Alert Channel

Ensure you already have a Datadog API key as described in Create an API Key in Datadog for Lacework. You can have as many channels as needed, but it is best to have a unique Datadog API key for each. Complete the following steps:

  1. Enter a unique name for the alert channel.
  2. Click Next.
  3. For Datadog Service, select Logs Detail (default), Logs Summary, or Events Summary.
  4. For Datadog Site, select com or eu. This determines where your logs are stored, either the US or Europe.
  5. For API Key, enter the API key that you created previously. This is required to submit metrics and alerts to Datadog.
  6. Click Save.
  7. Click Alert rules and configure your required alert routing details/options by leveraging the alert channel you created.

Select a Datadog Service to Use

If you have a Datadog license for logs, then you get the most functionality from the alert channel because you can index, search, add monitors, rehydrate, create dashboards, and perform other critical functions with the data. If you do not have a license for logs, then you can only view data in the event stream.

Summary vs. Detailed Data

Lacework recommends sending all detailed data because this results in higher log fidelity and more detail. If you want to trim data, however, you can send the summary.

View Lacework Data in the Datadog Dashboard

To view the data that Lacework sends, query it, and set up monitors or dashboards, log in to the Datadog Dashboard and then click Logs and Search. That screen should display a new source called Lacework.

The log data shows the JSON output of Lacework alerts. When viewing detailed alerts, you can see all information from the alert itself as you can in the Lacework Console. Inside the alert there are also links to the Lacework dashboard if more triage is needed.

Create a Lacework Datadog Alert Channel Using Terraform

For organizations using Terraform to manage their environments, Lacework maintains the Terraform provider for Lacework, which enables configuration of Lacework alert channels using automation.

If you are new to the Lacework Terraform Provider, or Lacework Terraform Modules, read through the Terraform for Lacework Overview to learn the basics on how to configure the provider, and more.

# Configure Datadog Alert Channel in Lacework
resource "lacework_alert_channel_datadog" "example" {
  name            = "Datadog Alert Channel Example"
  datadog_site    = "eu"             # "com" or "eu"
  datadog_service = "Events Summary" # or "Logs Detail", "Logs Summary"
  api_key         = "datadog-key"    # placeholder for your Datadog API key
}

Additional information on the lacework_alert_channel_datadog resource can be found on the Terraform Registry.
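
The following is an added example, not taken from the Lacework documentation or provider. It shows one way to follow the one-key-per-channel recommendation above while keeping the API keys out of the Terraform source. The variable names `datadog_channels` and `datadog_api_keys`, the channel names, and the resource label are hypothetical.

```hcl
terraform {
  required_providers {
    lacework = {
      source = "lacework/lacework"
    }
  }
}

# Non-secret settings per channel (hypothetical variable; constructed sample values).
variable "datadog_channels" {
  type = map(object({
    site    = string # "com" or "eu"
    service = string # "Logs Detail", "Logs Summary" or "Events Summary"
  }))
  default = {
    "prod-logs"  = { site = "com", service = "Logs Detail" }
    "eu-summary" = { site = "eu", service = "Events Summary" }
  }

  # Reject values the alert channel form does not offer before any API call is made.
  validation {
    condition = alltrue([
      for c in values(var.datadog_channels) :
      contains(["com", "eu"], c.site) &&
      contains(["Logs Detail", "Logs Summary", "Events Summary"], c.service)
    ])
    error_message = "Each channel needs site com or eu and a supported Datadog service."
  }
}

# One Datadog API key per channel, keyed by the same names as above (hypothetical variable).
# Supply at run time, for example through TF_VAR_datadog_api_keys, not in the code.
variable "datadog_api_keys" {
  type      = map(string)
  sensitive = true
}

resource "lacework_alert_channel_datadog" "channel" {
  # Iterate over the non-sensitive map; sensitive values cannot drive for_each.
  for_each = var.datadog_channels

  name            = "Datadog ${each.key}"
  datadog_site    = each.value.site
  datadog_service = each.value.service
  api_key         = var.datadog_api_keys[each.key]
}
```

Marking the variable as sensitive keeps the keys out of plan and apply output, but Terraform still writes them to state, so the state backend needs the same access controls as the keys themselves.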