Collect Datadog logs

This document explains how to ingest Datadog logs to Google Security Operations. Datadog is a cloud-based monitoring and analytics platform that collects metrics, traces, and logs from applications, infrastructure, and cloud services. You can share Datadog logs to Google SecOps using either Cloud Storage or a webhook.

Before you begin

Ensure that you have the following prerequisites:

  • A Google SecOps instance
  • Privileged user access to Datadog
  • Access to Google Cloud console (for API key creation or Cloud Storage configuration)

Option 1: Datadog log sharing through Cloud Storage configuration

Configure Datadog integration with Google Cloud

Set up an integration for Google Cloud in Datadog. For more information, see the Datadog Google Cloud integration setup.

Create a Cloud Storage Bucket

  1. Sign in to the Google Cloud console.
  2. Go to the Cloud Storage Buckets page.

    Go to Buckets

  3. Click Create.

  4. On the Create a bucket page, enter your bucket information. After each of the following steps, click Continue to proceed to the next step:

    1. In the Get started section, do the following:

      1. Enter a unique name that meets the bucket name requirements (for example, datadog-data).
      2. To enable hierarchical namespace, click the expander arrow to expand the Optimize for file-oriented and data-intensive workloads section, and then select Enable Hierarchical namespace on this bucket.

      3. To add a bucket label, click the expander arrow to expand the Labels section.

      4. Click Add label, and specify a key and a value for your label.

    2. In the Choose where to store your data section, do the following:

      1. Select a Location type.
      2. Use the location type drop-down to select a Location where object data within your bucket will be permanently stored.
    3. In the Choose a storage class for your data section, either select a default storage class for the bucket, or select Autoclass for automatic storage class management of your bucket's data.

    4. In the Choose how to control access to objects section, select not to enforce public access prevention, and select an access control model for your bucket's objects.

    5. In the Choose how to protect object data section, do the following:

      1. Select any of the options under Data protection that you want to set for your bucket.
      2. To choose how your object data will be encrypted, click the expander arrow labeled Data encryption, and select a Data encryption method.
  5. Click Create.

Create a Google Cloud Service Account

  1. Go to IAM & Admin > Service Accounts.
  2. Create a new service account.
  3. Give it a descriptive name (for example, datadog-user).
  4. Grant the service account the Storage Object Admin role on the Cloud Storage bucket you created in the previous step.
  5. Create a key for the service account and select JSON as the key type.
  6. Download the JSON key file for the service account. Keep this file secure.

Configure Datadog to send logs to Cloud Storage

  1. Sign in to Datadog using a privileged account.
  2. Go to Logs > Log Forwarding.
  3. Click + Create New Archive.
  4. Select Google Cloud Storage.
  5. Input the required parameters and click Save.

Configure a feed in Google SecOps to ingest logs from the Cloud Storage bucket

  1. Go to SIEM Settings > Feeds.
  2. Click Add New Feed.
  3. On the next page, click Configure a single feed.
  4. In the Feed name field, enter a name for the feed (for example, Datadog Logs GCS).
  5. Select Google Cloud Storage V2 as the Source type.
  6. Select Datadog as the Log type.
  7. Click Get Service Account to obtain the unique service account for this feed.
  8. Grant this service account the Storage Object Viewer role on the Cloud Storage bucket created earlier.
  9. Click Next.
  10. Specify values for the following input parameters:
    • Storage Bucket URI: The Cloud Storage bucket URI in the format gs://datadog-data.
    • Source deletion option: Select the deletion option according to your preference.
    • Maximum File Age: Include files modified in the last number of days. Default is 180 days.
    • Asset namespace: The asset namespace.
    • Ingestion labels: The label applied to the events from this feed.
  11. Click Next.
  12. Review the feed configuration in the Finalize screen, and then click Submit.

Option 2: Datadog log sharing through Webhook configuration

Set up feeds

To configure a feed, follow these steps:

  1. Go to SIEM Settings > Feeds.
  2. Click Add New Feed.
  3. On the next page, click Configure a single feed.
  4. In the Feed name field, enter a name for the feed (for example, Datadog Logs).
  5. Select Webhook as the Source type.
  6. Select Datadog as the Log type.
  7. Click Next.
  8. Optional: Specify values for the following input parameters:
    • Split delimiter: the delimiter that is used to separate log lines, such as \n.
  9. Click Next.
  10. Review the feed configuration in the Finalize screen, and then click Submit.
  11. Click Generate Secret Key to generate a secret key to authenticate this feed.
  12. Copy and store the secret key. You cannot view this secret key again. If needed, you can regenerate a new secret key, but this action makes the previous secret key obsolete.
  13. From the Details tab, copy the feed endpoint URL from the Endpoint Information field. You need to specify this endpoint URL in your client application.
  14. Click Done.

Create an API key for the webhook feed

  1. In the Google Cloud console, go to Credentials.
  2. Click Create credentials, and then select API key.
  3. Restrict the API key access to the Chronicle API.

Specify the endpoint URL

  1. In your client application, specify the HTTPS endpoint URL provided in the webhook feed.
  2. Enable authentication by specifying the API key and secret key as custom headers in the following format:

    X-goog-api-key = API_KEY
    X-Webhook-Access-Key = SECRET
    

    Recommendation: Specify the API key as a header instead of specifying it in the URL.

  3. If your webhook client doesn't support custom headers, you can specify the API key and secret key using query parameters in the following format:

    ENDPOINT_URL?key=API_KEY&secret=SECRET
    

    Replace the following:

    • ENDPOINT_URL: the feed endpoint URL.
    • API_KEY: the API key to authenticate to Google Security Operations.
    • SECRET: the secret key that you generated to authenticate the feed.
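An added example, not code from the Google SecOps or Datadog documentation, that prepares a webhook POST in both forms described above: credentials in the X-goog-api-key and X-Webhook-Access-Key headers (the recommended form) or in the key and secret query parameters (the fallback). The endpoint URL, API key, secret and sample events are constructed placeholders.

```python
import json
import urllib.parse
import urllib.request

# Constructed placeholders: replace with the endpoint URL from the feed's
# Details tab, the restricted API key, and the generated secret key.
ENDPOINT_URL = "https://webhook.example/feed-endpoint"
API_KEY = "API_KEY_PLACEHOLDER"
SECRET = "SECRET_PLACEHOLDER"

# Constructed sample Datadog log events; not real data.
SAMPLE_EVENTS = [
    {"date": "2024-01-01T00:00:00Z", "service": "web", "status": "info", "message": "ok"},
    {"date": "2024-01-01T00:00:01Z", "service": "web", "status": "warn", "message": "slow"},
]


def build_request(endpoint, api_key, secret, events, use_headers=True):
    """Return the URL, headers and body for one webhook POST (nothing is sent).

    use_headers=True  -> credentials in custom headers (the recommended form).
    use_headers=False -> credentials as key/secret query parameters, only for
                         clients that cannot set custom headers.
    Events are serialised one JSON object per line so that a feed configured
    with a newline Split delimiter separates them into individual entries.
    """
    body = "\n".join(json.dumps(e, separators=(",", ":")) for e in events).encode()
    headers = {"Content-Type": "application/json"}
    url = endpoint
    if use_headers:
        headers["X-goog-api-key"] = api_key
        headers["X-Webhook-Access-Key"] = secret
    else:
        url = endpoint + "?" + urllib.parse.urlencode({"key": api_key, "secret": secret})
    return {"url": url, "headers": headers, "body": body}


def credentials_in_url(request):
    """True when key or secret travel in the query string, where proxies and
    access logs commonly record them; a check worth running before go-live."""
    query = urllib.parse.parse_qs(urllib.parse.urlparse(request["url"]).query)
    return "key" in query or "secret" in query


def send(request, timeout=10):
    """POST the prepared request and return the HTTP status code."""
    req = urllib.request.Request(request["url"], data=request["body"],
                                 headers=request["headers"], method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


if __name__ == "__main__":
    prepared = build_request(ENDPOINT_URL, API_KEY, SECRET, SAMPLE_EVENTS)
    # With the header form the URL carries no credentials.
    print(prepared["url"], credentials_in_url(prepared))
```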

Configure Datadog to send logs to webhook

  1. Sign in to Datadog using a privileged account.
  2. Go to Logs > Log Forwarding.
  3. Select Custom Destinations.
  4. Click + Create a New Destination.
  5. Specify values for the following input parameters:
    • Choose a destination type: Select HTTP.
    • Name the destination: Provide a descriptive name for the webhook (for example, Google SecOps Webhook).
    • Configure the destination: Paste the feed ENDPOINT_URL. Choose one of the following authentication options (not both):
      • Option A (recommended): leave the URL without credentials and pass API_KEY and SECRET as custom headers (configured in the next step).
      • Option B: append the credentials to the URL as query parameters, in the format ENDPOINT_URL?key=API_KEY&secret=SECRET. Use this only if the client cannot send custom headers.
    • Configure authentication settings: Datadog requires at least one authentication header to save the destination. Add the following header. The webhook endpoint ignores it, so it does not affect the request.
      • Header name: Authorization.
      • Header value: application/json.
  6. Click Save.

UDM mapping table

| Log field | UDM mapping | Logic |
| --- | --- | --- |
| additional_field | additional.fields | Merged |
| anonymous_label | additional.fields | Merged |
| as_domain_label | additional.fields | Merged |
| as_name_label | additional.fields | Merged |
| as_number_label | additional.fields | Merged |
| as_type_label | additional.fields | Merged |
| auth_method_label | additional.fields | Merged |
| category_label | additional.fields | Merged |
| emitted_source_label | additional.fields | Merged |
| event_type_label | additional.fields | Merged |
| geo_continent_code_label | additional.fields | Merged |
| geo_continent_label | additional.fields | Merged |
| geo_continent_name_label | additional.fields | Merged |
| geo_country_code_label | additional.fields | Merged |
| geo_latitude_label | additional.fields | Merged |
| geo_longitude_label | additional.fields | Merged |
| geo_subdivision_code_label | additional.fields | Merged |
| geo_subdivision_name_label | additional.fields | Merged |
| geo_timezone_label | additional.fields | Merged |
| http_level_label | additional.fields | Merged |
| indicator_label | additional.fields | Merged |
| indicators_matched_label | additional.fields | Merged |
| infrastructure_label | additional.fields | Merged |
| intention_label | additional.fields | Merged |
| iso_code_label | additional.fields | Merged |
| new_template_variable_name_label | additional.fields | Merged |
| new_template_variable_preset_name_label | additional.fields | Merged |
| new_template_variable_value_label | additional.fields | Merged |
| new_widget_definition_background_color_label | additional.fields | Merged |
| new_widget_definition_layout_type_label | additional.fields | Merged |
| new_widget_definition_show_title_label | additional.fields | Merged |
| new_widget_definition_title_label | additional.fields | Merged |
| new_widget_definition_type_label | additional.fields | Merged |
| new_widget_id_label | additional.fields | Merged |
| new_widget_layout_height_label | additional.fields | Merged |
| new_widget_layout_width_label | additional.fields | Merged |
| new_widget_layout_x_label | additional.fields | Merged |
| new_widget_layout_y_label | additional.fields | Merged |
| record_attributes_asset_id_label | additional.fields | Merged |
| record_attributes_asset_name_label | additional.fields | Merged |
| record_attributes_asset_new_value_dashboard_definition_author_handle_label | additional.fields | Merged |
| record_attributes_asset_new_value_dashboard_definition_author_name_label | additional.fields | Merged |
| record_attributes_asset_new_value_dashboard_definition_description_label | additional.fields | Merged |
| record_attributes_asset_new_value_dashboard_definition_id_label | additional.fields | Merged |
| record_attributes_asset_new_value_dashboard_definition_reflow_type_label | additional.fields | Merged |
| record_attributes_asset_new_value_dashboard_definition_title_label | additional.fields | Merged |
| record_attributes_asset_new_value_dashboard_definition_url_label | additional.fields | Merged |
| record_attributes_asset_prev_value_dashboard_definition_author_handle_label | additional.fields | Merged |
| record_attributes_asset_prev_value_dashboard_definition_author_name_label | additional.fields | Merged |
| record_attributes_asset_prev_value_dashboard_definition_description_label | additional.fields | Merged |
| record_attributes_asset_prev_value_dashboard_definition_id_label | additional.fields | Merged |
| record_attributes_asset_prev_value_dashboard_definition_reflow_type_label | additional.fields | Merged |
| record_attributes_asset_prev_value_dashboard_definition_title_label | additional.fields | Merged |
| record_attributes_asset_prev_value_dashboard_definition_url_label | additional.fields | Merged |
| record_attributes_asset_type_label | additional.fields | Merged |
| record_attributes_contextMap_cfRay_label | additional.fields | Merged |
| record_attributes_contextMap_tradingAccountId_label | additional.fields | Merged |
| record_attributes_evt_name_label | additional.fields | Merged |
| record_attributes_network_client_geoip_as_number_label | additional.fields | Merged |
| record_attributes_network_client_geoip_as_type_label | additional.fields | Merged |
| record_attributes_network_client_geoip_location_latitude_label | additional.fields | Merged |
| record_attributes_network_client_geoip_location_longitude_label | additional.fields | Merged |
| record_attributes_network_client_geoip_subdivision_iso_code_label | additional.fields | Merged |
| record_attributes_network_client_geoip_subdivision_name_label | additional.fields | Merged |
| record_attributes_network_client_geoip_timezone_label | additional.fields | Merged |
| record_trace_id_label | additional.fields | Merged |
| request_id_label | additional.fields | Merged |
| risk_label | additional.fields | Merged |
| service_label | additional.fields | Merged |
| source_name_label | additional.fields | Merged |
| source_type_label | additional.fields | Merged |
| source_url_label | additional.fields | Merged |
| span_id_label | additional.fields | Merged |
| symbol_label | additional.fields | Merged |
| tag_label | additional.fields | Merged |
| template_variable_name_label | additional.fields | Merged |
| template_variable_preset_name_label | additional.fields | Merged |
| template_variable_value_label | additional.fields | Merged |
| timezone_label | additional.fields | Merged |
| tunnels_operator_label | additional.fields | Merged |
| tunnels_type_label | additional.fields | Merged |
| type_label | additional.fields | Merged |
| type_label1 | additional.fields | Merged |
| url_details_host_label | additional.fields | Merged |
| url_details_path_label | additional.fields | Merged |
| user_created_timestamp_label | additional.fields | Merged |
| widget_definition_background_color_label | additional.fields | Merged |
| widget_definition_layout_type_label | additional.fields | Merged |
| widget_definition_show_title_label | additional.fields | Merged |
| widget_definition_title_label | additional.fields | Merged |
| widget_definition_type_label | additional.fields | Merged |
| widget_id_label | additional.fields | Merged |
| widget_layout_height_label | additional.fields | Merged |
| widget_layout_width_label | additional.fields | Merged |
| widget_layout_x_label | additional.fields | Merged |
| widget_layout_y_label | additional.fields | Merged |
| eventMessage | metadata.description | Directly mapped |
| date1 | metadata.event_timestamp | Parsed as ISO8601 |
| record.date1 | metadata.event_timestamp | Parsed as ISO8601 |
| event_type | metadata.event_type | Directly mapped |
| has_principal | metadata.event_type | Mapped: true → NETWORK_CONNECTION, true → STATUS_UPDATE |
| has_user | metadata.event_type | Mapped: true → USER_UNCATEGORIZED |
| attributes._trace.origin.operation | metadata.product_event_type | Directly mapped |
| eventType | metadata.product_event_type | Directly mapped |
| record_attributes_contextMap_eventType | metadata.product_event_type | Directly mapped |
| source | metadata.product_event_type | Directly mapped |
| _id | metadata.product_log_id | Directly mapped |
| record_attributes_thread_id | metadata.product_log_id | Directly mapped |
| threadID | metadata.product_log_id | Directly mapped |
| service | metadata.product_name | Directly mapped |
| attributes.@version | metadata.product_version | Directly mapped |
| attributes.http.method | network.http.method | Directly mapped |
| agnt | network.http.parsed_user_agent | Directly mapped |
| record_attributes_contextMap_userAgent | network.http.parsed_user_agent | Directly mapped |
| attributes.http.status_code | network.http.response_code | Renamed/mapped |
| agnt | network.http.user_agent | Directly mapped |
| attributes.http.useragent | network.http.user_agent | Directly mapped |
| record_attributes_contextMap_userAgent | network.http.user_agent | Directly mapped |
| attributes.logger_name | principal.application | Directly mapped |
| service | principal.application | Directly mapped |
| attributes._trace.baggage.device_id | principal.asset.asset_id | Directly mapped |
| attributes.metadata.host_metadata.hostname | principal.asset.hostname | Directly mapped |
| attributes.usr.id | principal.asset.hostname | Directly mapped |
| attributes.network.client.geoip.ipAddress | principal.asset.ip | Merged |
| attributes.network.client.ip | principal.asset.ip | Merged |
| ip1 | principal.asset.ip | Merged |
| ipAddress | principal.asset.ip | Directly mapped |
| principal_ip_address | principal.asset.ip | Merged |
| record_attributes_network_client_ip | principal.asset.ip | Merged |
| org | principal.group.group_display_name | Directly mapped |
| attributes.org.uuid | principal.group.product_object_id | Directly mapped |
| attributes.metadata.host_metadata.hostname | principal.hostname | Directly mapped |
| attributes.usr.id | principal.hostname | Directly mapped |
| host | principal.hostname | Directly mapped |
| record_host | principal.hostname | Directly mapped |
| attributes.network.client.geoip.ipAddress | principal.ip | Merged |
| attributes.network.client.ip | principal.ip | Merged |
| ip1 | principal.ip | Merged |
| ipAddress | principal.ip | Directly mapped |
| principal_ip_address | principal.ip | Merged |
| record_attributes_network_client_ip | principal.ip | Merged |
| record_attributes_http_url_details_host_label | principal.labels | Merged |
| record_attributes_http_url_details_path_label | principal.labels | Merged |
| record_attributes_http_useragent_label | principal.labels | Merged |
| record_attributes_network_client_geoip_as_domain_label | principal.labels | Merged |
| record_attributes_network_client_geoip_as_route_label | principal.labels | Merged |
| record_attributes_network_client_geoip_city_name_label | principal.labels | Merged |
| record_attributes_network_client_geoip_continent_code_label | principal.labels | Merged |
| record_attributes_network_client_geoip_continent_name_label | principal.labels | Merged |
| record_attributes_network_client_geoip_country_iso_code_label | principal.labels | Merged |
| record_attributes_network_client_geoip_country_name_label | principal.labels | Merged |
| record_attributes_usr_id_label | principal.labels | Merged |
| attributes.network.client.geoip.city.name | principal.location.city | Directly mapped |
| attributes.network.client.geoip.country.name | principal.location.country_or_region | Directly mapped |
| port | principal.port | Renamed/mapped |
| client_as_route_label | principal.resource.attribute.labels | Merged |
| client_type_label | principal.resource.attribute.labels | Merged |
| org_name_label | principal.resource.attribute.labels | Merged |
| record_attributes_usr_uuid_label | principal.user.attribute.labels | Merged |
| roles | principal.user.attribute.roles | Merged |
| attributes.usr.email | principal.user.email_addresses | Merged |
| email_id | principal.user.email_addresses | Merged |
| record_attributes_usr_email | principal.user.email_addresses | Merged |
| attributes.evt.actor.type | principal.user.role_name | Directly mapped |
| attributes.metadata.user_uuid | principal.user.userid | Directly mapped |
| attributes.usr.uuid | principal.user.userid | Directly mapped |
| record_attributes_contextMap_user | principal.user.userid | Directly mapped |
| user | principal.user.userid | Directly mapped |
| BusArch_label | security_result.about.resource.attribute.labels | Merged |
| CANDBVersion_label | security_result.about.resource.attribute.labels | Merged |
| alert_label | security_result.about.resource.attribute.labels | Merged |
| caller_label | security_result.about.resource.attribute.labels | Merged |
| component_label | security_result.about.resource.attribute.labels | Merged |
| esn_label | security_result.about.resource.attribute.labels | Merged |
| ftcpVersion_label | security_result.about.resource.attribute.labels | Merged |
| ingestMessageId_label | security_result.about.resource.attribute.labels | Merged |
| label | security_result.about.resource.attribute.labels | Merged |
| level_label | security_result.about.resource.attribute.labels | Merged |
| msg_label | security_result.about.resource.attribute.labels | Merged |
| query_label | security_result.about.resource.attribute.labels | Merged |
| redactedVin_label | security_result.about.resource.attribute.labels | Merged |
| updated_query_label | security_result.about.resource.attribute.labels | Merged |
| vehicleId_label | security_result.about.resource.attribute.labels | Merged |
| category1 | security_result.category_details | Merged |
| _id_label | security_result.detection_fields | Merged |
| action_label | security_result.detection_fields | Merged |
| org_uuid_label | security_result.detection_fields | Merged |
| record_attributes_http_method_label | security_result.detection_fields | Merged |
| record_message_label | security_result.detection_fields | Merged |
| record_source_label | security_result.detection_fields | Merged |
| record_status_label | security_result.detection_fields | Merged |
| status | security_result.severity | Mapped: "INFO", "DEBUG", "debug", "info" → LOW; (?i)WARN → MEDIUM |
| status | security_result.severity_details | Directly mapped |
| context.AlertName | security_result.threat_name | Directly mapped |
| src_ip_address | src.ip | Merged |
| record_attributes_contextMap_dd_service | target.application | Directly mapped |
| target_ip_address | target.asset.ip | Mapped: if it matches ^(?:[0-9]{1,3}[.]){3}[0-9]{1,3}$ → target_ip_address |
| target_ip_address | target.ip | Mapped: if it matches ^(?:[0-9]{1,3}[.]){3}[0-9]{1,3}$ → target_ip_address |
| record_attributes_contextMap_dd_version | target.platform_version | Directly mapped |
| logger_fqcn_label | target.resource.attribute.labels | Merged |
| logger_label | target.resource.attribute.labels | Merged |
| modified_fields_label | target.resource.attribute.labels | Merged |
| asset_name | target.resource.name | Directly mapped |
| asset_id | target.resource.product_object_id | Directly mapped |
| asset_type | target.resource.type | Directly mapped |
| record_attributes_contextMap_dd_env | target.resource.type | Directly mapped |
| record_attributes_contextMap_userId | target.user.userid | Directly mapped |
| record_attributes_user | target.user.userid | Directly mapped |
| N/A | metadata.event_type | Constant: NETWORK_CONNECTION |
| N/A | network.http.parsed_user_agent | Constant: parseduseragent |
| N/A | security_result.severity | Constant: LOW |