Datadog

This integration allows sending all threat notifications and workflow evaluations to Datadog using the HTTP Logs endpoint.

Steps to set up the Verosint integration with Datadog:

Log in to Verosint and navigate to the workspace settings page.
Click Add next to the Datadog logo on the SIEM Logs card

Fill out the required details

URL: The URL of the HTTP Logs intake endpoint. The default value is shown for the US1 region. You can use the linked page to change the region and find the appropriate URL if the default is not acceptable. The full list of intake endpoints (see the above link for the up-to-date list):

Region	URL
US1	`https://http-intake.logs.datadoghq.com/api/v2/logs`
US3	`https://http-intake.logs.us3.datadoghq.com/api/v2/logs`
US5	`https://http-intake.logs.us5.datadoghq.com/api/v2/logs`
EU	`https://http-intake.logs.datadoghq.eu/api/v2/logs`
AP1	`https://http-intake.logs.ap1.datadoghq.com/api/v2/logs`
US1-FED	`https://http-intake.logs.ddog-gov.com/api/v2/logs`

API Key: The API key that is authorized to send logs.
Tags: Tags that should be sent with each threat notification (optional).
Events to Send: The event types to send.

Example Datadog SIEM Logs dialog

📘
Testing Notifications
It is recommended to send a test notification to validate that all parameters are set correctly. It will also enable the Datadog administrator to see and configure alerts based on the attributes of the threat notification.

Datadog Attributes Populated In Threat Notifications

Attribute Name	Value
`ddsource`	`verosint`
`ddtags`	`source:verosint` in addition to the configured tags
`evt.category`	`threat`
`evt.name`	Name of the threat such as `CREDENTIAL_STUFFING`
`evt.outcome`	The status of the threat such as `STARTED` or `ENDED`
`hostname`	`api.verosint.com`
`message`	JSON formatted with the following properties \n`url`: the URL of the threat in the Verosint app \n`timestamp`: the timestamp of the threat in the UTC timezone \n`threat`: the details of the threat as a JSON object
`service`	`verosint`

Datadog Attributes Populated in Workflow Evaluations

Attribute Name	Value	Optional
`ddsource`	`verosint`
`ddtags`	`source:verosint` in addition to the configured tags
`evt.name`	`workflow_evaluation`
`evt.outcome`	The outcome of the workflow evaluation, e.g. `Allow`
`hostname`	`api.verosint.com`
`message`	JSON formatted workflow evaluation
`network.geoip.country.iso_code`	Identifies the two-letter country code (ISO 3166-1) from which an IP address is located	✅
`network.geoip.city.name`	Identifies the city in which the IP address is located	✅
`network.geoip.region.iso_code`	Identifies the geographical region (state/province) in which the IP is located	✅
`service`	`verosint`
`usr.email`	The email address
`usr.id`	The account ID	✅

ℹ️
Optional Attributes
Some attributes are only present in the log if the corresponding identifier - such as IP address - was used in the workflow evaluation

🚧
Format of the Message Attribute
The message attribute contains the entire workflow evaluation payload in a JSON format. The format may be subject to change without notice.