Datadog
This integration allows sending all threat notifications and workflow evaluations to Datadog using the HTTP Logs endpoint.
Steps to set up the Verosint integration with Datadog:
- Log in to Verosint and navigate to the workspace settings page.
- Click Add next to the Datadog logo on the SIEM Logs card.
- Fill out the required details:
  - URL: The URL of the HTTP Logs intake endpoint. The default value is shown for the US1 region. You can use the linked page to change the region and find the appropriate URL if the default is not acceptable. The full list of intake endpoints (see the above link for the up-to-date list):

    Region | URL |
    ---|---|
    US1 | https://http-intake.logs.datadoghq.com/api/v2/logs |
    US3 | https://http-intake.logs.us3.datadoghq.com/api/v2/logs |
    US5 | https://http-intake.logs.us5.datadoghq.com/api/v2/logs |
    EU | https://http-intake.logs.datadoghq.eu/api/v2/logs |
    AP1 | https://http-intake.logs.ap1.datadoghq.com/api/v2/logs |
    US1-FED | https://http-intake.logs.ddog-gov.com/api/v2/logs |

  - API Key: The API key that is authorized to send logs.
  - Tags: Tags that should be sent with each threat notification (optional).
  - Events to Send: The event types to send.

Example Datadog SIEM Logs dialog
Testing Notifications
It is recommended to send a test notification to validate that all parameters are set correctly. It will also enable the Datadog administrator to see and configure alerts based on the attributes of the threat notification.
Datadog Attributes Populated In Threat Notifications
Attribute Name | Value |
---|---|
ddsource | verosint |
ddtags | source:verosint in addition to the configured tags |
evt.category | threat |
evt.name | Name of the threat such as CREDENTIAL_STUFFING |
evt.outcome | The status of the threat such as STARTED or ENDED |
hostname | api.verosint.com |
message | JSON formatted with the following properties: `url`: the URL of the threat in the Verosint app; `timestamp`: the timestamp of the threat in the UTC timezone; `threat`: the details of the threat as a JSON object |
service | verosint |
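
As an added example (not Verosint or Datadog code), the following sketch shows one way to consume these threat notifications after exporting them from Datadog: it keeps only events carrying the fixed attribute values from the table above and tracks which threats have STARTED without a matching ENDED. It assumes each event is a dictionary whose attributes are either flat dotted keys or nested objects and that `ddtags` is a comma-separated string; `EXAMPLE_THREAT`, the sample URL and the sample events are constructed.

```python
import json

EXPECTED = {"ddsource": "verosint", "service": "verosint", "evt.category": "threat"}  # per the table

def attr(event, dotted):
    """Read an attribute stored as a flat dotted key or as nested objects."""
    if dotted in event:
        return event[dotted]
    node = event
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

def parse_threat(event):
    """Return (name, outcome, details) for a Verosint threat log, else None."""
    if any(attr(event, key) != value for key, value in EXPECTED.items()):
        return None
    tags = [t.strip() for t in str(attr(event, "ddtags") or "").split(",")]
    name, outcome = attr(event, "evt.name"), attr(event, "evt.outcome")
    if "source:verosint" not in tags or not name or not outcome:
        return None
    try:  # message is documented as JSON; tolerate a missing or malformed one
        msg = json.loads(attr(event, "message"))
    except (TypeError, ValueError):
        msg = None
    msg = msg if isinstance(msg, dict) else {}
    return name, outcome, {k: msg.get(k) for k in ("url", "timestamp", "threat")}

def open_threats(events):
    """Threats that STARTED and have not ENDED, keyed by evt.name (assumed unique)."""
    active = {}
    for name, outcome, details in filter(None, map(parse_threat, events)):
        if outcome == "STARTED":
            active[name] = details
        elif outcome == "ENDED":
            active.pop(name, None)
    return active

# Constructed sample events, not real Verosint output.
BASE = {"ddsource": "verosint", "service": "verosint", "ddtags": "env:test,source:verosint"}
MSG = json.dumps({"url": "https://app.example/threat/1", "timestamp": "2024-01-01T00:00:00Z", "threat": {}})
SAMPLE = [
    {**BASE, "evt.category": "threat", "evt.name": "CREDENTIAL_STUFFING", "evt.outcome": "STARTED", "message": MSG},
    {**BASE, "evt": {"category": "threat", "name": "EXAMPLE_THREAT", "outcome": "STARTED"}, "message": "not json"},
    {**BASE, "ddsource": "other", "evt.category": "threat", "evt.name": "CREDENTIAL_STUFFING", "evt.outcome": "ENDED"},
    {**BASE, "evt": {"category": "threat", "name": "EXAMPLE_THREAT", "outcome": "ENDED"}, "message": "{}"},
]
```
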
Datadog Attributes Populated in Workflow Evaluations
Attribute Name | Value | Optional |
---|---|---|
ddsource | verosint | |
ddtags | source:verosint in addition to the configured tags | |
evt.name | workflow_evaluation | |
evt.outcome | The outcome of the workflow evaluation, e.g. Allow | |
hostname | api.verosint.com | |
message | JSON formatted workflow evaluation | |
network.geoip.country.iso_code | The two-letter country code (ISO 3166-1) of the country in which the IP address is located | ✅ |
network.geoip.city.name | Identifies the city in which the IP address is located | ✅ |
network.geoip.region.iso_code | Identifies the geographical region (state/province) in which the IP is located | ✅ |
service | verosint | |
usr.email | The email address | |
usr.id | The account ID | ✅ |
Optional Attributes
Some attributes are only present in the log if the corresponding identifier, such as IP address, was used in the workflow evaluation.
Format of the Message Attribute
The message attribute contains the entire workflow evaluation payload in a JSON format. The format may be subject to change without notice.