Lacework & Datadog Integration

A unified view of metrics and logs, along with performance and cloud security data

Performance and Security Data in a Single View

 

This two-way integration gives any modern architecture a unified view of metrics, logs, and performance data alongside cloud security data. This includes:

  • A single view of metrics, alerts, logs, and performance data combined with security data
  • The ability to combine data across different sources to answer complex questions
  • Archiving of logs with the ability to rehydrate (index) past logs/events
  • Routing of alerts/escalations through a standard path
  • Complex rules and alerting based on Datadog infrastructure and combined data
  • The ability to identify containers/hosts that are not running Lacework
  • The ability to build custom security dashboards in Datadog based on Lacework data

 

Integration Details

Section 1: Creating an API Key in Datadog for Lacework

 

  • Create an integration API key for Lacework within the Datadog (DD) UI. You can do this by visiting Integrations from the UI, and then APIs, or by connecting to https://app.datadoghq.com/account/settings#api
  • Make sure to create an API key, not an Application key

 


 

  • Click on API Keys, and add the name of the new API key

 


 

  • You will now see a new API key in the list:

 


 

  • Move your cursor over the purple area, and your API key will be visible. This is what you will need as input for the Lacework UI

 

Section 2: Setting up the Datadog Integration in Lacework

Within the Lacework UI, visit Integrations via the configuration menu, and you will see a new integration called Datadog in the outgoing section of the UI.

Once you select this, you simply need to click on Add Integration and you will see the following:

 


 

You can have as many integrations as you like, but it is best to have a unique Datadog API key for each. In this screen, you will need to add the following items:

  • Name = The name you want to assign to the integration
  • Datadog Type = Event Data / Log Summary (default) / Log Details (see more details below in the FAQ)
  • Datadog Site = com / eu. This is where you want your logs to be stored: either the US (com) or Europe (eu)
  • API Key = The key you created in the Datadog API key setup previously
  • Alert Severity = Which type of alerts you want to send to the Datadog integration
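Before pasting the key into the Lacework form, it can be checked against the Datadog site you plan to select. The script below is an added example, not part of the Lacework or Datadog documentation; it uses Datadog's `GET /api/v1/validate` endpoint, and it assumes the usual key shapes (32 hex characters for an API key, 40 for an Application key) and a `DD_API_KEY` environment variable holding the key.

```python
import os
import re
import sys
import urllib.error
import urllib.request

# Datadog API hosts for the two "Datadog Site" values in the Lacework form.
API_HOSTS = {"com": "https://api.datadoghq.com", "eu": "https://api.datadoghq.eu"}


def classify_key(key: str) -> str:
    """Guess the key type from its shape (assumed formats), without any network call."""
    key = key.strip()
    if re.fullmatch(r"[0-9a-f]{32}", key):
        return "api"          # 32 hex characters: API key
    if re.fullmatch(r"[0-9a-f]{40}", key):
        return "application"  # 40 hex characters: Application key, wrong type here
    return "unknown"


def build_validate_request(key: str, site: str) -> urllib.request.Request:
    """Build the GET /api/v1/validate request for the chosen site."""
    if site not in API_HOSTS:
        raise ValueError(f"site must be one of {sorted(API_HOSTS)}")
    return urllib.request.Request(
        f"{API_HOSTS[site]}/api/v1/validate",
        headers={"DD-API-KEY": key.strip()},
    )


def key_is_valid(key: str, site: str, timeout: float = 10.0) -> bool:
    """True if Datadog accepts the key on that site, False if it answers 403."""
    req = build_validate_request(key, site)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status == 200
    except urllib.error.HTTPError as err:
        if err.code == 403:
            return False
        raise


if __name__ == "__main__":
    site = sys.argv[1] if len(sys.argv) > 1 else "com"
    key = os.environ["DD_API_KEY"]  # read from the environment, not from argv
    kind = classify_key(key)
    if kind != "api":
        sys.exit(f"key looks like type '{kind}', expected an API key")
    print("valid" if key_is_valid(key, site) else f"rejected by site '{site}'")
```

A key created in a US organization is rejected when checked against `eu`, and the reverse, so a rejection for a key you just created usually means the Datadog Site value is wrong.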

Below is an example of a completed integration setup:

 


 

Section 3: Viewing the Lacework Data in the Datadog Dashboard

To view the data that Lacework is sending, set up monitors, query the data, or set up dashboards, log in to the Datadog UI and click on Logs and Search. Within this screen, you should see a new source called Lacework. Select it to view the Lacework logs on the right-hand side of the screen:

 


 

The log data shows the JSON output of the Lacework alerts, and when viewing detailed alerts, you can see all the information from the alert itself, just like in the Lacework UI. The alert also contains links to the Lacework dashboard in case more triage is needed.

 


 

 

For additional information or assistance on the integration please contact Lacework or Datadog support, or view the Datadog integration page.

 


FAQs About the Lacework and Datadog Integration

If you have a Datadog license for logs, you get the most functionality from this integration, because you can index, search, add monitors, rehydrate, create dashboards and perform other critical functions with the data. If you do not have a license, you will only be able to view data in the event stream.

We recommend sending all detailed data. You will receive a much higher level of fidelity and log detail, but if you want to trim the volume, you can send just a summary.
