The Datadog integration provides a unified view of your metrics, logs, and performance data combined with your cloud security data.
Follow the procedures described below to integrate Lacework and Datadog.
Create an API Key in Datadog for Lacework
Integrating Lacework and Datadog requires you to create an API key in Datadog. Ensure you create an API key, not an application key.
- Log in to the Datadog interface and navigate to Integrations > APIs.
You can also connect to https://app.datadoghq.com/account/settings#api.
- Click API Keys.
- At the bottom of the section, add the name for the new API key.
- Click Create API Key.
This adds the new API key to the list.
- Move your cursor over the purple area to reveal the API key. This is what you provide as input in the Lacework Console.
For additional information about Datadog, refer to their documentation: https://docs.datadoghq.com/account_management/api-app-keys/.
Set Up the Datadog Integration in Lacework
After you have a Datadog API key, you can create an integration in Lacework. You can have as many integrations as needed but it is best to have a unique Datadog API key for each.
- Log in to the Lacework Console with a Lacework user that has administrative privileges.
- Select Settings > Integrations.
- Under OUTGOING, select Datadog.
- Click + Add Integration.
- Complete the fields:
- Name: Enter a unique name for the integration.
- Datadog Service: Select Logs Detail (default), Logs Summary, or Events Summary. See additional information about which service to select.
- Datadog Site: Select com or eu. This is where you want to store your logs, either the US or Europe.
- API Key: Enter the API key that you created previously. This is required to submit metrics and events to Datadog.
- Alert Severity Level: Select a severity level threshold for Lacework to forward. The default is all alerts.
- Click Save.
Select a Datadog Service to Use
If you have a Datadog license for logs, then you get the most functionality from the integration because you can index, search, add monitors, rehydrate, create dashboards, and perform other critical functions with the data. If you do not have a license for logs, then you can only view data in the event stream.
Summary vs. Detailed Data
Lacework recommends sending all detailed data because this results in higher-level log fidelity and details. If you want to trim data, however, you can send the summary.
View Lacework Data in the Datadog Dashboard
To view data that Lacework sends, query the sent data, and set up monitors or dashboards you must log in to the Datadog Dashboard and then click the logs and search. That screen should display a new source called Lacework. If you choose to view Lacework logs by selecting and viewing on the screen's right side they should resemble this example:
The log data shows the JSON output of Lacework alerts. When viewing detailed alerts, you can see all information from the alert itself as you can in the Lacework Console. Inside the alert there are also links to the Lacework dashboard if more triage is needed.