Ingesting events using Datadog
Ingesting webhook events into Datadog SIEM consists of the following steps:
Create a Datadog API key
Set up a Datadog API client to send events to Datadog
Create a webhook in the Push app that points to the Datadog API client
Datadog provides API clients in multiple languages such as Python, Rust, and TypeScript. The example in this documentation uses the Python API client.
Create a Datadog API key
1. Head to your Datadog admin console and click on your account name in the bottom left corner. Under Organization Settings, choose API Keys.
2. Click on New Key in the top right corner, provide a descriptive name, and click on Create Key.
3. Then copy the API key and store it somewhere safe, and select Finish.
Set up a Datadog API client to send events to Datadog
Note that your environment and needs may differ from the example we use in this guide. The main requirements are that you need to provide a publicly reachable URL for the Push platform to send webhook events to, and you need the Datadog API client to handle the requests.
At Push, we handle this with an AWS Lambda function, but you should be able to adjust the example code and use it within your preferred environment.
import json
import os
import logging

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.logs_api import LogsApi
from datadog_api_client.v2.model.http_log import HTTPLog
from datadog_api_client.v2.model.http_log_item import HTTPLogItem

logger = logging.getLogger()


def lambda_handler(event, context):
    # Entry point for the Lambda function URL (HTTP API v2 event shape)
    if (
        event["requestContext"]["http"]["method"] == "POST"
        and event["requestContext"]["http"]["path"] == "/"
    ):
        json_obj = json.loads(event["body"])

        # Multiply the timestamp value to convert into millisecond format.
        # Datadog expects milliseconds, or else it may discard the event.
        # A 10-digit value is a UNIX epoch timestamp in seconds.
        if len(str(json_obj["timestamp"])) == 10:
            json_obj["timestamp"] = json_obj["timestamp"] * 1000

        body = HTTPLog(
            [
                HTTPLogItem(
                    ddtags="",
                    message=json.dumps(json_obj),
                    service="pushsecurity",
                ),
            ]
        )

        configuration = Configuration()
        # "datadoghq.eu" or "datadoghq.com" depending on your tenant
        configuration.server_variables["site"] = "datadoghq.eu"
        # Read the API key from the Lambda environment instead of hardcoding it
        # in the source (the variable name DD_API_KEY is this guide's own choice)
        configuration.api_key["apiKeyAuth"] = os.environ["DD_API_KEY"]

        with ApiClient(configuration) as api_client:
            api_instance = LogsApi(api_client)
            response = api_instance.submit_log(body=body)

        # The request was accepted when Datadog answers 202 with an empty JSON body
        if response == {}:
            logger.debug("Successfully received by Datadog: %s", response)
            return {"statusCode": 202}
        logger.error("Failed to send to Datadog: %s", response)
        return {"statusCode": 502}

    logger.warning("Unexpected request format, ignoring")
    return {"statusCode": 400}
Essentially, the code takes the JSON data provided by the webhook event, converts the timestamp field to milliseconds because Datadog expects UNIX epoch timestamps in milliseconds, and ships it off to Datadog. Don’t forget to set your Datadog site and API key variables.
Keep the URL of your API client handy, as you’ll be using it in the next step!
Once you’re set up, the client should be ready to start receiving webhook events from Push.
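The request check and timestamp conversion above are the parts of the handler most likely to misbehave on real input (float or string timestamps, an empty or non-JSON body, a stray GET probe). The following is an added example, not Push's or Datadog's code, that isolates that logic in a pure function so it can be unit-tested without the Datadog client; the event shape is the Lambda function URL (HTTP API v2) payload, and the sample body is constructed.

```python
import json

# Constructed sample of a Lambda function-URL event carrying a Push webhook body
SAMPLE_EVENT = {
    "requestContext": {"http": {"method": "POST", "path": "/"}},
    "body": json.dumps({"id": "evt-1", "timestamp": 1700000000, "category": "finding"}),
}


def to_epoch_millis(ts):
    """Normalise a UNIX timestamp to integer milliseconds.

    Accepts ints, floats or numeric strings in either seconds or milliseconds.
    A magnitude threshold is used instead of string length so that floats and
    strings are handled; non-numeric or negative input raises ValueError.
    """
    if isinstance(ts, bool):
        raise ValueError("timestamp must be numeric")
    value = float(ts)
    if value < 0:
        raise ValueError("timestamp must not be negative")
    # Values below 1e11 cannot be milliseconds of any plausible date, so treat as seconds
    if value < 1e11:
        value *= 1000
    return int(round(value))


def prepare_log_payload(event):
    """Validate the inbound request and return the dict that becomes the
    HTTPLogItem message, or None when the request should be ignored."""
    http = event.get("requestContext", {}).get("http", {})
    if http.get("method") != "POST" or http.get("path") != "/":
        return None
    try:
        body = json.loads(event.get("body") or "")
    except json.JSONDecodeError:
        return None
    if not isinstance(body, dict) or "timestamp" not in body:
        return None
    try:
        body["timestamp"] = to_epoch_millis(body["timestamp"])
    except (TypeError, ValueError):
        return None
    return body
```

In the handler, `json.dumps(prepare_log_payload(event))` would replace the inline parsing and the 10-digit check, and a `None` result maps to the "ignoring" branch.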
Create a webhook in Push
Finally, go to the Push admin console to add a webhook and paste in the URL of your Datadog API client.
Refer to the Generic setup steps for SIEM or SOAR for instructions.