...
Datadog is the essential monitoring and security platform for cloud applications. It brings together end-to-end traces, metrics, and logs to make your applications, infrastructure, and third-party services entirely observable. These capabilities help businesses secure their systems, avoid downtime, and ensure customers are getting the best user experience.
Connect Datadog with Devo SOAR
Navigate to Automations > Integrations.
Search for Datadog.
Click Details, then the + icon. Enter the required information in the following fields.
Label: Enter a connection name.
Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com, where hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.
Verify SSL: Select this option to verify the connecting server's SSL certificate (Default is Verify SSL Certificate).
Remote Agent: Run this integration using the Devo SOAR Remote Agent.
App Key: App Key created in Datadog for this instance.
API Key: API key required for authentication to Datadog.
After you've entered all the details, click Connect.
Actions for Datadog
Get Security Signals
Fetches security signals that match a search query.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Query | Jinja-templated text containing search query for listing security signals (Default is '*'). Example: host:{{column_name}} | Required |
Sort | Sort order for the results. (Default is Chronological). | Required |
Limit | Limits the number of rows from the search. (Default is 100000). | Required |
Start time | Jinja-templated, ISO formatted minimum timestamp for requested security signals. Default is execution start time. Example: 2019-09-26T07:58:30.996+02:00. | Required |
End time | Jinja-templated, ISO formatted maximum timestamp for requested security signals. Default is execution end time. Example: 2019-09-26T07:58:30.996+02:00 | Required |
Output
Each row contains a JSON object of a Security Signal.
...
Search Logs
Fetches logs that match a log search query.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Query | Jinja-templated text containing the search query for listing logs (Default is '*'). Example: host:{{column_name}} | Required |
Index | Jinja-templated text containing comma-separated indices for logs (Default is '*'). Example: {{column_name}} | Required |
Sort | Sort order for the results. (Default is Chronological). | Required |
Limit | Limits the number of rows from the search. (Default is 100000). | Required |
Start time | Jinja-templated, ISO formatted minimum timestamp for requested logs. Default is execution start time. Example: 2019-09-26T07:58:30.996+02:00 | Required |
End time | Jinja-templated, ISO formatted maximum timestamp for requested logs. Default is execution end time. Example: 2019-09-26T07:58:30.996+02:00 | Required |
Output
Each row contains a JSON log object.
```json
{
  "attributes": {
    "attributes": {
      "hostname": "fa1e1e739d95"
    },
    "host": "fa1e1e739d95",
    "message": "hello world",
    "status": "info",
    "tags": [
      "source:agent",
      "env:prod",
      "env:prod",
      "user:joe.doe",
      "source:agent"
    ],
    "timestamp": "2021-02-16T02:30:46.022Z"
  },
  "error": null,
  "has_error": false,
  "id": "AQAAAXeorQAGojnJQQAAAABBWGVvclFBR0FBQlN1SEhvQmNsZDhBQUE",
  "type": "log"
}
```
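The Get Security Signals and Search Logs actions both take an ISO-formatted Start time / End time window and return one JSON object per row. The following is an added example, not code from Devo SOAR or Datadog: it normalises a Search Logs row (collapsing the duplicated `key:value` tags into a lookup, parsing the timestamp, and refusing rows that carry `has_error`) and produces a Start time / End time pair in the same millisecond-plus-offset format the actions' examples use. The sample row is constructed to match the output shape shown above; the `time_window` helper and its "minutes back from end" convention are this example's own choice.

```python
"""Added example: normalise Search Logs rows and build the action's time window.
Not part of the Devo SOAR or Datadog documentation."""
import json
from datetime import datetime, timedelta

# Constructed sample row, shaped like the Search Logs output above.
# The duplicated tags are deliberate: agents do emit them.
SAMPLE_ROW = json.loads("""
{
  "attributes": {
    "attributes": {"hostname": "fa1e1e739d95"},
    "host": "fa1e1e739d95",
    "message": "hello world",
    "status": "info",
    "tags": ["source:agent", "env:prod", "env:prod", "user:joe.doe", "source:agent"],
    "timestamp": "2021-02-16T02:30:46.022Z"
  },
  "error": null,
  "has_error": false,
  "id": "AQAAAXeorQAGojnJQQAAAABBWGVvclFBR0FBQlN1SEhvQmNsZDhBQUE",
  "type": "log"
}
""")


def parse_tags(tags):
    """Turn Datadog "key:value" tags into {key: sorted unique values}.
    A tag without a colon is kept under the empty-string key."""
    out = {}
    for tag in tags:
        key, sep, value = tag.partition(":")
        if not sep:
            key, value = "", tag
        out.setdefault(key, set()).add(value)
    return {k: sorted(v) for k, v in out.items()}


def parse_log_row(row):
    """Flatten one Search Logs row into the fields an analyst keys on.
    Rows flagged with has_error are rejected instead of silently parsed."""
    if row.get("has_error"):
        raise ValueError(f"row {row.get('id')} carries error: {row.get('error')}")
    attrs = row["attributes"]
    # fromisoformat on older Pythons does not accept a trailing "Z".
    ts = datetime.fromisoformat(attrs["timestamp"].replace("Z", "+00:00"))
    return {
        "id": row["id"],
        "host": attrs.get("host") or attrs.get("attributes", {}).get("hostname"),
        "status": attrs.get("status"),
        "message": attrs.get("message", ""),
        "tags": parse_tags(attrs.get("tags", [])),
        "timestamp": ts,
    }


def time_window(end_iso, minutes):
    """Return (Start time, End time) strings for the action inputs, in the
    millisecond-precision, numeric-offset form used in the examples above.
    `minutes` is how far back from `end_iso` the window reaches (this
    example's own convention)."""
    end = datetime.fromisoformat(end_iso.replace("Z", "+00:00"))
    if end.tzinfo is None:
        raise ValueError("End time must carry a UTC offset")
    start = end - timedelta(minutes=minutes)
    return (start.isoformat(timespec="milliseconds"),
            end.isoformat(timespec="milliseconds"))


if __name__ == "__main__":
    print(json.dumps(parse_log_row(SAMPLE_ROW), default=str, indent=2))
    print(time_window("2019-09-26T07:58:30.996+02:00", 15))
```

Because the actions default Start time and End time to the execution window, a playbook that re-runs for a backfill should pass an explicit window from `time_window` rather than rely on the defaults, otherwise the re-run silently queries the wrong period.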
Create an Incident
Create an incident. This endpoint requires the incident_write authorization scope.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Attributes | Jinja-templated JSON containing attributes of the incident. Example: '{"title": "Example-title","customer_impacted": false,"fields": {"state": {"type": "dropdown","value": "resolved"}}}' | Required |
Relationships | Jinja-templated JSON containing relationships of the incident. Example: '{"commander_user": {"data": {"type": "users","id": "29afasdf6-b738-11ed-bb14-6aasdfasdf39"}}}' | Optional |
Output
JSON containing the following items:
...
List Incidents
Get all incidents for the user's organization. This endpoint requires the incident_read authorization scope.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Additional Params | Jinja-templated JSON containing params to be passed in the request. Example: '{"page[size]": 2,"page[offset]": 3}' | Optional |
Output
JSON containing the following items:
```json
{
  "data": [
    {
      "type": "incidents",
      "id": "aca3b9a2-012b-506d-b2e1-8ee48b2dca87",
      "attributes": {
        "public_id": 1,
        "title": "Example-Create_an_incident_returns_CREATED_response",
        "resolved": null,
        "customer_impact_scope": null,
        "customer_impact_start": null,
        "customer_impact_end": null,
        "customer_impacted": false,
        "notification_handles": null,
        "last_modified_by_uuid": "af292796-b738-11ed-bb14-6a6fc077be39",
        "created": "2023-02-28T09:58:26.388721+00:00",
        "modified": "2023-02-28T09:58:26.388721+00:00",
        "detected": "2023-02-28T09:58:26.378626+00:00",
        "created_by_uuid": "af292796-b738-11ed-bb14-6a6fc077be39",
        "creation_idempotency_key": null,
        "customer_impact_duration": 0,
        "time_to_detect": 0,
        "time_to_repair": 0,
        "time_to_internal_response": 0,
        "time_to_resolve": 0,
        "fields": {
          "severity": {"type": "dropdown", "value": "UNKNOWN"},
          "state": {"type": "dropdown", "value": "resolved"},
          "detection_method": {"type": "dropdown", "value": "unknown"},
          "root_cause": {"type": "textbox", "value": null},
          "summary": {"type": "textbox", "value": null},
          "services": {"type": "autocomplete", "value": null},
          "teams": {"type": "autocomplete", "value": null}
        },
        "field_analytics": null,
        "severity": "UNKNOWN",
        "state": "resolved",
        "non_datadog_creator": null,
        "visibility": "organization",
        "case_id": null
      },
      "relationships": {
        "created_by_user": {"data": {"type": "users", "id": "af292796-b738-11ed-bb14-6a6fc077be39"}},
        "last_modified_by_user": {"data": {"type": "users", "id": "af292796-b738-11ed-bb14-6a6fc077be39"}},
        "commander_user": {"data": {"type": "users", "id": "af292796-b738-11ed-bb14-6a6fc077be39"}},
        "user_defined_fields": {
          "data": [
            {"type": "user_defined_field", "id": "766d5d3c-58a1-503c-97de-25a7e884504d"},
            {"type": "user_defined_field", "id": "ee92e695-107e-5700-8d7e-4815ceec9923"},
            {"type": "user_defined_field", "id": "e51285b5-6210-51d2-8d39-8a74312c1307"},
            {"type": "user_defined_field", "id": "6f8e7b10-3190-5426-8bd7-ad105b9b27ab"},
            {"type": "user_defined_field", "id": "cb3aa49a-b0b0-515c-bbb1-e2fa57a69a4d"},
            {"type": "user_defined_field", "id": "35ee9427-1441-5814-8c05-f8df176227c1"},
            {"type": "user_defined_field", "id": "cfd4e544-c64a-5ccc-b412-a2ec6f7ac981"}
          ]
        },
        "integrations": {"data": []},
        "attachments": {"data": []},
        "responders": {
          "data": [
            {"type": "incident_responders", "id": "a2cfc337-45fc-5490-aeed-54e8e34f4f70"}
          ]
        },
        "impacts": {"data": []}
      }
    }
  ],
  "meta": {
    "pagination": {"offset": 0, "next_offset": 5, "size": 5}
  },
  "error": null,
  "has_error": false
}
```
Get Incident Details
Get the details of an incident by incident_id. This endpoint requires the incident_read authorization scope.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Incident Id | Jinja-templated text containing the incident Id. Example: 'asdfasfeaw-awef-awef-asdfasdf' | Required |
Output
JSON containing the following items:
...
Delete an Incident
Deletes an existing incident from the user's organization. This endpoint requires the incident_write authorization scope.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Incident Id | Jinja-templated text containing the incident Id. Example: 'asdfasfeaw-awef-awef-asdfasdf' | Required |
Output
JSON containing the following items:
```json
{
  "message": "Incident deleted successfully",
  "error": null,
  "has_error": false
}
```
Update an Incident
Updates an incident. Provide only the attributes that should be updated as this request is a partial update. This endpoint requires the incident_write authorization scope.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Incident Id | Jinja-templated text containing the incident Id. Example: 'asdfasfeaw-awef-awef-asdfasdf' | Required |
Incident | Jinja-templated JSON containing body of the request. Example: '{"data": {"type": "incidents","attributes": {"title": "Example-Create_an_incident_returns_CREATED_response","customer_impacted": false,"fields": {"state": {"type": "dropdown","value": "resolved"}}},"relationships": {"commander_user": {"data": {"type": "users","id": "af292796-b738-11ed-bb14-6a6fc077be39"}}}}}' | Required |
Output
JSON containing the following items:
...
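Create an Incident takes its Attributes and Relationships as two separate JSON inputs, while Update an Incident takes a single `{"data": ...}` body and is a partial update, so only changed attributes should be sent. The following is an added example, not code from Devo SOAR or Datadog: it assembles the create body from the two inputs and derives the minimal update body by diffing a current incident record (in the shape List Incidents returns) against the desired values. The `ALLOWED_ATTRIBUTES` allowlist is this example's own deny-by-default choice, drawn from the attributes the page's examples use; the incident id in the sample is a placeholder.

```python
"""Added example: build Create an Incident / Update an Incident bodies.
Not part of the Devo SOAR or Datadog documentation."""
import json

# Constructed: a current incident as List Incidents returns it, trimmed to
# the fields used here. The id is a placeholder, not a real incident.
CURRENT_INCIDENT = {
    "type": "incidents",
    "id": "PLACEHOLDER-INCIDENT-ID",
    "attributes": {
        "title": "Example-title",
        "customer_impacted": False,
        "fields": {
            "severity": {"type": "dropdown", "value": "UNKNOWN"},
            "state": {"type": "dropdown", "value": "active"},
            "summary": {"type": "textbox", "value": None},
        },
    },
}

# Assumption of this example: only attributes the page's examples use are
# forwarded; anything else in a templated input is rejected, not passed on.
ALLOWED_ATTRIBUTES = {"title", "customer_impacted", "fields"}


def build_create_body(attributes_json, relationships_json=None):
    """Combine the rendered Attributes and Relationships inputs into the
    {"data": {...}} envelope the Create an Incident action sends."""
    attributes = json.loads(attributes_json)
    unknown = set(attributes) - ALLOWED_ATTRIBUTES
    if unknown:
        raise ValueError(f"unsupported incident attributes: {sorted(unknown)}")
    if not attributes.get("title"):
        raise ValueError("title is required")
    data = {"type": "incidents", "attributes": attributes}
    if relationships_json:
        data["relationships"] = json.loads(relationships_json)
    return {"data": data}


def build_partial_update(current, desired_attributes):
    """Return an Update an Incident body holding only the attributes, and
    within `fields` only the individual fields, that differ from `current`.
    Returns None when nothing would change, so the caller can skip the call."""
    cur_attrs = current["attributes"]
    changed = {}
    for key, value in desired_attributes.items():
        if key == "fields":
            cur_fields = cur_attrs.get("fields", {})
            diff = {name: f for name, f in value.items() if cur_fields.get(name) != f}
            if diff:
                changed["fields"] = diff
        elif cur_attrs.get(key) != value:
            changed[key] = value
    if not changed:
        return None
    # Matches the page's Update example: the id travels in the Incident Id
    # input, not inside the body.
    return {"data": {"type": "incidents", "attributes": changed}}


if __name__ == "__main__":
    print(json.dumps(build_create_body(
        '{"title": "Example-title","customer_impacted": false,'
        '"fields": {"state": {"type": "dropdown","value": "resolved"}}}'), indent=2))
    print(json.dumps(build_partial_update(
        CURRENT_INCIDENT,
        {"title": "Example-title",
         "fields": {"state": {"type": "dropdown", "value": "resolved"}}}), indent=2))
```

Diffing before the update keeps the audit trail honest: Datadog records `modified` and `last_modified_by_uuid` on every write, and resending unchanged attributes makes it look as though the automation touched fields it did not.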
List Attachments
Get all attachments for a given incident. This endpoint requires the incident_read authorization scope.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Incident Id | Jinja-templated text containing the incident Id. Example: 'asdfasfeaw-awef-awef-asdfasdf' | Required |
Output
JSON containing the following items:
```json
{
  "data": [
    {
      "type": "incident_attachments",
      "id": "5062eaab-e856-5c60-a514-bcf3a1f3d6f0",
      "attributes": {
        "modified": "2023-03-07T09:36:47.656548+00:00",
        "attachment_type": "link",
        "attachment": {
          "title": "Example-Create_an_incident_attachment_returns_OK_response",
          "documentUrl": "https://docs.google.com/spreadsheets/d/1R1C1Lx_0ELE3xc"
        }
      },
      "relationships": {
        "last_modified_by_user": {"data": {"type": "users", "id": "af292796-b738-11ed-bb14-6a6fc077be39"}}
      }
    }
  ],
  "error": null,
  "has_error": false
}
```
Create, Update, and Delete Incident Attachments
The bulk update endpoint for creating, updating, and deleting attachments for a given incident.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Incident Id | Jinja-templated text containing the incident Id. Example: 'asdfasfeaw-awef-awef-asdfasdf' | Required |
Attachment Details | Jinja-templated JSON whose data key is an array of incident attachments. An attachment object without an "id" key indicates that you want to create that attachment. An attachment object without an "attributes" key indicates that you want to delete that attachment. An attachment object with both the "id" key and a populated "attributes" object indicates that you want to update that attachment. Example: '{"data": [{"type": "incident_attachments","attributes": {"attachment_type": "link/postmortem","attachment": {"documentUrl": "https://www.example.com/doc","title": "Example-Create_an_incident_attachment_returns_OK_response"}}}]}' | Optional |
Output
JSON containing the following items:
...
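Because this one endpoint creates, updates and deletes depending only on which keys each object carries, a templating mistake (an attributes block that rendered empty, say) can turn an intended update into a delete. The following is an added example, not code from Devo SOAR or Datadog: it classifies every object in the Attachment Details `data` array by the rule stated above, rejects objects that fit none of the three shapes, and summarises the plan so a playbook can gate on it before sending. The sample body and its ids are constructed placeholders; the `https://` requirement on `documentUrl` and the allowed `attachment_type` values (`link` and `postmortem`, the two the page names) are this example's own checks.

```python
"""Added example: classify and validate an Attachment Details body before
calling the bulk attachments endpoint. Not Devo SOAR or Datadog code."""
import json

# Constructed sample: one create, one update, one delete, and one malformed
# object (id present but attributes empty). Ids are placeholders.
SAMPLE_BODY = json.loads("""
{"data": [
  {"type": "incident_attachments",
   "attributes": {"attachment_type": "link",
                  "attachment": {"documentUrl": "https://www.example.com/doc",
                                 "title": "runbook"}}},
  {"type": "incident_attachments", "id": "PLACEHOLDER-ATTACHMENT-1",
   "attributes": {"attachment_type": "postmortem",
                  "attachment": {"documentUrl": "https://www.example.com/doc-v2",
                                 "title": "runbook v2"}}},
  {"type": "incident_attachments", "id": "PLACEHOLDER-ATTACHMENT-2"},
  {"type": "incident_attachments", "id": "PLACEHOLDER-ATTACHMENT-3", "attributes": {}}
]}
""")

# The two attachment types the page's example names ("link/postmortem").
VALID_TYPES = {"link", "postmortem"}


def classify_attachment(obj):
    """Return (operation, problem). operation is one of create / update /
    delete / invalid; problem is None unless the object is invalid."""
    if obj.get("type") != "incident_attachments":
        return "invalid", "type must be incident_attachments"
    has_id = "id" in obj
    has_attrs = "attributes" in obj
    if has_attrs and not obj["attributes"]:
        # Present-but-empty attributes would otherwise be sent as an update
        # with nothing in it; treat it as an error, never as a delete.
        return "invalid", "attributes present but empty"
    if has_attrs:
        attrs = obj["attributes"]
        if attrs.get("attachment_type") not in VALID_TYPES:
            return "invalid", "unknown attachment_type"
        url = attrs.get("attachment", {}).get("documentUrl", "")
        if not url.startswith("https://"):          # example's own policy
            return "invalid", "documentUrl must be https"
        return ("update" if has_id else "create"), None
    if has_id:
        return "delete", None
    return "invalid", "object has neither id nor attributes"


def plan_bulk_update(body):
    """Split the data array into {"create": [...], "update": [...],
    "delete": [...]}; raise on any malformed object so a single bad row
    cannot slip through as an unintended operation."""
    plan = {"create": [], "update": [], "delete": []}
    problems = []
    for i, obj in enumerate(body.get("data", [])):
        op, why = classify_attachment(obj)
        if op == "invalid":
            problems.append(f"data[{i}]: {why}")
        else:
            plan[op].append(obj)
    if problems:
        raise ValueError("; ".join(problems))
    return plan


def plan_summary(body):
    """Per-operation counts, e.g. for an approval step before any delete."""
    return {op: len(items) for op, items in plan_bulk_update(body).items()}


if __name__ == "__main__":
    try:
        print(plan_summary(SAMPLE_BODY))
    except ValueError as exc:
        print("rejected:", exc)
    print(plan_summary({"data": SAMPLE_BODY["data"][:3]}))
```

A playbook can call `plan_summary` on the rendered input and require a manual approval whenever the `delete` count is non-zero, which keeps an attachment removal from riding along unnoticed with routine link updates.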
List Users
Get the list of all users in the organization. This list includes all users, even if they are deactivated or unverified. This endpoint requires the user_access_read authorization scope.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Additional Params | Jinja-templated JSON containing params to be passed in the request. Example: '{"page[size]": 2,"page[offset]": 3,"filter[status]": "Disabled"}' | Optional |
Output
JSON containing the following items:
```json
{
  "included": [
    {
      "type": "permissions",
      "id": "c13a2368-7d61-11ed-b5b7-da7ad0900002",
      "attributes": {
        "name": "continuous_profiler_read",
        "display_name": "Continuous Profiler Read",
        "description": "View data in Continuous Profiler.",
        "created": "2022-12-16T16:50:32.545882+00:00",
        "group_name": "APM",
        "display_type": "read",
        "restricted": false
      }
    }
  ],
  "data": [
    {
      "type": "users",
      "id": "af292796-b738-11ed-bb14-6asdfasdf",
      "attributes": {
        "name": "Sumit yadav",
        "handle": "sumit.yadav@logichub.com",
        "created_at": "2023-02-28T07:22:40.312284+00:00",
        "modified_at": "2023-02-28T07:22:40.316250+00:00",
        "email": "sumit.yadav@logichub.com",
        "icon": "https://secure.gravatar.com/avatar/0902013a35e2d0dfd135f189fbc25532?s=48&d=retro",
        "title": null,
        "verified": true,
        "service_account": false,
        "disabled": false,
        "allowed_login_methods": [],
        "status": "Active"
      },
      "relationships": {
        "roles": {"data": [{"type": "roles", "id": "aef1c858-b738-11ed-bdbf-da7ad0900002"}]},
        "org": {"data": {"type": "orgs", "id": "aee0c5b2-b738-11ed-84b1-da7ad0900002"}}
      }
    }
  ],
  "has_error": false,
  "meta": {
    "page": {"total_count": 1, "total_filtered_count": 1}
  },
  "error": null
}
```
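List Incidents and List Users both page through results via `page[size]` / `page[offset]` in Additional Params, but report progress differently: List Incidents returns `meta.pagination.next_offset`, List Users returns `meta.page.total_count` / `total_filtered_count`. The following is an added example, not code from Devo SOAR or Datadog: given the response of one page and the Additional Params that fetched it, it computes the Additional Params for the next page (or `None` when the run is complete), so a playbook loop that enumerates every incident or every user terminates instead of re-fetching the last page forever. The sample responses are constructed in the shape of the two outputs above with placeholder ids; treating a page shorter than `page[size]` as the final one is this example's assumption.

```python
"""Added example: compute the next Additional Params for the paginated
List Incidents / List Users actions. Not Devo SOAR or Datadog code."""
import json

# Constructed samples shaped like the two outputs above (trimmed; placeholder ids).
INCIDENTS_PAGE = {
    "data": [{"type": "incidents", "id": f"PLACEHOLDER-{i}"} for i in range(5)],
    "meta": {"pagination": {"offset": 0, "next_offset": 5, "size": 5}},
    "error": None, "has_error": False,
}
USERS_PAGE = {
    "data": [{"type": "users", "id": f"PLACEHOLDER-{i}"} for i in range(2)],
    "meta": {"page": {"total_count": 7, "total_filtered_count": 5}},
    "error": None, "has_error": False,
}


def _as_dict(params):
    """Additional Params arrives as a JSON string from the template, but a
    dict is accepted too so the helper composes with earlier results."""
    return json.loads(params) if isinstance(params, str) else dict(params or {})


def next_params(response, current_params):
    """Return the Additional Params (as a dict) for the page after the one
    in `response`, or None when that page was the last one."""
    if response.get("has_error"):
        raise RuntimeError(f"action failed: {response.get('error')}")
    params = _as_dict(current_params)
    data = response.get("data") or []
    size = int(params.get("page[size]") or len(data) or 0)
    offset = int(params.get("page[offset]", 0))
    if size == 0:
        return None                       # nothing fetched, nothing to continue
    meta = response.get("meta") or {}
    if "pagination" in meta:              # List Incidents shape
        # Assumption: a page shorter than page[size] is the final page.
        if len(data) < size:
            return None
        offset = int(meta["pagination"].get("next_offset", offset + size))
    elif "page" in meta:                  # List Users shape
        page = meta["page"]
        total = int(page.get("total_filtered_count", page.get("total_count", 0)))
        offset += size
        if offset >= total:
            return None
    else:
        return None                       # unknown shape: stop rather than loop
    params["page[offset]"] = offset
    params["page[size]"] = size
    return params


def next_params_json(response, current_params):
    """Same as next_params, serialised for the Additional Params input."""
    nxt = next_params(response, current_params)
    return None if nxt is None else json.dumps(nxt)


if __name__ == "__main__":
    print(next_params_json(INCIDENTS_PAGE, '{"page[size]": 5, "page[offset]": 0}'))
    print(next_params_json(USERS_PAGE, '{"page[size]": 2, "page[offset]": 0}'))
    print(next_params_json(USERS_PAGE, '{"page[size]": 2, "page[offset]": 4}'))
```

Any filter keys already in Additional Params (such as the `filter[status]` in the List Users example) are carried over unchanged, since the dict is copied rather than rebuilt, so a filtered enumeration stays filtered on every page.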
Release Notes
v2.1.2
- Added 8 new actions: Create an Incident, List Incidents, Get Incident Details, Delete an Incident, Update an Incident, List Attachments, Create, Update, and Delete Incident Attachments, and List Users.
v2.0.0
- Updated architecture to support IO via filesystem
...