
Datadog is the essential monitoring and security platform for cloud applications. It brings together end-to-end traces, metrics, and logs to make your applications, infrastructure, and third-party services entirely observable. These capabilities help businesses secure their systems, avoid downtime, and ensure customers are getting the best user experience.

## Connect Datadog with Devo SOAR

  1. Navigate to Automations > Integrations.
  2. Search for Datadog.
  3. Click Details, then the + icon. Enter the required information in the following fields:
     • Label: Enter a connection name.
     • Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com, where hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.
     • Verify SSL: Select this option to verify the connecting server's SSL certificate (default is Verify SSL Certificate).
     • Remote Agent: Run this integration using the Devo SOAR Remote Agent.
     • App Key: App Key created in Datadog for this instance.
     • API Key: API key required for authentication to Datadog.
  4. After you've entered all the details, click Connect.

## Actions for Datadog

## Get Security Signals

Fetches security signals that match a search query.

### Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name | Description | Required |
| :--------- | :---------- | :------- |
| Query | [Jinja-templated](doc:jinja-template) text containing the search query for listing security signals (Default is '\*'). Example: host:{{column_name}} | Required |
| Sort | Sort order for the results. (Default is Chronological). | Required |
| Limit | Limits the number of rows from the search. (Default is 100000). | Required |
| Start time | [Jinja-templated](doc:jinja-template), ISO formatted minimum timestamp for requested security signals. Default is execution start time. Example: 2019-09-26T07:58:30.996+02:00 | Required |
| End time | [Jinja-templated](doc:jinja-template), ISO formatted maximum timestamp for requested security signals. Default is execution end time. Example: 2019-09-26T07:58:30.996+02:00 | Required |

### Output

Each row contains a JSON object of a Security Signal.

## Search Logs

Fetches logs that match a log search query.

### Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name | Description | Required |
| :--------- | :---------- | :------- |
| Query | [Jinja-templated](doc:jinja-template) text containing the search query for listing logs (Default is '\*'). Example: host:{{column_name}} | Required |
| Index | [Jinja-templated](doc:jinja-template) text containing comma-separated indices for logs (Default is '\*'). Example: {{column_name}} | Required |
| Sort | Sort order for the results. (Default is Chronological). | Required |
| Limit | Limits the number of rows from the search. (Default is 100000). | Required |
| Start time | [Jinja-templated](doc:jinja-template), ISO formatted minimum timestamp for requested logs. Default is execution start time. Example: 2019-09-26T07:58:30.996+02:00 | Required |
| End time | [Jinja-templated](doc:jinja-template), ISO formatted maximum timestamp for requested logs. Default is execution end time. Example: 2019-09-26T07:58:30.996+02:00 | Required |

### Output

Each row contains a JSON log object.


```json
{
   "attributes":{
      "attributes":{
         "hostname":"fa1e1e739d95"
      },
      "host":"fa1e1e739d95",
      "message":"hello world",
      "status":"info",
      "tags":[
         "source:agent",
         "env:prod",
         "env:prod",
         "user:joe.doe",
         "source:agent"
      ],
      "timestamp":"2021-02-16T02:30:46.022Z"
   },
   "error":null,
   "has_error":false,
   "id":"AQAAAXeorQAGojnJQQAAAABBWGVvclFBR0FBQlN1SEhvQmNsZDhBQUE",
   "type":"log"
}
```
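A playbook step that consumes Search Logs rows usually needs the row flattened and its tags de-duplicated (the sample above carries env:prod and source:agent twice), and it must not treat a row with has_error set as an empty but valid log. The following Python is an added example, not code from the integration or from Datadog; the sample row is constructed in the shape of the output above, and parse_timestamp, split_tags and normalize_log_row are hypothetical helper names.

```python
from datetime import datetime, timezone
from typing import Any, Dict, List, Set

# Constructed sample row in the shape of the Search Logs output above;
# not captured from a live Datadog account.
SAMPLE_ROW = {
    "attributes": {
        "attributes": {"hostname": "fa1e1e739d95"},
        "host": "fa1e1e739d95",
        "message": "hello world",
        "status": "info",
        "tags": ["source:agent", "env:prod", "env:prod", "user:joe.doe", "source:agent"],
        "timestamp": "2021-02-16T02:30:46.022Z",
    },
    "error": None,
    "has_error": False,
    "id": "AQAAAXeorQAGojnJQQAAAABBWGVvclFBR0FBQlN1SEhvQmNsZDhBQUE",
    "type": "log",
}


def parse_timestamp(value: str) -> datetime:
    """Parse the ISO 8601 timestamps found in the output.

    datetime.fromisoformat() only accepts a trailing 'Z' from Python 3.11 on,
    so the suffix is rewritten to '+00:00' first. The result is always
    timezone-aware; a value with no offset at all is assumed to be UTC.
    """
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    ts = datetime.fromisoformat(value)
    if ts.tzinfo is None:
        ts = ts.replace(tzinfo=timezone.utc)
    return ts


def split_tags(tags: List[str]) -> Dict[str, List[str]]:
    """Turn 'key:value' tags into a key -> sorted unique values map.

    Duplicates collapse; a tag without a colon is kept under its own name
    with an empty value so it is not silently dropped.
    """
    grouped: Dict[str, Set[str]] = {}
    for tag in tags:
        key, sep, val = tag.partition(":")
        grouped.setdefault(key, set()).add(val if sep else "")
    return {key: sorted(vals) for key, vals in grouped.items()}


def normalize_log_row(row: Dict[str, Any]) -> Dict[str, Any]:
    """Flatten one Search Logs row into the fields a downstream step needs.

    A row that reports has_error raises, so a failed fetch is never processed
    as if it were a benign, empty log.
    """
    if row.get("has_error"):
        raise ValueError(f"Search Logs row reported an error: {row.get('error')!r}")
    attrs = row["attributes"]
    ts = parse_timestamp(attrs["timestamp"])
    return {
        "id": row["id"],
        "host": attrs.get("host"),
        "status": attrs.get("status"),
        "message": attrs.get("message"),
        "timestamp_utc": ts.astimezone(timezone.utc).isoformat(),
        "tags": split_tags(attrs.get("tags", [])),
    }


if __name__ == "__main__":
    print(normalize_log_row(SAMPLE_ROW))
```

The same parse_timestamp handles the offset form the Start time and End time fields use (2019-09-26T07:58:30.996+02:00), so one helper covers both the action's inputs and its output.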

## Create an Incident

Create an incident. This endpoint requires the incident_write authorization scope.

### Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name | Description | Required |
| :--------- | :---------- | :------- |
| Attributes | [Jinja-templated](doc:jinja-template) JSON containing attributes of the incident. Example: '{"title": "Example-title","customer_impacted": false,"fields": {"state": {"type": "dropdown","value": "resolved"}}}' | Required |
| Relationships | [Jinja-templated](doc:jinja-template) JSON containing relationships of the incident. Example: '{"commander_user": {"data": {"type": "users","id": "29afasdf6-b738-11ed-bb14-6aasdfasdf39"}}}' | Optional |

### Output

JSON containing the following items:

## List Incidents

Get all incidents for the user’s organization. This endpoint requires the incident_read authorization scope.

### Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name        | Description                                                                                                                          | Required |
| :---------------- | :----------------------------------------------------------------------------------------------------------------------------------- | :------- |
| Additional Params | [Jinja-templated](doc:jinja-template) JSON containing params to be passed in request. Example: '{"page[size]": 2,"page[offset]": 3}' | Optional |

### Output

JSON containing the following items:


```json
{
   "data":[
      {
         "type":"incidents",
         "id":"aca3b9a2-012b-506d-b2e1-8ee48b2dca87",
         "attributes":{
            "public_id":1,
            "title":"Example-Create_an_incident_returns_CREATED_response",
            "resolved":null,
            "customer_impact_scope":null,
            "customer_impact_start":null,
            "customer_impact_end":null,
            "customer_impacted":false,
            "notification_handles":null,
            "last_modified_by_uuid":"af292796-b738-11ed-bb14-6a6fc077be39",
            "created":"2023-02-28T09:58:26.388721+00:00",
            "modified":"2023-02-28T09:58:26.388721+00:00",
            "detected":"2023-02-28T09:58:26.378626+00:00",
            "created_by_uuid":"af292796-b738-11ed-bb14-6a6fc077be39",
            "creation_idempotency_key":null,
            "customer_impact_duration":0,
            "time_to_detect":0,
            "time_to_repair":0,
            "time_to_internal_response":0,
            "time_to_resolve":0,
            "fields":{
               "severity":{
                  "type":"dropdown",
                  "value":"UNKNOWN"
               },
               "state":{
                  "type":"dropdown",
                  "value":"resolved"
               },
               "detection_method":{
                  "type":"dropdown",
                  "value":"unknown"
               },
               "root_cause":{
                  "type":"textbox",
                  "value":null
               },
               "summary":{
                  "type":"textbox",
                  "value":null
               },
               "services":{
                  "type":"autocomplete",
                  "value":null
               },
               "teams":{
                  "type":"autocomplete",
                  "value":null
               }
            },
            "field_analytics":null,
            "severity":"UNKNOWN",
            "state":"resolved",
            "non_datadog_creator":null,
            "visibility":"organization",
            "case_id":null
         },
         "relationships":{
            "created_by_user":{
               "data":{
                  "type":"users",
                  "id":"af292796-b738-11ed-bb14-6a6fc077be39"
               }
            },
            "last_modified_by_user":{
               "data":{
                  "type":"users",
                  "id":"af292796-b738-11ed-bb14-6a6fc077be39"
               }
            },
            "commander_user":{
               "data":{
                  "type":"users",
                  "id":"af292796-b738-11ed-bb14-6a6fc077be39"
               }
            },
            "user_defined_fields":{
               "data":[
                  {
                     "type":"user_defined_field",
                     "id":"766d5d3c-58a1-503c-97de-25a7e884504d"
                  },
                  {
                     "type":"user_defined_field",
                     "id":"ee92e695-107e-5700-8d7e-4815ceec9923"
                  },
                  {
                     "type":"user_defined_field",
                     "id":"e51285b5-6210-51d2-8d39-8a74312c1307"
                  },
                  {
                     "type":"user_defined_field",
                     "id":"6f8e7b10-3190-5426-8bd7-ad105b9b27ab"
                  },
                  {
                     "type":"user_defined_field",
                     "id":"cb3aa49a-b0b0-515c-bbb1-e2fa57a69a4d"
                  },
                  {
                     "type":"user_defined_field",
                     "id":"35ee9427-1441-5814-8c05-f8df176227c1"
                  },
                  {
                     "type":"user_defined_field",
                     "id":"cfd4e544-c64a-5ccc-b412-a2ec6f7ac981"
                  }
               ]
            },
            "integrations":{
               "data":[]
            },
            "attachments":{
               "data":[]
            },
            "responders":{
               "data":[
                  {
                     "type":"incident_responders",
                     "id":"a2cfc337-45fc-5490-aeed-54e8e34f4f70"
                  }
               ]
            },
            "impacts":{
               "data":[]
            }
         }
      }
   ],
   "meta":{
      "pagination":{
         "offset":0,
         "next_offset":5,
         "size":5
      }
   },
   "error":null,
   "has_error":false
}
```
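List Incidents and List Users both take page[size] and page[offset] in Additional Params and report meta.pagination in their output, so a playbook that needs every record has to drive the offset itself. The Python below is an added example, not code from the integration or from Datadog: fake_list_incidents is a constructed stand-in that serves three made-up incidents a page at a time in the shape of the output above, and iterate_pages and collect_incident_ids are hypothetical names. The stop rules (a short or empty page, a next_offset that does not advance, has_error, and a hard page cap) are my choices, picked so a misbehaving server cannot keep the playbook looping.

```python
from typing import Any, Callable, Dict, Iterator, List

# Constructed fixture in the shape of the List Incidents output; not from a live account.
FAKE_INCIDENTS = [
    {"type": "incidents", "id": f"incident-{n}", "attributes": {"public_id": n, "state": "active"}}
    for n in range(1, 4)
]


def fake_list_incidents(additional_params: Dict[str, Any]) -> Dict[str, Any]:
    """Stand-in for the List Incidents action.

    Honours page[size] / page[offset] from Additional Params and returns
    meta.pagination the way the sample output does.
    """
    size = int(additional_params.get("page[size]", 100))
    offset = int(additional_params.get("page[offset]", 0))
    chunk = FAKE_INCIDENTS[offset : offset + size]
    return {
        "data": chunk,
        "meta": {"pagination": {"offset": offset, "next_offset": offset + size, "size": size}},
        "error": None,
        "has_error": False,
    }


def iterate_pages(
    action: Callable[[Dict[str, Any]], Dict[str, Any]],
    page_size: int = 2,
    max_pages: int = 1000,
) -> Iterator[Dict[str, Any]]:
    """Yield every item across all pages returned by `action`.

    Stops on a page shorter than page_size (including an empty page) or on a
    next_offset that does not move forward, so a server that keeps advancing
    past the end cannot loop forever; max_pages is a second hard cap. A page
    with has_error set raises instead of being mistaken for the end of data.
    """
    offset = 0
    for _ in range(max_pages):
        page = action({"page[size]": page_size, "page[offset]": offset})
        if page.get("has_error"):
            raise RuntimeError(f"list action failed: {page.get('error')!r}")
        items = page.get("data") or []
        yield from items
        if len(items) < page_size:
            return
        pagination = page.get("meta", {}).get("pagination", {})
        next_offset = pagination.get("next_offset", offset + len(items))
        if next_offset <= offset:
            return
        offset = next_offset
    raise RuntimeError(f"pagination did not terminate within {max_pages} pages")


def collect_incident_ids(
    action: Callable[[Dict[str, Any]], Dict[str, Any]] = fake_list_incidents,
    page_size: int = 2,
) -> List[str]:
    """Collect the id of every incident, walking pages of `page_size`."""
    return [item["id"] for item in iterate_pages(action, page_size=page_size)]


if __name__ == "__main__":
    print(collect_incident_ids())
```

The sample output above (size 5, one record, next_offset 5) is exactly the short-page case: the loop yields the record and stops without a second request.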

## Get Incident Details

Get the details of an incident by incident_id. This endpoint requires the incident_read authorization scope.

### Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name | Description | Required |
| :--------- | :---------- | :------- |
| Incident Id | [Jinja-templated](doc:jinja-template) text containing the incident Id. Example: 'asdfasfeaw-awef-awef-asdfasdf' | Required |

### Output

JSON containing the following items:

## Delete an Incident

Deletes an existing incident from the user's organization. This endpoint requires the incident_write authorization scope.

### Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name  | Description                                                                                                     | Required |
| :---------- | :-------------------------------------------------------------------------------------------------------------- | :------- |
| Incident Id | [Jinja-templated](doc:jinja-template) text containing the incident Id. Example: 'asdfasfeaw-awef-awef-asdfasdf' | Required |

### Output

JSON containing the following items:


```json
{
   "message":"Incident deleted successfully",
   "error":null,
   "has_error":false
}
```

## Update an Incident

Updates an incident. Provide only the attributes that should be updated, as this request is a partial update. This endpoint requires the incident_write authorization scope.

### Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name | Description | Required |
| :--------- | :---------- | :------- |
| Incident Id | [Jinja-templated](doc:jinja-template) text containing the incident Id. Example: 'asdfasfeaw-awef-awef-asdfasdf' | Required |
| Incident | [Jinja-templated](doc:jinja-template) JSON containing the body of the request. Example: '{"data": {"type": "incidents","attributes": {"title": "Example-Create_an_incident_returns_CREATED_response","customer_impacted": false,"fields": {"state": {"type": "dropdown","value": "resolved"}}},"relationships": {"commander_user": {"data": {"type": "users","id": "af292796-b738-11ed-bb14-6a6fc077be39"}}}}}' | Required |

### Output

JSON containing the following items:

## List Attachments

Get all attachments for a given incident. This endpoint requires the incident_read authorization scope.

### Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name  | Description                                                                                                     | Required |
| :---------- | :-------------------------------------------------------------------------------------------------------------- | :------- |
| Incident Id | [Jinja-templated](doc:jinja-template) text containing the incident Id. Example: 'asdfasfeaw-awef-awef-asdfasdf' | Required |

### Output

JSON containing the following items:


```json
{
   "data":[
      {
         "type":"incident_attachments",
         "id":"5062eaab-e856-5c60-a514-bcf3a1f3d6f0",
         "attributes":{
            "modified":"2023-03-07T09:36:47.656548+00:00",
            "attachment_type":"link",
            "attachment":{
               "title":"Example-Create_an_incident_attachment_returns_OK_response",
               "documentUrl":"https://docs.google.com/spreadsheets/d/1R1C1Lx_0ELE3xc"
            }
         },
         "relationships":{
            "last_modified_by_user":{
               "data":{
                  "type":"users",
                  "id":"af292796-b738-11ed-bb14-6a6fc077be39"
               }
            }
         }
      }
   ],
   "error":null,
   "has_error":false
}
```

## Create, Update, and Delete Incident Attachments

The bulk update endpoint for creating, updating, and deleting attachments for a given incident.

### Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name | Description | Required |
| :--------- | :---------- | :------- |
| Incident Id | [Jinja-templated](doc:jinja-template) text containing the incident Id. Example: 'asdfasfeaw-awef-awef-asdfasdf' | Required |
| Attachment Details | [Jinja-templated](doc:jinja-template) JSON whose data key is an array of incident attachments. An attachment object without an "id" key is created; an attachment object without an "attributes" key is deleted; an attachment object with both an "id" key and a populated "attributes" object is updated. Example: '{"data": [{"type": "incident_attachments","attributes": {"attachment_type": "link/postmortem","attachment": {"documentUrl": "https://www.example.com/doc","title": "Example-Create_an_incident_attachment_returns_OK_response"}}}]}' | Optional |

### Output

JSON containing the following items:
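Because the same payload creates, updates and deletes depending only on which keys each object carries, a template whose attributes render empty turns an intended update into a delete. The Python below is an added example, not code from the integration or from Datadog: it classifies each object by the three rules above before the action runs and refuses deletes unless the playbook opts in. The sample payload is constructed, the accepted attachment_type values link and postmortem are my reading of the page's "link/postmortem", and classify_attachment, validate_attributes and plan_attachment_ops are hypothetical names.

```python
from typing import Any, Dict, List

ATTACHMENT_TYPE = "incident_attachments"
# My reading of the page's "link/postmortem" example value (assumption).
ALLOWED_ATTACHMENT_TYPES = ("link", "postmortem")

# Constructed payload mixing all three operations; ids are made up.
SAMPLE_PAYLOAD = {
    "data": [
        {  # no "id": create
            "type": ATTACHMENT_TYPE,
            "attributes": {
                "attachment_type": "link",
                "attachment": {"documentUrl": "https://www.example.com/doc", "title": "Runbook"},
            },
        },
        {  # "id" plus populated "attributes": update
            "type": ATTACHMENT_TYPE,
            "id": "5062eaab-e856-5c60-a514-bcf3a1f3d6f0",
            "attributes": {
                "attachment_type": "postmortem",
                "attachment": {"documentUrl": "https://www.example.com/pm", "title": "Postmortem"},
            },
        },
        {  # "id" without "attributes": delete
            "type": ATTACHMENT_TYPE,
            "id": "00000000-0000-0000-0000-000000000000",
        },
    ]
}


def classify_attachment(obj: Dict[str, Any]) -> str:
    """Return 'create', 'update' or 'delete' per the rules the action documents.

    An object with an id and an attributes key that rendered empty is neither
    a documented update nor a documented delete, so it is rejected rather than
    guessed at.
    """
    if obj.get("type") != ATTACHMENT_TYPE:
        raise ValueError(f"unexpected attachment type {obj.get('type')!r}")
    has_id = bool(obj.get("id"))
    attrs = obj.get("attributes")
    if not has_id:
        if not attrs:
            raise ValueError("object has neither id nor attributes; cannot be created or deleted")
        return "create"
    if "attributes" not in obj:
        return "delete"
    if not attrs:
        raise ValueError(
            f"attachment {obj['id']} has an empty attributes object; "
            "omit the key to delete it or populate it to update it"
        )
    return "update"


def validate_attributes(attrs: Dict[str, Any]) -> None:
    """Check the fields a create or update needs before the request is sent."""
    if attrs.get("attachment_type") not in ALLOWED_ATTACHMENT_TYPES:
        raise ValueError(f"attachment_type must be one of {ALLOWED_ATTACHMENT_TYPES}")
    attachment = attrs.get("attachment") or {}
    if not attachment.get("documentUrl") or not attachment.get("title"):
        raise ValueError("attachment needs both documentUrl and title")


def plan_attachment_ops(payload: Dict[str, Any], allow_delete: bool = False) -> Dict[str, List[str]]:
    """Dry-run the payload: titles to create, ids to update, ids to delete.

    Deletes raise unless allow_delete is set, so a playbook has to state
    explicitly that removing attachments is intended.
    """
    plan: Dict[str, List[str]] = {"create": [], "update": [], "delete": []}
    for obj in payload.get("data", []):
        op = classify_attachment(obj)
        if op == "delete":
            if not allow_delete:
                raise ValueError(f"payload would delete attachment {obj['id']}; pass allow_delete=True")
            plan["delete"].append(obj["id"])
            continue
        validate_attributes(obj["attributes"])
        if op == "create":
            plan["create"].append(obj["attributes"]["attachment"]["title"])
        else:
            plan["update"].append(obj["id"])
    return plan


if __name__ == "__main__":
    print(plan_attachment_ops(SAMPLE_PAYLOAD, allow_delete=True))
```

Running the planner as the step before the action gives the playbook a reviewable list of what will change, with deletes called out separately.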

## List Users

Get the list of all users in the organization. This list includes all users even if they are deactivated or unverified. This endpoint requires the user_access_read authorization scope.

### Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name        | Description                                                                                                                                                      | Required |
| :---------------- | :--------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------- |
| Additional Params | [Jinja-templated](doc:jinja-template) JSON containing params to be passed in request. Example: '{"page[size]": 2,"page[offset]": 3,"filter[status]": "Disabled"}' | Optional |

### Output

JSON containing the following items:


```json
{
   "included":[
      {
         "type":"permissions",
         "id":"c13a2368-7d61-11ed-b5b7-da7ad0900002",
         "attributes":{
            "name":"continuous_profiler_read",
            "display_name":"Continuous Profiler Read",
            "description":"View data in Continuous Profiler.",
            "created":"2022-12-16T16:50:32.545882+00:00",
            "group_name":"APM",
            "display_type":"read",
            "restricted":false
         }
      }
   ],
   "data":[
      {
         "type":"users",
         "id":"af292796-b738-11ed-bb14-6asdfasdf",
         "attributes":{
            "name":"Sumit yadav",
            "handle":"sumit.yadav@logichub.com",
            "created_at":"2023-02-28T07:22:40.312284+00:00",
            "modified_at":"2023-02-28T07:22:40.316250+00:00",
            "email":"sumit.yadav@logichub.com",
            "icon":"https://secure.gravatar.com/avatar/0902013a35e2d0dfd135f189fbc25532?s=48&d=retro",
            "title":null,
            "verified":true,
            "service_account":false,
            "disabled":false,
            "allowed_login_methods":[],
            "status":"Active"
         },
         "relationships":{
            "roles":{
               "data":[
                  {
                     "type":"roles",
                     "id":"aef1c858-b738-11ed-bdbf-da7ad0900002"
                  }
               ]
            },
            "org":{
               "data":{
                  "type":"orgs",
                  "id":"aee0c5b2-b738-11ed-84b1-da7ad0900002"
               }
            }
         }
      }
   ],
   "has_error":false,
   "meta":{
      "page":{
         "total_count":1,
         "total_filtered_count":1
      }
   },
   "error":null
}
```

## Release Notes

  • v2.1.2 - Added 8 new actions: Create an Incident, List Incidents, Get Incident Details, Delete an Incident, Update an Incident, List Attachments, Create, Update, and Delete Incident Attachments, and List Users.
  • v2.0.0 - Updated architecture to support IO via filesystem.