Datadog Security Integration
Forward database audit events to Datadog Security Monitoring. Unify database security with infrastructure observability using Datadog's Cloud SIEM.
Cloud SIEM
Native integration with Datadog's Cloud SIEM for threat detection and investigation.
Custom Dashboards
Build real-time dashboards combining database security with infrastructure metrics.
Detection Rules
Create custom detection rules for database threats with automated alerting.
Configuration Reference
1 Connection Settings
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
| name | string | Yes | - | A unique name for this SIEM connection (e.g., "datadog-prod") |
| provider | select | Yes | datadog | SIEM provider - select "Datadog Security" |
| enabled | boolean | No | true | Enable or disable event forwarding |
| api_key | password | Yes | - | Datadog API key used to write to the logs intake. Treat it as a secret (store it in a secret manager, not in config files) and create a dedicated key for this integration so it can be rotated or revoked without affecting other integrations |
| site | select | No | datadoghq.com | Datadog site that issued the API key (datadoghq.com, us3.datadoghq.com, us5.datadoghq.com, datadoghq.eu, ap1.datadoghq.com, ddog-gov.com). A key from one site is rejected by the intake of another |
2 Datadog-Specific Settings
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
| service | string | No | dbaudit | Service name tag for logs |
| source | string | No | dbaudit | Log source identifier |
| tags | array | No | - | Additional tags for logs (e.g., ["env:production", "team:security"]) |
| hostname | string | No | - | Override the hostname attribute on forwarded logs (defaults to the DB Audit server's hostname) |
3 Event Filtering
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
| event_types | multiselect | No | all | Event types to forward: audit_events, alerts, ai_detections, policy_violations, classification_findings |
| severity_filter | multiselect | No | all | Filter by severity: critical, warning, info |
| database_filter | array | No | - | Limit to specific databases (empty = all databases) |
4 Batching & Reliability
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
| batch_size | number | No | 100 | Number of events per batch (1-1000) |
| flush_interval_seconds | number | No | 30 | Maximum time between flushes (5-300 seconds) |
| retry_attempts | number | No | 3 | Number of retry attempts on failure |
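To make the filtering, batching and retry settings above concrete, here is an added example written for this page (it is not DB Audit's or Datadog's code) of a forwarder that applies them to constructed events. The class and method names, the assumption that an event's singular event_type (audit_event) belongs to the plural category in event_types (audit_events), and the backoff policy are this example's own choices; the intake URL pattern http-intake.logs.<site>/api/v2/logs and the 202 success status are Datadog's documented behaviour. The HTTP transport is injected so the demo runs offline against a stub that answers 503 twice before accepting.

```python
# Added example, not DB Audit's or Datadog's code (see lead-in for assumptions).
import json
import time
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Set


@dataclass
class DatadogSiemConfig:
    api_key: str                                 # load from a secret store, never hard-code
    site: str = "datadoghq.com"
    service: str = "dbaudit"
    source: str = "dbaudit"
    tags: List[str] = field(default_factory=list)
    hostname: str = "dbaudit-server"
    event_types: Optional[Set[str]] = None       # None = all; plural names as in the table
    severity_filter: Optional[Set[str]] = None   # None = all
    database_filter: Optional[Set[str]] = None   # None = all databases
    batch_size: int = 100
    flush_interval_seconds: int = 30
    retry_attempts: int = 3

    @property
    def intake_url(self) -> str:
        # the logs intake host follows the Datadog site: http-intake.logs.<site>
        return f"https://http-intake.logs.{self.site}/api/v2/logs"


class DatadogForwarder:
    def __init__(self, cfg: DatadogSiemConfig, send: Callable[[str, dict, str], int],
                 clock: Callable[[], float] = time.monotonic, sleep: Callable[[float], None] = time.sleep):
        self.cfg, self._send, self._clock, self._sleep = cfg, send, clock, sleep
        self._buffer: List[dict] = []
        self._last_flush = clock()
        self.delivered = self.dropped = 0

    def accepts(self, event: dict) -> bool:
        """Event filtering: event_types (assumed plural of event_type), severity_filter, database_filter."""
        c = self.cfg
        if c.event_types and event.get("event_type", "") + "s" not in c.event_types:
            return False
        if c.severity_filter and event.get("severity") not in c.severity_filter:
            return False
        return not c.database_filter or event.get("source", {}).get("database") in c.database_filter

    def submit(self, event: dict) -> bool:
        """Filter, add Datadog's reserved attributes, and flush on batch size or age."""
        if not self.accepts(event):
            return False
        tags = ",".join(self.cfg.tags + [f"service:{self.cfg.service}"])
        self._buffer.append({**event, "ddsource": self.cfg.source, "ddtags": tags,
                             "service": self.cfg.service, "hostname": self.cfg.hostname})
        if len(self._buffer) >= self.cfg.batch_size or \
                self._clock() - self._last_flush >= self.cfg.flush_interval_seconds:
            self.flush()
        return True

    def flush(self) -> int:
        """Send the buffered batch; retry with capped exponential backoff on 429, 5xx or no response."""
        if not self._buffer:
            return 0
        batch, self._buffer = self._buffer, []
        self._last_flush = self._clock()
        headers = {"Content-Type": "application/json", "DD-API-KEY": self.cfg.api_key}
        body = json.dumps(batch)
        for attempt in range(self.cfg.retry_attempts + 1):
            status = self._send(self.cfg.intake_url, headers, body)
            if status == 202:
                self.delivered += len(batch)
                return len(batch)
            if 400 <= status < 500 and status != 429:
                break                                # bad key, site or payload: retrying cannot help
            self._sleep(min(2 ** attempt, 30))
        self.dropped += len(batch)                   # alert on this counter in production
        return 0


def demo() -> dict:
    """Constructed events and a stub transport that answers 503 twice, then 202."""
    cfg = DatadogSiemConfig(api_key="REDACTED", site="datadoghq.eu", tags=["env:production"],
                            event_types={"audit_events", "alerts"},
                            severity_filter={"critical", "warning"}, batch_size=2)
    responses, calls = iter([503, 503, 202]), []

    def stub(url: str, headers: dict, body: str) -> int:
        calls.append(json.loads(body))
        return next(responses)

    fwd = DatadogForwarder(cfg, send=stub, sleep=lambda _s: None)
    events = [  # constructed: two pass the filters, two are dropped by severity / event type
        {"event_type": "audit_event", "severity": "warning", "source": {"database": "production-postgres"}},
        {"event_type": "audit_event", "severity": "info", "source": {"database": "production-postgres"}},
        {"event_type": "classification_finding", "severity": "critical", "source": {"database": "warehouse"}},
        {"event_type": "alert", "severity": "critical", "source": {"database": "warehouse"}},
    ]
    accepted = sum(fwd.submit(e) for e in events)
    fwd.flush()
    return {"accepted": accepted, "delivered": fwd.delivered, "dropped": fwd.dropped,
            "attempts": len(calls), "url": cfg.intake_url, "ddtags": calls[-1][0]["ddtags"]}
```

For a real deployment, wire `send` to an HTTP client that returns the status code (for example urllib.request with HTTPError caught, or requests). The forwarder deliberately does not retry 400, 401 or 403: those mean the payload, key or site is wrong, and retrying only burns the retry budget while the batch ages.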
Setup Instructions
Create API Key
Create a dedicated API key in Datadog for log ingestion, so it can be rotated or revoked without touching other integrations.
# Create API key in Datadog:
# 1. Log in to Datadog console
# 2. Navigate to Organization Settings → API Keys
# 3. Click "New Key"
# 4. Name it "dbaudit-integration"
# 5. Copy the generated key and store it in your secret manager; it is shown once and must not be committed to source control
# API key format (example, 32 hexadecimal characters):
# abc123def456abc123def456abc123de
# Datadog site URLs (the key only works against the site of the organization that issued it):
# - US1: datadoghq.com (default)
# - US3: us3.datadoghq.com
# - US5: us5.datadoghq.com
# - EU: datadoghq.eu
# - AP1: ap1.datadoghq.com
# - US1-FED: ddog-gov.com
Test Connection
Verify the API key can send logs to Datadog.
# Test Datadog log ingestion. The intake host follows the site of the key:
# US1 http-intake.logs.datadoghq.com, EU http-intake.logs.datadoghq.eu, US3 http-intake.logs.us3.datadoghq.com, and so on
curl -sS -X POST "https://http-intake.logs.datadoghq.com/api/v2/logs" \
  -w "\nHTTP %{http_code}\n" \
  -H "Content-Type: application/json" \
  -H "DD-API-KEY: YOUR_API_KEY" \
  -d '[{
    "message": "Test event from DB Audit",
    "ddsource": "dbaudit",
    "ddtags": "env:test",
    "hostname": "dbaudit-server",
    "service": "dbaudit"
  }]'
# Expected response:
# {} followed by "HTTP 202" (empty JSON body, 202 Accepted)
# HTTP 403 means the key is not valid for this site; HTTP 400 means the JSON body was rejected
# Verify in Datadog:
# Logs → Search: source:dbaudit
Create Log Pipeline (Optional)
Create a log pipeline to parse and enrich DB Audit events.
# Datadog Log Pipeline for DB Audit
# Logs → Configuration → Pipelines → Add Pipeline
Pipeline Name: DB Audit Database Events
Filter: source:dbaudit
# Processors:
# 1. Status Remapper
Type: Status Remapper
Status attribute: severity
# The status remapper keys on the leading characters of the value: critical → critical, warning → warning, info → info
# (so search status:critical, not status:error, for DB Audit's critical severity)
# 2. Date Remapper
Type: Date Remapper
Date attribute: timestamp
# 3. Service Remapper (optional)
Type: Service Remapper
Service attribute: source.database
# 4. Attribute Remapper for user
Type: Remapper
From: actor.user
To: usr.name
# 5. Attribute Remapper for IP
Type: Remapper
From: actor.client_ip
To: network.client.ip
Note: Log pipelines help normalize events for better searching and dashboards.
Configure in DB Audit
Add the Datadog Security integration in the DB Audit dashboard.
- Navigate to Integrations → SIEM in DB Audit
- Click Add SIEM Integration
- Select Datadog Security as the provider
- Enter your API key and select the Datadog site that issued it
- Configure service name and tags
- Select event types to forward
- Test the connection and save
Event Format
Each event is forwarded as one JSON log. The nested objects (source, actor, action, classification) are parsed into searchable @attributes automatically; ddsource, ddtags, service and hostname are Datadog's reserved attributes and are filled from the Datadog-specific settings.
{
"timestamp": "2024-01-15T10:30:45.123Z",
"event_type": "audit_event",
"severity": "warning",
"source": {
"database": "production-postgres",
"db_type": "postgresql",
"host": "db.example.com"
},
"actor": {
"user": "app_user",
"client_ip": "10.0.1.50",
"application": "backend-api"
},
"action": {
"type": "SELECT",
"object": "customers",
"schema": "public",
"statement": "SELECT * FROM customers WHERE...",
"rows_affected": 1500
},
"classification": {
"contains_pii": true,
"data_types": ["email", "phone"]
},
"ddsource": "dbaudit",
"ddtags": "env:production,service:dbaudit",
"service": "dbaudit",
"hostname": "dbaudit-server"
}
Sample Datadog Queries
Use these queries to search and analyze DB Audit events in Datadog Logs.
# Datadog Log Search Queries
# All DB Audit events
source:dbaudit
# Filter by severity (after the status remapper, DB Audit's critical becomes status:critical;
# without the pipeline, search the raw attribute with @severity:critical)
source:dbaudit status:critical
# Large data access patterns
source:dbaudit @action.type:SELECT @action.rows_affected:>10000
# Specific user activity
source:dbaudit @actor.user:app_user
# Failed authentication attempts
source:dbaudit @event_type:auth_failure
# PII access monitoring
source:dbaudit @classification.contains_pii:true
# Events by database
source:dbaudit @source.database:production-postgres
# Group by user and count: Log Explorer has no pipe/stats syntax. Search source:dbaudit,
# switch the visualization to Top List and group by @actor.user
# Time series of events: use the Timeseries visualization of the same search, grouped by
# status (or by @severity if the status remapper is not configured)
Sample Detection Rule
Create detection rules for database security threats.
# Datadog Security Detection Rule
# Security → Detection Rules → New Rule
Rule Name: Suspicious Database Data Exfiltration
Description: Detects queries returning large amounts of potentially sensitive data
# Query
source:dbaudit @action.type:SELECT @action.rows_affected:>10000 @classification.contains_pii:true
# Rule Cases
Case 1:
Name: High Volume PII Access
Condition: count > 0
# count > 0 raises a signal for every matching event in each group; once you know the
# baseline, raise the threshold (for example count > 3 within the evaluation window) so a
# single large report does not page the on-call
Severity: High
Notification: @slack-security-alerts
# Group By
@actor.user
@source.database
# Tags
security:database
compliance:pii-access
tactic:collection
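As an added illustration (written for this page, not Datadog's detection engine), the rule above evaluated in code over constructed events: the query becomes a predicate, matching events are counted per (actor.user, source.database) group in a tumbling 5-minute window, and the rule cases are tried in order with the first match winning, as Datadog does. It contrasts the page's single `count > 0` case with a tuned pair of cases to show why the threshold matters. The event shapes, window length, user names and case names are this example's assumptions.

```python
# Added example, not Datadog's rule engine (see lead-in for assumptions).
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, Dict, List, Sequence, Tuple


@dataclass
class Case:
    name: str
    condition: Callable[[int], bool]   # applied to the per-group count in one window
    severity: str


def _get(d: dict, path: str):
    for key in path.split("."):
        d = d.get(key) if isinstance(d, dict) else None
    return d


def rule_query(ev: dict) -> bool:
    """The rule's query as a predicate:
    source:dbaudit @action.type:SELECT @action.rows_affected:>10000 @classification.contains_pii:true"""
    return (ev.get("ddsource") == "dbaudit" and _get(ev, "action.type") == "SELECT"
            and (_get(ev, "action.rows_affected") or 0) > 10000
            and _get(ev, "classification.contains_pii") is True)


def evaluate(events: Sequence[dict], query: Callable[[dict], bool], group_by: Tuple[str, ...],
             cases: List[Case], window_s: int) -> List[dict]:
    """Count matching events per group in tumbling windows of window_s seconds and
    fire the first case whose condition holds (cases are evaluated in order)."""
    counts: Dict[Tuple[int, Tuple], int] = defaultdict(int)
    for ev in events:
        if not query(ev):
            continue
        ts = datetime.fromisoformat(ev["timestamp"].replace("Z", "+00:00")).timestamp()
        group = tuple(_get(ev, g) for g in group_by)
        counts[(int(ts) // window_s * window_s, group)] += 1
    signals = []
    for (start, group), n in sorted(counts.items()):
        for case in cases:
            if case.condition(n):
                signals.append({"window_start": start, "group": group, "count": n,
                                "case": case.name, "severity": case.severity})
                break
    return signals


def _ev(ts: str, user: str, db: str, rows: int, pii: bool) -> dict:
    """Constructed event in the shape of the Event Format section (fields the rule needs)."""
    return {"timestamp": ts, "ddsource": "dbaudit", "actor": {"user": user},
            "source": {"database": db}, "action": {"type": "SELECT", "rows_affected": rows},
            "classification": {"contains_pii": pii}}


EVENTS = [  # constructed sample: all within the 10:00-10:05 window
    _ev("2024-01-15T10:00:10Z", "app_user", "production-postgres", 25000, True),
    _ev("2024-01-15T10:01:30Z", "app_user", "production-postgres", 40000, True),
    _ev("2024-01-15T10:03:05Z", "app_user", "production-postgres", 31000, True),
    _ev("2024-01-15T10:02:00Z", "svc_reporting", "production-postgres", 12000, True),
    _ev("2024-01-15T10:02:45Z", "analyst", "warehouse", 90000, False),      # no PII: out of scope
    _ev("2024-01-15T10:04:00Z", "app_user", "production-postgres", 800, True),  # below 10000 rows
]
GROUP_BY = ("actor.user", "source.database")
PAGE_CASES = [Case("High Volume PII Access", lambda n: n > 0, "high")]
TUNED_CASES = [Case("Repeated high-volume PII access", lambda n: n >= 3, "high"),
               Case("Single high-volume PII access", lambda n: n > 0, "low")]


def compare() -> dict:
    return {"page_rule": evaluate(EVENTS, rule_query, GROUP_BY, PAGE_CASES, 300),
            "tuned_rule": evaluate(EVENTS, rule_query, GROUP_BY, TUNED_CASES, 300)}
```

With the page's rule both users produce a High signal on their first matching query; with the tuned cases the repeated access by app_user is High while the single svc_reporting query is Low, which is usually the triage split you want for a data-exfiltration rule.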
Troubleshooting
Authentication failed (403)
Verify the API key is correct and active, and that the selected Datadog site is the one that issued it: a key from datadoghq.com is rejected with 403 by the datadoghq.eu intake, and vice versa.
Logs not appearing
Confirm the test request returned HTTP 202, that no index exclusion filter drops source:dbaudit, and that the time range and `source:dbaudit` filter in Log Explorer are correct. Remember that batches are held until batch_size is reached or flush_interval_seconds elapses, so a single event may take up to that interval to appear.
Wrong Datadog site
Ensure you're using the correct site URL. US organizations use datadoghq.com, EU uses datadoghq.eu.
Fields not searchable as expected
JSON logs are parsed into @attributes automatically, so a missing pipeline is rarely the cause. If a field should drive a reserved attribute (status, service, usr.name, network.client.ip), add the remapper processors from the Create Log Pipeline section, and create a facet for any attribute you want to use in the Log Explorer sidebar or in group-by visualizations.
Ready to Integrate with Datadog?
Start forwarding database audit events to Datadog in minutes.