Datadog Integration

Forward detection events to Datadog for centralized security monitoring, alerting, and dashboards.

Prerequisites

Datadog account
API key
Application key

Getting Datadog Credentials

API Key

Log into Datadog
Go to Organization Settings → API Keys
Click New Key
Name it “WebDecoy Integration”
Copy the key

Application Key

Go to Organization Settings → Application Keys
Click New Key
Name it “WebDecoy Integration”
Copy the key

Configuring Integration

Go to Integrations → Datadog
Click Add Datadog Integration
Enter:

Field Description
API Key Datadog API key
Application Key Datadog application key
Site Your Datadog site region
Configure event forwarding:

Setting Description
Forward all detections Every detection as an event
Forward high risk Only critical detections
Include metrics Send as custom metrics
Click Connect

Field	Description
API Key	Datadog API key
Application Key	Datadog application key
Site	Your Datadog site region

Setting	Description
Forward all detections	Every detection as an event
Forward high risk	Only critical detections
Include metrics	Send as custom metrics

Datadog Sites

Site	Region	URL
US1	US (Virginia)	datadoghq.com
US3	US (Virginia)	us3.datadoghq.com
US5	US (Oregon)	us5.datadoghq.com
EU1	EU (Frankfurt)	datadoghq.eu
AP1	Asia (Tokyo)	ap1.datadoghq.com

Event Format

Detections are sent as Datadog events:

{
  "title": "WebDecoy: High-Risk Detection",
  "text": "Decoy link triggered by 192.168.1.100\n\nPath: /admin/backup.zip\nScore: 85 (CRITICAL)\nMITRE: Reconnaissance (TA0043)",
  "priority": "normal",
  "tags": [
    "source:webdecoy",
    "detection_type:decoy_link",
    "threat_level:critical",
    "mitre_tactic:reconnaissance",
    "country:US"
  ],
  "alert_type": "warning",
  "source_type_name": "webdecoy"
}

Event Tags

Tag	Description	Example
`source:webdecoy`	Always present	-
`detection_type`	Type of detection	`decoy_link`, `bot_scanner`, `endpoint`
`threat_level`	Risk level	`minimal`, `low`, `medium`, `high`, `critical`
`mitre_tactic`	MITRE ATT&CK tactic	`reconnaissance`, `initial_access`
`country`	Source country	`US`, `CN`, `RU`
`property`	Property name	`production_site`
`is_bot`	Bot detection	`true`, `false`
`is_vpn`	VPN detected	`true`, `false`

Custom Metrics

When “Include metrics” is enabled, WebDecoy sends custom metrics:

Available Metrics

Metric	Type	Description
`webdecoy.detections.count`	Count	Number of detections
`webdecoy.detections.score`	Gauge	Average threat score
`webdecoy.blocked_ips.count`	Count	IPs blocked
`webdecoy.bot_score.average`	Gauge	Average bot score

Metric Tags

All metrics include:

property - Property name
detection_type - Detection source type
threat_level - Risk level
country - Source country

Building Dashboards

Recommended Widgets

Detection Overview:

Timeseries of webdecoy.detections.count
Group by threat_level

Geographic Distribution:

Geomap using country tag
Colored by detection count

Threat Level Breakdown:

Pie chart of detections by threat_level

Top Attacking IPs:

Top list from events
Filter by high threat scores

Sample Dashboard JSON

{
  "title": "WebDecoy Security Dashboard",
  "widgets": [
    {
      "definition": {
        "title": "Detections Over Time",
        "type": "timeseries",
        "requests": [
          {
            "q": "sum:webdecoy.detections.count{*} by {threat_level}",
            "display_type": "bars"
          }
        ]
      }
    },
    {
      "definition": {
        "title": "Threat Levels",
        "type": "sunburst",
        "requests": [
          {
            "q": "sum:webdecoy.detections.count{*} by {threat_level}"
          }
        ]
      }
    }
  ]
}

Alerting

Create Datadog monitors for WebDecoy events:

High-Risk Detection Alert

Monitor Type: Event Alert
Query: events("source:webdecoy threat_level:critical").rollup("count").by("source").last("5m") > 0
Alert: Notify security team

Detection Spike Alert

Monitor Type: Metric Alert
Query: sum:webdecoy.detections.count{*}.as_count() > 100
Window: 5 minutes
Alert: Anomaly detection triggered

Bot Attack Alert

Monitor Type: Event Alert
Query: events("source:webdecoy is_bot:true").rollup("count").last("1h") > 50
Alert: Potential bot attack in progress

Log Management

WebDecoy can also send logs to Datadog:

Log Format

{
  "timestamp": "2025-01-15T10:30:00Z",
  "level": "warn",
  "message": "Detection created",
  "service": "webdecoy",
  "detection_id": "det_abc123",
  "ip_address": "192.168.1.100",
  "threat_score": 85,
  "threat_level": "critical",
  "detection_type": "decoy_link",
  "property_id": "prop_def456"
}

Log Pipeline

Create a pipeline to parse WebDecoy logs:

Go to Logs → Configuration → Pipelines
Create new pipeline for service:webdecoy
Add processors:
- Grok parser for message
- Status remapper for threat_level
- GeoIP processor for ip_address

Best Practices

Do’s

✅ Use tags for filtering and grouping
✅ Create dashboards for visibility
✅ Set up alerts for critical detections
✅ Use metrics for trend analysis
✅ Correlate with other security data

Don’ts

❌ Forward all events without filtering
❌ Ignore high-volume periods (adjust alerts)
❌ Skip dashboard setup
❌ Use API key with excessive permissions

Troubleshooting

Events Not Appearing

Verify API and Application keys
Check site region is correct
Ensure integration is enabled
Check Datadog event explorer with filter source:webdecoy

Metrics Missing

Verify “Include metrics” is enabled
Check Datadog Metrics Explorer
Metrics may take a few minutes to appear
Verify custom metrics quota

Authentication Errors

Regenerate API key
Verify Application key is correct
Check keys haven’t been revoked
Ensure correct Datadog site

Next Steps

Cloudflare - Automatic IP blocking
AWS WAF - AWS firewall integration
Overview - All integrations