Collect Datadog logs
====================

Supported in: Google SecOps [SIEM](/chronicle/docs/secops/google-secops-siem-toc)

| **Note:** This feature is covered by [Pre-GA Offerings Terms](https://chronicle.security/legal/service-terms/) of the Google Security Operations Service Specific Terms. Pre-GA features might have limited support, and changes to pre-GA features might not be compatible with other pre-GA versions. For more information, see the [Google SecOps Technical Support Service guidelines](https://chronicle.security/legal/technical-support-services-guidelines/) and the [Google SecOps Service Specific Terms](https://chronicle.security/legal/service-terms/).

Overview
--------

This parser extracts fields from Datadog logs, performs several mutations and Grok matching to structure the data, and maps the extracted fields to the UDM. It handles different log formats within the **message** field, including key-value pairs and JSON objects, and converts specific fields into UDM-compliant labels and additional fields.

Before you begin
----------------

| **Note:** You can share Datadog logs to Google SecOps using Google Cloud Storage or a webhook.

Ensure that you have the following prerequisites:

- Google SecOps instance.
- Privileged access to Google Cloud IAM.
- Privileged access to Cloud Storage.
- `logs_write_archive` user access to Datadog.

Option 1: Datadog log sharing through Cloud Storage configuration
-----------------------------------------------------------------

### Configure Datadog integration with Google Cloud Platform

- Set up an integration for [Google Cloud Platform in Datadog](https://app.datadoghq.com/integrations/google-cloud-platform). For more information, see the [Datadog Google Cloud integration setup](https://docs.datadoghq.com/integrations/google_cloud_platform/?tab=dataflowmethodrecommended#setup).

### Create a Google Cloud Storage Bucket

1. Sign in to the Google Cloud console.
2. Go to the **Cloud Storage Buckets** page.

   [Go to Buckets](https://console.cloud.google.com/storage/browser)
3. Click **Create**.
4. On the **Create a bucket** page, enter your bucket information. After each of the following steps, click **Continue** to proceed to the next step:
   1. In the **Get started** section, do the following:
      1. Enter a unique name that meets the bucket name requirements (for example, **datadog-data**).
      2. To enable hierarchical namespace, click the expander arrow to expand the **Optimize for file oriented and data-intensive workloads** section, and then select **Enable Hierarchical namespace on this bucket**.

         | **Note:** You cannot enable hierarchical namespace in an existing bucket.
      3. To add a bucket label, click the expander arrow to expand the **Labels** section.
      4. Click **Add label**, and specify a key and a value for your label.
   2. In the **Choose where to store your data** section, do the following:
      1. Select a **Location type**.
      2. Use the location type drop-down to select a **Location** where object data within your bucket will be permanently stored.
         - If you select the **dual-region** location type, you can also choose to enable **turbo replication** by using the relevant checkbox.
      3. To set up cross-bucket replication, expand the **Set up cross-bucket replication** section.
   3. In the **Choose a storage class for your data** section, either select a **default storage class** for the bucket, or select **Autoclass** for automatic storage class management of your bucket's data.
   4. In the **Choose how to control access to objects** section, select **not** to enforce **public access prevention**, and select an **access control model** for your bucket's objects.

      | **Note:** If public access prevention is already enforced by your project's organization policy, the **Prevent public access** checkbox is locked.
   5. In the **Choose how to protect object data** section, do the following:
      1. Select any of the options under **Data protection** that you want to set for your bucket.
      2. To choose how your object data will be encrypted, click the expander arrow labeled **Data encryption**, and select a **Data encryption method**.
5. Click **Create**.

| **Note:** Do not add a retention policy, as the latest data must be rewritten in case of a timeout.

### Create a Google Cloud Service Account

1. Go to **IAM & Admin** > **Service Accounts**.
2. Create a new service account.
3. Give it a descriptive name (for example, **datadog-user**).
4. Grant the service account the **Storage Object Admin** role on the Cloud Storage bucket you created in the previous step.
5. Create an [SSH key](/iam/docs/keys-create-delete) for the service account.
6. Download a JSON key file for the service account. Keep this file secure.

### Configure Datadog to send logs to Cloud Storage

1. Sign in to Datadog using a privileged account.
2. Go to **Logs** > **Log Forwarding**.
3. Click **+ Create New Archive**.
4. Select **Google Cloud Storage**.
5. Input the required parameters and click **Save**.

Option 2: Datadog log sharing through Webhook configuration
-----------------------------------------------------------

Set up feeds
------------

To configure a feed, follow these steps:

1. Go to **SIEM Settings** > **Feeds**.
2. Click **Add New Feed**.
3. On the next page, click **Configure a single feed**.
4. In the **Feed name** field, enter a name for the feed (for example, **Datadog Logs**).
5. Select **Webhook** as the **Source type**.
6. Select **Datadog** as the **Log type**.
7. Click **Next**.
8. Optional: Specify values for the following input parameters:
   - **Split delimiter**: the delimiter that is used to separate log lines, such as `\n`.
9. Click **Next**.
10. Review the feed configuration in the **Finalize** screen, and then click **Submit**.
11. Click **Generate Secret Key** to generate a secret key to authenticate this feed.
12. Copy and store the secret key. You cannot view this secret key again. If needed, you can regenerate a new secret key, but this action makes the previous secret key obsolete.
13. From the **Details** tab, copy the feed endpoint URL from the **Endpoint Information** field. You need to specify this endpoint URL in your client application.
14. Click **Done**.

### Create an API key for the webhook feed

1. Go to **Google Cloud console** > **Credentials**.

   [Go to Credentials](https://console.cloud.google.com/apis/credentials)
2. Click **Create credentials**, and then select **API key**.
3. Restrict the API key access to the **Chronicle API**.

### Specify the endpoint URL

1. In your client application, specify the HTTPS endpoint URL provided in the webhook feed.
2. Enable authentication by specifying the API key and secret key as part of the custom header in the following format:

       X-goog-api-key = API_KEY
       X-Webhook-Access-Key = SECRET

   **Recommendation**: Specify the API key as a header instead of specifying it in the URL.
3. If your webhook client doesn't support custom headers, you can specify the API key and secret key using query parameters in the following format:

       ENDPOINT_URL?key=API_KEY&secret=SECRET

   Replace the following:
   - `ENDPOINT_URL`: the feed endpoint URL.
   - `API_KEY`: the API key to authenticate to Google SecOps.
   - `SECRET`: the secret key that you generated to authenticate the feed.
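The two delivery forms above (credentials in headers, or in query parameters as a fallback), shown as an added Python client. This is example code, not code from the Google SecOps documentation or from Datadog; it uses only the standard library, the endpoint and credential values are constructed placeholders, and the sample records are constructed. Header mode is the default because query-string credentials end up in proxy logs, browser history and URL-logging middleware, so the client also masks `key` and `secret` before a URL is written to its own logs.

```python
import json
import urllib.parse
import urllib.request

# Constructed placeholders: substitute the feed endpoint URL, the API key and
# the feed secret key from the steps above. None of these are real values.
ENDPOINT_URL = "https://example.invalid/feeds/FEED_ID_PLACEHOLDER"
API_KEY = "API_KEY_PLACEHOLDER"
SECRET = "SECRET_PLACEHOLDER"

# A constructed batch of Datadog-style log records, one JSON object per line.
SAMPLE_LOGS = [
    {"host": "web-01", "service": "nginx", "status": "WARN",
     "message": "upstream timed out", "tags": ["env:prod"]},
    {"service": "auth", "status": "info", "message": "token refreshed"},
]


def build_headers(api_key, secret):
    """Preferred form: credentials travel in the two documented headers, not the URL."""
    return {
        "Content-Type": "application/json",
        "X-goog-api-key": api_key,
        "X-Webhook-Access-Key": secret,
    }


def build_query_url(endpoint_url, api_key, secret):
    """Fallback for clients that cannot set headers: ENDPOINT_URL?key=...&secret=..."""
    query = urllib.parse.urlencode({"key": api_key, "secret": secret})
    separator = "&" if urllib.parse.urlsplit(endpoint_url).query else "?"
    return f"{endpoint_url}{separator}{query}"


def encode_batch(records, delimiter="\n"):
    """Serialize one record per line, joined by the feed's split delimiter (default \\n)."""
    return delimiter.join(
        json.dumps(record, separators=(",", ":")) for record in records
    ).encode("utf-8")


def redact_url(url):
    """Mask key/secret query values before a URL is written to local logs or traces."""
    parts = urllib.parse.urlsplit(url)
    pairs = urllib.parse.parse_qsl(parts.query, keep_blank_values=True)
    masked = [(k, "REDACTED" if k in ("key", "secret") else v) for k, v in pairs]
    return urllib.parse.urlunsplit(parts._replace(query=urllib.parse.urlencode(masked)))


def build_request(endpoint_url, api_key, secret, records, use_headers=True):
    """Build the POST; header mode is the default, query-parameter mode is opt-in."""
    body = encode_batch(records)
    if use_headers:
        return urllib.request.Request(
            endpoint_url, data=body, headers=build_headers(api_key, secret), method="POST")
    return urllib.request.Request(
        build_query_url(endpoint_url, api_key, secret), data=body,
        headers={"Content-Type": "application/json"}, method="POST")


def send(request, timeout=10):
    """Deliver the batch and return the HTTP status; requires network access."""
    with urllib.request.urlopen(request, timeout=timeout) as response:
        return response.status


if __name__ == "__main__":
    request = build_request(ENDPOINT_URL, API_KEY, SECRET, SAMPLE_LOGS)
    # Only the redacted URL is logged; the placeholder endpoint is never contacted here.
    print("POST", redact_url(request.full_url), "bytes:", len(request.data))
```

Call `send(build_request(...))` with the real endpoint to deliver a batch; pass `use_headers=False` only for a client that genuinely cannot set headers, and keep `redact_url` in front of any logging of the request URL in that mode.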
### Configure Datadog to send logs to webhook

1. Sign in to Datadog using a privileged account.
2. Go to **Logs** > **Log Forwarding**.
3. Select **Custom Destinations**.
4. Click **+ Create a New Destination**.
5. Specify values for the following input parameters:
   1. **Choose a destination type**: Select **HTTP**.
   2. **Name the destination**: Provide a descriptive name for the webhook (for example, **Google SecOps Webhook**).
   3. **Configure the destination**: Enter the **ENDPOINT_URL**, followed by the **API_KEY** and **SECRET**.
   4. **Configure authentication settings**: Add a general header like the following. It does not malform the HTTP request, and it lets Datadog complete the webhook creation.
      - Header name: `Accept`.
      - Header value: `application/json`.
   5. Click **Save**.

Reference Links
---------------

- [Sharing Logs to Cloud Storage](https://docs.datadoghq.com/logs/log_configuration/archives/?tab=googlecloudstorage)
- [Forwarding Logs to Webhook](https://docs.datadoghq.com/logs/log_configuration/forwarding_custom_destinations/?tab=http)

UDM Mapping Table
-----------------
| Log field | UDM mapping | Logic |
|---|---|---|
| message | | The message field is parsed, and parts of it are used to populate the summary and json_data fields. The remaining part is treated as key-value pairs and added as labels within the security_result object. |
| | | Extracted from the msg field and added as a label within the security_result object. |
| service | read_only_udm.metadata.product_name | Directly mapped from the service field. |
| status | read_only_udm.security_result.severity | The severity is determined based on the status field. `INFO`, `DEBUG`, `debug`, and `info` map to `LOW`, `WARN` maps to `MEDIUM`, and other values are not explicitly mapped in the provided code snippet. |
| tags | read_only_udm.additional.fields | Each tag in the tags array is parsed into key-value pairs and added as additional fields. |
| N/A | read_only_udm.metadata.event_type | Set to `STATUS_UPDATE` if the host field is present, and `GENERIC_EVENT` otherwise. |
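The mapping rules in the table, carried out in Python as an added example; this is not the Google SecOps parser's own code. The severity and event_type rules are exactly the ones the table states. Everything the table leaves open is an assumption made for the illustration: that Datadog tags are split on `:` into key and value, that the message is handled by cutting out an embedded JSON object first, then turning `key=value` tokens into labels, and treating the leftover text as the summary, and that `summary` and `json_data` are placed at the top level of the output. The sample record is constructed.

```python
import json
import re

# Status values the mapping table lists; anything else is left unmapped.
SEVERITY_BY_STATUS = {
    "INFO": "LOW", "DEBUG": "LOW", "debug": "LOW", "info": "LOW",
    "WARN": "MEDIUM",
}

# key=value tokens inside the message; quoted values may contain spaces.
KV_TOKEN = re.compile(r'(\w[\w.\-]*)=("[^"]*"|\S+)')

# A constructed Datadog log record used to exercise the mapping below.
SAMPLE_RECORD = {
    "host": "web-01",
    "service": "nginx",
    "status": "WARN",
    "tags": ["env:prod", "team:platform", "untagged"],
    "message": 'Login failed user=alice src_ip=10.0.0.5 {"attempts": 3}',
}


def map_severity(status):
    """Table rule: listed status values map to LOW/MEDIUM; others return None."""
    return SEVERITY_BY_STATUS.get(status)


def map_event_type(record):
    """Table rule: presence of the host field, not its value, decides the event type."""
    return "STATUS_UPDATE" if "host" in record else "GENERIC_EVENT"


def parse_tags(tags):
    """Assumption: tags use 'key:value'; a tag without ':' keeps an empty value."""
    fields = {}
    for tag in tags or []:
        key, separator, value = tag.partition(":")
        fields[key] = value if separator else ""
    return fields


def parse_message(message):
    """Split the message into (summary, json_data, labels).

    Assumed order of operations: an embedded JSON object is cut out first,
    then key=value tokens become labels, and the remaining text is the summary.
    """
    rest = message.strip()
    json_data = None
    start = rest.find("{")
    if start != -1:
        candidate = rest[start:]
        try:
            json_data, end = json.JSONDecoder().raw_decode(candidate)
            rest = (rest[:start] + candidate[end:]).strip()
        except ValueError:
            json_data = None  # a stray '{' is ordinary text, not JSON
    labels = {}

    def take(match):
        labels[match.group(1)] = match.group(2).strip('"')
        return ""

    summary = re.sub(r"\s+", " ", KV_TOKEN.sub(take, rest)).strip()
    return summary, json_data, labels


def to_udm(record):
    """Apply the table's mapping to one record and return the UDM subset it describes."""
    summary, json_data, labels = parse_message(record.get("message", ""))
    security_result = {"labels": labels}
    severity = map_severity(record.get("status"))
    if severity is not None:
        security_result["severity"] = severity
    udm = {
        "metadata": {
            "event_type": map_event_type(record),
            "product_name": record.get("service"),
        },
        "security_result": security_result,
        "additional": {"fields": parse_tags(record.get("tags"))},
    }
    # Placement of summary/json_data is an assumption; the table names the fields only.
    if summary:
        udm["summary"] = summary
    if json_data is not None:
        udm["json_data"] = json_data
    return udm


if __name__ == "__main__":
    print(json.dumps(to_udm(SAMPLE_RECORD), indent=2))
```

Running the module prints the mapped record: `severity` is `MEDIUM` because `status` is `WARN`, `event_type` is `STATUS_UPDATE` because `host` is present, the two `key=value` tokens become `security_result.labels`, the trailing JSON object becomes `json_data`, and the three tags become `additional.fields`. A status outside the listed set (for example `ERROR`) yields no `severity` at all, which is worth checking in detection rules that filter on that field.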
Last updated 2025-08-29 UTC.