Integrate Contrast Security ADR with Datadog® (Northstar)
The Contrast Security ADR integration with Datadog enables ADR to send incident details to your Security Information and Event Management (SIEM), Security Orchestration, Automation and Response (SOAR), and Extended Detection and Response (XDR) environments, so that incidents can be contextualized with data from other threat detection and response solutions.
How it works
When configured, Contrast Security ADR sends detected attack events from the Contrast Security platform to your Datadog instance over HTTPS.
The Contrast Security ADR with Datadog application enables Datadog to:
Parse and normalize the data received over HTTPS from the Datadog Logs API
Display Contrast Security ADR attack events in Datadog to populate the dedicated Contrast Security ADR Dashboard, or to use with search and correlation rules in Datadog Cloud SIEM
Before you begin
Before you start, you must have:
Admin Role permissions in Datadog
Applications instrumented with a Contrast agent
Install the Contrast Security ADR application in Datadog
In Datadog, go to the Contrast Classic ADR tile and select Install Integration.
Continue to Set up the Datadog log ingestion.
Set up the Datadog log ingestion
In Datadog, go to Datadog Organization Settings > API Keys to create a new API Key for the integration.
After the key is created, select Copy Key to copy it to your clipboard. You need it in the following configuration step.
Configure Contrast Security ADR to send events to Datadog
Configure the integration in Northstar to send attack events, observations, and incidents to the Datadog application.
For Northstar, in the left navigation, select Administration > Integrations.
Select the Datadog option under the Integrations section.
Under the Manage Credentials tab:
Enter the https://http-intake.logs.datadoghq.com/api/v2/logs URL
Enter the API Key from the API token created in Set up the Datadog log ingestion
Select the Integration Enabled toggle to enable the integration. This setting allows you to temporarily disable the integration without losing your configuration.
Under the Advanced tab, select from the modes of data to send to the app:
Select All Observations and incidents to send all attack event observations detected by agents, as well as incidents and issues associated with the incident. This is recommended for SOC practices that seek deep visibility into application runtime and are building their own custom use cases.
Select Incidents and only incident-related observations to send incidents, associated observations, and issues to Datadog. This is recommended for SOC practices that want to minimize the volume of data sent to their SIEM and only receive alerts for security incidents and related observations.
Select Save.
Continue to View Contrast ADR data in Datadog.
View Contrast ADR data in the Datadog dashboard
The integration includes a Datadog Dashboard titled Contrast Security ADR.
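If the dashboard stays empty, one way to rule out the intake URL or the API key is to post a constructed test event directly to the Datadog Logs API. The script below is an added example, not Contrast Security or Datadog code; the `DD_API_KEY` environment variable, the `contrast-preflight` source name, and the function names are assumptions, and only the intake URL given on this page is accepted.

```python
import json
import os
import urllib.error
import urllib.parse
import urllib.request

INTAKE_URL = "https://http-intake.logs.datadoghq.com/api/v2/logs"  # URL from this page

def check_intake_url(url):
    """Accept only the HTTPS intake endpoint named on this page (strict allowlist)."""
    parts = urllib.parse.urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("intake URL must use HTTPS so the API key is not sent in clear text")
    if parts.hostname != "http-intake.logs.datadoghq.com" or parts.path != "/api/v2/logs":
        raise ValueError("not the Datadog logs intake URL from the integration guide")
    return url

def build_request(url, api_key, source="contrast-preflight"):
    """Build the POST for one constructed test event; nothing is sent here."""
    if not api_key or api_key != api_key.strip():
        raise ValueError("API key is empty or has stray whitespace from copy/paste")
    # Constructed sample event; 'contrast-preflight' is a hypothetical source name.
    event = [{"ddsource": source, "service": "preflight",
              "message": "Constructed test event: intake check for the ADR integration"}]
    return urllib.request.Request(
        check_intake_url(url), data=json.dumps(event).encode(), method="POST",
        headers={"Content-Type": "application/json", "DD-API-KEY": api_key})

def send(request):
    """Send the request and map the HTTP status to an operator-facing verdict."""
    try:
        with urllib.request.urlopen(request, timeout=10) as resp:
            status = resp.status
    except urllib.error.HTTPError as err:
        status = err.code
    verdicts = {202: "accepted", 400: "bad payload", 403: "API key rejected"}
    return status, verdicts.get(status, "unexpected")

if __name__ == "__main__":
    # The key is read from the environment so it stays out of shell history.
    print(send(build_request(INTAKE_URL, os.environ["DD_API_KEY"])))
```

An `accepted` verdict means the URL and key work on the Datadog side; searching Datadog Logs for the `contrast-preflight` source confirms ingestion end to end.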