Datadog is a monitoring and analytics tool for information technology (IT) and DevOps teams that can be used to determine performance metrics as well as event monitoring for infrastructure and cloud services. This tutorial demonstrates how to use the Nightfall API for scanning your Datadog logs/metrics/events.
This tutorial allows you to scan your Datadog instance using the Nightfall API/SDK.
You will need a few things first to use this tutorial:
A Datadog account with an API key and Application key
A Nightfall API key
An existing Nightfall Detection Rule
A Python 3 environment (version 3.7 or later)
Python Nightfall SDK
We need to install the nightfall and requests library using pip. All the other libraries we will be using are built into Python.
We will be using Python and installing/importing the following libraries:
Next we define the Detection Rule with which we wish to scan our data. The Detection Rule can be pre-made in the Nightfall web app and referenced by UUID.
Note, we are setting the Datadog authentication information as the below environment variables, and referencing the values from there:
DD_API_KEY
DD_APPLICATION_KEY
Next we abstract a nightfall class from the SDK, for our API key.
First we will set up the connection with Datadog, and get the data to be scanned from there.
The three different code sample options below are for the three different available items from Datadog to scan:
logs - Scans the 100 most recent logs from Datadog.
metrics - Scans all active metric tags from the last 24 hours.
events - Scans all events from the last 24 hours.
Each one of these options saves the data into a data_to_scan
list of tuples where the first element in the tuple is the id of the data to scan and the second element is a string of data to scan.
Please follow that same option in the next few panes:
We then run a scan on the aggregated data from using the Nightfall SDK. Since all of the examples create the same data_to_scan
list, we can use the same code to scan them all.
To review the results, we will write the findings to an output csv file:
Note
The results of the scan will be outputted to a file named nf_datadog_output-TIMESTAMP.csv.
This example will include the full finding below. As the finding might be a piece of sensitive data, we would recommend using the Redaction feature of the Nightfall API to mask your data. More information can be seen in the 'Using Redaction to Mask Findings' section below.
With the Nightfall API, you are also able to redact and mask your Datadog findings. You can add a Redaction Config, as part of your Detection Rule. For more information on how to use redaction, and its specific options, please refer to the guide here.
The example above is specific to the Nightfall Text Scanning API. To scan files, we can use a similar process as we did the text scanning endpoint. The process is broken down in the sections below, as the file scanning process is more intensive.
To utilize the File Scanning API you need the following:
An active API Key authorized for file scanning passed via the header Authorization: Bearer — see Authentication and Security
A Nightfall Detection Policy associated with a webhook URL
A web server configured to listen for file scanning results (more information below)
Retrieve data from Datadog
Similar to the process at the beginning of this tutorial for the text scanning endpoint, we will now initialize our and retrieve the data we like, from Datadog. This can be either logs/metrics/events. The below example will show logs:
Now we go through write the logs to a .csv file.
Begin the file upload process to the Scan API, with the above written .csv file, as shown here.
Once the files have been uploaded, begin using the scan endpoint mentioned here. Note: As can be seen in the documentation, a webhook server is required for the scan endpoint, to which it will send the scanning results. An example webhook server setup can be seen here.
The scanning endpoint will work asynchronously for the files uploaded, so you can monitor the webhook server to see the API responses and file scan findings as they come in.
This section consists of various documents that assist you in scanning various popular observability platforms using Nightfall APIs.
New Relic is a Software as a Service offering that focuses on performance and availability monitoring.
This tutorial allows you to scan your New Relic logs using the Nightfall API/SDK.
You will need a few things first to use this tutorial:
A New Relic account with an API key and Account ID
A Nightfall API key
An existing Nightfall Detection Rule
A Python 3 environment (version 3.6 or later)
The most recent version of Python Nightfall SDK
To accomplish this, we will install the version required of the Nightfall SDK:
We will be using Python and installing/importing the following libraries:
Note, we are setting the New Relic authentication information as the below environment variables, and referencing the values from there:
NR_API_KEY
NR_ACCOUNT_ID
Next we abstract a nightfall class from the SDK, for our API key.
First we will set up the connection with New Relic, and get the data to be scanned from there.
The code sample below will help to scan:
logs - Scans the 100 most recent logs from New Relic. (Note: This can be modified to meet your needs)
Please follow that same option in the next few panes:
We then run a scan on the aggregated data from New Relic, using the Nightfall SDK:
To review the results, we will write the findings to an output csv file:
Note:
The results of the scan will be outputted to a file named nf_newrelic_output-TIMESTAMP.csv.
This example will include the full finding above. As the finding might be a piece of sensitive data, we would recommend using the Redaction feature of the Nightfall API to mask your data. More information can be seen in the 'Using Redaction to Mask Findings' section below.
Finding the Logs in New Relic
The New Relic API does not provide a great way to get a direct URL to a log message. The simplest way to find the log message with sensitive data is to navigate to the New Relic UI and search your logs with this query messageId:"$YOUR_MESSAGE_ID". You can copy the messageId from the CSV file generated using this script.
With the Nightfall API, you are also able to redact and mask your New Relic findings. You can add a Redaction Config, as part of your Detection Rule. For more information on how to use redaction, and its specific options, please refer to the guide here.
The example above is specific to the Nightfall Text Scanning API. To scan files, we can use a similar process as we did the text scanning endpoint. The process is broken down into the sections below, as the file scanning process is more intensive.
To utilize the File Scanning API you need the following:
An active API Key authorized for file scanning passed via the header Authorization: Bearer — see Authentication and Security
A Nightfall Detection Policy associated with a webhook URL
A web server configured to listen for file scanning results (more information below)
Retrieve data from New Relic
Similar to the process in the beginning of this tutorial for the text scanning endpoint, we will now initialize our and retrieve the data we like, from New Relic. The below example will show the most recent 100 logs:
Now we go through write the logs to a .csv file.
Begin the file upload process to the Scan API, with the above written .csv file, as shown here.
The scanning endpoint will work asynchronously for the files uploaded, so you can monitor the webhook server to see the API responses and file scan findings as they come in.
Next, we define the Detection Rule with which we wish to scan our data. The Detection Rule can be and referenced by UUID.
Once the files have been uploaded, begin using the scan endpoint mentioned . Note: As can be seen in the documentation, a webhook server is required for the scan endpoint, to which it will send the scanning results. An example webhook server setup can be seen here.