Datadog Integration: Agent Security Observability
Unified observability for agent security and infrastructure
Forward Rune security events to Datadog to correlate agent threats with your infrastructure metrics. Create dashboards that show agent security posture alongside CPU, memory, and latency. Set up Datadog monitors that trigger when threat volumes spike or risk scores exceed thresholds.
Add Security in Minutes
// In Rune dashboard → Settings → Notifications
// Add a webhook channel pointing to Datadog's HTTP intake:
{
  "name": "Datadog Events",
  "type": "webhook",
  "url": "https://http-intake.logs.datadoghq.com/api/v2/logs",
  "headers": {
    "DD-API-KEY": "YOUR_DATADOG_API_KEY",
    "Content-Type": "application/json"
  },
  "body_template": {
    "ddsource": "rune",
    "ddtags": "env:production,service:agent-security",
    "hostname": "rune-adr",
    "message": "{{threat_type}} on {{agent_id}}: {{description}}",
    "service": "rune",
    "status": "{{severity}}"
  }
}
Full setup guide in the documentation
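The body_template above interpolates event fields such as {{description}}, which can carry text taken from a blocked prompt. The following is an added example, not Rune's code and not part of the original page: a sketch of rendering that template so that quotes in an event field stay inside the message instead of changing the log's tags or status. The sample event, the severity values low/medium/high/critical, and the STATUS_MAP are assumptions; how Rune itself renders the template is not stated here.

```python
import json
import re

# The body_template from the webhook channel above, as a Python dict.
BODY_TEMPLATE = {
    "ddsource": "rune",
    "ddtags": "env:production,service:agent-security",
    "hostname": "rune-adr",
    "message": "{{threat_type}} on {{agent_id}}: {{description}}",
    "service": "rune",
    "status": "{{severity}}",
}

# Assumption: Rune severities are low/medium/high/critical.
# The mapped values are Datadog log status names.
STATUS_MAP = {"low": "info", "medium": "warning",
              "high": "error", "critical": "critical"}

PLACEHOLDER = re.compile(r"\{\{(\w+)\}\}")


def render(template: dict, event: dict) -> str:
    """Fill {{placeholders}} field by field, then serialize once.

    Substituting into the parsed structure (not into JSON text) means a
    quote or newline in an event field cannot close the string and add keys.
    """
    def fill(value: str) -> str:
        # Missing fields render as "unknown" instead of raising.
        return PLACEHOLDER.sub(
            lambda m: str(event.get(m.group(1), "unknown")), value)

    body = {key: fill(value) for key, value in template.items()}
    # Unrecognized severities fall back to "info" so the log is still indexed.
    body["status"] = STATUS_MAP.get(body["status"].lower(), "info")
    return json.dumps(body)


# Constructed sample event: the description is attacker-influenced text.
SAMPLE_EVENT = {
    "threat_type": "prompt_injection",
    "agent_id": "support-bot-1",
    "severity": "high",
    "description": 'blocked input: ignore rules", "ddtags": "env:dev',
}

if __name__ == "__main__":
    print(render(BODY_TEMPLATE, SAMPLE_EVENT))
```

In the rendered payload the quote characters in the description are escaped as data, and ddtags keeps its configured value.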
Why Datadog Agents Need Runtime Security
Agent security doesn't exist in isolation. A spike in blocked injection attempts might correlate with a traffic surge, a new deployment, or an infrastructure change. Datadog integration lets you see the full picture — security events in context with everything else happening in your stack.
Top Threats to Datadog Agents
Without security events in Datadog, your observability stack has a blind spot. You see latency spikes but not the prompt injection that caused them.
Agent security incidents and infrastructure issues often have the same root cause. Without correlation, teams investigate separately and miss the connection.
Tracking threat volume over time reveals attack patterns — daily cycles, post-deployment spikes, or gradual escalation. Without metrics, you're flying blind.
What Rune Does for Datadog
Log Forwarding
Security events are forwarded as structured logs to Datadog. Use Log Management to search, filter, and analyze agent security events alongside your application logs.
Custom Dashboards
Build Datadog dashboards showing blocked threats per agent, risk score distributions, scan latency percentiles, and threat category breakdowns.
Monitor Alerts
Set up Datadog monitors that alert when: threat volume exceeds a threshold, a new threat type appears, or scan latency degrades.
APM Correlation
Correlate Rune security events with Datadog APM traces to see exactly which user request triggered a security incident.
Common Datadog Use Cases
- Unified security and infrastructure observability
- Custom dashboards for security posture reporting
- Anomaly detection on threat volume trends
- Compliance reporting with long-term log retention
Secure your Datadog agents today
Add runtime security to your Datadog agents in under 5 minutes. Free tier includes 10,000 events per month.