This example uses the HTTP action in PowerShell Protect to send events to the Datadog API.
You'll need a Datadog account and an API key to use this example. To create an API key, click Integrations \ APIs in the Datadog web UI and create a new key there.
Once you have a Datadog API key, you can configure PowerShell Protect.
To configure PowerShell Protect, you can use the configuration cmdlets. The following configuration sends an event to Datadog whenever an administrator user executes the command Set-MpPreference, which manages Windows Defender settings.
```powershell
# PowerShell Protect license and the Datadog API key created above.
# Both values below are placeholders; substitute your own.
$License = "<License></License>"
$DataDogApiKey = "asdfar3asfsa"

# Two conditions that must both hold for the rule to fire:
# the executing user is an administrator, and the command is Set-MpPreference.
$AdminCondition = New-PSPCondition -Property admin -eq -Value $true
$Condition = New-PSPCondition -Property "command" -eq -Value "Set-MpPreference"

# Body of the event as Datadog's v1 events API expects it (title + text).
# {computerName} and {userName} are filled in by PowerShell Protect at run time.
$Format = @{
    text  = '{computerName},{userName}'
    title = 'Set-MpPreference by admin'
} | ConvertTo-Json

# HTTP action: POST the formatted event to Datadog, authenticating with the API key header.
$Http = New-PSPAction -Http -Format $Format -Address "https://api.datadoghq.com/api/v1/events" -headers @{ 'DD-API-KEY' = $DataDogApiKey }

# Rule tying the conditions to the action, and the configuration object that contains it.
$Rule = New-PSPRule -Action $Http -Condition @($Condition, $AdminCondition) -Name "MpPreference"
$Config = New-PSPConfiguration -Action $Http -Rule $Rule -License $License
```
Once you have PowerShell Protect configured, you can try to run Set-MpPreference. Datadog will receive events that include the computer and user name that executed the command.
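Before relying on the rule, it is worth confirming that the API key, endpoint and JSON shape are accepted by Datadog. The script below is an added example, not part of the original page or of PowerShell Protect: it renders the same title/text payload the HTTP action above sends (assuming the placeholders are replaced by simple string substitution) and posts it with Invoke-RestMethod. Send-TestDatadogEvent is an assumed function name and the API key value is a placeholder.

```powershell
# Placeholder; replace with the key created under Integrations \ APIs.
$DataDogApiKey = '<your-datadog-api-key>'

function Send-TestDatadogEvent {
    param(
        [Parameter(Mandatory)] [string] $ApiKey,
        [string] $ComputerName = $env:COMPUTERNAME,
        [string] $UserName     = $env:USERNAME
    )

    # Same template as the $Format hashtable in the PowerShell Protect configuration.
    # Placeholder expansion here is an assumption about how the action fills them in.
    $template = @{
        text  = '{computerName},{userName}'
        title = 'Set-MpPreference by admin'
    }
    $body = @{
        text  = $template.text.Replace('{computerName}', $ComputerName).Replace('{userName}', $UserName)
        title = $template.title
        # Optional tags so the test event is easy to find in the Datadog event stream.
        tags  = @('source:powershell-protect', 'rule:MpPreference', 'test:true')
    } | ConvertTo-Json

    # A bad key yields HTTP 401 and a malformed body HTTP 4xx; both surface as
    # terminating errors from Invoke-RestMethod, so a successful return means
    # the key and endpoint are usable from this host.
    $response = Invoke-RestMethod -Method Post `
        -Uri 'https://api.datadoghq.com/api/v1/events' `
        -Headers @{ 'DD-API-KEY' = $ApiKey; 'Content-Type' = 'application/json' } `
        -Body $body

    # Datadog's v1 events API answers with status "ok" and the stored event.
    if ($response.status -ne 'ok') {
        throw "Datadog rejected the event: $($response | ConvertTo-Json -Compress)"
    }
    return $response.event
}

# Posts one test event; the returned object carries Datadog's event id and URL.
Send-TestDatadogEvent -ApiKey $DataDogApiKey
```

The test event is tagged so it can be filtered out of, or deleted from, the real Set-MpPreference alerts later.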