Datadog

PowerShell Protect integration with Datadog.

This example uses the HTTP action in PowerShell Protect to send events to the Datadog API.

Configuring Datadog

You'll need to create a Datadog account and API key to use this example. To create an API key, click Integrations \ APIs.

You can then create a new API key.

Once you have a Datadog API key, you can configure PowerShell Protect.

Configuring PowerShell Protect

To configure PowerShell Protect, use the configuration cmdlets. The following configuration sends an event to Datadog whenever an administrator runs Set-MpPreference, the cmdlet used to change Windows Defender settings.

# Placeholder values: paste your PowerShell Protect license XML and a real Datadog API key.
$License = "<License></License>"
$DataDogApiKey = "asdfar3asfsa"

# Conditions: the caller must be an administrator AND the command must be Set-MpPreference.
$AdminCondition = New-PSPCondition -Property admin -eq -Value $true
$Condition = New-PSPCondition -Property "command" -eq -Value "Set-MpPreference"

# Datadog Events API v1 payload; {computerName} and {userName} are filled in by PowerShell Protect.
$Format = @{
    text  = '{computerName},{userName}'
    title = 'Set-MpPreference by admin'
} | ConvertTo-Json

# HTTP action that POSTs the payload to Datadog, authenticating with the DD-API-KEY header.
$Http = New-PSPAction -Http -Format $Format -Address "https://api.datadoghq.com/api/v1/events" -Headers @{ 'DD-API-KEY' = $DataDogApiKey }

# Both conditions must match for the action to fire.
$Rule = New-PSPRule -Action $Http -Condition @($Condition, $AdminCondition) -Name "MpPreference"
$Config = New-PSPConfiguration -Action $Http -Rule $Rule -License $License

# Building the configuration object does not activate it; apply it with Set-PSPConfiguration.
# (Assumed cmdlet and parameters from PowerShell Protect; not shown on the original page.)
Set-PSPConfiguration -Configuration $Config -FileSystem
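The page covers a single rule with a two-field payload. The following added example (not from the PowerShell Protect documentation) extends it: it validates the API key before the configuration is deployed, reads secrets from environment variables instead of embedding them, sends a richer Datadog event (tags and alert type, so a Datadog monitor can trigger on it), and builds one rule per Defender cmdlet. It assumes that `-Rule` on New-PSPConfiguration accepts an array of rules, that `PSP_LICENSE` and `DD_API_KEY` are environment variables you set, and that only the `{computerName}` and `{userName}` placeholders from the page are relied on.

```powershell
# Added example; assumes New-PSPConfiguration -Rule accepts an array of rules.
# Secrets come from the environment so they never land in a script or repository.
$License       = $env:PSP_LICENSE            # placeholder: PowerShell Protect license XML
$DataDogApiKey = $env:DD_API_KEY             # placeholder: Datadog API key
$DataDogSite   = 'https://api.datadoghq.com' # adjust for other Datadog sites (EU, US3, ...)

# 1. Check the key up front: GET /api/v1/validate answers { "valid": true } for a good key.
$check = Invoke-RestMethod -Method Get -Uri "$DataDogSite/api/v1/validate" `
             -Headers @{ 'DD-API-KEY' = $DataDogApiKey }
if (-not $check.valid) { throw 'Datadog rejected the API key; fix DD_API_KEY before deploying.' }

# 2. Event payload. alert_type and tags let a Datadog monitor alert on these events
#    (e.g. an event monitor over "tags:source:powershell-protect").
$Format = @{
    title            = 'Windows Defender setting changed by an administrator'
    text             = 'host={computerName} user={userName}'
    alert_type       = 'warning'
    source_type_name = 'powershell'
    tags             = @('source:powershell-protect', 'category:defender-tampering')
} | ConvertTo-Json

$Http = New-PSPAction -Http -Format $Format -Address "$DataDogSite/api/v1/events" `
            -Headers @{ 'DD-API-KEY' = $DataDogApiKey }

# 3. One rule per Defender preference cmdlet, each gated on the admin condition so
#    routine non-admin use does not generate noise.
$AdminCondition = New-PSPCondition -Property admin -eq -Value $true
$DefenderCmdlets = 'Set-MpPreference', 'Add-MpPreference', 'Remove-MpPreference'

$Rules = foreach ($cmd in $DefenderCmdlets) {
    $CmdCondition = New-PSPCondition -Property command -eq -Value $cmd
    New-PSPRule -Name "Defender-$cmd" -Action $Http -Condition @($CmdCondition, $AdminCondition)
}

# 4. Assemble the configuration; apply it afterwards exactly as for the single-rule version.
$Config = New-PSPConfiguration -Action $Http -Rule $Rules -License $License
```

If the validate call fails the script stops before any configuration is produced, so a bad or expired key is caught on the admin's workstation rather than discovered later as silently missing events.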

Testing it out

Once PowerShell Protect is configured, run Set-MpPreference from an administrator session. Datadog will receive an event that includes the computer name and the user name of the account that executed the command.