Add Huntress.io integration#3019
Conversation
This comment has been minimized.
This comment has been minimized.
Thanks @domalessi ! I've added the suggestions and fixed the rest of the documentation changes. The only suggestion I had to roll back was related to the en dash because the README validation rejects non-ascii characters and wouldn't pass, but it looks like everything else is clearing now. |
Co-authored-by: domalessi <111786334+domalessi@users.noreply.github.com>
- Configuration step 1: "Create" → "Copy the [example configuration file][4]…and edit it", steps collapsed from 3 → 2, "fully-annotated" hyphen removed - Multiple Huntress accounts: Moved before ### Validation, demoted to ####, conditional lead-in sentence added - Config reference table: No\* → Conditional for both conditional fields, column widths realigned, footnote \* replaced with **Note:** paragraph - Rate limits: Renamed from "Rate limit considerations" - Link references: Added [3] for service_checks.json (was broken before) and [4] for the example config file on GitHub
…mmary and KEEP guidance Bug fixes: - Truncate nanosecond-precision @timestamp values to microseconds before parsing; Python's fromisoformat() only handles up to 6 fractional digits, causing silent date_ms=None on all Huntress log events - Match organization_id flat field (actual API response shape) in addition to organization.id when resolving org enrichment tags - Cap 429 retry loop at one retry with error_type:rate_limited counting; the previous implementation retried indefinitely, blocking the check thread Observability: - Emit a self.log.info() summary after each successful run reporting logs collected and pages fetched per query, and agent count/pages when metrics.agents is enabled - Surface the same summary as the service check message so it appears in `datadog-agent status` output - Warn on the first page when log entries contain only uuid and organization_id, indicating a missing KEEP clause in the ES|QL query Docs and config: - Document the Huntress API KEEP requirement in spec.yaml, conf.yaml.example, and README; despite what the Huntress API docs state, queries without an explicit KEEP return only uuid and organization_id, not all fields - Update all example queries in README and conf.yaml.example to include a representative KEEP clause
There was a problem hiding this comment.
Thanks for the changes! A few remaining items — see inline feedback.
Structural note:
### Configuration reference and ### Rate limits currently appear after ### Validation. Both contain guidance users need before validating the setup. I suggest reordering as 4th-level subsections of the Configuration section:
### Configuration
#### Multiple Huntress accounts
#### Rate limits
#### Configuration reference
### Validation
Co-authored-by: domalessi <111786334+domalessi@users.noreply.github.com>
domalessi
left a comment
There was a problem hiding this comment.
Looking good, @kyletaylored ! A few minor fixes left but should be good to go after that (from an editorial perspective, at least).
|
|
||
| [1]: https://github.com/DataDog/integrations-extras/blob/master/huntress/metadata.csv | ||
| [2]: https://docs.datadoghq.com/help/ | ||
| [3]: https://github.com/DataDog/integrations-extras/blob/master/huntress/service_checks.json |
There was a problem hiding this comment.
I think this is the correct path?
| [3]: https://github.com/DataDog/integrations-extras/blob/master/huntress/service_checks.json | |
| [3]: https://github.com/DataDog/integrations-extras/blob/master/huntress/assets/service_checks.json |
| "configuration": "README.md#Setup", | ||
| "support": "README.md#Support", | ||
| "changelog": "CHANGELOG.md", | ||
| "description": "Collect and forward Huntress Managed SIEM logs to Datadog for security monitoring.", |
There was a problem hiding this comment.
| "description": "Collect and forward Huntress Managed SIEM logs to Datadog for security monitoring.", | |
| "description": "Collect and forward Huntress SIEM logs to Datadog for security monitoring.", |
| - Run `sudo datadog-agent check huntress` and inspect the output - the summary line reports how many logs were collected and the exact time range queried | ||
| - Verify the API key pair is valid by checking the Huntress Partner Portal | ||
| - Confirm the Managed SIEM feature is enabled on the account | ||
| - Confirm `min_collection_interval: 900` is set in your instance config - without it, the Agent uses its default 15-second interval, and each run queries only a 15-second window with no new events | ||
| - Check that each `log_queries[].esql_query` begins with `FROM logs` | ||
| - The Huntress SIEM API requires an explicit `KEEP` clause to return log fields. Without one, responses contain only `uuid` and `organization_id`. Add `| KEEP @timestamp, message, host.hostname, event.category, event.code, ...` to your query. The Agent logs will show a warning if this is detected. |
There was a problem hiding this comment.
| - Run `sudo datadog-agent check huntress` and inspect the output - the summary line reports how many logs were collected and the exact time range queried | |
| - Verify the API key pair is valid by checking the Huntress Partner Portal | |
| - Confirm the Managed SIEM feature is enabled on the account | |
| - Confirm `min_collection_interval: 900` is set in your instance config - without it, the Agent uses its default 15-second interval, and each run queries only a 15-second window with no new events | |
| - Check that each `log_queries[].esql_query` begins with `FROM logs` | |
| - The Huntress SIEM API requires an explicit `KEEP` clause to return log fields. Without one, responses contain only `uuid` and `organization_id`. Add `| KEEP @timestamp, message, host.hostname, event.category, event.code, ...` to your query. The Agent logs will show a warning if this is detected. | |
| - Run `sudo datadog-agent check huntress` and inspect the output. The summary line reports how many logs were collected and the exact time range queried. | |
| - Verify the API key pair is valid by checking the Huntress Partner Portal. | |
| - Confirm the Managed SIEM feature is enabled on the account. | |
| - Confirm `min_collection_interval: 900` is set in your instance config. Otherwise, the Agent uses its default 15-second interval, and each run queries only a 15-second window with no new events. | |
| - Check that each `log_queries[].esql_query` begins with `FROM logs`. | |
| - The Huntress SIEM API requires an explicit `KEEP` clause to return log fields. Without one, responses contain only `uuid` and `organization_id`. Add `| KEEP @timestamp, message, host.hostname, event.category, event.code, ...` to your query. The Agent logs show a warning if this is detected. |
|
|
||
| ## Overview | ||
|
|
||
| [Huntress][5] is a managed security platform providing endpoint detection and response (EDR), antivirus, security awareness training, and a Managed SIEM product that continuously collects and analyzes endpoint telemetry. |
There was a problem hiding this comment.
| [Huntress][5] is a managed security platform providing endpoint detection and response (EDR), antivirus, security awareness training, and a Managed SIEM product that continuously collects and analyzes endpoint telemetry. | |
| [Huntress][5] is a managed security platform that provides endpoint detection and response (EDR), antivirus, security awareness training, and a Managed SIEM product that continuously collects and analyzes endpoint telemetry. |
|
|
||
| #### Multiple Huntress accounts | ||
|
|
||
| If you manage multiple Huntress accounts, add an additional block under `instances:` for each one. Each block runs independently with its own checkpoint, org metadata cache, and metrics: |
There was a problem hiding this comment.
| If you manage multiple Huntress accounts, add an additional block under `instances:` for each one. Each block runs independently with its own checkpoint, org metadata cache, and metrics: | |
| If you manage multiple Huntress accounts, add an additional block under `instances:` for each account. Each block runs independently with its own checkpoint, org metadata cache, and metrics: |
|
|
||
| #### Rate limits | ||
|
|
||
| The Huntress API allows 60 requests per minute per API key pair. A typical run with 3 SIEM queries and agent metrics uses roughly 5 to 25 requests, well within this budget. For large accounts with high log volume or thousands of agents, consider splitting concerns across two instances using separate API key pairs: |
There was a problem hiding this comment.
| The Huntress API allows 60 requests per minute per API key pair. A typical run with 3 SIEM queries and agent metrics uses roughly 5 to 25 requests, well within this budget. For large accounts with high log volume or thousands of agents, consider splitting concerns across two instances using separate API key pairs: | |
| The Huntress API allows 60 requests per minute per API key pair. A typical run with 3 SIEM queries and agent metrics uses roughly 5 to 25 requests, well within the limit. For large accounts with high log volume or thousands of agents, consider distributing the load across two instances using separate API key pairs: |
| | -------------------------- | ----------- | ------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | ||
| | `huntress_api_key` | Yes | - | Huntress public API key | | ||
| | `huntress_secret_key` | Yes | - | Huntress secret API key | | ||
| | `log_queries` | Conditional | - | List of query objects; each has `name` (required), `esql_query` (required, must begin with `FROM logs`), and `tags` (optional). `name` is used as the `query_name` tag on metrics. **Always include a `KEEP` clause.** Despite what the Huntress API docs state, queries without `KEEP` return only `uuid` and `organization_id`, not all fields. | |
There was a problem hiding this comment.
| | `log_queries` | Conditional | - | List of query objects; each has `name` (required), `esql_query` (required, must begin with `FROM logs`), and `tags` (optional). `name` is used as the `query_name` tag on metrics. **Always include a `KEEP` clause.** Despite what the Huntress API docs state, queries without `KEEP` return only `uuid` and `organization_id`, not all fields. | | |
| | `log_queries` | Conditional | - | List of query objects; each has `name` (required), `esql_query` (required, must begin with `FROM logs`), and `tags` (optional). `name` is used as the `query_name` tag on metrics. Always include a `KEEP` clause. Queries without `KEEP` return only `uuid` and `organization_id`. | |
|
|
||
| **`LogsSent: 0` in `datadog-agent status` even though logs are being collected** | ||
|
|
||
| This is expected. The integration sends logs directly to the Datadog Logs Intake API rather than through the Agent's internal log pipeline, so the Logs Agent counters (`LogsProcessed`, `LogsSent`) will always read 0. Use the Agent check output or Datadog Log Explorer filtered by `source:huntress` to confirm logs are arriving. |
There was a problem hiding this comment.
| This is expected. The integration sends logs directly to the Datadog Logs Intake API rather than through the Agent's internal log pipeline, so the Logs Agent counters (`LogsProcessed`, `LogsSent`) will always read 0. Use the Agent check output or Datadog Log Explorer filtered by `source:huntress` to confirm logs are arriving. | |
| This is expected. The integration sends logs directly to the Datadog Logs Intake API rather than through the Agent's internal log pipeline, so the Logs Agent counters (`LogsProcessed`, `LogsSent`) always read 0. Use the Agent check output or Datadog Log Explorer filtered by `source:huntress` to confirm logs are arriving. |
| | `error_type` | Cause | Resolution | | ||
| | ------------------ | ---------------------------------- | ------------------------------------------------------------- | | ||
| | `auth_failure` | Invalid or rotated API credentials | Update `huntress_api_key` or `huntress_secret_key` | | ||
| | `timeout` | ES\|QL query too broad | Add a `KEEP` or `WHERE` clause to the query | |
There was a problem hiding this comment.
Doesn't seem to be rendering properly in the preview. Let's try this.
| | `timeout` | ES\|QL query too broad | Add a `KEEP` or `WHERE` clause to the query | | |
| | `timeout` | ES|QL query too broad | Add a `KEEP` or `WHERE` clause to the query | |
| | ------------------ | ---------------------------------- | ------------------------------------------------------------- | | ||
| | `auth_failure` | Invalid or rotated API credentials | Update `huntress_api_key` or `huntress_secret_key` | | ||
| | `timeout` | ES\|QL query too broad | Add a `KEEP` or `WHERE` clause to the query | | ||
| | `invalid_query` | Malformed ES\|QL | Fix the `esql_query` value in the failing `log_queries` entry | |
There was a problem hiding this comment.
| | `invalid_query` | Malformed ES\|QL | Fix the `esql_query` value in the failing `log_queries` entry | | |
| | `invalid_query` | Malformed ES|QL | Fix the `esql_query` value in the failing `log_queries` entry | |
What does this PR do?
Adds a new community integration for Huntress, a managed security platform offering EDR and Managed SIEM. The integration polls the Huntress SIEM API using ES|QL queries and forwards security events to Datadog as logs.
Each collection run:
max_pages_per_run)The integration also tracks Huntress API rate limit consumption via response headers (
x-huntress-api-call-limit,x-huntress-api-call-remaining) and emits them as gauges so teams can monitor headroom and alert before hitting the 60 req/min cap.Assets included:
metadata.csvwith 6 metricsassets/service_checks.jsonandassets/configuration/spec.yamlMotivation
MSP partners and enterprise security teams using Huntress Managed SIEM want to correlate endpoint threat detections alongside infrastructure, application, and cloud telemetry already in Datadog. This integration enables that without requiring any custom scripting or log shipper configuration on the customer side.
Review checklist
ddev test huntress/ddev test huntress -- -m integration)README.mdddsource: huntress, which will trigger automatic pipeline processing once a Huntress log pipeline is configured in the Datadog backend. No custom pipeline is bundled with this PR; ECS field names are preserved as-is on the log payload.Additional Notes
instances:runs fully independently with its own checkpoint, org cache, and metrics — MSPs can configure one instance per Huntress account.esql_querythat does not begin withFROM logsat startup to catchmisconfiguration early.
org_cache_ttl_seconds: 0forces a refresh on every run, which the integration test uses to validate the full fetch path against the mock.source_type_id: 10350inmanifest.jsonis a placeholder — please assign a real ID before merging.huntress_mockoon.json) contained a missing comma in thev1/accountroute template, which was fixed to a static response for the test harness. The fix is scoped to our copy of the file.