Overview
The Datadog integration runs in two directions. A Datadog detection can assign a RansomLeak exercise to the people involved, so the response includes coaching. And training and human-risk events stream into Datadog, so awareness data sits alongside the signals you already watch.
The two halves are independent. Run either on its own, or both together:
- A detection assigns a lesson, via a Workflow action
- Training events stream in as logs and metrics
- Failures and overdue training as high-signal events
- Coaching assigned within about a minute
Turn a detection into coaching
When a detection fires on risky user activity, a Datadog Workflow action calls RansomLeak and assigns the matching exercise to the person involved. It uses the assignment API, so it fits the detection rules and playbooks you already maintain. No agent on your side does the work; the coaching is a downstream step in the workflow.
-
In RansomLeak, go to Admin → Integrations and generate an API token for the assignment API.
-
In Datadog, add a Workflow Automation with an HTTP Send POST request action that calls RansomLeak's assignment endpoint, with the token as a Bearer header.
-
Map the request body to the signal: the exercise to assign and the affected user's email. RansomLeak resolves the person and assigns the module within about a minute.
The same assignment endpoint powers our service-desk and SOAR integrations, so a Datadog detection, a Jira ticket, or a SOAR playbook can all end the same way: a short lesson for the person involved, and a completion you can act on.
Stream training events to Datadog
Connect Datadog once with an API key, and RansomLeak emits training and human-risk events to your Datadog account. They arrive as logs, metrics, and events, tagged so you can slice them by team or category.
-
In Datadog, create an API key and note your region (US1, US3, US5, EU, AP1, or Gov).
-
In RansomLeak, go to Admin → Integrations → Datadog, choose your region, paste the API key, and select Save and connect.
| Event | Signal |
|---|---|
| Training completed | Log and metric, for completion-rate dashboards. |
| Training failed | High-signal event, so you can alert on a spike. |
| Training overdue | High-signal event, for the people who never started. |
How it fits together
The two directions close a loop. A detection in Datadog can trigger coaching, and the result of that coaching streams back into Datadog as data you can watch and alert on.
- Detection fires on a named user
- A lesson is assigned to that user
- Completion streams back to Datadog
Training and human-risk events also reach any SIEM through the same export and webhooks, so the awareness data is not locked to Datadog. See the integrations overview for the full set of destinations.
Permissions and data handling
The event stream authenticates with the Datadog API key you provide, and the detection-to-coaching loop uses a RansomLeak API token your Workflow holds. Both are stored encrypted.
- API keys and tokens encrypted at rest
- Events carry identity and outcome, not training content
- Disconnect forgets the key on our side
Your Datadog API key stays yours: disconnecting removes it from RansomLeak, and you control it in Datadog. For how RansomLeak handles data, see the privacy policy and the security and compliance page.
Frequently asked questions
Does RansomLeak integrate with Datadog?
Yes, both ways. A Datadog detection can assign a RansomLeak exercise to the people involved through a Workflow action, and training and human-risk events stream into Datadog so they sit in the dashboards and monitors your SOC already watches.
How does a Datadog detection assign training?
You add a Datadog Workflow Automation with an HTTP "Send POST request" action that calls RansomLeak's assignment API with an API token. The action passes the exercise and the user, by email, from the signal, and RansomLeak assigns the matching module within about a minute. You build it on the detection rules and playbooks you already run.
What training data streams into Datadog?
Completed, failed, and overdue training events flow in as logs, metrics, and events, tagged by tenant and category. You can chart them, alert on a spike in failures, or correlate them with the other signals already in Datadog.
What do I need to set this up?
For the event stream, a Datadog API key and your Datadog region, pasted into RansomLeak. For the detection-to-coaching loop, a RansomLeak API token that your Datadog Workflow action uses to call the assignment API. The two are independent, so you can run either or both.
Does completion write back to Datadog?
Training and human-risk events stream into Datadog continuously, so a completion shows up there on its own. If your Workflow passes a callback, RansomLeak also posts the result back when the exercise finishes, so the playbook can act on it.
Is the detection-to-coaching loop a one-click feature?
No, and that is deliberate. The outbound event stream is a one-click connection with an API key. The detection-to-coaching loop is a Datadog Workflow you configure against RansomLeak's assignment API, the same open endpoint our service-desk and SOAR integrations use, so it fits the playbooks you already maintain.
Need a hand?
Email support@ransomleak.com and we will help you connect Datadog to your tenant.