Creating a Jamf Protect Action Configuration for Datadog

Jamf Protect Documentation


In the macOS Security portal, use your intake URL from Datadog as the data endpoint for each macOS Security data type you want to collect.

Requirements

You need the following information from your Datadog instance:

  • Your Datadog intake URL

  • Your Datadog API key and application key

    For more information, see API and Application Keys from the Datadog Docs.

  1. In Jamf Protect, click Actions.
  2. Click Edit on an existing action configuration or click Create Action to create a new one.
  3. For each macOS Security data type, add a new data endpoint:
    1. In Data Endpoints, click + Add.
    2. Select HTTP.
    3. In the URL field, enter one of the following using your Datadog intake URL:
      Each URL corresponds to a macOS Security data type.
      Alerts
      https://${DATADOG_INTAKE_URL}/api/v2/logs?ddsource=jamfprotect&service=alerts
      Unified Logs
      https://${DATADOG_INTAKE_URL}/api/v2/logs?ddsource=jamfprotect&service=unifiedlogs
      Telemetry
      https://${DATADOG_INTAKE_URL}/api/v2/logs?ddsource=jamfprotect&service=telemetry
    4. Click + Add HTTP Header twice and enter the following HTTP headers:
      Name: DD-API-KEY
      Value: <YOUR_DATADOG_API_KEY>
      Name: DD-APPLICATION-KEY
      Value: <YOUR_DATADOG_APPLICATION_KEY>
    5. From Alerts, select the level of alerts you want to collect.
    6. From Logs, select the data types you want to collect.
  4. (Optional) Repeat the previous step to add additional data endpoints for each macOS Security data type you want to collect.
  5. Click Save.

The action configuration is updated and available to add to Jamf Protect plans in the macOS Security portal.
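
A preflight check for the values entered in steps 3 and 4, added here as an example and not part of Jamf's or Datadog's documentation: it builds the three endpoint URLs, rejects an intake host pasted with a scheme or path, rejects header values that contain whitespace or placeholder brackets, and sends one constructed test event to each endpoint. The environment variable names DD_API_KEY and DD_APP_KEY and the JSON test event body are assumptions.

```python
import json
import os
import re
import urllib.request

SERVICES = ("alerts", "unifiedlogs", "telemetry")  # service values from the URLs in step 3
HOST_RE = re.compile(r"[A-Za-z0-9.-]+")            # bare hostname: no scheme, path or spaces


def endpoint_url(intake_host, service):
    """Build the data endpoint URL for one macOS Security data type."""
    if not HOST_RE.fullmatch(intake_host):
        raise ValueError("intake host must be a bare hostname without https:// or a path")
    if service not in SERVICES:
        raise ValueError(f"unknown service: {service}")
    return f"https://{intake_host}/api/v2/logs?ddsource=jamfprotect&service={service}"


def auth_headers(api_key, app_key):
    """Return the two HTTP headers, rejecting values damaged by copy and paste."""
    for name, value in (("DD-API-KEY", api_key), ("DD-APPLICATION-KEY", app_key)):
        if not value or re.search(r"[\s<>]", value):
            raise ValueError(f"{name} is empty, has whitespace, or is still a placeholder")
    return {"DD-API-KEY": api_key, "DD-APPLICATION-KEY": app_key}


def build_request(intake_host, service, api_key, app_key):
    """Prepare a POST carrying one constructed test event for the given service."""
    event = [{"message": f"jamfprotect {service} endpoint preflight (constructed test event)"}]
    headers = {"Content-Type": "application/json", **auth_headers(api_key, app_key)}
    return urllib.request.Request(endpoint_url(intake_host, service),
                                  data=json.dumps(event).encode(),
                                  headers=headers, method="POST")


if __name__ == "__main__":
    # Assumed variable names; keys are read from the environment and never printed.
    host = os.environ["DATADOG_INTAKE_URL"]
    for svc in SERVICES:
        req = build_request(host, svc, os.environ["DD_API_KEY"], os.environ["DD_APP_KEY"])
        with urllib.request.urlopen(req, timeout=10) as resp:  # raises HTTPError on 4xx/5xx
            print(svc, "HTTP", resp.status)
```

A 2xx status for all three services means the host and keys can be pasted into the action configuration as they are; an HTTPError or ValueError points at the value to correct first.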