
Datadog and Splunk

Kaizen has no separate Datadog or Splunk connector and does not need one. Both ingest JSON over HTTP, so you send verdicts with a normal webhook and your own key. Kaizen stores that key encrypted at rest and attaches it only at delivery; nothing of yours is held centrally.

Every block and behavioral anomaly is delivered as JSON:

{
  "event": "anomaly",
  "data": {
    "agent": "support-bot",
    "reason": "a tool it has never used (export_file)...",
    "action": { "kind": "connect", "tool": "export_file", "target": "45.9.148.108" }
  }
}

Datadog

  1. In Datadog, create an API key (Organization Settings → API Keys).
  2. In the Kaizen console, open Webhooks and add the logs intake URL for your site: https://http-intake.logs.datadoghq.com/api/v2/logs (use your site's host, for example http-intake.logs.datadoghq.eu for EU).
  3. Expand Add an auth header, set the header name to DD-API-KEY and paste your key.
  4. Save.

Each verdict arrives as a log. Filter on @event:verdict.block or @event:anomaly, pivot by @data.agent or @data.action.tool, and build a monitor on the count.

Splunk

  1. In Splunk, enable an HTTP Event Collector (HEC) token (Settings → Data inputs → HTTP Event Collector).
  2. In the Kaizen console, open Webhooks and add the HEC raw endpoint: https://<your-splunk-host>:8088/services/collector/raw (the raw endpoint captures the full JSON payload as the event).
  3. Expand Add an auth header, set the header name to Authorization and the value to Splunk <your-HEC-token>.
  4. Save.

Verdicts land as events. Search event=anomaly or event=verdict.block, and break down by data.agent or data.action.tool.
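
A preflight check for either procedure above, as an added example that is not Kaizen's own code: it builds the same kind of POST with the destination's auth header and sends one constructed verdict, so you can confirm the endpoint and key before saving the webhook. The function names, the WEBHOOK_SECRET variable and the command-line usage are assumptions.

```python
import json
import os
import sys
import urllib.request

# Constructed sample verdict in the shape shown on this page (not real data).
SAMPLE = {"event": "anomaly", "data": {
    "agent": "preflight-test",
    "reason": "constructed preflight event",
    "action": {"kind": "connect", "tool": "export_file", "target": "192.0.2.10"}}}

def auth_header(dest, secret):
    """Header name/value pair exactly as entered under 'Add an auth header'."""
    if dest == "datadog":
        return "DD-API-KEY", secret
    if dest == "splunk":
        return "Authorization", f"Splunk {secret}"
    raise ValueError(f"unknown destination: {dest}")

def build_request(dest, url, secret, payload=SAMPLE):
    """Build the POST a header-authenticated webhook delivery would make."""
    if not url.startswith("https://"):
        raise ValueError("refusing to send a key over a non-HTTPS URL")
    if not secret or "<" in secret:
        raise ValueError("secret is empty or still a placeholder")
    name, value = auth_header(dest, secret)
    req = urllib.request.Request(url, data=json.dumps(payload).encode(), method="POST")
    req.add_header("Content-Type", "application/json")
    req.add_header(name, value)
    return req

def redacted_headers(req):
    """Headers safe to log: the credential is masked except its last 4 chars."""
    out = {}
    for k, v in req.header_items():
        is_secret = k.lower() in ("dd-api-key", "authorization")
        out[k.lower()] = ("****" + v[-4:]) if is_secret else v
    return out

def send(req, timeout=10):
    """POST the request; urllib raises HTTPError on 4xx/5xx, e.g. a rejected key."""
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status

if __name__ == "__main__":
    # Assumed usage: preflight.py datadog|splunk <url>, with the key in WEBHOOK_SECRET.
    req = build_request(sys.argv[1], sys.argv[2], os.environ.get("WEBHOOK_SECRET", ""))
    print(redacted_headers(req), "->", send(req))
```

The key is read from the environment so it stays out of shell history, and the test event can be found afterwards by filtering on the agent name preflight-test.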

Notes

  • Kaizen also signs generic deliveries with X-Kaizen-Signature; Datadog and Splunk ignore it, which is harmless.
  • The same pattern works for any HTTP destination that authenticates with a header. See Webhooks.