Integrate Recorded Future threat intelligence with Datadog Cloud SIEM

Datadog Blog

Recorded Future's integration with Datadog Cloud SIEM addresses a common pain point in security operations: the gap between raw log data and actionable threat context. Most SIEM deployments generate thousands of alerts daily, but without external threat intelligence, analysts spend hours manually investigating indicators that a threat feed would already have identified as known-malicious or as benign noise. This integration closes that gap by feeding Recorded Future's threat data directly into Datadog's enrichment and detection pipeline.

The integration works through two primary mechanisms. First, it enriches your existing log data by matching observables such as IP addresses, domains, and file hashes, taken from the fields of each log event, against Recorded Future's threat intelligence database. When a match occurs, Datadog automatically appends risk scores and threat context directly to the log event. This means an authentication failure from a random IP becomes an authentication failure from an IP with a risk score of 89 that has been associated with credential stuffing campaigns observed in the last 48 hours. The difference in triage time is substantial.

Second, the Content Pack includes pre-built detection rules that use this enriched data. Rather than writing custom rules that flag every unfamiliar IP, you can rely on rules that fire only when Recorded Future scores an indicator above a chosen risk threshold, which cuts noise significantly. In practice, you might set a rule to generate high-severity alerts only for IPs with risk scores above 75 that also show multiple failed authentication attempts within a five-minute window.
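The two mechanisms above, enrichment followed by a threshold-and-frequency rule, as an added example in Python that is not code from the Datadog or Recorded Future integration. The threat-intel table, the event field names, the per-type thresholds, and the sample log events are all constructed for illustration; the rule implements the "score above 75 plus several failed logins in five minutes" logic the text describes, and generalizes it slightly by keeping a threshold per indicator type.

```python
# Added example, not code from the Datadog or Recorded Future integration:
# a minimal enrichment step plus a threshold-and-frequency detection rule,
# run over constructed log events. THREAT_INTEL stands in for the lookup the
# Content Pack performs against Recorded Future; scores and context strings
# are invented for illustration.
from collections import defaultdict, deque

# Constructed threat-intel table: (indicator type, value) -> risk data.
THREAT_INTEL = {
    ("ip", "198.51.100.23"): {"risk_score": 89, "context": "credential stuffing, seen in last 48h"},
    ("ip", "203.0.113.9"): {"risk_score": 40, "context": "low-confidence scanner"},
    ("domain", "evil-update.example"): {"risk_score": 72, "context": "malware C2"},
}

# Which event fields carry which observable type (hypothetical field names).
OBSERVABLE_FIELDS = {"source_ip": "ip", "domain": "domain", "file_hash": "hash"}

# Per-indicator-type risk thresholds (hypothetical values; tune per environment).
RISK_THRESHOLDS = {"ip": 75, "domain": 65, "hash": 65}


def enrich(event, intel=THREAT_INTEL):
    """Return a copy of `event` with a `threat_matches` list appended, one entry
    per observable in the event that matches the intel table."""
    enriched = dict(event)
    matches = []
    for field_name, ind_type in OBSERVABLE_FIELDS.items():
        value = event.get(field_name)
        hit = intel.get((ind_type, value)) if value is not None else None
        if hit:
            matches.append({"field": field_name, "type": ind_type, "value": value, **hit})
    enriched["threat_matches"] = matches
    return enriched


class RiskyAuthFailureRule:
    """Fire a high-severity alert when an IP scored above the `ip` threshold
    produces at least `min_failures` authentication failures within `window`
    seconds. Events are assumed to arrive in non-decreasing timestamp order."""

    def __init__(self, min_failures=3, window=300, thresholds=RISK_THRESHOLDS):
        self.min_failures = min_failures
        self.window = window
        self.thresholds = thresholds
        self._failures = defaultdict(deque)  # source_ip -> recent failure timestamps

    def evaluate(self, event):
        """Return an alert dict for this event, or None."""
        if event.get("action") != "auth_failure":
            return None
        ip, ts = event.get("source_ip"), event["ts"]
        window_hits = self._failures[ip]
        window_hits.append(ts)
        while window_hits and ts - window_hits[0] > self.window:
            window_hits.popleft()  # drop failures older than the window
        ip_matches = [m for m in event.get("threat_matches", []) if m["type"] == "ip"]
        if not ip_matches:
            return None  # unknown IP: leave it at the default low priority
        score = max(m["risk_score"] for m in ip_matches)
        if score > self.thresholds["ip"] and len(window_hits) >= self.min_failures:
            return {
                "severity": "high",
                "source_ip": ip,
                "risk_score": score,
                "failures_in_window": len(window_hits),
                "context": ip_matches[0]["context"],
            }
        return None


# Constructed sample events (timestamps in seconds, sorted).
SAMPLE_EVENTS = [
    {"ts": 0, "action": "auth_failure", "user": "alice", "source_ip": "198.51.100.23"},
    {"ts": 30, "action": "auth_failure", "user": "bob", "source_ip": "203.0.113.9"},
    {"ts": 60, "action": "auth_failure", "user": "alice", "source_ip": "198.51.100.23"},
    {"ts": 90, "action": "auth_failure", "user": "bob", "source_ip": "203.0.113.9"},
    {"ts": 100, "action": "auth_failure", "user": "carol", "source_ip": "192.0.2.77"},
    {"ts": 120, "action": "auth_failure", "user": "bob", "source_ip": "203.0.113.9"},
    {"ts": 130, "action": "auth_failure", "user": "carol", "source_ip": "192.0.2.77"},
    {"ts": 150, "action": "auth_failure", "user": "alice", "source_ip": "198.51.100.23"},
    {"ts": 160, "action": "auth_failure", "user": "carol", "source_ip": "192.0.2.77"},
    {"ts": 170, "action": "dns_query", "host": "ws-12", "domain": "evil-update.example"},
    {"ts": 200, "action": "auth_success", "user": "alice", "source_ip": "198.51.100.23"},
]


def run_pipeline(events=SAMPLE_EVENTS):
    """Enrich each event, then evaluate the rule; return (enriched_events, alerts)."""
    rule = RiskyAuthFailureRule()
    enriched, alerts = [], []
    for raw in events:
        ev = enrich(raw)
        enriched.append(ev)
        alert = rule.evaluate(ev)
        if alert:
            alerts.append(alert)
    return enriched, alerts


if __name__ == "__main__":
    _, fired = run_pipeline()
    for alert in fired:
        print(alert)
```

Of the three IPs that each fail three logins inside the window, only 198.51.100.23 (score 89) produces an alert: 203.0.113.9 is known but scored 40, below the threshold, and 192.0.2.77 is absent from the feed. The DNS event is enriched with the domain's score but does not trip this rule, which is the point of keeping rules and enrichment separate.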

The real value becomes apparent when you consider alert prioritization. Without threat intelligence, a SIEM treats all anomalies equally. An unusual login from an unknown IP generates the same alert priority whether that IP is a coffee shop in Berlin or a known command-and-control server. With Recorded Future data flowing in, Datadog can automatically elevate alerts involving confirmed malicious infrastructure while deprioritizing events from benign sources.

There are tradeoffs to consider. Enrichment adds latency to log processing, typically 50-200 ms per lookup depending on your volume and on the API rate limits you run into. For high-throughput environments processing millions of logs per minute, be selective about which log types get enriched: enriching every DNS query is probably overkill, while enriching firewall denies and authentication events makes more sense.

API costs matter too. Recorded Future charges based on API calls, and a naive implementation that looks up every observable on every event can run up bills quickly. Implement local caching for frequently seen indicators and set reasonable TTLs. A 24-hour cache for IP reputation data strikes a good balance between freshness and cost for most use cases. Cache negative results too, since most observables in a log stream are unknown to any feed and those repeated misses are otherwise billed every time; and consider a shorter TTL for high-risk hits so that a changed score is picked up sooner.
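The caching strategy just described, as an added example in Python that is not code from the Datadog or Recorded Future integration. The `fetch` callable stands in for the billable API call, and the feed contents, the fake clock, and the replayed lookup stream are constructed so the example runs offline with deterministic call counts; the three TTL values are illustrative, not recommendations from the page.

```python
# Added example, not code from the Datadog or Recorded Future integration:
# a TTL cache in front of a threat-intel lookup. `fetch` is a stand-in for the
# remote API call; FakeClock and FEED are constructed so the example runs
# offline and the remote-call counts are deterministic.
import time
from typing import Callable, Optional


class IndicatorCache:
    """Cache indicator lookups with three TTLs: a long default, a shorter one
    for high-risk hits (so score changes surface sooner), and a negative TTL
    for indicators the feed knows nothing about, which in practice are the
    majority of observables in a log stream."""

    def __init__(self, fetch: Callable[[str, str], Optional[dict]],
                 default_ttl=24 * 3600, high_risk_ttl=3600, negative_ttl=6 * 3600,
                 high_risk_floor=75, clock=time.monotonic):
        self.fetch = fetch
        self.default_ttl = default_ttl
        self.high_risk_ttl = high_risk_ttl
        self.negative_ttl = negative_ttl
        self.high_risk_floor = high_risk_floor
        self.clock = clock
        self._store = {}          # (type, value) -> (result or None, expires_at)
        self.remote_calls = 0
        self.hits = 0

    def lookup(self, ind_type: str, value: str) -> Optional[dict]:
        key = (ind_type, value)
        now = self.clock()
        cached = self._store.get(key)
        if cached is not None and cached[1] > now:
            self.hits += 1
            return cached[0]
        self.remote_calls += 1
        result = self.fetch(ind_type, value)   # the billable call
        if result is None:
            ttl = self.negative_ttl            # unknown indicator: cache the miss
        elif result["risk_score"] >= self.high_risk_floor:
            ttl = self.high_risk_ttl           # high risk: refresh sooner
        else:
            ttl = self.default_ttl
        self._store[key] = (result, now + ttl)
        return result


class FakeClock:
    """Deterministic stand-in for time.monotonic (constructed for the example)."""
    def __init__(self):
        self.t = 0.0

    def now(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


# Constructed feed contents; 192.0.2.77 is deliberately absent (negative result).
FEED = {
    ("ip", "198.51.100.23"): {"risk_score": 89, "context": "credential stuffing"},
    ("ip", "203.0.113.9"): {"risk_score": 40, "context": "low-confidence scanner"},
}


def simulate():
    """Replay the same 300 lookups three times across a simulated nine hours and
    return the cumulative remote-call count after each pass."""
    clock = FakeClock()
    cache = IndicatorCache(lambda t, v: FEED.get((t, v)), clock=clock.now)
    stream = ["198.51.100.23", "203.0.113.9", "192.0.2.77"] * 100

    def replay():
        for ip in stream:
            cache.lookup("ip", ip)
        return cache.remote_calls

    after_first = replay()        # 3 cold misses, the other 297 lookups hit
    clock.advance(2 * 3600)
    after_two_hours = replay()    # only the high-risk entry (1 h TTL) is refetched
    clock.advance(7 * 3600)
    after_nine_hours = replay()   # high-risk and negative (6 h) entries refetched; 24 h entry still valid
    return {"after_first_pass": after_first, "after_two_hours": after_two_hours,
            "after_nine_hours": after_nine_hours, "hits": cache.hits}


if __name__ == "__main__":
    print(simulate())
```

Nine hundred lookups cost six remote calls: three to warm the cache, then one refresh of the high-risk IP after two hours, and one each for the high-risk IP and the unknown IP after nine hours, while the low-risk entry stays valid under its 24-hour TTL. Without the negative TTL, the hundred lookups of 192.0.2.77 in every pass would each have been a billed call.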

The integration also requires careful tuning of risk score thresholds. Recorded Future's scoring is nuanced, and a score of 65 might be actionable for one indicator type but routine for another, so set thresholds per indicator type rather than one global cutoff. Expect to spend a few weeks adjusting them against your environment's baseline and false positive rates.

For teams already running Datadog Cloud SIEM, this integration is worth implementing if you're drowning in alerts and lack dedicated threat intelligence analysts. The automation it provides won't replace human judgment, but it will help your security team focus on the alerts that actually matter.