Add Huntress.io integration#3019
Open
kyletaylored wants to merge 44 commits into
Open
Conversation
This comment has been minimized.
This comment has been minimized.
domalessi
requested changes
Jun 3, 2026
domalessi
reviewed
Jun 3, 2026
domalessi
reviewed
Jun 3, 2026
domalessi
reviewed
Jun 3, 2026
domalessi
reviewed
Jun 3, 2026
domalessi
reviewed
Jun 3, 2026
domalessi
reviewed
Jun 3, 2026
domalessi
reviewed
Jun 3, 2026
domalessi
reviewed
Jun 3, 2026
domalessi
reviewed
Jun 3, 2026
domalessi
reviewed
Jun 3, 2026
domalessi
reviewed
Jun 3, 2026
Co-authored-by: domalessi <111786334+domalessi@users.noreply.github.com>
- Configuration step 1: "Create" → "Copy the [example configuration file][4]…and edit it", steps collapsed from 3 → 2, "fully-annotated" hyphen removed - Multiple Huntress accounts: Moved before ### Validation, demoted to ####, conditional lead-in sentence added - Config reference table: No\* → Conditional for both conditional fields, column widths realigned, footnote \* replaced with **Note:** paragraph - Rate limits: Renamed from "Rate limit considerations" - Link references: Added [3] for service_checks.json (was broken before) and [4] for the example config file on GitHub
…mmary and KEEP guidance Bug fixes: - Truncate nanosecond-precision @timestamp values to microseconds before parsing; Python's fromisoformat() only handles up to 6 fractional digits, causing silent date_ms=None on all Huntress log events - Match organization_id flat field (actual API response shape) in addition to organization.id when resolving org enrichment tags - Cap 429 retry loop at one retry with error_type:rate_limited counting; the previous implementation retried indefinitely, blocking the check thread Observability: - Emit a self.log.info() summary after each successful run reporting logs collected and pages fetched per query, and agent count/pages when metrics.agents is enabled - Surface the same summary as the service check message so it appears in `datadog-agent status` output - Warn on the first page when log entries contain only uuid and organization_id, indicating a missing KEEP clause in the ES|QL query Docs and config: - Document the Huntress API KEEP requirement in spec.yaml, conf.yaml.example, and README; despite what the Huntress API docs state, queries without an explicit KEEP return only uuid and organization_id, not all fields - Update all example queries in README and conf.yaml.example to include a representative KEEP clause
domalessi
reviewed
Jun 9, 2026
Contributor
There was a problem hiding this comment.
Thanks for the changes! A few remaining items — see inline feedback.
Structural note:
### Configuration reference and ### Rate limits currently appear after ### Validation. Both contain guidance users need before validating the setup. I suggest reordering as 4th-level subsections of the Configuration section:
### Configuration
#### Multiple Huntress accounts
#### Rate limits
#### Configuration reference
### Validation
Co-authored-by: domalessi <111786334+domalessi@users.noreply.github.com>
domalessi
reviewed
Jun 23, 2026
domalessi
left a comment
Contributor
There was a problem hiding this comment.
Looking good, @kyletaylored ! A few minor fixes left but should be good to go after that (from an editorial perspective, at least).
Co-authored-by: domalessi <111786334+domalessi@users.noreply.github.com>
domalessi
approved these changes
Jul 6, 2026
domalessi
left a comment
Contributor
There was a problem hiding this comment.
Committed some changes to clean up a few editorial nits. All looks good from an editorial perspective!
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What does this PR do?
Adds a new community integration for Huntress, a managed security platform offering EDR and Managed SIEM. The integration polls the Huntress SIEM API using ES|QL queries and forwards security events to Datadog as logs.
Each collection run:
max_pages_per_run)The integration also tracks Huntress API rate limit consumption via response headers (
x-huntress-api-call-limit,x-huntress-api-call-remaining) and emits them as gauges so teams can monitor headroom and alert before hitting the 60 req/min cap.Assets included:
metadata.csvwith 6 metricsassets/service_checks.jsonandassets/configuration/spec.yamlMotivation
MSP partners and enterprise security teams using Huntress Managed SIEM want to correlate endpoint threat detections alongside infrastructure, application, and cloud telemetry already in Datadog. This integration enables that without requiring any custom scripting or log shipper configuration on the customer side.
Review checklist
ddev test huntress/ddev test huntress -- -m integration)README.mdddsource: huntress, which will trigger automatic pipeline processing once a Huntress log pipeline is configured in the Datadog backend. No custom pipeline is bundled with this PR; ECS field names are preserved as-is on the log payload.Additional Notes
instances:runs fully independently with its own checkpoint, org cache, and metrics — MSPs can configure one instance per Huntress account.esql_querythat does not begin withFROM logsat startup to catchmisconfiguration early.
org_cache_ttl_seconds: 0forces a refresh on every run, which the integration test uses to validate the full fetch path against the mock.source_type_id: 10350inmanifest.jsonis a placeholder — please assign a real ID before merging.huntress_mockoon.json) contained a missing comma in thev1/accountroute template, which was fixed to a static response for the test harness. The fix is scoped to our copy of the file.