Datadog

Name: QuantaSeal
Brand: QuantaSeal
Price: 69 AUD

Monitoring

system_type: "datadog"

Forward QuantaSeal metrics, audit events, and security alerts to your Datadog account.

Overview#

QuantaSeal natively integrates with Datadog via the SIEM push module (core/siem_push.py). Encryption metrics, vault operation counts, compliance scores, and security events are forwarded to Datadog using the Events API and custom metrics. API and application keys are sealed in QuantaVault.

Base URL: https://api.quantaseal.io/api/v2/proxy/outbound
Auth header: X-API-Key: qs_live_…

Prerequisites#

1A Datadog account
2A Datadog API key (for sending data) and Application key (for reading data)
3Your Datadog site (e.g. datadoghq.com or datadoghq.eu)

Configuration#

Follow these steps to connect Datadog to QuantaSeal. You can configure integrations via the Admin Console or directly via the API.

1
In Datadog, create an API Key (Organization Settings → API Keys).
2
Seal: POST /api/v2/vault/seal with credential_type: api_key.
3
Create integration with system_type: datadog, config: {site: 'datadoghq.com'}.
4
Alternatively, configure SIEM push in Dashboard → Security → SIEM Webhooks → Add Datadog.

Authentication Types#

Seal the Datadog API key as api_key. For the Application key, add it to the vault credential values as {api_key, app_key}.

API Key

All credential types are sealed in QuantaVault with ML-KEM-768 + AES-256-GCM and wrapped by your tenant AWS KMS CMK before storage. See the Vault API reference for the full list of credential types and seal/unseal endpoints.

Available Operations#

QuantaSeal enforces a default-deny operation policy. Only operations listed in your integration's allowed_operations array will be permitted. Add operations when creating or updating the integration.

Operation	Description
`send_event`	Send a security or audit event to Datadog.
`send_metric`	Send custom encryption metrics to Datadog.
`send_log`	Forward audit log entries to Datadog Logs.

Code Example#

Every proxy call returns a HybridCryptoEnvelope - the response is ML-KEM-768 key-encapsulated, AES-256-GCM encrypted, and signed with ML-DSA-65 + HMAC-SHA-512. Verify both signatures before trusting the decrypted payload.

bashCopy

curl -X POST https://api.quantaseal.io/api/v2/proxy/outbound \
  -H "X-API-Key: qs_live_your_key_here" \
  -H "Content-Type: application/json" \
  -d '{"integration_id":"int_DD001","operation":"send_event","payload":{"title":"Credential rotated","text":"Vault entry rotated by admin@acme.com","tags":["env:production","quantaseal:vault"]}}'

Decrypt the response using the QuantaSeal SDK: client.encryption.decrypt(envelope). Both the ML-DSA-65 signature and the HMAC-SHA-512 signature must pass - QuantaSeal uses a bitwise & check, not short-circuit and.

Troubleshooting#

403 - API key invalid

Datadog API keys are scoped to the organisation. Ensure you are using the key from the same Datadog organisation as your site URL.

Still stuck? Check the Security Events page in the Admin Console for detailed proxy error logs, or open a support ticket at quantaseal.io/support.

All Connectors API Reference