Menu
Datadog Blog·July 17, 2026

Building Agentic Workflows for Cloud SIEM with Datadog MCP Server

This article discusses the architectural considerations and implementation details behind bringing agentic workflows to Datadog's Cloud SIEM, focusing on the Multi-Cloud Protection (MCP) Server. It highlights the challenges of building reliable, multi-team agentic toolsets in a distributed environment, including data ingestion, rule evaluation, and user interaction within a Security Information and Event Management (SIEM) context.

Read original on Datadog Blog

Introduction to Agentic Workflows in SIEM

The article details the evolution of Datadog's Cloud SIEM to incorporate "agentic workflows," which involve automated, intelligent tools that can act on security data. This requires a robust backend system capable of ingesting diverse data, applying complex evaluation logic, and integrating with user interfaces for actionable insights. The Multi-Cloud Protection (MCP) Server serves as the core infrastructure for these workflows, enabling flexible rule creation and execution across various cloud environments.

Architectural Challenges for a Multi-Team Toolset

  • Reliable Data Ingestion and Processing: Handling high-volume, real-time security events from multiple cloud providers requires scalable ingestion pipelines and robust data normalization.
  • Customizable Rule Evaluation: The system needs a flexible framework for defining and evaluating security rules, potentially involving custom logic and integrations.
  • Progressive Disclosure of Complexity: Presenting complex agentic capabilities to users without overwhelming them requires careful UI/UX design and backend support for dynamic feature exposure.
  • Ensuring Reliability and Maintainability: As a critical security tool, the MCP Server must maintain high availability and be easy for multiple teams to contribute to and maintain.

The Datadog MCP Server Architecture

The MCP Server is designed to orchestrate agentic tooling within the Cloud SIEM. It leverages usage data to inform feature development and employs a custom evaluation framework to ensure the correctness and efficiency of security rule processing. This often involves a distributed architecture where event data is streamed, processed by various services, and then evaluated against a set of dynamically configured rules. The architecture must support idempotent operations and fault tolerance to handle transient failures inherent in distributed systems.

💡

System Design Insight: Agentic Systems

Designing agentic systems, especially in security, requires robust data pipelines, flexible rule engines, and careful consideration of state management and concurrency. The ability to dynamically update and deploy agents, along with mechanisms for monitoring their performance and reliability, are crucial. Think about how to isolate agent failures and ensure the overall system remains stable.

Evaluation Framework and Reliability

A significant part of the design involves the custom evaluation framework, which is essential for reliably executing security logic. This framework likely involves: a Domain Specific Language (DSL) for rule definition, a rule engine for execution, and a mechanism for deploying and updating these rules without downtime. Reliability is further enhanced through comprehensive monitoring, alerting, and observability of agent performance and SIEM event processing pipelines.

SIEMAgentic AICloud SecurityDistributed ArchitectureRule EngineData PipelinesObservabilityDatadog

Comments

Loading comments...