This article discusses the architectural considerations and implementation details behind bringing agentic workflows to Datadog's Cloud SIEM, focusing on the Multi-Cloud Protection (MCP) Server. It highlights the challenges of building reliable, multi-team agentic toolsets in a distributed environment, including data ingestion, rule evaluation, and user interaction within a Security Information and Event Management (SIEM) context.
Read original on Datadog BlogThe article details the evolution of Datadog's Cloud SIEM to incorporate "agentic workflows," which involve automated, intelligent tools that can act on security data. This requires a robust backend system capable of ingesting diverse data, applying complex evaluation logic, and integrating with user interfaces for actionable insights. The Multi-Cloud Protection (MCP) Server serves as the core infrastructure for these workflows, enabling flexible rule creation and execution across various cloud environments.
The MCP Server is designed to orchestrate agentic tooling within the Cloud SIEM. It leverages usage data to inform feature development and employs a custom evaluation framework to ensure the correctness and efficiency of security rule processing. This often involves a distributed architecture where event data is streamed, processed by various services, and then evaluated against a set of dynamically configured rules. The architecture must support idempotent operations and fault tolerance to handle transient failures inherent in distributed systems.
System Design Insight: Agentic Systems
Designing agentic systems, especially in security, requires robust data pipelines, flexible rule engines, and careful consideration of state management and concurrency. The ability to dynamically update and deploy agents, along with mechanisms for monitoring their performance and reliability, are crucial. Think about how to isolate agent failures and ensure the overall system remains stable.
A significant part of the design involves the custom evaluation framework, which is essential for reliably executing security logic. This framework likely involves: a Domain Specific Language (DSL) for rule definition, a rule engine for execution, and a mechanism for deploying and updating these rules without downtime. Reliability is further enhanced through comprehensive monitoring, alerting, and observability of agent performance and SIEM event processing pipelines.