Worklet: Datadog Configuration Set in Windows

This worklet takes two configurations that you upload to the worklet - eventlogs.yaml & default_agent_config.yaml - and copies them to the Datadog folders they belong to as conf.yaml and datadog.yaml respectively. It also takes an existing conf.yaml.default configuration and makes a copy of it as the conf.yaml file in its same directory.

A log is created in the Automox activity log, but it also creates a log locally on the machine in C:\vSOC_Tools.

Evaluation:

Exit 0

Remediation:

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

$datadogConfDir = 'C:\ProgramData\Datadog'
$win32ConfDir = 'C:\ProgramData\Datadog\conf.d\win32_event_log.d'
$diskConfDir = 'C:\ProgramData\Datadog\conf.d\disk.d'
$logDir = 'C:\vSOC_Tools'
$eventLogs = 'eventlogs.yaml'  #Uploaded File
$defaultAgent = 'default_agent_config.yaml'  #Uploaded File
$serviceName = 'Datadog Agent'
$service = Get-Service -Name $serviceName -ErrorAction SilentlyContinue

# Make sure the local log directory exists before starting the transcript
If (-not (Test-Path $logDir)) { New-Item -Path $logDir -ItemType "directory" | Out-Null }
Start-Transcript -Path "$logDir\test.log"

# Create directories if they don't exist
If (-not (Test-Path $datadogConfDir)) {
    Write-Output "Creating Datadog Conf Directory"
    New-Item -Path $datadogConfDir -ItemType "directory"
}

If (-not (Test-Path $win32ConfDir)) {
    Write-Output "Creating Win32 Conf Directory"
    New-Item -Path $win32ConfDir -ItemType "directory"
}

If (-not (Test-Path $diskConfDir)) {
    Write-Output "Creating Disk Conf Directory"
    New-Item -Path $diskConfDir -ItemType "directory"
}

# Fix configs and restart agent
# The uploaded files are picked up from the worklet's working directory
Write-Output "Copying Win32 Conf"
Copy-Item $eventLogs -Destination "$win32ConfDir\conf.yaml" -Force

Write-Output "Copying Datadog Conf"
Copy-Item $defaultAgent -Destination "$datadogConfDir\datadog.yaml" -Force

If (Test-Path "$diskConfDir\conf.yaml.default") {
    Write-Output "Copying Disk Conf"
    Copy-Item "$diskConfDir\conf.yaml.default" -Destination "$diskConfDir\conf.yaml" -Force
}
else
{ Write-Output "$diskConfDir\conf.yaml.default does not exist" }

# Get-Service returns $null when the service is absent, so a plain truthiness test is enough
If ($service) {
    Write-Output "Restarting Agent"
    # Pipe the ServiceController object instead of passing it as a positional -Name argument
    $service | Restart-Service -Force
}
else
{ Write-Output "Service '$serviceName' does not exist" }

Stop-Transcript
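The evaluation above always exits 0, so the remediation copies the files and restarts the agent on every run. Below is an added example (not part of the original worklet) of an evaluation script that only reports non-compliance when a target file actually differs from its uploaded copy or the disk check has not been seeded; it assumes the uploaded files are available in the working directory during evaluation, and that Automox treats exit 0 as compliant and a non-zero exit as "run remediation".

```powershell
# Added example, not the original worklet's evaluation script.
# Assumes eventlogs.yaml and default_agent_config.yaml are in the working directory.
$datadogConfDir = 'C:\ProgramData\Datadog'
$expected = @{
    'eventlogs.yaml'            = Join-Path $datadogConfDir 'conf.d\win32_event_log.d\conf.yaml'
    'default_agent_config.yaml' = Join-Path $datadogConfDir 'datadog.yaml'
}

function Test-SameContent {
    param([string]$Source, [string]$Target)
    if (-not (Test-Path $Source)) {
        Write-Output "Uploaded file '$Source' was not found"
        return $false
    }
    if (-not (Test-Path $Target)) { return $false }
    # Compare content hashes rather than timestamps: same bytes means compliant
    $a = (Get-FileHash -Path $Source -Algorithm SHA256).Hash
    $b = (Get-FileHash -Path $Target -Algorithm SHA256).Hash
    return ($a -eq $b)
}

$needsRemediation = $false
foreach ($upload in $expected.Keys) {
    if (-not (Test-SameContent -Source $upload -Target $expected[$upload])) {
        Write-Output "$($expected[$upload]) does not match $upload"
        $needsRemediation = $true
    }
}

# The disk check only needs conf.yaml when the conf.yaml.default template is present
$diskDir = Join-Path $datadogConfDir 'conf.d\disk.d'
if ((Test-Path (Join-Path $diskDir 'conf.yaml.default')) -and
    -not (Test-Path (Join-Path $diskDir 'conf.yaml'))) {
    Write-Output "disk.d\conf.yaml has not been created from conf.yaml.default"
    $needsRemediation = $true
}

# A stopped agent also warrants the remediation's restart step
$service = Get-Service -Name 'Datadog Agent' -ErrorAction SilentlyContinue
if ($service -and $service.Status -ne 'Running') {
    Write-Output "Datadog Agent service is $($service.Status)"
    $needsRemediation = $true
}

if ($needsRemediation) { Exit 1 }
Exit 0
```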