Overview
Klaudia is Komodor's AI SRE agent. The Datadog integration lets Klaudia pull observability context from your Datadog account during an investigation. As part of a chat or RCA session, Klaudia can trigger a dedicated Datadog agent that queries Datadog for the traces, metrics, logs, monitors, service dependencies, hosts, and incident context relevant to the issue, so its root cause analysis reflects your APM data alongside the Kubernetes and Komodor signals it already uses.
The integration connects to Datadog through Datadog's MCP server. Because of this, the Datadog Application key used by the integration needs a specific set of read scopes, including the mcp_read scope. See Required permission scopes below.
Note:
- Komodor AI SRE agent ('Klaudia') uses a large language model (LLM) to generate responses. LLMs have the potential to produce inaccurate responses. Always verify critical information before acting on it.
- The Datadog integration is read-only. Klaudia reads context from Datadog to inform its investigation. It does not modify your Datadog configuration.
How it works
- Connect Datadog to Komodor using a Datadog API key and an Application key that carries the required scopes (steps below).
- Klaudia investigates an issue as usual, from the Komodor UI, from Slack, or triggered automatically.
- Klaudia triggers a dedicated Datadog agent when APM context would help the investigation. This happens as part of the chat or RCA session, alongside Klaudia's other specialized agents.
- The Datadog agent queries your Datadog account through Datadog's MCP server for the relevant signals: APM traces and spans, metrics and timeseries, logs, monitors, the service catalog and service dependencies, hosts, and incidents.
- Klaudia folds that context into its root cause analysis, so the conclusions and remediation guidance reflect what Datadog is seeing in addition to Komodor's own data.
What Klaudia can do with Datadog
| Capability | Status |
|---|---|
| Trigger a dedicated Datadog agent during chat and RCA sessions | ✅ Available |
| Query APM traces and spans | ✅ Available |
| Query metrics and timeseries | ✅ Available |
| Query logs | ✅ Available |
| Read monitors | ✅ Available |
| Read the service catalog and service dependencies | ✅ Available |
| Read hosts and infrastructure | ✅ Available |
| Read incidents | ✅ Available |
How Klaudia uses Datadog during an investigation
The Datadog agent is context-gathering, not action-taking. During an investigation Klaudia uses it to answer questions that its Kubernetes and Komodor data alone cannot, for example whether latency traces back to a specific downstream service, what a service's spans show around the time of an incident, or which monitors and incidents were active. Queries are scoped to the services and time window relevant to the investigation, and everything the agent does is read-only.
Prerequisites
- A Komodor account with the Datadog integration installed.
- A Datadog API key and an Application key for the account you want Klaudia to investigate against.
- The required read scopes granted on the Application key, including
mcp_read. See below.
The Datadog connection (MCP server)
Klaudia communicates with Datadog through Datadog's MCP server, not only through the plain Datadog REST data APIs. The MCP server exposes the tools the Datadog agent uses, and it enforces a broader set of permission scopes than the REST APIs alone.
One consequence is worth understanding, because it is the most common source of setup issues: an Application key can test successfully against Datadog's data APIs and still be rejected by the MCP server for certain tools if it is missing scopes. The usual symptom is an integration that works intermittently, where some requests succeed and others fail or time out with no obvious pattern. This almost always means the Application key is missing one or more required scopes, most importantly mcp_read.
Required permission scopes
Grant the following read scopes on the Datadog Application key tied to the Komodor integration. In Datadog, go to Organization Settings > Application Keys, select the key, and choose Edit scopes (or set them on that key's role).
| Scope | What it enables |
|---|---|
mcp_read | Required to use the Datadog MCP server at all. This is the key addition. Without it the integration fails intermittently. |
| Logs Read Data | Reading log data |
| Logs Read Index Data | Reading indexed log data |
| Timeseries | Logs analytics, events, metrics, and hosts timeseries |
| APM Read | APM traces and spans |
| Metrics | Metrics |
| Monitors Read | Reading monitors |
| APM Service Catalog Read | Services and service dependencies |
| Teams Read | Service dependencies |
| Events | Events |
| Hosts Read | Infrastructure and hosts |
| Incidents Read | Incidents |
Important note about Application key scopes: an Application key can only carry scopes that the user who created it holds in their own role. If a scope cannot be added to the key, the key needs to be created (or scoped) by a user or admin who holds those permissions.
Once the scopes are updated, nothing needs to be re-entered in Komodor. Let the Komodor team know and the integration will be re-verified on the Komodor side.
Installation and connecting Datadog
In the Komodor platform, go to Integrations.
- Locate Datadog under Available Integrations and click Connect Integration.
- Enter your Datadog API key and Application key.
- Save the integration. Komodor verifies the connection and scopes.
Permission model
- Klaudia's actions are scoped to the invoking user's Komodor RBAC. Data the user is not authorized to see in Komodor is not surfaced.
- The Datadog integration is read-only. Klaudia can query your Datadog account for context but cannot modify Datadog configuration, monitors, or data.
Audit log
Klaudia's Datadog actions are recorded in the Komodor audit log, including:
- Action taken (for example "queried Datadog for APM context")
- The user whose investigation triggered the action
- Timestamp
- Triggered by: Klaudia or User
FAQ
The integration works, but only intermittently. Some requests succeed and others time out. Why? This is almost always a missing permission scope on the Datadog Application key. Klaudia talks to Datadog through Datadog's MCP server, which requires a broader set of scopes than the plain REST data APIs. A key can test fine against the data APIs while the MCP server rejects certain tools. Confirm all the scopes under Required permission scopes are granted, especially mcp_read.
Do I need to re-enter anything in Komodor after updating the scopes? No. Once the scopes are updated on the Datadog side, nothing needs re-entering in Komodor. Let the Komodor team know and the integration will be re-verified.
Does Klaudia change anything in my Datadog account? No. The integration is read-only. Klaudia reads context to inform its investigation and does not modify Datadog.
Why does the integration use Datadog's MCP server instead of the REST APIs? The MCP server exposes the tools the Datadog agent uses to gather context during an investigation. It enforces its own set of read scopes, which is why the Application key needs the full scope list above rather than only the data-API scopes.
I can't add a required scope to the Application key. What do I do? An Application key can only carry scopes that the user who created it holds in their own role. Ask a user or admin who holds the required permissions to create or scope the key.
Comments
0 comments
Please sign in to leave a comment.