|
| 1 | +# IDE Shepherd |
| 2 | + |
| 3 | +## Overview |
| 4 | + |
| 5 | +[IDE Shepherd][1] is a real-time security monitoring and protection tool for IDE environments. It monitors extension and workspace task activities in VS Code and Cursor, actively blocking malicious behaviors to protect developer endpoints from supply chain attacks and compromised extensions. IDE Shepherd hence enables security teams to detect and respond to threats in real-time by providing observability into security and extension lifecycle events (installation, updates, and uninstallation). |
| 6 | + |
| 7 | +Integrate IDE Shepherd with Datadog's pre-built dashboard visualizations to gain insights into security alerts, extension activities, and workspace task monitoring. With Datadog's built-in log pipelines, you can parse and enrich these logs to facilitate easy search and detailed insights. The integration includes ready-to-use dashboards for monitoring security events, extension lifecycle, and activity patterns by IDE type and host. |
| 8 | + |
| 9 | +## Setup |
| 10 | + |
| 11 | +### Configuration |
| 12 | + |
| 13 | +**1. Install and Start Datadog Agent** |
| 14 | + |
| 15 | +First, ensure the Datadog Agent is installed and running on your system with your organization API key configured. See [Datadog Agent Installation Guide](https://docs.datadoghq.com/agent/) for installation instructions. |
| 16 | + |
| 17 | +**2. Install IDE Shepherd Extension** |
| 18 | + |
| 19 | +Install the IDE Shepherd extension in VS Code or Cursor from the [IDE Shepherd repository][1]. |
| 20 | + |
| 21 | +**3. Enable Telemetry in IDE Shepherd** |
| 22 | + |
| 23 | +IDE Shepherd **automatically configures the Datadog Agent** when you enable telemetry for the first time: |
| 24 | + |
| 25 | +1. Open the IDE Shepherd sidebar in VS Code or Cursor |
| 26 | +2. Navigate to **Settings > Datadog Telemetry** |
| 27 | +3. Click on **Telemetry: Disabled** to enable it |
| 28 | +4. IDE Shepherd will automatically: |
| 29 | + - Create the configuration directory: `/opt/datadog-agent/etc/conf.d/ide-shepherd.d/` |
| 30 | + - Write the configuration file: `conf.yaml` with the appropriate settings |
| 31 | + - Configure the agent to listen on the default port |
| 32 | + |
| 33 | + |
| 34 | +*We recommend keeping the default port configuration. The extension will handle all the setup automatically.* |
| 35 | + |
| 36 | +**4. Restart Datadog Agent** |
| 37 | + |
| 38 | +After the automatic configuration, IDE Shepherd will request permission to restart the Datadog Agent. If it fails, you can restart it manually with the following commands: |
| 39 | + |
| 40 | +```bash |
| 41 | +# Linux |
| 42 | +sudo systemctl restart datadog-agent |
| 43 | + |
| 44 | +# macOS |
| 45 | +launchctl stop com.datadoghq.agent |
| 46 | +launchctl start com.datadoghq.agent |
| 47 | +``` |
| 48 | + |
| 49 | +See [Datadog Agent Commands][2] for more details. |
| 50 | + |
| 51 | +**5. Verify Telemetry Status** |
| 52 | + |
| 53 | +Telemetry is now **sent automatically** in real-time: |
| 54 | + |
| 55 | +- Extension installed/updated/uninstalled -> OCSF event sent immediately |
| 56 | +- Security threat detected -> OCSF event sent immediately |
| 57 | + |
| 58 | +You can verify the connection from the IDE Shepherd sidebar: |
| 59 | + |
| 60 | +- **Agent Status**: Shows if the Datadog Agent is up and running |
| 61 | +- **Agent Port**: Shows the port on which the agent is listening |
| 62 | + |
| 63 | +### Validation |
| 64 | + |
| 65 | +[Run the Agent's status subcommand][2] and look for `ide-shepherd` under the Logs Agent section. You can also verify in the IDE Shepherd sidebar that the **Agent Status** shows as connected. |
| 66 | + |
| 67 | +To view your logs in Datadog: |
| 68 | + |
| 69 | +1. Go to the [Datadog Logs Explorer](https://app.datadoghq.com/logs) |
| 70 | +2. Filter by: `source:ide-shepherd service:ide-shepherd-telemetry` |
| 71 | +3. Explore security events, extension lifecycle events, and workspace task activities |
| 72 | + |
| 73 | +## Data Collected |
| 74 | + |
| 75 | +### Logs |
| 76 | + |
| 77 | +The IDE Shepherd integration collects and forwards IDE security and activity logs to Datadog, including: |
| 78 | + |
| 79 | +- **Security Events**: Real-time alerts for malicious extension activities and blocked threats |
| 80 | +- **Extension Lifecycle Events**: Installation, update, and uninstallation events |
| 81 | +- **Extension Metadata**: Name, version, publisher information along with a risk estimate based on hardcoded heuristics. |
| 82 | +- **OCSF (Open Cybersecurity Schema Framework) classified events**: Standardized security event formats |
| 83 | + |
| 84 | +The logs are automatically enriched with: |
| 85 | +- OCSF class UIDs (Application Security Posture Finding, Detection Finding) |
| 86 | +- IDE type (VS Code, Cursor) and its version |
| 87 | +- Host information |
| 88 | +- Security technique information for flagged behaviors |
| 89 | +- Observable threat indicators |
| 90 | + |
| 91 | +### Metrics |
| 92 | + |
| 93 | +The IDE Shepherd integration does not include any metrics. |
| 94 | + |
| 95 | +### Events |
| 96 | + |
| 97 | +The IDE Shepherd integration does not include any events. |
| 98 | + |
| 99 | +## Troubleshooting |
| 100 | + |
| 101 | +Need help? Contact [Datadog support][4]. |
| 102 | + |
| 103 | +[1]: https://github.com/DataDog/IDE-SHEPHERD-extension |
| 104 | +[2]: https://docs.datadoghq.com/agent/guide/agent-commands/#agent-status-and-information |
| 105 | +[3]: https://docs.datadoghq.com/getting_started/site/#access-the-datadog-site |
| 106 | +[4]: https://docs.datadoghq.com/help/ |
| 107 | +[5]: https://docs.datadoghq.com/agent/guide/agent-configuration-files/#agent-configuration-directory |
0 commit comments