From b0fa98260530171ebc252a75dcece4248f0be773 Mon Sep 17 00:00:00 2001 From: Anna Pauxberger Date: Wed, 1 Dec 2021 16:08:39 -0500 Subject: [PATCH] add Datadog to README --- tools/README.md | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/tools/README.md b/tools/README.md index 3b79e6dd5..379186e05 100644 --- a/tools/README.md +++ b/tools/README.md @@ -362,4 +362,21 @@ For example, in order to translate a windows-related Sigma rule, one would use: ```bash tools/sigmac -t devo -c tools/config/devo-windows.yml rules/windows/sysmon/sysmon_wmi_susp_scripting.yml +``` + +### Datadog +The Datadog backend currently supports converting Sigma files to the [Log Search Syntax](https://docs.datadoghq.com/logs/explorer/search_syntax/) +with the identifier `datadog-logs`. + +#### Config file +This backend does not require a config file though it is possible to add a config file for fieldmapping and defining facets as a list. +While attributes will be queried with `@my-attribute:my-attribute` facets will be queried with `my-facet:my-facet`. +For an example, see `tools/config/datadog.yml`. + +#### Backend options +The backend options support `index` and `service` fields, as they are built-in facets and widely used. + +Example +``` +tools/sigmac -t datadog-logs /rules/cloud/aws/aws_attached_malicious_lambda_layer.yml --backend-option index=my_index ``` \ No newline at end of file
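Review bot: The example path in the new `#### Backend options` block is absolute (`/rules/cloud/aws/aws_attached_malicious_lambda_layer.yml`) while the existing Devo example a few lines up uses the repository-relative `rules/windows/sysmon/...`; as written the command fails unless run from the filesystem root, so drop the leading slash (`tools/sigmac -t datadog-logs rules/cloud/aws/aws_attached_malicious_lambda_layer.yml --backend-option index=my_index`). The same block opens its fence with a bare ``` where the README's other examples use ```bash, so tag it for consistent highlighting, and "Example" would read better as "Example:" or as a `####`-level heading like the two above it. In the `#### Config file` paragraph, "This backend does not require a config file though it is possible to add a config file for fieldmapping and defining facets as a list." needs a comma before "though", and "While attributes will be queried with `@my-attribute:my-attribute` facets will be queried with `my-facet:my-facet`." needs a comma before "facets"; it would also help to state which side of each `name:value` pair is the Sigma field and which is the Datadog attribute or facet, since the placeholders are identical on both sides. Finally, the hunk still ends with "\ No newline at end of file", so add the trailing newline while touching the file.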