From c2b91c58d9b7dd4ac40f119307bbb95afde1945f Mon Sep 17 00:00:00 2001
From: Anna Pauxberger
Date: Tue, 23 Nov 2021 11:08:27 -0500
Subject: [PATCH] add datadog backend structure

---
 tools/sigma/backends/datadog.py | 13 +++++++++++++
 1 file changed, 13 insertions(+)
 create mode 100644 tools/sigma/backends/datadog.py

diff --git a/tools/sigma/backends/datadog.py b/tools/sigma/backends/datadog.py
new file mode 100644
index 000000000..51e051ddd
--- /dev/null
+++ b/tools/sigma/backends/datadog.py
@@ -0,0 +1,13 @@
+from sigma.backends.base import SingleTextQueryBackend
+
+
+class DatadogBackend(SingleTextQueryBackend):
+ identifier = "datadog" # TODO: more specific?
+ active = True
+ config_required = False
+
+ andToken = " AND "
+ orToken = " OR "
+ notToken = "-"
+ subExpression = "(%s)"
+ mapExpression = "%s:%s"
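Review bot: `active = True` makes this backend selectable while the class defines only the boolean tokens, `subExpression` and `mapExpression`; there is no `valueExpression`, `listExpression` or `reEscape`. Depending on what `SingleTextQueryBackend` defaults to (the base class is not visible in this hunk), rule values will either fail to render or reach the query without quoting or escaping. For a detection backend that is a fidelity problem: a value containing a space, colon, quote or parenthesis can produce a Datadog query that parses differently from the Sigma rule and silently under- or over-matches. I would ship the skeleton as `active = False  # enable once valueExpression/listExpression/reEscape are defined`, and resolve the `# TODO: more specific?` on `identifier` before anything depends on that name. `mapExpression = "%s:%s"` also emits bare field names; it is worth confirming whether Datadog log search expects a prefix on non-reserved attributes.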