
Add Huntress.io integration #3019

Draft
kyletaylored wants to merge 20 commits into DataDog:master from kyletaylored:huntress

Conversation

@kyletaylored

What does this PR do?

Adds a new community integration for Huntress, a managed security platform offering EDR and Managed SIEM. The integration polls the Huntress SIEM API using ES|QL queries and forwards security events to Datadog as logs.

Each collection run:

  • Loads a checkpoint (timestamp of last successful collection) from persistent cache and queries only the elapsed window, avoiding duplicates across Agent restarts
  • Paginates through all result pages up to a configurable cap (max_pages_per_run)
  • Optionally enriches each log with Huntress organization metadata (org name, key, account ID) via a TTL-cached lookup, useful for MSPs managing multiple client accounts
  • Forwards logs to Datadog preserving all Elastic Common Schema (ECS) field names as top-level attributes
  • Advances the checkpoint only after all pages are successfully sent

The integration also tracks Huntress API rate limit consumption via response headers (x-huntress-api-call-limit, x-huntress-api-call-remaining) and emits them as gauges so teams can monitor headroom and alert before hitting the 60 req/min cap.

Assets included:

  • Prebuilt dashboard: Huntress SIEM Overview (log volume, pages fetched, run duration, rate limit gauges)
  • 3 monitor templates: collection run failed (service check), error rate spike, no logs collected in 2h
  • metadata.csv with 6 metrics
  • assets/service_checks.json and assets/configuration/spec.yaml
  • Mockoon-based Docker test harness with the Huntress-provided mock dataset

Motivation

MSP partners and enterprise security teams using Huntress Managed SIEM want to correlate endpoint threat detections alongside infrastructure, application, and cloud telemetry already in Datadog. This integration enables that without requiring any custom scripting or log shipper configuration on the customer side.

Review checklist

  • PR has a meaningful title
  • Feature has tests — 31 unit tests covering all PRD scenarios (auth failures, retries, pagination, checkpoint persistence, org enrichment, batching, rate limit parsing, multi-instance isolation) plus 3 Docker integration tests against a live Mockoon mock server (ddev test huntress / ddev test huntress -- -m integration)
  • Git history is clean
  • Docs — README covers installation, full configuration reference, collected data, and a troubleshooting table; no separate documentation repo issue needed as the tile content is self-contained in README.md
  • Log pipeline — logs are forwarded with ddsource: huntress, which will trigger automatic pipeline processing once a Huntress log pipeline is configured in the Datadog backend. No custom pipeline is bundled with this PR; ECS field names are preserved as-is on the log payload.

Additional Notes

  • Multi-account support: each entry under instances: runs fully independently with its own checkpoint, org cache, and metrics — MSPs can configure one instance per Huntress account.
  • ES|QL query validation: the check rejects any esql_query that does not begin with FROM logs at startup to catch misconfiguration early.
  • Org enrichment caching: the org metadata cache is stored in persistent cache keyed by a hash of the instance config, with a configurable TTL (default 1 hour). Setting org_cache_ttl_seconds: 0 forces a refresh on every run, which the integration test uses to validate the full fetch path against the mock.
  • source_type_id: 10350 in manifest.json is a placeholder — please assign a real ID before merging.
  • The Huntress-provided Mockoon dataset (huntress_mockoon.json) contained a missing comma in the v1/account route template, which was fixed to a static response for the test harness. The fix is scoped to our copy of the file.
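
The collection-run design described in the PR (checkpoint loaded from persistent cache, pagination up to max_pages_per_run, rate-limit headers turned into gauges, checkpoint advanced only after every page was forwarded, and the "FROM logs" startup check) is sketched below as an added example. It is not the integration's own code: FakeHuntressClient and RecordingSink are constructed stand-ins for the SIEM API and the Agent's log forwarder, a plain dict stands in for the persistent cache, the metric names and the epoch-float `@timestamp` values are assumptions, and the behaviour when the page cap is hit (resume from the newest forwarded event) is this example's own choice, since the PR text does not specify it.

```python
from dataclasses import dataclass, field
from typing import Optional

RATE_LIMIT_HEADER = "x-huntress-api-call-limit"
RATE_REMAINING_HEADER = "x-huntress-api-call-remaining"


def validate_esql_query(query: str) -> str:
    """Startup check: the configured query must begin with 'FROM logs'."""
    query = query.strip()
    if not query.startswith("FROM logs"):
        raise ValueError("esql_query must begin with 'FROM logs'")
    return query


def parse_rate_limit_headers(headers: dict) -> dict:
    """Map the two Huntress rate-limit headers to gauge values (names assumed).

    A missing or non-numeric header is skipped rather than raised on, so a
    header change on the API side never breaks log collection itself.
    """
    gauges = {}
    for header, metric in ((RATE_LIMIT_HEADER, "huntress.api.call_limit"),
                           (RATE_REMAINING_HEADER, "huntress.api.call_remaining")):
        raw = headers.get(header)
        if raw is None:
            continue
        try:
            gauges[metric] = int(raw)
        except ValueError:
            continue
    return gauges


@dataclass
class Page:
    events: list
    next_cursor: Optional[str]


class FakeHuntressClient:
    """Constructed stand-in for the SIEM API: serves canned pages and counts
    the remaining-calls header down from a 60 req/min budget."""

    def __init__(self, pages: dict, limit: int = 60):
        self._pages = pages  # cursor -> Page; key None is the first page
        self.limit = limit
        self.calls = 0

    def query(self, esql: str, start: float, end: float, cursor: Optional[str] = None):
        self.calls += 1
        page = self._pages[cursor]
        headers = {RATE_LIMIT_HEADER: str(self.limit),
                   RATE_REMAINING_HEADER: str(max(self.limit - self.calls, 0))}
        return page.events, page.next_cursor, headers


class RecordingSink:
    """Stand-in for the Agent log forwarder; fails on the Nth event if asked."""

    def __init__(self, fail_on_event: Optional[int] = None):
        self.sent = []
        self._fail_on = fail_on_event

    def send(self, event: dict) -> None:
        if self._fail_on is not None and len(self.sent) + 1 == self._fail_on:
            raise RuntimeError("forwarder unavailable")
        self.sent.append(dict(event, ddsource="huntress"))


@dataclass
class RunResult:
    pages_fetched: int = 0
    logs_sent: int = 0
    truncated: bool = False
    gauges: dict = field(default_factory=dict)


def run_collection(client, cache: dict, sink, esql_query: str, now: float,
                   max_pages_per_run: int = 10, initial_lookback: float = 3600.0) -> RunResult:
    """One collection run over the window [checkpoint, now].

    Any exception from sink.send propagates before the checkpoint is written,
    so a failed run is re-queried from the old checkpoint on the next run.
    """
    checkpoint = cache.get("checkpoint")
    start = checkpoint if checkpoint is not None else now - initial_lookback
    result, cursor, last_ts = RunResult(), None, start
    while True:
        events, cursor, headers = client.query(esql_query, start, now, cursor)
        result.pages_fetched += 1
        result.gauges.update(parse_rate_limit_headers(headers))
        for event in events:
            sink.send(event)
            result.logs_sent += 1
            last_ts = max(last_ts, event["@timestamp"])
        if cursor is None:
            break
        if result.pages_fetched >= max_pages_per_run:
            result.truncated = True
            break
    # Example's own policy: if the page cap cut the run short, resume from the
    # newest forwarded event (a boundary duplicate is possible) instead of `now`,
    # so the unfetched pages are picked up next time.
    cache["checkpoint"] = last_ts if result.truncated else now
    return result


def build_sample_client() -> FakeHuntressClient:
    """Constructed three-page dataset inside a window ending at t=7200."""
    pages = {
        None: Page([{"@timestamp": 3700.0, "event.action": "detection"},
                    {"@timestamp": 3800.0, "event.action": "isolation"}], "p2"),
        "p2": Page([{"@timestamp": 5000.0, "event.action": "detection"}], "p3"),
        "p3": Page([{"@timestamp": 7100.0, "event.action": "remediation"}], None),
    }
    return FakeHuntressClient(pages)


if __name__ == "__main__":
    cache, sink = {}, RecordingSink()
    query = validate_esql_query("FROM logs | LIMIT 500")
    print(run_collection(build_sample_client(), cache, sink, query, now=7200.0), cache)
```

The three cases worth exercising against a real implementation are the ones the sink and page cap make visible here: a clean run advances the checkpoint to `now`, a run that hits max_pages_per_run must not jump past the pages it never fetched, and a forwarder failure mid-run must leave the checkpoint untouched so nothing is silently dropped.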

@datadog-prod-us1-5

datadog-prod-us1-5 Bot commented May 28, 2026

Pipelines


⚠️ Warnings

🚦 1 Pipeline job failed

Validate repository | run / Validate

File `conf.yaml.example` is not in sync. Expected 'min_collection_interval' to be 900 but found 15.

Commit SHA: c31bf35
