Company:
Date Published:
Author: Jules Denardou, Doug DePerry
Word count: 1233
Language: English
Hacker News points: 1

Summary

Datadog has built a largely serverless security monitoring and alerting pipeline to watch its extensive AWS footprint. CloudTrail logs every AWS API call in every account, but the pipeline concentrates on a set of security-relevant calls and sorts them into three severities: log, notify, and alert. It integrates with Slack (notification), Duo (authentication of the actor) and PagerDuty (paging) so that potentially security-relevant API calls are surfaced, confirmed, and escalated. Data collection is deployed to every Datadog AWS account via Terraform, and the resulting events are forwarded to a dedicated security-oriented AWS account: a CloudWatch Event Rule triggers an SNS topic, which delivers the call cross-account to an SQS queue in the security account. A Lambda function then processes the API call data and hands it to a security orchestration layer. In Komand, a workflow made up of individual plugins, decision points, and branches parses the API call and its parameters, applies the severity logic, and interacts with the various systems and APIs. The pipeline gives the security team meaningful data and actionable intelligence, letting it protect the company and its customers efficiently.
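The Lambda stage described above, as an added example that is not Datadog's code: it unwraps the SNS envelope from each SQS record, pulls out the CloudTrail record, and maps it to one of the three severities. The severity table, the event names in it, and the sample event are constructed assumptions for illustration.

```python
import json

# Constructed severity table keyed by (eventSource, eventName); anything not
# listed is dropped. The three tiers mirror the post's log/notify/alert split.
SEVERITY = {
    ("iam.amazonaws.com", "CreateAccessKey"): "notify",
    ("iam.amazonaws.com", "AttachUserPolicy"): "alert",
    ("cloudtrail.amazonaws.com", "StopLogging"): "alert",
    ("ec2.amazonaws.com", "AuthorizeSecurityGroupIngress"): "log",
}

def unwrap(sqs_record):
    """SQS body holds the SNS envelope; its Message is the CloudWatch event."""
    cw_event = json.loads(json.loads(sqs_record["body"])["Message"])
    return cw_event["detail"]  # the CloudTrail record itself

def classify(detail):
    """Map one CloudTrail record to log/notify/alert, or None if not tracked."""
    return SEVERITY.get((detail.get("eventSource"), detail.get("eventName")))

def handler(event, context=None):
    """Lambda entry point: routing decisions for the orchestration workflow."""
    decisions = []
    for record in event.get("Records", []):
        detail = unwrap(record)
        severity = classify(detail)
        if severity is None:
            continue
        decisions.append({
            "severity": severity,
            "account": detail.get("recipientAccountId"),
            "actor": detail.get("userIdentity", {}).get("arn"),
            "event": detail.get("eventName"),
            "source_ip": detail.get("sourceIPAddress"),
        })
    return decisions

def _sqs_record(detail):
    """Build a constructed SQS record carrying an SNS-wrapped CloudWatch event."""
    cw_event = {"detail-type": "AWS API Call via CloudTrail", "detail": detail}
    return {"body": json.dumps({"Type": "Notification", "Message": json.dumps(cw_event)})}

# Constructed sample: one tracked alert-tier call and one untracked call.
SAMPLE_EVENT = {"Records": [
    _sqs_record({"eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
                 "recipientAccountId": "111111111111", "sourceIPAddress": "203.0.113.7",
                 "userIdentity": {"arn": "arn:aws:iam::111111111111:user/example"}}),
    _sqs_record({"eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
                 "recipientAccountId": "111111111111", "userIdentity": {}}),
]}
```

Running `handler(SAMPLE_EVENT)` yields a single alert-tier decision for the StopLogging call; the untracked ListBuckets call is dropped before it reaches the orchestration layer.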