Class SecurityMonitoringApi

Cancel a threat hunting job.

Convert an existing rule from JSON to Terraform for datadog provider resource datadog_security_monitoring_rule.

Convert a job result to a signal.

Convert a rule that doesn't (yet) exist from JSON to Terraform for datadog provider resource datadog_security_monitoring_rule.

Create a custom framework.

Create a security filter.

See the security filter guide for more examples.

Create a detection rule.

Create a new suppression rule.

Create a new notification rule for security signals and return the created rule.

Create a new notification rule for security vulnerabilities and return the created rule.

Delete a custom framework.

Delete a specific security filter.

Delete an existing rule. Default rules cannot be deleted.

Delete a specific suppression rule.

Delete a notification rule for security signals.

Delete an existing job.

Delete a notification rule for security vulnerabilities.

Modify the triage assignee of a security signal.

Change the related incidents for a security signal.

Change the triage state of a security signal.

Get a custom framework.

Returns a single finding with message and resource configuration.

List resource filters.

Get a rule's version history.

Get a single SBOM related to an asset by its type and name.

Returns list of Secrets rules with ID, Pattern, Description, Priority, and SDS ID

Get the details of a specific security filter.

See the security filter guide for more examples.

Get a hist signal's details.

Get a job's hist signals.

Get a rule's details.

Get a signal's details.

Get the details of a specific suppression rule.

Get the details of a notification rule for security signals.

Returns the list of notification rules for security signals.

Get the list of suppressions that would affect a rule.

Get the list of suppressions that affect a specific existing rule by its ID.

Get a job's details.

Get the details of a notification rule for security vulnerabilities.

Returns the list of notification rules for security vulnerabilities.

Get a list of assets SBOMs for an organization.

Please review the Pagination section for the "List Vulnerabilities" endpoint.

Please review the Filtering section for the "List Vulnerabilities" endpoint.

Please review the Metadata section for the "List Vulnerabilities" endpoint.

Get a list of findings. These include both misconfigurations and identity risks.

Note: To filter and return only identity risks, add the following query parameter: ?filter[tags]=dd_rule_type:ciem

Filters can be applied by appending query parameters to the URL.

• Using a single filter: ?filter[attribute_key]=attribute_value
• Chaining filters: ?filter[attribute_key]=attribute_value&filter[attribute_key]=attribute_value...
• Filtering on tags: ?filter[tags]=tag_key:tag_value&filter[tags]=tag_key_2:tag_value_2

Here, attribute_key can be any of the filter keys described further below.

Query parameters of type integer support comparison operators (>, >=, <, <=). This is particularly useful when filtering by evaluation_changed_at or resource_discovery_timestamp. For example: ?filter[evaluation_changed_at]=>20123123121.

You can also use the negation operator on strings. For example, use filter[resource_type]=-aws* to filter for any non-AWS resources.

The operator must come after the equal sign. For example, to filter with the >= operator, add the operator after the equal sign: filter[evaluation_changed_at]=>=1678809373257.

Query parameters must be only among the documented ones and with values of correct types. Duplicated query parameters (e.g. filter[status]=low&filter[status]=info) are not allowed.

Additional extension fields are available for some findings.

The data is available when you include the query parameter ?detailed_findings=true in the request.

The following fields are available for findings:

• external_id: The resource external ID related to the finding.
• description: The description and remediation steps for the finding.
• datadog_link: The Datadog relative link for the finding.
• ip_addresses: The list of private IP addresses for the resource related to the finding.

The response includes an array of finding objects, pagination metadata, and a count of items that match the query.

Each finding object contains the following:

• The finding ID that can be used in a GetFinding request to retrieve the full finding details.
• Core attributes, including status, evaluation, high-level resource details, muted state, and rule details.
• evaluation_changed_at and resource_discovery_date time stamps.
• An array of associated tags.

Provide a paginated version of listFindings returning a generator with all the items.

Get rules for multiple rulesets in batch.

Get a list of security scanned assets metadata for an organization.

For the "List Vulnerabilities" endpoint, see the Pagination section.

For the "List Vulnerabilities" endpoint, see the Filtering section.

For the "List Vulnerabilities" endpoint, see the Metadata section.

This endpoint returns additional metadata for cloud resources that is not available from the standard resource endpoints. To access a richer dataset, call this endpoint together with the relevant resource endpoint(s) and merge (join) their results using the resource identifier.

Hosts

To enrich host data, join the response from the Hosts endpoint with the response from the scanned-assets-metadata endpoint on the following key fields:

Host Images

To enrich host image data, join the response from the Hosts endpoint with the response from the scanned-assets-metadata endpoint on the following key fields:

Container Images

To enrich container image data, join the response from the Container Images endpoint with the response from the scanned-assets-metadata endpoint on the following key fields:

Get the list of configured security filters with their definitions.

List hist signals.

List rules.

The list endpoint returns security signals that match a search query. Both this endpoint and the POST endpoint can be used interchangeably when listing security signals.

Provide a paginated version of listSecurityMonitoringSignals returning a generator with all the items.

Get the list of all suppression rules.

List threat hunting jobs.

Get a list of vulnerabilities.

Pagination is enabled by default in both vulnerabilities and assets. The size of the page varies depending on the endpoint and cannot be modified. To automate the request of the next page, you can use the links section in the response.

This endpoint will return paginated responses. The pages are stored in the links section of the response:

{
  "data": [...],
  "meta": {...},
  "links": {
    "self": "https://.../api/v2/security/vulnerabilities",
    "first": "https://.../api/v2/security/vulnerabilities?page[number]=1&page[token]=abc",
    "last": "https://.../api/v2/security/vulnerabilities?page[number]=43&page[token]=abc",
    "next": "https://.../api/v2/security/vulnerabilities?page[number]=2&page[token]=abc"
  }
}

• links.previous is empty if the first page is requested.
• links.next is empty if the last page is requested.

Vulnerabilities can be created, updated or deleted at any point in time.

Upon the first request, a token is created to ensure consistency across subsequent paginated requests.

A token is valid only for 24 hours.

We consider a request to be the first request when there is no page[token] parameter.

The response of this first request contains the newly created token in the links section.

This token can then be used in the subsequent paginated requests.

Note: The first request may take longer to complete than subsequent requests.

Any request containing valid page[token] and page[number] parameters will be considered a subsequent request.

If the token is invalid, a 404 response will be returned.

If the page number is invalid, a 400 response will be returned.

The returned token is valid for all requests in the pagination sequence. To send paginated requests in parallel, reuse the same token and change only the page[number] parameter.

The request can include some filter parameters to filter the data to be retrieved. The format of the filter parameters follows the JSON:API format: filter[$prop_name], where prop_name is the property name in the entity being filtered by.

All filters can include multiple values, where data will be filtered with an OR clause: filter[title]=Title1,Title2 will filter all vulnerabilities where title is equal to Title1 OR Title2.

String filters are case sensitive.

Boolean filters accept true or false as values.

Number filters must include an operator as a second filter input: filter[$prop_name][$operator]. For example, for the vulnerabilities endpoint: filter[cvss.base.score][lte]=8.

Available operators are: eq (==), lt (<), lte (<=), gt (>) and gte (>=).

Following JSON:API format, object including non-standard meta-information.

This endpoint includes the meta member in the response. For more details on each of the properties included in this section, check the endpoints response tables.

{
  "data": [...],
  "meta": {
    "total": 1500,
    "count": 18732,
    "token": "some_token"
  },
  "links": {...}
}

Requests may include extensions to modify the behavior of the requested endpoint. The filter parameters follow the JSON:API format format: ext:$extension_name, where extension_name is the name of the modifier that is being applied.

Extensions can only include one value: ext:modifier=value.

Get a list of vulnerable assets.

Please review the Pagination section for the "List Vulnerabilities" endpoint.

Please review the Filtering section for the "List Vulnerabilities" endpoint.

Please review the Metadata section for the "List Vulnerabilities" endpoint.

Mute or unmute findings.

Partially update the notification rule. All fields are optional; if a field is not provided, it is not updated.

Partially update the notification rule. All fields are optional; if a field is not provided, it is not updated.

Run a threat hunting job.

Search hist signals.

Returns security signals that match a search query. Both this endpoint and the GET endpoint can be used interchangeably for listing security signals.

Provide a paginated version of searchSecurityMonitoringSignals returning a generator with all the items.

Test an existing rule.

Test a rule.

Update a custom framework.

Update resource filters.

Update a specific security filter. Returns the security filter object when the request is successful.

Update an existing rule. When updating cases, queries or options, the whole field must be included. For example, when modifying a query all queries must be included. Default rules can only be updated to be enabled, to change notifications, or to update the tags (default tags cannot be removed).

Update a specific suppression rule.

Validate a detection rule.

Validate a suppression rule.