--- title: Bulk subscribe to sample log generation description: Datadog, the leading service for cloud-scale monitoring. breadcrumbs: Docs > API Reference > Security Monitoring --- # Bulk subscribe to sample log generation{% #bulk-subscribe-to-sample-log-generation %} Copy pageCopied {% tab title="v2" %} **Note**: This endpoint is in preview and is subject to change. If you have any feedback, contact [Datadog support](https://docs.datadoghq.com/help/). | Datadog site | API endpoint | | ----------------- | ------------------------------------------------------------------------------------------------------ | | ap1.datadoghq.com | POST https://api.ap1.datadoghq.com/api/v2/security_monitoring/sample_log_generation/subscriptions/bulk | | ap2.datadoghq.com | POST https://api.ap2.datadoghq.com/api/v2/security_monitoring/sample_log_generation/subscriptions/bulk | | app.datadoghq.eu | POST https://api.datadoghq.eu/api/v2/security_monitoring/sample_log_generation/subscriptions/bulk | | app.ddog-gov.com | POST https://api.ddog-gov.com/api/v2/security_monitoring/sample_log_generation/subscriptions/bulk | | us2.ddog-gov.com | POST https://api.us2.ddog-gov.com/api/v2/security_monitoring/sample_log_generation/subscriptions/bulk | | app.datadoghq.com | POST https://api.datadoghq.com/api/v2/security_monitoring/sample_log_generation/subscriptions/bulk | | us3.datadoghq.com | POST https://api.us3.datadoghq.com/api/v2/security_monitoring/sample_log_generation/subscriptions/bulk | | us5.datadoghq.com | POST https://api.us5.datadoghq.com/api/v2/security_monitoring/sample_log_generation/subscriptions/bulk | ### Overview Subscribe to sample log generation for multiple Cloud SIEM content packs in a single call. Each requested content pack is processed independently; the response includes a per-item status so partial successes can be inspected. **Availability**: this endpoint is restricted to Cloud SIEM trial organizations on an eligible pricing model. Non-trial orgs receive `403 Forbidden`, the feature flag may also reject requests with `400 Bad Request`, and legacy pricing tiers receive per-item responses with `status: not_available`. This endpoint requires any of the following permissions:`security_monitoring_filters_write``logs_modify_indexes` OAuth apps require the `security_monitoring_filters_write, logs_modify_indexes` authorization [scope](https://docs.datadoghq.com/api/latest/scopes.md#security-monitoring) to access this endpoint. ### Request #### Body Data (required) The content packs to subscribe to and the desired duration of the subscriptions. {% tab title="Model" %} | Parent field | Field | Type | Description | | ------------ | ---------------------------------- | -------- | ------------------------------------------------------------------------------------------------------------------------------------ | | | data [*required*] | object | The bulk subscription request body. | | data | attributes [*required*] | object | The attributes for creating sample log generation subscriptions for multiple content packs. | | attributes | content_pack_ids [*required*] | [string] | The identifiers of the Cloud SIEM content packs to subscribe to. At most five content packs can be requested in a single call. | | attributes | duration | enum | How long the subscription should remain active before expiring. Allowed enum values: `1h,1d,3d,7d` | | data | type [*required*] | enum | The type of the resource. The value should always be `bulk_subscription_requests`. Allowed enum values: `bulk_subscription_requests` | {% /tab %} {% tab title="Example" %} ```json { "data": { "attributes": { "content_pack_ids": [ "aws-cloudtrail" ], "duration": "3d" }, "type": "bulk_subscription_requests" } } ``` {% /tab %} ### Response {% tab title="200" %} OK {% tab title="Model" %} Response containing the per-content-pack results of a bulk subscription request. | Parent field | Field | Type | Description | | ------------ | --------------------------------- | --------- | ------------------------------------------------------------------------------------------------------------------------------------------ | | | data [*required*] | [object] | The list of bulk subscription results, one per requested content pack. | | data | attributes [*required*] | object | The attributes describing a sample log generation subscription. | | attributes | content_pack_id [*required*] | string | The identifier of the Cloud SIEM content pack the subscription targets. | | attributes | created_at [*required*] | date-time | The time at which the subscription was created. | | attributes | expires_at [*required*] | date-time | The time at which the subscription expires and stops generating logs. | | attributes | is_active [*required*] | boolean | Whether the subscription is currently active and generating logs. | | attributes | status [*required*] | enum | The status of the subscription. Allowed enum values: `subscribed,renewed,unsubscribed,no_active_subscription,not_available,active,expired` | | data | id [*required*] | string | The unique identifier of the subscription, when one was created. | | data | meta [*required*] | object | Per-item status returned for a bulk subscription request. | | meta | error | string | A description of the error encountered for this content pack, if the subscription could not be created. | | meta | status [*required*] | int32 | The HTTP status code that resulted from creating the subscription for this content pack. | | data | type [*required*] | enum | The type of the resource. The value should always be `subscriptions`. Allowed enum values: `subscriptions` | {% /tab %} {% tab title="Example" %} ```json { "data": [ { "attributes": { "content_pack_id": "aws-cloudtrail", "created_at": "2026-05-08T20:02:13.77481Z", "expires_at": "2026-05-11T20:02:13.77481Z", "is_active": true, "status": "subscribed" }, "id": "123", "meta": { "error": "content pack does not exist", "status": 200 }, "type": "subscriptions" } ] } ``` {% /tab %} {% /tab %} {% tab title="400" %} Bad Request {% tab title="Model" %} API error response. | Field | Type | Description | | ------------------------ | -------- | ----------------- | | errors [*required*] | [string] | A list of errors. | {% /tab %} {% tab title="Example" %} ```json { "errors": [ "Bad Request" ] } ``` {% /tab %} {% /tab %} {% tab title="403" %} Not Authorized {% tab title="Model" %} API error response. | Field | Type | Description | | ------------------------ | -------- | ----------------- | | errors [*required*] | [string] | A list of errors. | {% /tab %} {% tab title="Example" %} ```json { "errors": [ "Bad Request" ] } ``` {% /tab %} {% /tab %} {% tab title="429" %} Too many requests {% tab title="Model" %} API error response. | Field | Type | Description | | ------------------------ | -------- | ----------------- | | errors [*required*] | [string] | A list of errors. | {% /tab %} {% tab title="Example" %} ```json { "errors": [ "Bad Request" ] } ``` {% /tab %} {% /tab %} ### Code Example ##### \## default # \# Curl command curl -X POST "https://api.datadoghq.com/api/v2/security_monitoring/sample_log_generation/subscriptions/bulk" \ -H "Accept: application/json" \ -H "Content-Type: application/json" \ -H "DD-API-KEY: ${DD_API_KEY}" \ -H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \ -d @- << EOF { "data": { "attributes": { "content_pack_ids": [ "aws-cloudtrail" ], "duration": "3d" }, "type": "bulk_subscription_requests" } } EOF {% /tab %}