---
title: Bulk update triage state of security signals
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: Docs > API Reference > Security Monitoring
---

# Bulk update triage state of security signals{% #bulk-update-triage-state-of-security-signals %}
Copy pageCopied
{% tab title="v2" %}

| Datadog site      | API endpoint                                                                      |
| ----------------- | --------------------------------------------------------------------------------- |
| ap1.datadoghq.com | PATCH https://api.ap1.datadoghq.com/api/v2/security_monitoring/signals/bulk/state |
| ap2.datadoghq.com | PATCH https://api.ap2.datadoghq.com/api/v2/security_monitoring/signals/bulk/state |
| app.datadoghq.eu  | PATCH https://api.datadoghq.eu/api/v2/security_monitoring/signals/bulk/state      |
| app.ddog-gov.com  | PATCH https://api.ddog-gov.com/api/v2/security_monitoring/signals/bulk/state      |
| us2.ddog-gov.com  | PATCH https://api.us2.ddog-gov.com/api/v2/security_monitoring/signals/bulk/state  |
| app.datadoghq.com | PATCH https://api.datadoghq.com/api/v2/security_monitoring/signals/bulk/state     |
| us3.datadoghq.com | PATCH https://api.us3.datadoghq.com/api/v2/security_monitoring/signals/bulk/state |
| us5.datadoghq.com | PATCH https://api.us5.datadoghq.com/api/v2/security_monitoring/signals/bulk/state |

### Overview

Change the triage states of multiple security signals at once. The maximum number of signals that can be updated in a single request is 199. This endpoint requires the `security_monitoring_signals_write` permission.

### Request

#### Body Data (required)

Attributes describing the signal state updates.

{% tab title="Model" %}

| Parent field | Field                        | Type     | Description                                                                                                                                                                           |
| ------------ | ---------------------------- | -------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|              | data [*required*]       | [object] | An array of signal state updates.                                                                                                                                                     |
| data         | attributes [*required*] | object   | Attributes describing the change of state of a security signal.                                                                                                                       |
| attributes   | archive_comment              | string   | Optional comment to display on archived signals.                                                                                                                                      |
| attributes   | archive_reason               | enum     | Reason a signal is archived. Allowed enum values: `none,false_positive,testing_or_maintenance,remediated,investigated_case_opened,true_positive_benign,true_positive_malicious,other` |
| attributes   | state [*required*]      | enum     | The new triage state of the signal. Allowed enum values: `open,archived,under_review`                                                                                                 |
| attributes   | version                      | int64    | Version of the updated signal. If server side version is higher, update will be rejected.                                                                                             |
| data         | id [*required*]         | string   | The unique ID of the security signal.                                                                                                                                                 |
| data         | type                         | enum     | The type of event. Allowed enum values: `signal`                                                                                                                                      |

{% /tab %}

{% tab title="Example" %}

```json
{
  "data": [
    {
      "attributes": {
        "archive_comment": "string",
        "archive_reason": "string",
        "state": "open",
        "version": "integer"
      },
      "id": "AAAAAWgN8Xwgr1vKDQAAAABBV2dOOFh3ZzZobm1mWXJFYTR0OA",
      "type": "signal"
    }
  ]
}
```

{% /tab %}

### Response

{% tab title="200" %}
OK
{% tab title="Model" %}
Response for a bulk triage update of security signals.

| Parent field         | Field                          | Type      | Description                                                                                                                                                                           |
| -------------------- | ------------------------------ | --------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|                      | result [*required*]       | object    | The result payload of a bulk signal triage update.                                                                                                                                    |
| result               | count [*required*]        | int64     | The number of signals updated.                                                                                                                                                        |
| result               | events [*required*]       | [object]  | The list of updated signals.                                                                                                                                                          |
| events               | event [*required*]        | object    | Triage attributes of a security signal returned in a bulk update response.                                                                                                            |
| event                | archive_comment                | string    | Optional comment to display on archived signals.                                                                                                                                      |
| event                | archive_comment_timestamp      | int64     | Timestamp of the last edit to the archive comment.                                                                                                                                    |
| event                | archive_comment_user           | object    | Object representing a given user entity.                                                                                                                                              |
| archive_comment_user | handle                         | string    | The handle for this user account.                                                                                                                                                     |
| archive_comment_user | icon                           | string    | Gravatar icon associated to the user.                                                                                                                                                 |
| archive_comment_user | id                             | int64     | Numerical ID assigned by Datadog to this user account.                                                                                                                                |
| archive_comment_user | name                           | string    | The name for this user account.                                                                                                                                                       |
| archive_comment_user | uuid [*required*]         | string    | UUID assigned by Datadog to this user account.                                                                                                                                        |
| event                | archive_reason                 | enum      | Reason a signal is archived. Allowed enum values: `none,false_positive,testing_or_maintenance,remediated,investigated_case_opened,true_positive_benign,true_positive_malicious,other` |
| event                | assignee [*required*]     | object    | Object representing a given user entity.                                                                                                                                              |
| assignee             | handle                         | string    | The handle for this user account.                                                                                                                                                     |
| assignee             | icon                           | string    | Gravatar icon associated to the user.                                                                                                                                                 |
| assignee             | id                             | int64     | Numerical ID assigned by Datadog to this user account.                                                                                                                                |
| assignee             | name                           | string    | The name for this user account.                                                                                                                                                       |
| assignee             | uuid [*required*]         | string    | UUID assigned by Datadog to this user account.                                                                                                                                        |
| event                | id [*required*]           | string    | The unique ID of the security signal.                                                                                                                                                 |
| event                | incident_ids [*required*] | [integer] | Array of incidents that are associated with this signal.                                                                                                                              |
| event                | state [*required*]        | enum      | The new triage state of the signal. Allowed enum values: `open,archived,under_review`                                                                                                 |
| event                | state_update_timestamp         | int64     | Timestamp of the last state update.                                                                                                                                                   |
| event                | state_update_user              | object    | Object representing a given user entity.                                                                                                                                              |
| state_update_user    | handle                         | string    | The handle for this user account.                                                                                                                                                     |
| state_update_user    | icon                           | string    | Gravatar icon associated to the user.                                                                                                                                                 |
| state_update_user    | id                             | int64     | Numerical ID assigned by Datadog to this user account.                                                                                                                                |
| state_update_user    | name                           | string    | The name for this user account.                                                                                                                                                       |
| state_update_user    | uuid [*required*]         | string    | UUID assigned by Datadog to this user account.                                                                                                                                        |
| events               | id [*required*]           | string    | The unique ID of the security signal.                                                                                                                                                 |
|                      | status [*required*]       | string    | The status of the bulk operation.                                                                                                                                                     |
|                      | type [*required*]         | string    | The type of the response.                                                                                                                                                             |

{% /tab %}

{% tab title="Example" %}

```json
{
  "result": {
    "count": 2,
    "events": [
      {
        "event": {
          "archive_comment": "string",
          "archive_comment_timestamp": "integer",
          "archive_comment_user": {
            "handle": "string",
            "icon": "/path/to/matching/gravatar/icon",
            "id": "integer",
            "name": "string",
            "uuid": "773b045d-ccf8-4808-bd3b-955ef6a8c940"
          },
          "archive_reason": "string",
          "assignee": {
            "handle": "string",
            "icon": "/path/to/matching/gravatar/icon",
            "id": "integer",
            "name": "string",
            "uuid": "773b045d-ccf8-4808-bd3b-955ef6a8c940"
          },
          "id": "AAAAAWgN8Xwgr1vKDQAAAABBV2dOOFh3ZzZobm1mWXJFYTR0OA",
          "incident_ids": [
            2066
          ],
          "state": "open",
          "state_update_timestamp": "integer",
          "state_update_user": {
            "handle": "string",
            "icon": "/path/to/matching/gravatar/icon",
            "id": "integer",
            "name": "string",
            "uuid": "773b045d-ccf8-4808-bd3b-955ef6a8c940"
          }
        },
        "id": "AAAAAWgN8Xwgr1vKDQAAAABBV2dOOFh3ZzZobm1mWXJFYTR0OA"
      }
    ]
  },
  "status": "done",
  "type": "status"
}
```

{% /tab %}

{% /tab %}

{% tab title="400" %}
Bad Request
{% tab title="Model" %}
API error response.

| Parent field | Field                    | Type     | Description                                                                     |
| ------------ | ------------------------ | -------- | ------------------------------------------------------------------------------- |
|              | errors [*required*] | [object] | A list of errors.                                                               |
| errors       | detail                   | string   | A human-readable explanation specific to this occurrence of the error.          |
| errors       | meta                     | object   | Non-standard meta-information about the error                                   |
| errors       | source                   | object   | References to the source of the error.                                          |
| source       | header                   | string   | A string indicating the name of a single request header which caused the error. |
| source       | parameter                | string   | A string indicating which URI query parameter caused the error.                 |
| source       | pointer                  | string   | A JSON pointer to the value in the request document that caused the error.      |
| errors       | status                   | string   | Status code of the response.                                                    |
| errors       | title                    | string   | Short human-readable summary of the error.                                      |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    {
      "detail": "Missing required attribute in body",
      "meta": {},
      "source": {
        "header": "Authorization",
        "parameter": "limit",
        "pointer": "/data/attributes/title"
      },
      "status": "400",
      "title": "Bad Request"
    }
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="403" %}
Forbidden
{% tab title="Model" %}
API error response.

| Parent field | Field                    | Type     | Description                                                                     |
| ------------ | ------------------------ | -------- | ------------------------------------------------------------------------------- |
|              | errors [*required*] | [object] | A list of errors.                                                               |
| errors       | detail                   | string   | A human-readable explanation specific to this occurrence of the error.          |
| errors       | meta                     | object   | Non-standard meta-information about the error                                   |
| errors       | source                   | object   | References to the source of the error.                                          |
| source       | header                   | string   | A string indicating the name of a single request header which caused the error. |
| source       | parameter                | string   | A string indicating which URI query parameter caused the error.                 |
| source       | pointer                  | string   | A JSON pointer to the value in the request document that caused the error.      |
| errors       | status                   | string   | Status code of the response.                                                    |
| errors       | title                    | string   | Short human-readable summary of the error.                                      |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    {
      "detail": "Missing required attribute in body",
      "meta": {},
      "source": {
        "header": "Authorization",
        "parameter": "limit",
        "pointer": "/data/attributes/title"
      },
      "status": "400",
      "title": "Bad Request"
    }
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="429" %}
Too many requests
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

### Code Example

##### 
                  \## default
# 
 \# Curl command curl -X PATCH "https://api.datadoghq.com/api/v2/security_monitoring/signals/bulk/state" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "data": [
    {
      "attributes": {
        "archive_reason": "none",
        "state": "archived"
      },
      "id": "AAAAAWgN8Xwgr1vKDQAAAABBV2dOOFh3ZzZobm1mWXJFYTR0OA",
      "type": "signal"
    }
  ]
}
EOF 
                
##### 

```python
"""
Bulk update triage state of security signals returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.security_monitoring_signal_archive_reason import SecurityMonitoringSignalArchiveReason
from datadog_api_client.v2.model.security_monitoring_signal_state import SecurityMonitoringSignalState
from datadog_api_client.v2.model.security_monitoring_signal_state_update_attributes import (
    SecurityMonitoringSignalStateUpdateAttributes,
)
from datadog_api_client.v2.model.security_monitoring_signal_type import SecurityMonitoringSignalType
from datadog_api_client.v2.model.security_monitoring_signals_bulk_state_update_data import (
    SecurityMonitoringSignalsBulkStateUpdateData,
)
from datadog_api_client.v2.model.security_monitoring_signals_bulk_state_update_request import (
    SecurityMonitoringSignalsBulkStateUpdateRequest,
)

body = SecurityMonitoringSignalsBulkStateUpdateRequest(
    data=[
        SecurityMonitoringSignalsBulkStateUpdateData(
            attributes=SecurityMonitoringSignalStateUpdateAttributes(
                archive_reason=SecurityMonitoringSignalArchiveReason.NONE,
                state=SecurityMonitoringSignalState.OPEN,
            ),
            id="AAAAAWgN8Xwgr1vKDQAAAABBV2dOOFh3ZzZobm1mWXJFYTR0OA",
            type=SecurityMonitoringSignalType.SIGNAL,
        ),
    ],
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.bulk_edit_security_monitoring_signals_state(body=body)

    print(response)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest.md?code-lang=python) and then save the example to `example.py` and run following commands:
    DD_SITE="datadoghq.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" python3 "example.py"
##### 

```ruby
# Bulk update triage state of security signals returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

body = DatadogAPIClient::V2::SecurityMonitoringSignalsBulkStateUpdateRequest.new({
  data: [
    DatadogAPIClient::V2::SecurityMonitoringSignalsBulkStateUpdateData.new({
      attributes: DatadogAPIClient::V2::SecurityMonitoringSignalStateUpdateAttributes.new({
        archive_reason: DatadogAPIClient::V2::SecurityMonitoringSignalArchiveReason::NONE,
        state: DatadogAPIClient::V2::SecurityMonitoringSignalState::OPEN,
      }),
      id: "AAAAAWgN8Xwgr1vKDQAAAABBV2dOOFh3ZzZobm1mWXJFYTR0OA",
      type: DatadogAPIClient::V2::SecurityMonitoringSignalType::SIGNAL,
    }),
  ],
})
p api_instance.bulk_edit_security_monitoring_signals_state(body)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest.md?code-lang=ruby) and then save the example to `example.rb` and run following commands:
    DD_SITE="datadoghq.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" rb "example.rb"
##### 

```go
// Bulk update triage state of security signals returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	body := datadogV2.SecurityMonitoringSignalsBulkStateUpdateRequest{
		Data: []datadogV2.SecurityMonitoringSignalsBulkStateUpdateData{
			{
				Attributes: datadogV2.SecurityMonitoringSignalStateUpdateAttributes{
					ArchiveReason: datadogV2.SECURITYMONITORINGSIGNALARCHIVEREASON_NONE.Ptr(),
					State:         datadogV2.SECURITYMONITORINGSIGNALSTATE_OPEN,
				},
				Id:   "AAAAAWgN8Xwgr1vKDQAAAABBV2dOOFh3ZzZobm1mWXJFYTR0OA",
				Type: datadogV2.SECURITYMONITORINGSIGNALTYPE_SIGNAL.Ptr(),
			},
		},
	}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.BulkEditSecurityMonitoringSignalsState(ctx, body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.BulkEditSecurityMonitoringSignalsState`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.BulkEditSecurityMonitoringSignalsState`:\n%s\n", responseContent)
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest.md?code-lang=go) and then save the example to `main.go` and run following commands:
    DD_SITE="datadoghq.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" go run "main.go"
##### 

```java
// Bulk update triage state of security signals returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityMonitoringSignalArchiveReason;
import com.datadog.api.client.v2.model.SecurityMonitoringSignalState;
import com.datadog.api.client.v2.model.SecurityMonitoringSignalStateUpdateAttributes;
import com.datadog.api.client.v2.model.SecurityMonitoringSignalType;
import com.datadog.api.client.v2.model.SecurityMonitoringSignalsBulkStateUpdateData;
import com.datadog.api.client.v2.model.SecurityMonitoringSignalsBulkStateUpdateRequest;
import com.datadog.api.client.v2.model.SecurityMonitoringSignalsBulkTriageUpdateResponse;
import java.util.Collections;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    SecurityMonitoringSignalsBulkStateUpdateRequest body =
        new SecurityMonitoringSignalsBulkStateUpdateRequest()
            .data(
                Collections.singletonList(
                    new SecurityMonitoringSignalsBulkStateUpdateData()
                        .attributes(
                            new SecurityMonitoringSignalStateUpdateAttributes()
                                .archiveReason(SecurityMonitoringSignalArchiveReason.NONE)
                                .state(SecurityMonitoringSignalState.OPEN))
                        .id("AAAAAWgN8Xwgr1vKDQAAAABBV2dOOFh3ZzZobm1mWXJFYTR0OA")
                        .type(SecurityMonitoringSignalType.SIGNAL)));

    try {
      SecurityMonitoringSignalsBulkTriageUpdateResponse result =
          apiInstance.bulkEditSecurityMonitoringSignalsState(body);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#bulkEditSecurityMonitoringSignalsState");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest.md?code-lang=java) and then save the example to `Example.java` and run following commands:
    DD_SITE="datadoghq.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" java "Example.java"
##### 

```rust
// Bulk update triage state of security signals returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::SecurityMonitoringSignalArchiveReason;
use datadog_api_client::datadogV2::model::SecurityMonitoringSignalState;
use datadog_api_client::datadogV2::model::SecurityMonitoringSignalStateUpdateAttributes;
use datadog_api_client::datadogV2::model::SecurityMonitoringSignalType;
use datadog_api_client::datadogV2::model::SecurityMonitoringSignalsBulkStateUpdateData;
use datadog_api_client::datadogV2::model::SecurityMonitoringSignalsBulkStateUpdateRequest;

#[tokio::main]
async fn main() {
    let body = SecurityMonitoringSignalsBulkStateUpdateRequest::new(vec![
        SecurityMonitoringSignalsBulkStateUpdateData::new(
            SecurityMonitoringSignalStateUpdateAttributes::new(SecurityMonitoringSignalState::OPEN)
                .archive_reason(SecurityMonitoringSignalArchiveReason::NONE),
            "AAAAAWgN8Xwgr1vKDQAAAABBV2dOOFh3ZzZobm1mWXJFYTR0OA".to_string(),
        )
        .type_(SecurityMonitoringSignalType::SIGNAL),
    ]);
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api.bulk_edit_security_monitoring_signals_state(body).await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest.md?code-lang=rust) and then save the example to `src/main.rs` and run following commands:
    DD_SITE="datadoghq.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" cargo run
##### 

```typescript
/**
 * Bulk update triage state of security signals returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiBulkEditSecurityMonitoringSignalsStateRequest =
  {
    body: {
      data: [
        {
          attributes: {
            archiveReason: "none",
            state: "open",
          },
          id: "AAAAAWgN8Xwgr1vKDQAAAABBV2dOOFh3ZzZobm1mWXJFYTR0OA",
          type: "signal",
        },
      ],
    },
  };

apiInstance
  .bulkEditSecurityMonitoringSignalsState(params)
  .then((data: v2.SecurityMonitoringSignalsBulkTriageUpdateResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest.md?code-lang=typescript) and then save the example to `example.ts` and run following commands:
    DD_SITE="datadoghq.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" tsc "example.ts"
{% /tab %}