Create a dataset

Note: This endpoint is in preview and is subject to change. If you have any feedback, contact Datadog support.

POST https://api.ap1.datadoghq.com/api/v2/security_monitoring/datasets
POST https://api.ap2.datadoghq.com/api/v2/security_monitoring/datasets
POST https://api.datadoghq.eu/api/v2/security_monitoring/datasets
POST https://api.ddog-gov.com/api/v2/security_monitoring/datasets
POST https://api.us2.ddog-gov.com/api/v2/security_monitoring/datasets
POST https://api.datadoghq.com/api/v2/security_monitoring/datasets
POST https://api.us3.datadoghq.com/api/v2/security_monitoring/datasets
POST https://api.us5.datadoghq.com/api/v2/security_monitoring/datasets

Overview

Create a new Cloud SIEM dataset. A dataset bundles a data source, a set of indexes, and a search query that can be referenced from detection rules. This endpoint requires any of the following permissions:

  • security_monitoring_rules_write
  • security_monitoring_dataset_write

  • OAuth apps require the security_monitoring_rules_write authorization scope to access this endpoint.

    Request

    Body Data (required)

    Field [required] (Type): Description

    data [required] (object): The data wrapper of a dataset create request.
      attributes [required] (object): The attributes of a dataset create or update request.
        definition [required] (object): The definition of the dataset. The shape depends on the value of data_source. Use reference_table or managed_resource for a referential dataset, or one of the event platform sources (for example logs, audit, events, spans, rum) for an event platform dataset.
          columns ([object]): For event platform datasets, the list of columns exposed by the dataset.
            column [required] (string): The name of the column.
            type [required] (string): The type of the column value.
          data_source [required] (string): The data source backing this dataset definition.
          indexes ([string]): For event platform datasets, the list of indexes to query.
          name [required] (string): The unique name of the dataset. Must start with a lowercase letter and contain only lowercase letters, digits, and underscores (max 255 characters).
          query_filter (string): For referential datasets, an optional filter expression applied to the table.
          search (object): The search clause applied to an event platform dataset.
            query [required] (string): The search query expression.
          storage (string): Storage tier the dataset reads from. Applies to event platform datasets.
          table_name (string): For referential datasets, the name of the underlying table.
          time_window (object): An optional time window that overrides the default query time range.
            from (int64): Inclusive start of the time window, in milliseconds since the Unix epoch.
            to (int64): Exclusive end of the time window, in milliseconds since the Unix epoch.
        description (string): The description of the dataset. Maximum 255 characters.
        version (int64): The expected current version of the dataset for optimistic concurrency control on updates. If the dataset's current version does not match, the request is rejected with a 409 Conflict.
      type [required] (enum): The type of resource for a dataset create request. Allowed enum values: datasetCreate

    {
      "data": {
        "attributes": {
          "definition": {
            "columns": [
              {
                "column": "message",
                "type": "string"
              }
            ],
            "data_source": "logs",
            "indexes": [],
            "name": "sample_dataset",
            "query_filter": "status = 'active'",
            "search": {
              "query": "*"
            },
            "storage": "hot",
            "table_name": "my_reference_table",
            "time_window": {
              "from": 1700000000000,
              "to": 1700003600000
            }
          },
          "description": "A sample dataset used for detection rules.",
          "version": 1
        },
        "type": "datasetCreate"
      }
    }
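A pre-flight check for the request body, added here as an example (not Datadog's code): it applies the name, description and time-window rules from the field descriptions above and reports each problem with a JSON pointer, the same form the API uses in `source.pointer`. Flagging fields that belong to the other dataset shape is an assumption of this example, not documented server behaviour, and `lint_dataset_create` and `SAMPLE` are hypothetical names.

```python
import re

# Rules come from the field descriptions above. The cross-shape check is an
# assumption of this example, not documented server behaviour.
NAME_RE = re.compile(r"[a-z][a-z0-9_]*")
REFERENTIAL_SOURCES = {"reference_table", "managed_resource"}
REFERENTIAL_ONLY = {"table_name", "query_filter"}
EVENT_ONLY = {"columns", "indexes", "search", "storage"}
DEF = "/data/attributes/definition"


def lint_dataset_create(body):
    """Return (json_pointer, message) problems; an empty list means clean."""
    attrs = body.get("data", {}).get("attributes", {})
    d = attrs.get("definition", {})
    out = []
    name = d.get("name")
    if not isinstance(name, str) or len(name) > 255 or not NAME_RE.fullmatch(name):
        out.append((f"{DEF}/name", "must match [a-z][a-z0-9_]*, max 255 chars"))
    if len(attrs.get("description", "")) > 255:
        out.append(("/data/attributes/description", "maximum 255 characters"))
    source = d.get("data_source")
    if not isinstance(source, str) or not source:
        out.append((f"{DEF}/data_source", "required"))
    else:
        wrong = EVENT_ONLY if source in REFERENTIAL_SOURCES else REFERENTIAL_ONLY
        for field in sorted(wrong.intersection(d)):
            out.append((f"{DEF}/{field}", f"not used with data_source '{source}'"))
    for i, col in enumerate(d.get("columns") or []):
        for key in ("column", "type"):
            if not isinstance(col.get(key), str):
                out.append((f"{DEF}/columns/{i}/{key}", "required string"))
    search = d.get("search")
    if search is not None and not isinstance(search.get("query"), str):
        out.append((f"{DEF}/search/query", "required string"))
    win = d.get("time_window") or {}
    if "from" in win and "to" in win and win["from"] >= win["to"]:
        out.append((f"{DEF}/time_window", "'from' must be earlier than 'to'"))
    return out


# Constructed sample: an event platform dataset that also carries a
# referential-only field, an invalid name and an empty time window.
SAMPLE = {"data": {"type": "datasetCreate", "attributes": {"definition": {
    "data_source": "logs", "name": "Auth-Failures", "indexes": ["main"],
    "search": {"query": "*"}, "table_name": "my_reference_table",
    "time_window": {"from": 1700003600000, "to": 1700003600000}}}}}
print(lint_dataset_create(SAMPLE))
```

Running the check in CI before the POST catches naming and shape mistakes without spending a request against the rate limit.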

    Response

    Created

    Response returned after creating a dataset.

    Field [required] (Type): Description

    data [required] (object): The data wrapper of a dataset create response.
      id [required] (string): The UUID of the newly created dataset.
      type [required] (enum): The type of resource for a dataset response. Allowed enum values: dataset

    {
      "data": {
        "id": "123e4567-e89b-12d3-a456-426614174000",
        "type": "dataset"
      }
    }

    Bad Request

    API error response.

    Field [required] (Type): Description

    errors [required] ([object]): A list of errors.
      detail (string): A human-readable explanation specific to this occurrence of the error.
      meta (object): Non-standard meta-information about the error.
      source (object): References to the source of the error.
        header (string): A string indicating the name of a single request header which caused the error.
        parameter (string): A string indicating which URI query parameter caused the error.
        pointer (string): A JSON pointer to the value in the request document that caused the error.
      status (string): Status code of the response.
      title (string): Short human-readable summary of the error.

    {
      "errors": [
        {
          "detail": "Missing required attribute in body",
          "meta": {},
          "source": {
            "header": "Authorization",
            "parameter": "limit",
            "pointer": "/data/attributes/title"
          },
          "status": "400",
          "title": "Bad Request"
        }
      ]
    }

    Forbidden

    API error response.

    Field [required] (Type): Description

    errors [required] ([object]): A list of errors.
      detail (string): A human-readable explanation specific to this occurrence of the error.
      meta (object): Non-standard meta-information about the error.
      source (object): References to the source of the error.
        header (string): A string indicating the name of a single request header which caused the error.
        parameter (string): A string indicating which URI query parameter caused the error.
        pointer (string): A JSON pointer to the value in the request document that caused the error.
      status (string): Status code of the response.
      title (string): Short human-readable summary of the error.

    {
      "errors": [
        {
          "detail": "Missing required attribute in body",
          "meta": {},
          "source": {
            "header": "Authorization",
            "parameter": "limit",
            "pointer": "/data/attributes/title"
          },
          "status": "400",
          "title": "Bad Request"
        }
      ]
    }

    Conflict

    API error response.

    Field [required] (Type): Description

    errors [required] ([object]): A list of errors.
      detail (string): A human-readable explanation specific to this occurrence of the error.
      meta (object): Non-standard meta-information about the error.
      source (object): References to the source of the error.
        header (string): A string indicating the name of a single request header which caused the error.
        parameter (string): A string indicating which URI query parameter caused the error.
        pointer (string): A JSON pointer to the value in the request document that caused the error.
      status (string): Status code of the response.
      title (string): Short human-readable summary of the error.

    {
      "errors": [
        {
          "detail": "Missing required attribute in body",
          "meta": {},
          "source": {
            "header": "Authorization",
            "parameter": "limit",
            "pointer": "/data/attributes/title"
          },
          "status": "400",
          "title": "Bad Request"
        }
      ]
    }

    Too many requests

    API error response.

    Field [required] (Type): Description

    errors [required] ([string]): A list of errors.

    {
      "errors": [
        "Bad Request"
      ]
    }

    Code Example

    # Curl command
    # Replace api.datadoghq.com with the API host for your Datadog site (see the endpoint list above).
    curl -X POST "https://api.datadoghq.com/api/v2/security_monitoring/datasets" \
      -H "Accept: application/json" \
      -H "Content-Type: application/json" \
      -H "DD-API-KEY: ${DD_API_KEY}" \
      -H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
      -d @- << EOF
    {
      "data": {
        "attributes": {
          "definition": {
            "columns": [
              {
                "column": "message",
                "type": "string"
              }
            ],
            "data_source": "logs",
            "indexes": [
              "main"
            ],
            "name": "sample_dataset",
            "search": {
              "query": "*"
            }
          },
          "description": "A sample dataset used for detection rules."
        },
        "type": "datasetCreate"
      }
    }
    EOF