--- title: Create a new signal-based notification rule description: Datadog, the leading service for cloud-scale monitoring. breadcrumbs: Docs > API Reference > Security Monitoring --- # Create a new signal-based notification rule{% #create-a-new-signal-based-notification-rule %} Copy pageCopied {% tab title="v2" %} | Datadog site | API endpoint | | ----------------- | ----------------------------------------------------------------------------- | | ap1.datadoghq.com | POST https://api.ap1.datadoghq.com/api/v2/security/signals/notification_rules | | ap2.datadoghq.com | POST https://api.ap2.datadoghq.com/api/v2/security/signals/notification_rules | | app.datadoghq.eu | POST https://api.datadoghq.eu/api/v2/security/signals/notification_rules | | app.ddog-gov.com | POST https://api.ddog-gov.com/api/v2/security/signals/notification_rules | | us2.ddog-gov.com | POST https://api.us2.ddog-gov.com/api/v2/security/signals/notification_rules | | app.datadoghq.com | POST https://api.datadoghq.com/api/v2/security/signals/notification_rules | | us3.datadoghq.com | POST https://api.us3.datadoghq.com/api/v2/security/signals/notification_rules | | us5.datadoghq.com | POST https://api.us5.datadoghq.com/api/v2/security/signals/notification_rules | ### Overview Create a new notification rule for security signals and return the created rule. This endpoint requires the `security_monitoring_notification_profiles_write` permission. ### Request #### Body Data (required) The body of the create notification rule request is composed of the rule type and the rule attributes: the rule name, the selectors, the notification targets, and the rule enabled status. {% tab title="Model" %} | Parent field | Field | Type | Description | | ------------ | -------------------------------- | -------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | data | object | Data of the notification rule create request: the rule type, and the rule attributes. All fields are required. | | data | attributes [*required*] | object | Attributes of the notification rule create request. | | attributes | enabled | boolean | Field used to enable or disable the rule. | | attributes | name [*required*] | string | Name of the notification rule. | | attributes | routing | object | Routing configuration for the notification rule. | | routing | mode [*required*] | enum | The routing mode for the notification rule. `manual` sends notifications to the configured targets. Allowed enum values: `manual` | | attributes | selectors [*required*] | object | Selectors are used to filter security issues for which notifications should be generated. Users can specify rule severities, rule types, a query to filter security issues on tags and attributes, and the trigger source. Only the trigger_source field is required. | | selectors | query | string | The query is composed of one or several key:value pairs, which can be used to filter security issues on tags and attributes. | | selectors | rule_types | [string] | Security rule types used as filters in security rules. | | selectors | severities | [string] | The security rules severities to consider. | | selectors | trigger_source [*required*] | enum | The type of security issues on which the rule applies. Notification rules based on security signals need to use the trigger source "security_signals", while notification rules based on security vulnerabilities need to use the trigger source "security_findings". Allowed enum values: `security_findings,security_signals` | | attributes | targets [*required*] | [string] | List of recipients to notify when a notification rule is triggered. Many different target types are supported, such as email addresses, Slack channels, and PagerDuty services. The appropriate integrations need to be properly configured to send notifications to the specified targets. | | attributes | time_aggregation | int64 | Time aggregation period (in seconds) is used to aggregate the results of the notification rule evaluation. Results are aggregated over a selected time frame using a rolling window, which updates with each new evaluation. Notifications are only sent for new issues discovered during the window. Time aggregation is only available for vulnerability-based notification rules. When omitted or set to 0, no aggregation is done. | | data | type [*required*] | enum | The rule type associated to notification rules. Allowed enum values: `notification_rules` | {% /tab %} {% tab title="Example" %} ```json { "data": { "attributes": { "enabled": true, "name": "Rule 1", "selectors": { "query": "(source:production_service OR env:prod)", "rule_types": [ "misconfiguration", "attack_path" ], "severities": [ "critical" ], "trigger_source": "security_findings" }, "targets": [ "@john.doe@email.com" ], "time_aggregation": 86400 }, "type": "notification_rules" } } ``` {% /tab %} ### Response {% tab title="201" %} Successfully created the notification rule. {% tab title="Model" %} Response object which includes a notification rule. | Parent field | Field | Type | Description | | ------------ | -------------------------------- | -------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | data | object | Notification rules allow full control over notifications generated by the various Datadog security products. They allow users to define the conditions under which a notification should be generated (based on rule severities, rule types, rule tags, and so on), and the targets to notify. A notification rule is composed of a rule ID, a rule type, and the rule attributes. All fields are required. | | data | attributes [*required*] | object | Attributes of the notification rule. | | attributes | created_at [*required*] | int64 | Date as Unix timestamp in milliseconds. | | attributes | created_by [*required*] | object | User creating or modifying a rule. | | created_by | handle | string | The user handle. | | created_by | name | string | The user name. | | attributes | enabled [*required*] | boolean | Field used to enable or disable the rule. | | attributes | modified_at [*required*] | int64 | Date as Unix timestamp in milliseconds. | | attributes | modified_by [*required*] | object | User creating or modifying a rule. | | modified_by | handle | string | The user handle. | | modified_by | name | string | The user name. | | attributes | name [*required*] | string | Name of the notification rule. | | attributes | selectors [*required*] | object | Selectors are used to filter security issues for which notifications should be generated. Users can specify rule severities, rule types, a query to filter security issues on tags and attributes, and the trigger source. Only the trigger_source field is required. | | selectors | query | string | The query is composed of one or several key:value pairs, which can be used to filter security issues on tags and attributes. | | selectors | rule_types | [string] | Security rule types used as filters in security rules. | | selectors | severities | [string] | The security rules severities to consider. | | selectors | trigger_source [*required*] | enum | The type of security issues on which the rule applies. Notification rules based on security signals need to use the trigger source "security_signals", while notification rules based on security vulnerabilities need to use the trigger source "security_findings". Allowed enum values: `security_findings,security_signals` | | attributes | targets [*required*] | [string] | List of recipients to notify when a notification rule is triggered. Many different target types are supported, such as email addresses, Slack channels, and PagerDuty services. The appropriate integrations need to be properly configured to send notifications to the specified targets. | | attributes | time_aggregation | int64 | Time aggregation period (in seconds) is used to aggregate the results of the notification rule evaluation. Results are aggregated over a selected time frame using a rolling window, which updates with each new evaluation. Notifications are only sent for new issues discovered during the window. Time aggregation is only available for vulnerability-based notification rules. When omitted or set to 0, no aggregation is done. | | attributes | version [*required*] | int64 | Version of the notification rule. It is updated when the rule is modified. | | data | id [*required*] | string | The ID of a notification rule. | | data | type [*required*] | enum | The rule type associated to notification rules. Allowed enum values: `notification_rules` | {% /tab %} {% tab title="Example" %} ```json { "data": { "attributes": { "created_at": 1722439510282, "created_by": { "handle": "john.doe@domain.com", "name": "John Doe" }, "enabled": true, "modified_at": 1722439510282, "modified_by": { "handle": "john.doe@domain.com", "name": "John Doe" }, "name": "Rule 1", "selectors": { "query": "(source:production_service OR env:prod)", "rule_types": [ "misconfiguration", "attack_path" ], "severities": [ "critical" ], "trigger_source": "security_findings" }, "targets": [ "@john.doe@email.com" ], "time_aggregation": 86400, "version": 1 }, "id": "aaa-bbb-ccc", "type": "notification_rules" } } ``` {% /tab %} {% /tab %} {% tab title="400" %} Bad Request {% tab title="Model" %} API error response. | Field | Type | Description | | ------------------------ | -------- | ----------------- | | errors [*required*] | [string] | A list of errors. | {% /tab %} {% tab title="Example" %} ```json { "errors": [ "Bad Request" ] } ``` {% /tab %} {% /tab %} {% tab title="403" %} Forbidden {% tab title="Model" %} API error response. | Field | Type | Description | | ------------------------ | -------- | ----------------- | | errors [*required*] | [string] | A list of errors. | {% /tab %} {% tab title="Example" %} ```json { "errors": [ "Bad Request" ] } ``` {% /tab %} {% /tab %} {% tab title="429" %} Too many requests {% tab title="Model" %} API error response. | Field | Type | Description | | ------------------------ | -------- | ----------------- | | errors [*required*] | [string] | A list of errors. | {% /tab %} {% tab title="Example" %} ```json { "errors": [ "Bad Request" ] } ``` {% /tab %} {% /tab %} ### Code Example ##### \## default # \# Curl command curl -X POST "https://api.datadoghq.com/api/v2/security/signals/notification_rules" \ -H "Accept: application/json" \ -H "Content-Type: application/json" \ -H "DD-API-KEY: ${DD_API_KEY}" \ -H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \ -d @- << EOF { "data": { "attributes": { "enabled": true, "name": "Rule 1", "selectors": { "query": "(source:production_service OR env:prod)", "rule_types": [ "misconfiguration", "attack_path" ], "severities": [ "critical" ], "trigger_source": "security_findings" }, "targets": [ "@john.doe@email.com" ], "time_aggregation": 86400 }, "type": "notification_rules" } } EOF ##### ```go // Create a new signal-based notification rule returns "Successfully created the notification rule." response package main import ( "context" "encoding/json" "fmt" "os" "github.com/DataDog/datadog-api-client-go/v2/api/datadog" "github.com/DataDog/datadog-api-client-go/v2/api/datadogV2" ) func main() { body := datadogV2.CreateNotificationRuleParameters{ Data: &datadogV2.CreateNotificationRuleParametersData{ Attributes: datadogV2.CreateNotificationRuleParametersDataAttributes{ Enabled: datadog.PtrBool(true), Name: "Rule 1", Selectors: datadogV2.Selectors{ Query: datadog.PtrString("(source:production_service OR env:prod)"), RuleTypes: []datadogV2.RuleTypesItems{ datadogV2.RULETYPESITEMS_MISCONFIGURATION, datadogV2.RULETYPESITEMS_ATTACK_PATH, }, Severities: []datadogV2.RuleSeverity{ datadogV2.RULESEVERITY_CRITICAL, }, TriggerSource: datadogV2.TRIGGERSOURCE_SECURITY_FINDINGS, }, Targets: []string{ "@john.doe@email.com", }, TimeAggregation: datadog.PtrInt64(86400), }, Type: datadogV2.NOTIFICATIONRULESTYPE_NOTIFICATION_RULES, }, } ctx := datadog.NewDefaultContext(context.Background()) configuration := datadog.NewConfiguration() apiClient := datadog.NewAPIClient(configuration) api := datadogV2.NewSecurityMonitoringApi(apiClient) resp, r, err := api.CreateSignalNotificationRule(ctx, body) if err != nil { fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.CreateSignalNotificationRule`: %v\n", err) fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r) } responseContent, _ := json.MarshalIndent(resp, "", " ") fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.CreateSignalNotificationRule`:\n%s\n", responseContent) } ``` #### Instructions First [install the library and its dependencies](https://docs.datadoghq.com/api/latest.md?code-lang=go) and then save the example to `main.go` and run following commands: DD_SITE="datadoghq.com" DD_API_KEY="" DD_APP_KEY="" go run "main.go" ##### ```java // Create a new signal-based notification rule returns "Successfully created the notification rule." // response import com.datadog.api.client.ApiClient; import com.datadog.api.client.ApiException; import com.datadog.api.client.v2.api.SecurityMonitoringApi; import com.datadog.api.client.v2.model.CreateNotificationRuleParameters; import com.datadog.api.client.v2.model.CreateNotificationRuleParametersData; import com.datadog.api.client.v2.model.CreateNotificationRuleParametersDataAttributes; import com.datadog.api.client.v2.model.NotificationRuleResponse; import com.datadog.api.client.v2.model.NotificationRulesType; import com.datadog.api.client.v2.model.RuleSeverity; import com.datadog.api.client.v2.model.RuleTypesItems; import com.datadog.api.client.v2.model.Selectors; import com.datadog.api.client.v2.model.TriggerSource; import java.util.Arrays; import java.util.Collections; public class Example { public static void main(String[] args) { ApiClient defaultClient = ApiClient.getDefaultApiClient(); SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient); CreateNotificationRuleParameters body = new CreateNotificationRuleParameters() .data( new CreateNotificationRuleParametersData() .attributes( new CreateNotificationRuleParametersDataAttributes() .enabled(true) .name("Rule 1") .selectors( new Selectors() .query("(source:production_service OR env:prod)") .ruleTypes( Arrays.asList( RuleTypesItems.MISCONFIGURATION, RuleTypesItems.ATTACK_PATH)) .severities(Collections.singletonList(RuleSeverity.CRITICAL)) .triggerSource(TriggerSource.SECURITY_FINDINGS)) .targets(Collections.singletonList("@john.doe@email.com")) .timeAggregation(86400L)) .type(NotificationRulesType.NOTIFICATION_RULES)); try { NotificationRuleResponse result = apiInstance.createSignalNotificationRule(body); System.out.println(result); } catch (ApiException e) { System.err.println( "Exception when calling SecurityMonitoringApi#createSignalNotificationRule"); System.err.println("Status code: " + e.getCode()); System.err.println("Reason: " + e.getResponseBody()); System.err.println("Response headers: " + e.getResponseHeaders()); e.printStackTrace(); } } } ``` #### Instructions First [install the library and its dependencies](https://docs.datadoghq.com/api/latest.md?code-lang=java) and then save the example to `Example.java` and run following commands: DD_SITE="datadoghq.com" DD_API_KEY="" DD_APP_KEY="" java "Example.java" ##### ```python """ Create a new signal-based notification rule returns "Successfully created the notification rule." response """ from datadog_api_client import ApiClient, Configuration from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi from datadog_api_client.v2.model.create_notification_rule_parameters import CreateNotificationRuleParameters from datadog_api_client.v2.model.create_notification_rule_parameters_data import CreateNotificationRuleParametersData from datadog_api_client.v2.model.create_notification_rule_parameters_data_attributes import ( CreateNotificationRuleParametersDataAttributes, ) from datadog_api_client.v2.model.notification_rules_type import NotificationRulesType from datadog_api_client.v2.model.rule_severity import RuleSeverity from datadog_api_client.v2.model.rule_types_items import RuleTypesItems from datadog_api_client.v2.model.selectors import Selectors from datadog_api_client.v2.model.trigger_source import TriggerSource body = CreateNotificationRuleParameters( data=CreateNotificationRuleParametersData( attributes=CreateNotificationRuleParametersDataAttributes( enabled=True, name="Rule 1", selectors=Selectors( query="(source:production_service OR env:prod)", rule_types=[ RuleTypesItems.MISCONFIGURATION, RuleTypesItems.ATTACK_PATH, ], severities=[ RuleSeverity.CRITICAL, ], trigger_source=TriggerSource.SECURITY_FINDINGS, ), targets=[ "@john.doe@email.com", ], time_aggregation=86400, ), type=NotificationRulesType.NOTIFICATION_RULES, ), ) configuration = Configuration() with ApiClient(configuration) as api_client: api_instance = SecurityMonitoringApi(api_client) response = api_instance.create_signal_notification_rule(body=body) print(response) ``` #### Instructions First [install the library and its dependencies](https://docs.datadoghq.com/api/latest.md?code-lang=python) and then save the example to `example.py` and run following commands: DD_SITE="datadoghq.com" DD_API_KEY="" DD_APP_KEY="" python3 "example.py" ##### ```ruby # Create a new signal-based notification rule returns "Successfully created the notification rule." response require "datadog_api_client" api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new body = DatadogAPIClient::V2::CreateNotificationRuleParameters.new({ data: DatadogAPIClient::V2::CreateNotificationRuleParametersData.new({ attributes: DatadogAPIClient::V2::CreateNotificationRuleParametersDataAttributes.new({ enabled: true, name: "Rule 1", selectors: DatadogAPIClient::V2::Selectors.new({ query: "(source:production_service OR env:prod)", rule_types: [ DatadogAPIClient::V2::RuleTypesItems::MISCONFIGURATION, DatadogAPIClient::V2::RuleTypesItems::ATTACK_PATH, ], severities: [ DatadogAPIClient::V2::RuleSeverity::CRITICAL, ], trigger_source: DatadogAPIClient::V2::TriggerSource::SECURITY_FINDINGS, }), targets: [ "@john.doe@email.com", ], time_aggregation: 86400, }), type: DatadogAPIClient::V2::NotificationRulesType::NOTIFICATION_RULES, }), }) p api_instance.create_signal_notification_rule(body) ``` #### Instructions First [install the library and its dependencies](https://docs.datadoghq.com/api/latest.md?code-lang=ruby) and then save the example to `example.rb` and run following commands: DD_SITE="datadoghq.com" DD_API_KEY="" DD_APP_KEY="" rb "example.rb" ##### ```rust // Create a new signal-based notification rule returns "Successfully created the // notification rule." response use datadog_api_client::datadog; use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI; use datadog_api_client::datadogV2::model::CreateNotificationRuleParameters; use datadog_api_client::datadogV2::model::CreateNotificationRuleParametersData; use datadog_api_client::datadogV2::model::CreateNotificationRuleParametersDataAttributes; use datadog_api_client::datadogV2::model::NotificationRulesType; use datadog_api_client::datadogV2::model::RuleSeverity; use datadog_api_client::datadogV2::model::RuleTypesItems; use datadog_api_client::datadogV2::model::Selectors; use datadog_api_client::datadogV2::model::TriggerSource; #[tokio::main] async fn main() { let body = CreateNotificationRuleParameters::new().data(CreateNotificationRuleParametersData::new( CreateNotificationRuleParametersDataAttributes::new( "Rule 1".to_string(), Selectors::new(TriggerSource::SECURITY_FINDINGS) .query("(source:production_service OR env:prod)".to_string()) .rule_types(vec![ RuleTypesItems::MISCONFIGURATION, RuleTypesItems::ATTACK_PATH, ]) .severities(vec![RuleSeverity::CRITICAL]), vec!["@john.doe@email.com".to_string()], ) .enabled(true) .time_aggregation(86400), NotificationRulesType::NOTIFICATION_RULES, )); let configuration = datadog::Configuration::new(); let api = SecurityMonitoringAPI::with_config(configuration); let resp = api.create_signal_notification_rule(body).await; if let Ok(value) = resp { println!("{:#?}", value); } else { println!("{:#?}", resp.unwrap_err()); } } ``` #### Instructions First [install the library and its dependencies](https://docs.datadoghq.com/api/latest.md?code-lang=rust) and then save the example to `src/main.rs` and run following commands: DD_SITE="datadoghq.com" DD_API_KEY="" DD_APP_KEY="" cargo run ##### ```typescript /** * Create a new signal-based notification rule returns "Successfully created the notification rule." response */ import { client, v2 } from "@datadog/datadog-api-client"; const configuration = client.createConfiguration(); const apiInstance = new v2.SecurityMonitoringApi(configuration); const params: v2.SecurityMonitoringApiCreateSignalNotificationRuleRequest = { body: { data: { attributes: { enabled: true, name: "Rule 1", selectors: { query: "(source:production_service OR env:prod)", ruleTypes: ["misconfiguration", "attack_path"], severities: ["critical"], triggerSource: "security_findings", }, targets: ["@john.doe@email.com"], timeAggregation: 86400, }, type: "notification_rules", }, }, }; apiInstance .createSignalNotificationRule(params) .then((data: v2.NotificationRuleResponse) => { console.log( "API called successfully. Returned data: " + JSON.stringify(data) ); }) .catch((error: any) => console.error(error)); ``` #### Instructions First [install the library and its dependencies](https://docs.datadoghq.com/api/latest.md?code-lang=typescript) and then save the example to `example.ts` and run following commands: DD_SITE="datadoghq.com" DD_API_KEY="" DD_APP_KEY="" tsc "example.ts" {% /tab %}