---
title: Get investigation queries for a signal
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: Docs > API Reference > Security Monitoring
---

# Get investigation queries for a signal{% #get-investigation-queries-for-a-signal %}
{% tab title="v2" %}

| Datadog site      | API endpoint                                                                                           |
| ----------------- | ------------------------------------------------------------------------------------------------------ |
| ap1.datadoghq.com | GET https://api.ap1.datadoghq.com/api/v2/security_monitoring/signals/{signal_id}/investigation_queries |
| ap2.datadoghq.com | GET https://api.ap2.datadoghq.com/api/v2/security_monitoring/signals/{signal_id}/investigation_queries |
| app.datadoghq.eu  | GET https://api.datadoghq.eu/api/v2/security_monitoring/signals/{signal_id}/investigation_queries      |
| app.ddog-gov.com  | GET https://api.ddog-gov.com/api/v2/security_monitoring/signals/{signal_id}/investigation_queries      |
| us2.ddog-gov.com  | GET https://api.us2.ddog-gov.com/api/v2/security_monitoring/signals/{signal_id}/investigation_queries  |
| app.datadoghq.com | GET https://api.datadoghq.com/api/v2/security_monitoring/signals/{signal_id}/investigation_queries     |
| us3.datadoghq.com | GET https://api.us3.datadoghq.com/api/v2/security_monitoring/signals/{signal_id}/investigation_queries |
| us5.datadoghq.com | GET https://api.us5.datadoghq.com/api/v2/security_monitoring/signals/{signal_id}/investigation_queries |

### Overview

Get the list of investigation log queries available for a given security signal. This endpoint requires all of the following permissions:
`security_monitoring_rules_read`, `security_monitoring_signals_read`


OAuth apps require the `security_monitoring_rules_read` and `security_monitoring_signals_read` authorization [scopes](https://docs.datadoghq.com/api/latest/scopes.md#security-monitoring) to access this endpoint.



### Arguments

#### Path Parameters

| Name                        | Type   | Description           |
| --------------------------- | ------ | --------------------- |
| signal_id [*required*] | string | The ID of the signal. |

### Response

{% tab title="200" %}
OK
{% tab title="Model" %}
Response with suggested actions for a security signal.

| Parent field         | Field                        | Type     | Description                                                                                                             |
| -------------------- | ---------------------------- | -------- | ----------------------------------------------------------------------------------------------------------------------- |
|                      | data [*required*]       | [object] | List of suggested actions for a security signal.                                                                        |
| data                 | attributes [*required*] | object   | Attributes of a suggested action for a security signal. The available fields depend on the action type.                 |
| attributes           | name                         | string   | The name of the investigation log query.                                                                                |
| attributes           | query_filter                 | string   | The log query filter for the investigation.                                                                             |
| attributes           | template_variables           | object   | Template variables applied to the investigation log query, mapping attribute paths to values extracted from the signal. |
| additionalProperties | <any-key>                    | [string] |                                                                                                                         |
| attributes           | title                        | string   | The title of the recommended blog post.                                                                                 |
| attributes           | url                          | string   | The URL of the suggested action.                                                                                        |
| data                 | id [*required*]         | string   | The unique ID of the suggested action.                                                                                  |
| data                 | type [*required*]       | enum     | The type of the suggested action resource. Allowed enum values: `investigation_log_queries,recommended_blog_posts`      |

{% /tab %}

{% tab title="Example" %}

```json
{
  "data": [
    {
      "attributes": {
        "name": "Cloudtrail events for user ARN",
        "query_filter": "source:cloudtrail @userIdentity.arn:\"foo\"",
        "template_variables": {
          "<any-key>": []
        },
        "title": "Monitor Okta logs to track system access and unusual activity",
        "url": "/logs?query=source%3Acloudtrail+%40userIdentity.arn%3A%22foo%22"
      },
      "id": "w00-t10-992",
      "type": "investigation_log_queries"
    }
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="403" %}
Not Authorized
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="404" %}
Not Found
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="429" %}
Too many requests
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}
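
An added example, not part of Datadog's documentation or client libraries: a stdlib-only Python helper that turns the 200 response above into triage links. It keeps only `investigation_log_queries` entries, accepts `url` only when it is a site-relative path, and maps the documented error statuses to operator hints. The function names, `APP_BASE`, the hint wording and the sample payload are assumptions constructed for illustration.

```python
import json
from urllib.parse import parse_qs, urljoin, urlsplit

APP_BASE = "https://app.datadoghq.com"  # assumption: UI host of the Datadog site in use

# Constructed sample shaped like the documented 200 response (values are illustrative).
SAMPLE = json.loads(r'''{"data": [
  {"id": "w00-t10-992", "type": "investigation_log_queries", "attributes": {
     "name": "Cloudtrail events for user ARN",
     "query_filter": "source:cloudtrail @userIdentity.arn:\"foo\"",
     "template_variables": {"@userIdentity.arn": ["foo"]},
     "url": "/logs?query=source%3Acloudtrail+%40userIdentity.arn%3A%22foo%22"}},
  {"id": "constructed-blog-1", "type": "recommended_blog_posts", "attributes": {
     "title": "Monitor Okta logs to track system access and unusual activity",
     "url": "https://example.invalid/blog"}}]}''')

# Operator hints for the error statuses listed in the Response section.
STATUS_HINTS = {
    403: "credentials lack security_monitoring_rules_read or security_monitoring_signals_read",
    404: "no signal with this signal_id",
    429: "too many requests; back off before retrying",
}

def is_site_relative(url):
    """Accept only a same-site path: no scheme, no host, exactly one leading slash."""
    parts = urlsplit(url)
    return (not parts.scheme and not parts.netloc and url.startswith("/")
            and not url.startswith("//") and "\\" not in url)

def investigation_links(payload, app_base=APP_BASE):
    """Return pivot links for investigation_log_queries entries only."""
    links = []
    for item in payload.get("data", []):
        attrs = item.get("attributes") or {}
        url = attrs.get("url") or ""
        if item.get("type") != "investigation_log_queries" or not is_site_relative(url):
            continue  # skip blog posts and anything that would leave the Datadog app host
        links.append({
            "id": item.get("id"),
            "name": attrs.get("name"),
            "query_filter": attrs.get("query_filter"),
            # Decoded so an analyst can compare what the link runs against query_filter.
            "url_query": parse_qs(urlsplit(url).query).get("query", [""])[0],
            "pivots": attrs.get("template_variables") or {},
            "link": urljoin(app_base, url),
        })
    return links

def explain_status(status):
    return STATUS_HINTS.get(status, "unexpected status %d" % status)
```
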

### Code Example

```bash
# Path parameters
export signal_id="CHANGE_ME"
# Curl command
curl -X GET "https://api.datadoghq.com/api/v2/security_monitoring/signals/${signal_id}/investigation_queries" \
-H "Accept: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"
```

```python
"""
Get investigation queries for a signal returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.get_investigation_log_queries_matching_signal(
        signal_id="AQAAAYG1bl5K4HuUewAAAABBWUcxYmw1S0FBQmt2RmhRN0V4ZUVnQUE",
    )

    print(response)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest.md?code-lang=python), then save the example to `example.py` and run the following command:

```sh
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
```

```ruby
# Get investigation queries for a signal returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new
p api_instance.get_investigation_log_queries_matching_signal("AQAAAYG1bl5K4HuUewAAAABBWUcxYmw1S0FBQmt2RmhRN0V4ZUVnQUE")
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest.md?code-lang=ruby), then save the example to `example.rb` and run the following command:

```sh
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" ruby "example.rb"
```

```go
// Get investigation queries for a signal returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.GetInvestigationLogQueriesMatchingSignal(ctx, "AQAAAYG1bl5K4HuUewAAAABBWUcxYmw1S0FBQmt2RmhRN0V4ZUVnQUE")

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.GetInvestigationLogQueriesMatchingSignal`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.GetInvestigationLogQueriesMatchingSignal`:\n%s\n", responseContent)
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest.md?code-lang=go), then save the example to `main.go` and run the following command:

```sh
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
```

```java
// Get investigation queries for a signal returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityMonitoringSignalSuggestedActionsResponse;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    try {
      SecurityMonitoringSignalSuggestedActionsResponse result =
          apiInstance.getInvestigationLogQueriesMatchingSignal(
              "AQAAAYG1bl5K4HuUewAAAABBWUcxYmw1S0FBQmt2RmhRN0V4ZUVnQUE");
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#getInvestigationLogQueriesMatchingSignal");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest.md?code-lang=java), then save the example to `Example.java` and run the following command:

```sh
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"
```

```rust
// Get investigation queries for a signal returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;

#[tokio::main]
async fn main() {
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api
        .get_investigation_log_queries_matching_signal(
            "AQAAAYG1bl5K4HuUewAAAABBWUcxYmw1S0FBQmt2RmhRN0V4ZUVnQUE".to_string(),
        )
        .await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest.md?code-lang=rust), then save the example to `src/main.rs` and run the following command:

```sh
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run
```

```typescript
/**
 * Get investigation queries for a signal returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiGetInvestigationLogQueriesMatchingSignalRequest =
  {
    signalId: "AQAAAYG1bl5K4HuUewAAAABBWUcxYmw1S0FBQmt2RmhRN0V4ZUVnQUE",
  };

apiInstance
  .getInvestigationLogQueriesMatchingSignal(params)
  .then((data: v2.SecurityMonitoringSignalSuggestedActionsResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest.md?code-lang=typescript), then save the example to `example.ts` and run the following command:

```sh
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"
```
{% /tab %}
