Get sample log generation subscriptions

Note: This endpoint is in preview and is subject to change. If you have any feedback, contact Datadog support.

GET https://api.ap1.datadoghq.com/api/v2/security_monitoring/sample_log_generation/subscriptions
GET https://api.ap2.datadoghq.com/api/v2/security_monitoring/sample_log_generation/subscriptions
GET https://api.datadoghq.eu/api/v2/security_monitoring/sample_log_generation/subscriptions
GET https://api.ddog-gov.com/api/v2/security_monitoring/sample_log_generation/subscriptions
GET https://api.us2.ddog-gov.com/api/v2/security_monitoring/sample_log_generation/subscriptions
GET https://api.datadoghq.com/api/v2/security_monitoring/sample_log_generation/subscriptions
GET https://api.us3.datadoghq.com/api/v2/security_monitoring/sample_log_generation/subscriptions
GET https://api.us5.datadoghq.com/api/v2/security_monitoring/sample_log_generation/subscriptions

Overview

Get the sample log generation subscriptions for the organization. Sample log generation injects representative example logs for a given Cloud SIEM content pack into the Logs platform, which can be used to test detection rules without onboarding the underlying integration first.

Availability: this endpoint is restricted to Cloud SIEM trial organizations on an eligible pricing model. Other organizations receive a 403 Forbidden (non-trial orgs) or a 400 Bad Request (feature disabled), and legacy pricing tiers receive a response with status: not_available.

This endpoint requires any of the following permissions:
  • security_monitoring_filters_read
  • logs_read_index_data

  • OAuth apps require the security_monitoring_filters_read, logs_read_index_data authorization scope to access this endpoint.

    Arguments

    Query Strings

    Name (Type): Description

      • status (enum): Filter the subscriptions by status. Use active to return only currently active subscriptions, or all to return every subscription including expired ones. Ignored when start_timestamp is provided. Defaults to active. Allowed enum values: active, all
      • start_timestamp (string): The start of the time range, as an RFC3339 timestamp. When provided, the response includes every subscription that was active at any point in [start_timestamp, end_timestamp], and the status filter is ignored.
      • end_timestamp (string): The end of the time range, as an RFC3339 timestamp. Ignored unless start_timestamp is set. Defaults to the current time when start_timestamp is provided.

    Response

    OK

    Response containing a list of sample log generation subscriptions.

    Field (Type): Description

      • data [required] ([object]): The list of sample log generation subscriptions.
          • attributes [required] (object): The attributes describing a sample log generation subscription.
              • content_pack_id [required] (string): The identifier of the Cloud SIEM content pack the subscription targets.
              • created_at [required] (date-time): The time at which the subscription was created.
              • expires_at [required] (date-time): The time at which the subscription expires and stops generating logs.
              • is_active [required] (boolean): Whether the subscription is currently active and generating logs.
              • status [required] (enum): The status of the subscription. Allowed enum values: subscribed, renewed, unsubscribed, no_active_subscription, not_available, active, expired
          • id [required] (string): The unique identifier of the subscription.
          • type [required] (enum): The type of the resource. The value should always be subscriptions. Allowed enum values: subscriptions. Default: subscriptions
      • meta [required] (object): Metadata returned alongside a list of sample log generation subscriptions.
          • total_subscriptions [required] (int32): The total number of subscriptions matching the request, irrespective of pagination.

    {
      "data": [
        {
          "attributes": {
            "content_pack_id": "aws-cloudtrail",
            "created_at": "2026-05-08T20:02:13.77481Z",
            "expires_at": "2026-05-11T20:02:13.77481Z",
            "is_active": true,
            "status": "subscribed"
          },
          "id": "789",
          "type": "subscriptions"
        }
      ],
      "meta": {
        "total_subscriptions": 1
      }
    }

    Bad Request

    API error response.

    Field (Type): Description

      • errors [required] ([string]): A list of errors.

    {
      "errors": [
        "Bad Request"
      ]
    }

    Not Authorized

    API error response.

    Field (Type): Description

      • errors [required] ([string]): A list of errors.

    {
      "errors": [
        "Bad Request"
      ]
    }

    Too many requests

    API error response.

    Field (Type): Description

      • errors [required] ([string]): A list of errors.

    {
      "errors": [
        "Bad Request"
      ]
    }

    Code Example

    # Curl command
    # Replace api.datadoghq.com with the API host for your Datadog site
    # (one of the hosts listed at the top of this page).
    curl -X GET "https://api.datadoghq.com/api/v2/security_monitoring/sample_log_generation/subscriptions" \
      -H "Accept: application/json" \
      -H "DD-API-KEY: ${DD_API_KEY}" \
      -H "DD-APPLICATION-KEY: ${DD_APP_KEY}"
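    The query-string precedence and availability rules above decide whether a detection-rule test will see any sample logs at all. The following is an added example, not Datadog's code or client library: the function names (parse_rfc3339, effective_query, usable_packs) are hypothetical, the input is the 200 response body shown on this page, and it assumes not_available is reported in attributes.status.

```python
import re
from datetime import datetime

_RFC3339 = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d+))?(Z|[+-]\d{2}:\d{2})$")

def parse_rfc3339(ts):
    """Parse an RFC3339 timestamp, tolerating any number of fractional digits."""
    m = _RFC3339.match(ts)
    if not m:
        raise ValueError(f"not an RFC3339 timestamp: {ts!r}")
    base, frac, tz = m.groups()
    frac = (frac or "")[:6].ljust(6, "0")
    return datetime.fromisoformat(f"{base}.{frac}{'+00:00' if tz == 'Z' else tz}")

def effective_query(status=None, start_timestamp=None, end_timestamp=None):
    """Return only the parameters the endpoint honours, per the documented precedence."""
    if status not in (None, "active", "all"):
        raise ValueError("status must be 'active' or 'all'")
    if start_timestamp is not None:
        start = parse_rfc3339(start_timestamp)
        params = {"start_timestamp": start_timestamp}  # status is ignored in range mode
        if end_timestamp is not None:
            # Client-side sanity check (assumption, not a documented server rule).
            if parse_rfc3339(end_timestamp) < start:
                raise ValueError("end_timestamp precedes start_timestamp")
            params["end_timestamp"] = end_timestamp
        return params
    return {"status": status or "active"}  # end_timestamp alone is ignored

def usable_packs(http_status, body, now):
    """Map content_pack_id -> seconds of sample logs left; `now` must be timezone-aware."""
    if http_status in (400, 403):  # page: 403 = non-trial org, 400 = feature disabled
        raise RuntimeError(f"sample log generation unavailable: HTTP {http_status} {body.get('errors')}")
    packs = {}
    for sub in body.get("data", []):
        attrs = sub["attributes"]
        if attrs["status"] == "not_available":  # legacy pricing tier
            raise RuntimeError("sample log generation not available on this pricing tier")
        remaining = (parse_rfc3339(attrs["expires_at"]) - now).total_seconds()
        if attrs["is_active"] and remaining > 0:  # skip stale or expired subscriptions
            pack = attrs["content_pack_id"]
            packs[pack] = max(packs.get(pack, 0.0), remaining)
    return packs

# Constructed sample: the 200 response body shown on this page.
SAMPLE = {"data": [{"attributes": {"content_pack_id": "aws-cloudtrail",
          "created_at": "2026-05-08T20:02:13.77481Z", "expires_at": "2026-05-11T20:02:13.77481Z",
          "is_active": True, "status": "subscribed"}, "id": "789", "type": "subscriptions"}],
          "meta": {"total_subscriptions": 1}}
```

    A content pack missing from the result of usable_packs is not currently receiving sample logs, so a rule test against it that finds nothing says nothing about the rule.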