Patch a signal-based notification rule

PATCH https://api.ap1.datadoghq.com/api/v2/security/signals/notification_rules/{id}
PATCH https://api.ap2.datadoghq.com/api/v2/security/signals/notification_rules/{id}
PATCH https://api.datadoghq.eu/api/v2/security/signals/notification_rules/{id}
PATCH https://api.ddog-gov.com/api/v2/security/signals/notification_rules/{id}
PATCH https://api.us2.ddog-gov.com/api/v2/security/signals/notification_rules/{id}
PATCH https://api.datadoghq.com/api/v2/security/signals/notification_rules/{id}
PATCH https://api.us3.datadoghq.com/api/v2/security/signals/notification_rules/{id}
PATCH https://api.us5.datadoghq.com/api/v2/security/signals/notification_rules/{id}

Overview

Partially update the notification rule. All attributes are optional; an attribute that is not provided is left unchanged. The request must still include the rule's version in data.attributes.version (the version changes each time the rule is modified). This endpoint requires the security_monitoring_notification_profiles_write permission.

Arguments

Path Parameters

Name

Type

Description

id [required]

string

ID of the notification rule.

Request

Body Data (required)

Field

Type

Description

data

object

Data of the notification rule patch request: the rule ID, the rule type, and the rule attributes. All fields are required.

attributes [required]

object

Attributes of the notification rule patch request. The version of the rule must be supplied when patching it.

enabled

boolean

Field used to enable or disable the rule.

name

string

Name of the notification rule.

selectors

object

Selectors are used to filter security issues for which notifications should be generated. Users can specify rule severities, rule types, a query to filter security issues on tags and attributes, and the trigger source. Only the trigger_source field is required.

query

string

The query is composed of one or several key:value pairs, which can be used to filter security issues on tags and attributes.

rule_types

[string]

Security rule types used as filters in security rules.

severities

[string]

The security rules severities to consider.

trigger_source [required]

enum

The type of security issues on which the rule applies. Notification rules based on security signals need to use the trigger source "security_signals", while notification rules based on security vulnerabilities need to use the trigger source "security_findings". Allowed enum values: security_findings,security_signals

targets

[string]

List of recipients to notify when a notification rule is triggered. Many different target types are supported, such as email addresses, Slack channels, and PagerDuty services. The appropriate integrations need to be properly configured to send notifications to the specified targets.

time_aggregation

int64

Time aggregation period (in seconds) is used to aggregate the results of the notification rule evaluation. Results are aggregated over a selected time frame using a rolling window, which updates with each new evaluation. Notifications are only sent for new issues discovered during the window. Time aggregation is only available for vulnerability-based notification rules. When omitted or set to 0, no aggregation is done.

version

int64

Version of the notification rule. It is updated when the rule is modified.

id [required]

string

The ID of a notification rule.

type [required]

enum

The rule type associated to notification rules. Allowed enum values: notification_rules

{
  "data": {
    "attributes": {
      "enabled": true,
      "name": "Rule 1",
      "selectors": {
        "query": "(source:production_service OR env:prod)",
        "rule_types": [
          "misconfiguration",
          "attack_path"
        ],
        "severities": [
          "critical"
        ],
        "trigger_source": "security_findings"
      },
      "targets": [
        "@john.doe@email.com"
      ],
      "time_aggregation": 86400,
      "version": 1
    },
    "id": "aaa-bbb-ccc",
    "type": "notification_rules"
  }
}
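The request body above is easiest to get right when it is built from a rule you have just read back, so that the required version travels with the change. The following Python is an added example, not code from this reference or from Datadog's client libraries: it assembles a PATCH body containing only the attributes being changed, copies the version from the current rule, and refuses bodies that contradict the constraints documented above (trigger_source outside the enum, time_aggregation on a security_signals rule, a missing version, an empty target list). The sample CURRENT_RULE is constructed from the response example on this page; the helper names, the non-empty-targets rule, and the assumption that the server rejects a stale version are the example's own.

```python
"""Build a PATCH body for /api/v2/security/signals/notification_rules/{id} from a rule
you have already read back, and check it against the constraints the reference states.

Added example; this is not Datadog's client library. The encoded constraints are the
documented ones (trigger_source enum, attributes.version required, time_aggregation only
for security_findings rules); helper names and the non-empty-targets rule are mine.
"""
import copy
from typing import Any

ALLOWED_TRIGGER_SOURCES = {"security_findings", "security_signals"}
SERVER_MANAGED = {"version", "created_at", "created_by", "modified_at", "modified_by"}

# Constructed sample in the response shape shown on this page (not a live rule).
CURRENT_RULE: dict[str, Any] = {
    "data": {
        "attributes": {
            "created_at": 1722439510282,
            "created_by": {"handle": "john.doe@domain.com", "name": "John Doe"},
            "enabled": True,
            "modified_at": 1722439510282,
            "modified_by": {"handle": "john.doe@domain.com", "name": "John Doe"},
            "name": "Rule 1",
            "selectors": {
                "query": "(source:production_service OR env:prod)",
                "rule_types": ["misconfiguration", "attack_path"],
                "severities": ["critical"],
                "trigger_source": "security_findings",
            },
            "targets": ["@john.doe@email.com"],
            "time_aggregation": 86400,
            "version": 1,
        },
        "id": "aaa-bbb-ccc",
        "type": "notification_rules",
    }
}


class PatchValidationError(ValueError):
    """Raised for a body the reference documents as invalid (or that notifies nobody)."""


def validate_merged(attrs: dict[str, Any]) -> None:
    """Check the rule as it will look after the PATCH is applied (current + changes)."""
    version = attrs.get("version")
    if not isinstance(version, int) or isinstance(version, bool):
        raise PatchValidationError("attributes.version is required and must be an integer")
    selectors = attrs.get("selectors") or {}
    source = selectors.get("trigger_source")
    if source not in ALLOWED_TRIGGER_SOURCES:
        raise PatchValidationError(
            f"selectors.trigger_source must be one of {sorted(ALLOWED_TRIGGER_SOURCES)}")
    # time_aggregation is documented for vulnerability (security_findings) rules only
    if source == "security_signals" and attrs.get("time_aggregation", 0):
        raise PatchValidationError("time_aggregation is only available for security_findings rules")
    # Example's own policy: a rule with no targets silently notifies nobody, so reject it.
    targets = attrs.get("targets")
    if not isinstance(targets, list) or not targets or not all(isinstance(t, str) and t for t in targets):
        raise PatchValidationError("targets must be a non-empty list of non-empty strings")


def build_patch_body(current: dict[str, Any], **changes: Any) -> dict[str, Any]:
    """Return a body carrying only the changed attributes plus the version that was read.

    `current` is the rule in the response shape; `changes` are attribute names to set,
    e.g. enabled=False. The reference requires attributes.version; copying the one you
    last read is this example's convention (assumption: a stale version is rejected).
    """
    data = current["data"]
    patch: dict[str, Any] = {"version": data["attributes"]["version"]}
    for key, value in changes.items():
        if key in SERVER_MANAGED:
            raise PatchValidationError(f"{key} is server-managed and cannot be patched")
        patch[key] = copy.deepcopy(value)
    # PATCH merges attribute by attribute, so validate the merged view, not just the delta.
    validate_merged({**data["attributes"], **patch})
    return {"data": {"attributes": patch, "id": data["id"], "type": "notification_rules"}}


def rejects(current: dict[str, Any], **changes: Any) -> bool:
    """True if build_patch_body refuses these changes; shows the edge cases without raising."""
    try:
        build_patch_body(current, **changes)
    except PatchValidationError:
        return True
    return False


if __name__ == "__main__":
    import json
    print(json.dumps(build_patch_body(CURRENT_RULE, enabled=False), indent=2))
    # Switching a findings rule to signals must also clear time_aggregation:
    print(rejects(CURRENT_RULE, selectors={"trigger_source": "security_signals"}))
    print(json.dumps(build_patch_body(
        CURRENT_RULE, selectors={"trigger_source": "security_signals"}, time_aggregation=0), indent=2))
```

The merged-view check matters because the endpoint merges attribute by attribute: a delta that only flips trigger_source to security_signals looks harmless on its own but leaves the existing time_aggregation in place, so the example rejects it until time_aggregation is set to 0 in the same request.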

Response

Notification rule successfully patched.

Response object which includes a notification rule.

Field

Type

Description

data

object

Notification rules allow full control over notifications generated by the various Datadog security products. They allow users to define the conditions under which a notification should be generated (based on rule severities, rule types, rule tags, and so on), and the targets to notify. A notification rule is composed of a rule ID, a rule type, and the rule attributes. All fields are required.

attributes [required]

object

Attributes of the notification rule.

created_at [required]

int64

Date as Unix timestamp in milliseconds.

created_by [required]

object

User creating or modifying a rule.

handle

string

The user handle.

name

string

The user name.

enabled [required]

boolean

Field used to enable or disable the rule.

modified_at [required]

int64

Date as Unix timestamp in milliseconds.

modified_by [required]

object

User creating or modifying a rule.

handle

string

The user handle.

name

string

The user name.

name [required]

string

Name of the notification rule.

selectors [required]

object

Selectors are used to filter security issues for which notifications should be generated. Users can specify rule severities, rule types, a query to filter security issues on tags and attributes, and the trigger source. Only the trigger_source field is required.

query

string

The query is composed of one or several key:value pairs, which can be used to filter security issues on tags and attributes.

rule_types

[string]

Security rule types used as filters in security rules.

severities

[string]

The security rules severities to consider.

trigger_source [required]

enum

The type of security issues on which the rule applies. Notification rules based on security signals need to use the trigger source "security_signals", while notification rules based on security vulnerabilities need to use the trigger source "security_findings". Allowed enum values: security_findings,security_signals

targets [required]

[string]

List of recipients to notify when a notification rule is triggered. Many different target types are supported, such as email addresses, Slack channels, and PagerDuty services. The appropriate integrations need to be properly configured to send notifications to the specified targets.

time_aggregation

int64

Time aggregation period (in seconds) is used to aggregate the results of the notification rule evaluation. Results are aggregated over a selected time frame using a rolling window, which updates with each new evaluation. Notifications are only sent for new issues discovered during the window. Time aggregation is only available for vulnerability-based notification rules. When omitted or set to 0, no aggregation is done.

version [required]

int64

Version of the notification rule. It is updated when the rule is modified.

id [required]

string

The ID of a notification rule.

type [required]

enum

The rule type associated to notification rules. Allowed enum values: notification_rules

{
  "data": {
    "attributes": {
      "created_at": 1722439510282,
      "created_by": {
        "handle": "john.doe@domain.com",
        "name": "John Doe"
      },
      "enabled": true,
      "modified_at": 1722439510282,
      "modified_by": {
        "handle": "john.doe@domain.com",
        "name": "John Doe"
      },
      "name": "Rule 1",
      "selectors": {
        "query": "(source:production_service OR env:prod)",
        "rule_types": [
          "misconfiguration",
          "attack_path"
        ],
        "severities": [
          "critical"
        ],
        "trigger_source": "security_findings"
      },
      "targets": [
        "@john.doe@email.com"
      ],
      "time_aggregation": 86400,
      "version": 1
    },
    "id": "aaa-bbb-ccc",
    "type": "notification_rules"
  }
}

Bad Request

API error response.

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Forbidden

API error response.

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Not Found

API error response.

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

The server cannot process the request because it contains invalid data.

API error response.

Field

Type

Description

errors [required]

[object]

A list of errors.

detail

string

A human-readable explanation specific to this occurrence of the error.

meta

object

Non-standard meta-information about the error

source

object

References to the source of the error.

header

string

A string indicating the name of a single request header which caused the error.

parameter

string

A string indicating which URI query parameter caused the error.

pointer

string

A JSON pointer to the value in the request document that caused the error.

status

string

Status code of the response.

title

string

Short human-readable summary of the error.

{
  "errors": [
    {
      "detail": "Missing required attribute in body",
      "meta": {},
      "source": {
        "header": "Authorization",
        "parameter": "limit",
        "pointer": "/data/attributes/title"
      },
      "status": "400",
      "title": "Bad Request"
    }
  ]
}

Too many requests

API error response.

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}
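The error responses above come in two shapes: a bare list of strings, and a list of objects whose source.pointer names the rejected field as a JSON pointer into the request body. The following Python is an added example, not part of this reference or of Datadog's client libraries: it flattens either shape into one record per error, resolves the pointer against the request that was sent so a missing or bad value is visible, and attaches a next step per HTTP status. The sample payloads are copied from the sections above; the constructed SAMPLE_REQUEST, the status-to-advice table, the assumption that the invalid-data response is HTTP 422, and the helper names are the example's own.

```python
"""Normalise the error responses documented above and locate the rejected field.

Added example, not part of the Datadog reference or client libraries. The sample
payloads are the ones shown above; the ADVICE table and the 422 assumption are mine.
"""
from typing import Any, Optional

MISSING = object()  # sentinel: the pointer path does not exist in the document

# Constructed samples, copied from the error sections above.
SAMPLE_403 = {"errors": ["Bad Request"]}
SAMPLE_422 = {
    "errors": [
        {
            "detail": "Missing required attribute in body",
            "meta": {},
            "source": {"header": "Authorization", "parameter": "limit",
                       "pointer": "/data/attributes/title"},
            "status": "400",
            "title": "Bad Request",
        }
    ]
}
# Constructed request the 422 sample is assumed to answer (it carries no "title").
SAMPLE_REQUEST = {"data": {"attributes": {"enabled": True, "version": 1},
                           "id": "aaa-bbb-ccc", "type": "notification_rules"}}

# Next step per HTTP status, read off the sections above (422 is an assumption).
ADVICE = {
    400: "the request is malformed; check the JSON and required fields",
    403: "the application key lacks security_monitoring_notification_profiles_write",
    404: "no notification rule with this id exists on this site",
    422: "the body parsed but failed validation; look at source.pointer",
    429: "rate limited; back off before retrying the PATCH",
}


def resolve_pointer(doc: Any, pointer: str) -> Any:
    """RFC 6901 JSON pointer lookup. Returns MISSING when the path is absent."""
    if pointer == "":
        return doc
    if not pointer.startswith("/"):
        raise ValueError("a JSON pointer must be empty or start with '/'")
    node = doc
    for raw in pointer[1:].split("/"):
        token = raw.replace("~1", "/").replace("~0", "~")  # unescape in RFC order
        if isinstance(node, dict):
            if token not in node:
                return MISSING
            node = node[token]
        elif isinstance(node, list):
            if not token.isdigit() or int(token) >= len(node):
                return MISSING
            node = node[int(token)]
        else:
            return MISSING
    return node


def normalise_errors(http_status: int, payload: dict[str, Any],
                     request_body: Optional[dict[str, Any]] = None) -> list[dict[str, Any]]:
    """Flatten either documented error shape into one record per error."""
    advice = ADVICE.get(http_status, "unexpected status; inspect the raw response")
    records: list[dict[str, Any]] = []
    for err in payload.get("errors", []):
        if isinstance(err, str):  # plain-string shape (400/403/404/429 sections)
            records.append({"status": str(http_status), "title": err, "detail": None,
                            "locations": [], "present_in_request": None,
                            "offending_value": None, "advice": advice})
            continue
        src = err.get("source") or {}  # object shape (invalid-data section)
        locations, value, present = [], MISSING, None
        if src.get("pointer"):
            locations.append(f"body {src['pointer']}")
            if request_body is not None:
                value = resolve_pointer(request_body, src["pointer"])
                present = value is not MISSING
        if src.get("parameter"):
            locations.append(f"query parameter {src['parameter']}")
        if src.get("header"):
            locations.append(f"header {src['header']}")
        records.append({
            "status": err.get("status") or str(http_status),  # per-error status wins
            "title": err.get("title"), "detail": err.get("detail"),
            "locations": locations, "present_in_request": present,
            "offending_value": None if value is MISSING else value,
            "advice": advice,
        })
    return records


if __name__ == "__main__":
    for rec in normalise_errors(403, SAMPLE_403) + normalise_errors(422, SAMPLE_422, SAMPLE_REQUEST):
        print(rec)
```

Resolving the pointer against the request you actually sent is what turns "Missing required attribute in body" into something actionable: for the sample above the lookup of /data/attributes/title comes back absent, which agrees with the detail text, whereas a pointer that resolves to a value tells you the field was present but rejected.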

Code Example

# Path parameters
export id="CHANGE_ME"
# Curl command. Replace api.datadoghq.com with the API host for your site:
# api.us3.datadoghq.com, api.us5.datadoghq.com, api.datadoghq.eu, api.ap1.datadoghq.com,
# api.ap2.datadoghq.com, api.ddog-gov.com or api.us2.ddog-gov.com
curl -X PATCH "https://api.datadoghq.com/api/v2/security/signals/notification_rules/${id}" \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  -H "DD-API-KEY: ${DD_API_KEY}" \
  -H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
  -d @- << EOF
{
  "data": {
    "attributes": {
      "enabled": true,
      "name": "Rule 1",
      "selectors": {
        "query": "(source:production_service OR env:prod)",
        "rule_types": [
          "misconfiguration",
          "attack_path"
        ],
        "severities": [
          "critical"
        ],
        "trigger_source": "security_findings"
      },
      "targets": [
        "@john.doe@email.com"
      ],
      "time_aggregation": 86400,
      "version": 1
    },
    "id": "aaa-bbb-ccc",
    "type": "notification_rules"
  }
}
EOF
// Patch a signal-based notification rule returns "Notification rule successfully patched." response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	// there is a valid "valid_signal_notification_rule" in the system
	ValidSignalNotificationRuleDataID := os.Getenv("VALID_SIGNAL_NOTIFICATION_RULE_DATA_ID")

	body := datadogV2.PatchNotificationRuleParameters{
		Data: &datadogV2.PatchNotificationRuleParametersData{
			Attributes: datadogV2.PatchNotificationRuleParametersDataAttributes{
				Enabled: datadog.PtrBool(true),
				Name:    datadog.PtrString("Rule 1"),
				Selectors: &datadogV2.Selectors{
					Query: datadog.PtrString("(source:production_service OR env:prod)"),
					RuleTypes: []datadogV2.RuleTypesItems{
						datadogV2.RULETYPESITEMS_MISCONFIGURATION,
						datadogV2.RULETYPESITEMS_ATTACK_PATH,
					},
					Severities: []datadogV2.RuleSeverity{
						datadogV2.RULESEVERITY_CRITICAL,
					},
					TriggerSource: datadogV2.TRIGGERSOURCE_SECURITY_FINDINGS,
				},
				Targets: []string{
					"@john.doe@email.com",
				},
				TimeAggregation: datadog.PtrInt64(86400),
				Version:         datadog.PtrInt64(1),
			},
			Id:   ValidSignalNotificationRuleDataID,
			Type: datadogV2.NOTIFICATIONRULESTYPE_NOTIFICATION_RULES,
		},
	}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.PatchSignalNotificationRule(ctx, ValidSignalNotificationRuleDataID, body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.PatchSignalNotificationRule`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.PatchSignalNotificationRule`:\n%s\n", responseContent)
}

Instructions

First install the library and its dependencies, then save the example to main.go and run the following command. Set DD_SITE to your Datadog site: datadoghq.com, us3.datadoghq.com, us5.datadoghq.com, datadoghq.eu, ap1.datadoghq.com, ap2.datadoghq.com, ddog-gov.com or us2.ddog-gov.com.

DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
// Patch a signal-based notification rule returns "Notification rule successfully patched." response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.NotificationRuleResponse;
import com.datadog.api.client.v2.model.NotificationRulesType;
import com.datadog.api.client.v2.model.PatchNotificationRuleParameters;
import com.datadog.api.client.v2.model.PatchNotificationRuleParametersData;
import com.datadog.api.client.v2.model.PatchNotificationRuleParametersDataAttributes;
import com.datadog.api.client.v2.model.RuleSeverity;
import com.datadog.api.client.v2.model.RuleTypesItems;
import com.datadog.api.client.v2.model.Selectors;
import com.datadog.api.client.v2.model.TriggerSource;
import java.util.Arrays;
import java.util.Collections;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    // there is a valid "valid_signal_notification_rule" in the system
    String VALID_SIGNAL_NOTIFICATION_RULE_DATA_ID =
        System.getenv("VALID_SIGNAL_NOTIFICATION_RULE_DATA_ID");

    PatchNotificationRuleParameters body =
        new PatchNotificationRuleParameters()
            .data(
                new PatchNotificationRuleParametersData()
                    .attributes(
                        new PatchNotificationRuleParametersDataAttributes()
                            .enabled(true)
                            .name("Rule 1")
                            .selectors(
                                new Selectors()
                                    .query("(source:production_service OR env:prod)")
                                    .ruleTypes(
                                        Arrays.asList(
                                            RuleTypesItems.MISCONFIGURATION,
                                            RuleTypesItems.ATTACK_PATH))
                                    .severities(Collections.singletonList(RuleSeverity.CRITICAL))
                                    .triggerSource(TriggerSource.SECURITY_FINDINGS))
                            .targets(Collections.singletonList("@john.doe@email.com"))
                            .timeAggregation(86400L)
                            .version(1L))
                    .id(VALID_SIGNAL_NOTIFICATION_RULE_DATA_ID)
                    .type(NotificationRulesType.NOTIFICATION_RULES));

    try {
      NotificationRuleResponse result =
          apiInstance.patchSignalNotificationRule(VALID_SIGNAL_NOTIFICATION_RULE_DATA_ID, body);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#patchSignalNotificationRule");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

Instructions

First install the library and its dependencies, then save the example to Example.java and run the following command. Set DD_SITE to your Datadog site: datadoghq.com, us3.datadoghq.com, us5.datadoghq.com, datadoghq.eu, ap1.datadoghq.com, ap2.datadoghq.com, ddog-gov.com or us2.ddog-gov.com.

DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"
"""
Patch a signal-based notification rule returns "Notification rule successfully patched." response
"""

from os import environ
from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.notification_rules_type import NotificationRulesType
from datadog_api_client.v2.model.patch_notification_rule_parameters import PatchNotificationRuleParameters
from datadog_api_client.v2.model.patch_notification_rule_parameters_data import PatchNotificationRuleParametersData
from datadog_api_client.v2.model.patch_notification_rule_parameters_data_attributes import (
    PatchNotificationRuleParametersDataAttributes,
)
from datadog_api_client.v2.model.rule_severity import RuleSeverity
from datadog_api_client.v2.model.rule_types_items import RuleTypesItems
from datadog_api_client.v2.model.selectors import Selectors
from datadog_api_client.v2.model.trigger_source import TriggerSource

# there is a valid "valid_signal_notification_rule" in the system
VALID_SIGNAL_NOTIFICATION_RULE_DATA_ID = environ["VALID_SIGNAL_NOTIFICATION_RULE_DATA_ID"]

body = PatchNotificationRuleParameters(
    data=PatchNotificationRuleParametersData(
        attributes=PatchNotificationRuleParametersDataAttributes(
            enabled=True,
            name="Rule 1",
            selectors=Selectors(
                query="(source:production_service OR env:prod)",
                rule_types=[
                    RuleTypesItems.MISCONFIGURATION,
                    RuleTypesItems.ATTACK_PATH,
                ],
                severities=[
                    RuleSeverity.CRITICAL,
                ],
                trigger_source=TriggerSource.SECURITY_FINDINGS,
            ),
            targets=[
                "@john.doe@email.com",
            ],
            time_aggregation=86400,
            version=1,
        ),
        id=VALID_SIGNAL_NOTIFICATION_RULE_DATA_ID,
        type=NotificationRulesType.NOTIFICATION_RULES,
    ),
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.patch_signal_notification_rule(id=VALID_SIGNAL_NOTIFICATION_RULE_DATA_ID, body=body)

    print(response)

Instructions

First install the library and its dependencies, then save the example to example.py and run the following command. Set DD_SITE to your Datadog site: datadoghq.com, us3.datadoghq.com, us5.datadoghq.com, datadoghq.eu, ap1.datadoghq.com, ap2.datadoghq.com, ddog-gov.com or us2.ddog-gov.com.

DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
# Patch a signal-based notification rule returns "Notification rule successfully patched." response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

# there is a valid "valid_signal_notification_rule" in the system
VALID_SIGNAL_NOTIFICATION_RULE_DATA_ID = ENV["VALID_SIGNAL_NOTIFICATION_RULE_DATA_ID"]

body = DatadogAPIClient::V2::PatchNotificationRuleParameters.new({
  data: DatadogAPIClient::V2::PatchNotificationRuleParametersData.new({
    attributes: DatadogAPIClient::V2::PatchNotificationRuleParametersDataAttributes.new({
      enabled: true,
      name: "Rule 1",
      selectors: DatadogAPIClient::V2::Selectors.new({
        query: "(source:production_service OR env:prod)",
        rule_types: [
          DatadogAPIClient::V2::RuleTypesItems::MISCONFIGURATION,
          DatadogAPIClient::V2::RuleTypesItems::ATTACK_PATH,
        ],
        severities: [
          DatadogAPIClient::V2::RuleSeverity::CRITICAL,
        ],
        trigger_source: DatadogAPIClient::V2::TriggerSource::SECURITY_FINDINGS,
      }),
      targets: [
        "@john.doe@email.com",
      ],
      time_aggregation: 86400,
      version: 1,
    }),
    id: VALID_SIGNAL_NOTIFICATION_RULE_DATA_ID,
    type: DatadogAPIClient::V2::NotificationRulesType::NOTIFICATION_RULES,
  }),
})
p api_instance.patch_signal_notification_rule(VALID_SIGNAL_NOTIFICATION_RULE_DATA_ID, body)

Instructions

First install the library and its dependencies, then save the example to example.rb and run the following command. Set DD_SITE to your Datadog site: datadoghq.com, us3.datadoghq.com, us5.datadoghq.com, datadoghq.eu, ap1.datadoghq.com, ap2.datadoghq.com, ddog-gov.com or us2.ddog-gov.com.

DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" ruby "example.rb"
// Patch a signal-based notification rule returns "Notification rule successfully
// patched." response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::NotificationRulesType;
use datadog_api_client::datadogV2::model::PatchNotificationRuleParameters;
use datadog_api_client::datadogV2::model::PatchNotificationRuleParametersData;
use datadog_api_client::datadogV2::model::PatchNotificationRuleParametersDataAttributes;
use datadog_api_client::datadogV2::model::RuleSeverity;
use datadog_api_client::datadogV2::model::RuleTypesItems;
use datadog_api_client::datadogV2::model::Selectors;
use datadog_api_client::datadogV2::model::TriggerSource;

#[tokio::main]
async fn main() {
    // there is a valid "valid_signal_notification_rule" in the system
    let valid_signal_notification_rule_data_id =
        std::env::var("VALID_SIGNAL_NOTIFICATION_RULE_DATA_ID").unwrap();
    let body =
        PatchNotificationRuleParameters::new().data(PatchNotificationRuleParametersData::new(
            PatchNotificationRuleParametersDataAttributes::new()
                .enabled(true)
                .name("Rule 1".to_string())
                .selectors(
                    Selectors::new(TriggerSource::SECURITY_FINDINGS)
                        .query("(source:production_service OR env:prod)".to_string())
                        .rule_types(vec![
                            RuleTypesItems::MISCONFIGURATION,
                            RuleTypesItems::ATTACK_PATH,
                        ])
                        .severities(vec![RuleSeverity::CRITICAL]),
                )
                .targets(vec!["@john.doe@email.com".to_string()])
                .time_aggregation(86400)
                .version(1),
            valid_signal_notification_rule_data_id.clone(),
            NotificationRulesType::NOTIFICATION_RULES,
        ));
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api
        .patch_signal_notification_rule(valid_signal_notification_rule_data_id.clone(), body)
        .await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}

Instructions

First install the library and its dependencies, then save the example to src/main.rs and run the following command. Set DD_SITE to your Datadog site: datadoghq.com, us3.datadoghq.com, us5.datadoghq.com, datadoghq.eu, ap1.datadoghq.com, ap2.datadoghq.com, ddog-gov.com or us2.ddog-gov.com.

DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run
/**
 * Patch a signal-based notification rule returns "Notification rule successfully patched." response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

// there is a valid "valid_signal_notification_rule" in the system
const VALID_SIGNAL_NOTIFICATION_RULE_DATA_ID = process.env
  .VALID_SIGNAL_NOTIFICATION_RULE_DATA_ID as string;

const params: v2.SecurityMonitoringApiPatchSignalNotificationRuleRequest = {
  body: {
    data: {
      attributes: {
        enabled: true,
        name: "Rule 1",
        selectors: {
          query: "(source:production_service OR env:prod)",
          ruleTypes: ["misconfiguration", "attack_path"],
          severities: ["critical"],
          triggerSource: "security_findings",
        },
        targets: ["@john.doe@email.com"],
        timeAggregation: 86400,
        version: 1,
      },
      id: VALID_SIGNAL_NOTIFICATION_RULE_DATA_ID,
      type: "notification_rules",
    },
  },
  id: VALID_SIGNAL_NOTIFICATION_RULE_DATA_ID,
};

apiInstance
  .patchSignalNotificationRule(params)
  .then((data: v2.NotificationRuleResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

Instructions

First install the library and its dependencies, then save the example to example.ts and run the following command. Set DD_SITE to your Datadog site: datadoghq.com, us3.datadoghq.com, us5.datadoghq.com, datadoghq.eu, ap1.datadoghq.com, ap2.datadoghq.com, ddog-gov.com or us2.ddog-gov.com.

DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"