Language

English Français 日本語 한국어 Español

Datadog Site

Site help
US1 US3 US5 EU AP1 AP2 US1-FED US2-FED

Search hist signals

Note: This endpoint is in beta and may be subject to changes. Please check the documentation regularly for updates.

POST https://api.ap1.datadoghq.com/api/v2/siem-historical-detections/histsignals/searchhttps://api.ap2.datadoghq.com/api/v2/siem-historical-detections/histsignals/searchhttps://api.datadoghq.eu/api/v2/siem-historical-detections/histsignals/searchhttps://api.ddog-gov.com/api/v2/siem-historical-detections/histsignals/searchhttps://api.us2.ddog-gov.com/api/v2/siem-historical-detections/histsignals/searchhttps://api.datadoghq.com/api/v2/siem-historical-detections/histsignals/searchhttps://api.us3.datadoghq.com/api/v2/siem-historical-detections/histsignals/searchhttps://api.us5.datadoghq.com/api/v2/siem-historical-detections/histsignals/search

Overview

Search hist signals. This endpoint requires the security_monitoring_signals_read permission.

OAuth apps require the security_monitoring_signals_read authorization scope to access this endpoint.

Request

Body Data

Expand All

Field

Type

Description

filter

object

Search filters for listing security signals.

from

date-time

The minimum timestamp for requested security signals.

query

string

Search query for listing security signals.

to

date-time

The maximum timestamp for requested security signals.

page

object

The paging attributes for listing security signals.

cursor

string

A list of results using the cursor provided in the previous query.

limit

int32

The maximum number of security signals in the response.

default: 10

sort

enum

The sort parameters used for querying security signals. Allowed enum values: timestamp,-timestamp

{
  "filter": {
    "from": "2019-01-02T09:42:36.320Z",
    "query": "security:attack status:high",
    "to": "2019-01-03T09:42:36.320Z"
  },
  "page": {
    "cursor": "eyJzdGFydEF0IjoiQVFBQUFYS2tMS3pPbm40NGV3QUFBQUJCV0V0clRFdDZVbG8zY3pCRmNsbHJiVmxDWlEifQ==",
    "limit": 25
  },
  "sort": "string"
}

Response

OK

The response object with all security signals matching the request and pagination information.

Expand All

Field

Type

Description

data

[object]

An array of security signals matching the request.

attributes

object

The object containing all signal attributes and their associated values.

custom

object

A JSON object of attributes in the security signal.

message

string

The message in the security signal defined by the rule that generated the signal.

tags

[string]

An array of tags associated with the security signal.

timestamp

date-time

The timestamp of the security signal.

id

string

The unique ID of the security signal.

type

enum

The type of event. Allowed enum values: signal

default: signal

links

object

Links attributes.

next

string

The link for the next set of results. Note: The request can also be made using the POST endpoint.

meta

object

Meta attributes.

page

object

Paging attributes.

after

string

The cursor used to get the next results, if any. To make the next request, use the same parameters with the addition of the page[cursor].

{
  "data": [
    {
      "attributes": {
        "custom": {
          "workflow": {
            "first_seen": "2020-06-23T14:46:01.000Z",
            "last_seen": "2020-06-23T14:46:49.000Z",
            "rule": {
              "id": "0f5-e0c-805",
              "name": "Brute Force Attack Grouped By User",
              "version": 12
            }
          }
        },
        "message": "Detect Account Take Over (ATO) through brute force attempts",
        "tags": [
          "security:attack",
          "technique:T1110-brute-force"
        ],
        "timestamp": "2019-01-02T09:42:36.320Z"
      },
      "id": "AAAAAWgN8Xwgr1vKDQAAAABBV2dOOFh3ZzZobm1mWXJFYTR0OA",
      "type": "signal"
    }
  ],
  "links": {
    "next": "https://app.datadoghq.com/api/v2/security_monitoring/signals?filter[query]=foo\u0026page[cursor]=eyJzdGFydEF0IjoiQVFBQUFYS2tMS3pPbm40NGV3QUFBQUJCV0V0clRFdDZVbG8zY3pCRmNsbHJiVmxDWlEifQ=="
  },
  "meta": {
    "page": {
      "after": "eyJzdGFydEF0IjoiQVFBQUFYS2tMS3pPbm40NGV3QUFBQUJCV0V0clRFdDZVbG8zY3pCRmNsbHJiVmxDWlEifQ=="
    }
  }
}

Bad Request

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Not Authorized

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Not Found

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Too many requests

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Code Example

                  ## default
# 

# Curl command
curl -X POST "https://api.ap1.datadoghq.com"https://api.ap2.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.us2.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/siem-historical-detections/histsignals/search" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "filter": {
    "from": "2019-01-02T09:42:36.320Z",
    "query": "security:attack status:high",
    "to": "2019-01-03T09:42:36.320Z"
  },
  "page": {
    "limit": 25
  },
  "sort": "timestamp"
}
EOF

                
"""
Search hist signals returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.security_monitoring_signal_list_request import SecurityMonitoringSignalListRequest
from datadog_api_client.v2.model.security_monitoring_signal_list_request_filter import (
    SecurityMonitoringSignalListRequestFilter,
)
from datadog_api_client.v2.model.security_monitoring_signal_list_request_page import (
    SecurityMonitoringSignalListRequestPage,
)
from datadog_api_client.v2.model.security_monitoring_signals_sort import SecurityMonitoringSignalsSort
from datetime import datetime
from dateutil.tz import tzutc

body = SecurityMonitoringSignalListRequest(
    filter=SecurityMonitoringSignalListRequestFilter(
        _from=datetime(2019, 1, 2, 9, 42, 36, 320000, tzinfo=tzutc()),
        query="security:attack status:high",
        to=datetime(2019, 1, 3, 9, 42, 36, 320000, tzinfo=tzutc()),
    ),
    page=SecurityMonitoringSignalListRequestPage(
        cursor="eyJzdGFydEF0IjoiQVFBQUFYS2tMS3pPbm40NGV3QUFBQUJCV0V0clRFdDZVbG8zY3pCRmNsbHJiVmxDWlEifQ==",
        limit=25,
    ),
    sort=SecurityMonitoringSignalsSort.TIMESTAMP_ASCENDING,
)

configuration = Configuration()
configuration.unstable_operations["search_security_monitoring_histsignals"] = True
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.search_security_monitoring_histsignals(body=body)

    print(response)

Instructions

First install the library and its dependencies and then save the example to example.py and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.comus2.ddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
# Search hist signals returns "OK" response

require "datadog_api_client"
DatadogAPIClient.configure do |config|
  config.unstable_operations["v2.search_security_monitoring_histsignals".to_sym] = true
end
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

body = DatadogAPIClient::V2::SecurityMonitoringSignalListRequest.new({
  filter: DatadogAPIClient::V2::SecurityMonitoringSignalListRequestFilter.new({
    from: "2019-01-02T09:42:36.320Z",
    query: "security:attack status:high",
    to: "2019-01-03T09:42:36.320Z",
  }),
  page: DatadogAPIClient::V2::SecurityMonitoringSignalListRequestPage.new({
    cursor: "eyJzdGFydEF0IjoiQVFBQUFYS2tMS3pPbm40NGV3QUFBQUJCV0V0clRFdDZVbG8zY3pCRmNsbHJiVmxDWlEifQ==",
    limit: 25,
  }),
  sort: DatadogAPIClient::V2::SecurityMonitoringSignalsSort::TIMESTAMP_ASCENDING,
})
opts = {
  body: body,
}
p api_instance.search_security_monitoring_histsignals(opts)

Instructions

First install the library and its dependencies and then save the example to example.rb and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.comus2.ddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" rb "example.rb"
// Search hist signals returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"
	"time"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	body := datadogV2.SecurityMonitoringSignalListRequest{
		Filter: &datadogV2.SecurityMonitoringSignalListRequestFilter{
			From:  datadog.PtrTime(time.Date(2019, 1, 2, 9, 42, 36, 320000, time.UTC)),
			Query: datadog.PtrString("security:attack status:high"),
			To:    datadog.PtrTime(time.Date(2019, 1, 3, 9, 42, 36, 320000, time.UTC)),
		},
		Page: &datadogV2.SecurityMonitoringSignalListRequestPage{
			Cursor: datadog.PtrString("eyJzdGFydEF0IjoiQVFBQUFYS2tMS3pPbm40NGV3QUFBQUJCV0V0clRFdDZVbG8zY3pCRmNsbHJiVmxDWlEifQ=="),
			Limit:  datadog.PtrInt32(25),
		},
		Sort: datadogV2.SECURITYMONITORINGSIGNALSSORT_TIMESTAMP_ASCENDING.Ptr(),
	}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	configuration.SetUnstableOperationEnabled("v2.SearchSecurityMonitoringHistsignals", true)
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.SearchSecurityMonitoringHistsignals(ctx, *datadogV2.NewSearchSecurityMonitoringHistsignalsOptionalParameters().WithBody(body))

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.SearchSecurityMonitoringHistsignals`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.SearchSecurityMonitoringHistsignals`:\n%s\n", responseContent)
}

Instructions

First install the library and its dependencies and then save the example to main.go and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.comus2.ddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
// Search hist signals returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.api.SecurityMonitoringApi.SearchSecurityMonitoringHistsignalsOptionalParameters;
import com.datadog.api.client.v2.model.SecurityMonitoringSignalListRequest;
import com.datadog.api.client.v2.model.SecurityMonitoringSignalListRequestFilter;
import com.datadog.api.client.v2.model.SecurityMonitoringSignalListRequestPage;
import com.datadog.api.client.v2.model.SecurityMonitoringSignalsListResponse;
import com.datadog.api.client.v2.model.SecurityMonitoringSignalsSort;
import java.time.OffsetDateTime;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    defaultClient.setUnstableOperationEnabled("v2.searchSecurityMonitoringHistsignals", true);
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    SecurityMonitoringSignalListRequest body =
        new SecurityMonitoringSignalListRequest()
            .filter(
                new SecurityMonitoringSignalListRequestFilter()
                    .from(OffsetDateTime.parse("2019-01-02T09:42:36.320Z"))
                    .query("security:attack status:high")
                    .to(OffsetDateTime.parse("2019-01-03T09:42:36.320Z")))
            .page(
                new SecurityMonitoringSignalListRequestPage()
                    .cursor(
                        "eyJzdGFydEF0IjoiQVFBQUFYS2tMS3pPbm40NGV3QUFBQUJCV0V0clRFdDZVbG8zY3pCRmNsbHJiVmxDWlEifQ==")
                    .limit(25))
            .sort(SecurityMonitoringSignalsSort.TIMESTAMP_ASCENDING);

    try {
      SecurityMonitoringSignalsListResponse result =
          apiInstance.searchSecurityMonitoringHistsignals(
              new SearchSecurityMonitoringHistsignalsOptionalParameters().body(body));
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#searchSecurityMonitoringHistsignals");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

Instructions

First install the library and its dependencies and then save the example to Example.java and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.comus2.ddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"
// Search hist signals returns "OK" response
use chrono::{DateTime, Utc};
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SearchSecurityMonitoringHistsignalsOptionalParams;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::SecurityMonitoringSignalListRequest;
use datadog_api_client::datadogV2::model::SecurityMonitoringSignalListRequestFilter;
use datadog_api_client::datadogV2::model::SecurityMonitoringSignalListRequestPage;
use datadog_api_client::datadogV2::model::SecurityMonitoringSignalsSort;

#[tokio::main]
async fn main() {
    let body =
        SecurityMonitoringSignalListRequest::new()
            .filter(
                SecurityMonitoringSignalListRequestFilter::new()
                    .from(
                        DateTime::parse_from_rfc3339("2019-01-02T09:42:36.320000+00:00")
                            .expect("Failed to parse datetime")
                            .with_timezone(&Utc),
                    )
                    .query("security:attack status:high".to_string())
                    .to(
                        DateTime::parse_from_rfc3339("2019-01-03T09:42:36.320000+00:00")
                            .expect("Failed to parse datetime")
                            .with_timezone(&Utc),
                    ),
            )
            .page(
                SecurityMonitoringSignalListRequestPage::new()
                    .cursor(
                        "eyJzdGFydEF0IjoiQVFBQUFYS2tMS3pPbm40NGV3QUFBQUJCV0V0clRFdDZVbG8zY3pCRmNsbHJiVmxDWlEifQ==".to_string(),
                    )
                    .limit(25),
            )
            .sort(SecurityMonitoringSignalsSort::TIMESTAMP_ASCENDING);
    let mut configuration = datadog::Configuration::new();
    configuration.set_unstable_operation_enabled("v2.SearchSecurityMonitoringHistsignals", true);
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api
        .search_security_monitoring_histsignals(
            SearchSecurityMonitoringHistsignalsOptionalParams::default().body(body),
        )
        .await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}

Instructions

First install the library and its dependencies and then save the example to src/main.rs and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.comus2.ddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run
/**
 * Search hist signals returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
configuration.unstableOperations["v2.searchSecurityMonitoringHistsignals"] =
  true;
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiSearchSecurityMonitoringHistsignalsRequest =
  {
    body: {
      filter: {
        from: new Date(2019, 1, 2, 9, 42, 36, 320000),
        query: "security:attack status:high",
        to: new Date(2019, 1, 3, 9, 42, 36, 320000),
      },
      page: {
        cursor:
          "eyJzdGFydEF0IjoiQVFBQUFYS2tMS3pPbm40NGV3QUFBQUJCV0V0clRFdDZVbG8zY3pCRmNsbHJiVmxDWlEifQ==",
        limit: 25,
      },
      sort: "timestamp",
    },
  };

apiInstance
  .searchSecurityMonitoringHistsignals(params)
  .then((data: v2.SecurityMonitoringSignalsListResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

Instructions

First install the library and its dependencies and then save the example to example.ts and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.comus2.ddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"