---
title: Test a notification rule
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: Docs > API Reference > Security Monitoring
---

# Test a notification rule{% #test-a-notification-rule %}
Copy pageCopied
{% tab title="v2" %}

| Datadog site      | API endpoint                                                                                                             |
| ----------------- | ------------------------------------------------------------------------------------------------------------------------ |
| ap1.datadoghq.com | POST https://api.ap1.datadoghq.com/api/v2/security_monitoring/configuration/notification_rules/send_notification_preview |
| ap2.datadoghq.com | POST https://api.ap2.datadoghq.com/api/v2/security_monitoring/configuration/notification_rules/send_notification_preview |
| app.datadoghq.eu  | POST https://api.datadoghq.eu/api/v2/security_monitoring/configuration/notification_rules/send_notification_preview      |
| app.ddog-gov.com  | POST https://api.ddog-gov.com/api/v2/security_monitoring/configuration/notification_rules/send_notification_preview      |
| us2.ddog-gov.com  | POST https://api.us2.ddog-gov.com/api/v2/security_monitoring/configuration/notification_rules/send_notification_preview  |
| app.datadoghq.com | POST https://api.datadoghq.com/api/v2/security_monitoring/configuration/notification_rules/send_notification_preview     |
| us3.datadoghq.com | POST https://api.us3.datadoghq.com/api/v2/security_monitoring/configuration/notification_rules/send_notification_preview |
| us5.datadoghq.com | POST https://api.us5.datadoghq.com/api/v2/security_monitoring/configuration/notification_rules/send_notification_preview |

### Overview

Send a notification preview to test that a notification rule's targets are properly configured. This endpoint requires the `security_monitoring_notification_profiles_write` permission.

OAuth apps require the `security_monitoring_notification_profiles_write` authorization [scope](https://docs.datadoghq.com/api/latest/scopes.md#security-monitoring) to access this endpoint.



### Request

#### Body Data (required)



{% tab title="Model" %}

| Parent field | Field                            | Type     | Description                                                                                                                                                                                                                                                                                                                                                                                                                            |
| ------------ | -------------------------------- | -------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|              | data                             | object   | Data of the notification rule create request: the rule type, and the rule attributes. All fields are required.                                                                                                                                                                                                                                                                                                                         |
| data         | attributes [*required*]     | object   | Attributes of the notification rule create request.                                                                                                                                                                                                                                                                                                                                                                                    |
| attributes   | enabled                          | boolean  | Field used to enable or disable the rule.                                                                                                                                                                                                                                                                                                                                                                                              |
| attributes   | name [*required*]           | string   | Name of the notification rule.                                                                                                                                                                                                                                                                                                                                                                                                         |
| attributes   | routing                          | object   | Routing configuration for the notification rule.                                                                                                                                                                                                                                                                                                                                                                                       |
| routing      | mode [*required*]           | enum     | The routing mode for the notification rule. `manual` sends notifications to the configured targets. Allowed enum values: `manual`                                                                                                                                                                                                                                                                                                      |
| attributes   | selectors [*required*]      | object   | Selectors are used to filter security issues for which notifications should be generated. Users can specify rule severities, rule types, a query to filter security issues on tags and attributes, and the trigger source. Only the trigger_source field is required.                                                                                                                                                                  |
| selectors    | query                            | string   | The query is composed of one or several key:value pairs, which can be used to filter security issues on tags and attributes.                                                                                                                                                                                                                                                                                                           |
| selectors    | rule_types                       | [string] | Security rule types used as filters in security rules.                                                                                                                                                                                                                                                                                                                                                                                 |
| selectors    | severities                       | [string] | The security rules severities to consider.                                                                                                                                                                                                                                                                                                                                                                                             |
| selectors    | trigger_source [*required*] | enum     | The type of security issues on which the rule applies. Notification rules based on security signals need to use the trigger source "security_signals", while notification rules based on security vulnerabilities need to use the trigger source "security_findings". Allowed enum values: `security_findings,security_signals`                                                                                                        |
| attributes   | targets [*required*]        | [string] | List of recipients to notify when a notification rule is triggered. Many different target types are supported, such as email addresses, Slack channels, and PagerDuty services. The appropriate integrations need to be properly configured to send notifications to the specified targets.                                                                                                                                            |
| attributes   | time_aggregation                 | int64    | Time aggregation period (in seconds) is used to aggregate the results of the notification rule evaluation. Results are aggregated over a selected time frame using a rolling window, which updates with each new evaluation. Notifications are only sent for new issues discovered during the window. Time aggregation is only available for vulnerability-based notification rules. When omitted or set to 0, no aggregation is done. |
| data         | type [*required*]           | enum     | The rule type associated to notification rules. Allowed enum values: `notification_rules`                                                                                                                                                                                                                                                                                                                                              |

{% /tab %}

{% tab title="Example" %}

```json
{
  "data": {
    "attributes": {
      "enabled": true,
      "name": "Rule 1",
      "selectors": {
        "query": "env:prod",
        "rule_types": [
          "log_detection"
        ],
        "severities": [
          "critical"
        ],
        "trigger_source": "security_signals"
      },
      "targets": [
        "@john.doe@email.com"
      ]
    },
    "type": "notification_rules"
  }
}
```

{% /tab %}

### Response

{% tab title="200" %}
OK
{% tab title="Model" %}
Response from the notification preview request.

| Parent field    | Field                                 | Type     | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
| --------------- | ------------------------------------- | -------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|                 | data [*required*]                | object   | The notification preview response data.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |
| data            | attributes [*required*]          | object   | Attributes of the notification preview response.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
| attributes      | preview_results [*required*]     | [object] | List of preview results for each rule type matched by the notification rule.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           |
| preview_results | notification_status [*required*] | enum     | The notification status for the given rule type. `SUCCESS` means a matching event was found and the notification was sent successfully. `DEFAULT` means no matching event was found and a default placeholder notification was sent instead. `ERROR` means an error occurred while sending the notification. Allowed enum values: `SUCCESS,DEFAULT,ERROR`                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
| preview_results | rule_type [*required*]           | enum     | Security rule type which can be used in security rules. Signal-based notification rules can filter signals based on rule types application_security, log_detection, workload_security, signal_correlation, cloud_configuration and infrastructure_configuration. Vulnerability-based notification rules can filter vulnerabilities based on rule types application_code_vulnerability, application_library_vulnerability, attack_path, container_image_vulnerability, identity_risk, misconfiguration, api_security, host_vulnerability, iac_misconfiguration, sast_vulnerability and secret_vulnerability. Allowed enum values: `application_security,log_detection,workload_security,signal_correlation,cloud_configuration,infrastructure_configuration,application_code_vulnerability,application_library_vulnerability,attack_path,container_image_vulnerability` |
| data            | id                                    | string   | The ID of the notification preview response.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           |
| data            | type [*required*]                | enum     | The type of the notification preview response. Allowed enum values: `notification_preview_response`                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |

{% /tab %}

{% tab title="Example" %}

```json
{
  "data": {
    "attributes": {
      "preview_results": [
        {
          "notification_status": "SUCCESS",
          "rule_type": "log_detection"
        }
      ]
    },
    "id": "rka-loa-zwu",
    "type": "notification_preview_response"
  }
}
```

{% /tab %}

{% /tab %}

{% tab title="400" %}
Bad Request
{% tab title="Model" %}
API error response.

| Parent field | Field                    | Type     | Description                                                                     |
| ------------ | ------------------------ | -------- | ------------------------------------------------------------------------------- |
|              | errors [*required*] | [object] | A list of errors.                                                               |
| errors       | detail                   | string   | A human-readable explanation specific to this occurrence of the error.          |
| errors       | meta                     | object   | Non-standard meta-information about the error                                   |
| errors       | source                   | object   | References to the source of the error.                                          |
| source       | header                   | string   | A string indicating the name of a single request header which caused the error. |
| source       | parameter                | string   | A string indicating which URI query parameter caused the error.                 |
| source       | pointer                  | string   | A JSON pointer to the value in the request document that caused the error.      |
| errors       | status                   | string   | Status code of the response.                                                    |
| errors       | title                    | string   | Short human-readable summary of the error.                                      |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    {
      "detail": "Missing required attribute in body",
      "meta": {},
      "source": {
        "header": "Authorization",
        "parameter": "limit",
        "pointer": "/data/attributes/title"
      },
      "status": "400",
      "title": "Bad Request"
    }
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="403" %}
Not Authorized
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="429" %}
Too many requests
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

### Code Example

##### 
                          \## default
# 
 \# Curl command curl -X POST "https://api.datadoghq.com/api/v2/security_monitoring/configuration/notification_rules/send_notification_preview" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "data": {
    "attributes": {
      "enabled": true,
      "name": "Rule 1",
      "selectors": {
        "query": "env:prod",
        "rule_types": [
          "log_detection"
        ],
        "severities": [
          "critical"
        ],
        "trigger_source": "security_signals"
      },
      "targets": [
        "@john.doe@email.com"
      ]
    },
    "type": "notification_rules"
  }
}
EOF 
                        
##### 

```go
// Test a notification rule returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	body := datadogV2.CreateNotificationRuleParameters{
		Data: &datadogV2.CreateNotificationRuleParametersData{
			Attributes: datadogV2.CreateNotificationRuleParametersDataAttributes{
				Enabled: datadog.PtrBool(true),
				Name:    "Rule 1",
				Selectors: datadogV2.Selectors{
					Query: datadog.PtrString("env:prod"),
					RuleTypes: []datadogV2.RuleTypesItems{
						datadogV2.RULETYPESITEMS_LOG_DETECTION,
					},
					Severities: []datadogV2.RuleSeverity{
						datadogV2.RULESEVERITY_CRITICAL,
					},
					TriggerSource: datadogV2.TRIGGERSOURCE_SECURITY_SIGNALS,
				},
				Targets: []string{
					"@john.doe@email.com",
				},
			},
			Type: datadogV2.NOTIFICATIONRULESTYPE_NOTIFICATION_RULES,
		},
	}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.SendSecurityMonitoringNotificationPreview(ctx, body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.SendSecurityMonitoringNotificationPreview`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.SendSecurityMonitoringNotificationPreview`:\n%s\n", responseContent)
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest.md?code-lang=go) and then save the example to `main.go` and run following commands:
    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
##### 

```java
// Test a notification rule returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.CreateNotificationRuleParameters;
import com.datadog.api.client.v2.model.CreateNotificationRuleParametersData;
import com.datadog.api.client.v2.model.CreateNotificationRuleParametersDataAttributes;
import com.datadog.api.client.v2.model.NotificationRulePreviewResponse;
import com.datadog.api.client.v2.model.NotificationRulesType;
import com.datadog.api.client.v2.model.RuleSeverity;
import com.datadog.api.client.v2.model.RuleTypesItems;
import com.datadog.api.client.v2.model.Selectors;
import com.datadog.api.client.v2.model.TriggerSource;
import java.util.Collections;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    CreateNotificationRuleParameters body =
        new CreateNotificationRuleParameters()
            .data(
                new CreateNotificationRuleParametersData()
                    .attributes(
                        new CreateNotificationRuleParametersDataAttributes()
                            .enabled(true)
                            .name("Rule 1")
                            .selectors(
                                new Selectors()
                                    .query("env:prod")
                                    .ruleTypes(
                                        Collections.singletonList(RuleTypesItems.LOG_DETECTION))
                                    .severities(Collections.singletonList(RuleSeverity.CRITICAL))
                                    .triggerSource(TriggerSource.SECURITY_SIGNALS))
                            .targets(Collections.singletonList("@john.doe@email.com")))
                    .type(NotificationRulesType.NOTIFICATION_RULES));

    try {
      NotificationRulePreviewResponse result =
          apiInstance.sendSecurityMonitoringNotificationPreview(body);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#sendSecurityMonitoringNotificationPreview");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest.md?code-lang=java) and then save the example to `Example.java` and run following commands:
    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"
##### 

```python
"""
Test a notification rule returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.create_notification_rule_parameters import CreateNotificationRuleParameters
from datadog_api_client.v2.model.create_notification_rule_parameters_data import CreateNotificationRuleParametersData
from datadog_api_client.v2.model.create_notification_rule_parameters_data_attributes import (
    CreateNotificationRuleParametersDataAttributes,
)
from datadog_api_client.v2.model.notification_rules_type import NotificationRulesType
from datadog_api_client.v2.model.rule_severity import RuleSeverity
from datadog_api_client.v2.model.rule_types_items import RuleTypesItems
from datadog_api_client.v2.model.selectors import Selectors
from datadog_api_client.v2.model.trigger_source import TriggerSource

body = CreateNotificationRuleParameters(
    data=CreateNotificationRuleParametersData(
        attributes=CreateNotificationRuleParametersDataAttributes(
            enabled=True,
            name="Rule 1",
            selectors=Selectors(
                query="env:prod",
                rule_types=[
                    RuleTypesItems.LOG_DETECTION,
                ],
                severities=[
                    RuleSeverity.CRITICAL,
                ],
                trigger_source=TriggerSource.SECURITY_SIGNALS,
            ),
            targets=[
                "@john.doe@email.com",
            ],
        ),
        type=NotificationRulesType.NOTIFICATION_RULES,
    ),
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.send_security_monitoring_notification_preview(body=body)

    print(response)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest.md?code-lang=python) and then save the example to `example.py` and run following commands:
    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
##### 

```ruby
# Test a notification rule returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

body = DatadogAPIClient::V2::CreateNotificationRuleParameters.new({
  data: DatadogAPIClient::V2::CreateNotificationRuleParametersData.new({
    attributes: DatadogAPIClient::V2::CreateNotificationRuleParametersDataAttributes.new({
      enabled: true,
      name: "Rule 1",
      selectors: DatadogAPIClient::V2::Selectors.new({
        query: "env:prod",
        rule_types: [
          DatadogAPIClient::V2::RuleTypesItems::LOG_DETECTION,
        ],
        severities: [
          DatadogAPIClient::V2::RuleSeverity::CRITICAL,
        ],
        trigger_source: DatadogAPIClient::V2::TriggerSource::SECURITY_SIGNALS,
      }),
      targets: [
        "@john.doe@email.com",
      ],
    }),
    type: DatadogAPIClient::V2::NotificationRulesType::NOTIFICATION_RULES,
  }),
})
p api_instance.send_security_monitoring_notification_preview(body)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest.md?code-lang=ruby) and then save the example to `example.rb` and run following commands:
    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" rb "example.rb"
##### 

```rust
// Test a notification rule returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::CreateNotificationRuleParameters;
use datadog_api_client::datadogV2::model::CreateNotificationRuleParametersData;
use datadog_api_client::datadogV2::model::CreateNotificationRuleParametersDataAttributes;
use datadog_api_client::datadogV2::model::NotificationRulesType;
use datadog_api_client::datadogV2::model::RuleSeverity;
use datadog_api_client::datadogV2::model::RuleTypesItems;
use datadog_api_client::datadogV2::model::Selectors;
use datadog_api_client::datadogV2::model::TriggerSource;

#[tokio::main]
async fn main() {
    let body =
        CreateNotificationRuleParameters::new().data(CreateNotificationRuleParametersData::new(
            CreateNotificationRuleParametersDataAttributes::new(
                "Rule 1".to_string(),
                Selectors::new(TriggerSource::SECURITY_SIGNALS)
                    .query("env:prod".to_string())
                    .rule_types(vec![RuleTypesItems::LOG_DETECTION])
                    .severities(vec![RuleSeverity::CRITICAL]),
                vec!["@john.doe@email.com".to_string()],
            )
            .enabled(true),
            NotificationRulesType::NOTIFICATION_RULES,
        ));
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api
        .send_security_monitoring_notification_preview(body)
        .await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest.md?code-lang=rust) and then save the example to `src/main.rs` and run following commands:
    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run
##### 

```typescript
/**
 * Test a notification rule returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiSendSecurityMonitoringNotificationPreviewRequest =
  {
    body: {
      data: {
        attributes: {
          enabled: true,
          name: "Rule 1",
          selectors: {
            query: "env:prod",
            ruleTypes: ["log_detection"],
            severities: ["critical"],
            triggerSource: "security_signals",
          },
          targets: ["@john.doe@email.com"],
        },
        type: "notification_rules",
      },
    },
  };

apiInstance
  .sendSecurityMonitoringNotificationPreview(params)
  .then((data: v2.NotificationRulePreviewResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest.md?code-lang=typescript) and then save the example to `example.ts` and run following commands:
    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"
{% /tab %}
