Migrate to the New Security Findings Data Model
Overview
To make it easier to search for security findings throughout Datadog, the syntax for search queries is changing:
- Standardized naming conventions for security finding data fields
- A new schema to consistently organize those fields across security products
This change comes with a set of new features that use the new schema, and may also impact your existing workflows. This page details what is changing, the workflows that Datadog automatically updates, and the changes you need to make to avoid interruptions in your existing workflows.
Datadog will start rolling out changes January 28, 2026. You should plan to update any affected workflows in the first half of 2026 to avoid any interruptions as Datadog deprecates the old syntax.
View the new security findings schema so you can understand how finding details will be stored.
Required action
- If you use certain API endpoints or Terraform resources, changes will be required:
  - For List findings and Get a finding API endpoints, update your API calls to use the new unified Findings API. The documentation for this API will be published in early January 2026.
  - For datadog_security_notification_rule Terraform resources with trigger_source: "security_findings", update query values to use the new search syntax, starting January 28, 2026.
- If you do not use public APIs or the security findings notification rules Terraform resource, no changes are required. The following queries are updated automatically in the UI:
  - Explorers
  - Dashboards
  - Notification rules
  - Automation pipelines
  - Workflows
If you need assistance with your migration, contact Datadog support.
What is changing
New querying syntax
Following this change, you can use the same query syntax for all security findings, using attributes organized around namespaces. Here are some practical examples:
| Before | After (all findings) |
|---|---|
| Misconfigurations: @workflow.triage.status:open status:critical; Library vulnerabilities: status:open severity:Critical | @status:open @severity:critical |
| Misconfigurations: @dd_computed_attributes.is_publicly_accessible:true; Host Vulnerabilities: is_publicly_accessible:Accessible | @risk.is_publicly_accessible:true |
| Library Vulnerabilities: library_name:org.apache.logging.log4j; Host Vulnerabilities: package:org.apache.logging.log4j | @package.name:org.apache.logging.log4j |
View the full specification at Security Findings Schema Reference.
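The table shows that a bare `status:` meant severity in misconfiguration queries but triage status in library vulnerability queries, so a rewrite has to know the finding type. The following sketch is an added example, not Datadog code: it rewrites only the attributes shown in the table, and its function names and finding-type labels are assumptions made for illustration.

```python
# Added example: rewrite rules cover ONLY the three rows of the table above.
# Finding-type labels and function names are this example's own, not Datadog identifiers.

def _accessible(value):
    # The table only shows Accessible -> true; other values need manual review.
    return "@risk.is_publicly_accessible:true" if value == "Accessible" else None

LEGACY_RULES = {
    "misconfiguration": {
        "@workflow.triage.status": lambda v: f"@status:{v}",
        "status": lambda v: f"@severity:{v.lower()}",  # bare status meant severity
        "@dd_computed_attributes.is_publicly_accessible":
            lambda v: f"@risk.is_publicly_accessible:{v}",
    },
    "library_vulnerability": {
        "status": lambda v: f"@status:{v}",            # bare status meant triage state
        "severity": lambda v: f"@severity:{v.lower()}",
        "library_name": lambda v: f"@package.name:{v}",
    },
    "host_vulnerability": {
        "is_publicly_accessible": _accessible,
        "package": lambda v: f"@package.name:{v}",
    },
}
NEW_KEYS = {"@status", "@severity", "@risk.is_publicly_accessible", "@package.name"}


def migrate_query(query, finding_type):
    """Return (rewritten_query, tokens_needing_manual_review)."""
    rules = LEGACY_RULES[finding_type]
    out, review = [], []
    for token in query.split():
        key, sep, value = token.partition(":")
        rewrite = rules.get(key) if sep else None
        new = rewrite(value) if rewrite else None
        if new is None and sep and key not in NEW_KEYS:
            review.append(token)  # unknown attribute or value: check the schema reference
        out.append(new or token)
    return " ".join(out), review


if __name__ == "__main__":
    # Constructed sample queries, built from the "Before" column of the table.
    for ftype, q in [("misconfiguration", "@workflow.triage.status:open status:critical"),
                     ("library_vulnerability", "status:open severity:Critical env:prod")]:
        print(ftype, "->", migrate_query(q, ftype))
```

Tokens returned in the review list were left unchanged; it handles whitespace-separated `key:value` tokens only, so quoted values and negated terms also land in the review list.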
New features
Starting January 28, 2026, the following features will be made available and use the new data model:
The following additional features will be released later:
Security findings
Security findings encompass misconfigurations, vulnerabilities, and security risks identified across your infrastructure and applications. This table shows the scope of security findings across Datadog and which findings are supported in the new data model.
| Product | Finding Type | Support |
|---|---|---|
| Cloud Security | Misconfigurations (CSPM) | Supported |
| Cloud Security | Identity risks (CIEM) | Supported |
| Cloud Security | Attack paths | Supported |
| Cloud Security | Host & container vulnerabilities | Support coming later |
| App & API Protection (Preview) | API security findings | Supported |
| Code Security | Infrastructure as code (IaC) | Supported |
| Code Security | Library vulnerabilities (SCA) | Support coming later |
| Code Security | Static code vulnerabilities (SAST) | Support coming later |
| Code Security | Runtime code vulnerabilities (IAST) | Support coming later |
| Code Security | Secrets | Support coming later |
Further reading
Additional helpful links, articles, and documentation: