---
title: AI Guard Security Signals
description: Datadog, the leading service for cloud-scale monitoring.
---

# AI Guard Security Signals

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com

{% alert level="danger" %}
AI Guard isn't available on this site.
{% /alert %}
{% /callout %}

AI Guard security signals provide visibility into threats and attacks AI Guard detects in your applications. These signals are built on top of [AAP (Application and API Protection) security signals](https://docs.datadoghq.com/security/application_security/security_signals.md) and integrate with Datadog's security monitoring workflows.

## Understand AI Guard signals{% #understand-ai-guard-signals %}

Datadog creates AI Guard security signals when it detects a threat based on a configured detection rule. Signals indicating threats such as prompt injection, jailbreaking, or tool misuse appear in the Datadog Security Signals explorer. These signals can provide:

- **Threat detection**: Attack context based on your configured detection rules
- **Action insights**: Whether actions were blocked or allowed, according to your rule settings
- **Rich investigation context**: Attack categories detected, AI Guard evaluation results, and links to related AI Guard spans for comprehensive analysis
- **Custom runbooks**: Custom remediation guidance and response procedures for specific threat scenarios

## Create detection rules{% #create-detection-rules %}

You can create custom detection rules by defining thresholds for when you want to receive notifications; for example, more than 5 `DENY` actions in 10 minutes. When AI Guard evaluations exceed those thresholds, Datadog generates security signals.

To create AI Guard detection rules:

1. In Datadog, go to the [AI Guard detection rule explorer](https://app.datadoghq.com/security/ai-guard/settings/detection-rules), then click **New Rule**.
   {% image
      source="https://docs.dd-static.net/images/security/ai_guard/ai_guard_detection_rules_1.4a24778ad2c3fcf13cf258866b07b313.png?auto=format&fit=max&w=850 1x, https://docs.dd-static.net/images/security/ai_guard/ai_guard_detection_rules_1.4a24778ad2c3fcf13cf258866b07b313.png?auto=format&fit=max&w=850&dpr=2 2x"
      alt="AI Guard Detection Rules Explorer" /%}
1. Under **Define Search Queries**, define the types of tags you want to create signals for. You can use the following AI Guard attributes to filter and target specific threat patterns:
   | Tag | Description | Possible values |
   | --- | --- | --- |
   | `@ai_guard.action` | Filter by AI Guard's evaluation result | `ALLOW` or `DENY` |
   | `@ai_guard.attack_categories` | Target specific attack types | `jailbreak`, `indirect-prompt-injection`, `destructive-tool-call`, `denial-of-service-tool-call`, `security-exploit`, `authority-override`, `role-play`, `instruction-override`, `obfuscation`, `system-prompt-extraction`, `data-exfiltration` |
   | `@ai_guard.blocked` | Filter based on whether an action in the trace was blocked | `true` or `false` |
   | `@ai_guard.tools` | Filter by specific tool names involved in the evaluation | `get_user_profile`, `user_recent_transactions`, etc. |
   | `@ai_guard.sds.categories` | Filter by sensitive data categories detected by Sensitive Data Scanner | `credentials`, `email_address`, etc. |
   | `@ai_guard.sds.rule_tags` | Filter by specific sensitive data rule tags | `aws_access_key_id`, `aws_secret_access_key`, `claude_api_key`, `email_address`, etc. |
1. Under **Define Rule Conditions**, define your threshold conditions, set severity levels, choose who should get notifications for new signals and how often, and choose security responses to take.
1. Under **Describe your Playbook**, customize the notification and define tags to send with the signals.

For more comprehensive detection rule capabilities, see [detection rules](https://docs.datadoghq.com/security/detection_rules.md).
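
To sanity-check a threshold before saving a rule, the following added example (not Datadog code, and not how the rule engine is implemented) replays constructed evaluations through a local model of the "more than 5 `DENY` actions in 10 minutes" condition. The event dictionary shape, the `service` grouping field, and the function names are assumptions made for illustration.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed sample evaluations (not real AI Guard output). Keys mirror the
# tag names in the table above; "service" is an assumed grouping field.
T0 = datetime(2025, 1, 1, 12, 0, 0)

def ev(minute, action, categories=(), service="chat-agent"):
    return {"ts": T0 + timedelta(minutes=minute), "service": service,
            "ai_guard.action": action,
            "ai_guard.attack_categories": list(categories)}

EVENTS = [
    ev(0, "DENY", ["jailbreak"]), ev(1, "ALLOW"), ev(2, "DENY", ["role-play"]),
    ev(3, "DENY", ["jailbreak"]), ev(4, "DENY", ["instruction-override"]),
    ev(5, "DENY", ["jailbreak"]),           # 5th DENY: at the threshold, not over
    ev(8, "DENY", ["data-exfiltration"]),   # 6th DENY inside 10 minutes
    ev(30, "DENY", ["jailbreak"], service="billing-agent"),  # isolated event
]

def matches(event, action="DENY", categories=None):
    """Filter on @ai_guard.action and, optionally, @ai_guard.attack_categories."""
    if event["ai_guard.action"] != action:
        return False
    if categories is None:
        return True
    return bool(set(categories) & set(event["ai_guard.attack_categories"]))

def signals(events, threshold=5, window=timedelta(minutes=10), **query):
    """Return (service, timestamp) each time the count of matching events in
    the trailing window rises above the threshold for that service."""
    recent, fired, out = {}, set(), []
    for e in sorted(events, key=lambda e: e["ts"]):
        if not matches(e, **query):
            continue
        q = recent.setdefault(e["service"], deque())
        q.append(e["ts"])
        while q and e["ts"] - q[0] >= window:   # drop events older than window
            q.popleft()
        if len(q) > threshold:
            if e["service"] not in fired:       # one signal per exceedance
                fired.add(e["service"])
                out.append((e["service"], e["ts"]))
        else:
            fired.discard(e["service"])
    return out

if __name__ == "__main__":
    for service, ts in signals(EVENTS):
        print(f"signal: {service} exceeded 5 DENY actions in 10 min at {ts}")
```

Passing `categories=[...]` narrows the count to specific attack types, which shows how much lower a per-category threshold needs to be than an all-`DENY` threshold on the same traffic.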

## Investigate signals{% #investigate-signals %}

You can view and investigate AI Guard security signals, and correlate them with other security events, in two places:

- [Application and API Protection Security Signals explorer](https://app.datadoghq.com/security/ai-guard/signals)

- [Cloud SIEM Security Signals explorer](https://app.datadoghq.com/security/siem/signals)

In the Cloud SIEM Security Signals explorer, beside the search bar, click the **Filter** icon and select the **App & API Protection** checkbox to view AI Guard signals.

The Security Signals explorers allow you to filter, prioritize, and investigate AI Guard signals alongside other application security threats, providing a unified view of your security posture.

## Further reading{% #further-reading %}

- [AI Guard](https://docs.datadoghq.com/security/ai_guard.md)
- [Get Started with AI Guard](https://docs.datadoghq.com/security/ai_guard/onboarding.md)
- [Detection Rules](https://docs.datadoghq.com/security/detection_rules.md)
