---
isPrivate: true
title: Migrate to the New Security Findings Data Model
description: >-
  Learn how to migrate to the unified Security Findings query syntax and data
  model, which consolidates querying across Cloud Security and Code Security
  findings.
---

# Migrate to the New Security Findings Data Model

## Overview{% #overview %}

To make it easier to search for security findings throughout Datadog, the syntax for search queries is changing:

- **Standardized naming conventions** for security finding data fields
- **A new schema** to consistently organize those fields across security products

This change comes with a set of new features that use the new schema, and may also impact your existing workflows. This page details what is changing, the workflows that Datadog automatically updates, and the changes you need to make to avoid interruptions in your existing workflows.

{% alert level="warning" %}
Datadog will start rolling out changes January 28, 2026. You should plan to update any affected workflows in the first half of 2026 to avoid any interruptions as Datadog deprecates the old syntax.
{% /alert %}

{% callout %}
View the new security findings schema so you can understand how finding details will be stored.

[VIEW THE SCHEMA](https://docs.datadoghq.com/security/guide/findings-schema/)
{% /callout %}

### Required action{% #required-action %}

- If you use certain API endpoints or Terraform resources, **changes will be required**:
  - For [List findings](https://docs.datadoghq.com/api/latest/security-monitoring/#list-findings) and [Get a finding](https://docs.datadoghq.com/api/latest/security-monitoring/#get-a-finding) API endpoints, update your API calls to use the new unified [Search security findings](https://docs.datadoghq.com/api/latest/security-monitoring/#search-security-findings) endpoint.
  - For [`datadog_security_notification_rule`](https://registry.terraform.io/providers/DataDog/datadog/latest/docs/resources/security_notification_rule) Terraform resources with `trigger_source: "security_findings"`, update `query` values to use the new search syntax:
    - Starting January 28, 2026, you can migrate your notification rules if they only include finding types that support the new data model (those listed as ***Supported*** in the Security Findings table).
    - If your Terraform notification rules include a finding type that does not yet support the new data model (those listed with ***Support coming later*** in the Security Findings table), you should wait until full support is available.
    - If you choose not to migrate Terraform notification rules whose finding types support the new data model, your existing notification rules continue to operate until full support for all finding types is available. Any ***required*** changes are clearly communicated in advance.
- If you do not use public APIs or the security findings notification rules Terraform resource, **no changes are required**. The following queries are updated automatically in the UI:
  - Explorers
  - Dashboards
  - Notification rules
  - Automation pipelines
  - Workflows

If you need assistance with your migration, contact [Datadog support](https://docs.datadoghq.com/help).

## What is changing{% #what-is-changing %}

### New querying syntax{% #new-querying-syntax %}

Following this change, you can use the same query syntax for all security findings, using attributes organized around namespaces. Here are some practical examples:

| Before                                                                                                                                    | After (all findings)                     |
| ----------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------- |
| **Misconfigurations:** `@workflow.triage.status:open status:critical`<br>**Library vulnerabilities:** `status:open severity:Critical` | `@status:open @severity:critical` |
| **Misconfigurations:** `@dd_computed_attributes.is_publicly_accessible:true`<br>**Host Vulnerabilities:** `is_publicly_accessible:Accessible` | `@risk.is_publicly_accessible:true` |
| **Library Vulnerabilities:** `library_name:org.apache.logging.log4j`<br>**Host Vulnerabilities:** `package:org.apache.logging.log4j` | `@package.name:org.apache.logging.log4j` |

View the full specification at [Security Findings Schema Reference](https://docs.datadoghq.com/security/guide/findings-schema/).
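The table shows that the same legacy key can mean different things per finding type (`status` is severity for misconfigurations but triage status for library vulnerabilities), so a rewrite has to be keyed on finding type. The following is an added example, not Datadog tooling: it rewrites only the terms shown in the table and reports everything else as unmapped for manual lookup in the schema reference. The finding-type labels, the function names, and the generalization from the table's sample values to other values of the same key are assumptions of this example.

```python
# Added example: mappings come only from the before/after table on this page.
# Finding-type labels ("misconfiguration", ...) are names chosen for this example.

def _same(new_key):
    # Keep the value as written, change only the attribute name.
    return lambda value: f"{new_key}:{value}"

def _lower(new_key):
    # The table shows severity values lowercased in the unified syntax.
    return lambda value: f"{new_key}:{value.lower()}"

def _accessible(value):
    # Only Accessible -> true is shown on the page; other values stay unmapped.
    return "@risk.is_publicly_accessible:true" if value == "Accessible" else None

LEGACY_TERMS = {
    "misconfiguration": {
        "@workflow.triage.status": _same("@status"),
        "status": _lower("@severity"),  # legacy "status" meant severity here
        "@dd_computed_attributes.is_publicly_accessible":
            _same("@risk.is_publicly_accessible"),
    },
    "library_vulnerability": {
        "status": _same("@status"),     # legacy "status" meant triage status here
        "severity": _lower("@severity"),
        "library_name": _same("@package.name"),
    },
    "host_vulnerability": {
        "is_publicly_accessible": _accessible,
        "package": _same("@package.name"),
    },
}

UNIFIED_KEYS = {"@status", "@severity", "@risk.is_publicly_accessible", "@package.name"}

def migrate_query(finding_type, query):
    """Return (rewritten_query, unmapped_terms) for one legacy query string."""
    rules = LEGACY_TERMS[finding_type]
    out, unmapped = [], []
    for token in query.split():
        key, sep, value = token.partition(":")
        if not sep or key in UNIFIED_KEYS:   # operators, free text, already migrated
            out.append(token)
            continue
        rewrite = rules.get(key)
        new_term = rewrite(value) if rewrite else None
        if new_term is None:                 # not covered by the table: flag for review
            unmapped.append(token)
        out.append(new_term or token)
    return " ".join(out), unmapped
```

A non-empty `unmapped_terms` list means the query still needs a manual check against the schema reference before it is committed to a Terraform `query` value or an API call.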

### New features{% #new-features %}

Starting January 28, 2026, the following features will be made available and use the new data model:

- Unified search queries for Cloud Security [Misconfigurations](https://docs.datadoghq.com/security/cloud_security_management/misconfigurations/), [Identity Risks](https://docs.datadoghq.com/security/cloud_security_management/identity_risks/), [Attack Paths](https://docs.datadoghq.com/security/security_inbox/?s=attack%20path#types-of-findings-in-security-inbox), [IaC](https://docs.datadoghq.com/security/code_security/iac_security/), and [API](https://docs.datadoghq.com/security/application_security/api-inventory/#api-findings) findings
- A new unified [public findings API](https://docs.datadoghq.com/api/latest/security-monitoring/#search-security-findings)
- [Dashboard](https://docs.datadoghq.com/dashboards) support for Code Security
- Graphing security findings in [Datadog Sheets](https://docs.datadoghq.com/sheets)
- Datadog [Workflow Automation](https://docs.datadoghq.com/actions/workflows) support for all finding types
- Using SQL to query security findings and join them with other Datadog telemetry using [DDSQL Editor](https://docs.datadoghq.com/ddsql_editor)

The following additional features will be released later:

- Support for Cloud Security Vulnerabilities and Code Security findings (SCA, SAST, IAST, Secrets) in the unified search experience
- [Data Access Controls](https://docs.datadoghq.com/account_management/rbac/data_access)
- Security findings & tools in the [Datadog MCP Server](https://docs.datadoghq.com/bits_ai/mcp_server)
- API & Terraform support for [automation pipelines](https://docs.datadoghq.com/security/automation_pipelines)

### Security findings{% #security-findings %}

Security findings encompass misconfigurations, vulnerabilities, and security risks identified across your infrastructure and applications. This table shows the scope of security findings across Datadog and which findings are supported in the new data model.

| Product                                                                                         | Finding Type                 | Support   |
| ----------------------------------------------------------------------------------------------- | ---------------------------- | --------- |
| [**Cloud Security**](https://docs.datadoghq.com/security/cloud_security_management/)            | Misconfigurations (CSPM)            | Supported            |
|                                                                                                 | Identity risks (CIEM)               | Supported            |
|                                                                                                 | Attack paths                        | Supported            |
|                                                                                                 | Host & container vulnerabilities    | Support coming later |
| [**App & API Protection**](https://docs.datadoghq.com/security/application_security/) (Preview) | API security findings               | Supported            |
| [**Code Security**](https://docs.datadoghq.com/security/code_security/)                         | Infrastructure as code (IaC)        | Supported            |
|                                                                                                 | Library vulnerabilities (SCA)       | Support coming later |
|                                                                                                 | Static code vulnerabilities (SAST)  | Support coming later |
|                                                                                                 | Runtime code vulnerabilities (IAST) | Support coming later |
|                                                                                                 | Secrets                             | Support coming later |

## Further reading{% #further-reading %}

- [Cloud Security](https://docs.datadoghq.com/security/cloud_security_management/)
- [Code Security](https://docs.datadoghq.com/security/code_security/)
- [Application Security](https://docs.datadoghq.com/security/application_security/)
