A security signal is generated when a threat is detected in Datadog Security. You can send notifications to keep your team informed when these signals are generated.

Notifications can be set up for specific detection rules and also more broadly with notification rules. See Notification Variables to learn how to customize the notifications based on the signal’s severity and specific context on the threat.

Notification channels

Send notifications through email, Slack, Jira, PagerDuty, or a webhook.


  • Notify an active Datadog user by email with @<DD_USER_EMAIL_ADDRESS>.

    Note: An email address associated with a pending Datadog user invitation or a disabled user is considered inactive and does not receive notifications.

  • Notify any non-Datadog user by email with @<EMAIL>.


Notify your team through connected integrations by using the format @<INTEGRATION_NAME>-<VALUES>.

This table lists prefixes and example links:


Handles that include parentheses ((, )) are not supported. When a handle with parentheses is used, the handle is not parsed and no alert is created.

Detection Rule notifications

When you create or modify a new detection rule, you can use the Set rule case and Say what’s happening section to define the notifications that are sent.

Set rule case

In the Set rule case section, add rule cases to determine when a detection rule triggers a security signal and the severity of the signal. Use the Notify dropdown to send signal notifications generated from that case to the selected recipient(s).

Say what’s happening

Use the Say what’s happening section to determine the content that is sent when a signal is generated.

Rule name

Add a rule name for your detection rule. The rule name appears in the Detection Rules list view, as well as the title of the signal.


Use standard Markdown and notification variables to provide specific details about the signal by referencing its tags and event attributes.


Use the Tag resulting signals dropdown to tag your signals with different tags. For example, attack:sql-injection-attempt.

Notification rules

Notification rules allow you to set general alerting preferences so that you don’t have to set up notification preferences for individual detection rules. For example, you can set up a notification rule to send a notification if any CRITICAL or HIGH severity signal is triggered. See Notification Rules for more information on setup and configuration.

Further reading