GetSecurityMonitoringRule
Retrieve detailed information about a specific security monitoring rule by its ID using Datadog MCP Server. Supports JSON responses for success, not found, and rate limit errors.
Instructions
Get a rule's details.
Path Parameters:
rule_id (Required): The ID of the rule.
Responses:
200 (Success): OK
Content-Type:
application/json
404: Not Found
Content-Type:
application/jsonResponse Properties:
errors: A list of errors.
Example:
{
"errors": [
"Bad Request"
]
}429: Too many requests
Content-Type:
application/jsonResponse Properties:
errors: A list of errors.
Example:
{
"errors": [
"Bad Request"
]
}Input Schema
TableJSON Schema
| Name | Required | Description | Default |
|---|---|---|---|
| rule_id | Yes | The ID of the rule. |
Output Schema
TableJSON Schema
| Name | Required | Description | Default |
|---|---|---|---|
| result | Yes | Create a new rule. |
Implementation Reference
- datadog_mcp/server.py:75-146 (registration)The _get_route_filters method defines the whitelist of allowed read-only Datadog API endpoints, including '^/api/v2/security_monitoring.*' which enables the auto-generated 'GetSecurityMonitoringRule' tool (corresponding to GET /api/v2/security_monitoring/rules/{rule_id}). This is the registration point where the tool is included via FastMCP OpenAPI route mapping.
def _get_route_filters(self) -> list[RouteMap]: """Get route filtering rules for safe observability-focused tools. Security Model: 1. DENY ALL destructive operations (POST, PUT, PATCH, DELETE) 2. ALLOW ONLY specific read-only GET endpoints 3. DEFAULT DENY everything else This whitelist approach ensures only safe, read-only operations are exposed through the MCP interface. """ # Define safe read-only endpoints for observability workflows safe_endpoints = [ # Metrics and time-series data r"^/api/v2/metrics.*", # Query metrics data r"^/api/v2/query/.*", # Time-series queries # Dashboards and visualizations r"^/api/v2/dashboards.*", # Dashboard configurations r"^/api/v2/notebooks.*", # Notebook data # Monitoring and alerts r"^/api/v2/monitors.*", # Monitor configurations r"^/api/v2/downtime.*", # Scheduled downtimes r"^/api/v2/synthetics.*", # Synthetic tests # Logs and events r"^/api/v2/logs/events/search$", # Search logs r"^/api/v2/logs/events$", # List log events r"^/api/v2/logs/config.*", # Log pipeline configs # APM and traces r"^/api/v2/apm/.*", # APM data r"^/api/v2/traces/.*", # Trace data r"^/api/v2/spans/.*", # Span data # Infrastructure r"^/api/v2/hosts.*", # Host information r"^/api/v2/tags.*", # Tag management (read) r"^/api/v2/usage.*", # Usage statistics # Service management r"^/api/v2/services.*", # Service catalog r"^/api/v2/slos.*", # Service level objectives r"^/api/v2/incidents.*", # Incident management # Security and compliance r"^/api/v2/security_monitoring.*", # Security signals r"^/api/v2/cloud_workload_security.*", # CWS data # Teams and organization (read-only) r"^/api/v2/users.*", # User information r"^/api/v2/roles.*", # Role information r"^/api/v2/teams.*", # Team structure # API metadata r"^/api/v2/api_keys$", # List API keys (no create/delete) r"^/api/v2/application_keys$", # List app keys (no create/delete) ] filters = [ # SECURITY: Block ALL destructive operations first RouteMap( methods=["POST", "PUT", "PATCH", "DELETE"], mcp_type=MCPType.EXCLUDE ), ] # Add whitelisted read-only endpoints filters.extend( RouteMap( pattern=pattern, methods=["GET"], mcp_type=MCPType.TOOL, ) for pattern in safe_endpoints ) # SECURITY: Default deny everything else filters.append(RouteMap(pattern=r".*", mcp_type=MCPType.EXCLUDE)) return filters