ListSecurityMonitoringRules
Retrieve and manage security monitoring rules on the Datadog observability platform by using pagination parameters to filter and organize rule lists effectively.
Instructions
List rules.
Query Parameters:
page[size]: Size for a given page. The maximum allowed value is 100.
page[number]: Specific page number to return.
Responses:
200 (Success): OK
Content-Type:
application/json
Response Properties:
data: Array containing the list of rules.
Example:
400: Bad Request
Content-Type:
application/json
Response Properties:
errors: A list of errors.
Example:
429: Too many requests
Content-Type:
application/json
Response Properties:
errors: A list of errors.
Example:
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| page[number] | No | Specific page number to return. | |
| page[size] | No | Size for a given page. The maximum allowed value is 100. | |
Implementation Reference
- datadog_mcp/server.py:75-146 (registration) Registration of security monitoring tools via OpenAPI route filtering whitelist. The pattern r"^/api/v2/security_monitoring.*" enables the ListSecurityMonitoringRules tool (GET /api/v2/security_monitoring/rules) through FastMCP's dynamic OpenAPI tool generation.

```python
def _get_route_filters(self) -> list[RouteMap]:
    """Get route filtering rules for safe observability-focused tools.

    Security Model:
    1. DENY ALL destructive operations (POST, PUT, PATCH, DELETE)
    2. ALLOW ONLY specific read-only GET endpoints
    3. DEFAULT DENY everything else

    This whitelist approach ensures only safe, read-only operations
    are exposed through the MCP interface.
    """
    # Define safe read-only endpoints for observability workflows
    safe_endpoints = [
        # Metrics and time-series data
        r"^/api/v2/metrics.*",  # Query metrics data
        r"^/api/v2/query/.*",  # Time-series queries
        # Dashboards and visualizations
        r"^/api/v2/dashboards.*",  # Dashboard configurations
        r"^/api/v2/notebooks.*",  # Notebook data
        # Monitoring and alerts
        r"^/api/v2/monitors.*",  # Monitor configurations
        r"^/api/v2/downtime.*",  # Scheduled downtimes
        r"^/api/v2/synthetics.*",  # Synthetic tests
        # Logs and events
        r"^/api/v2/logs/events/search$",  # Search logs
        r"^/api/v2/logs/events$",  # List log events
        r"^/api/v2/logs/config.*",  # Log pipeline configs
        # APM and traces
        r"^/api/v2/apm/.*",  # APM data
        r"^/api/v2/traces/.*",  # Trace data
        r"^/api/v2/spans/.*",  # Span data
        # Infrastructure
        r"^/api/v2/hosts.*",  # Host information
        r"^/api/v2/tags.*",  # Tag management (read)
        r"^/api/v2/usage.*",  # Usage statistics
        # Service management
        r"^/api/v2/services.*",  # Service catalog
        r"^/api/v2/slos.*",  # Service level objectives
        r"^/api/v2/incidents.*",  # Incident management
        # Security and compliance
        r"^/api/v2/security_monitoring.*",  # Security signals
        r"^/api/v2/cloud_workload_security.*",  # CWS data
        # Teams and organization (read-only)
        r"^/api/v2/users.*",  # User information
        r"^/api/v2/roles.*",  # Role information
        r"^/api/v2/teams.*",  # Team structure
        # API metadata
        r"^/api/v2/api_keys$",  # List API keys (no create/delete)
        r"^/api/v2/application_keys$",  # List app keys (no create/delete)
    ]

    filters = [
        # SECURITY: Block ALL destructive operations first
        RouteMap(
            methods=["POST", "PUT", "PATCH", "DELETE"],
            mcp_type=MCPType.EXCLUDE
        ),
    ]

    # Add whitelisted read-only endpoints
    filters.extend(
        RouteMap(
            pattern=pattern,
            methods=["GET"],
            mcp_type=MCPType.TOOL,
        )
        for pattern in safe_endpoints
    )

    # SECURITY: Default deny everything else
    filters.append(RouteMap(pattern=r".*", mcp_type=MCPType.EXCLUDE))

    return filters
```
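To audit what this filter order actually exposes, the following added example (not code from the datadog_mcp project) models the three-stage rule list in plain Python and classifies a set of routes. It assumes rules are evaluated in order with the first match winning, that a rule without a pattern matches every path, and that patterns are applied with `re.search`; the sample routes are constructed, and only `GET /api/v2/security_monitoring/rules` is named on the page.

```python
import re

# Subset of the allowlist patterns shown in the registration code above.
SAFE_ENDPOINTS = [
    r"^/api/v2/security_monitoring.*",
    r"^/api/v2/users.*",
    r"^/api/v2/api_keys$",
]

# (methods, pattern, decision), built in the same order as the page's code:
# destructive-method block, GET allowlist, catch-all exclude.
# Assumption: a rule with no explicit pattern matches every path.
FILTERS = (
    [({"POST", "PUT", "PATCH", "DELETE"}, r".*", "EXCLUDE")]
    + [({"GET"}, pattern, "TOOL") for pattern in SAFE_ENDPOINTS]
    + [(None, r".*", "EXCLUDE")]  # None = any HTTP method
)


def classify(method: str, path: str) -> str:
    """Return the decision of the first rule matching method and path."""
    for methods, pattern, decision in FILTERS:
        method_ok = methods is None or method.upper() in methods
        if method_ok and re.search(pattern, path):
            return decision
    return "EXCLUDE"


def exposed(routes):
    """Return the (method, path) pairs that would be registered as tools."""
    return [(m, p) for m, p in routes if classify(m, p) == "TOOL"]


# Constructed sample routes for the audit.
SAMPLE_ROUTES = [
    ("GET", "/api/v2/security_monitoring/rules"),
    ("GET", "/api/v2/security_monitoring/rules/{rule_id}"),
    ("DELETE", "/api/v2/security_monitoring/rules/{rule_id}"),
    ("POST", "/api/v2/security_monitoring/rules"),
    ("GET", "/api/v2/users_export"),           # hypothetical: prefix-only match
    ("GET", "/api/v2/api_keys/{api_key_id}"),  # stopped by the '$' anchor
    ("GET", "/api/v2/example_unlisted"),       # hypothetical: default deny
]

if __name__ == "__main__":
    for m, p in SAMPLE_ROUTES:
        print(f"{classify(m, p):8} {m:6} {p}")
```

Patterns that end in `.*` with no `/` boundary admit any sibling path sharing the prefix, while the `$`-anchored key patterns admit only the exact list endpoint.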