ListSecurityMonitoringSignals
Retrieve and filter security signals using specific search queries, time ranges, and sorting criteria to monitor and analyze potential threats or anomalies.
Instructions
The list endpoint returns security signals that match a search query. Both this endpoint and the POST endpoint can be used interchangeably when listing security signals.
Query Parameters:
filter[query]: The search query for security signals.
filter[from]: The minimum timestamp for requested security signals.
filter[to]: The maximum timestamp for requested security signals.
sort: The order of the security signals in results.
page[cursor]: A list of results using the cursor provided in the previous query.
page[limit]: The maximum number of security signals in the response.
Responses:
200 (Success): OK
Content-Type: application/json
Response Properties:
data: An array of security signals matching the request.
400: Bad Request
Content-Type: application/json
Response Properties:
errors: A list of errors.
403: Not Authorized
Content-Type: application/json
Response Properties:
errors: A list of errors.
429: Too many requests
Content-Type: application/json
Response Properties:
errors: A list of errors.
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| filter[from] | No | The minimum timestamp for requested security signals. | |
| filter[query] | No | The search query for security signals. | |
| filter[to] | No | The maximum timestamp for requested security signals. | |
| page[cursor] | No | A list of results using the cursor provided in the previous query. | |
| page[limit] | No | The maximum number of security signals in the response. | |
| sort | No | The sort parameters used for querying security signals. | |
Implementation Reference
- datadog_mcp/server.py:87-124 (registration): Registration of safe read-only endpoints as MCP tools via FastMCP OpenAPI integration. Includes '/api/v2/security_monitoring.*' which exposes the 'ListSecurityMonitoringSignals' tool from Datadog's OpenAPI spec.

```python
safe_endpoints = [
    # Metrics and time-series data
    r"^/api/v2/metrics.*",  # Query metrics data
    r"^/api/v2/query/.*",  # Time-series queries
    # Dashboards and visualizations
    r"^/api/v2/dashboards.*",  # Dashboard configurations
    r"^/api/v2/notebooks.*",  # Notebook data
    # Monitoring and alerts
    r"^/api/v2/monitors.*",  # Monitor configurations
    r"^/api/v2/downtime.*",  # Scheduled downtimes
    r"^/api/v2/synthetics.*",  # Synthetic tests
    # Logs and events
    r"^/api/v2/logs/events/search$",  # Search logs
    r"^/api/v2/logs/events$",  # List log events
    r"^/api/v2/logs/config.*",  # Log pipeline configs
    # APM and traces
    r"^/api/v2/apm/.*",  # APM data
    r"^/api/v2/traces/.*",  # Trace data
    r"^/api/v2/spans/.*",  # Span data
    # Infrastructure
    r"^/api/v2/hosts.*",  # Host information
    r"^/api/v2/tags.*",  # Tag management (read)
    r"^/api/v2/usage.*",  # Usage statistics
    # Service management
    r"^/api/v2/services.*",  # Service catalog
    r"^/api/v2/slos.*",  # Service level objectives
    r"^/api/v2/incidents.*",  # Incident management
    # Security and compliance
    r"^/api/v2/security_monitoring.*",  # Security signals
    r"^/api/v2/cloud_workload_security.*",  # CWS data
    # Teams and organization (read-only)
    r"^/api/v2/users.*",  # User information
    r"^/api/v2/roles.*",  # Role information
    r"^/api/v2/teams.*",  # Team structure
    # API metadata
    r"^/api/v2/api_keys$",  # List API keys (no create/delete)
    r"^/api/v2/application_keys$",  # List app keys (no create/delete)
]
```
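
A check one could run over an allowlist like the one above, as an added example (not code from the datadog_mcp project): it lists which operations a set of path patterns admits with and without an HTTP method filter. The operation rows are a constructed sample, and the helper names `admitted` and `non_read_admitted` are hypothetical; the excerpt does not show whether the server also filters by method.

```python
import re

# Three of the path patterns from the excerpt above.
SAFE_PATTERNS = [
    r"^/api/v2/security_monitoring.*",
    r"^/api/v2/api_keys$",
    r"^/api/v2/logs/events/search$",
]

# Constructed sample of (method, path, operationId) rows. In practice, load
# every operation from the OpenAPI spec the MCP server is generated from.
SAMPLE_OPERATIONS = [
    ("GET", "/api/v2/security_monitoring/signals", "ListSecurityMonitoringSignals"),
    ("POST", "/api/v2/security_monitoring/signals/search", "SearchSecurityMonitoringSignals"),
    ("POST", "/api/v2/security_monitoring/rules", "CreateSecurityMonitoringRule"),
    ("DELETE", "/api/v2/security_monitoring/rules/{rule_id}", "DeleteSecurityMonitoringRule"),
    ("GET", "/api/v2/api_keys", "ListAPIKeys"),
    ("POST", "/api/v2/api_keys", "CreateAPIKey"),
    ("DELETE", "/api/v2/api_keys/{api_key_id}", "DeleteAPIKey"),
    ("POST", "/api/v2/logs/events/search", "ListLogs"),
]


def admitted(operations, patterns, methods=None):
    """Operations whose path matches any pattern and, when `methods` is
    given, whose HTTP method is in that set."""
    compiled = [re.compile(p) for p in patterns]
    result = []
    for method, path, op_id in operations:
        if methods is not None and method.upper() not in methods:
            continue
        if any(rx.match(path) for rx in compiled):
            result.append((method, path, op_id))
    return result


def non_read_admitted(operations, patterns, read_methods=frozenset({"GET", "HEAD"})):
    """Admitted operations that a path-only allowlist lets through even
    though their method is not a read method; each one needs manual review."""
    return [op for op in admitted(operations, patterns) if op[0] not in read_methods]


if __name__ == "__main__":
    for op in non_read_admitted(SAMPLE_OPERATIONS, SAFE_PATTERNS):
        print("review:", *op)
    print("GET-only:", [o[2] for o in admitted(SAMPLE_OPERATIONS, SAFE_PATTERNS, {"GET"})])
```

A GET-only filter also drops the POST search operations, which are reads, so those are better allowlisted individually by method and exact path.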