Notifications help you keep your team informed when a finding or security signal is detected. Findings and security signals are generated when at least one case defined in a detection rule is matched over a given period of time. By promptly alerting your team, notifications ensure that immediate action can be taken to address any potential security issues, enhancing your organization’s overall security posture.
Notifications can be set up for individual detection rules and also more broadly with notification rules.
When you create or modify a detection rule, you can define the notifications that are sent. For example, you can add rule cases to determine when a detection rule triggers a security signal.
You can also customize the notification message using Markdown and notification variables. This allows you to provide additional details about the signal by referencing its tags and event attributes. You can also add tags to the generated signal, for example, attack:sql-injection-attempt.
Notification rules allow you to set general alerting preferences that span across multiple detection rules, findings, and signals instead of having to set up notification preferences for individual detection rules. For example, you can set up a notification rule to send a notification if any CRITICAL or HIGH severity signal is triggered. See Notification Rules for more information on setup and configuration.
Notifications can be sent to individuals and teams through Slack, Jira, PagerDuty, webhooks, cases, email, and more. You can also use dynamic routing to automatically deliver finding notifications to the responsible team based on the team tag attached to the finding.
Notify your team through connected integrations by using the format @<INTEGRATION_NAME>-<VALUES>.
This table lists the handle prefix for each integration:
| Integration | Prefix |
|---|---|
| Jira | @jira |
| PagerDuty | @pagerduty |
| Slack | @slack |
| Webhooks | @webhook |
| Microsoft Teams | @teams |
| ServiceNow | @servicenow |
Handles that include parentheses () are not supported. When a handle with parentheses is used, the handle is not parsed and no alert is created.
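The following linter is an added example and is not part of the Datadog documentation or product. It checks the @-handles in a rule's notification text against the rules stated on this page: integration handles follow @<INTEGRATION_NAME>-<VALUES> with one of the prefixes from the table above (plus the @team- form mentioned below), email handles follow @<EMAIL>, and any handle containing parentheses is rejected because it would not be parsed and no alert would be created. The regular expressions, the `Handle` class and the sample message are constructed for this illustration; run it before saving a rule so a mistyped recipient does not silently drop a CRITICAL signal.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Prefixes taken from the integrations table on this page, plus "team"
# from the @team-handle routing described in the Teams section.
KNOWN_PREFIXES = {"jira", "pagerduty", "slack", "webhook",
                  "teams", "servicenow", "team"}

# Constructed patterns (assumption, not Datadog's own parser):
# an email handle is @<EMAIL>; an integration handle is
# @<INTEGRATION_NAME>-<VALUES>.
EMAIL_HANDLE = re.compile(r"^@([^@\s]+@[^@\s]+\.[^@\s]+)$")
INTEGRATION_HANDLE = re.compile(r"^@([a-z]+)-(.+)$")


@dataclass
class Handle:
    raw: str
    kind: str                 # "integration", "email" or "invalid"
    target: str               # prefix for integrations, address for email
    reason: Optional[str] = None


def parse_handle(token: str) -> Handle:
    """Classify one @-token the way the page says it will be treated."""
    # Parentheses are not supported: the handle is not parsed at all.
    if "(" in token or ")" in token:
        return Handle(token, "invalid", "",
                      "parentheses are not supported; no alert would be created")
    m = EMAIL_HANDLE.match(token)
    if m:
        return Handle(token, "email", m.group(1))
    m = INTEGRATION_HANDLE.match(token)
    if m:
        prefix = m.group(1)
        if prefix not in KNOWN_PREFIXES:
            return Handle(token, "invalid", prefix,
                          f"unknown integration prefix @{prefix}")
        return Handle(token, "integration", prefix)
    return Handle(token, "invalid", "",
                  "does not match @<INTEGRATION_NAME>-<VALUES> or @<EMAIL>")


def lint_notification(message: str) -> List[Handle]:
    """Extract every @-token from a notification message and classify it.

    Trailing sentence punctuation is stripped so that a handle at the end
    of a sentence is still recognised.
    """
    tokens = re.findall(r"@\S+", message)
    return [parse_handle(t.rstrip(".,;:")) for t in tokens]


def invalid_handles(message: str) -> List[Handle]:
    """Return only the recipients that would receive nothing."""
    return [h for h in lint_notification(message) if h.kind == "invalid"]


if __name__ == "__main__":
    # Constructed sample notification text; the Slack channel, PagerDuty
    # service and mailbox are made up for the example.
    SAMPLE = ("SQL injection attempt detected. Escalate to @slack-security-oncall "
              "and @pagerduty-soc(primary), cc @DevOpS/West@example.com.")
    for h in lint_notification(SAMPLE):
        print(f"{h.raw:35} {h.kind:12} {h.target:25} {h.reason or ''}")
```

Running the script flags the PagerDuty handle: its parenthesised suffix means the page's parser would ignore it, so only the Slack channel and the mailbox would actually be notified.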
You can use webhooks to send alerts to other platforms, such as SOAR. To set up a webhook:
To use the webhook, add @webhook-<WEBHOOK_NAME> to the rule’s notification section.
If a notification channel is set, you can route notifications to a specific Team. Monitor alerts targeting @team-handle are redirected to the selected communication channel. For more information on setting a notification channel to your Team, see the Teams documentation.
Automatically create a case for new security signals that meet your criteria. By default, the Cases section lists all projects that have project handles. You can click View All, then click + to add a handle to an existing project and enable automatic case creation directly from the recipient list, or go into your project settings to manage your project handles.
Notify an active Datadog user by email with @<DD_USER_EMAIL_ADDRESS>.
Notify any non-Datadog user by email with @<EMAIL>.
/, for example, @DevOpS/West@example.com.