87 changes: 87 additions & 0 deletions content/en/mcp_server/tools.md
@@ -1336,6 +1336,93 @@ Assigns or unassigns security findings to a user. Assignment cascades to any lin
- Unassign findings that are no longer relevant.
- Assign all findings from this rule to me.

### `get_datadog_security_passlist`
*Toolset: **security***\
*Permissions Required: `Application Security Management Protect Read`*\
Returns all WAF exclusion filter (passlist) entries for the organization to review existing suppressions.

- List all App & API Protection passlist entries.
- Show me active WAF exclusion filters.
- Check existing passlist suppressions before I add a new one.

### `upsert_datadog_security_passlist`
*Toolset: **security***\
*Permissions Required: `Application Security Management Protect Write`*\
Creates or updates a WAF exclusion filter (passlist) entry to suppress noisy rules on a specific service or endpoint.

- Add a WAF passlist entry for service "checkout-service" on endpoint "/api/pay" to ignore rule "sqli-detection".
- Update the exclusion filter to suppress rule "xss-rule" for service "auth-api".
- Create an AppSec passlist entry that matches rule ID "lfi-attack" on "/v1/users".

### `delete_datadog_security_passlist`
*Toolset: **security***\
*Permissions Required: `Application Security Management Protect Write`*\
Deletes an existing WAF exclusion filter (passlist) entry.

- Delete WAF exclusion filter "passlist-abc-123".
- Remove the passlist entry that matches rule "sqli-detection" on "/api/pay".

### `get_datadog_security_denylist`
*Toolset: **security***\
*Permissions Required: `Application Security Management Protect Read`*\
Lists blocked IPs, users, and user agents (denylist entries), with optional filtering.

- List all blocked entities on the AppSec denylist.
- Show me blocked IP addresses from yesterday.
- Check if IP "198.51.100.42" is on the security denylist.

### `upsert_datadog_security_denylist_entry`
*Toolset: **security***\
*Permissions Required: `Application Security Management Protect Write`*\
Adds or updates a denylist block for an IP, user, or user agent with an expiration.

- Block IP "198.51.100.42" on the denylist for 24 hours.
- Add user "attacker_user_99" to the blocked entities denylist.
- Create a denylist entry for user-agent "MaliciousScanner/1.0" with an expiration set to next week.

### `delete_datadog_security_denylist_entry`
*Toolset: **security***\
*Permissions Required: `Application Security Management Protect Write`*\
Unblocks a previously denylisted entity by setting its expiration in the past.

- Unblock IP "198.51.100.42" on the denylist.
- Remove user "attacker_user_99" from the blocked entities list.

### `get_datadog_security_aap_custom_rules`
*Toolset: **security***\
*Permissions Required: `Application Security Management Protect Read`*\
Reads App & API Protection (AAP) WAF custom rules, either retrieving a single rule by ID or enumerating all rules.

- List all custom WAF rules for my organization.
- Get the definition of AAP custom rule "rule-xyz-123".
- Show me custom security response rules.

### `upsert_datadog_security_aap_custom_rule`
*Toolset: **security***\
*Permissions Required: `Application Security Management Protect Write`*\
Creates or updates an AAP WAF custom rule across the attack attempt, business logic, or security response categories. This is a write operation that can block live traffic and requires explicit user approval.

- Create a custom WAF rule to block requests containing path "/admin" under the business logic category.
- Update AAP custom rule "rule-xyz-123" to monitor traffic instead of block.
- Upsert a custom rule for attack attempts matching pattern "union select" in the query string.

### `delete_datadog_security_aap_custom_rule`
*Toolset: **security***\
*Permissions Required: `Application Security Management Protect Write`*\
Deletes an AAP custom WAF rule.

- Delete custom WAF rule "rule-xyz-123".
- Remove the AAP custom rule that blocks "/admin" traffic.

### `get_datadog_security_aap_blocking_config`
*Toolset: **security***\
*Permissions Required: `Application Security Management Protect Read`*\
Retrieves the organization's App & API Protection (AAP) blocking status and default blocking behavior.

- Get the default WAF blocking behavior for our organization.
- Is AppSec blocking active in our environment?
- Show me the AAP blocking configuration.

## Software Delivery

Tools for interacting with Software Delivery ([CI Visibility][48], [Test Optimization][24], [Code Coverage][65], and [DORA metrics][66]).
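Review bot: the approval caveat is applied inconsistently across the write tools in this hunk. `upsert_datadog_security_aap_custom_rule` states "This is a write operation that can block live traffic and requires explicit user approval", but `upsert_datadog_security_denylist_entry` (which blocks an IP, user, or user agent outright) and `delete_datadog_security_passlist` (removing an exclusion filter puts the suppressed rule back into effect) carry no such sentence; either add the same note to every tool that changes live blocking behaviour or state the approval policy once for the toolset. Two smaller documentation gaps: `upsert_datadog_security_denylist_entry` says a block is added "with an expiration", yet the example prompt "Add user "attacker_user_99" to the blocked entities denylist." gives none, so document whether the expiration is required or what default applies when omitted; and `delete_datadog_security_denylist_entry` says it unblocks "by setting its expiration in the past" while its example reads "Remove user "attacker_user_99" from the blocked entities list.", so say whether an expired entry still appears in `get_datadog_security_denylist` output.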
43 changes: 43 additions & 0 deletions content/en/security/mcp_server.md
@@ -42,6 +42,7 @@ You can use the `security` toolset to:
- **Correlate signals and findings**: Cross-reference active security signals with open findings to determine whether an alert is tied to a known posture issue.
- **Inspect and manage detection rules**: List, retrieve, create, update, and delete detection rules to understand and manage the logic generating signals.
- **Manage suppressions**: Create, update, and delete suppressions to silence noisy rules for specific conditions without disabling them entirely.
- **Respond to attacks with App & API Protection**: Block or unblock IPs, users, and user agents on the denylist; suppress false positives with passlist exclusion filters; and create, update, or delete custom WAF rules to protect a specific service or endpoint.
- **Remediate vulnerabilities with an AI agent**: Pull library vulnerability findings, including code location and remediation guidance, and pass them to your AI agent to apply patches directly in your codebase.

## Quickstart
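Review bot: in the new bullet, the closing clause "to protect a specific service or endpoint" reads as if it qualifies only custom WAF rules, whereas in the tool reference it is the passlist entry that is scoped to a service or endpoint; consider "suppress false positives with passlist exclusion filters scoped to a service or endpoint; and create, update, or delete custom WAF rules." It would also help to carry over the caveat from the tool descriptions that denylist and custom-rule writes affect live traffic and require explicit approval, since this overview is where a reader decides whether to enable the toolset.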
@@ -156,6 +157,48 @@ The `security` toolset exposes the following tools to your AI client. Each tool
: Deletes a suppression rule.
: *Permissions required: `Security Monitoring Suppressions Write`*

### App & API Protection

`get_datadog_security_passlist`
: Returns all WAF exclusion filter (passlist) entries for the organization to review existing suppressions.
: *Permissions required: `Application Security Management Protect Read`*

`upsert_datadog_security_passlist`
: Creates or updates a WAF exclusion filter (passlist) entry to suppress noisy rules on a specific service or endpoint.
: *Permissions required: `Application Security Management Protect Write`*

`delete_datadog_security_passlist`
: Deletes an existing WAF exclusion filter (passlist) entry.
: *Permissions required: `Application Security Management Protect Write`*

`get_datadog_security_denylist`
: Lists blocked IPs, users, and user agents (denylist entries), with optional filtering.
: *Permissions required: `Application Security Management Protect Read`*

`upsert_datadog_security_denylist_entry`
: Adds or updates a denylist block for an IP, user, or user agent with an expiration.
: *Permissions required: `Application Security Management Protect Write`*

`delete_datadog_security_denylist_entry`
: Unblocks a previously denylisted entity by setting its expiration in the past.
: *Permissions required: `Application Security Management Protect Write`*

`get_datadog_security_aap_custom_rules`
: Reads App & API Protection (AAP) WAF custom rules, either retrieving a single rule by ID or enumerating all rules.
: *Permissions required: `Application Security Management Protect Read`*

`upsert_datadog_security_aap_custom_rule`
: Creates or updates an AAP WAF custom rule across the attack attempt, business logic, or security response categories. This is a write operation that can block live traffic and requires explicit user approval.
: *Permissions required: `Application Security Management Protect Write`*

`delete_datadog_security_aap_custom_rule`
: Deletes an AAP custom WAF rule.
: *Permissions required: `Application Security Management Protect Write`*

`get_datadog_security_aap_blocking_config`
: Retrieves the organization's App & API Protection (AAP) blocking status and default blocking behavior.
: *Permissions required: `Application Security Management Protect Read`*

## Further reading

{{< partial name="whats-next/whats-next.html" >}}
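Review bot: `delete_datadog_security_denylist_entry` is documented as unblocking "by setting its expiration in the past" rather than deleting, so its name, alongside `delete_datadog_security_passlist` ("Deletes an existing WAF exclusion filter (passlist) entry."), suggests a destructive operation it does not perform; spell out that the entry is expired rather than removed and whether `get_datadog_security_denylist` still lists it. The "requires explicit user approval" sentence also appears only on `upsert_datadog_security_aap_custom_rule`; `upsert_datadog_security_denylist_entry` blocks live traffic as well and should carry the same statement, or the approval rule should be stated once at the top of the App & API Protection subsection.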