How to Use the Datadog Cloud SIEM MCP in Claude
Manage Datadog alerts without leaving the Claude Desktop app. Triage signals, check rules, and hunt threats right from your chat.
Works with every AI agent you already use
…and any MCP-compatible client
Connect Datadog Cloud SIEM MCP to Claude Desktop
Create your Vinkius account to connect Datadog Cloud SIEM to Claude Desktop and route execution through our secure gateway. The platform manages server hosting, runtime updates, and security layers. Configuration requires no manual server provisioning.
Triage security signals from chat
Your agent can now triage Datadog signals for you. Just tell it to archive a false positive or reopen a closed alert, and it will use `triage_signal` to update the signal's status in Datadog, providing the required reason. This isn't just a status change. It's a direct command to your SIEM. You can move alerts from 'open' to 'archived' with reasons like 'false_positive' or 'testing_or_maintenance', all without opening the Datadog UI. It's the fastest way to clear your alert queue.
Audit and create detection rules
Check your security posture on the fly. Ask Claude to fetch a specific rule's logic using `get_detection_rule`. You'll get the exact queries, severity, and notification hooks, so you can see what's covered. If you spot a gap, you don't have to switch contexts. Describe the new rule you need — the message, the Lucene query, the severity — and your agent will use `create_detection_rule` to build and activate it instantly. This is how you close security holes in minutes.
Run threat hunts with your Claude Desktop agent
Start a threat hunt from your chat prompt. Use `search_raw_logs` to pull VPC Flow Logs or application stack traces related to a potential breach. Your agent can scan the last 15 minutes of logs for specific IPs or error messages. Once you find a lead, dig deeper. The `get_raw_log_context` tool grabs the 100 messages surrounding a suspicious log entry, giving you the full picture. This MCP server turns Claude into a real security investigation tool.
Set up Datadog Cloud SIEM MCP in Claude Web or Desktop
1. Open Claude Settings
   Go to claude.ai, click your profile icon, then navigate to Customize → Connectors.
2. Add Custom Connector
   Click the "+" button and select Add custom connector. Paste your Vinkius endpoint URL:
   https://edge.vinkius.com/[YOUR_TOKEN_HERE]/mcp
   Replace [YOUR_TOKEN_HERE] with your token from cloud.vinkius.com. For OAuth-protected servers, expand Advanced settings to add credentials.
3. Start a conversation
   Open a new chat. The Datadog Cloud SIEM MCP tools are available immediately — no restart needed.
Endpoint URL
https://edge.vinkius.com/[YOUR_TOKEN_HERE]/mcp
No configuration file needed — paste the URL directly in the Claude web interface.
Available on Free (1 connector), Pro, Max, Team, and Enterprise plans.
Why Choose Vinkius
Vinkius connects your tools to AI with real-time monitoring and automatic cost savings — all from one dashboard.
Real-time monitoring
Live visibility into every interaction
Connect your favorite tools to your AI and see exactly what's happening — every request, every response, in real time.
Built-in savings
60% lower AI costs
Vinkius compresses data between your apps and your AI automatically. Lower bills every month — no configuration required.
Single dashboard
One place for every integration
Every tool your AI connects to, managed from a single screen. One account, complete control.
Use it with your favorite AI tools
Connect this server to Cursor, Claude, VS Code, and more.
Start using the Datadog Cloud SIEM MCP today
We host it, we monitor it, we maintain it. You just paste one token.