How to Use the Datadog Cloud SIEM MCP in Cursor

Q: How can Cursor's agent help me investigate an alert from Datadog Cloud SIEM?

Tell the agent to search for the signal ID with searchsignals. Then, ask it to searchrawlogs for any associated IPs or user IDs. It will pull the relevant data directly into your editor for analysis.

Inject live Datadog SIEM data directly into your code. Let Cursor's agent write scripts using real security signals and detection rules.

See Vinkius in Action

Works with every AI agent you already use

…and any MCP-compatible client

MCP Servers - Free for Subscribers

Connect Datadog Cloud SIEM MCP to Cursor

Create your Vinkius account to connect Datadog Cloud SIEM to Cursor and route execution through our secure gateway. The platform manages server hosting, runtime updates, and security layers. Configuration requires no manual server provisioning.

GDPR Free for Subscribers

Setup Datadog Cloud SIEM with Cursor

Ask AI about this MCP

ChatGPT

Claude

Perplexity

Generate scripts that use live Datadog data

Stop writing boilerplate to hit the Datadog API. Tell your agent to get a list of active rules with `list_detection_rules`, then have it generate a Python script to iterate through them and call `get_detection_rule` for each one to audit their queries. This is about building real tools, not just viewing data. Your agent can write cleanup scripts that use `delete_detection_rule` or reporting scripts that pull data from `search_signals`. The code it generates works with live data from the start.

Prototype detection rules inside your editor

Draft new detection rules right in your code. Work out the perfect Lucene query for a new threat, then tell the Cursor agent to wrap it. It will use `create_detection_rule` to generate the correct API call and build the rule in Datadog. This turns your editor into a security rule IDE. You can version your queries in Git, test them with the agent, and deploy them without ever leaving Cursor. It's a proper 'security as code' workflow.

Use real alert data in your code, not mocks

When you're building a tool to parse alerts, you need real alert payloads. Ask your agent to find a critical alert with `search_signals`. It will inject the real JSON response directly into your editor. No more guessing at data structures or using stale mock data. You get the exact fields and formats from a live Datadog signal. This MCP server lets you build and test against production-like data instantly.

Setup guide

Set up Datadog Cloud SIEM MCP in Cursor

Prerequisites

Cursor installed (macOS, Windows, or Linux)
Active Vinkius subscription with a valid endpoint token

1

Open MCP Settings

Go to Cursor Settings → MCP or open the Command Palette (Cmd+Shift+P / Ctrl+Shift+P) and search for "MCP: Add Server".
2

Add the Datadog Cloud SIEM MCP

Cursor will create or open .cursor/mcp.json in your project root. Paste the JSON snippet on the right. Replace [YOUR_TOKEN_HERE] with your endpoint token from cloud.vinkius.com.
3

Enable Agent mode

Open Composer (Cmd+I / Ctrl+I) and switch to Agent mode using the dropdown at the top. MCP tools are only available in Agent mode.
4

Verify the connection

Ask Cursor something like "List my recent Datadog Cloud SIEM transactions." If the MCP tools are loaded correctly, Cursor will call the Datadog Cloud SIEM tools automatically. You can also check Settings → MCP for a green status indicator.

.cursor/mcp.json

{
  "mcpServers": {
    "datadog-cloud-siem-mcp": {
      "url": "https://edge.vinkius.com/[YOUR_TOKEN_HERE]/mcp"
    }
  }
}

Get your connection token →

Independent Platform Disclaimer: Vinkius is an independent platform and is not affiliated with, endorsed by, sponsored by, verified by, or otherwise authorized by Datadog Security. All third-party trademarks, logos, and brand names are the property of their respective owners. Their use on this website is strictly for informational purposes to identify service compatibility and interoperability.

Why Choose Vinkius

Vinkius connects your tools to AI with real-time monitoring and automatic cost savings — all from one dashboard.

Connect Datadog Cloud SIEM now

Real-time monitoring

Live

visibility into every interaction

Connect your favorite tools to your AI and see exactly what's happening — every request, every response, in real time.

Built-in savings

60%

lower AI costs

Vinkius compresses data between your apps and your AI automatically. Lower bills every month — no configuration required.

Single dashboard

One

place for every integration

Every tool your AI connects to, managed from a single screen. One account, complete control.

Common questions about Datadog Cloud SIEM MCP in Cursor

Tell the agent to search for the signal ID with `search_signals`. Then, ask it to `search_raw_logs` for any associated IPs or user IDs. It will pull the relevant data directly into your editor for analysis.

Absolutely. After investigating a signal, instruct your agent to "Archive this signal as a false positive." It will call the `triage_signal` tool with the correct parameters to update its status in Datadog.

Just ask it: "List the security filters in Datadog." The agent will run `list_security_filters` and show you the configurations that block high-volume, low-value logs from your SIEM.

It's a simple health check. The agent can use it to confirm that its API credentials for the Datadog Security Module are valid. It's a quick way to debug connection issues.

The server processes your Datadog SIEM data: signal and rule JSON, and raw log text. Because Cursor's agent executes the tools, this data flows through your local editor environment. Your project's `.cursor/mcp.json` configuration ensures the connection is scoped and secure.

Use it with your favorite AI tools

Connect this server to Cursor, Claude, VS Code, and more.

OpenAI Agents SDK sdk-python

Google ADK sdk-python

Pydantic AI sdk-python

Vercel AI SDK sdk-typescript