CSM Threats

Cloud Security Management Threats (CSM Threats) monitors file, network, and process activity across your environment to detect real-time threats to your infrastructure. See Cloud Security Management Threats for more information on setting up CSM Threats.

GET https://api.ap1.datadoghq.com/api/v2/security/cloud_workload/policy/downloadhttps://api.datadoghq.eu/api/v2/security/cloud_workload/policy/downloadhttps://api.ddog-gov.com/api/v2/security/cloud_workload/policy/downloadhttps://api.datadoghq.com/api/v2/security/cloud_workload/policy/downloadhttps://api.us3.datadoghq.com/api/v2/security/cloud_workload/policy/downloadhttps://api.us5.datadoghq.com/api/v2/security/cloud_workload/policy/download

Overview

The download endpoint generates a Cloud Workload Security policy file from your currently active Cloud Workload Security rules, and downloads them as a .policy file. This file can then be deployed to your Agents to update the policy running in your environment. This endpoint requires the security_monitoring_cws_agent_rules_read permission.

Response

OK

Expand All

Field

Type

Description

No response body

{}

Not Authorized

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Too many requests

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Code Example

                  # Curl command
curl -X GET "https://api.ap1.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security/cloud_workload/policy/download" \ -H "Accept: application/json" \ -H "DD-API-KEY: ${DD_API_KEY}" \ -H "DD-APPLICATION-KEY: ${DD_APP_KEY}"
"""
Get the latest Cloud Workload Security policy returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.csm_threats_api import CSMThreatsApi

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = CSMThreatsApi(api_client)
    response = api_instance.download_cloud_workload_policy_file()

    print(response.read())

Instructions

First install the library and its dependencies and then save the example to example.py and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" python3 "example.py"
# Get the latest Cloud Workload Security policy returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::CSMThreatsAPI.new
p api_instance.download_cloud_workload_policy_file()

Instructions

First install the library and its dependencies and then save the example to example.rb and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" rb "example.rb"
// Get the latest Cloud Workload Security policy returns "OK" response

package main

import (
	"context"
	"fmt"
	"io/ioutil"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewCSMThreatsApi(apiClient)
	resp, r, err := api.DownloadCloudWorkloadPolicyFile(ctx)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `CSMThreatsApi.DownloadCloudWorkloadPolicyFile`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := ioutil.ReadAll(resp)
	fmt.Fprintf(os.Stdout, "Response from `CSMThreatsApi.DownloadCloudWorkloadPolicyFile`:\n%s\n", responseContent)
}

Instructions

First install the library and its dependencies and then save the example to main.go and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" go run "main.go"
// Get the latest Cloud Workload Security policy returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.CsmThreatsApi;
import java.io.File;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    CsmThreatsApi apiInstance = new CsmThreatsApi(defaultClient);

    try {
      File result = apiInstance.downloadCloudWorkloadPolicyFile();
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println("Exception when calling CsmThreatsApi#downloadCloudWorkloadPolicyFile");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

Instructions

First install the library and its dependencies and then save the example to Example.java and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" java "Example.java"
// Get the latest Cloud Workload Security policy returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_csm_threats::CSMThreatsAPI;

#[tokio::main]
async fn main() {
    let configuration = datadog::Configuration::new();
    let api = CSMThreatsAPI::with_config(configuration);
    let resp = api.download_cloud_workload_policy_file().await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}

Instructions

First install the library and its dependencies and then save the example to src/main.rs and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" cargo run
/**
 * Get the latest Cloud Workload Security policy returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.CSMThreatsApi(configuration);

apiInstance
  .downloadCloudWorkloadPolicyFile()
  .then((data: client.HttpFile) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

Instructions

First install the library and its dependencies and then save the example to example.ts and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" tsc "example.ts"

GET https://api.ap1.datadoghq.com/api/v2/remote_config/products/cws/policy/downloadhttps://api.datadoghq.eu/api/v2/remote_config/products/cws/policy/downloadhttps://api.ddog-gov.com/api/v2/remote_config/products/cws/policy/downloadhttps://api.datadoghq.com/api/v2/remote_config/products/cws/policy/downloadhttps://api.us3.datadoghq.com/api/v2/remote_config/products/cws/policy/downloadhttps://api.us5.datadoghq.com/api/v2/remote_config/products/cws/policy/download

Overview

The download endpoint generates a CSM Threats policy file from your currently active CSM Threats rules, and downloads them as a .policy file. This file can then be deployed to your Agents to update the policy running in your environment.

Response

OK

Expand All

Field

Type

Description

No response body

{}

Not Authorized

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Too many requests

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Code Example

                  # Curl command
curl -X GET "https://api.ap1.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/remote_config/products/cws/policy/download" \ -H "Accept: application/json" \ -H "DD-API-KEY: ${DD_API_KEY}" \ -H "DD-APPLICATION-KEY: ${DD_APP_KEY}"
"""
Get the latest CSM Threats policy returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.csm_threats_api import CSMThreatsApi

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = CSMThreatsApi(api_client)
    response = api_instance.download_csm_threats_policy()

    print(response.read())

Instructions

First install the library and its dependencies and then save the example to example.py and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" python3 "example.py"
# Get the latest CSM Threats policy returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::CSMThreatsAPI.new
p api_instance.download_csm_threats_policy()

Instructions

First install the library and its dependencies and then save the example to example.rb and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" rb "example.rb"
// Get the latest CSM Threats policy returns "OK" response

package main

import (
	"context"
	"fmt"
	"io/ioutil"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewCSMThreatsApi(apiClient)
	resp, r, err := api.DownloadCSMThreatsPolicy(ctx)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `CSMThreatsApi.DownloadCSMThreatsPolicy`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := ioutil.ReadAll(resp)
	fmt.Fprintf(os.Stdout, "Response from `CSMThreatsApi.DownloadCSMThreatsPolicy`:\n%s\n", responseContent)
}

Instructions

First install the library and its dependencies and then save the example to main.go and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" go run "main.go"
// Get the latest CSM Threats policy returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.CsmThreatsApi;
import java.io.File;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    CsmThreatsApi apiInstance = new CsmThreatsApi(defaultClient);

    try {
      File result = apiInstance.downloadCSMThreatsPolicy();
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println("Exception when calling CsmThreatsApi#downloadCSMThreatsPolicy");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

Instructions

First install the library and its dependencies and then save the example to Example.java and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" java "Example.java"
// Get the latest CSM Threats policy returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_csm_threats::CSMThreatsAPI;

#[tokio::main]
async fn main() {
    let configuration = datadog::Configuration::new();
    let api = CSMThreatsAPI::with_config(configuration);
    let resp = api.download_csm_threats_policy().await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}

Instructions

First install the library and its dependencies and then save the example to src/main.rs and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" cargo run
/**
 * Get the latest CSM Threats policy returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.CSMThreatsApi(configuration);

apiInstance
  .downloadCSMThreatsPolicy()
  .then((data: client.HttpFile) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

Instructions

First install the library and its dependencies and then save the example to example.ts and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" tsc "example.ts"

GET https://api.ap1.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/{agent_rule_id}https://api.datadoghq.eu/api/v2/security_monitoring/cloud_workload_security/agent_rules/{agent_rule_id}https://api.ddog-gov.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/{agent_rule_id}https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/{agent_rule_id}https://api.us3.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/{agent_rule_id}https://api.us5.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/{agent_rule_id}

Overview

Get the details of a specific Agent rule. This endpoint requires the security_monitoring_cws_agent_rules_read permission.

Arguments

Path Parameters

Name

Type

Description

agent_rule_id [required]

string

The ID of the Agent rule.

Response

OK

Response object that includes an Agent rule.

Expand All

Field

Type

Description

data

object

Object for a single Agent rule.

attributes

object

A Cloud Workload Security Agent rule returned by the API.

actions

[object]

The array of actions the rule can perform if triggered.

filter

string

SECL expression used to target the container to apply the action on

kill

object

Kill system call applied on the container matching the rule

signal

string

Supported signals for the kill system call.

agentConstraint

string

The version of the agent.

category

string

The category of the Agent rule.

creationAuthorUuId

string

The ID of the user who created the rule.

creationDate

int64

When the Agent rule was created, timestamp in milliseconds.

creator

object

The attributes of the user who created the Agent rule.

handle

string

The handle of the user.

name

string

The name of the user.

defaultRule

boolean

Whether the rule is included by default.

description

string

The description of the Agent rule.

enabled

boolean

Whether the Agent rule is enabled.

expression

string

The SECL expression of the Agent rule.

filters

[string]

The platforms the Agent rule is supported on.

name

string

The name of the Agent rule.

updateAuthorUuId

string

The ID of the user who updated the rule.

updateDate

int64

Timestamp in milliseconds when the Agent rule was last updated.

updatedAt

int64

When the Agent rule was last updated, timestamp in milliseconds.

updater

object

The attributes of the user who last updated the Agent rule.

handle

string

The handle of the user.

name

string

The name of the user.

version

int64

The version of the Agent rule.

id

string

The ID of the Agent rule.

type

enum

The type of the resource. The value should always be agent_rule. Allowed enum values: agent_rule

default: agent_rule

{
  "data": {
    "attributes": {
      "actions": [
        {
          "filter": "string",
          "kill": {
            "signal": "string"
          }
        }
      ],
      "agentConstraint": "string",
      "category": "Process Activity",
      "creationAuthorUuId": "e51c9744-d158-11ec-ad23-da7ad0900002",
      "creationDate": 1624366480320,
      "creator": {
        "handle": "datadog.user@example.com",
        "name": "Datadog User"
      },
      "defaultRule": false,
      "description": "My Agent rule",
      "enabled": true,
      "expression": "exec.file.name == \\\"sh\\\"",
      "filters": [],
      "name": "my_agent_rule",
      "updateAuthorUuId": "e51c9744-d158-11ec-ad23-da7ad0900002",
      "updateDate": 1624366480320,
      "updatedAt": 1624366480320,
      "updater": {
        "handle": "datadog.user@example.com",
        "name": "Datadog User"
      },
      "version": 23
    },
    "id": "3dd-0uc-h1s",
    "type": "agent_rule"
  }
}

Not Authorized

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Not Found

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Too many requests

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Code Example

                  # Path parameters
export agent_rule_id="3b5-v82-ns6"
# Curl command
curl -X GET "https://api.ap1.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/${agent_rule_id}" \ -H "Accept: application/json" \ -H "DD-API-KEY: ${DD_API_KEY}" \ -H "DD-APPLICATION-KEY: ${DD_APP_KEY}"
"""
Get a Cloud Workload Security Agent rule returns "OK" response
"""

from os import environ
from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.csm_threats_api import CSMThreatsApi

# there is a valid "agent_rule" in the system
AGENT_RULE_DATA_ID = environ["AGENT_RULE_DATA_ID"]

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = CSMThreatsApi(api_client)
    response = api_instance.get_cloud_workload_security_agent_rule(
        agent_rule_id=AGENT_RULE_DATA_ID,
    )

    print(response)

Instructions

First install the library and its dependencies and then save the example to example.py and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" python3 "example.py"
# Get a Cloud Workload Security Agent rule returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::CSMThreatsAPI.new

# there is a valid "agent_rule" in the system
AGENT_RULE_DATA_ID = ENV["AGENT_RULE_DATA_ID"]
p api_instance.get_cloud_workload_security_agent_rule(AGENT_RULE_DATA_ID)

Instructions

First install the library and its dependencies and then save the example to example.rb and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" rb "example.rb"
// Get a Cloud Workload Security Agent rule returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_csm_threats::CSMThreatsAPI;

#[tokio::main]
async fn main() {
    // there is a valid "agent_rule" in the system
    let agent_rule_data_id = std::env::var("AGENT_RULE_DATA_ID").unwrap();
    let configuration = datadog::Configuration::new();
    let api = CSMThreatsAPI::with_config(configuration);
    let resp = api
        .get_cloud_workload_security_agent_rule(agent_rule_data_id.clone())
        .await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}

Instructions

First install the library and its dependencies and then save the example to src/main.rs and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" cargo run
// Get a Cloud Workload Security Agent rule returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	// there is a valid "agent_rule" in the system
	AgentRuleDataID := os.Getenv("AGENT_RULE_DATA_ID")

	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewCSMThreatsApi(apiClient)
	resp, r, err := api.GetCloudWorkloadSecurityAgentRule(ctx, AgentRuleDataID)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `CSMThreatsApi.GetCloudWorkloadSecurityAgentRule`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `CSMThreatsApi.GetCloudWorkloadSecurityAgentRule`:\n%s\n", responseContent)
}

Instructions

First install the library and its dependencies and then save the example to main.go and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" go run "main.go"
// Get a Cloud Workload Security Agent rule returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.CsmThreatsApi;
import com.datadog.api.client.v2.model.CloudWorkloadSecurityAgentRuleResponse;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    CsmThreatsApi apiInstance = new CsmThreatsApi(defaultClient);

    // there is a valid "agent_rule" in the system
    String AGENT_RULE_DATA_ID = System.getenv("AGENT_RULE_DATA_ID");

    try {
      CloudWorkloadSecurityAgentRuleResponse result =
          apiInstance.getCloudWorkloadSecurityAgentRule(AGENT_RULE_DATA_ID);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println("Exception when calling CsmThreatsApi#getCloudWorkloadSecurityAgentRule");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

Instructions

First install the library and its dependencies and then save the example to Example.java and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" java "Example.java"
/**
 * Get a Cloud Workload Security Agent rule returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.CSMThreatsApi(configuration);

// there is a valid "agent_rule" in the system
const AGENT_RULE_DATA_ID = process.env.AGENT_RULE_DATA_ID as string;

const params: v2.CSMThreatsApiGetCloudWorkloadSecurityAgentRuleRequest = {
  agentRuleId: AGENT_RULE_DATA_ID,
};

apiInstance
  .getCloudWorkloadSecurityAgentRule(params)
  .then((data: v2.CloudWorkloadSecurityAgentRuleResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

Instructions

First install the library and its dependencies and then save the example to example.ts and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" tsc "example.ts"

GET https://api.ap1.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/{agent_rule_id}https://api.datadoghq.eu/api/v2/remote_config/products/cws/agent_rules/{agent_rule_id}https://api.ddog-gov.com/api/v2/remote_config/products/cws/agent_rules/{agent_rule_id}https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/{agent_rule_id}https://api.us3.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/{agent_rule_id}https://api.us5.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/{agent_rule_id}

Overview

Get the details of a specific Cloud Security Management Threats Agent rule.

Arguments

Path Parameters

Name

Type

Description

agent_rule_id [required]

string

The ID of the Agent rule.

Response

OK

Response object that includes an Agent rule.

Expand All

Field

Type

Description

data

object

Object for a single Agent rule.

attributes

object

A Cloud Workload Security Agent rule returned by the API.

actions

[object]

The array of actions the rule can perform if triggered.

filter

string

SECL expression used to target the container to apply the action on

kill

object

Kill system call applied on the container matching the rule

signal

string

Supported signals for the kill system call.

agentConstraint

string

The version of the agent.

category

string

The category of the Agent rule.

creationAuthorUuId

string

The ID of the user who created the rule.

creationDate

int64

When the Agent rule was created, timestamp in milliseconds.

creator

object

The attributes of the user who created the Agent rule.

handle

string

The handle of the user.

name

string

The name of the user.

defaultRule

boolean

Whether the rule is included by default.

description

string

The description of the Agent rule.

enabled

boolean

Whether the Agent rule is enabled.

expression

string

The SECL expression of the Agent rule.

filters

[string]

The platforms the Agent rule is supported on.

name

string

The name of the Agent rule.

updateAuthorUuId

string

The ID of the user who updated the rule.

updateDate

int64

Timestamp in milliseconds when the Agent rule was last updated.

updatedAt

int64

When the Agent rule was last updated, timestamp in milliseconds.

updater

object

The attributes of the user who last updated the Agent rule.

handle

string

The handle of the user.

name

string

The name of the user.

version

int64

The version of the Agent rule.

id

string

The ID of the Agent rule.

type

enum

The type of the resource. The value should always be agent_rule. Allowed enum values: agent_rule

default: agent_rule

{
  "data": {
    "attributes": {
      "actions": [
        {
          "filter": "string",
          "kill": {
            "signal": "string"
          }
        }
      ],
      "agentConstraint": "string",
      "category": "Process Activity",
      "creationAuthorUuId": "e51c9744-d158-11ec-ad23-da7ad0900002",
      "creationDate": 1624366480320,
      "creator": {
        "handle": "datadog.user@example.com",
        "name": "Datadog User"
      },
      "defaultRule": false,
      "description": "My Agent rule",
      "enabled": true,
      "expression": "exec.file.name == \\\"sh\\\"",
      "filters": [],
      "name": "my_agent_rule",
      "updateAuthorUuId": "e51c9744-d158-11ec-ad23-da7ad0900002",
      "updateDate": 1624366480320,
      "updatedAt": 1624366480320,
      "updater": {
        "handle": "datadog.user@example.com",
        "name": "Datadog User"
      },
      "version": 23
    },
    "id": "3dd-0uc-h1s",
    "type": "agent_rule"
  }
}

Not Authorized

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Not Found

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Too many requests

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Code Example

                  # Path parameters
export agent_rule_id="3b5-v82-ns6"
# Curl command
curl -X GET "https://api.ap1.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/${agent_rule_id}" \ -H "Accept: application/json" \ -H "DD-API-KEY: ${DD_API_KEY}" \ -H "DD-APPLICATION-KEY: ${DD_APP_KEY}"
"""
Get a CSM Threats Agent rule returns "OK" response
"""

from os import environ
from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.csm_threats_api import CSMThreatsApi

# there is a valid "agent_rule_rc" in the system
AGENT_RULE_DATA_ID = environ["AGENT_RULE_DATA_ID"]

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = CSMThreatsApi(api_client)
    response = api_instance.get_csm_threats_agent_rule(
        agent_rule_id=AGENT_RULE_DATA_ID,
    )

    print(response)

Instructions

First install the library and its dependencies and then save the example to example.py and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" python3 "example.py"
# Get a CSM Threats Agent rule returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::CSMThreatsAPI.new

# there is a valid "agent_rule_rc" in the system
AGENT_RULE_DATA_ID = ENV["AGENT_RULE_DATA_ID"]
p api_instance.get_csm_threats_agent_rule(AGENT_RULE_DATA_ID)

Instructions

First install the library and its dependencies and then save the example to example.rb and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" rb "example.rb"
// Get a CSM Threats Agent rule returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	// there is a valid "agent_rule_rc" in the system
	AgentRuleDataID := os.Getenv("AGENT_RULE_DATA_ID")

	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewCSMThreatsApi(apiClient)
	resp, r, err := api.GetCSMThreatsAgentRule(ctx, AgentRuleDataID)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `CSMThreatsApi.GetCSMThreatsAgentRule`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `CSMThreatsApi.GetCSMThreatsAgentRule`:\n%s\n", responseContent)
}

Instructions

First install the library and its dependencies and then save the example to main.go and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" go run "main.go"
// Get a CSM Threats Agent rule returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.CsmThreatsApi;
import com.datadog.api.client.v2.model.CloudWorkloadSecurityAgentRuleResponse;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    CsmThreatsApi apiInstance = new CsmThreatsApi(defaultClient);

    // there is a valid "agent_rule_rc" in the system
    String AGENT_RULE_DATA_ID = System.getenv("AGENT_RULE_DATA_ID");

    try {
      CloudWorkloadSecurityAgentRuleResponse result =
          apiInstance.getCSMThreatsAgentRule(AGENT_RULE_DATA_ID);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println("Exception when calling CsmThreatsApi#getCSMThreatsAgentRule");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

Instructions

First install the library and its dependencies and then save the example to Example.java and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" java "Example.java"
// Get a CSM Threats Agent rule returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_csm_threats::CSMThreatsAPI;

#[tokio::main]
async fn main() {
    // there is a valid "agent_rule_rc" in the system
    let agent_rule_data_id = std::env::var("AGENT_RULE_DATA_ID").unwrap();
    let configuration = datadog::Configuration::new();
    let api = CSMThreatsAPI::with_config(configuration);
    let resp = api
        .get_csm_threats_agent_rule(agent_rule_data_id.clone())
        .await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}

Instructions

First install the library and its dependencies and then save the example to src/main.rs and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" cargo run
/**
 * Get a CSM Threats Agent rule returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.CSMThreatsApi(configuration);

// there is a valid "agent_rule_rc" in the system
const AGENT_RULE_DATA_ID = process.env.AGENT_RULE_DATA_ID as string;

const params: v2.CSMThreatsApiGetCSMThreatsAgentRuleRequest = {
  agentRuleId: AGENT_RULE_DATA_ID,
};

apiInstance
  .getCSMThreatsAgentRule(params)
  .then((data: v2.CloudWorkloadSecurityAgentRuleResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

Instructions

First install the library and its dependencies and then save the example to example.ts and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" tsc "example.ts"

GET https://api.ap1.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_ruleshttps://api.datadoghq.eu/api/v2/security_monitoring/cloud_workload_security/agent_ruleshttps://api.ddog-gov.com/api/v2/security_monitoring/cloud_workload_security/agent_ruleshttps://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_ruleshttps://api.us3.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_ruleshttps://api.us5.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules

Overview

Get the list of Agent rules. This endpoint requires the security_monitoring_cws_agent_rules_read permission.

Response

OK

Response object that includes a list of Agent rule.

Expand All

Field

Type

Description

data

[object]

A list of Agent rules objects.

attributes

object

A Cloud Workload Security Agent rule returned by the API.

actions

[object]

The array of actions the rule can perform if triggered.

filter

string

SECL expression used to target the container to apply the action on

kill

object

Kill system call applied on the container matching the rule

signal

string

Supported signals for the kill system call.

agentConstraint

string

The version of the agent.

category

string

The category of the Agent rule.

creationAuthorUuId

string

The ID of the user who created the rule.

creationDate

int64

When the Agent rule was created, timestamp in milliseconds.

creator

object

The attributes of the user who created the Agent rule.

handle

string

The handle of the user.

name

string

The name of the user.

defaultRule

boolean

Whether the rule is included by default.

description

string

The description of the Agent rule.

enabled

boolean

Whether the Agent rule is enabled.

expression

string

The SECL expression of the Agent rule.

filters

[string]

The platforms the Agent rule is supported on.

name

string

The name of the Agent rule.

updateAuthorUuId

string

The ID of the user who updated the rule.

updateDate

int64

Timestamp in milliseconds when the Agent rule was last updated.

updatedAt

int64

When the Agent rule was last updated, timestamp in milliseconds.

updater

object

The attributes of the user who last updated the Agent rule.

handle

string

The handle of the user.

name

string

The name of the user.

version

int64

The version of the Agent rule.

id

string

The ID of the Agent rule.

type

enum

The type of the resource. The value should always be agent_rule. Allowed enum values: agent_rule

default: agent_rule

{
  "data": [
    {
      "attributes": {
        "actions": [
          {
            "filter": "string",
            "kill": {
              "signal": "string"
            }
          }
        ],
        "agentConstraint": "string",
        "category": "Process Activity",
        "creationAuthorUuId": "e51c9744-d158-11ec-ad23-da7ad0900002",
        "creationDate": 1624366480320,
        "creator": {
          "handle": "datadog.user@example.com",
          "name": "Datadog User"
        },
        "defaultRule": false,
        "description": "My Agent rule",
        "enabled": true,
        "expression": "exec.file.name == \\\"sh\\\"",
        "filters": [],
        "name": "my_agent_rule",
        "updateAuthorUuId": "e51c9744-d158-11ec-ad23-da7ad0900002",
        "updateDate": 1624366480320,
        "updatedAt": 1624366480320,
        "updater": {
          "handle": "datadog.user@example.com",
          "name": "Datadog User"
        },
        "version": 23
      },
      "id": "3dd-0uc-h1s",
      "type": "agent_rule"
    }
  ]
}

Not Authorized

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Too many requests

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Code Example

                  # Curl command
curl -X GET "https://api.ap1.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules" \ -H "Accept: application/json" \ -H "DD-API-KEY: ${DD_API_KEY}" \ -H "DD-APPLICATION-KEY: ${DD_APP_KEY}"
"""
Get all Cloud Workload Security Agent rules returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.csm_threats_api import CSMThreatsApi

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = CSMThreatsApi(api_client)
    response = api_instance.list_cloud_workload_security_agent_rules()

    print(response)

Instructions

First install the library and its dependencies and then save the example to example.py and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" python3 "example.py"
# Get all Cloud Workload Security Agent rules returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::CSMThreatsAPI.new
p api_instance.list_cloud_workload_security_agent_rules()

Instructions

First install the library and its dependencies and then save the example to example.rb and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" rb "example.rb"
// Get all Cloud Workload Security Agent rules returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewCSMThreatsApi(apiClient)
	resp, r, err := api.ListCloudWorkloadSecurityAgentRules(ctx)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `CSMThreatsApi.ListCloudWorkloadSecurityAgentRules`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `CSMThreatsApi.ListCloudWorkloadSecurityAgentRules`:\n%s\n", responseContent)
}

Instructions

First install the library and its dependencies and then save the example to main.go and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" go run "main.go"
// Get all Cloud Workload Security Agent rules returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.CsmThreatsApi;
import com.datadog.api.client.v2.model.CloudWorkloadSecurityAgentRulesListResponse;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    CsmThreatsApi apiInstance = new CsmThreatsApi(defaultClient);

    try {
      CloudWorkloadSecurityAgentRulesListResponse result =
          apiInstance.listCloudWorkloadSecurityAgentRules();
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling CsmThreatsApi#listCloudWorkloadSecurityAgentRules");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

Instructions

First install the library and its dependencies and then save the example to Example.java and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" java "Example.java"
// Get all Cloud Workload Security Agent rules returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_csm_threats::CSMThreatsAPI;

#[tokio::main]
async fn main() {
    let configuration = datadog::Configuration::new();
    let api = CSMThreatsAPI::with_config(configuration);
    let resp = api.list_cloud_workload_security_agent_rules().await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}

Instructions

First install the library and its dependencies and then save the example to src/main.rs and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" cargo run
/**
 * Get all Cloud Workload Security Agent rules returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.CSMThreatsApi(configuration);

apiInstance
  .listCloudWorkloadSecurityAgentRules()
  .then((data: v2.CloudWorkloadSecurityAgentRulesListResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

Instructions

First install the library and its dependencies and then save the example to example.ts and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" tsc "example.ts"

GET https://api.ap1.datadoghq.com/api/v2/remote_config/products/cws/agent_ruleshttps://api.datadoghq.eu/api/v2/remote_config/products/cws/agent_ruleshttps://api.ddog-gov.com/api/v2/remote_config/products/cws/agent_ruleshttps://api.datadoghq.com/api/v2/remote_config/products/cws/agent_ruleshttps://api.us3.datadoghq.com/api/v2/remote_config/products/cws/agent_ruleshttps://api.us5.datadoghq.com/api/v2/remote_config/products/cws/agent_rules

Overview

Get the list of Cloud Security Management Threats Agent rules.

Response

OK

Response object that includes a list of Agent rule.

Expand All

Field

Type

Description

data

[object]

A list of Agent rules objects.

attributes

object

A Cloud Workload Security Agent rule returned by the API.

actions

[object]

The array of actions the rule can perform if triggered.

filter

string

SECL expression used to target the container to apply the action on

kill

object

Kill system call applied on the container matching the rule

signal

string

Supported signals for the kill system call.

agentConstraint

string

The version of the agent.

category

string

The category of the Agent rule.

creationAuthorUuId

string

The ID of the user who created the rule.

creationDate

int64

When the Agent rule was created, timestamp in milliseconds.

creator

object

The attributes of the user who created the Agent rule.

handle

string

The handle of the user.

name

string

The name of the user.

defaultRule

boolean

Whether the rule is included by default.

description

string

The description of the Agent rule.

enabled

boolean

Whether the Agent rule is enabled.

expression

string

The SECL expression of the Agent rule.

filters

[string]

The platforms the Agent rule is supported on.

name

string

The name of the Agent rule.

updateAuthorUuId

string

The ID of the user who updated the rule.

updateDate

int64

Timestamp in milliseconds when the Agent rule was last updated.

updatedAt

int64

When the Agent rule was last updated, timestamp in milliseconds.

updater

object

The attributes of the user who last updated the Agent rule.

handle

string

The handle of the user.

name

string

The name of the user.

version

int64

The version of the Agent rule.

id

string

The ID of the Agent rule.

type

enum

The type of the resource. The value should always be agent_rule. Allowed enum values: agent_rule

default: agent_rule

{
  "data": [
    {
      "attributes": {
        "actions": [
          {
            "filter": "string",
            "kill": {
              "signal": "string"
            }
          }
        ],
        "agentConstraint": "string",
        "category": "Process Activity",
        "creationAuthorUuId": "e51c9744-d158-11ec-ad23-da7ad0900002",
        "creationDate": 1624366480320,
        "creator": {
          "handle": "datadog.user@example.com",
          "name": "Datadog User"
        },
        "defaultRule": false,
        "description": "My Agent rule",
        "enabled": true,
        "expression": "exec.file.name == \\\"sh\\\"",
        "filters": [],
        "name": "my_agent_rule",
        "updateAuthorUuId": "e51c9744-d158-11ec-ad23-da7ad0900002",
        "updateDate": 1624366480320,
        "updatedAt": 1624366480320,
        "updater": {
          "handle": "datadog.user@example.com",
          "name": "Datadog User"
        },
        "version": 23
      },
      "id": "3dd-0uc-h1s",
      "type": "agent_rule"
    }
  ]
}

Not Authorized

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Too many requests

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Code Example

                  # Curl command
curl -X GET "https://api.ap1.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/remote_config/products/cws/agent_rules" \ -H "Accept: application/json" \ -H "DD-API-KEY: ${DD_API_KEY}" \ -H "DD-APPLICATION-KEY: ${DD_APP_KEY}"
"""
Get all CSM Threats Agent rules returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.csm_threats_api import CSMThreatsApi

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = CSMThreatsApi(api_client)
    response = api_instance.list_csm_threats_agent_rules()

    print(response)

Instructions

First install the library and its dependencies and then save the example to example.py and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" python3 "example.py"
# Get all CSM Threats Agent rules returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::CSMThreatsAPI.new
p api_instance.list_csm_threats_agent_rules()

Instructions

First install the library and its dependencies and then save the example to example.rb and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" rb "example.rb"
/**
 * Get all CSM Threats Agent rules returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.CSMThreatsApi(configuration);

apiInstance
  .listCSMThreatsAgentRules()
  .then((data: v2.CloudWorkloadSecurityAgentRulesListResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

Instructions

First install the library and its dependencies and then save the example to example.ts and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" tsc "example.ts"
// Get all CSM Threats Agent rules returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewCSMThreatsApi(apiClient)
	resp, r, err := api.ListCSMThreatsAgentRules(ctx)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `CSMThreatsApi.ListCSMThreatsAgentRules`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `CSMThreatsApi.ListCSMThreatsAgentRules`:\n%s\n", responseContent)
}

Instructions

First install the library and its dependencies and then save the example to main.go and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" go run "main.go"
// Get all CSM Threats Agent rules returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.CsmThreatsApi;
import com.datadog.api.client.v2.model.CloudWorkloadSecurityAgentRulesListResponse;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    CsmThreatsApi apiInstance = new CsmThreatsApi(defaultClient);

    try {
      CloudWorkloadSecurityAgentRulesListResponse result = apiInstance.listCSMThreatsAgentRules();
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println("Exception when calling CsmThreatsApi#listCSMThreatsAgentRules");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

Instructions

First install the library and its dependencies and then save the example to Example.java and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" java "Example.java"
// Get all CSM Threats Agent rules returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_csm_threats::CSMThreatsAPI;

#[tokio::main]
async fn main() {
    let configuration = datadog::Configuration::new();
    let api = CSMThreatsAPI::with_config(configuration);
    let resp = api.list_csm_threats_agent_rules().await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}

Instructions

First install the library and its dependencies and then save the example to src/main.rs and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" cargo run

POST https://api.ap1.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_ruleshttps://api.datadoghq.eu/api/v2/security_monitoring/cloud_workload_security/agent_ruleshttps://api.ddog-gov.com/api/v2/security_monitoring/cloud_workload_security/agent_ruleshttps://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_ruleshttps://api.us3.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_ruleshttps://api.us5.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules

Overview

Create a new Agent rule with the given parameters. This endpoint requires the security_monitoring_cws_agent_rules_write permission.

Request

Body Data (required)

The definition of the new Agent rule.

Expand All

Field

Type

Description

data [required]

object

Object for a single Agent rule.

attributes [required]

object

Create a new Cloud Workload Security Agent rule.

description

string

The description of the Agent rule.

enabled

boolean

Whether the Agent rule is enabled.

expression [required]

string

The SECL expression of the Agent rule.

filters

[string]

The platforms the Agent rule is supported on.

name [required]

string

The name of the Agent rule.

type [required]

enum

The type of the resource. The value should always be agent_rule. Allowed enum values: agent_rule

default: agent_rule

{
  "data": {
    "attributes": {
      "description": "Test Agent rule",
      "enabled": true,
      "expression": "exec.file.name == \"sh\"",
      "name": "examplecsmthreat"
    },
    "type": "agent_rule"
  }
}

Response

OK

Response object that includes an Agent rule.

Expand All

Field

Type

Description

data

object

Object for a single Agent rule.

attributes

object

A Cloud Workload Security Agent rule returned by the API.

actions

[object]

The array of actions the rule can perform if triggered.

filter

string

SECL expression used to target the container to apply the action on

kill

object

Kill system call applied on the container matching the rule

signal

string

Supported signals for the kill system call.

agentConstraint

string

The version of the agent.

category

string

The category of the Agent rule.

creationAuthorUuId

string

The ID of the user who created the rule.

creationDate

int64

When the Agent rule was created, timestamp in milliseconds.

creator

object

The attributes of the user who created the Agent rule.

handle

string

The handle of the user.

name

string

The name of the user.

defaultRule

boolean

Whether the rule is included by default.

description

string

The description of the Agent rule.

enabled

boolean

Whether the Agent rule is enabled.

expression

string

The SECL expression of the Agent rule.

filters

[string]

The platforms the Agent rule is supported on.

name

string

The name of the Agent rule.

updateAuthorUuId

string

The ID of the user who updated the rule.

updateDate

int64

Timestamp in milliseconds when the Agent rule was last updated.

updatedAt

int64

When the Agent rule was last updated, timestamp in milliseconds.

updater

object

The attributes of the user who last updated the Agent rule.

handle

string

The handle of the user.

name

string

The name of the user.

version

int64

The version of the Agent rule.

id

string

The ID of the Agent rule.

type

enum

The type of the resource. The value should always be agent_rule. Allowed enum values: agent_rule

default: agent_rule

{
  "data": {
    "attributes": {
      "actions": [
        {
          "filter": "string",
          "kill": {
            "signal": "string"
          }
        }
      ],
      "agentConstraint": "string",
      "category": "Process Activity",
      "creationAuthorUuId": "e51c9744-d158-11ec-ad23-da7ad0900002",
      "creationDate": 1624366480320,
      "creator": {
        "handle": "datadog.user@example.com",
        "name": "Datadog User"
      },
      "defaultRule": false,
      "description": "My Agent rule",
      "enabled": true,
      "expression": "exec.file.name == \\\"sh\\\"",
      "filters": [],
      "name": "my_agent_rule",
      "updateAuthorUuId": "e51c9744-d158-11ec-ad23-da7ad0900002",
      "updateDate": 1624366480320,
      "updatedAt": 1624366480320,
      "updater": {
        "handle": "datadog.user@example.com",
        "name": "Datadog User"
      },
      "version": 23
    },
    "id": "3dd-0uc-h1s",
    "type": "agent_rule"
  }
}

Bad Request

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Not Authorized

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Conflict

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Too many requests

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Code Example

                          # Curl command
curl -X POST "https://api.ap1.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules" \ -H "Accept: application/json" \ -H "Content-Type: application/json" \ -H "DD-API-KEY: ${DD_API_KEY}" \ -H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \ -d @- << EOF { "data": { "attributes": { "description": "Test Agent rule", "enabled": true, "expression": "exec.file.name == \"sh\"", "name": "examplecsmthreat" }, "type": "agent_rule" } } EOF
// Create a Cloud Workload Security Agent rule returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	body := datadogV2.CloudWorkloadSecurityAgentRuleCreateRequest{
		Data: datadogV2.CloudWorkloadSecurityAgentRuleCreateData{
			Attributes: datadogV2.CloudWorkloadSecurityAgentRuleCreateAttributes{
				Description: datadog.PtrString("Test Agent rule"),
				Enabled:     datadog.PtrBool(true),
				Expression:  `exec.file.name == "sh"`,
				Name:        "examplecsmthreat",
			},
			Type: datadogV2.CLOUDWORKLOADSECURITYAGENTRULETYPE_AGENT_RULE,
		},
	}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewCSMThreatsApi(apiClient)
	resp, r, err := api.CreateCloudWorkloadSecurityAgentRule(ctx, body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `CSMThreatsApi.CreateCloudWorkloadSecurityAgentRule`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `CSMThreatsApi.CreateCloudWorkloadSecurityAgentRule`:\n%s\n", responseContent)
}

Instructions

First install the library and its dependencies and then save the example to main.go and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" go run "main.go"
// Create a Cloud Workload Security Agent rule returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.CsmThreatsApi;
import com.datadog.api.client.v2.model.CloudWorkloadSecurityAgentRuleCreateAttributes;
import com.datadog.api.client.v2.model.CloudWorkloadSecurityAgentRuleCreateData;
import com.datadog.api.client.v2.model.CloudWorkloadSecurityAgentRuleCreateRequest;
import com.datadog.api.client.v2.model.CloudWorkloadSecurityAgentRuleResponse;
import com.datadog.api.client.v2.model.CloudWorkloadSecurityAgentRuleType;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    CsmThreatsApi apiInstance = new CsmThreatsApi(defaultClient);

    CloudWorkloadSecurityAgentRuleCreateRequest body =
        new CloudWorkloadSecurityAgentRuleCreateRequest()
            .data(
                new CloudWorkloadSecurityAgentRuleCreateData()
                    .attributes(
                        new CloudWorkloadSecurityAgentRuleCreateAttributes()
                            .description("Test Agent rule")
                            .enabled(true)
                            .expression("""
exec.file.name == "sh"
""")
                            .name("examplecsmthreat"))
                    .type(CloudWorkloadSecurityAgentRuleType.AGENT_RULE));

    try {
      CloudWorkloadSecurityAgentRuleResponse result =
          apiInstance.createCloudWorkloadSecurityAgentRule(body);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling CsmThreatsApi#createCloudWorkloadSecurityAgentRule");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

Instructions

First install the library and its dependencies and then save the example to Example.java and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" java "Example.java"
"""
Create a Cloud Workload Security Agent rule returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.csm_threats_api import CSMThreatsApi
from datadog_api_client.v2.model.cloud_workload_security_agent_rule_create_attributes import (
    CloudWorkloadSecurityAgentRuleCreateAttributes,
)
from datadog_api_client.v2.model.cloud_workload_security_agent_rule_create_data import (
    CloudWorkloadSecurityAgentRuleCreateData,
)
from datadog_api_client.v2.model.cloud_workload_security_agent_rule_create_request import (
    CloudWorkloadSecurityAgentRuleCreateRequest,
)
from datadog_api_client.v2.model.cloud_workload_security_agent_rule_type import CloudWorkloadSecurityAgentRuleType

body = CloudWorkloadSecurityAgentRuleCreateRequest(
    data=CloudWorkloadSecurityAgentRuleCreateData(
        attributes=CloudWorkloadSecurityAgentRuleCreateAttributes(
            description="Test Agent rule",
            enabled=True,
            expression='exec.file.name == "sh"',
            name="examplecsmthreat",
        ),
        type=CloudWorkloadSecurityAgentRuleType.AGENT_RULE,
    ),
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = CSMThreatsApi(api_client)
    response = api_instance.create_cloud_workload_security_agent_rule(body=body)

    print(response)

Instructions

First install the library and its dependencies and then save the example to example.py and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" python3 "example.py"
# Create a Cloud Workload Security Agent rule returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::CSMThreatsAPI.new

body = DatadogAPIClient::V2::CloudWorkloadSecurityAgentRuleCreateRequest.new({
  data: DatadogAPIClient::V2::CloudWorkloadSecurityAgentRuleCreateData.new({
    attributes: DatadogAPIClient::V2::CloudWorkloadSecurityAgentRuleCreateAttributes.new({
      description: "Test Agent rule",
      enabled: true,
      expression: 'exec.file.name == "sh"',
      name: "examplecsmthreat",
    }),
    type: DatadogAPIClient::V2::CloudWorkloadSecurityAgentRuleType::AGENT_RULE,
  }),
})
p api_instance.create_cloud_workload_security_agent_rule(body)

Instructions

First install the library and its dependencies and then save the example to example.rb and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" rb "example.rb"
// Create a Cloud Workload Security Agent rule returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_csm_threats::CSMThreatsAPI;
use datadog_api_client::datadogV2::model::CloudWorkloadSecurityAgentRuleCreateAttributes;
use datadog_api_client::datadogV2::model::CloudWorkloadSecurityAgentRuleCreateData;
use datadog_api_client::datadogV2::model::CloudWorkloadSecurityAgentRuleCreateRequest;
use datadog_api_client::datadogV2::model::CloudWorkloadSecurityAgentRuleType;

#[tokio::main]
async fn main() {
    let body = CloudWorkloadSecurityAgentRuleCreateRequest::new(
        CloudWorkloadSecurityAgentRuleCreateData::new(
            CloudWorkloadSecurityAgentRuleCreateAttributes::new(
                r#"exec.file.name == "sh""#.to_string(),
                "examplecsmthreat".to_string(),
            )
            .description("Test Agent rule".to_string())
            .enabled(true),
            CloudWorkloadSecurityAgentRuleType::AGENT_RULE,
        ),
    );
    let configuration = datadog::Configuration::new();
    let api = CSMThreatsAPI::with_config(configuration);
    let resp = api.create_cloud_workload_security_agent_rule(body).await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}

Instructions

First install the library and its dependencies and then save the example to src/main.rs and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" cargo run
/**
 * Create a Cloud Workload Security Agent rule returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.CSMThreatsApi(configuration);

const params: v2.CSMThreatsApiCreateCloudWorkloadSecurityAgentRuleRequest = {
  body: {
    data: {
      attributes: {
        description: "Test Agent rule",
        enabled: true,
        expression: `exec.file.name == "sh"`,
        name: "examplecsmthreat",
      },
      type: "agent_rule",
    },
  },
};

apiInstance
  .createCloudWorkloadSecurityAgentRule(params)
  .then((data: v2.CloudWorkloadSecurityAgentRuleResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

Instructions

First install the library and its dependencies and then save the example to example.ts and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" tsc "example.ts"

POST https://api.ap1.datadoghq.com/api/v2/remote_config/products/cws/agent_ruleshttps://api.datadoghq.eu/api/v2/remote_config/products/cws/agent_ruleshttps://api.ddog-gov.com/api/v2/remote_config/products/cws/agent_ruleshttps://api.datadoghq.com/api/v2/remote_config/products/cws/agent_ruleshttps://api.us3.datadoghq.com/api/v2/remote_config/products/cws/agent_ruleshttps://api.us5.datadoghq.com/api/v2/remote_config/products/cws/agent_rules

Overview

Create a new Cloud Security Management Threats Agent rule with the given parameters.

Request

Body Data (required)

The definition of the new Agent rule.

Expand All

Field

Type

Description

data [required]

object

Object for a single Agent rule.

attributes [required]

object

Create a new Cloud Workload Security Agent rule.

description

string

The description of the Agent rule.

enabled

boolean

Whether the Agent rule is enabled.

expression [required]

string

The SECL expression of the Agent rule.

filters

[string]

The platforms the Agent rule is supported on.

name [required]

string

The name of the Agent rule.

type [required]

enum

The type of the resource. The value should always be agent_rule. Allowed enum values: agent_rule

default: agent_rule

{
  "data": {
    "attributes": {
      "description": "My Agent rule",
      "enabled": true,
      "expression": "exec.file.name == \"sh\"",
      "filters": [
        "os == \"linux\""
      ],
      "name": "examplecsmthreat"
    },
    "type": "agent_rule"
  }
}

Response

OK

Response object that includes an Agent rule.

Expand All

Field

Type

Description

data

object

Object for a single Agent rule.

attributes

object

A Cloud Workload Security Agent rule returned by the API.

actions

[object]

The array of actions the rule can perform if triggered.

filter

string

SECL expression used to target the container to apply the action on

kill

object

Kill system call applied on the container matching the rule

signal

string

Supported signals for the kill system call.

agentConstraint

string

The version of the agent.

category

string

The category of the Agent rule.

creationAuthorUuId

string

The ID of the user who created the rule.

creationDate

int64

When the Agent rule was created, timestamp in milliseconds.

creator

object

The attributes of the user who created the Agent rule.

handle

string

The handle of the user.

name

string

The name of the user.

defaultRule

boolean

Whether the rule is included by default.

description

string

The description of the Agent rule.

enabled

boolean

Whether the Agent rule is enabled.

expression

string

The SECL expression of the Agent rule.

filters

[string]

The platforms the Agent rule is supported on.

name

string

The name of the Agent rule.

updateAuthorUuId

string

The ID of the user who updated the rule.

updateDate

int64

Timestamp in milliseconds when the Agent rule was last updated.

updatedAt

int64

When the Agent rule was last updated, timestamp in milliseconds.

updater

object

The attributes of the user who last updated the Agent rule.

handle

string

The handle of the user.

name

string

The name of the user.

version

int64

The version of the Agent rule.

id

string

The ID of the Agent rule.

type

enum

The type of the resource. The value should always be agent_rule. Allowed enum values: agent_rule

default: agent_rule

{
  "data": {
    "attributes": {
      "actions": [
        {
          "filter": "string",
          "kill": {
            "signal": "string"
          }
        }
      ],
      "agentConstraint": "string",
      "category": "Process Activity",
      "creationAuthorUuId": "e51c9744-d158-11ec-ad23-da7ad0900002",
      "creationDate": 1624366480320,
      "creator": {
        "handle": "datadog.user@example.com",
        "name": "Datadog User"
      },
      "defaultRule": false,
      "description": "My Agent rule",
      "enabled": true,
      "expression": "exec.file.name == \\\"sh\\\"",
      "filters": [],
      "name": "my_agent_rule",
      "updateAuthorUuId": "e51c9744-d158-11ec-ad23-da7ad0900002",
      "updateDate": 1624366480320,
      "updatedAt": 1624366480320,
      "updater": {
        "handle": "datadog.user@example.com",
        "name": "Datadog User"
      },
      "version": 23
    },
    "id": "3dd-0uc-h1s",
    "type": "agent_rule"
  }
}

Bad Request

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Not Authorized

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Conflict

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Too many requests

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Code Example

                          # Curl command
curl -X POST "https://api.ap1.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/remote_config/products/cws/agent_rules" \ -H "Accept: application/json" \ -H "Content-Type: application/json" \ -H "DD-API-KEY: ${DD_API_KEY}" \ -H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \ -d @- << EOF { "data": { "attributes": { "description": "My Agent rule", "enabled": true, "expression": "exec.file.name == \"sh\"", "filters": [ "os == \"linux\"" ], "name": "examplecsmthreat" }, "type": "agent_rule" } } EOF
// Create a CSM Threats Agent rule returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	body := datadogV2.CloudWorkloadSecurityAgentRuleCreateRequest{
		Data: datadogV2.CloudWorkloadSecurityAgentRuleCreateData{
			Attributes: datadogV2.CloudWorkloadSecurityAgentRuleCreateAttributes{
				Description: datadog.PtrString("My Agent rule"),
				Enabled:     datadog.PtrBool(true),
				Expression:  `exec.file.name == "sh"`,
				Filters: []string{
					`os == "linux"`,
				},
				Name: "examplecsmthreat",
			},
			Type: datadogV2.CLOUDWORKLOADSECURITYAGENTRULETYPE_AGENT_RULE,
		},
	}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewCSMThreatsApi(apiClient)
	resp, r, err := api.CreateCSMThreatsAgentRule(ctx, body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `CSMThreatsApi.CreateCSMThreatsAgentRule`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `CSMThreatsApi.CreateCSMThreatsAgentRule`:\n%s\n", responseContent)
}

Instructions

First install the library and its dependencies and then save the example to main.go and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" go run "main.go"
// Create a CSM Threats Agent rule returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.CsmThreatsApi;
import com.datadog.api.client.v2.model.CloudWorkloadSecurityAgentRuleCreateAttributes;
import com.datadog.api.client.v2.model.CloudWorkloadSecurityAgentRuleCreateData;
import com.datadog.api.client.v2.model.CloudWorkloadSecurityAgentRuleCreateRequest;
import com.datadog.api.client.v2.model.CloudWorkloadSecurityAgentRuleResponse;
import com.datadog.api.client.v2.model.CloudWorkloadSecurityAgentRuleType;
import java.util.Collections;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    CsmThreatsApi apiInstance = new CsmThreatsApi(defaultClient);

    CloudWorkloadSecurityAgentRuleCreateRequest body =
        new CloudWorkloadSecurityAgentRuleCreateRequest()
            .data(
                new CloudWorkloadSecurityAgentRuleCreateData()
                    .attributes(
                        new CloudWorkloadSecurityAgentRuleCreateAttributes()
                            .description("My Agent rule")
                            .enabled(true)
                            .expression("""
exec.file.name == "sh"
""")
                            .filters(Collections.singletonList("""
os == "linux"
"""))
                            .name("examplecsmthreat"))
                    .type(CloudWorkloadSecurityAgentRuleType.AGENT_RULE));

    try {
      CloudWorkloadSecurityAgentRuleResponse result = apiInstance.createCSMThreatsAgentRule(body);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println("Exception when calling CsmThreatsApi#createCSMThreatsAgentRule");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

Instructions

First install the library and its dependencies and then save the example to Example.java and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" java "Example.java"
"""
Create a CSM Threats Agent rule returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.csm_threats_api import CSMThreatsApi
from datadog_api_client.v2.model.cloud_workload_security_agent_rule_create_attributes import (
    CloudWorkloadSecurityAgentRuleCreateAttributes,
)
from datadog_api_client.v2.model.cloud_workload_security_agent_rule_create_data import (
    CloudWorkloadSecurityAgentRuleCreateData,
)
from datadog_api_client.v2.model.cloud_workload_security_agent_rule_create_request import (
    CloudWorkloadSecurityAgentRuleCreateRequest,
)
from datadog_api_client.v2.model.cloud_workload_security_agent_rule_type import CloudWorkloadSecurityAgentRuleType

body = CloudWorkloadSecurityAgentRuleCreateRequest(
    data=CloudWorkloadSecurityAgentRuleCreateData(
        attributes=CloudWorkloadSecurityAgentRuleCreateAttributes(
            description="My Agent rule",
            enabled=True,
            expression='exec.file.name == "sh"',
            filters=[
                'os == "linux"',
            ],
            name="examplecsmthreat",
        ),
        type=CloudWorkloadSecurityAgentRuleType.AGENT_RULE,
    ),
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = CSMThreatsApi(api_client)
    response = api_instance.create_csm_threats_agent_rule(body=body)

    print(response)

Instructions

First install the library and its dependencies and then save the example to example.py and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" python3 "example.py"
# Create a CSM Threats Agent rule returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::CSMThreatsAPI.new

body = DatadogAPIClient::V2::CloudWorkloadSecurityAgentRuleCreateRequest.new({
  data: DatadogAPIClient::V2::CloudWorkloadSecurityAgentRuleCreateData.new({
    attributes: DatadogAPIClient::V2::CloudWorkloadSecurityAgentRuleCreateAttributes.new({
      description: "My Agent rule",
      enabled: true,
      expression: 'exec.file.name == "sh"',
      filters: [
        'os == "linux"',
      ],
      name: "examplecsmthreat",
    }),
    type: DatadogAPIClient::V2::CloudWorkloadSecurityAgentRuleType::AGENT_RULE,
  }),
})
p api_instance.create_csm_threats_agent_rule(body)

Instructions

First install the library and its dependencies and then save the example to example.rb and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" rb "example.rb"
// Create a CSM Threats Agent rule returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_csm_threats::CSMThreatsAPI;
use datadog_api_client::datadogV2::model::CloudWorkloadSecurityAgentRuleCreateAttributes;
use datadog_api_client::datadogV2::model::CloudWorkloadSecurityAgentRuleCreateData;
use datadog_api_client::datadogV2::model::CloudWorkloadSecurityAgentRuleCreateRequest;
use datadog_api_client::datadogV2::model::CloudWorkloadSecurityAgentRuleType;

#[tokio::main]
async fn main() {
    let body = CloudWorkloadSecurityAgentRuleCreateRequest::new(
        CloudWorkloadSecurityAgentRuleCreateData::new(
            CloudWorkloadSecurityAgentRuleCreateAttributes::new(
                r#"exec.file.name == "sh""#.to_string(),
                "examplecsmthreat".to_string(),
            )
            .description("My Agent rule".to_string())
            .enabled(true)
            .filters(vec![r#"os == "linux""#.to_string()]),
            CloudWorkloadSecurityAgentRuleType::AGENT_RULE,
        ),
    );
    let configuration = datadog::Configuration::new();
    let api = CSMThreatsAPI::with_config(configuration);
    let resp = api.create_csm_threats_agent_rule(body).await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}

Instructions

First install the library and its dependencies and then save the example to src/main.rs and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" cargo run
/**
 * Create a CSM Threats Agent rule returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.CSMThreatsApi(configuration);

const params: v2.CSMThreatsApiCreateCSMThreatsAgentRuleRequest = {
  body: {
    data: {
      attributes: {
        description: "My Agent rule",
        enabled: true,
        expression: `exec.file.name == "sh"`,
        filters: [`os == "linux"`],
        name: "examplecsmthreat",
      },
      type: "agent_rule",
    },
  },
};

apiInstance
  .createCSMThreatsAgentRule(params)
  .then((data: v2.CloudWorkloadSecurityAgentRuleResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

Instructions

First install the library and its dependencies and then save the example to example.ts and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" tsc "example.ts"

PATCH https://api.ap1.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/{agent_rule_id}https://api.datadoghq.eu/api/v2/security_monitoring/cloud_workload_security/agent_rules/{agent_rule_id}https://api.ddog-gov.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/{agent_rule_id}https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/{agent_rule_id}https://api.us3.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/{agent_rule_id}https://api.us5.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/{agent_rule_id}

Overview

Update a specific Agent rule. Returns the Agent rule object when the request is successful. This endpoint requires the security_monitoring_cws_agent_rules_write permission.

Arguments

Path Parameters

Name

Type

Description

agent_rule_id [required]

string

The ID of the Agent rule.

Request

Body Data (required)

New definition of the Agent rule.

Expand All

Field

Type

Description

data [required]

object

Object for a single Agent rule.

attributes [required]

object

Update an existing Cloud Workload Security Agent rule.

description

string

The description of the Agent rule.

enabled

boolean

Whether the Agent rule is enabled.

expression

string

The SECL expression of the Agent rule.

id

string

The ID of the agent rule.

type [required]

enum

The type of the resource. The value should always be agent_rule. Allowed enum values: agent_rule

default: agent_rule

{
  "data": {
    "attributes": {
      "description": "Test Agent rule",
      "enabled": true,
      "expression": "exec.file.name == \"sh\""
    },
    "type": "agent_rule",
    "id": "3dd-0uc-h1s"
  }
}

Response

OK

Response object that includes an Agent rule.

Expand All

Field

Type

Description

data

object

Object for a single Agent rule.

attributes

object

A Cloud Workload Security Agent rule returned by the API.

actions

[object]

The array of actions the rule can perform if triggered.

filter

string

SECL expression used to target the container to apply the action on

kill

object

Kill system call applied on the container matching the rule

signal

string

Supported signals for the kill system call.

agentConstraint

string

The version of the agent.

category

string

The category of the Agent rule.

creationAuthorUuId

string

The ID of the user who created the rule.

creationDate

int64

When the Agent rule was created, timestamp in milliseconds.

creator

object

The attributes of the user who created the Agent rule.

handle

string

The handle of the user.

name

string

The name of the user.

defaultRule

boolean

Whether the rule is included by default.

description

string

The description of the Agent rule.

enabled

boolean

Whether the Agent rule is enabled.

expression

string

The SECL expression of the Agent rule.

filters

[string]

The platforms the Agent rule is supported on.

name

string

The name of the Agent rule.

updateAuthorUuId

string

The ID of the user who updated the rule.

updateDate

int64

Timestamp in milliseconds when the Agent rule was last updated.

updatedAt

int64

When the Agent rule was last updated, timestamp in milliseconds.

updater

object

The attributes of the user who last updated the Agent rule.

handle

string

The handle of the user.

name

string

The name of the user.

version

int64

The version of the Agent rule.

id

string

The ID of the Agent rule.

type

enum

The type of the resource. The value should always be agent_rule. Allowed enum values: agent_rule

default: agent_rule

{
  "data": {
    "attributes": {
      "actions": [
        {
          "filter": "string",
          "kill": {
            "signal": "string"
          }
        }
      ],
      "agentConstraint": "string",
      "category": "Process Activity",
      "creationAuthorUuId": "e51c9744-d158-11ec-ad23-da7ad0900002",
      "creationDate": 1624366480320,
      "creator": {
        "handle": "datadog.user@example.com",
        "name": "Datadog User"
      },
      "defaultRule": false,
      "description": "My Agent rule",
      "enabled": true,
      "expression": "exec.file.name == \\\"sh\\\"",
      "filters": [],
      "name": "my_agent_rule",
      "updateAuthorUuId": "e51c9744-d158-11ec-ad23-da7ad0900002",
      "updateDate": 1624366480320,
      "updatedAt": 1624366480320,
      "updater": {
        "handle": "datadog.user@example.com",
        "name": "Datadog User"
      },
      "version": 23
    },
    "id": "3dd-0uc-h1s",
    "type": "agent_rule"
  }
}

Bad Request

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Not Authorized

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Not Found

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Concurrent Modification

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Too many requests

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Code Example

                          # Path parameters
export agent_rule_id="3b5-v82-ns6"
# Curl command
curl -X PATCH "https://api.ap1.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/${agent_rule_id}" \ -H "Accept: application/json" \ -H "Content-Type: application/json" \ -H "DD-API-KEY: ${DD_API_KEY}" \ -H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \ -d @- << EOF { "data": { "attributes": { "description": "Test Agent rule", "enabled": true, "expression": "exec.file.name == \"sh\"" }, "type": "agent_rule", "id": "3dd-0uc-h1s" } } EOF
// Update a Cloud Workload Security Agent rule returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	// there is a valid "agent_rule" in the system
	AgentRuleDataID := os.Getenv("AGENT_RULE_DATA_ID")

	body := datadogV2.CloudWorkloadSecurityAgentRuleUpdateRequest{
		Data: datadogV2.CloudWorkloadSecurityAgentRuleUpdateData{
			Attributes: datadogV2.CloudWorkloadSecurityAgentRuleUpdateAttributes{
				Description: datadog.PtrString("Test Agent rule"),
				Enabled:     datadog.PtrBool(true),
				Expression:  datadog.PtrString(`exec.file.name == "sh"`),
			},
			Type: datadogV2.CLOUDWORKLOADSECURITYAGENTRULETYPE_AGENT_RULE,
			Id:   datadog.PtrString(AgentRuleDataID),
		},
	}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewCSMThreatsApi(apiClient)
	resp, r, err := api.UpdateCloudWorkloadSecurityAgentRule(ctx, AgentRuleDataID, body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `CSMThreatsApi.UpdateCloudWorkloadSecurityAgentRule`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `CSMThreatsApi.UpdateCloudWorkloadSecurityAgentRule`:\n%s\n", responseContent)
}

Instructions

First install the library and its dependencies and then save the example to main.go and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" go run "main.go"
// Update a Cloud Workload Security Agent rule returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.CsmThreatsApi;
import com.datadog.api.client.v2.model.CloudWorkloadSecurityAgentRuleResponse;
import com.datadog.api.client.v2.model.CloudWorkloadSecurityAgentRuleType;
import com.datadog.api.client.v2.model.CloudWorkloadSecurityAgentRuleUpdateAttributes;
import com.datadog.api.client.v2.model.CloudWorkloadSecurityAgentRuleUpdateData;
import com.datadog.api.client.v2.model.CloudWorkloadSecurityAgentRuleUpdateRequest;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    CsmThreatsApi apiInstance = new CsmThreatsApi(defaultClient);

    // there is a valid "agent_rule" in the system
    String AGENT_RULE_DATA_ID = System.getenv("AGENT_RULE_DATA_ID");

    CloudWorkloadSecurityAgentRuleUpdateRequest body =
        new CloudWorkloadSecurityAgentRuleUpdateRequest()
            .data(
                new CloudWorkloadSecurityAgentRuleUpdateData()
                    .attributes(
                        new CloudWorkloadSecurityAgentRuleUpdateAttributes()
                            .description("Test Agent rule")
                            .enabled(true)
                            .expression("""
exec.file.name == "sh"
"""))
                    .type(CloudWorkloadSecurityAgentRuleType.AGENT_RULE)
                    .id(AGENT_RULE_DATA_ID));

    try {
      CloudWorkloadSecurityAgentRuleResponse result =
          apiInstance.updateCloudWorkloadSecurityAgentRule(AGENT_RULE_DATA_ID, body);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling CsmThreatsApi#updateCloudWorkloadSecurityAgentRule");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

Instructions

First install the library and its dependencies and then save the example to Example.java and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" java "Example.java"
"""
Update a Cloud Workload Security Agent rule returns "OK" response
"""

from os import environ
from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.csm_threats_api import CSMThreatsApi
from datadog_api_client.v2.model.cloud_workload_security_agent_rule_type import CloudWorkloadSecurityAgentRuleType
from datadog_api_client.v2.model.cloud_workload_security_agent_rule_update_attributes import (
    CloudWorkloadSecurityAgentRuleUpdateAttributes,
)
from datadog_api_client.v2.model.cloud_workload_security_agent_rule_update_data import (
    CloudWorkloadSecurityAgentRuleUpdateData,
)
from datadog_api_client.v2.model.cloud_workload_security_agent_rule_update_request import (
    CloudWorkloadSecurityAgentRuleUpdateRequest,
)

# there is a valid "agent_rule" in the system
AGENT_RULE_DATA_ID = environ["AGENT_RULE_DATA_ID"]

body = CloudWorkloadSecurityAgentRuleUpdateRequest(
    data=CloudWorkloadSecurityAgentRuleUpdateData(
        attributes=CloudWorkloadSecurityAgentRuleUpdateAttributes(
            description="Test Agent rule",
            enabled=True,
            expression='exec.file.name == "sh"',
        ),
        type=CloudWorkloadSecurityAgentRuleType.AGENT_RULE,
        id=AGENT_RULE_DATA_ID,
    ),
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = CSMThreatsApi(api_client)
    response = api_instance.update_cloud_workload_security_agent_rule(agent_rule_id=AGENT_RULE_DATA_ID, body=body)

    print(response)

Instructions

First install the library and its dependencies and then save the example to example.py and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" python3 "example.py"
# Update a Cloud Workload Security Agent rule returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::CSMThreatsAPI.new

# there is a valid "agent_rule" in the system
AGENT_RULE_DATA_ID = ENV["AGENT_RULE_DATA_ID"]

body = DatadogAPIClient::V2::CloudWorkloadSecurityAgentRuleUpdateRequest.new({
  data: DatadogAPIClient::V2::CloudWorkloadSecurityAgentRuleUpdateData.new({
    attributes: DatadogAPIClient::V2::CloudWorkloadSecurityAgentRuleUpdateAttributes.new({
      description: "Test Agent rule",
      enabled: true,
      expression: 'exec.file.name == "sh"',
    }),
    type: DatadogAPIClient::V2::CloudWorkloadSecurityAgentRuleType::AGENT_RULE,
    id: AGENT_RULE_DATA_ID,
  }),
})
p api_instance.update_cloud_workload_security_agent_rule(AGENT_RULE_DATA_ID, body)

Instructions

First install the library and its dependencies and then save the example to example.rb and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" rb "example.rb"
// Update a Cloud Workload Security Agent rule returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_csm_threats::CSMThreatsAPI;
use datadog_api_client::datadogV2::model::CloudWorkloadSecurityAgentRuleType;
use datadog_api_client::datadogV2::model::CloudWorkloadSecurityAgentRuleUpdateAttributes;
use datadog_api_client::datadogV2::model::CloudWorkloadSecurityAgentRuleUpdateData;
use datadog_api_client::datadogV2::model::CloudWorkloadSecurityAgentRuleUpdateRequest;

#[tokio::main]
async fn main() {
    // there is a valid "agent_rule" in the system
    let agent_rule_data_id = std::env::var("AGENT_RULE_DATA_ID").unwrap();
    let body = CloudWorkloadSecurityAgentRuleUpdateRequest::new(
        CloudWorkloadSecurityAgentRuleUpdateData::new(
            CloudWorkloadSecurityAgentRuleUpdateAttributes::new()
                .description("Test Agent rule".to_string())
                .enabled(true)
                .expression(r#"exec.file.name == "sh""#.to_string()),
            CloudWorkloadSecurityAgentRuleType::AGENT_RULE,
        )
        .id(agent_rule_data_id.clone()),
    );
    let configuration = datadog::Configuration::new();
    let api = CSMThreatsAPI::with_config(configuration);
    let resp = api
        .update_cloud_workload_security_agent_rule(agent_rule_data_id.clone(), body)
        .await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}

Instructions

First install the library and its dependencies and then save the example to src/main.rs and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" cargo run
/**
 * Update a Cloud Workload Security Agent rule returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.CSMThreatsApi(configuration);

// there is a valid "agent_rule" in the system
const AGENT_RULE_DATA_ID = process.env.AGENT_RULE_DATA_ID as string;

const params: v2.CSMThreatsApiUpdateCloudWorkloadSecurityAgentRuleRequest = {
  body: {
    data: {
      attributes: {
        description: "Test Agent rule",
        enabled: true,
        expression: `exec.file.name == "sh"`,
      },
      type: "agent_rule",
      id: AGENT_RULE_DATA_ID,
    },
  },
  agentRuleId: AGENT_RULE_DATA_ID,
};

apiInstance
  .updateCloudWorkloadSecurityAgentRule(params)
  .then((data: v2.CloudWorkloadSecurityAgentRuleResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

Instructions

First install the library and its dependencies and then save the example to example.ts and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" tsc "example.ts"

PATCH https://api.ap1.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/{agent_rule_id}https://api.datadoghq.eu/api/v2/remote_config/products/cws/agent_rules/{agent_rule_id}https://api.ddog-gov.com/api/v2/remote_config/products/cws/agent_rules/{agent_rule_id}https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/{agent_rule_id}https://api.us3.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/{agent_rule_id}https://api.us5.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/{agent_rule_id}

Overview

Update a specific Cloud Security Management Threats Agent rule. Returns the Agent rule object when the request is successful.

Arguments

Path Parameters

Name

Type

Description

agent_rule_id [required]

string

The ID of the Agent rule.

Request

Body Data (required)

New definition of the Agent rule.

Expand All

Field

Type

Description

data [required]

object

Object for a single Agent rule.

attributes [required]

object

Update an existing Cloud Workload Security Agent rule.

description

string

The description of the Agent rule.

enabled

boolean

Whether the Agent rule is enabled.

expression

string

The SECL expression of the Agent rule.

id

string

The ID of the agent rule.

type [required]

enum

The type of the resource. The value should always be agent_rule. Allowed enum values: agent_rule

default: agent_rule

{
  "data": {
    "attributes": {
      "description": "Test Agent rule",
      "enabled": true,
      "expression": "exec.file.name == \"sh\""
    },
    "type": "agent_rule",