Create a Workload Protection agent rule

POST
https://api.ap1.datadoghq.com/api/v2/remote_config/products/cws/agent_rules
https://api.ap2.datadoghq.com/api/v2/remote_config/products/cws/agent_rules
https://api.datadoghq.eu/api/v2/remote_config/products/cws/agent_rules
https://api.ddog-gov.com/api/v2/remote_config/products/cws/agent_rules
https://api.us2.ddog-gov.com/api/v2/remote_config/products/cws/agent_rules
https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules
https://api.us3.datadoghq.com/api/v2/remote_config/products/cws/agent_rules
https://api.us5.datadoghq.com/api/v2/remote_config/products/cws/agent_rules

Overview

Create a new Workload Protection agent rule with the given parameters.

Note: This endpoint is not available for the Government (US1-FED) site. Please reference the (US1-FED) specific resource below.

Request

Body Data (required)

The definition of the new agent rule

| Field | Type | Description |
| --- | --- | --- |
| data [required] | object | Object for a single Agent rule |
| data.attributes [required] | object | Create a new Cloud Workload Security Agent rule. |
| data.attributes.actions | [object] | The array of actions the rule can perform if triggered |
| data.attributes.actions.filter | string | SECL expression used to target the container to apply the action on |
| data.attributes.actions.hash | object | Hash file specified by the field attribute |
| data.attributes.actions.hash.field | string | The field of the hash action |
| data.attributes.actions.kill | object | Kill system call applied on the container matching the rule |
| data.attributes.actions.kill.signal | string | Supported signals for the kill system call |
| data.attributes.actions.metadata | object | The metadata action applied on the scope matching the rule |
| data.attributes.actions.metadata.image_tag | string | The image tag of the metadata action |
| data.attributes.actions.metadata.service | string | The service of the metadata action |
| data.attributes.actions.metadata.short_image | string | The short image of the metadata action |
| data.attributes.actions.set | object | The set action applied on the scope matching the rule |
| data.attributes.actions.set.append | boolean | Whether the value should be appended to the field. |
| data.attributes.actions.set.default_value | string | The default value of the set action |
| data.attributes.actions.set.expression | string | The expression of the set action. |
| data.attributes.actions.set.field | string | The field of the set action |
| data.attributes.actions.set.inherited | boolean | Whether the value should be inherited. |
| data.attributes.actions.set.name | string | The name of the set action |
| data.attributes.actions.set.scope | string | The scope of the set action. |
| data.attributes.actions.set.size | int64 | The size of the set action. |
| data.attributes.actions.set.ttl | int64 | The time to live of the set action. |
| data.attributes.actions.set.value | <oneOf> | The value of the set action. Option 1: string; Option 2: integer; Option 3: boolean |
| data.attributes.agent_version | string | Constrain the rule to specific versions of the Datadog Agent. |
| data.attributes.blocking | [string] | The blocking policies that the rule belongs to. |
| data.attributes.description | string | The description of the Agent rule. |
| data.attributes.disabled | [string] | The disabled policies that the rule belongs to. |
| data.attributes.enabled | boolean | Whether the Agent rule is enabled. |
| data.attributes.expression [required] | string | The SECL expression of the Agent rule. |
| data.attributes.filters | [string] | The platforms the Agent rule is supported on. |
| data.attributes.monitoring | [string] | The monitoring policies that the rule belongs to. |
| data.attributes.name [required] | string | The name of the Agent rule. |
| data.attributes.policy_id | string | The ID of the policy where the Agent rule is saved. |
| data.attributes.product_tags | [string] | The list of product tags associated with the rule. |
| data.attributes.silent | boolean | Whether the rule is silent. |
| data.type [required] | enum | The type of the resource, must always be agent_rule. Allowed enum values: agent_rule. Default: agent_rule |

{
  "data": {
    "attributes": {
      "description": "My Agent rule",
      "enabled": true,
      "expression": "exec.file.name == \"sh\"",
      "agent_version": "> 7.60",
      "filters": [],
      "name": "examplecsmthreat",
      "policy_id": "6517fcc1-cec7-4394-a655-8d6e9d085255",
      "product_tags": []
    },
    "type": "agent_rule"
  }
}

{
  "data": {
    "attributes": {
      "description": "My Agent rule with set action",
      "enabled": true,
      "expression": "exec.file.name == \"sh\"",
      "filters": [],
      "name": "examplecsmthreat",
      "policy_id": "6517fcc1-cec7-4394-a655-8d6e9d085255",
      "product_tags": [],
      "actions": [
        {
          "set": {
            "name": "test_set",
            "value": "test_value",
            "scope": "process",
            "inherited": true
          }
        },
        {
          "hash": {
            "field": "exec.file"
          }
        }
      ]
    },
    "type": "agent_rule"
  }
}

{
  "data": {
    "attributes": {
      "description": "My Agent rule with set action with expression",
      "enabled": true,
      "expression": "exec.file.name == \"sh\"",
      "filters": [],
      "name": "examplecsmthreat",
      "policy_id": "6517fcc1-cec7-4394-a655-8d6e9d085255",
      "product_tags": [],
      "actions": [
        {
          "set": {
            "name": "test_set",
            "expression": "exec.file.path",
            "default_value": "/dev/null",
            "scope": "process"
          }
        }
      ]
    },
    "type": "agent_rule"
  }
}
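
An added example, not part of Datadog's documentation or client libraries: a Python pre-flight check that validates a create body against the request schema above (required fields, field types, the `<oneOf>` on `set.value`) before it is sent. Rejecting undocumented keys and empty required strings is this example's own choice; the function names and `BAD_BODY` are constructed for illustration.

```python
# Types of the documented data.attributes fields (request schema on this page).
ATTRIBUTE_TYPES = {
    "actions": list, "agent_version": str, "blocking": list, "description": str,
    "disabled": list, "enabled": bool, "expression": str, "filters": list,
    "monitoring": list, "name": str, "policy_id": str, "product_tags": list, "silent": bool,
}
REQUIRED_ATTRIBUTES = ("expression", "name")
STRING_LISTS = ("blocking", "disabled", "filters", "monitoring", "product_tags")

# Documented action objects and their field types; "filter" is a plain string.
ACTION_TYPES = {
    "hash": {"field": str}, "kill": {"signal": str},
    "metadata": {"image_tag": str, "service": str, "short_image": str},
    "set": {
        "append": bool, "default_value": str, "expression": str, "field": str,
        "inherited": bool, "name": str, "scope": str, "size": int, "ttl": int,
        "value": (str, int, bool),  # the <oneOf> field
    },
}


def _is_type(value, expected):
    """isinstance() that keeps bool out of int fields (bool subclasses int)."""
    if isinstance(expected, tuple):
        return any(_is_type(value, t) for t in expected)
    if expected is int:
        return isinstance(value, int) and not isinstance(value, bool)
    return isinstance(value, expected)


def _check_action(action, path):
    if not isinstance(action, dict):
        return [f"{path}: expected object"]
    errors = []
    for key, value in action.items():
        if key == "filter":
            if not isinstance(value, str):
                errors.append(f"{path}.filter: expected str")
        elif key not in ACTION_TYPES:
            errors.append(f"{path}.{key}: not a documented action")
        elif not isinstance(value, dict):
            errors.append(f"{path}.{key}: expected object")
        else:
            for field, field_value in value.items():
                expected = ACTION_TYPES[key].get(field)
                if expected is None:
                    errors.append(f"{path}.{key}.{field}: not a documented field")
                elif not _is_type(field_value, expected):
                    errors.append(f"{path}.{key}.{field}: wrong type")
    return errors


def validate_agent_rule(body):
    """Return a list of problems; an empty list means the body matches the schema."""
    data = body.get("data") if isinstance(body, dict) else None
    if not isinstance(data, dict):
        return ["data: required object is missing"]
    errors = []
    if data.get("type") != "agent_rule":
        errors.append("data.type: must be 'agent_rule'")
    attrs = data.get("attributes")
    if not isinstance(attrs, dict):
        return errors + ["data.attributes: required object is missing"]
    for key in REQUIRED_ATTRIBUTES:
        if attrs.get(key) in (None, ""):
            errors.append(f"data.attributes.{key}: required field is missing or empty")
    for key, value in attrs.items():
        path = f"data.attributes.{key}"
        if key not in ATTRIBUTE_TYPES:
            errors.append(f"{path}: not a documented field")
        elif not _is_type(value, ATTRIBUTE_TYPES[key]):
            errors.append(f"{path}: expected {ATTRIBUTE_TYPES[key].__name__}")
        elif key in STRING_LISTS and not all(isinstance(v, str) for v in value):
            errors.append(f"{path}: every item must be a string")
        elif key == "actions":
            for i, action in enumerate(value):
                errors.extend(_check_action(action, f"{path}[{i}]"))
    return errors


# Second request example from this page (set and hash actions).
PAGE_EXAMPLE = {"data": {"type": "agent_rule", "attributes": {
    "description": "My Agent rule with set action", "enabled": True,
    "expression": 'exec.file.name == "sh"', "filters": [], "name": "examplecsmthreat",
    "policy_id": "6517fcc1-cec7-4394-a655-8d6e9d085255", "product_tags": [],
    "actions": [{"set": {"name": "test_set", "value": "test_value",
                         "scope": "process", "inherited": True}},
                {"hash": {"field": "exec.file"}}],
}}}

# Constructed body with deliberate mistakes.
BAD_BODY = {"data": {"type": "agent_rules", "attributes": {
    "expression": 'exec.file.name == "sh"', "enabled": "true",
    "actions": [{"set": {"name": "test_set", "value": ["a"], "ttl": True}},
                {"hsah": {"field": "exec.file"}}],
}}}

if __name__ == "__main__":
    print(validate_agent_rule(PAGE_EXAMPLE), validate_agent_rule(BAD_BODY), sep="\n")
```
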

Response

OK

Response object that includes an Agent rule

| Field | Type | Description |
| --- | --- | --- |
| data | object | Object for a single Agent rule |
| data.attributes | object | A Cloud Workload Security Agent rule returned by the API |
| data.attributes.actions | [object] | The array of actions the rule can perform if triggered |
| data.attributes.actions.filter | string | SECL expression used to target the container to apply the action on |
| data.attributes.actions.hash | object | Hash file specified by the field attribute |
| data.attributes.actions.hash.field | string | The field of the hash action |
| data.attributes.actions.kill | object | Kill system call applied on the container matching the rule |
| data.attributes.actions.kill.signal | string | Supported signals for the kill system call |
| data.attributes.actions.metadata | object | The metadata action applied on the scope matching the rule |
| data.attributes.actions.metadata.image_tag | string | The image tag of the metadata action |
| data.attributes.actions.metadata.service | string | The service of the metadata action |
| data.attributes.actions.metadata.short_image | string | The short image of the metadata action |
| data.attributes.actions.set | object | The set action applied on the scope matching the rule |
| data.attributes.actions.set.append | boolean | Whether the value should be appended to the field. |
| data.attributes.actions.set.default_value | string | The default value of the set action |
| data.attributes.actions.set.expression | string | The expression of the set action. |
| data.attributes.actions.set.field | string | The field of the set action |
| data.attributes.actions.set.inherited | boolean | Whether the value should be inherited. |
| data.attributes.actions.set.name | string | The name of the set action |
| data.attributes.actions.set.scope | string | The scope of the set action. |
| data.attributes.actions.set.size | int64 | The size of the set action. |
| data.attributes.actions.set.ttl | int64 | The time to live of the set action. |
| data.attributes.actions.set.value | <oneOf> | The value of the set action. Option 1: string; Option 2: integer; Option 3: boolean |
| data.attributes.agentConstraint | string | The version of the Agent |
| data.attributes.blocking | [string] | The blocking policies that the rule belongs to |
| data.attributes.category | string | The category of the Agent rule |
| data.attributes.creationAuthorUuId | string | The ID of the user who created the rule |
| data.attributes.creationDate | int64 | When the Agent rule was created, timestamp in milliseconds |
| data.attributes.creator | object | The attributes of the user who created the Agent rule |
| data.attributes.creator.handle | string | The handle of the user |
| data.attributes.creator.name | string | The name of the user |
| data.attributes.defaultRule | boolean | Whether the rule is included by default |
| data.attributes.description | string | The description of the Agent rule |
| data.attributes.disabled | [string] | The disabled policies that the rule belongs to |
| data.attributes.enabled | boolean | Whether the Agent rule is enabled |
| data.attributes.expression | string | The SECL expression of the Agent rule |
| data.attributes.filters | [string] | The platforms the Agent rule is supported on |
| data.attributes.monitoring | [string] | The monitoring policies that the rule belongs to |
| data.attributes.name | string | The name of the Agent rule |
| data.attributes.product_tags | [string] | The list of product tags associated with the rule |
| data.attributes.silent | boolean | Whether the rule is silent. |
| data.attributes.updateAuthorUuId | string | The ID of the user who updated the rule |
| data.attributes.updateDate | int64 | Timestamp in milliseconds when the Agent rule was last updated |
| data.attributes.updatedAt | int64 | When the Agent rule was last updated, timestamp in milliseconds |
| data.attributes.updater | object | The attributes of the user who last updated the Agent rule |
| data.attributes.updater.handle | string | The handle of the user |
| data.attributes.updater.name | string | The name of the user |
| data.attributes.version | int64 | The version of the Agent rule |
| data.id | string | The ID of the Agent rule |
| data.type | enum | The type of the resource, must always be agent_rule. Allowed enum values: agent_rule. Default: agent_rule |

{
  "data": {
    "attributes": {
      "actions": [
        {
          "filter": "string",
          "hash": {
            "field": "string"
          },
          "kill": {
            "signal": "string"
          },
          "metadata": {
            "image_tag": "string",
            "service": "string",
            "short_image": "string"
          },
          "set": {
            "append": false,
            "default_value": "string",
            "expression": "string",
            "field": "string",
            "inherited": false,
            "name": "string",
            "scope": "string",
            "size": "integer",
            "ttl": "integer",
            "value": {
              "type": "undefined"
            }
          }
        }
      ],
      "agentConstraint": "string",
      "blocking": [],
      "category": "Process Activity",
      "creationAuthorUuId": "e51c9744-d158-11ec-ad23-da7ad0900002",
      "creationDate": 1624366480320,
      "creator": {
        "handle": "datadog.user@example.com",
        "name": "Datadog User"
      },
      "defaultRule": false,
      "description": "My Agent rule",
      "disabled": [],
      "enabled": true,
      "expression": "exec.file.name == \"sh\"",
      "filters": [],
      "monitoring": [],
      "name": "my_agent_rule",
      "product_tags": [],
      "silent": false,
      "updateAuthorUuId": "e51c9744-d158-11ec-ad23-da7ad0900002",
      "updateDate": 1624366480320,
      "updatedAt": 1624366480320,
      "updater": {
        "handle": "datadog.user@example.com",
        "name": "Datadog User"
      },
      "version": 23
    },
    "id": "3dd-0uc-h1s",
    "type": "agent_rule"
  }
}

Bad Request

API error response.

| Field | Type | Description |
| --- | --- | --- |
| errors [required] | [string] | A list of errors. |

{
  "errors": [
    "Bad Request"
  ]
}

Not Authorized

API error response.

| Field | Type | Description |
| --- | --- | --- |
| errors [required] | [string] | A list of errors. |

{
  "errors": [
    "Bad Request"
  ]
}

Conflict

API error response.

| Field | Type | Description |
| --- | --- | --- |
| errors [required] | [string] | A list of errors. |

{
  "errors": [
    "Bad Request"
  ]
}

Too many requests

API error response.

| Field | Type | Description |
| --- | --- | --- |
| errors [required] | [string] | A list of errors. |

{
  "errors": [
    "Bad Request"
  ]
}

Code Example

# Curl command
# Replace api.datadoghq.com with the API host for your Datadog site.
curl -X POST "https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "data": {
    "attributes": {
      "description": "My Agent rule",
      "enabled": true,
      "expression": "exec.file.name == \"sh\"",
      "name": "my_agent_rule",
      "policy_id": "a8c8e364-6556-434d-b798-a4c23de29c0b",
      "silent": false
    },
    "type": "agent_rule"
  }
}
EOF

// Create a Workload Protection agent rule returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	// there is a valid "policy_rc" in the system
	PolicyDataID := os.Getenv("POLICY_DATA_ID")

	body := datadogV2.CloudWorkloadSecurityAgentRuleCreateRequest{
		Data: datadogV2.CloudWorkloadSecurityAgentRuleCreateData{
			Attributes: datadogV2.CloudWorkloadSecurityAgentRuleCreateAttributes{
				Description:  datadog.PtrString("My Agent rule"),
				Enabled:      datadog.PtrBool(true),
				Expression:   `exec.file.name == "sh"`,
				AgentVersion: datadog.PtrString("> 7.60"),
				Filters:      []string{},
				Name:         "examplecsmthreat",
				PolicyId:     datadog.PtrString(PolicyDataID),
				ProductTags:  []string{},
			},
			Type: datadogV2.CLOUDWORKLOADSECURITYAGENTRULETYPE_AGENT_RULE,
		},
	}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewCSMThreatsApi(apiClient)
	resp, r, err := api.CreateCSMThreatsAgentRule(ctx, body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `CSMThreatsApi.CreateCSMThreatsAgentRule`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `CSMThreatsApi.CreateCSMThreatsAgentRule`:\n%s\n", responseContent)
}

// Create a Workload Protection agent rule with set action returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	// there is a valid "policy_rc" in the system
	PolicyDataID := os.Getenv("POLICY_DATA_ID")

	body := datadogV2.CloudWorkloadSecurityAgentRuleCreateRequest{
		Data: datadogV2.CloudWorkloadSecurityAgentRuleCreateData{
			Attributes: datadogV2.CloudWorkloadSecurityAgentRuleCreateAttributes{
				Description: datadog.PtrString("My Agent rule with set action"),
				Enabled:     datadog.PtrBool(true),
				Expression:  `exec.file.name == "sh"`,
				Filters:     []string{},
				Name:        "examplecsmthreat",
				PolicyId:    datadog.PtrString(PolicyDataID),
				ProductTags: []string{},
				Actions: []datadogV2.CloudWorkloadSecurityAgentRuleAction{
					{
						Set: &datadogV2.CloudWorkloadSecurityAgentRuleActionSet{
							Name: datadog.PtrString("test_set"),
							Value: &datadogV2.CloudWorkloadSecurityAgentRuleActionSetValue{
								String: datadog.PtrString("test_value")},
							Scope:     datadog.PtrString("process"),
							Inherited: datadog.PtrBool(true),
						},
					},
					{
						Hash: &datadogV2.CloudWorkloadSecurityAgentRuleActionHash{
							Field: datadog.PtrString("exec.file"),
						},
					},
				},
			},
			Type: datadogV2.CLOUDWORKLOADSECURITYAGENTRULETYPE_AGENT_RULE,
		},
	}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewCSMThreatsApi(apiClient)
	resp, r, err := api.CreateCSMThreatsAgentRule(ctx, body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `CSMThreatsApi.CreateCSMThreatsAgentRule`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `CSMThreatsApi.CreateCSMThreatsAgentRule`:\n%s\n", responseContent)
}

// Create a Workload Protection agent rule with set action with expression returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	// there is a valid "policy_rc" in the system
	PolicyDataID := os.Getenv("POLICY_DATA_ID")

	body := datadogV2.CloudWorkloadSecurityAgentRuleCreateRequest{
		Data: datadogV2.CloudWorkloadSecurityAgentRuleCreateData{
			Attributes: datadogV2.CloudWorkloadSecurityAgentRuleCreateAttributes{
				Description: datadog.PtrString("My Agent rule with set action with expression"),
				Enabled:     datadog.PtrBool(true),
				Expression:  `exec.file.name == "sh"`,
				Filters:     []string{},
				Name:        "examplecsmthreat",
				PolicyId:    datadog.PtrString(PolicyDataID),
				ProductTags: []string{},
				Actions: []datadogV2.CloudWorkloadSecurityAgentRuleAction{
					{
						Set: &datadogV2.CloudWorkloadSecurityAgentRuleActionSet{
							Name:         datadog.PtrString("test_set"),
							Expression:   datadog.PtrString("exec.file.path"),
							DefaultValue: datadog.PtrString("/dev/null"),
							Scope:        datadog.PtrString("process"),
						},
					},
				},
			},
			Type: datadogV2.CLOUDWORKLOADSECURITYAGENTRULETYPE_AGENT_RULE,
		},
	}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewCSMThreatsApi(apiClient)
	resp, r, err := api.CreateCSMThreatsAgentRule(ctx, body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `CSMThreatsApi.CreateCSMThreatsAgentRule`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `CSMThreatsApi.CreateCSMThreatsAgentRule`:\n%s\n", responseContent)
}

Instructions

First install the library and its dependencies, then save the example to main.go and run the following command, setting DD_SITE to your Datadog site (datadoghq.com, us3.datadoghq.com, us5.datadoghq.com, datadoghq.eu, ap1.datadoghq.com, ap2.datadoghq.com, ddog-gov.com, or us2.ddog-gov.com):

DD_SITE="datadoghq.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" go run "main.go"

// Create a Workload Protection agent rule returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.CsmThreatsApi;
import com.datadog.api.client.v2.model.CloudWorkloadSecurityAgentRuleCreateAttributes;
import com.datadog.api.client.v2.model.CloudWorkloadSecurityAgentRuleCreateData;
import com.datadog.api.client.v2.model.CloudWorkloadSecurityAgentRuleCreateRequest;
import com.datadog.api.client.v2.model.CloudWorkloadSecurityAgentRuleResponse;
import com.datadog.api.client.v2.model.CloudWorkloadSecurityAgentRuleType;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    CsmThreatsApi apiInstance = new CsmThreatsApi(defaultClient);

    // there is a valid "policy_rc" in the system
    String POLICY_DATA_ID = System.getenv("POLICY_DATA_ID");

    CloudWorkloadSecurityAgentRuleCreateRequest body =
        new CloudWorkloadSecurityAgentRuleCreateRequest()
            .data(
                new CloudWorkloadSecurityAgentRuleCreateData()
                    .attributes(
                        new CloudWorkloadSecurityAgentRuleCreateAttributes()
                            .description("My Agent rule")
                            .enabled(true)
                            .expression("""
exec.file.name == "sh"
""")
                            .agentVersion("> 7.60")
                            .name("examplecsmthreat")
                            .policyId(POLICY_DATA_ID))
                    .type(CloudWorkloadSecurityAgentRuleType.AGENT_RULE));

    try {
      CloudWorkloadSecurityAgentRuleResponse result = apiInstance.createCSMThreatsAgentRule(body);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println("Exception when calling CsmThreatsApi#createCSMThreatsAgentRule");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

// Create a Workload Protection agent rule with set action returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.CsmThreatsApi;
import com.datadog.api.client.v2.model.CloudWorkloadSecurityAgentRuleAction;
import com.datadog.api.client.v2.model.CloudWorkloadSecurityAgentRuleActionHash;
import com.datadog.api.client.v2.model.CloudWorkloadSecurityAgentRuleActionSet;
import com.datadog.api.client.v2.model.CloudWorkloadSecurityAgentRuleActionSetValue;
import com.datadog.api.client.v2.model.CloudWorkloadSecurityAgentRuleCreateAttributes;
import com.datadog.api.client.v2.model.CloudWorkloadSecurityAgentRuleCreateData;
import com.datadog.api.client.v2.model.CloudWorkloadSecurityAgentRuleCreateRequest;
import com.datadog.api.client.v2.model.CloudWorkloadSecurityAgentRuleResponse;
import com.datadog.api.client.v2.model.CloudWorkloadSecurityAgentRuleType;
import java.util.Arrays;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    CsmThreatsApi apiInstance = new CsmThreatsApi(defaultClient);

    // there is a valid "policy_rc" in the system
    String POLICY_DATA_ID = System.getenv("POLICY_DATA_ID");

    CloudWorkloadSecurityAgentRuleCreateRequest body =
        new CloudWorkloadSecurityAgentRuleCreateRequest()
            .data(
                new CloudWorkloadSecurityAgentRuleCreateData()
                    .attributes(
                        new CloudWorkloadSecurityAgentRuleCreateAttributes()
                            .description("My Agent rule with set action")
                            .enabled(true)
                            .expression("""
exec.file.name == "sh"
""")
                            .name("examplecsmthreat")
                            .policyId(POLICY_DATA_ID)
                            .actions(
                                Arrays.asList(
                                    new CloudWorkloadSecurityAgentRuleAction()
                                        .set(
                                            new CloudWorkloadSecurityAgentRuleActionSet()
                                                .name("test_set")
                                                .value(
                                                    new CloudWorkloadSecurityAgentRuleActionSetValue(
                                                        "test_value"))
                                                .scope("process")
                                                .inherited(true)),
                                    new CloudWorkloadSecurityAgentRuleAction()
                                        .hash(
                                            new CloudWorkloadSecurityAgentRuleActionHash()
                                                .field("exec.file")))))
                    .type(CloudWorkloadSecurityAgentRuleType.AGENT_RULE));

    try {
      CloudWorkloadSecurityAgentRuleResponse result = apiInstance.createCSMThreatsAgentRule(body);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println("Exception when calling CsmThreatsApi#createCSMThreatsAgentRule");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

// Create a Workload Protection agent rule with set action with expression returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.CsmThreatsApi;
import com.datadog.api.client.v2.model.CloudWorkloadSecurityAgentRuleAction;
import com.datadog.api.client.v2.model.CloudWorkloadSecurityAgentRuleActionSet;
import com.datadog.api.client.v2.model.CloudWorkloadSecurityAgentRuleCreateAttributes;
import com.datadog.api.client.v2.model.CloudWorkloadSecurityAgentRuleCreateData;
import com.datadog.api.client.v2.model.CloudWorkloadSecurityAgentRuleCreateRequest;
import com.datadog.api.client.v2.model.CloudWorkloadSecurityAgentRuleResponse;
import com.datadog.api.client.v2.model.CloudWorkloadSecurityAgentRuleType;
import java.util.Collections;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    CsmThreatsApi apiInstance = new CsmThreatsApi(defaultClient);

    // there is a valid "policy_rc" in the system
    String POLICY_DATA_ID = System.getenv("POLICY_DATA_ID");

    CloudWorkloadSecurityAgentRuleCreateRequest body =
        new CloudWorkloadSecurityAgentRuleCreateRequest()
            .data(
                new CloudWorkloadSecurityAgentRuleCreateData()
                    .attributes(
                        new CloudWorkloadSecurityAgentRuleCreateAttributes()
                            .description("My Agent rule with set action with expression")
                            .enabled(true)
                            .expression("""
exec.file.name == "sh"
""")
                            .name("examplecsmthreat")
                            .policyId(POLICY_DATA_ID)
                            .actions(
                                Collections.singletonList(
                                    new CloudWorkloadSecurityAgentRuleAction()
                                        .set(
                                            new CloudWorkloadSecurityAgentRuleActionSet()
                                                .name("test_set")
                                                .expression("exec.file.path")
                                                .defaultValue("/dev/null")
                                                .scope("process")))))
                    .type(CloudWorkloadSecurityAgentRuleType.AGENT_RULE));

    try {
      CloudWorkloadSecurityAgentRuleResponse result = apiInstance.createCSMThreatsAgentRule(body);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println("Exception when calling CsmThreatsApi#createCSMThreatsAgentRule");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

Instructions

First install the library and its dependencies, then save the example to Example.java and run the following command, setting DD_SITE to your Datadog site (datadoghq.com, us3.datadoghq.com, us5.datadoghq.com, datadoghq.eu, ap1.datadoghq.com, ap2.datadoghq.com, ddog-gov.com, or us2.ddog-gov.com):

DD_SITE="datadoghq.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" java "Example.java"

"""
Create a Workload Protection agent rule returns "OK" response
"""

from os import environ
from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.csm_threats_api import CSMThreatsApi
from datadog_api_client.v2.model.cloud_workload_security_agent_rule_create_attributes import (
    CloudWorkloadSecurityAgentRuleCreateAttributes,
)
from datadog_api_client.v2.model.cloud_workload_security_agent_rule_create_data import (
    CloudWorkloadSecurityAgentRuleCreateData,
)
from datadog_api_client.v2.model.cloud_workload_security_agent_rule_create_request import (
    CloudWorkloadSecurityAgentRuleCreateRequest,
)
from datadog_api_client.v2.model.cloud_workload_security_agent_rule_type import CloudWorkloadSecurityAgentRuleType

# there is a valid "policy_rc" in the system
POLICY_DATA_ID = environ["POLICY_DATA_ID"]

body = CloudWorkloadSecurityAgentRuleCreateRequest(
    data=CloudWorkloadSecurityAgentRuleCreateData(
        attributes=CloudWorkloadSecurityAgentRuleCreateAttributes(
            description="My Agent rule",
            enabled=True,
            expression='exec.file.name == "sh"',
            agent_version="> 7.60",
            filters=[],
            name="examplecsmthreat",
            policy_id=POLICY_DATA_ID,
            product_tags=[],
        ),
        type=CloudWorkloadSecurityAgentRuleType.AGENT_RULE,
    ),
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = CSMThreatsApi(api_client)
    response = api_instance.create_csm_threats_agent_rule(body=body)

    print(response)

"""
Create a Workload Protection agent rule with set action returns "OK" response
"""

from os import environ
from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.csm_threats_api import CSMThreatsApi
from datadog_api_client.v2.model.cloud_workload_security_agent_rule_action import CloudWorkloadSecurityAgentRuleAction
from datadog_api_client.v2.model.cloud_workload_security_agent_rule_action_hash import (
    CloudWorkloadSecurityAgentRuleActionHash,
)
from datadog_api_client.v2.model.cloud_workload_security_agent_rule_action_set import (
    CloudWorkloadSecurityAgentRuleActionSet,
)
from datadog_api_client.v2.model.cloud_workload_security_agent_rule_create_attributes import (
    CloudWorkloadSecurityAgentRuleCreateAttributes,
)
from datadog_api_client.v2.model.cloud_workload_security_agent_rule_create_data import (
    CloudWorkloadSecurityAgentRuleCreateData,
)
from datadog_api_client.v2.model.cloud_workload_security_agent_rule_create_request import (
    CloudWorkloadSecurityAgentRuleCreateRequest,
)
from datadog_api_client.v2.model.cloud_workload_security_agent_rule_type import CloudWorkloadSecurityAgentRuleType

# there is a valid "policy_rc" in the system
POLICY_DATA_ID = environ["POLICY_DATA_ID"]

body = CloudWorkloadSecurityAgentRuleCreateRequest(
    data=CloudWorkloadSecurityAgentRuleCreateData(
        attributes=CloudWorkloadSecurityAgentRuleCreateAttributes(
            description="My Agent rule with set action",
            enabled=True,
            expression='exec.file.name == "sh"',
            filters=[],
            name="examplecsmthreat",
            policy_id=POLICY_DATA_ID,
            product_tags=[],
            actions=[
                CloudWorkloadSecurityAgentRuleAction(
                    set=CloudWorkloadSecurityAgentRuleActionSet(
                        name="test_set",
                        value="test_value",
                        scope="process",
                        inherited=True,
                    ),
                ),
                CloudWorkloadSecurityAgentRuleAction(
                    hash=CloudWorkloadSecurityAgentRuleActionHash(
                        field="exec.file",
                    ),
                ),
            ],
        ),
        type=CloudWorkloadSecurityAgentRuleType.AGENT_RULE,
    ),
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = CSMThreatsApi(api_client)
    response = api_instance.create_csm_threats_agent_rule(body=body)

    print(response)

"""
Create a Workload Protection agent rule with set action with expression returns "OK" response
"""

from os import environ
from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.csm_threats_api import CSMThreatsApi
from datadog_api_client.v2.model.cloud_workload_security_agent_rule_action import CloudWorkloadSecurityAgentRuleAction
from datadog_api_client.v2.model.cloud_workload_security_agent_rule_action_set import (
    CloudWorkloadSecurityAgentRuleActionSet,
)
from datadog_api_client.v2.model.cloud_workload_security_agent_rule_create_attributes import (
    CloudWorkloadSecurityAgentRuleCreateAttributes,
)
from datadog_api_client.v2.model.cloud_workload_security_agent_rule_create_data import (
    CloudWorkloadSecurityAgentRuleCreateData,
)
from datadog_api_client.v2.model.cloud_workload_security_agent_rule_create_request import (
    CloudWorkloadSecurityAgentRuleCreateRequest,
)
from datadog_api_client.v2.model.cloud_workload_security_agent_rule_type import CloudWorkloadSecurityAgentRuleType

# there is a valid "policy_rc" in the system
POLICY_DATA_ID = environ["POLICY_DATA_ID"]

body = CloudWorkloadSecurityAgentRuleCreateRequest(
    data=CloudWorkloadSecurityAgentRuleCreateData(
        attributes=CloudWorkloadSecurityAgentRuleCreateAttributes(
            description="My Agent rule with set action with expression",
            enabled=True,
            expression='exec.file.name == "sh"',
            filters=[],
            name="examplecsmthreat",
            policy_id=POLICY_DATA_ID,
            product_tags=[],
            actions=[
                CloudWorkloadSecurityAgentRuleAction(
                    set=CloudWorkloadSecurityAgentRuleActionSet(
                        name="test_set",
                        expression="exec.file.path",
                        default_value="/dev/null",
                        scope="process",
                    ),
                ),
            ],
        ),
        type=CloudWorkloadSecurityAgentRuleType.AGENT_RULE,
    ),
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = CSMThreatsApi(api_client)
    response = api_instance.create_csm_threats_agent_rule(body=body)

    print(response)

Instructions

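First install the library and its dependencies, then save the example to example.py and run the following command. Set DD_SITE to your Datadog site (one of datadoghq.com, us3.datadoghq.com, us5.datadoghq.com, datadoghq.eu, ap1.datadoghq.com, ap2.datadoghq.com, ddog-gov.com, us2.ddog-gov.com). The examples also read POLICY_DATA_ID from the environment, so set it to the ID of an existing policy first.

    DD_SITE="datadoghq.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" python3 "example.py"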
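
The wire-level request behind the client examples above, as an added example that is not Datadog's own code: it builds the JSON body for the set-action-with-expression rule and rejects any DD_SITE value that is not one of the sites listed on this page, so the API and application keys are never sent to a mistyped host. The function names are hypothetical, and the snake_case JSON field names are assumed to match the Python client's attribute names.

```python
import json
import urllib.request

# Sites listed on this page for DD_SITE.
DD_SITES = {
    "datadoghq.com", "us3.datadoghq.com", "us5.datadoghq.com", "datadoghq.eu",
    "ap1.datadoghq.com", "ap2.datadoghq.com", "ddog-gov.com", "us2.ddog-gov.com",
}
RULES_PATH = "/api/v2/remote_config/products/cws/agent_rules"


def rules_endpoint(site: str) -> str:
    """Return the agent-rules URL for a site, rejecting anything off the allowlist."""
    site = site.strip().lower()
    if site not in DD_SITES:
        # A typo or pasted-together value would send both keys to an unintended host.
        raise ValueError(f"unsupported DD_SITE: {site!r}")
    return f"https://api.{site}{RULES_PATH}"


def set_expression_rule(policy_id: str) -> dict:
    """JSON body mirroring the 'set action with expression' client example.

    Field names are an assumption: they follow the Python client's attributes.
    """
    return {
        "data": {
            "type": "agent_rule",
            "attributes": {
                "name": "examplecsmthreat",
                "description": "My Agent rule with set action with expression",
                "enabled": True,
                "expression": 'exec.file.name == "sh"',
                "filters": [],
                "policy_id": policy_id,
                "product_tags": [],
                "actions": [{"set": {
                    "name": "test_set",
                    "expression": "exec.file.path",
                    "default_value": "/dev/null",
                    "scope": "process",
                }}],
            },
        }
    }


def build_request(site, api_key, app_key, policy_id) -> urllib.request.Request:
    """Build (but do not send) the POST request with Datadog's auth headers."""
    return urllib.request.Request(
        rules_endpoint(site),
        data=json.dumps(set_expression_rule(policy_id)).encode(),
        method="POST",
        headers={"Content-Type": "application/json",
                 "DD-API-KEY": api_key, "DD-APPLICATION-KEY": app_key},
    )
```

Nothing is sent by these functions; pass the returned object to `urllib.request.urlopen` to issue the call.
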
# Create a Workload Protection agent rule returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::CSMThreatsAPI.new

# there is a valid "policy_rc" in the system
POLICY_DATA_ID = ENV["POLICY_DATA_ID"]

body = DatadogAPIClient::V2::CloudWorkloadSecurityAgentRuleCreateRequest.new({
  data: DatadogAPIClient::V2::CloudWorkloadSecurityAgentRuleCreateData.new({
    attributes: DatadogAPIClient::V2::CloudWorkloadSecurityAgentRuleCreateAttributes.new({
      description: "My Agent rule",
      enabled: true,
      expression: 'exec.file.name == "sh"',
      agent_version: "> 7.60",
      filters: [],
      name: "examplecsmthreat",
      policy_id: POLICY_DATA_ID,
      product_tags: [],
    }),
    type: DatadogAPIClient::V2::CloudWorkloadSecurityAgentRuleType::AGENT_RULE,
  }),
})
p api_instance.create_csm_threats_agent_rule(body)

# Create a Workload Protection agent rule with set action returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::CSMThreatsAPI.new

# there is a valid "policy_rc" in the system
POLICY_DATA_ID = ENV["POLICY_DATA_ID"]

body = DatadogAPIClient::V2::CloudWorkloadSecurityAgentRuleCreateRequest.new({
  data: DatadogAPIClient::V2::CloudWorkloadSecurityAgentRuleCreateData.new({
    attributes: DatadogAPIClient::V2::CloudWorkloadSecurityAgentRuleCreateAttributes.new({
      description: "My Agent rule with set action",
      enabled: true,
      expression: 'exec.file.name == "sh"',
      filters: [],
      name: "examplecsmthreat",
      policy_id: POLICY_DATA_ID,
      product_tags: [],
      actions: [
        DatadogAPIClient::V2::CloudWorkloadSecurityAgentRuleAction.new({
          set: DatadogAPIClient::V2::CloudWorkloadSecurityAgentRuleActionSet.new({
            name: "test_set",
            value: "test_value",
            scope: "process",
            inherited: true,
          }),
        }),
        DatadogAPIClient::V2::CloudWorkloadSecurityAgentRuleAction.new({
          _hash: DatadogAPIClient::V2::CloudWorkloadSecurityAgentRuleActionHash.new({
            field: "exec.file",
          }),
        }),
      ],
    }),
    type: DatadogAPIClient::V2::CloudWorkloadSecurityAgentRuleType::AGENT_RULE,
  }),
})
p api_instance.create_csm_threats_agent_rule(body)

# Create a Workload Protection agent rule with set action with expression returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::CSMThreatsAPI.new

# there is a valid "policy_rc" in the system
POLICY_DATA_ID = ENV["POLICY_DATA_ID"]

body = DatadogAPIClient::V2::CloudWorkloadSecurityAgentRuleCreateRequest.new({
  data: DatadogAPIClient::V2::CloudWorkloadSecurityAgentRuleCreateData.new({
    attributes: DatadogAPIClient::V2::CloudWorkloadSecurityAgentRuleCreateAttributes.new({
      description: "My Agent rule with set action with expression",
      enabled: true,
      expression: 'exec.file.name == "sh"',
      filters: [],
      name: "examplecsmthreat",
      policy_id: POLICY_DATA_ID,
      product_tags: [],
      actions: [
        DatadogAPIClient::V2::CloudWorkloadSecurityAgentRuleAction.new({
          set: DatadogAPIClient::V2::CloudWorkloadSecurityAgentRuleActionSet.new({
            name: "test_set",
            expression: "exec.file.path",
            default_value: "/dev/null",
            scope: "process",
          }),
        }),
      ],
    }),
    type: DatadogAPIClient::V2::CloudWorkloadSecurityAgentRuleType::AGENT_RULE,
  }),
})
p api_instance.create_csm_threats_agent_rule(body)

Instructions

First install the library and its dependencies, then save the example to example.rb and run the following command. Set DD_SITE to your Datadog site (one of datadoghq.com, us3.datadoghq.com, us5.datadoghq.com, datadoghq.eu, ap1.datadoghq.com, ap2.datadoghq.com, ddog-gov.com, us2.ddog-gov.com). The examples also read POLICY_DATA_ID from the environment, so set it to the ID of an existing policy first.

    DD_SITE="datadoghq.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" ruby "example.rb"

// Create a Workload Protection agent rule returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_csm_threats::CSMThreatsAPI;
use datadog_api_client::datadogV2::model::CloudWorkloadSecurityAgentRuleCreateAttributes;
use datadog_api_client::datadogV2::model::CloudWorkloadSecurityAgentRuleCreateData;
use datadog_api_client::datadogV2::model::CloudWorkloadSecurityAgentRuleCreateRequest;
use datadog_api_client::datadogV2::model::CloudWorkloadSecurityAgentRuleType;

#[tokio::main]
async fn main() {
    // there is a valid "policy_rc" in the system
    let policy_data_id = std::env::var("POLICY_DATA_ID").unwrap();
    let body = CloudWorkloadSecurityAgentRuleCreateRequest::new(
        CloudWorkloadSecurityAgentRuleCreateData::new(
            CloudWorkloadSecurityAgentRuleCreateAttributes::new(
                r#"exec.file.name == "sh""#.to_string(),
                "examplecsmthreat".to_string(),
            )
            .agent_version("> 7.60".to_string())
            .description("My Agent rule".to_string())
            .enabled(true)
            .filters(vec![])
            .policy_id(policy_data_id.clone())
            .product_tags(vec![]),
            CloudWorkloadSecurityAgentRuleType::AGENT_RULE,
        ),
    );
    let configuration = datadog::Configuration::new();
    let api = CSMThreatsAPI::with_config(configuration);
    let resp = api.create_csm_threats_agent_rule(body).await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}

// Create a Workload Protection agent rule with set action returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_csm_threats::CSMThreatsAPI;
use datadog_api_client::datadogV2::model::CloudWorkloadSecurityAgentRuleAction;
use datadog_api_client::datadogV2::model::CloudWorkloadSecurityAgentRuleActionHash;
use datadog_api_client::datadogV2::model::CloudWorkloadSecurityAgentRuleActionSet;
use datadog_api_client::datadogV2::model::CloudWorkloadSecurityAgentRuleActionSetValue;
use datadog_api_client::datadogV2::model::CloudWorkloadSecurityAgentRuleCreateAttributes;
use datadog_api_client::datadogV2::model::CloudWorkloadSecurityAgentRuleCreateData;
use datadog_api_client::datadogV2::model::CloudWorkloadSecurityAgentRuleCreateRequest;
use datadog_api_client::datadogV2::model::CloudWorkloadSecurityAgentRuleType;

#[tokio::main]
async fn main() {
    // there is a valid "policy_rc" in the system
    let policy_data_id = std::env::var("POLICY_DATA_ID").unwrap();
    let body = CloudWorkloadSecurityAgentRuleCreateRequest::new(
        CloudWorkloadSecurityAgentRuleCreateData::new(
            CloudWorkloadSecurityAgentRuleCreateAttributes::new(
                r#"exec.file.name == "sh""#.to_string(),
                "examplecsmthreat".to_string(),
            )
            .actions(Some(vec![
                CloudWorkloadSecurityAgentRuleAction::new().set(
                    CloudWorkloadSecurityAgentRuleActionSet::new()
                        .inherited(true)
                        .name("test_set".to_string())
                        .scope("process".to_string())
                        .value(CloudWorkloadSecurityAgentRuleActionSetValue::String(
                            "test_value".to_string(),
                        )),
                ),
                CloudWorkloadSecurityAgentRuleAction::new().hash(
                    CloudWorkloadSecurityAgentRuleActionHash::new().field("exec.file".to_string()),
                ),
            ]))
            .description("My Agent rule with set action".to_string())
            .enabled(true)
            .filters(vec![])
            .policy_id(policy_data_id.clone())
            .product_tags(vec![]),
            CloudWorkloadSecurityAgentRuleType::AGENT_RULE,
        ),
    );
    let configuration = datadog::Configuration::new();
    let api = CSMThreatsAPI::with_config(configuration);
    let resp = api.create_csm_threats_agent_rule(body).await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}

// Create a Workload Protection agent rule with set action with expression returns
// "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_csm_threats::CSMThreatsAPI;
use datadog_api_client::datadogV2::model::CloudWorkloadSecurityAgentRuleAction;
use datadog_api_client::datadogV2::model::CloudWorkloadSecurityAgentRuleActionSet;
use datadog_api_client::datadogV2::model::CloudWorkloadSecurityAgentRuleCreateAttributes;
use datadog_api_client::datadogV2::model::CloudWorkloadSecurityAgentRuleCreateData;
use datadog_api_client::datadogV2::model::CloudWorkloadSecurityAgentRuleCreateRequest;
use datadog_api_client::datadogV2::model::CloudWorkloadSecurityAgentRuleType;

#[tokio::main]
async fn main() {
    // there is a valid "policy_rc" in the system
    let policy_data_id = std::env::var("POLICY_DATA_ID").unwrap();
    let body = CloudWorkloadSecurityAgentRuleCreateRequest::new(
        CloudWorkloadSecurityAgentRuleCreateData::new(
            CloudWorkloadSecurityAgentRuleCreateAttributes::new(
                r#"exec.file.name == "sh""#.to_string(),
                "examplecsmthreat".to_string(),
            )
            .actions(Some(vec![CloudWorkloadSecurityAgentRuleAction::new().set(
                CloudWorkloadSecurityAgentRuleActionSet::new()
                    .default_value("/dev/null".to_string())
                    .expression("exec.file.path".to_string())
                    .name("test_set".to_string())
                    .scope("process".to_string()),
            )]))
            .description("My Agent rule with set action with expression".to_string())
            .enabled(true)
            .filters(vec![])
            .policy_id(policy_data_id.clone())
            .product_tags(vec![]),
            CloudWorkloadSecurityAgentRuleType::AGENT_RULE,
        ),
    );
    let configuration = datadog::Configuration::new();
    let api = CSMThreatsAPI::with_config(configuration);
    let resp = api.create_csm_threats_agent_rule(body).await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}

Instructions

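First install the library and its dependencies, then save the example to src/main.rs and run the following command. Set DD_SITE to your Datadog site (one of datadoghq.com, us3.datadoghq.com, us5.datadoghq.com, datadoghq.eu, ap1.datadoghq.com, ap2.datadoghq.com, ddog-gov.com, us2.ddog-gov.com). The examples also read POLICY_DATA_ID from the environment, so set it to the ID of an existing policy first.

    DD_SITE="datadoghq.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" cargo run

/**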
 * Create a Workload Protection agent rule returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.CSMThreatsApi(configuration);

// there is a valid "policy_rc" in the system
const POLICY_DATA_ID = process.env.POLICY_DATA_ID as string;

const params: v2.CSMThreatsApiCreateCSMThreatsAgentRuleRequest = {
  body: {
    data: {
      attributes: {
        description: "My Agent rule",
        enabled: true,
        expression: `exec.file.name == "sh"`,
        agentVersion: "> 7.60",
        filters: [],
        name: "examplecsmthreat",
        policyId: POLICY_DATA_ID,
        productTags: [],
      },
      type: "agent_rule",
    },
  },
};

apiInstance
  .createCSMThreatsAgentRule(params)
  .then((data: v2.CloudWorkloadSecurityAgentRuleResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

/**
 * Create a Workload Protection agent rule with set action returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.CSMThreatsApi(configuration);

// there is a valid "policy_rc" in the system
const POLICY_DATA_ID = process.env.POLICY_DATA_ID as string;

const params: v2.CSMThreatsApiCreateCSMThreatsAgentRuleRequest = {
  body: {
    data: {
      attributes: {
        description: "My Agent rule with set action",
        enabled: true,
        expression: `exec.file.name == "sh"`,
        filters: [],
        name: "examplecsmthreat",
        policyId: POLICY_DATA_ID,
        productTags: [],
        actions: [
          {
            set: {
              name: "test_set",
              value: "test_value",
              scope: "process",
              inherited: true,
            },
          },
          {
            hash: {
              field: "exec.file",
            },
          },
        ],
      },
      type: "agent_rule",
    },
  },
};

apiInstance
  .createCSMThreatsAgentRule(params)
  .then((data: v2.CloudWorkloadSecurityAgentRuleResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

/**
 * Create a Workload Protection agent rule with set action with expression returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.CSMThreatsApi(configuration);

// there is a valid "policy_rc" in the system
const POLICY_DATA_ID = process.env.POLICY_DATA_ID as string;

const params: v2.CSMThreatsApiCreateCSMThreatsAgentRuleRequest = {
  body: {
    data: {
      attributes: {
        description: "My Agent rule with set action with expression",
        enabled: true,
        expression: `exec.file.name == "sh"`,
        filters: [],
        name: "examplecsmthreat",
        policyId: POLICY_DATA_ID,
        productTags: [],
        actions: [
          {
            set: {
              name: "test_set",
              expression: "exec.file.path",
              defaultValue: "/dev/null",
              scope: "process",
            },
          },
        ],
      },
      type: "agent_rule",
    },
  },
};

apiInstance
  .createCSMThreatsAgentRule(params)
  .then((data: v2.CloudWorkloadSecurityAgentRuleResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

Instructions

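First install the library and its dependencies, then save the example to example.ts and run the following command. Set DD_SITE to your Datadog site (one of datadoghq.com, us3.datadoghq.com, us5.datadoghq.com, datadoghq.eu, ap1.datadoghq.com, ap2.datadoghq.com, ddog-gov.com, us2.ddog-gov.com). The examples also read POLICY_DATA_ID from the environment, so set it to the ID of an existing policy first.

    DD_SITE="datadoghq.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" tsc "example.ts"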