---
title: Security Monitoring
description: Datadog, the leading service for cloud-scale monitoring.
---

# Security Monitoring

Create and manage your security rules, signals, filters, and more. See the [Datadog Security page](https://docs.datadoghq.com/security/) for more information.

## Change the triage state of a security signal{% #change-the-triage-state-of-a-security-signal %}

{% tab title="v1" %}

| Datadog site      | API endpoint                                                                            |
| ----------------- | --------------------------------------------------------------------------------------- |
| ap1.datadoghq.com | PATCH https://api.ap1.datadoghq.com/api/v1/security_analytics/signals/{signal_id}/state |
| ap2.datadoghq.com | PATCH https://api.ap2.datadoghq.com/api/v1/security_analytics/signals/{signal_id}/state |
| app.datadoghq.eu  | PATCH https://api.datadoghq.eu/api/v1/security_analytics/signals/{signal_id}/state      |
| app.ddog-gov.com  | PATCH https://api.ddog-gov.com/api/v1/security_analytics/signals/{signal_id}/state      |
| app.datadoghq.com | PATCH https://api.datadoghq.com/api/v1/security_analytics/signals/{signal_id}/state     |
| us3.datadoghq.com | PATCH https://api.us3.datadoghq.com/api/v1/security_analytics/signals/{signal_id}/state |
| us5.datadoghq.com | PATCH https://api.us5.datadoghq.com/api/v1/security_analytics/signals/{signal_id}/state |

### Overview

This endpoint is deprecated. It changes the triage state of a security signal and requires the `security_monitoring_signals_write` permission.

### Arguments

#### Path Parameters

| Name                        | Type   | Description           |
| --------------------------- | ------ | --------------------- |
| signal_id [*required*] | string | The ID of the signal. |

### Request

#### Body Data (required)

Attributes describing the signal update.

{% tab title="Model" %}

| Field                   | Type   | Description                                                                                                                                                                          |
| ----------------------- | ------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| archiveComment          | string | Optional comment to explain why a signal is being archived.                                                                                                                          |
| archiveReason           | enum   | Reason why a signal has been archived. Allowed enum values: `none,false_positive,testing_or_maintenance,investigated_case_opened,true_positive_benign,true_positive_malicious,other` |
| state [*required*] | enum   | The new triage state of the signal. Allowed enum values: `open,archived,under_review`                                                                                                |
| version                 | int64  | Version of the updated signal. If server side version is higher, update will be rejected.                                                                                            |

{% /tab %}

{% tab title="Example" %}

```json
{
  "archiveReason": "none",
  "state": "open"
}
```

{% /tab %}

### Response

{% tab title="200" %}
OK
{% tab title="Model" %}
Updated signal data following a successfully performed update.

| Field  | Type   | Description             |
| ------ | ------ | ----------------------- |
| status | string | Status of the response. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "status": "string"
}
```

{% /tab %}

{% /tab %}

{% tab title="400" %}
Bad Request
{% tab title="Model" %}
Error response object.

| Field                    | Type     | Description                          |
| ------------------------ | -------- | ------------------------------------ |
| errors [*required*] | [string] | Array of errors returned by the API. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="403" %}
Forbidden
{% tab title="Model" %}
Error response object.

| Field                    | Type     | Description                          |
| ------------------------ | -------- | ------------------------------------ |
| errors [*required*] | [string] | Array of errors returned by the API. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="404" %}
Not Found
{% tab title="Model" %}
Error response object.

| Field                    | Type     | Description                          |
| ------------------------ | -------- | ------------------------------------ |
| errors [*required*] | [string] | Array of errors returned by the API. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="429" %}
Too many requests
{% tab title="Model" %}
Error response object.

| Field                    | Type     | Description                          |
| ------------------------ | -------- | ------------------------------------ |
| errors [*required*] | [string] | Array of errors returned by the API. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

### Code Example

```bash
# Path parameters
export signal_id="CHANGE_ME"
# Curl command (replace api.datadoghq.com with the API host for your Datadog site, see the table above)
curl -X PATCH "https://api.datadoghq.com/api/v1/security_analytics/signals/${signal_id}/state" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "archiveReason": "none",
  "state": "open"
}
EOF
```

```go
// Change the triage state of a security signal returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV1"
)

func main() {
	body := datadogV1.SignalStateUpdateRequest{
		ArchiveReason: datadogV1.SIGNALARCHIVEREASON_NONE.Ptr(),
		State:         datadogV1.SIGNALTRIAGESTATE_OPEN,
	}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV1.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.EditSecurityMonitoringSignalState(ctx, "AQAAAYDiB_Ol8PbzFAAAAABBWURpQl9PbEFBQU0yeXhGTG9ZV2JnQUE", body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.EditSecurityMonitoringSignalState`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.EditSecurityMonitoringSignalState`:\n%s\n", responseContent)
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=go), then save the example to `main.go` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" go run "main.go"
```

```java
// Change the triage state of a security signal returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v1.api.SecurityMonitoringApi;
import com.datadog.api.client.v1.model.SignalArchiveReason;
import com.datadog.api.client.v1.model.SignalStateUpdateRequest;
import com.datadog.api.client.v1.model.SignalTriageState;
import com.datadog.api.client.v1.model.SuccessfulSignalUpdateResponse;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    SignalStateUpdateRequest body =
        new SignalStateUpdateRequest()
            .archiveReason(SignalArchiveReason.NONE)
            .state(SignalTriageState.OPEN);

    try {
      SuccessfulSignalUpdateResponse result =
          apiInstance.editSecurityMonitoringSignalState(
              "AQAAAYDiB_Ol8PbzFAAAAABBWURpQl9PbEFBQU0yeXhGTG9ZV2JnQUE", body);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#editSecurityMonitoringSignalState");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=java), then save the example to `Example.java` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" java "Example.java"
```

```python
"""
Change the triage state of a security signal returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v1.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v1.model.signal_archive_reason import SignalArchiveReason
from datadog_api_client.v1.model.signal_state_update_request import SignalStateUpdateRequest
from datadog_api_client.v1.model.signal_triage_state import SignalTriageState

body = SignalStateUpdateRequest(
    archive_reason=SignalArchiveReason.NONE,
    state=SignalTriageState.OPEN,
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.edit_security_monitoring_signal_state(
        signal_id="AQAAAYDiB_Ol8PbzFAAAAABBWURpQl9PbEFBQU0yeXhGTG9ZV2JnQUE", body=body
    )

    print(response)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=python), then save the example to `example.py` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" python3 "example.py"
```

```ruby
# Change the triage state of a security signal returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V1::SecurityMonitoringAPI.new

body = DatadogAPIClient::V1::SignalStateUpdateRequest.new({
  archive_reason: DatadogAPIClient::V1::SignalArchiveReason::NONE,
  state: DatadogAPIClient::V1::SignalTriageState::OPEN,
})
p api_instance.edit_security_monitoring_signal_state("AQAAAYDiB_Ol8PbzFAAAAABBWURpQl9PbEFBQU0yeXhGTG9ZV2JnQUE", body)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=ruby), then save the example to `example.rb` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" ruby "example.rb"
```

```rust
// Change the triage state of a security signal returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV1::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV1::model::SignalArchiveReason;
use datadog_api_client::datadogV1::model::SignalStateUpdateRequest;
use datadog_api_client::datadogV1::model::SignalTriageState;

#[tokio::main]
async fn main() {
    let body = SignalStateUpdateRequest::new(SignalTriageState::OPEN)
        .archive_reason(SignalArchiveReason::NONE);
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api
        .edit_security_monitoring_signal_state(
            "AQAAAYDiB_Ol8PbzFAAAAABBWURpQl9PbEFBQU0yeXhGTG9ZV2JnQUE".to_string(),
            body,
        )
        .await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=rust), then save the example to `src/main.rs` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" cargo run
```

```typescript
/**
 * Change the triage state of a security signal returns "OK" response
 */

import { client, v1 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v1.SecurityMonitoringApi(configuration);

const params: v1.SecurityMonitoringApiEditSecurityMonitoringSignalStateRequest =
  {
    body: {
      archiveReason: "none",
      state: "open",
    },
    signalId: "AQAAAYDiB_Ol8PbzFAAAAABBWURpQl9PbEFBQU0yeXhGTG9ZV2JnQUE",
  };

apiInstance
  .editSecurityMonitoringSignalState(params)
  .then((data: v1.SuccessfulSignalUpdateResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=typescript), then save the example to `example.ts` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" tsc "example.ts"
```
{% /tab %}

{% tab title="v2" %}

| Datadog site      | API endpoint                                                                             |
| ----------------- | ---------------------------------------------------------------------------------------- |
| ap1.datadoghq.com | PATCH https://api.ap1.datadoghq.com/api/v2/security_monitoring/signals/{signal_id}/state |
| ap2.datadoghq.com | PATCH https://api.ap2.datadoghq.com/api/v2/security_monitoring/signals/{signal_id}/state |
| app.datadoghq.eu  | PATCH https://api.datadoghq.eu/api/v2/security_monitoring/signals/{signal_id}/state      |
| app.ddog-gov.com  | PATCH https://api.ddog-gov.com/api/v2/security_monitoring/signals/{signal_id}/state      |
| app.datadoghq.com | PATCH https://api.datadoghq.com/api/v2/security_monitoring/signals/{signal_id}/state     |
| us3.datadoghq.com | PATCH https://api.us3.datadoghq.com/api/v2/security_monitoring/signals/{signal_id}/state |
| us5.datadoghq.com | PATCH https://api.us5.datadoghq.com/api/v2/security_monitoring/signals/{signal_id}/state |

### Overview

Change the triage state of a security signal. This endpoint requires the `security_monitoring_signals_write` permission.

### Arguments

#### Path Parameters

| Name                        | Type   | Description           |
| --------------------------- | ------ | --------------------- |
| signal_id [*required*] | string | The ID of the signal. |

### Request

#### Body Data (required)

Attributes describing the signal update.

{% tab title="Model" %}

| Parent field | Field                        | Type   | Description                                                                                                                                                                           |
| ------------ | ---------------------------- | ------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|              | data [*required*]       | object | Data containing the patch for changing the state of a signal.                                                                                                                         |
| data         | attributes [*required*] | object | Attributes describing the change of state of a security signal.                                                                                                                       |
| attributes   | archive_comment              | string | Optional comment to display on archived signals.                                                                                                                                      |
| attributes   | archive_reason               | enum   | Reason a signal is archived. Allowed enum values: `none,false_positive,testing_or_maintenance,remediated,investigated_case_opened,true_positive_benign,true_positive_malicious,other` |
| attributes   | state [*required*]      | enum   | The new triage state of the signal. Allowed enum values: `open,archived,under_review`                                                                                                 |
| attributes   | version                      | int64  | Version of the updated signal. If server side version is higher, update will be rejected.                                                                                             |
| data         | id                           |        | The unique ID of the security signal.                                                                                                                                                 |
| data         | type                         | enum   | The type of event. Allowed enum values: `signal_metadata`                                                                                                                             |

{% /tab %}

{% tab title="Example" %}

```json
{
  "data": {
    "attributes": {
      "archive_reason": "none",
      "state": "open"
    }
  }
}
```

{% /tab %}
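The v1 endpoint is deprecated, and the v2 body carries the same attributes nested under `data.attributes` with snake_case names. The following added example (not Datadog's code; all function and constant names are hypothetical) converts a v1 body to the v2 shape, validates the enum values listed in the tables on this page, and builds the v2 URL only for the API hosts in the site table.

```python
"""Added example: migrate a deprecated v1 signal-state body to the v2 shape."""
import json
from urllib.parse import quote

# API hosts copied from the site table on this page. DD-API-KEY and
# DD-APPLICATION-KEY travel in request headers, so refuse any other host.
API_HOSTS = frozenset({
    "api.datadoghq.com", "api.datadoghq.eu", "api.ddog-gov.com",
    "api.us3.datadoghq.com", "api.us5.datadoghq.com",
    "api.ap1.datadoghq.com", "api.ap2.datadoghq.com",
})
TRIAGE_STATES = frozenset({"open", "archived", "under_review"})
V1_ARCHIVE_REASONS = frozenset({
    "none", "false_positive", "testing_or_maintenance",
    "investigated_case_opened", "true_positive_benign",
    "true_positive_malicious", "other",
})
# The v2 enum is the v1 enum plus "remediated".
V2_ARCHIVE_REASONS = V1_ARCHIVE_REASONS | {"remediated"}
# v1 camelCase body field -> v2 snake_case attribute
V1_TO_V2_FIELDS = {
    "archiveComment": "archive_comment",
    "archiveReason": "archive_reason",
    "state": "state",
    "version": "version",
}
INT64_MIN, INT64_MAX = -(2**63), 2**63 - 1


def build_v2_body(state, archive_reason=None, archive_comment=None, version=None):
    """Return a validated v2 request body; optional fields are omitted when None."""
    if state not in TRIAGE_STATES:
        raise ValueError(f"state must be one of {sorted(TRIAGE_STATES)}")
    attributes = {"state": state}
    if archive_reason is not None:
        if archive_reason not in V2_ARCHIVE_REASONS:
            raise ValueError(f"unknown archive_reason: {archive_reason!r}")
        attributes["archive_reason"] = archive_reason
    if archive_comment is not None:
        if not isinstance(archive_comment, str):
            raise ValueError("archive_comment must be a string")
        attributes["archive_comment"] = archive_comment
    if version is not None:
        # bool is a subclass of int in Python; reject it explicitly.
        if isinstance(version, bool) or not isinstance(version, int):
            raise ValueError("version must be an integer")
        if not INT64_MIN <= version <= INT64_MAX:
            raise ValueError("version does not fit in int64")
        attributes["version"] = version
    return {"data": {"attributes": attributes}}


def v1_to_v2_body(v1_body):
    """Translate a flat v1 body into the nested v2 body."""
    unknown = set(v1_body) - set(V1_TO_V2_FIELDS)
    if unknown:
        raise ValueError(f"not a v1 field: {sorted(unknown)}")
    if "state" not in v1_body:
        raise ValueError("state is required")
    reason = v1_body.get("archiveReason")
    # "remediated" exists only in v2, so a v1 body carrying it was never valid.
    if reason is not None and reason not in V1_ARCHIVE_REASONS:
        raise ValueError(f"not a v1 archiveReason: {reason!r}")
    return build_v2_body(
        state=v1_body["state"],
        archive_reason=reason,
        archive_comment=v1_body.get("archiveComment"),
        version=v1_body.get("version"),
    )


def signal_state_url(api_host, signal_id):
    """Build the v2 PATCH URL; the signal ID is encoded as one path segment."""
    if api_host not in API_HOSTS:
        raise ValueError(f"unexpected API host: {api_host!r}")
    if not isinstance(signal_id, str) or not signal_id:
        raise ValueError("signal_id is required")
    segment = quote(signal_id, safe="")  # "/" becomes %2F, so no extra path segments
    return f"https://{api_host}/api/v2/security_monitoring/signals/{segment}/state"


if __name__ == "__main__":
    legacy = {"archiveReason": "none", "state": "open"}  # v1 example body from this page
    print(signal_state_url("api.datadoghq.com", "CHANGE_ME"))
    print(json.dumps(v1_to_v2_body(legacy), indent=2))
```
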

### Response

{% tab title="200" %}
OK
{% tab title="Model" %}
The response returned after all triage operations, containing the updated signal triage data.

| Parent field         | Field                          | Type      | Description                                                                                                                                                                           |
| -------------------- | ------------------------------ | --------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|                      | data [*required*]         | object    | Data containing the updated triage attributes of the signal.                                                                                                                          |
| data                 | attributes                     | object    | Attributes describing a triage state update operation over a security signal.                                                                                                         |
| attributes           | archive_comment                | string    | Optional comment to display on archived signals.                                                                                                                                      |
| attributes           | archive_comment_timestamp      | int64     | Timestamp of the last edit to the comment.                                                                                                                                            |
| attributes           | archive_comment_user           | object    | Object representing a given user entity.                                                                                                                                              |
| archive_comment_user | handle                         | string    | The handle for this user account.                                                                                                                                                     |
| archive_comment_user | icon                           | string    | Gravatar icon associated to the user.                                                                                                                                                 |
| archive_comment_user | id                             | int64     | Numerical ID assigned by Datadog to this user account.                                                                                                                                |
| archive_comment_user | name                           | string    | The name for this user account.                                                                                                                                                       |
| archive_comment_user | uuid [*required*]         | string    | UUID assigned by Datadog to this user account.                                                                                                                                        |
| attributes           | archive_reason                 | enum      | Reason a signal is archived. Allowed enum values: `none,false_positive,testing_or_maintenance,remediated,investigated_case_opened,true_positive_benign,true_positive_malicious,other` |
| attributes           | assignee [*required*]     | object    | Object representing a given user entity.                                                                                                                                              |
| assignee             | handle                         | string    | The handle for this user account.                                                                                                                                                     |
| assignee             | icon                           | string    | Gravatar icon associated to the user.                                                                                                                                                 |
| assignee             | id                             | int64     | Numerical ID assigned by Datadog to this user account.                                                                                                                                |
| assignee             | name                           | string    | The name for this user account.                                                                                                                                                       |
| assignee             | uuid [*required*]         | string    | UUID assigned by Datadog to this user account.                                                                                                                                        |
| attributes           | incident_ids [*required*] | [integer] | Array of incidents that are associated with this signal.                                                                                                                              |
| attributes           | state [*required*]        | enum      | The new triage state of the signal. Allowed enum values: `open,archived,under_review`                                                                                                 |
| attributes           | state_update_timestamp         | int64     | Timestamp of the last update to the signal state.                                                                                                                                     |
| attributes           | state_update_user              | object    | Object representing a given user entity.                                                                                                                                              |
| state_update_user    | handle                         | string    | The handle for this user account.                                                                                                                                                     |
| state_update_user    | icon                           | string    | Gravatar icon associated to the user.                                                                                                                                                 |
| state_update_user    | id                             | int64     | Numerical ID assigned by Datadog to this user account.                                                                                                                                |
| state_update_user    | name                           | string    | The name for this user account.                                                                                                                                                       |
| state_update_user    | uuid [*required*]         | string    | UUID assigned by Datadog to this user account.                                                                                                                                        |
| data                 | id                             | string    | The unique ID of the security signal.                                                                                                                                                 |
| data                 | type                           | enum      | The type of event. Allowed enum values: `signal_metadata`                                                                                                                             |

{% /tab %}

{% tab title="Example" %}

```json
{
  "data": {
    "attributes": {
      "archive_comment": "string",
      "archive_comment_timestamp": "integer",
      "archive_comment_user": {
        "handle": "string",
        "icon": "/path/to/matching/gravatar/icon",
        "id": "integer",
        "name": "string",
        "uuid": "773b045d-ccf8-4808-bd3b-955ef6a8c940"
      },
      "archive_reason": "string",
      "assignee": {
        "handle": "string",
        "icon": "/path/to/matching/gravatar/icon",
        "id": "integer",
        "name": "string",
        "uuid": "773b045d-ccf8-4808-bd3b-955ef6a8c940"
      },
      "incident_ids": [
        2066
      ],
      "state": "open",
      "state_update_timestamp": "integer",
      "state_update_user": {
        "handle": "string",
        "icon": "/path/to/matching/gravatar/icon",
        "id": "integer",
        "name": "string",
        "uuid": "773b045d-ccf8-4808-bd3b-955ef6a8c940"
      }
    },
    "id": "string",
    "type": "signal_metadata"
  }
}
```

{% /tab %}

{% /tab %}

{% tab title="400" %}
Bad Request
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="403" %}
Not Authorized
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="404" %}
Not Found
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="429" %}
Too many requests
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

### Code Example

```bash
# Path parameters
export signal_id="CHANGE_ME"
# Curl command (replace api.datadoghq.com with the API host for your Datadog site, see the table above)
curl -X PATCH "https://api.datadoghq.com/api/v2/security_monitoring/signals/${signal_id}/state" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "data": {
    "attributes": {
      "archive_reason": "none",
      "state": "open"
    }
  }
}
EOF
```

```go
// Change the triage state of a security signal returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	body := datadogV2.SecurityMonitoringSignalStateUpdateRequest{
		Data: datadogV2.SecurityMonitoringSignalStateUpdateData{
			Attributes: datadogV2.SecurityMonitoringSignalStateUpdateAttributes{
				ArchiveReason: datadogV2.SECURITYMONITORINGSIGNALARCHIVEREASON_NONE.Ptr(),
				State:         datadogV2.SECURITYMONITORINGSIGNALSTATE_OPEN,
			},
		},
	}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.EditSecurityMonitoringSignalState(ctx, "AQAAAYG1bl5K4HuUewAAAABBWUcxYmw1S0FBQmt2RmhRN0V4ZUVnQUE", body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.EditSecurityMonitoringSignalState`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.EditSecurityMonitoringSignalState`:\n%s\n", responseContent)
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=go), then save the example to `main.go` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
```

```java
// Change the triage state of a security signal returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityMonitoringSignalArchiveReason;
import com.datadog.api.client.v2.model.SecurityMonitoringSignalState;
import com.datadog.api.client.v2.model.SecurityMonitoringSignalStateUpdateAttributes;
import com.datadog.api.client.v2.model.SecurityMonitoringSignalStateUpdateData;
import com.datadog.api.client.v2.model.SecurityMonitoringSignalStateUpdateRequest;
import com.datadog.api.client.v2.model.SecurityMonitoringSignalTriageUpdateResponse;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    SecurityMonitoringSignalStateUpdateRequest body =
        new SecurityMonitoringSignalStateUpdateRequest()
            .data(
                new SecurityMonitoringSignalStateUpdateData()
                    .attributes(
                        new SecurityMonitoringSignalStateUpdateAttributes()
                            .archiveReason(SecurityMonitoringSignalArchiveReason.NONE)
                            .state(SecurityMonitoringSignalState.OPEN)));

    try {
      SecurityMonitoringSignalTriageUpdateResponse result =
          apiInstance.editSecurityMonitoringSignalState(
              "AQAAAYG1bl5K4HuUewAAAABBWUcxYmw1S0FBQmt2RmhRN0V4ZUVnQUE", body);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#editSecurityMonitoringSignalState");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=java) and then save the example to `Example.java` and run the following command, with `DD_SITE` set to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"

```python
"""
Change the triage state of a security signal returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.security_monitoring_signal_archive_reason import SecurityMonitoringSignalArchiveReason
from datadog_api_client.v2.model.security_monitoring_signal_state import SecurityMonitoringSignalState
from datadog_api_client.v2.model.security_monitoring_signal_state_update_attributes import (
    SecurityMonitoringSignalStateUpdateAttributes,
)
from datadog_api_client.v2.model.security_monitoring_signal_state_update_data import (
    SecurityMonitoringSignalStateUpdateData,
)
from datadog_api_client.v2.model.security_monitoring_signal_state_update_request import (
    SecurityMonitoringSignalStateUpdateRequest,
)

body = SecurityMonitoringSignalStateUpdateRequest(
    data=SecurityMonitoringSignalStateUpdateData(
        attributes=SecurityMonitoringSignalStateUpdateAttributes(
            archive_reason=SecurityMonitoringSignalArchiveReason.NONE,
            state=SecurityMonitoringSignalState.OPEN,
        ),
    ),
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.edit_security_monitoring_signal_state(
        signal_id="AQAAAYG1bl5K4HuUewAAAABBWUcxYmw1S0FBQmt2RmhRN0V4ZUVnQUE", body=body
    )

    print(response)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=python) and then save the example to `example.py` and run the following command, with `DD_SITE` set to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"

```ruby
# Change the triage state of a security signal returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

body = DatadogAPIClient::V2::SecurityMonitoringSignalStateUpdateRequest.new({
  data: DatadogAPIClient::V2::SecurityMonitoringSignalStateUpdateData.new({
    attributes: DatadogAPIClient::V2::SecurityMonitoringSignalStateUpdateAttributes.new({
      archive_reason: DatadogAPIClient::V2::SecurityMonitoringSignalArchiveReason::NONE,
      state: DatadogAPIClient::V2::SecurityMonitoringSignalState::OPEN,
    }),
  }),
})
p api_instance.edit_security_monitoring_signal_state("AQAAAYG1bl5K4HuUewAAAABBWUcxYmw1S0FBQmt2RmhRN0V4ZUVnQUE", body)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=ruby) and then save the example to `example.rb` and run the following command, with `DD_SITE` set to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" ruby "example.rb"

```rust
// Change the triage state of a security signal returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::SecurityMonitoringSignalArchiveReason;
use datadog_api_client::datadogV2::model::SecurityMonitoringSignalState;
use datadog_api_client::datadogV2::model::SecurityMonitoringSignalStateUpdateAttributes;
use datadog_api_client::datadogV2::model::SecurityMonitoringSignalStateUpdateData;
use datadog_api_client::datadogV2::model::SecurityMonitoringSignalStateUpdateRequest;

#[tokio::main]
async fn main() {
    let body = SecurityMonitoringSignalStateUpdateRequest::new(
        SecurityMonitoringSignalStateUpdateData::new(
            SecurityMonitoringSignalStateUpdateAttributes::new(SecurityMonitoringSignalState::OPEN)
                .archive_reason(SecurityMonitoringSignalArchiveReason::NONE),
        ),
    );
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api
        .edit_security_monitoring_signal_state(
            "AQAAAYG1bl5K4HuUewAAAABBWUcxYmw1S0FBQmt2RmhRN0V4ZUVnQUE".to_string(),
            body,
        )
        .await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=rust) and then save the example to `src/main.rs` and run the following command, with `DD_SITE` set to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run

```typescript
/**
 * Change the triage state of a security signal returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiEditSecurityMonitoringSignalStateRequest =
  {
    body: {
      data: {
        attributes: {
          archiveReason: "none",
          state: "open",
        },
      },
    },
    signalId: "AQAAAYG1bl5K4HuUewAAAABBWUcxYmw1S0FBQmt2RmhRN0V4ZUVnQUE",
  };

apiInstance
  .editSecurityMonitoringSignalState(params)
  .then((data: v2.SecurityMonitoringSignalTriageUpdateResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=typescript) and then save the example to `example.ts` and run the following command, with `DD_SITE` set to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"
{% /tab %}

## List findings{% #list-findings %}

{% tab title="v2" %}
**Note**: This endpoint uses the legacy security findings data model and is planned for deprecation. Use the [search security findings endpoint](https://docs.datadoghq.com/api/latest/security-monitoring/#search-security-findings), which is based on the [new security findings schema](https://docs.datadoghq.com/security/guide/findings-schema/), to search security findings. If you have any feedback, contact [Datadog support](https://docs.datadoghq.com/help/).

| Datadog site      | API endpoint                                                         |
| ----------------- | -------------------------------------------------------------------- |
| ap1.datadoghq.com | GET https://api.ap1.datadoghq.com/api/v2/posture_management/findings |
| ap2.datadoghq.com | GET https://api.ap2.datadoghq.com/api/v2/posture_management/findings |
| app.datadoghq.eu  | GET https://api.datadoghq.eu/api/v2/posture_management/findings      |
| app.ddog-gov.com  | GET https://api.ddog-gov.com/api/v2/posture_management/findings      |
| app.datadoghq.com | GET https://api.datadoghq.com/api/v2/posture_management/findings     |
| us3.datadoghq.com | GET https://api.us3.datadoghq.com/api/v2/posture_management/findings |
| us5.datadoghq.com | GET https://api.us5.datadoghq.com/api/v2/posture_management/findings |

### Overview



Get a list of findings. These include both misconfigurations and identity risks.

**Note**: To filter and return only identity risks, add the following query parameter: `?filter[tags]=dd_rule_type:ciem`

### Filtering{% #filtering %}

Filters can be applied by appending query parameters to the URL.

- Using a single filter: `?filter[attribute_key]=attribute_value`
- Chaining filters: `?filter[attribute_key]=attribute_value&filter[attribute_key]=attribute_value...`
- Filtering on tags: `?filter[tags]=tag_key:tag_value&filter[tags]=tag_key_2:tag_value_2`

Here, `attribute_key` can be any of the filter keys described further below.

Query parameters of type `integer` support comparison operators (`>`, `>=`, `<`, `<=`). This is particularly useful when filtering by `evaluation_changed_at` or `resource_discovery_timestamp`. For example: `?filter[evaluation_changed_at]=>20123123121`.

You can also use the negation operator on strings. For example, use `filter[resource_type]=-aws*` to filter for any non-AWS resources.

The operator must come after the equal sign. For example, to filter with the `>=` operator, add the operator after the equal sign: `filter[evaluation_changed_at]=>=1678809373257`.

Only the documented query parameters are accepted, and their values must be of the correct type. Duplicated query parameters (for example, `filter[status]=low&filter[status]=info`) are not allowed.

### Additional extension fields{% #additional-extension-fields %}

Additional extension fields are available for some findings.

The data is available when you include the query parameter `?detailed_findings=true` in the request.

The following fields are available for findings:

- `external_id`: The resource external ID related to the finding.
- `description`: The description and remediation steps for the finding.
- `datadog_link`: The Datadog relative link for the finding.
- `ip_addresses`: The list of private IP addresses for the resource related to the finding.

### Response{% #response %}

The response includes an array of finding objects, pagination metadata, and a count of items that match the query.

Each finding object contains the following:

- The finding ID that can be used in a `GetFinding` request to retrieve the full finding details.
- Core attributes, including status, evaluation, high-level resource details, muted state, and rule details.
- `evaluation_changed_at` and `resource_discovery_date` timestamps.
- An array of associated tags.

OAuth apps require the `security_monitoring_findings_read` authorization [scope](https://docs.datadoghq.com/api/latest/scopes/#security-monitoring) to access this endpoint.



### Arguments

#### Query Strings

| Name                          | Type    | Description                                                                                                                                 |
| ----------------------------- | ------- | ------------------------------------------------------------------------------------------------------------------------------------------- |
| page[limit]                   | integer | Limit the number of findings returned. Must be <= 1000.                                                                                     |
| snapshot_timestamp            | integer | Return findings for a given snapshot of time (Unix ms).                                                                                     |
| page[cursor]                  | string  | Return the next page of findings pointed to by the cursor.                                                                                  |
| filter[tags]                  | string  | Return findings that have these associated tags (repeatable).                                                                               |
| filter[evaluation_changed_at] | string  | Return findings that have changed from pass to fail or vice versa on a specified date (Unix ms) or date range (using comparison operators). |
| filter[muted]                 | boolean | Set to `true` to return findings that are muted. Set to `false` to return unmuted findings.                                                 |
| filter[rule_id]               | string  | Return findings for the specified rule ID.                                                                                                  |
| filter[rule_name]             | string  | Return findings for the specified rule.                                                                                                     |
| filter[resource_type]         | string  | Return only findings for the specified resource type.                                                                                       |
| filter[@resource_id]          | string  | Return only findings for the specified resource id.                                                                                         |
| filter[discovery_timestamp]   | string  | Return findings that were found on a specified date (Unix ms) or date range (using comparison operators).                                   |
| filter[evaluation]            | enum    | Return only `pass` or `fail` findings. Allowed enum values: `pass, fail`                                                                    |
| filter[status]                | enum    | Return only findings with the specified status. Allowed enum values: `critical, high, medium, low, info`                                    |
| filter[vulnerability_type]    | array   | Return findings that match the selected vulnerability types (repeatable).                                                                   |
| detailed_findings             | boolean | Return additional fields for some findings.                                                                                                 |
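
The filtering rules and query parameters above can be enforced client-side before a request is sent, and the `page[cursor]` value from each response drives the next request. The following is an added example, not code from Datadog or its client libraries: `build_query`, `iter_findings`, `fake_fetch`, the constructed `PAGES` data, and the pagination stop condition are assumptions made for illustration, and `fetch` stands in for the authenticated GET.

```python
"""Added example (not Datadog's code): validate List findings query parameters
against the rules on this page, then follow page[cursor] across pages."""
import re
from urllib.parse import parse_qs, urlencode

# Parameter names, types and enum values copied from the Query Strings table.
ENUMS = {
    "filter[evaluation]": {"pass", "fail"},
    "filter[status]": {"critical", "high", "medium", "low", "info"},
}
BOOLEANS = {"filter[muted]", "detailed_findings"}
INTEGERS = {"page[limit]", "snapshot_timestamp"}
TIMESTAMPS = {"filter[evaluation_changed_at]", "filter[discovery_timestamp]"}
STRINGS = {"page[cursor]", "filter[rule_id]", "filter[rule_name]",
           "filter[resource_type]", "filter[@resource_id]"}
REPEATABLE = {"filter[tags]", "filter[vulnerability_type]"}  # marked repeatable
KNOWN = set(ENUMS) | BOOLEANS | INTEGERS | TIMESTAMPS | STRINGS | REPEATABLE

# The comparison operator comes after the equal sign, so it leads the value.
TIMESTAMP_RE = re.compile(r"^(>=|<=|>|<)?\d+$")


def build_query(pairs):
    """Return an encoded query string, or raise ValueError on a bad parameter."""
    seen = set()
    for key, value in pairs:
        if key not in KNOWN:
            raise ValueError(f"undocumented query parameter: {key}")
        if key in seen and key not in REPEATABLE:
            raise ValueError(f"duplicated query parameter: {key}")
        seen.add(key)
        if key in ENUMS and value not in ENUMS[key]:
            raise ValueError(f"{key} must be one of {sorted(ENUMS[key])}")
        if key in BOOLEANS and value not in ("true", "false"):
            raise ValueError(f"{key} must be 'true' or 'false'")
        if key in INTEGERS and not str(value).isdigit():
            raise ValueError(f"{key} must be an integer")
        if key == "page[limit]" and int(value) > 1000:
            raise ValueError("page[limit] must be <= 1000")
        if key in TIMESTAMPS and not TIMESTAMP_RE.match(str(value)):
            raise ValueError(f"{key} must be Unix ms with an optional operator")
    return urlencode(pairs)


def iter_findings(fetch, pairs):
    """Yield findings across pages. `fetch` (hypothetical) takes a query string
    and returns the decoded JSON response body."""
    # Pagination owns page[cursor]; drop any value the caller passed in.
    pairs = [(k, v) for k, v in pairs if k != "page[cursor]"]
    cursor, seen_cursors = None, set()
    while True:
        page_pairs = pairs + ([("page[cursor]", cursor)] if cursor else [])
        body = fetch(build_query(page_pairs))
        yield from body["data"]
        cursor = body["meta"]["page"].get("cursor")
        # Assumed stop condition: empty page, no cursor, or a repeated cursor.
        if not body["data"] or not cursor or cursor in seen_cursors:
            return
        seen_cursors.add(cursor)


def make_finding(finding_id):
    """Constructed finding with a subset of the documented attributes."""
    return {"id": finding_id, "type": "finding",
            "attributes": {"evaluation": "fail", "status": "critical",
                           "mute": {"muted": False}}}


# Constructed two-page response, keyed by the cursor that requests each page.
PAGES = {
    None: {"data": [make_finding("finding-1"), make_finding("finding-2")],
           "meta": {"page": {"cursor": "cursor-page-2", "total_filtered_count": 3}}},
    "cursor-page-2": {"data": [make_finding("finding-3")],
                      "meta": {"page": {"total_filtered_count": 3}}},
}


def fake_fetch(query):
    """Offline stand-in for the HTTP call: selects a page by page[cursor]."""
    cursor = parse_qs(query).get("page[cursor]", [None])[0]
    return PAGES[cursor]


def collect_ids():
    """Unmuted, failing, critical findings changed since a given time."""
    pairs = [("filter[evaluation]", "fail"), ("filter[muted]", "false"),
             ("filter[status]", "critical"),
             ("filter[evaluation_changed_at]", ">=1678809373257"),
             ("filter[tags]", "cloud_provider:aws"),
             ("filter[tags]", "myTag:myValue"),
             ("page[limit]", 2)]
    return [f["id"] for f in iter_findings(fake_fetch, pairs)]


if __name__ == "__main__":
    print(collect_ids())
```

`urlencode` percent-encodes the brackets and comparison operators, so the filter keys and values reach the server intact.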

### Response

{% tab title="200" %}
OK
{% tab title="Model" %}
The expected response schema when listing findings.

| Parent field | Field                   | Type     | Description                                                                                                                                                               |
| ------------ | ----------------------- | -------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|              | data [*required*]  | [object] | Array of findings.                                                                                                                                                        |
| data         | attributes              | object   | The JSON:API attributes of the finding.                                                                                                                                   |
| attributes   | datadog_link            | string   | The Datadog relative link for this finding.                                                                                                                               |
| attributes   | description             | string   | The description and remediation steps for this finding.                                                                                                                   |
| attributes   | evaluation              | enum     | The evaluation of the finding. Allowed enum values: `pass,fail`                                                                                                           |
| attributes   | evaluation_changed_at   | int64    | The date on which the evaluation for this finding changed (Unix ms).                                                                                                      |
| attributes   | external_id             | string   | The cloud-based ID for the resource related to the finding.                                                                                                               |
| attributes   | mute                    | object   | Information about the mute status of this finding.                                                                                                                        |
| mute         | description             | string   | Additional information about the reason why this finding is muted or unmuted.                                                                                             |
| mute         | expiration_date         | int64    | The expiration date of the mute or unmute action (Unix ms).                                                                                                               |
| mute         | muted                   | boolean  | Whether this finding is muted or unmuted.                                                                                                                                 |
| mute         | reason                  | enum     | The reason why this finding is muted or unmuted. Allowed enum values: `PENDING_FIX,FALSE_POSITIVE,ACCEPTED_RISK,NO_PENDING_FIX,HUMAN_ERROR,NO_LONGER_ACCEPTED_RISK,OTHER` |
| mute         | start_date              | int64    | The start of the mute period.                                                                                                                                             |
| mute         | uuid                    | string   | The ID of the user who muted or unmuted this finding.                                                                                                                     |
| attributes   | resource                | string   | The resource name of this finding.                                                                                                                                        |
| attributes   | resource_discovery_date | int64    | The date on which the resource was discovered (Unix ms).                                                                                                                  |
| attributes   | resource_type           | string   | The resource type of this finding.                                                                                                                                        |
| attributes   | rule                    | object   | The rule that triggered this finding.                                                                                                                                     |
| rule         | id                      | string   | The ID of the rule that triggered this finding.                                                                                                                           |
| rule         | name                    | string   | The name of the rule that triggered this finding.                                                                                                                         |
| attributes   | status                  | enum     | The status of the finding. Allowed enum values: `critical,high,medium,low,info`                                                                                           |
| attributes   | tags                    | [string] | The tags associated with this finding.                                                                                                                                    |
| attributes   | vulnerability_type      | enum     | The vulnerability type of the finding. Allowed enum values: `misconfiguration,attack_path,identity_risk,api_security`                                                     |
| data         | id                      | string   | The unique ID for this finding.                                                                                                                                           |
| data         | type                    | enum     | The JSON:API type for findings. Allowed enum values: `finding`                                                                                                            |
|              | meta [*required*]  | object   | Metadata for pagination.                                                                                                                                                  |
| meta         | page                    | object   | Pagination and findings count information.                                                                                                                                |
| page         | cursor                  | string   | The cursor used to paginate requests.                                                                                                                                     |
| page         | total_filtered_count    | int64    | The total count of findings after the filter has been applied.                                                                                                            |
| meta         | snapshot_timestamp      | int64    | The point in time corresponding to the listed findings.                                                                                                                   |

{% /tab %}

{% tab title="Example" %}

```json
{
  "data": [
    {
      "attributes": {
        "datadog_link": "/security/compliance?panels=cpfinding%7Cevent%7CruleId%3Adef-000-u5t%7CresourceId%3Ae8c9ab7c52ebd7bf2fdb4db641082d7d%7CtabId%3Aoverview",
        "description": "## Remediation\n\n1. In the console, go to **Storage Account**.\n2. For each Storage Account, navigate to **Data Protection**.\n3. Select **Set soft delete enabled** and enter the number of days to retain soft deleted data.",
        "evaluation": "pass",
        "evaluation_changed_at": 1678721573794,
        "external_id": "arn:aws:s3:::my-example-bucket",
        "mute": {
          "description": "To be resolved later",
          "expiration_date": 1778721573794,
          "muted": true,
          "reason": "ACCEPTED_RISK",
          "start_date": 1678721573794,
          "uuid": "e51c9744-d158-11ec-ad23-da7ad0900002"
        },
        "resource": "my_resource_name",
        "resource_discovery_date": 1678721573794,
        "resource_type": "azure_storage_account",
        "rule": {
          "id": "dv2-jzf-41i",
          "name": "Soft delete is enabled for Azure Storage"
        },
        "status": "critical",
        "tags": [
          "cloud_provider:aws",
          "myTag:myValue"
        ],
        "vulnerability_type": "misconfiguration"
      },
      "id": "ZGVmLTAwcC1pZXJ-aS0wZjhjNjMyZDNmMzRlZTgzNw==",
      "type": "finding"
    }
  ],
  "meta": {
    "page": {
      "cursor": "eyJhZnRlciI6IkFRQUFBWWJiaEJXQS1OY1dqUUFBQUFCQldXSmlhRUpYUVVGQlJFSktkbTlDTUdaWFRVbDNRVUUiLCJ2YWx1ZXMiOlsiY3JpdGljYWwiXX0=",
      "total_filtered_count": 213
    },
    "snapshot_timestamp": 1678721573794
  }
}
```

{% /tab %}

{% /tab %}

{% tab title="400" %}
Bad Request: The server cannot process the request due to invalid syntax in the request.
{% tab title="Model" %}
API error response.

| Parent field | Field                    | Type     | Description                                                                     |
| ------------ | ------------------------ | -------- | ------------------------------------------------------------------------------- |
|              | errors [*required*] | [object] | A list of errors.                                                               |
| errors       | detail                   | string   | A human-readable explanation specific to this occurrence of the error.          |
| errors       | meta                     | object   | Non-standard meta-information about the error                                   |
| errors       | source                   | object   | References to the source of the error.                                          |
| source       | header                   | string   | A string indicating the name of a single request header which caused the error. |
| source       | parameter                | string   | A string indicating which URI query parameter caused the error.                 |
| source       | pointer                  | string   | A JSON pointer to the value in the request document that caused the error.      |
| errors       | status                   | string   | Status code of the response.                                                    |
| errors       | title                    | string   | Short human-readable summary of the error.                                      |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    {
      "detail": "Missing required attribute in body",
      "meta": {},
      "source": {
        "header": "Authorization",
        "parameter": "limit",
        "pointer": "/data/attributes/title"
      },
      "status": "400",
      "title": "Bad Request"
    }
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="403" %}
Forbidden: Access denied
{% tab title="Model" %}
API error response.

| Parent field | Field                    | Type     | Description                                                                     |
| ------------ | ------------------------ | -------- | ------------------------------------------------------------------------------- |
|              | errors [*required*] | [object] | A list of errors.                                                               |
| errors       | detail                   | string   | A human-readable explanation specific to this occurrence of the error.          |
| errors       | meta                     | object   | Non-standard meta-information about the error                                   |
| errors       | source                   | object   | References to the source of the error.                                          |
| source       | header                   | string   | A string indicating the name of a single request header which caused the error. |
| source       | parameter                | string   | A string indicating which URI query parameter caused the error.                 |
| source       | pointer                  | string   | A JSON pointer to the value in the request document that caused the error.      |
| errors       | status                   | string   | Status code of the response.                                                    |
| errors       | title                    | string   | Short human-readable summary of the error.                                      |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    {
      "detail": "Missing required attribute in body",
      "meta": {},
      "source": {
        "header": "Authorization",
        "parameter": "limit",
        "pointer": "/data/attributes/title"
      },
      "status": "400",
      "title": "Bad Request"
    }
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="404" %}
Not Found: The requested finding cannot be found.
{% tab title="Model" %}
API error response.

| Parent field | Field                    | Type     | Description                                                                     |
| ------------ | ------------------------ | -------- | ------------------------------------------------------------------------------- |
|              | errors [*required*] | [object] | A list of errors.                                                               |
| errors       | detail                   | string   | A human-readable explanation specific to this occurrence of the error.          |
| errors       | meta                     | object   | Non-standard meta-information about the error                                   |
| errors       | source                   | object   | References to the source of the error.                                          |
| source       | header                   | string   | A string indicating the name of a single request header which caused the error. |
| source       | parameter                | string   | A string indicating which URI query parameter caused the error.                 |
| source       | pointer                  | string   | A JSON pointer to the value in the request document that caused the error.      |
| errors       | status                   | string   | Status code of the response.                                                    |
| errors       | title                    | string   | Short human-readable summary of the error.                                      |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    {
      "detail": "Missing required attribute in body",
      "meta": {},
      "source": {
        "header": "Authorization",
        "parameter": "limit",
        "pointer": "/data/attributes/title"
      },
      "status": "400",
      "title": "Bad Request"
    }
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="429" %}
Too many requests: The rate limit set by the API has been exceeded.
{% tab title="Model" %}
API error response.

| Parent field | Field                    | Type     | Description                                                                     |
| ------------ | ------------------------ | -------- | ------------------------------------------------------------------------------- |
|              | errors [*required*] | [object] | A list of errors.                                                               |
| errors       | detail                   | string   | A human-readable explanation specific to this occurrence of the error.          |
| errors       | meta                     | object   | Non-standard meta-information about the error                                   |
| errors       | source                   | object   | References to the source of the error.                                          |
| source       | header                   | string   | A string indicating the name of a single request header which caused the error. |
| source       | parameter                | string   | A string indicating which URI query parameter caused the error.                 |
| source       | pointer                  | string   | A JSON pointer to the value in the request document that caused the error.      |
| errors       | status                   | string   | Status code of the response.                                                    |
| errors       | title                    | string   | Short human-readable summary of the error.                                      |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    {
      "detail": "Missing required attribute in body",
      "meta": {},
      "source": {
        "header": "Authorization",
        "parameter": "limit",
        "pointer": "/data/attributes/title"
      },
      "status": "400",
      "title": "Bad Request"
    }
  ]
}
```

{% /tab %}

{% /tab %}

### Code Example

```bash
# Curl command (replace the host with the API endpoint for your Datadog site)
curl -X GET "https://api.datadoghq.com/api/v2/posture_management/findings" \
-H "Accept: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"
```

```python
"""
List findings returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi

configuration = Configuration()
configuration.unstable_operations["list_findings"] = True
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.list_findings()

    print(response)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=python), then save the example to `example.py` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
```

```ruby
# List findings returns "OK" response

require "datadog_api_client"
DatadogAPIClient.configure do |config|
  config.unstable_operations["v2.list_findings".to_sym] = true
end
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new
p api_instance.list_findings()
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=ruby), then save the example to `example.rb` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" ruby "example.rb"
```

```go
// List findings returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	configuration.SetUnstableOperationEnabled("v2.ListFindings", true)
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.ListFindings(ctx, *datadogV2.NewListFindingsOptionalParameters())

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.ListFindings`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.ListFindings`:\n%s\n", responseContent)
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=go), then save the example to `main.go` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
```

```java
// List findings returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.ListFindingsResponse;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    defaultClient.setUnstableOperationEnabled("v2.listFindings", true);
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    try {
      ListFindingsResponse result = apiInstance.listFindings();
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println("Exception when calling SecurityMonitoringApi#listFindings");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=java), then save the example to `Example.java` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"
```

```rust
// List findings returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::ListFindingsOptionalParams;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;

#[tokio::main]
async fn main() {
    let mut configuration = datadog::Configuration::new();
    configuration.set_unstable_operation_enabled("v2.ListFindings", true);
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api
        .list_findings(ListFindingsOptionalParams::default())
        .await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=rust), then save the example to `src/main.rs` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run
```

```typescript
/**
 * List findings returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
configuration.unstableOperations["v2.listFindings"] = true;
const apiInstance = new v2.SecurityMonitoringApi(configuration);

apiInstance
  .listFindings()
  .then((data: v2.ListFindingsResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=typescript), then save the example to `example.ts` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"
```
{% /tab %}

## Add a security signal to an incident{% #add-a-security-signal-to-an-incident %}

{% tab title="v1" %}

| Datadog site      | API endpoint                                                                                      |
| ----------------- | ------------------------------------------------------------------------------------------------- |
| ap1.datadoghq.com | PATCH https://api.ap1.datadoghq.com/api/v1/security_analytics/signals/{signal_id}/add_to_incident |
| ap2.datadoghq.com | PATCH https://api.ap2.datadoghq.com/api/v1/security_analytics/signals/{signal_id}/add_to_incident |
| app.datadoghq.eu  | PATCH https://api.datadoghq.eu/api/v1/security_analytics/signals/{signal_id}/add_to_incident      |
| app.ddog-gov.com  | PATCH https://api.ddog-gov.com/api/v1/security_analytics/signals/{signal_id}/add_to_incident      |
| app.datadoghq.com | PATCH https://api.datadoghq.com/api/v1/security_analytics/signals/{signal_id}/add_to_incident     |
| us3.datadoghq.com | PATCH https://api.us3.datadoghq.com/api/v1/security_analytics/signals/{signal_id}/add_to_incident |
| us5.datadoghq.com | PATCH https://api.us5.datadoghq.com/api/v1/security_analytics/signals/{signal_id}/add_to_incident |

### Overview

Add a security signal to an incident. This makes it possible to search for signals by incident within the signal explorer and to view the signals on the incident timeline. This endpoint requires the `security_monitoring_signals_write` permission.

### Arguments

#### Path Parameters

| Name                        | Type   | Description           |
| --------------------------- | ------ | --------------------- |
| signal_id [*required*] | string | The ID of the signal. |

### Request

#### Body Data (required)

Attributes describing the signal update.

{% tab title="Model" %}

| Field                         | Type    | Description                                                                               |
| ----------------------------- | ------- | ----------------------------------------------------------------------------------------- |
| add_to_signal_timeline        | boolean | Whether to post the signal on the incident timeline.                                      |
| incident_id [*required*] | int64   | Public ID attribute of the incident to which the signal will be added.                    |
| version                       | int64   | Version of the updated signal. If server side version is higher, update will be rejected. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "incident_id": 2609
}
```

{% /tab %}

### Response

{% tab title="200" %}
OK
{% tab title="Model" %}
Updated signal data following a successfully performed update.

| Field  | Type   | Description             |
| ------ | ------ | ----------------------- |
| status | string | Status of the response. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "status": "string"
}
```

{% /tab %}

{% /tab %}

{% tab title="400" %}
Bad Request
{% tab title="Model" %}
Error response object.

| Field                    | Type     | Description                          |
| ------------------------ | -------- | ------------------------------------ |
| errors [*required*] | [string] | Array of errors returned by the API. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="403" %}
Forbidden
{% tab title="Model" %}
Error response object.

| Field                    | Type     | Description                          |
| ------------------------ | -------- | ------------------------------------ |
| errors [*required*] | [string] | Array of errors returned by the API. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="404" %}
Not Found
{% tab title="Model" %}
Error response object.

| Field                    | Type     | Description                          |
| ------------------------ | -------- | ------------------------------------ |
| errors [*required*] | [string] | Array of errors returned by the API. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="429" %}
Too many requests
{% tab title="Model" %}
Error response object.

| Field                    | Type     | Description                          |
| ------------------------ | -------- | ------------------------------------ |
| errors [*required*] | [string] | Array of errors returned by the API. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

### Code Example

```bash
# Path parameters
export signal_id="CHANGE_ME"
# Curl command
# Use the API host for your Datadog site: api.ap1.datadoghq.com, api.ap2.datadoghq.com,
# api.datadoghq.eu, api.ddog-gov.com, api.datadoghq.com, api.us3.datadoghq.com, or api.us5.datadoghq.com
curl -X PATCH "https://api.datadoghq.com/api/v1/security_analytics/signals/${signal_id}/add_to_incident" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "incident_id": 2609
}
EOF
```

```go
// Add a security signal to an incident returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV1"
)

func main() {
	body := datadogV1.AddSignalToIncidentRequest{
		IncidentId: 2609,
	}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV1.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.AddSecurityMonitoringSignalToIncident(ctx, "AQAAAYDiB_Ol8PbzFAAAAABBWURpQl9PbEFBQU0yeXhGTG9ZV2JnQUE", body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.AddSecurityMonitoringSignalToIncident`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.AddSecurityMonitoringSignalToIncident`:\n%s\n", responseContent)
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=go), then save the example to `main.go` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" go run "main.go"
```

```java
// Add a security signal to an incident returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v1.api.SecurityMonitoringApi;
import com.datadog.api.client.v1.model.AddSignalToIncidentRequest;
import com.datadog.api.client.v1.model.SuccessfulSignalUpdateResponse;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    AddSignalToIncidentRequest body = new AddSignalToIncidentRequest().incidentId(2609L);

    try {
      SuccessfulSignalUpdateResponse result =
          apiInstance.addSecurityMonitoringSignalToIncident(
              "AQAAAYDiB_Ol8PbzFAAAAABBWURpQl9PbEFBQU0yeXhGTG9ZV2JnQUE", body);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#addSecurityMonitoringSignalToIncident");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=java), then save the example to `Example.java` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" java "Example.java"
```

```python
"""
Add a security signal to an incident returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v1.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v1.model.add_signal_to_incident_request import AddSignalToIncidentRequest

body = AddSignalToIncidentRequest(
    incident_id=2609,
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.add_security_monitoring_signal_to_incident(
        signal_id="AQAAAYDiB_Ol8PbzFAAAAABBWURpQl9PbEFBQU0yeXhGTG9ZV2JnQUE", body=body
    )

    print(response)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=python), then save the example to `example.py` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" python3 "example.py"
```

```ruby
# Add a security signal to an incident returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V1::SecurityMonitoringAPI.new

body = DatadogAPIClient::V1::AddSignalToIncidentRequest.new({
  incident_id: 2609,
})
p api_instance.add_security_monitoring_signal_to_incident("AQAAAYDiB_Ol8PbzFAAAAABBWURpQl9PbEFBQU0yeXhGTG9ZV2JnQUE", body)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=ruby), then save the example to `example.rb` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" ruby "example.rb"
```

```rust
// Add a security signal to an incident returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV1::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV1::model::AddSignalToIncidentRequest;

#[tokio::main]
async fn main() {
    let body = AddSignalToIncidentRequest::new(2609);
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api
        .add_security_monitoring_signal_to_incident(
            "AQAAAYDiB_Ol8PbzFAAAAABBWURpQl9PbEFBQU0yeXhGTG9ZV2JnQUE".to_string(),
            body,
        )
        .await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=rust), then save the example to `src/main.rs` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" cargo run
```

```typescript
/**
 * Add a security signal to an incident returns "OK" response
 */

import { client, v1 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v1.SecurityMonitoringApi(configuration);

const params: v1.SecurityMonitoringApiAddSecurityMonitoringSignalToIncidentRequest =
  {
    body: {
      incidentId: 2609,
    },
    signalId: "AQAAAYDiB_Ol8PbzFAAAAABBWURpQl9PbEFBQU0yeXhGTG9ZV2JnQUE",
  };

apiInstance
  .addSecurityMonitoringSignalToIncident(params)
  .then((data: v1.SuccessfulSignalUpdateResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=typescript), then save the example to `example.ts` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" tsc "example.ts"
```
{% /tab %}

## Mute or unmute a batch of findings{% #mute-or-unmute-a-batch-of-findings %}

{% tab title="v2" %}
**Note**: This endpoint is in public beta. If you have any feedback, contact [Datadog support](https://docs.datadoghq.com/help/).

| Datadog site      | API endpoint                                                           |
| ----------------- | ---------------------------------------------------------------------- |
| ap1.datadoghq.com | PATCH https://api.ap1.datadoghq.com/api/v2/posture_management/findings |
| ap2.datadoghq.com | PATCH https://api.ap2.datadoghq.com/api/v2/posture_management/findings |
| app.datadoghq.eu  | PATCH https://api.datadoghq.eu/api/v2/posture_management/findings      |
| app.ddog-gov.com  | PATCH https://api.ddog-gov.com/api/v2/posture_management/findings      |
| app.datadoghq.com | PATCH https://api.datadoghq.com/api/v2/posture_management/findings     |
| us3.datadoghq.com | PATCH https://api.us3.datadoghq.com/api/v2/posture_management/findings |
| us5.datadoghq.com | PATCH https://api.us5.datadoghq.com/api/v2/posture_management/findings |

### Overview

Mute or unmute findings. This endpoint requires any of the following permissions:

- `security_monitoring_findings_write`
- `appsec_vm_write`


### Request

#### Body Data (required)



### Attributes{% #attributes %}

All findings are updated with the same attributes. The request body must include at least two attributes: `muted` and `reason`. The allowed reasons depend on whether the finding is being muted or unmuted:

- To mute a finding: `PENDING_FIX`, `FALSE_POSITIVE`, `ACCEPTED_RISK`, `OTHER`.
- To unmute a finding: `NO_PENDING_FIX`, `HUMAN_ERROR`, `NO_LONGER_ACCEPTED_RISK`, `OTHER`.

### Meta{% #meta %}

The request body must include a list of the finding IDs to be updated.



{% tab title="Model" %}

| Parent field | Field                        | Type     | Description                                                                                                                                                                                                                                                                      |
| ------------ | ---------------------------- | -------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|              | data [*required*]       | object   | Data object containing the new bulk mute properties of the finding.                                                                                                                                                                                                              |
| data         | attributes [*required*] | object   | The mute properties to be updated.                                                                                                                                                                                                                                               |
| attributes   | mute [*required*]       | object   | Object containing the new mute properties of the findings.                                                                                                                                                                                                                       |
| mute         | description                  | string   | Additional information about the reason why those findings are muted or unmuted. This field has a maximum limit of 280 characters.                                                                                                                                               |
| mute         | expiration_date              | int64    | The expiration date of the mute or unmute action (Unix ms). It must be set to a value greater than the current timestamp. If this field is not provided, the finding will be muted or unmuted indefinitely, which is equivalent to setting the expiration date to 9999999999999. |
| mute         | muted [*required*]      | boolean  | Whether those findings should be muted or unmuted.                                                                                                                                                                                                                               |
| mute         | reason [*required*]     | enum     | The reason why this finding is muted or unmuted. Allowed enum values: `PENDING_FIX,FALSE_POSITIVE,ACCEPTED_RISK,NO_PENDING_FIX,HUMAN_ERROR,NO_LONGER_ACCEPTED_RISK,OTHER`                                                                                                        |
| data         | id [*required*]         | string   | UUID to identify the request                                                                                                                                                                                                                                                     |
| data         | meta [*required*]       | object   | Meta object containing the findings to be updated.                                                                                                                                                                                                                               |
| meta         | findings                     | [object] | Array of findings.                                                                                                                                                                                                                                                               |
| findings     | finding_id                   | string   | The unique ID for this finding.                                                                                                                                                                                                                                                  |
| data         | type [*required*]       | enum     | The JSON:API type for findings. Allowed enum values: `finding`                                                                                                                                                                                                                   |

{% /tab %}

{% tab title="Example" %}

```json
{
  "data": {
    "attributes": {
      "mute": {
        "expiration_date": 1778721573794,
        "muted": true,
        "reason": "ACCEPTED_RISK"
      }
    },
    "id": "dbe5f567-192b-4404-b908-29b70e1c9f76",
    "meta": {
      "findings": [
        {
          "finding_id": "ZGVmLTAwcC1pZXJ-aS0wZjhjNjMyZDNmMzRlZTgzNw=="
        }
      ]
    },
    "type": "finding"
  }
}
```

{% /tab %}
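The body rules above can be checked before the PATCH is sent: the reason must match the mute direction, `description` is limited to 280 characters, `expiration_date` must be a future Unix-ms value, and at least one finding ID is required. The Python below is an added example, not Datadog client code. `build_bulk_mute_body`, its parameters, and the `allow_indefinite` policy switch are assumptions introduced here.

```python
import json
import time
import uuid

# Allowed reasons, split by direction as the Attributes section lists them.
MUTE_REASONS = frozenset({"PENDING_FIX", "FALSE_POSITIVE", "ACCEPTED_RISK", "OTHER"})
UNMUTE_REASONS = frozenset(
    {"NO_PENDING_FIX", "HUMAN_ERROR", "NO_LONGER_ACCEPTED_RISK", "OTHER"}
)
MAX_DESCRIPTION_LEN = 280  # documented limit for mute.description


def build_bulk_mute_body(finding_ids, muted, reason, description=None,
                         expiration_ms=None, allow_indefinite=False,
                         now_ms=None, request_id=None):
    """Validate the inputs and return the JSON body for
    PATCH /api/v2/posture_management/findings. Raises ValueError on bad input.

    allow_indefinite is a local policy switch (an assumption of this example,
    not an API rule): the API accepts a mute without expiration_date and then
    mutes indefinitely, so this helper refuses that unless explicitly allowed.
    """
    if not isinstance(muted, bool):
        raise ValueError("muted must be a boolean")

    # The reason enum is shared, but each direction accepts only its own subset.
    allowed = MUTE_REASONS if muted else UNMUTE_REASONS
    if reason not in allowed:
        raise ValueError(
            f"reason {reason!r} is not valid when muted={muted}; "
            f"use one of {sorted(allowed)}"
        )

    if isinstance(finding_ids, (str, bytes)):
        raise ValueError("finding_ids must be a list of IDs, not a single string")
    ids = list(finding_ids)
    if not ids or any(not isinstance(i, str) or not i for i in ids):
        raise ValueError("finding_ids must contain at least one non-empty string")
    ids = list(dict.fromkeys(ids))  # drop duplicates, keep order

    mute = {"muted": muted, "reason": reason}

    if description is not None:
        if len(description) > MAX_DESCRIPTION_LEN:
            raise ValueError(f"description exceeds {MAX_DESCRIPTION_LEN} characters")
        mute["description"] = description

    if expiration_ms is None:
        if muted and not allow_indefinite:
            raise ValueError(
                "a mute without expiration_ms never expires; "
                "pass allow_indefinite=True to accept that"
            )
    else:
        if isinstance(expiration_ms, bool) or not isinstance(expiration_ms, int):
            raise ValueError("expiration_ms must be an integer (Unix ms)")
        now = int(time.time() * 1000) if now_ms is None else now_ms
        if expiration_ms <= now:
            raise ValueError("expiration_ms must be later than the current time")
        mute["expiration_date"] = expiration_ms

    return {
        "data": {
            "attributes": {"mute": mute},
            "id": request_id or str(uuid.uuid4()),  # UUID identifying the request
            "meta": {"findings": [{"finding_id": i} for i in ids]},
            "type": "finding",
        }
    }


if __name__ == "__main__":
    # Constructed call; the finding ID, request ID and expiration are the
    # values from the example body above, and now_ms is a fixed sample clock.
    body = build_bulk_mute_body(
        ["ZGVmLTAwcC1pZXJ-aS0wZjhjNjMyZDNmMzRlZTgzNw=="],
        muted=True,
        reason="ACCEPTED_RISK",
        expiration_ms=1778721573794,
        now_ms=1700000000000,
        request_id="dbe5f567-192b-4404-b908-29b70e1c9f76",
    )
    print(json.dumps(body, indent=2))
```

An expiration passed in seconds instead of milliseconds fails the future-timestamp check, which catches a common unit mistake before the request is sent.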

### Response

{% tab title="200" %}
OK
{% tab title="Model" %}
The expected response schema.

| Parent field | Field                  | Type   | Description                                                    |
| ------------ | ---------------------- | ------ | -------------------------------------------------------------- |
|              | data [*required*] | object | Data object containing the ID of the request that was updated. |
| data         | id                     | string | UUID used to identify the request                              |
| data         | type                   | enum   | The JSON:API type for findings. Allowed enum values: `finding` |

{% /tab %}

{% tab title="Example" %}

```json
{
  "data": {
    "id": "93bfeb70-af47-424d-908a-948d3f08e37f",
    "type": "finding"
  }
}
```

{% /tab %}

{% /tab %}

{% tab title="400" %}
Bad Request: The server cannot process the request due to invalid syntax in the request.
{% tab title="Model" %}
API error response.

| Parent field | Field                    | Type     | Description                                                                     |
| ------------ | ------------------------ | -------- | ------------------------------------------------------------------------------- |
|              | errors [*required*] | [object] | A list of errors.                                                               |
| errors       | detail                   | string   | A human-readable explanation specific to this occurrence of the error.          |
| errors       | meta                     | object   | Non-standard meta-information about the error                                   |
| errors       | source                   | object   | References to the source of the error.                                          |
| source       | header                   | string   | A string indicating the name of a single request header which caused the error. |
| source       | parameter                | string   | A string indicating which URI query parameter caused the error.                 |
| source       | pointer                  | string   | A JSON pointer to the value in the request document that caused the error.      |
| errors       | status                   | string   | Status code of the response.                                                    |
| errors       | title                    | string   | Short human-readable summary of the error.                                      |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    {
      "detail": "Missing required attribute in body",
      "meta": {},
      "source": {
        "header": "Authorization",
        "parameter": "limit",
        "pointer": "/data/attributes/title"
      },
      "status": "400",
      "title": "Bad Request"
    }
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="403" %}
Forbidden: Access denied
{% tab title="Model" %}
API error response.

| Parent field | Field                    | Type     | Description                                                                     |
| ------------ | ------------------------ | -------- | ------------------------------------------------------------------------------- |
|              | errors [*required*] | [object] | A list of errors.                                                               |
| errors       | detail                   | string   | A human-readable explanation specific to this occurrence of the error.          |
| errors       | meta                     | object   | Non-standard meta-information about the error                                   |
| errors       | source                   | object   | References to the source of the error.                                          |
| source       | header                   | string   | A string indicating the name of a single request header which caused the error. |
| source       | parameter                | string   | A string indicating which URI query parameter caused the error.                 |
| source       | pointer                  | string   | A JSON pointer to the value in the request document that caused the error.      |
| errors       | status                   | string   | Status code of the response.                                                    |
| errors       | title                    | string   | Short human-readable summary of the error.                                      |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    {
      "detail": "Missing required attribute in body",
      "meta": {},
      "source": {
        "header": "Authorization",
        "parameter": "limit",
        "pointer": "/data/attributes/title"
      },
      "status": "400",
      "title": "Bad Request"
    }
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="404" %}
Not Found: The requested finding cannot be found.
{% tab title="Model" %}
API error response.

| Parent field | Field                    | Type     | Description                                                                     |
| ------------ | ------------------------ | -------- | ------------------------------------------------------------------------------- |
|              | errors [*required*] | [object] | A list of errors.                                                               |
| errors       | detail                   | string   | A human-readable explanation specific to this occurrence of the error.          |
| errors       | meta                     | object   | Non-standard meta-information about the error                                   |
| errors       | source                   | object   | References to the source of the error.                                          |
| source       | header                   | string   | A string indicating the name of a single request header which caused the error. |
| source       | parameter                | string   | A string indicating which URI query parameter caused the error.                 |
| source       | pointer                  | string   | A JSON pointer to the value in the request document that caused the error.      |
| errors       | status                   | string   | Status code of the response.                                                    |
| errors       | title                    | string   | Short human-readable summary of the error.                                      |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    {
      "detail": "Missing required attribute in body",
      "meta": {},
      "source": {
        "header": "Authorization",
        "parameter": "limit",
        "pointer": "/data/attributes/title"
      },
      "status": "400",
      "title": "Bad Request"
    }
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="422" %}
Invalid Request: The server understands the request syntax but cannot process it due to invalid data.
{% tab title="Model" %}
API error response.

| Parent field | Field                    | Type     | Description                                                                     |
| ------------ | ------------------------ | -------- | ------------------------------------------------------------------------------- |
|              | errors [*required*] | [object] | A list of errors.                                                               |
| errors       | detail                   | string   | A human-readable explanation specific to this occurrence of the error.          |
| errors       | meta                     | object   | Non-standard meta-information about the error                                   |
| errors       | source                   | object   | References to the source of the error.                                          |
| source       | header                   | string   | A string indicating the name of a single request header which caused the error. |
| source       | parameter                | string   | A string indicating which URI query parameter caused the error.                 |
| source       | pointer                  | string   | A JSON pointer to the value in the request document that caused the error.      |
| errors       | status                   | string   | Status code of the response.                                                    |
| errors       | title                    | string   | Short human-readable summary of the error.                                      |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    {
      "detail": "Missing required attribute in body",
      "meta": {},
      "source": {
        "header": "Authorization",
        "parameter": "limit",
        "pointer": "/data/attributes/title"
      },
      "status": "400",
      "title": "Bad Request"
    }
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="429" %}
Too many requests: The rate limit set by the API has been exceeded.
{% tab title="Model" %}
API error response.

| Parent field | Field                    | Type     | Description                                                                     |
| ------------ | ------------------------ | -------- | ------------------------------------------------------------------------------- |
|              | errors [*required*] | [object] | A list of errors.                                                               |
| errors       | detail                   | string   | A human-readable explanation specific to this occurrence of the error.          |
| errors       | meta                     | object   | Non-standard meta-information about the error                                   |
| errors       | source                   | object   | References to the source of the error.                                          |
| source       | header                   | string   | A string indicating the name of a single request header which caused the error. |
| source       | parameter                | string   | A string indicating which URI query parameter caused the error.                 |
| source       | pointer                  | string   | A JSON pointer to the value in the request document that caused the error.      |
| errors       | status                   | string   | Status code of the response.                                                    |
| errors       | title                    | string   | Short human-readable summary of the error.                                      |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    {
      "detail": "Missing required attribute in body",
      "meta": {},
      "source": {
        "header": "Authorization",
        "parameter": "limit",
        "pointer": "/data/attributes/title"
      },
      "status": "400",
      "title": "Bad Request"
    }
  ]
}
```

{% /tab %}

{% /tab %}

### Code Example

##### 

```bash
# Curl command
# Replace api.datadoghq.com with the API host for your Datadog site.
curl -X PATCH "https://api.datadoghq.com/api/v2/posture_management/findings" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "data": {
    "attributes": {
      "mute": {
        "expiration_date": 1778721573794,
        "muted": true,
        "reason": "ACCEPTED_RISK"
      }
    },
    "id": "dbe5f567-192b-4404-b908-29b70e1c9f76",
    "meta": {
      "findings": [
        {
          "finding_id": "ZGVmLTAwcC1pZXJ-aS0wZjhjNjMyZDNmMzRlZTgzNw=="
        }
      ]
    },
    "type": "finding"
  }
}
EOF
```

##### 

```go
// Mute or unmute a batch of findings returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	body := datadogV2.BulkMuteFindingsRequest{
		Data: datadogV2.BulkMuteFindingsRequestData{
			Attributes: datadogV2.BulkMuteFindingsRequestAttributes{
				Mute: datadogV2.BulkMuteFindingsRequestProperties{
					ExpirationDate: datadog.PtrInt64(1778721573794),
					Muted:          true,
					Reason:         datadogV2.FINDINGMUTEREASON_ACCEPTED_RISK,
				},
			},
			Id: "dbe5f567-192b-4404-b908-29b70e1c9f76",
			Meta: datadogV2.BulkMuteFindingsRequestMeta{
				Findings: []datadogV2.BulkMuteFindingsRequestMetaFindings{
					{
						FindingId: datadog.PtrString("ZGVmLTAwcC1pZXJ-aS0wZjhjNjMyZDNmMzRlZTgzNw=="),
					},
				},
			},
			Type: datadogV2.FINDINGTYPE_FINDING,
		},
	}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	configuration.SetUnstableOperationEnabled("v2.MuteFindings", true)
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.MuteFindings(ctx, body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.MuteFindings`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.MuteFindings`:\n%s\n", responseContent)
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=go), then save the example to `main.go` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```sh
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
```

##### 

```java
// Mute or unmute a batch of findings returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.BulkMuteFindingsRequest;
import com.datadog.api.client.v2.model.BulkMuteFindingsRequestAttributes;
import com.datadog.api.client.v2.model.BulkMuteFindingsRequestData;
import com.datadog.api.client.v2.model.BulkMuteFindingsRequestMeta;
import com.datadog.api.client.v2.model.BulkMuteFindingsRequestMetaFindings;
import com.datadog.api.client.v2.model.BulkMuteFindingsRequestProperties;
import com.datadog.api.client.v2.model.BulkMuteFindingsResponse;
import com.datadog.api.client.v2.model.FindingMuteReason;
import com.datadog.api.client.v2.model.FindingType;
import java.util.Collections;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    defaultClient.setUnstableOperationEnabled("v2.muteFindings", true);
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    BulkMuteFindingsRequest body =
        new BulkMuteFindingsRequest()
            .data(
                new BulkMuteFindingsRequestData()
                    .attributes(
                        new BulkMuteFindingsRequestAttributes()
                            .mute(
                                new BulkMuteFindingsRequestProperties()
                                    .expirationDate(1778721573794L)
                                    .muted(true)
                                    .reason(FindingMuteReason.ACCEPTED_RISK)))
                    .id("dbe5f567-192b-4404-b908-29b70e1c9f76")
                    .meta(
                        new BulkMuteFindingsRequestMeta()
                            .findings(
                                Collections.singletonList(
                                    new BulkMuteFindingsRequestMetaFindings()
                                        .findingId(
                                            "ZGVmLTAwcC1pZXJ-aS0wZjhjNjMyZDNmMzRlZTgzNw=="))))
                    .type(FindingType.FINDING));

    try {
      BulkMuteFindingsResponse result = apiInstance.muteFindings(body);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println("Exception when calling SecurityMonitoringApi#muteFindings");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=java), then save the example to `Example.java` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```sh
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"
```

##### 

```python
"""
Mute or unmute a batch of findings returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.bulk_mute_findings_request import BulkMuteFindingsRequest
from datadog_api_client.v2.model.bulk_mute_findings_request_attributes import BulkMuteFindingsRequestAttributes
from datadog_api_client.v2.model.bulk_mute_findings_request_data import BulkMuteFindingsRequestData
from datadog_api_client.v2.model.bulk_mute_findings_request_meta import BulkMuteFindingsRequestMeta
from datadog_api_client.v2.model.bulk_mute_findings_request_meta_findings import BulkMuteFindingsRequestMetaFindings
from datadog_api_client.v2.model.bulk_mute_findings_request_properties import BulkMuteFindingsRequestProperties
from datadog_api_client.v2.model.finding_mute_reason import FindingMuteReason
from datadog_api_client.v2.model.finding_type import FindingType

body = BulkMuteFindingsRequest(
    data=BulkMuteFindingsRequestData(
        attributes=BulkMuteFindingsRequestAttributes(
            mute=BulkMuteFindingsRequestProperties(
                expiration_date=1778721573794,
                muted=True,
                reason=FindingMuteReason.ACCEPTED_RISK,
            ),
        ),
        id="dbe5f567-192b-4404-b908-29b70e1c9f76",
        meta=BulkMuteFindingsRequestMeta(
            findings=[
                BulkMuteFindingsRequestMetaFindings(
                    finding_id="ZGVmLTAwcC1pZXJ-aS0wZjhjNjMyZDNmMzRlZTgzNw==",
                ),
            ],
        ),
        type=FindingType.FINDING,
    ),
)

configuration = Configuration()
configuration.unstable_operations["mute_findings"] = True
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.mute_findings(body=body)

    print(response)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=python), then save the example to `example.py` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```sh
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
```

##### 

```ruby
# Mute or unmute a batch of findings returns "OK" response

require "datadog_api_client"
DatadogAPIClient.configure do |config|
  config.unstable_operations["v2.mute_findings".to_sym] = true
end
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

body = DatadogAPIClient::V2::BulkMuteFindingsRequest.new({
  data: DatadogAPIClient::V2::BulkMuteFindingsRequestData.new({
    attributes: DatadogAPIClient::V2::BulkMuteFindingsRequestAttributes.new({
      mute: DatadogAPIClient::V2::BulkMuteFindingsRequestProperties.new({
        expiration_date: 1778721573794,
        muted: true,
        reason: DatadogAPIClient::V2::FindingMuteReason::ACCEPTED_RISK,
      }),
    }),
    id: "dbe5f567-192b-4404-b908-29b70e1c9f76",
    meta: DatadogAPIClient::V2::BulkMuteFindingsRequestMeta.new({
      findings: [
        DatadogAPIClient::V2::BulkMuteFindingsRequestMetaFindings.new({
          finding_id: "ZGVmLTAwcC1pZXJ-aS0wZjhjNjMyZDNmMzRlZTgzNw==",
        }),
      ],
    }),
    type: DatadogAPIClient::V2::FindingType::FINDING,
  }),
})
p api_instance.mute_findings(body)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=ruby), then save the example to `example.rb` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```sh
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" ruby "example.rb"
```

##### 

```rust
// Mute or unmute a batch of findings returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::BulkMuteFindingsRequest;
use datadog_api_client::datadogV2::model::BulkMuteFindingsRequestAttributes;
use datadog_api_client::datadogV2::model::BulkMuteFindingsRequestData;
use datadog_api_client::datadogV2::model::BulkMuteFindingsRequestMeta;
use datadog_api_client::datadogV2::model::BulkMuteFindingsRequestMetaFindings;
use datadog_api_client::datadogV2::model::BulkMuteFindingsRequestProperties;
use datadog_api_client::datadogV2::model::FindingMuteReason;
use datadog_api_client::datadogV2::model::FindingType;

#[tokio::main]
async fn main() {
    let body = BulkMuteFindingsRequest::new(BulkMuteFindingsRequestData::new(
        BulkMuteFindingsRequestAttributes::new(
            BulkMuteFindingsRequestProperties::new(true, FindingMuteReason::ACCEPTED_RISK)
                .expiration_date(1778721573794),
        ),
        "dbe5f567-192b-4404-b908-29b70e1c9f76".to_string(),
        BulkMuteFindingsRequestMeta::new()
            .findings(vec![BulkMuteFindingsRequestMetaFindings::new().finding_id(
                "ZGVmLTAwcC1pZXJ-aS0wZjhjNjMyZDNmMzRlZTgzNw==".to_string(),
            )]),
        FindingType::FINDING,
    ));
    let mut configuration = datadog::Configuration::new();
    configuration.set_unstable_operation_enabled("v2.MuteFindings", true);
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api.mute_findings(body).await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=rust), then save the example to `src/main.rs` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```sh
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run
```

##### 

```typescript
/**
 * Mute or unmute a batch of findings returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
configuration.unstableOperations["v2.muteFindings"] = true;
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiMuteFindingsRequest = {
  body: {
    data: {
      attributes: {
        mute: {
          expirationDate: 1778721573794,
          muted: true,
          reason: "ACCEPTED_RISK",
        },
      },
      id: "dbe5f567-192b-4404-b908-29b70e1c9f76",
      meta: {
        findings: [
          {
            findingId: "ZGVmLTAwcC1pZXJ-aS0wZjhjNjMyZDNmMzRlZTgzNw==",
          },
        ],
      },
      type: "finding",
    },
  },
};

apiInstance
  .muteFindings(params)
  .then((data: v2.BulkMuteFindingsResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=typescript), then save the example to `example.ts` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```sh
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"
```

{% /tab %}

## Get a finding{% #get-a-finding %}

{% tab title="v2" %}
**Note**: This endpoint uses the legacy security findings data model and is planned for deprecation. Use the [search security findings endpoint](https://docs.datadoghq.com/api/latest/security-monitoring/#search-security-findings), which is based on the [new security findings schema](https://docs.datadoghq.com/security/guide/findings-schema/), to search security findings. If you have any feedback, contact [Datadog support](https://docs.datadoghq.com/help/).

| Datadog site      | API endpoint                                                                      |
| ----------------- | --------------------------------------------------------------------------------- |
| ap1.datadoghq.com | GET https://api.ap1.datadoghq.com/api/v2/posture_management/findings/{finding_id} |
| ap2.datadoghq.com | GET https://api.ap2.datadoghq.com/api/v2/posture_management/findings/{finding_id} |
| app.datadoghq.eu  | GET https://api.datadoghq.eu/api/v2/posture_management/findings/{finding_id}      |
| app.ddog-gov.com  | GET https://api.ddog-gov.com/api/v2/posture_management/findings/{finding_id}      |
| app.datadoghq.com | GET https://api.datadoghq.com/api/v2/posture_management/findings/{finding_id}     |
| us3.datadoghq.com | GET https://api.us3.datadoghq.com/api/v2/posture_management/findings/{finding_id} |
| us5.datadoghq.com | GET https://api.us5.datadoghq.com/api/v2/posture_management/findings/{finding_id} |

### Overview

Returns a single finding with message and resource configuration.

OAuth apps require the `security_monitoring_findings_read` authorization [scope](https://docs.datadoghq.com/api/latest/scopes/#security-monitoring) to access this endpoint.



### Arguments

#### Path Parameters

| Name                         | Type   | Description            |
| ---------------------------- | ------ | ---------------------- |
| finding_id [*required*] | string | The ID of the finding. |

#### Query Strings

| Name               | Type    | Description                                                |
| ------------------ | ------- | ---------------------------------------------------------- |
| snapshot_timestamp | integer | Return the finding for a given snapshot of time (Unix ms). |

### Response

{% tab title="200" %}
OK
{% tab title="Model" %}
The expected response schema when getting a finding.

| Parent field | Field                   | Type     | Description                                                                                                                                                               |
| ------------ | ----------------------- | -------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|              | data [*required*]  | object   | A single finding with message and resource configuration.                                                                                                                 |
| data         | attributes              | object   | The JSON:API attributes of the detailed finding.                                                                                                                          |
| attributes   | evaluation              | enum     | The evaluation of the finding. Allowed enum values: `pass,fail`                                                                                                           |
| attributes   | evaluation_changed_at   | int64    | The date on which the evaluation for this finding changed (Unix ms).                                                                                                      |
| attributes   | message                 | string   | The remediation message for this finding.                                                                                                                                 |
| attributes   | mute                    | object   | Information about the mute status of this finding.                                                                                                                        |
| mute         | description             | string   | Additional information about the reason why this finding is muted or unmuted.                                                                                             |
| mute         | expiration_date         | int64    | The expiration date of the mute or unmute action (Unix ms).                                                                                                               |
| mute         | muted                   | boolean  | Whether this finding is muted or unmuted.                                                                                                                                 |
| mute         | reason                  | enum     | The reason why this finding is muted or unmuted. Allowed enum values: `PENDING_FIX,FALSE_POSITIVE,ACCEPTED_RISK,NO_PENDING_FIX,HUMAN_ERROR,NO_LONGER_ACCEPTED_RISK,OTHER` |
| mute         | start_date              | int64    | The start of the mute period.                                                                                                                                             |
| mute         | uuid                    | string   | The ID of the user who muted or unmuted this finding.                                                                                                                     |
| attributes   | resource                | string   | The resource name of this finding.                                                                                                                                        |
| attributes   | resource_configuration  | object   | The resource configuration for this finding.                                                                                                                              |
| attributes   | resource_discovery_date | int64    | The date on which the resource was discovered (Unix ms).                                                                                                                  |
| attributes   | resource_type           | string   | The resource type of this finding.                                                                                                                                        |
| attributes   | rule                    | object   | The rule that triggered this finding.                                                                                                                                     |
| rule         | id                      | string   | The ID of the rule that triggered this finding.                                                                                                                           |
| rule         | name                    | string   | The name of the rule that triggered this finding.                                                                                                                         |
| attributes   | status                  | enum     | The status of the finding. Allowed enum values: `critical,high,medium,low,info`                                                                                           |
| attributes   | tags                    | [string] | The tags associated with this finding.                                                                                                                                    |
| data         | id                      | string   | The unique ID for this finding.                                                                                                                                           |
| data         | type                    | enum     | The JSON:API type for findings that have the message and resource configuration. Allowed enum values: `detailed_finding`                                                  |

{% /tab %}

{% tab title="Example" %}

```json
{
  "data": {
    "attributes": {
      "evaluation": "pass",
      "evaluation_changed_at": 1678721573794,
      "message": "## Remediation\n\n### From the console\n\n1. Go to Storage Account\n2. For each Storage Account, navigate to Data Protection\n3. Select Set soft delete enabled and enter the number of days to retain soft deleted data.",
      "mute": {
        "description": "To be resolved later",
        "expiration_date": 1778721573794,
        "muted": true,
        "reason": "ACCEPTED_RISK",
        "start_date": 1678721573794,
        "uuid": "e51c9744-d158-11ec-ad23-da7ad0900002"
      },
      "resource": "my_resource_name",
      "resource_configuration": {},
      "resource_discovery_date": 1678721573794,
      "resource_type": "azure_storage_account",
      "rule": {
        "id": "dv2-jzf-41i",
        "name": "Soft delete is enabled for Azure Storage"
      },
      "status": "critical",
      "tags": [
        "cloud_provider:aws",
        "myTag:myValue"
      ]
    },
    "id": "ZGVmLTAwcC1pZXJ-aS0wZjhjNjMyZDNmMzRlZTgzNw==",
    "type": "detailed_finding"
  }
}
```
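
The `mute` object in this response is what a reviewer needs in order to check that a muted finding is still justified. The following is an added example, not part of the Datadog documentation or client libraries: it parses a body shaped like the one above (or like the API error response model) and lists mute-governance issues. The 90-day limit, the issue labels, and the names `load_finding`, `audit_mute` and `FindingApiError` are assumptions made for illustration.

```python
import json
from typing import List

# Allowed mute reasons, copied from the response model table on this page.
MUTE_REASONS = {
    "PENDING_FIX", "FALSE_POSITIVE", "ACCEPTED_RISK", "NO_PENDING_FIX",
    "HUMAN_ERROR", "NO_LONGER_ACCEPTED_RISK", "OTHER",
}
MS_PER_DAY = 86_400_000  # every timestamp in the model is Unix milliseconds

# Constructed input: the 200 example from this page, trimmed to the fields
# the audit reads (message, resource_configuration and tags are omitted).
SAMPLE_RESPONSE = """
{
  "data": {
    "attributes": {
      "evaluation": "pass",
      "mute": {
        "description": "To be resolved later",
        "expiration_date": 1778721573794,
        "muted": true,
        "reason": "ACCEPTED_RISK",
        "start_date": 1678721573794,
        "uuid": "e51c9744-d158-11ec-ad23-da7ad0900002"
      },
      "resource": "my_resource_name",
      "resource_type": "azure_storage_account",
      "rule": {"id": "dv2-jzf-41i", "name": "Soft delete is enabled for Azure Storage"},
      "status": "critical"
    },
    "id": "ZGVmLTAwcC1pZXJ-aS0wZjhjNjMyZDNmMzRlZTgzNw==",
    "type": "detailed_finding"
  }
}
"""


class FindingApiError(Exception):
    """Raised when the body follows the API error response model."""


def load_finding(body_text: str) -> dict:
    """Return the `data` object of a Get-a-finding response, or raise."""
    body = json.loads(body_text)
    if "errors" in body:
        parts = []
        for err in body["errors"]:
            source = err.get("source") or {}
            where = ", ".join(f"{k}={v}" for k, v in sorted(source.items()))
            parts.append(
                f'{err.get("status")} {err.get("title")}: {err.get("detail")} ({where})'
            )
        raise FindingApiError("; ".join(parts))
    data = body.get("data") or {}
    if data.get("type") != "detailed_finding":
        raise ValueError(f"unexpected type: {data.get('type')!r}")
    return data


def audit_mute(data: dict, now_ms: int, max_mute_days: int = 90) -> List[str]:
    """List policy issues for a muted finding; empty list if unmuted or clean.

    The policy itself (90-day window, review of accepted risk on critical/high
    findings) is an assumption of this example, not a Datadog rule.
    """
    attrs = data.get("attributes") or {}
    mute = attrs.get("mute") or {}
    if not mute.get("muted"):
        return []

    issues = []
    reason = mute.get("reason")
    if reason not in MUTE_REASONS:
        issues.append("unknown_reason")
    if not (mute.get("description") or "").strip():
        issues.append("no_justification")

    expiration = mute.get("expiration_date")
    if expiration is None:
        issues.append("no_expiry")
    else:
        if expiration <= now_ms:
            issues.append("expired_but_still_muted")
        # Measure the window from start_date when present, else from now.
        start = mute.get("start_date")
        base = start if start is not None else now_ms
        if expiration - base > max_mute_days * MS_PER_DAY:
            issues.append("window_exceeds_policy")

    if attrs.get("status") in ("critical", "high") and reason == "ACCEPTED_RISK":
        issues.append("accepted_risk_on_high_severity")
    return issues


if __name__ == "__main__":
    finding = load_finding(SAMPLE_RESPONSE)
    # Fixed reference time so the output is reproducible (constructed value).
    print(finding["id"], audit_mute(finding, now_ms=1_700_000_000_000))
```

For the sample above, the mute window spans roughly 1157 days, so the finding is reported both for exceeding the assumed 90-day window and for carrying `ACCEPTED_RISK` on a `critical` status.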

{% /tab %}

{% /tab %}

{% tab title="400" %}
Bad Request: The server cannot process the request due to invalid syntax in the request.
{% tab title="Model" %}
API error response.

| Parent field | Field                    | Type     | Description                                                                     |
| ------------ | ------------------------ | -------- | ------------------------------------------------------------------------------- |
|              | errors [*required*] | [object] | A list of errors.                                                               |
| errors       | detail                   | string   | A human-readable explanation specific to this occurrence of the error.          |
| errors       | meta                     | object   | Non-standard meta-information about the error                                   |
| errors       | source                   | object   | References to the source of the error.                                          |
| source       | header                   | string   | A string indicating the name of a single request header which caused the error. |
| source       | parameter                | string   | A string indicating which URI query parameter caused the error.                 |
| source       | pointer                  | string   | A JSON pointer to the value in the request document that caused the error.      |
| errors       | status                   | string   | Status code of the response.                                                    |
| errors       | title                    | string   | Short human-readable summary of the error.                                      |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    {
      "detail": "Missing required attribute in body",
      "meta": {},
      "source": {
        "header": "Authorization",
        "parameter": "limit",
        "pointer": "/data/attributes/title"
      },
      "status": "400",
      "title": "Bad Request"
    }
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="403" %}
Forbidden: Access denied
{% tab title="Model" %}
API error response.

| Parent field | Field                    | Type     | Description                                                                     |
| ------------ | ------------------------ | -------- | ------------------------------------------------------------------------------- |
|              | errors [*required*] | [object] | A list of errors.                                                               |
| errors       | detail                   | string   | A human-readable explanation specific to this occurrence of the error.          |
| errors       | meta                     | object   | Non-standard meta-information about the error                                   |
| errors       | source                   | object   | References to the source of the error.                                          |
| source       | header                   | string   | A string indicating the name of a single request header which caused the error. |
| source       | parameter                | string   | A string indicating which URI query parameter caused the error.                 |
| source       | pointer                  | string   | A JSON pointer to the value in the request document that caused the error.      |
| errors       | status                   | string   | Status code of the response.                                                    |
| errors       | title                    | string   | Short human-readable summary of the error.                                      |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    {
      "detail": "Missing required attribute in body",
      "meta": {},
      "source": {
        "header": "Authorization",
        "parameter": "limit",
        "pointer": "/data/attributes/title"
      },
      "status": "400",
      "title": "Bad Request"
    }
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="404" %}
Not Found: The requested finding cannot be found.
{% tab title="Model" %}
API error response.

| Parent field | Field                    | Type     | Description                                                                     |
| ------------ | ------------------------ | -------- | ------------------------------------------------------------------------------- |
|              | errors [*required*] | [object] | A list of errors.                                                               |
| errors       | detail                   | string   | A human-readable explanation specific to this occurrence of the error.          |
| errors       | meta                     | object   | Non-standard meta-information about the error                                   |
| errors       | source                   | object   | References to the source of the error.                                          |
| source       | header                   | string   | A string indicating the name of a single request header which caused the error. |
| source       | parameter                | string   | A string indicating which URI query parameter caused the error.                 |
| source       | pointer                  | string   | A JSON pointer to the value in the request document that caused the error.      |
| errors       | status                   | string   | Status code of the response.                                                    |
| errors       | title                    | string   | Short human-readable summary of the error.                                      |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    {
      "detail": "Missing required attribute in body",
      "meta": {},
      "source": {
        "header": "Authorization",
        "parameter": "limit",
        "pointer": "/data/attributes/title"
      },
      "status": "400",
      "title": "Bad Request"
    }
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="429" %}
Too many requests: The rate limit set by the API has been exceeded.
{% tab title="Model" %}
API error response.

| Parent field | Field                    | Type     | Description                                                                     |
| ------------ | ------------------------ | -------- | ------------------------------------------------------------------------------- |
|              | errors [*required*] | [object] | A list of errors.                                                               |
| errors       | detail                   | string   | A human-readable explanation specific to this occurrence of the error.          |
| errors       | meta                     | object   | Non-standard meta-information about the error                                   |
| errors       | source                   | object   | References to the source of the error.                                          |
| source       | header                   | string   | A string indicating the name of a single request header which caused the error. |
| source       | parameter                | string   | A string indicating which URI query parameter caused the error.                 |
| source       | pointer                  | string   | A JSON pointer to the value in the request document that caused the error.      |
| errors       | status                   | string   | Status code of the response.                                                    |
| errors       | title                    | string   | Short human-readable summary of the error.                                      |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    {
      "detail": "Missing required attribute in body",
      "meta": {},
      "source": {
        "header": "Authorization",
        "parameter": "limit",
        "pointer": "/data/attributes/title"
      },
      "status": "400",
      "title": "Bad Request"
    }
  ]
}
```

{% /tab %}

{% /tab %}

### Code Example

##### Curl

```bash
# Path parameters
export finding_id="CHANGE_ME"
# Curl command
# Replace api.datadoghq.com with the API host for your Datadog site:
# api.ap1.datadoghq.com, api.ap2.datadoghq.com, api.datadoghq.eu,
# api.ddog-gov.com, api.us3.datadoghq.com, or api.us5.datadoghq.com
curl -X GET "https://api.datadoghq.com/api/v2/posture_management/findings/${finding_id}" \
-H "Accept: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"
```

##### Python

```python
"""
Get a finding returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi

configuration = Configuration()
configuration.unstable_operations["get_finding"] = True
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.get_finding(
        finding_id="AgAAAYd59gjghzF52gAAAAAAAAAYAAAAAEFZZDU5Z2pnQUFCRTRvV1lFeEo4SlFBQQAAACQAAAAAMDE4NzdhMDEtMDRiYS00NTZlLWFmMzMtNTIxNmNkNjVlNDMz",
    )

    print(response)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=python), then save the example to `example.py` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"

##### Ruby

```ruby
# Get a finding returns "OK" response

require "datadog_api_client"
DatadogAPIClient.configure do |config|
  config.unstable_operations["v2.get_finding".to_sym] = true
end
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new
p api_instance.get_finding("AgAAAYd59gjghzF52gAAAAAAAAAYAAAAAEFZZDU5Z2pnQUFCRTRvV1lFeEo4SlFBQQAAACQAAAAAMDE4NzdhMDEtMDRiYS00NTZlLWFmMzMtNTIxNmNkNjVlNDMz")
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=ruby), then save the example to `example.rb` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" ruby "example.rb"

##### Go

```go
// Get a finding returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	configuration.SetUnstableOperationEnabled("v2.GetFinding", true)
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.GetFinding(ctx, "AgAAAYd59gjghzF52gAAAAAAAAAYAAAAAEFZZDU5Z2pnQUFCRTRvV1lFeEo4SlFBQQAAACQAAAAAMDE4NzdhMDEtMDRiYS00NTZlLWFmMzMtNTIxNmNkNjVlNDMz", *datadogV2.NewGetFindingOptionalParameters())

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.GetFinding`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.GetFinding`:\n%s\n", responseContent)
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=go), then save the example to `main.go` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"

##### Java

```java
// Get a finding returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.GetFindingResponse;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    defaultClient.setUnstableOperationEnabled("v2.getFinding", true);
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    try {
      GetFindingResponse result =
          apiInstance.getFinding(
              "AgAAAYd59gjghzF52gAAAAAAAAAYAAAAAEFZZDU5Z2pnQUFCRTRvV1lFeEo4SlFBQQAAACQAAAAAMDE4NzdhMDEtMDRiYS00NTZlLWFmMzMtNTIxNmNkNjVlNDMz");
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println("Exception when calling SecurityMonitoringApi#getFinding");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=java), then save the example to `Example.java` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"

##### Rust

```rust
// Get a finding returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::GetFindingOptionalParams;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;

#[tokio::main]
async fn main() {
    let mut configuration = datadog::Configuration::new();
    configuration.set_unstable_operation_enabled("v2.GetFinding", true);
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp =
        api
            .get_finding(
                "AgAAAYd59gjghzF52gAAAAAAAAAYAAAAAEFZZDU5Z2pnQUFCRTRvV1lFeEo4SlFBQQAAACQAAAAAMDE4NzdhMDEtMDRiYS00NTZlLWFmMzMtNTIxNmNkNjVlNDMz".to_string(),
                GetFindingOptionalParams::default(),
            )
            .await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=rust), then save the example to `src/main.rs` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run

##### TypeScript

```typescript
/**
 * Get a finding returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
configuration.unstableOperations["v2.getFinding"] = true;
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiGetFindingRequest = {
  findingId:
    "AgAAAYd59gjghzF52gAAAAAAAAAYAAAAAEFZZDU5Z2pnQUFCRTRvV1lFeEo4SlFBQQAAACQAAAAAMDE4NzdhMDEtMDRiYS00NTZlLWFmMzMtNTIxNmNkNjVlNDMz",
};

apiInstance
  .getFinding(params)
  .then((data: v2.GetFindingResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=typescript), then save the example to `example.ts` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"
{% /tab %}

## Modify the triage assignee of a security signal{% #modify-the-triage-assignee-of-a-security-signal %}

{% tab title="v1" %}

| Datadog site      | API endpoint                                                                               |
| ----------------- | ------------------------------------------------------------------------------------------ |
| ap1.datadoghq.com | PATCH https://api.ap1.datadoghq.com/api/v1/security_analytics/signals/{signal_id}/assignee |
| ap2.datadoghq.com | PATCH https://api.ap2.datadoghq.com/api/v1/security_analytics/signals/{signal_id}/assignee |
| app.datadoghq.eu  | PATCH https://api.datadoghq.eu/api/v1/security_analytics/signals/{signal_id}/assignee      |
| app.ddog-gov.com  | PATCH https://api.ddog-gov.com/api/v1/security_analytics/signals/{signal_id}/assignee      |
| app.datadoghq.com | PATCH https://api.datadoghq.com/api/v1/security_analytics/signals/{signal_id}/assignee     |
| us3.datadoghq.com | PATCH https://api.us3.datadoghq.com/api/v1/security_analytics/signals/{signal_id}/assignee |
| us5.datadoghq.com | PATCH https://api.us5.datadoghq.com/api/v1/security_analytics/signals/{signal_id}/assignee |

### Overview

This endpoint is deprecated - Modify the triage assignee of a security signal. This endpoint requires the `security_monitoring_signals_write` permission.

### Arguments

#### Path Parameters

| Name                        | Type   | Description           |
| --------------------------- | ------ | --------------------- |
| signal_id [*required*] | string | The ID of the signal. |

### Request

#### Body Data (required)

Attributes describing the signal update.

{% tab title="Model" %}

| Field                      | Type   | Description                                                                               |
| -------------------------- | ------ | ----------------------------------------------------------------------------------------- |
| assignee [*required*] | string | The UUID of the user being assigned. Use empty string to return signal to unassigned.     |
| version                    | int64  | Version of the updated signal. If server side version is higher, update will be rejected. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "assignee": "773b045d-ccf8-4808-bd3b-955ef6a8c940"
}
```

{% /tab %}

### Response

{% tab title="200" %}
OK
{% tab title="Model" %}
Updated signal data following a successfully performed update.

| Field  | Type   | Description             |
| ------ | ------ | ----------------------- |
| status | string | Status of the response. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "status": "string"
}
```

{% /tab %}

{% /tab %}

{% tab title="400" %}
Bad Request
{% tab title="Model" %}
Error response object.

| Field                    | Type     | Description                          |
| ------------------------ | -------- | ------------------------------------ |
| errors [*required*] | [string] | Array of errors returned by the API. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="403" %}
Forbidden
{% tab title="Model" %}
Error response object.

| Field                    | Type     | Description                          |
| ------------------------ | -------- | ------------------------------------ |
| errors [*required*] | [string] | Array of errors returned by the API. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="404" %}
Not Found
{% tab title="Model" %}
Error response object.

| Field                    | Type     | Description                          |
| ------------------------ | -------- | ------------------------------------ |
| errors [*required*] | [string] | Array of errors returned by the API. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="429" %}
Too many requests
{% tab title="Model" %}
Error response object.

| Field                    | Type     | Description                          |
| ------------------------ | -------- | ------------------------------------ |
| errors [*required*] | [string] | Array of errors returned by the API. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

### Code Example

##### Curl

```bash
# Path parameters
export signal_id="CHANGE_ME"
# Curl command
# Replace api.datadoghq.com with the API host for your Datadog site:
# api.ap1.datadoghq.com, api.ap2.datadoghq.com, api.datadoghq.eu,
# api.ddog-gov.com, api.us3.datadoghq.com, or api.us5.datadoghq.com
curl -X PATCH "https://api.datadoghq.com/api/v1/security_analytics/signals/${signal_id}/assignee" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "assignee": "773b045d-ccf8-4808-bd3b-955ef6a8c940"
}
EOF
```

##### Go

```go
// Modify the triage assignee of a security signal returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV1"
)

func main() {
	body := datadogV1.SignalAssigneeUpdateRequest{
		Assignee: "773b045d-ccf8-4808-bd3b-955ef6a8c940",
	}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV1.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.EditSecurityMonitoringSignalAssignee(ctx, "AQAAAYDiB_Ol8PbzFAAAAABBWURpQl9PbEFBQU0yeXhGTG9ZV2JnQUE", body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.EditSecurityMonitoringSignalAssignee`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.EditSecurityMonitoringSignalAssignee`:\n%s\n", responseContent)
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=go), then save the example to `main.go` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" go run "main.go"

##### Java

```java
// Modify the triage assignee of a security signal returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v1.api.SecurityMonitoringApi;
import com.datadog.api.client.v1.model.SignalAssigneeUpdateRequest;
import com.datadog.api.client.v1.model.SuccessfulSignalUpdateResponse;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    SignalAssigneeUpdateRequest body =
        new SignalAssigneeUpdateRequest().assignee("773b045d-ccf8-4808-bd3b-955ef6a8c940");

    try {
      SuccessfulSignalUpdateResponse result =
          apiInstance.editSecurityMonitoringSignalAssignee(
              "AQAAAYDiB_Ol8PbzFAAAAABBWURpQl9PbEFBQU0yeXhGTG9ZV2JnQUE", body);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#editSecurityMonitoringSignalAssignee");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=java), then save the example to `Example.java` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" java "Example.java"

##### Python

```python
"""
Modify the triage assignee of a security signal returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v1.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v1.model.signal_assignee_update_request import SignalAssigneeUpdateRequest

body = SignalAssigneeUpdateRequest(
    assignee="773b045d-ccf8-4808-bd3b-955ef6a8c940",
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.edit_security_monitoring_signal_assignee(
        signal_id="AQAAAYDiB_Ol8PbzFAAAAABBWURpQl9PbEFBQU0yeXhGTG9ZV2JnQUE", body=body
    )

    print(response)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=python), then save the example to `example.py` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" python3 "example.py"

##### Ruby

```ruby
# Modify the triage assignee of a security signal returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V1::SecurityMonitoringAPI.new

body = DatadogAPIClient::V1::SignalAssigneeUpdateRequest.new({
  assignee: "773b045d-ccf8-4808-bd3b-955ef6a8c940",
})
p api_instance.edit_security_monitoring_signal_assignee("AQAAAYDiB_Ol8PbzFAAAAABBWURpQl9PbEFBQU0yeXhGTG9ZV2JnQUE", body)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=ruby), then save the example to `example.rb` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" ruby "example.rb"

##### Rust

```rust
// Modify the triage assignee of a security signal returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV1::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV1::model::SignalAssigneeUpdateRequest;

#[tokio::main]
async fn main() {
    let body = SignalAssigneeUpdateRequest::new("773b045d-ccf8-4808-bd3b-955ef6a8c940".to_string());
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api
        .edit_security_monitoring_signal_assignee(
            "AQAAAYDiB_Ol8PbzFAAAAABBWURpQl9PbEFBQU0yeXhGTG9ZV2JnQUE".to_string(),
            body,
        )
        .await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=rust), then save the example to `src/main.rs` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" cargo run

##### TypeScript

```typescript
/**
 * Modify the triage assignee of a security signal returns "OK" response
 */

import { client, v1 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v1.SecurityMonitoringApi(configuration);

const params: v1.SecurityMonitoringApiEditSecurityMonitoringSignalAssigneeRequest =
  {
    body: {
      assignee: "773b045d-ccf8-4808-bd3b-955ef6a8c940",
    },
    signalId: "AQAAAYDiB_Ol8PbzFAAAAABBWURpQl9PbEFBQU0yeXhGTG9ZV2JnQUE",
  };

apiInstance
  .editSecurityMonitoringSignalAssignee(params)
  .then((data: v1.SuccessfulSignalUpdateResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=typescript), then save the example to `example.ts` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" tsc "example.ts"
{% /tab %}

{% tab title="v2" %}

| Datadog site      | API endpoint                                                                                |
| ----------------- | ------------------------------------------------------------------------------------------- |
| ap1.datadoghq.com | PATCH https://api.ap1.datadoghq.com/api/v2/security_monitoring/signals/{signal_id}/assignee |
| ap2.datadoghq.com | PATCH https://api.ap2.datadoghq.com/api/v2/security_monitoring/signals/{signal_id}/assignee |
| app.datadoghq.eu  | PATCH https://api.datadoghq.eu/api/v2/security_monitoring/signals/{signal_id}/assignee      |
| app.ddog-gov.com  | PATCH https://api.ddog-gov.com/api/v2/security_monitoring/signals/{signal_id}/assignee      |
| app.datadoghq.com | PATCH https://api.datadoghq.com/api/v2/security_monitoring/signals/{signal_id}/assignee     |
| us3.datadoghq.com | PATCH https://api.us3.datadoghq.com/api/v2/security_monitoring/signals/{signal_id}/assignee |
| us5.datadoghq.com | PATCH https://api.us5.datadoghq.com/api/v2/security_monitoring/signals/{signal_id}/assignee |

### Overview

Modify the triage assignee of a security signal. This endpoint requires the `security_monitoring_signals_write` permission.

### Arguments

#### Path Parameters

| Name                        | Type   | Description           |
| --------------------------- | ------ | --------------------- |
| signal_id [*required*] | string | The ID of the signal. |

### Request

#### Body Data (required)

Attributes describing the signal update.

{% tab title="Model" %}

| Parent field | Field                        | Type   | Description                                                                               |
| ------------ | ---------------------------- | ------ | ----------------------------------------------------------------------------------------- |
|              | data [*required*]       | object | Data containing the patch for changing the assignee of a signal.                          |
| data         | attributes [*required*] | object | Attributes describing the new assignee of a security signal.                              |
| attributes   | assignee [*required*]   | object | Object representing a given user entity.                                                  |
| assignee     | handle                       | string | The handle for this user account.                                                         |
| assignee     | icon                         | string | Gravatar icon associated to the user.                                                     |
| assignee     | id                           | int64  | Numerical ID assigned by Datadog to this user account.                                    |
| assignee     | name                         | string | The name for this user account.                                                           |
| assignee     | uuid [*required*]       | string | UUID assigned by Datadog to this user account.                                            |
| attributes   | version                      | int64  | Version of the updated signal. If server side version is higher, update will be rejected. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "data": {
    "attributes": {
      "assignee": {
        "uuid": ""
      }
    }
  }
}
```

{% /tab %}
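The v1 assignee endpoint is deprecated, and its flat body maps onto the nested v2 model shown above. The following added example (not from the Datadog documentation or client libraries) converts a v1 body to the v2 shape, builds the PATCH request for a site from the endpoint table, and flattens both error formats shown on this page. The function names are hypothetical, the keys are passed in by the caller, and nothing is sent over the network.

```python
import json
import uuid
from urllib.parse import quote

# Datadog site -> API host, copied from the v2 endpoint table on this page.
API_HOSTS = {
    "ap1.datadoghq.com": "api.ap1.datadoghq.com",
    "ap2.datadoghq.com": "api.ap2.datadoghq.com",
    "app.datadoghq.eu": "api.datadoghq.eu",
    "app.ddog-gov.com": "api.ddog-gov.com",
    "app.datadoghq.com": "api.datadoghq.com",
    "us3.datadoghq.com": "api.us3.datadoghq.com",
    "us5.datadoghq.com": "api.us5.datadoghq.com",
}

INT64_MIN, INT64_MAX = -(2**63), 2**63 - 1


def v1_to_v2_assignee_body(v1_body):
    """Map the deprecated v1 body {"assignee", "version"} to the v2 model."""
    unknown = set(v1_body) - {"assignee", "version"}
    if unknown:
        raise ValueError(f"unexpected v1 fields: {sorted(unknown)}")
    assignee = v1_body.get("assignee")
    if not isinstance(assignee, str):
        raise ValueError("assignee is required and must be a string")
    if assignee:
        # Reject anything that is not a UUID and emit the canonical form.
        # An empty string is passed through unchanged (v1 documents it as
        # "unassigned"; the v2 example on this page also uses an empty uuid).
        assignee = str(uuid.UUID(assignee))
    attributes = {"assignee": {"uuid": assignee}}
    if "version" in v1_body:
        version = v1_body["version"]
        if isinstance(version, bool) or not isinstance(version, int):
            raise ValueError("version must be an integer")
        if not INT64_MIN <= version <= INT64_MAX:
            raise ValueError("version does not fit in int64")
        attributes["version"] = version
    return {"data": {"attributes": attributes}}


def build_assignee_patch(site, signal_id, v1_body, api_key, app_key):
    """Return method, URL, headers and JSON body for the v2 PATCH call."""
    if site not in API_HOSTS:
        raise ValueError(f"unknown Datadog site: {site!r}")
    if not isinstance(signal_id, str) or not signal_id:
        raise ValueError("signal_id is required")
    # Percent-encode the ID so it can never add or alter path segments.
    url = "https://{}/api/v2/security_monitoring/signals/{}/assignee".format(
        API_HOSTS[site], quote(signal_id, safe="")
    )
    return {
        "method": "PATCH",
        "url": url,
        "headers": {
            "Accept": "application/json",
            "Content-Type": "application/json",
            "DD-API-KEY": api_key,
            "DD-APPLICATION-KEY": app_key,
        },
        "body": json.dumps(v1_to_v2_assignee_body(v1_body), sort_keys=True),
    }


def error_messages(payload):
    """Flatten both error shapes shown on this page into readable strings."""
    messages = []
    for err in payload.get("errors") or []:
        if not isinstance(err, dict):
            # v1 shape: {"errors": ["Bad Request"]}
            messages.append(str(err))
            continue
        # Object shape: detail, status, title and an optional source object.
        source = err.get("source") or {}
        where = ", ".join(
            f"{key}={source[key]}"
            for key in ("header", "parameter", "pointer")
            if key in source
        )
        msg = f'{err.get("status", "?")} {err.get("title", "")}: {err.get("detail", "")}'
        messages.append(f"{msg} [{where}]" if where else msg)
    return messages


if __name__ == "__main__":
    # Constructed inputs: the IDs are the sample values used on this page,
    # the keys are placeholders.
    request = build_assignee_patch(
        "app.datadoghq.com",
        "AQAAAYDiB_Ol8PbzFAAAAABBWURpQl9PbEFBQU0yeXhGTG9ZV2JnQUE",
        {"assignee": "773b045d-ccf8-4808-bd3b-955ef6a8c940", "version": 3},
        "<API-KEY>",
        "<APP-KEY>",
    )
    print(request["url"])
    print(request["body"])
```

Log the output of `error_messages` rather than the request dictionary, since the latter carries both keys in its headers.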

### Response

{% tab title="200" %}
OK
{% tab title="Model" %}
The response returned after all triage operations, containing the updated signal triage data.

| Parent field         | Field                          | Type      | Description                                                                                                                                                                           |
| -------------------- | ------------------------------ | --------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|                      | data [*required*]         | object    | Data containing the updated triage attributes of the signal.                                                                                                                          |
| data                 | attributes                     | object    | Attributes describing a triage state update operation over a security signal.                                                                                                         |
| attributes           | archive_comment                | string    | Optional comment to display on archived signals.                                                                                                                                      |
| attributes           | archive_comment_timestamp      | int64     | Timestamp of the last edit to the comment.                                                                                                                                            |
| attributes           | archive_comment_user           | object    | Object representing a given user entity.                                                                                                                                              |
| archive_comment_user | handle                         | string    | The handle for this user account.                                                                                                                                                     |
| archive_comment_user | icon                           | string    | Gravatar icon associated to the user.                                                                                                                                                 |
| archive_comment_user | id                             | int64     | Numerical ID assigned by Datadog to this user account.                                                                                                                                |
| archive_comment_user | name                           | string    | The name for this user account.                                                                                                                                                       |
| archive_comment_user | uuid [*required*]         | string    | UUID assigned by Datadog to this user account.                                                                                                                                        |
| attributes           | archive_reason                 | enum      | Reason a signal is archived. Allowed enum values: `none,false_positive,testing_or_maintenance,remediated,investigated_case_opened,true_positive_benign,true_positive_malicious,other` |
| attributes           | assignee [*required*]     | object    | Object representing a given user entity.                                                                                                                                              |
| assignee             | handle                         | string    | The handle for this user account.                                                                                                                                                     |
| assignee             | icon                           | string    | Gravatar icon associated to the user.                                                                                                                                                 |
| assignee             | id                             | int64     | Numerical ID assigned by Datadog to this user account.                                                                                                                                |
| assignee             | name                           | string    | The name for this user account.                                                                                                                                                       |
| assignee             | uuid [*required*]         | string    | UUID assigned by Datadog to this user account.                                                                                                                                        |
| attributes           | incident_ids [*required*] | [integer] | Array of incidents that are associated with this signal.                                                                                                                              |
| attributes           | state [*required*]        | enum      | The new triage state of the signal. Allowed enum values: `open,archived,under_review`                                                                                                 |
| attributes           | state_update_timestamp         | int64     | Timestamp of the last update to the signal state.                                                                                                                                     |
| attributes           | state_update_user              | object    | Object representing a given user entity.                                                                                                                                              |
| state_update_user    | handle                         | string    | The handle for this user account.                                                                                                                                                     |
| state_update_user    | icon                           | string    | Gravatar icon associated to the user.                                                                                                                                                 |
| state_update_user    | id                             | int64     | Numerical ID assigned by Datadog to this user account.                                                                                                                                |
| state_update_user    | name                           | string    | The name for this user account.                                                                                                                                                       |
| state_update_user    | uuid [*required*]         | string    | UUID assigned by Datadog to this user account.                                                                                                                                        |
| data                 | id                             | string    | The unique ID of the security signal.                                                                                                                                                 |
| data                 | type                           | enum      | The type of event. Allowed enum values: `signal_metadata`                                                                                                                             |

{% /tab %}

{% tab title="Example" %}

```json
{
  "data": {
    "attributes": {
      "archive_comment": "string",
      "archive_comment_timestamp": "integer",
      "archive_comment_user": {
        "handle": "string",
        "icon": "/path/to/matching/gravatar/icon",
        "id": "integer",
        "name": "string",
        "uuid": "773b045d-ccf8-4808-bd3b-955ef6a8c940"
      },
      "archive_reason": "string",
      "assignee": {
        "handle": "string",
        "icon": "/path/to/matching/gravatar/icon",
        "id": "integer",
        "name": "string",
        "uuid": "773b045d-ccf8-4808-bd3b-955ef6a8c940"
      },
      "incident_ids": [
        2066
      ],
      "state": "open",
      "state_update_timestamp": "integer",
      "state_update_user": {
        "handle": "string",
        "icon": "/path/to/matching/gravatar/icon",
        "id": "integer",
        "name": "string",
        "uuid": "773b045d-ccf8-4808-bd3b-955ef6a8c940"
      }
    },
    "id": "string",
    "type": "signal_metadata"
  }
}
```

{% /tab %}

{% /tab %}

{% tab title="400" %}
Bad Request
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="403" %}
Not Authorized
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="404" %}
Not Found
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="429" %}
Too many requests
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

### Code Example

##### Curl

```bash
# Path parameters
export signal_id="CHANGE_ME"
# Curl command. Replace api.datadoghq.com with the API host for your Datadog site:
# api.ap1.datadoghq.com, api.ap2.datadoghq.com, api.datadoghq.eu, api.ddog-gov.com,
# api.us3.datadoghq.com or api.us5.datadoghq.com
curl -X PATCH "https://api.datadoghq.com/api/v2/security_monitoring/signals/${signal_id}/assignee" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "data": {
    "attributes": {
      "assignee": {
        "uuid": ""
      }
    }
  }
}
EOF
```

##### Go

```go
// Modify the triage assignee of a security signal returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	body := datadogV2.SecurityMonitoringSignalAssigneeUpdateRequest{
		Data: datadogV2.SecurityMonitoringSignalAssigneeUpdateData{
			Attributes: datadogV2.SecurityMonitoringSignalAssigneeUpdateAttributes{
				Assignee: datadogV2.SecurityMonitoringTriageUser{
					Uuid: "",
				},
			},
		},
	}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.EditSecurityMonitoringSignalAssignee(ctx, "AQAAAYG1bl5K4HuUewAAAABBWUcxYmw1S0FBQmt2RmhRN0V4ZUVnQUE", body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.EditSecurityMonitoringSignalAssignee`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.EditSecurityMonitoringSignalAssignee`:\n%s\n", responseContent)
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=go), then save the example to `main.go` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
```

##### Java

```java
// Modify the triage assignee of a security signal returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityMonitoringSignalAssigneeUpdateAttributes;
import com.datadog.api.client.v2.model.SecurityMonitoringSignalAssigneeUpdateData;
import com.datadog.api.client.v2.model.SecurityMonitoringSignalAssigneeUpdateRequest;
import com.datadog.api.client.v2.model.SecurityMonitoringSignalTriageUpdateResponse;
import com.datadog.api.client.v2.model.SecurityMonitoringTriageUser;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    SecurityMonitoringSignalAssigneeUpdateRequest body =
        new SecurityMonitoringSignalAssigneeUpdateRequest()
            .data(
                new SecurityMonitoringSignalAssigneeUpdateData()
                    .attributes(
                        new SecurityMonitoringSignalAssigneeUpdateAttributes()
                            .assignee(new SecurityMonitoringTriageUser().uuid(""))));

    try {
      SecurityMonitoringSignalTriageUpdateResponse result =
          apiInstance.editSecurityMonitoringSignalAssignee(
              "AQAAAYG1bl5K4HuUewAAAABBWUcxYmw1S0FBQmt2RmhRN0V4ZUVnQUE", body);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#editSecurityMonitoringSignalAssignee");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=java), then save the example to `Example.java` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"
```

##### Python

```python
"""
Modify the triage assignee of a security signal returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.security_monitoring_signal_assignee_update_attributes import (
    SecurityMonitoringSignalAssigneeUpdateAttributes,
)
from datadog_api_client.v2.model.security_monitoring_signal_assignee_update_data import (
    SecurityMonitoringSignalAssigneeUpdateData,
)
from datadog_api_client.v2.model.security_monitoring_signal_assignee_update_request import (
    SecurityMonitoringSignalAssigneeUpdateRequest,
)
from datadog_api_client.v2.model.security_monitoring_triage_user import SecurityMonitoringTriageUser

body = SecurityMonitoringSignalAssigneeUpdateRequest(
    data=SecurityMonitoringSignalAssigneeUpdateData(
        attributes=SecurityMonitoringSignalAssigneeUpdateAttributes(
            assignee=SecurityMonitoringTriageUser(
                uuid="",
            ),
        ),
    ),
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.edit_security_monitoring_signal_assignee(
        signal_id="AQAAAYG1bl5K4HuUewAAAABBWUcxYmw1S0FBQmt2RmhRN0V4ZUVnQUE", body=body
    )

    print(response)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=python), then save the example to `example.py` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
```

##### Ruby

```ruby
# Modify the triage assignee of a security signal returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

body = DatadogAPIClient::V2::SecurityMonitoringSignalAssigneeUpdateRequest.new({
  data: DatadogAPIClient::V2::SecurityMonitoringSignalAssigneeUpdateData.new({
    attributes: DatadogAPIClient::V2::SecurityMonitoringSignalAssigneeUpdateAttributes.new({
      assignee: DatadogAPIClient::V2::SecurityMonitoringTriageUser.new({
        uuid: "",
      }),
    }),
  }),
})
p api_instance.edit_security_monitoring_signal_assignee("AQAAAYG1bl5K4HuUewAAAABBWUcxYmw1S0FBQmt2RmhRN0V4ZUVnQUE", body)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=ruby), then save the example to `example.rb` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" ruby "example.rb"
```

##### Rust

```rust
// Modify the triage assignee of a security signal returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::SecurityMonitoringSignalAssigneeUpdateAttributes;
use datadog_api_client::datadogV2::model::SecurityMonitoringSignalAssigneeUpdateData;
use datadog_api_client::datadogV2::model::SecurityMonitoringSignalAssigneeUpdateRequest;
use datadog_api_client::datadogV2::model::SecurityMonitoringTriageUser;

#[tokio::main]
async fn main() {
    let body = SecurityMonitoringSignalAssigneeUpdateRequest::new(
        SecurityMonitoringSignalAssigneeUpdateData::new(
            SecurityMonitoringSignalAssigneeUpdateAttributes::new(
                SecurityMonitoringTriageUser::new("".to_string()),
            ),
        ),
    );
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api
        .edit_security_monitoring_signal_assignee(
            "AQAAAYG1bl5K4HuUewAAAABBWUcxYmw1S0FBQmt2RmhRN0V4ZUVnQUE".to_string(),
            body,
        )
        .await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=rust), then save the example to `src/main.rs` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run
```

##### Typescript

```typescript
/**
 * Modify the triage assignee of a security signal returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiEditSecurityMonitoringSignalAssigneeRequest =
  {
    body: {
      data: {
        attributes: {
          assignee: {
            uuid: "",
          },
        },
      },
    },
    signalId: "AQAAAYG1bl5K4HuUewAAAABBWUcxYmw1S0FBQmt2RmhRN0V4ZUVnQUE",
  };

apiInstance
  .editSecurityMonitoringSignalAssignee(params)
  .then((data: v2.SecurityMonitoringSignalTriageUpdateResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=typescript), then save the example to `example.ts` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"
```
{% /tab %}

## Get the list of vulnerability notification rules{% #get-the-list-of-vulnerability-notification-rules %}

{% tab title="v2" %}

| Datadog site      | API endpoint                                                                         |
| ----------------- | ------------------------------------------------------------------------------------ |
| ap1.datadoghq.com | GET https://api.ap1.datadoghq.com/api/v2/security/vulnerabilities/notification_rules |
| ap2.datadoghq.com | GET https://api.ap2.datadoghq.com/api/v2/security/vulnerabilities/notification_rules |
| app.datadoghq.eu  | GET https://api.datadoghq.eu/api/v2/security/vulnerabilities/notification_rules      |
| app.ddog-gov.com  | GET https://api.ddog-gov.com/api/v2/security/vulnerabilities/notification_rules      |
| app.datadoghq.com | GET https://api.datadoghq.com/api/v2/security/vulnerabilities/notification_rules     |
| us3.datadoghq.com | GET https://api.us3.datadoghq.com/api/v2/security/vulnerabilities/notification_rules |
| us5.datadoghq.com | GET https://api.us5.datadoghq.com/api/v2/security/vulnerabilities/notification_rules |

### Overview

Returns the list of notification rules for security vulnerabilities. This endpoint requires the `security_monitoring_notification_profiles_read` permission.

### Response

{% tab title="200" %}
The list of notification rules.
{% tab title="Model" %}

| Parent field | Field                            | Type     | Description                                                                                                                                                                                                                                                                                                                                                                                                                            |
| ------------ | -------------------------------- | -------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|              | data                             | [object] |  |
| data         | attributes [*required*]     | object   | Attributes of the notification rule.                                                                                                                                                                                                                                                                                                                                                                                                   |
| attributes   | created_at [*required*]     | int64    | Date as Unix timestamp in milliseconds.                                                                                                                                                                                                                                                                                                                                                                                                |
| attributes   | created_by [*required*]     | object   | User creating or modifying a rule.                                                                                                                                                                                                                                                                                                                                                                                                     |
| created_by   | handle                           | string   | The user handle.                                                                                                                                                                                                                                                                                                                                                                                                                       |
| created_by   | name                             | string   | The user name.                                                                                                                                                                                                                                                                                                                                                                                                                         |
| attributes   | enabled [*required*]        | boolean  | Field used to enable or disable the rule.                                                                                                                                                                                                                                                                                                                                                                                              |
| attributes   | modified_at [*required*]    | int64    | Date as Unix timestamp in milliseconds.                                                                                                                                                                                                                                                                                                                                                                                                |
| attributes   | modified_by [*required*]    | object   | User creating or modifying a rule.                                                                                                                                                                                                                                                                                                                                                                                                     |
| modified_by  | handle                           | string   | The user handle.                                                                                                                                                                                                                                                                                                                                                                                                                       |
| modified_by  | name                             | string   | The user name.                                                                                                                                                                                                                                                                                                                                                                                                                         |
| attributes   | name [*required*]           | string   | Name of the notification rule.                                                                                                                                                                                                                                                                                                                                                                                                         |
| attributes   | selectors [*required*]      | object   | Selectors are used to filter security issues for which notifications should be generated. Users can specify rule severities, rule types, a query to filter security issues on tags and attributes, and the trigger source. Only the trigger_source field is required.                                                                                                                                                                  |
| selectors    | query                            | string   | The query is composed of one or several key:value pairs, which can be used to filter security issues on tags and attributes.                                                                                                                                                                                                                                                                                                           |
| selectors    | rule_types                       | [string] | Security rule types used as filters in security rules.                                                                                                                                                                                                                                                                                                                                                                                 |
| selectors    | severities                       | [string] | The security rules severities to consider.                                                                                                                                                                                                                                                                                                                                                                                             |
| selectors    | trigger_source [*required*] | enum     | The type of security issues on which the rule applies. Notification rules based on security signals need to use the trigger source "security_signals", while notification rules based on security vulnerabilities need to use the trigger source "security_findings". Allowed enum values: `security_findings,security_signals`                                                                                                        |
| attributes   | targets [*required*]        | [string] | List of recipients to notify when a notification rule is triggered. Many different target types are supported, such as email addresses, Slack channels, and PagerDuty services. The appropriate integrations need to be properly configured to send notifications to the specified targets.                                                                                                                                            |
| attributes   | time_aggregation                 | int64    | Time aggregation period (in seconds) is used to aggregate the results of the notification rule evaluation. Results are aggregated over a selected time frame using a rolling window, which updates with each new evaluation. Notifications are only sent for new issues discovered during the window. Time aggregation is only available for vulnerability-based notification rules. When omitted or set to 0, no aggregation is done. |
| attributes   | version [*required*]        | int64    | Version of the notification rule. It is updated when the rule is modified.                                                                                                                                                                                                                                                                                                                                                             |
| data         | id [*required*]             | string   | The ID of a notification rule.                                                                                                                                                                                                                                                                                                                                                                                                         |
| data         | type [*required*]           | enum     | The rule type associated to notification rules. Allowed enum values: `notification_rules`                                                                                                                                                                                                                                                                                                                                              |

{% /tab %}

{% tab title="Example" %}

```json
{
  "data": [
    {
      "attributes": {
        "created_at": 1722439510282,
        "created_by": {
          "handle": "john.doe@domain.com",
          "name": "John Doe"
        },
        "enabled": true,
        "modified_at": 1722439510282,
        "modified_by": {
          "handle": "john.doe@domain.com",
          "name": "John Doe"
        },
        "name": "Rule 1",
        "selectors": {
          "query": "(source:production_service OR env:prod)",
          "rule_types": [
            "misconfiguration",
            "attack_path"
          ],
          "severities": [
            "critical"
          ],
          "trigger_source": "security_findings"
        },
        "targets": [
          "@john.doe@email.com"
        ],
        "time_aggregation": 86400,
        "version": 1
      },
      "id": "aaa-bbb-ccc",
      "type": "notification_rules"
    }
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="403" %}
Forbidden
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="429" %}
Too many requests
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}
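
The response model above lends itself to a coverage audit. The following is an added example, not part of the Datadog documentation or client library: it checks each returned rule against the field semantics in the model table. The sample response is constructed and trimmed to the fields the audit reads; `audit_notification_rules`, its problem labels, and the `required_severities` and `max_aggregation_seconds` policy parameters are assumptions, as is treating an omitted `severities` list as "no severity filter".

```python
import json

# Constructed sample, shaped like the 200 response example on this page and
# trimmed to the fields the audit reads. Rules 2 and 3 are invented test cases.
SAMPLE_RESPONSE = json.loads("""
{
  "data": [
    {"id": "aaa-bbb-ccc", "type": "notification_rules", "attributes": {
      "name": "Rule 1", "enabled": true, "version": 1,
      "targets": ["@john.doe@email.com"], "time_aggregation": 86400,
      "selectors": {"query": "(source:production_service OR env:prod)",
                    "rule_types": ["misconfiguration", "attack_path"],
                    "severities": ["critical"],
                    "trigger_source": "security_findings"}}},
    {"id": "ddd-eee-fff", "type": "notification_rules", "attributes": {
      "name": "Rule 2", "enabled": false, "version": 3,
      "targets": [],
      "selectors": {"trigger_source": "security_findings"}}},
    {"id": "ggg-hhh-iii", "type": "notification_rules", "attributes": {
      "name": "Rule 3", "enabled": true, "version": 2,
      "targets": ["@oncall@example.com"], "time_aggregation": 3600,
      "selectors": {"severities": ["low"],
                    "trigger_source": "security_signals"}}}
  ]
}
""")

# Enum values listed for selectors.trigger_source in the model table.
TRIGGER_SOURCES = {"security_findings", "security_signals"}


def audit_notification_rules(response, required_severities=("critical",),
                             max_aggregation_seconds=86400):
    """Return one entry per rule that has at least one coverage problem.

    required_severities and max_aggregation_seconds are local policy knobs
    (assumptions of this example), not part of the API.
    """
    findings = []
    for rule in response.get("data", []):
        attrs = rule.get("attributes", {})
        selectors = attrs.get("selectors", {})
        problems = []

        # A disabled rule, or one with no recipients, never notifies anyone.
        if not attrs.get("enabled", False):
            problems.append("disabled")
        if not attrs.get("targets"):
            problems.append("no_targets")

        # Vulnerability-based rules must use trigger_source "security_findings".
        source = selectors.get("trigger_source")
        if source not in TRIGGER_SOURCES:
            problems.append("invalid_trigger_source")
        elif source != "security_findings":
            problems.append("not_vulnerability_based")

        # Assumption: an omitted or empty severities list means no severity
        # filter, so only an explicit list can exclude a required severity.
        severities = selectors.get("severities") or []
        missing = [s for s in required_severities
                   if severities and s not in severities]
        if missing:
            problems.append("missing_severity:" + ",".join(missing))

        # time_aggregation is in seconds; omitted or 0 means no aggregation,
        # and it is only available for vulnerability-based rules.
        window = attrs.get("time_aggregation") or 0
        if window > 0 and source != "security_findings":
            problems.append("aggregation_on_non_vulnerability_rule")
        if window > max_aggregation_seconds:
            problems.append("aggregation_window_too_long")

        if problems:
            findings.append({"id": rule.get("id"),
                             "name": attrs.get("name"),
                             "problems": problems})
    return findings


if __name__ == "__main__":
    for finding in audit_notification_rules(SAMPLE_RESPONSE):
        print(finding["id"], finding["name"], ", ".join(finding["problems"]))
```

To run it against live data, pass the parsed JSON body returned by this endpoint in place of `SAMPLE_RESPONSE`.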

### Code Example

##### Curl

```bash
# Curl command. Replace api.datadoghq.com with the API host for your Datadog site:
# api.ap1.datadoghq.com, api.ap2.datadoghq.com, api.datadoghq.eu, api.ddog-gov.com,
# api.us3.datadoghq.com or api.us5.datadoghq.com
curl -X GET "https://api.datadoghq.com/api/v2/security/vulnerabilities/notification_rules" \
-H "Accept: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"
```

##### Python

```python
"""
Get the list of vulnerability notification rules returns "The list of notification rules." response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.get_vulnerability_notification_rules()

    print(response)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=python), then save the example to `example.py` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
```

##### Ruby

```ruby
# Get the list of vulnerability notification rules returns "The list of notification rules." response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new
p api_instance.get_vulnerability_notification_rules()
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=ruby), then save the example to `example.rb` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" ruby "example.rb"
```

##### Go

```go
// Get the list of vulnerability notification rules returns "The list of notification rules." response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.GetVulnerabilityNotificationRules(ctx)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.GetVulnerabilityNotificationRules`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
		// Exit non-zero so a failed call is not followed by an empty "Response" dump.
		os.Exit(1)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.GetVulnerabilityNotificationRules`:\n%s\n", responseContent)
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=go), then save the example to `main.go` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```sh
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
```

```java
// Get the list of vulnerability notification rules returns "The list of notification rules."
// response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    try {
      apiInstance.getVulnerabilityNotificationRules();
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#getVulnerabilityNotificationRules");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=java), then save the example to `Example.java` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```sh
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"
```

```rust
// Get the list of vulnerability notification rules returns "The list of
// notification rules." response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;

#[tokio::main]
async fn main() {
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api.get_vulnerability_notification_rules().await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=rust), then save the example to `src/main.rs` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```sh
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run
```

```typescript
/**
 * Get the list of vulnerability notification rules returns "The list of notification rules." response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

apiInstance
  .getVulnerabilityNotificationRules()
  .then((data: any) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=typescript), then save the example to `example.ts` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```sh
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"
```
{% /tab %}

## Create a new vulnerability-based notification rule{% #create-a-new-vulnerability-based-notification-rule %}

{% tab title="v2" %}

| Datadog site      | API endpoint                                                                          |
| ----------------- | ------------------------------------------------------------------------------------- |
| ap1.datadoghq.com | POST https://api.ap1.datadoghq.com/api/v2/security/vulnerabilities/notification_rules |
| ap2.datadoghq.com | POST https://api.ap2.datadoghq.com/api/v2/security/vulnerabilities/notification_rules |
| app.datadoghq.eu  | POST https://api.datadoghq.eu/api/v2/security/vulnerabilities/notification_rules      |
| app.ddog-gov.com  | POST https://api.ddog-gov.com/api/v2/security/vulnerabilities/notification_rules      |
| app.datadoghq.com | POST https://api.datadoghq.com/api/v2/security/vulnerabilities/notification_rules     |
| us3.datadoghq.com | POST https://api.us3.datadoghq.com/api/v2/security/vulnerabilities/notification_rules |
| us5.datadoghq.com | POST https://api.us5.datadoghq.com/api/v2/security/vulnerabilities/notification_rules |

### Overview

Create a new notification rule for security vulnerabilities and return the created rule. This endpoint requires the `security_monitoring_notification_profiles_write` permission.

### Request

#### Body Data (required)

The body of the create notification rule request is composed of the rule type and the rule attributes: the rule name, the selectors, the notification targets, and the rule enabled status.

{% tab title="Model" %}

| Parent field | Field                            | Type     | Description                                                                                                                                                                                                                                                                                                                                                                                                                            |
| ------------ | -------------------------------- | -------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|              | data                             | object   | Data of the notification rule create request: the rule type, and the rule attributes. All fields are required.                                                                                                                                                                                                                                                                                                                         |
| data         | attributes [*required*]     | object   | Attributes of the notification rule create request.                                                                                                                                                                                                                                                                                                                                                                                    |
| attributes   | enabled                          | boolean  | Field used to enable or disable the rule.                                                                                                                                                                                                                                                                                                                                                                                              |
| attributes   | name [*required*]           | string   | Name of the notification rule.                                                                                                                                                                                                                                                                                                                                                                                                         |
| attributes   | selectors [*required*]      | object   | Selectors are used to filter security issues for which notifications should be generated. Users can specify rule severities, rule types, a query to filter security issues on tags and attributes, and the trigger source. Only the trigger_source field is required.                                                                                                                                                                  |
| selectors    | query                            | string   | The query is composed of one or several key:value pairs, which can be used to filter security issues on tags and attributes.                                                                                                                                                                                                                                                                                                           |
| selectors    | rule_types                       | [string] | Security rule types used as filters in security rules.                                                                                                                                                                                                                                                                                                                                                                                 |
| selectors    | severities                       | [string] | The security rules severities to consider.                                                                                                                                                                                                                                                                                                                                                                                             |
| selectors    | trigger_source [*required*] | enum     | The type of security issues on which the rule applies. Notification rules based on security signals need to use the trigger source "security_signals", while notification rules based on security vulnerabilities need to use the trigger source "security_findings". Allowed enum values: `security_findings,security_signals`                                                                                                        |
| attributes   | targets [*required*]        | [string] | List of recipients to notify when a notification rule is triggered. Many different target types are supported, such as email addresses, Slack channels, and PagerDuty services. The appropriate integrations need to be properly configured to send notifications to the specified targets.                                                                                                                                            |
| attributes   | time_aggregation                 | int64    | Time aggregation period (in seconds) is used to aggregate the results of the notification rule evaluation. Results are aggregated over a selected time frame using a rolling window, which updates with each new evaluation. Notifications are only sent for new issues discovered during the window. Time aggregation is only available for vulnerability-based notification rules. When omitted or set to 0, no aggregation is done. |
| data         | type [*required*]           | enum     | The rule type associated to notification rules. Allowed enum values: `notification_rules`                                                                                                                                                                                                                                                                                                                                              |

{% /tab %}

{% tab title="Example" %}

```json
{
  "data": {
    "attributes": {
      "enabled": true,
      "name": "Rule 1",
      "selectors": {
        "query": "(source:production_service OR env:prod)",
        "rule_types": [
          "misconfiguration",
          "attack_path"
        ],
        "severities": [
          "critical"
        ],
        "trigger_source": "security_findings"
      },
      "targets": [
        "@john.doe@email.com"
      ],
      "time_aggregation": 86400
    },
    "type": "notification_rules"
  }
}
```

{% /tab %}
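
The constraints in the Model table can be checked client-side before the POST, for example in a CI job that manages notification rules as code. The following is an added example, not Datadog's code: the function names, the non-empty-targets check, and the `allowed_email_domains` policy are assumptions of this example, and only email-style targets in the form shown in the Example tab are inspected.

```python
"""Pre-flight check of a create-notification-rule body (added example)."""
import copy

# Enum values and required fields come from the Model table above.
TRIGGER_SOURCES = {"security_findings", "security_signals"}
RULE_TYPE = "notification_rules"
INT64_MAX = 2**63 - 1


def _is_str_list(value):
    return isinstance(value, list) and all(isinstance(v, str) for v in value)


def validate_vulnerability_rule(body, allowed_email_domains=None):
    """Return a list of problems; an empty list means the body passed.

    allowed_email_domains is a hypothetical local policy, not an API feature:
    when given, email-style targets must use one of these domains.
    """
    data = body.get("data") if isinstance(body, dict) else None
    if not isinstance(data, dict):
        return ["data: required object"]
    errors = []
    if data.get("type") != RULE_TYPE:
        errors.append(f"data.type: must be {RULE_TYPE!r}")
    attrs = data.get("attributes")
    if not isinstance(attrs, dict):
        return errors + ["data.attributes: required object"]

    name = attrs.get("name")
    if not isinstance(name, str) or not name.strip():
        errors.append("attributes.name: required non-empty string")
    if "enabled" in attrs and not isinstance(attrs["enabled"], bool):
        errors.append("attributes.enabled: must be a boolean")

    selectors = attrs.get("selectors")
    if not isinstance(selectors, dict):
        errors.append("attributes.selectors: required object")
    else:
        source = selectors.get("trigger_source")
        if not isinstance(source, str) or source not in TRIGGER_SOURCES:
            errors.append("selectors.trigger_source: required, one of "
                          + ", ".join(sorted(TRIGGER_SOURCES)))
        elif source != "security_findings":
            # The table requires this value for vulnerability-based rules.
            errors.append("selectors.trigger_source: vulnerability-based "
                          "rules use 'security_findings'")
        for key in ("rule_types", "severities"):
            if key in selectors and not _is_str_list(selectors[key]):
                errors.append(f"selectors.{key}: must be a list of strings")
        if "query" in selectors and not isinstance(selectors["query"], str):
            errors.append("selectors.query: must be a string")

    targets = attrs.get("targets")
    if not _is_str_list(targets):
        errors.append("attributes.targets: required list of strings")
    elif not targets:
        errors.append("attributes.targets: empty, nobody would be notified (local check)")
    elif allowed_email_domains is not None:
        allowed = {d.lower() for d in allowed_email_domains}
        for target in targets:
            handle = target[1:] if target.startswith("@") else target
            if "@" in handle:  # email-style target such as "@john.doe@email.com"
                domain = handle.rsplit("@", 1)[1].lower()
                if domain not in allowed:
                    errors.append(f"attributes.targets: {target!r} is outside the allowed domains")

    agg = attrs.get("time_aggregation")
    # bool is a subclass of int in Python, so reject it explicitly.
    if agg is not None and (isinstance(agg, bool) or not isinstance(agg, int)
                            or not 0 <= agg <= INT64_MAX):
        errors.append("attributes.time_aggregation: must be a non-negative int64 (seconds)")
    return errors


# Request body from the Example tab above.
SAMPLE_BODY = {"data": {"type": "notification_rules", "attributes": {
    "enabled": True,
    "name": "Rule 1",
    "selectors": {
        "query": "(source:production_service OR env:prod)",
        "rule_types": ["misconfiguration", "attack_path"],
        "severities": ["critical"],
        "trigger_source": "security_findings",
    },
    "targets": ["@john.doe@email.com"],
    "time_aggregation": 86400,
}}}


def demo_problems():
    """Validate a constructed, deliberately wrong variant of SAMPLE_BODY."""
    bad = copy.deepcopy(SAMPLE_BODY)
    attrs = bad["data"]["attributes"]
    del attrs["name"]
    attrs["selectors"]["trigger_source"] = "security_signals"
    attrs["targets"] = ["@alice@personal.example"]
    attrs["time_aggregation"] = -1
    return validate_vulnerability_rule(bad, allowed_email_domains={"email.com"})
```

The API still performs its own validation and returns the 400 response documented below; this check only catches mistakes and policy violations before the request is sent.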

### Response

{% tab title="201" %}
Successfully created the notification rule.
{% tab title="Model" %}
Response object which includes a notification rule.

| Parent field | Field                            | Type     | Description                                                                                                                                                                                                                                                                                                                                                                                                                            |
| ------------ | -------------------------------- | -------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|              | data                             | object   | Notification rules allow full control over notifications generated by the various Datadog security products. They allow users to define the conditions under which a notification should be generated (based on rule severities, rule types, rule tags, and so on), and the targets to notify. A notification rule is composed of a rule ID, a rule type, and the rule attributes. All fields are required.                            |
| data         | attributes [*required*]     | object   | Attributes of the notification rule.                                                                                                                                                                                                                                                                                                                                                                                                   |
| attributes   | created_at [*required*]     | int64    | Date as Unix timestamp in milliseconds.                                                                                                                                                                                                                                                                                                                                                                                                |
| attributes   | created_by [*required*]     | object   | User creating or modifying a rule.                                                                                                                                                                                                                                                                                                                                                                                                     |
| created_by   | handle                           | string   | The user handle.                                                                                                                                                                                                                                                                                                                                                                                                                       |
| created_by   | name                             | string   | The user name.                                                                                                                                                                                                                                                                                                                                                                                                                         |
| attributes   | enabled [*required*]        | boolean  | Field used to enable or disable the rule.                                                                                                                                                                                                                                                                                                                                                                                              |
| attributes   | modified_at [*required*]    | int64    | Date as Unix timestamp in milliseconds.                                                                                                                                                                                                                                                                                                                                                                                                |
| attributes   | modified_by [*required*]    | object   | User creating or modifying a rule.                                                                                                                                                                                                                                                                                                                                                                                                     |
| modified_by  | handle                           | string   | The user handle.                                                                                                                                                                                                                                                                                                                                                                                                                       |
| modified_by  | name                             | string   | The user name.                                                                                                                                                                                                                                                                                                                                                                                                                         |
| attributes   | name [*required*]           | string   | Name of the notification rule.                                                                                                                                                                                                                                                                                                                                                                                                         |
| attributes   | selectors [*required*]      | object   | Selectors are used to filter security issues for which notifications should be generated. Users can specify rule severities, rule types, a query to filter security issues on tags and attributes, and the trigger source. Only the trigger_source field is required.                                                                                                                                                                  |
| selectors    | query                            | string   | The query is composed of one or several key:value pairs, which can be used to filter security issues on tags and attributes.                                                                                                                                                                                                                                                                                                           |
| selectors    | rule_types                       | [string] | Security rule types used as filters in security rules.                                                                                                                                                                                                                                                                                                                                                                                 |
| selectors    | severities                       | [string] | The security rules severities to consider.                                                                                                                                                                                                                                                                                                                                                                                             |
| selectors    | trigger_source [*required*] | enum     | The type of security issues on which the rule applies. Notification rules based on security signals need to use the trigger source "security_signals", while notification rules based on security vulnerabilities need to use the trigger source "security_findings". Allowed enum values: `security_findings,security_signals`                                                                                                        |
| attributes   | targets [*required*]        | [string] | List of recipients to notify when a notification rule is triggered. Many different target types are supported, such as email addresses, Slack channels, and PagerDuty services. The appropriate integrations need to be properly configured to send notifications to the specified targets.                                                                                                                                            |
| attributes   | time_aggregation                 | int64    | Time aggregation period (in seconds) is used to aggregate the results of the notification rule evaluation. Results are aggregated over a selected time frame using a rolling window, which updates with each new evaluation. Notifications are only sent for new issues discovered during the window. Time aggregation is only available for vulnerability-based notification rules. When omitted or set to 0, no aggregation is done. |
| attributes   | version [*required*]        | int64    | Version of the notification rule. It is updated when the rule is modified.                                                                                                                                                                                                                                                                                                                                                             |
| data         | id [*required*]             | string   | The ID of a notification rule.                                                                                                                                                                                                                                                                                                                                                                                                         |
| data         | type [*required*]           | enum     | The rule type associated to notification rules. Allowed enum values: `notification_rules`                                                                                                                                                                                                                                                                                                                                              |

{% /tab %}

{% tab title="Example" %}

```json
{
  "data": {
    "attributes": {
      "created_at": 1722439510282,
      "created_by": {
        "handle": "john.doe@domain.com",
        "name": "John Doe"
      },
      "enabled": true,
      "modified_at": 1722439510282,
      "modified_by": {
        "handle": "john.doe@domain.com",
        "name": "John Doe"
      },
      "name": "Rule 1",
      "selectors": {
        "query": "(source:production_service OR env:prod)",
        "rule_types": [
          "misconfiguration",
          "attack_path"
        ],
        "severities": [
          "critical"
        ],
        "trigger_source": "security_findings"
      },
      "targets": [
        "@john.doe@email.com"
      ],
      "time_aggregation": 86400,
      "version": 1
    },
    "id": "aaa-bbb-ccc",
    "type": "notification_rules"
  }
}
```

{% /tab %}

{% /tab %}

{% tab title="400" %}
Bad Request
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="403" %}
Forbidden
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="429" %}
Too many requests
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

### Code Example

```bash
# Curl command
# Replace api.datadoghq.com with the API host for your Datadog site (see the endpoint table above).
curl -X POST "https://api.datadoghq.com/api/v2/security/vulnerabilities/notification_rules" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "data": {
    "attributes": {
      "enabled": true,
      "name": "Rule 1",
      "selectors": {
        "query": "(source:production_service OR env:prod)",
        "rule_types": [
          "misconfiguration",
          "attack_path"
        ],
        "severities": [
          "critical"
        ],
        "trigger_source": "security_findings"
      },
      "targets": [
        "@john.doe@email.com"
      ],
      "time_aggregation": 86400
    },
    "type": "notification_rules"
  }
}
EOF
```

```go
// Create a new vulnerability-based notification rule returns "Successfully created the notification rule." response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	body := datadogV2.CreateNotificationRuleParameters{
		Data: &datadogV2.CreateNotificationRuleParametersData{
			Attributes: datadogV2.CreateNotificationRuleParametersDataAttributes{
				Enabled: datadog.PtrBool(true),
				Name:    "Rule 1",
				Selectors: datadogV2.Selectors{
					Query: datadog.PtrString("(source:production_service OR env:prod)"),
					RuleTypes: []datadogV2.RuleTypesItems{
						datadogV2.RULETYPESITEMS_MISCONFIGURATION,
						datadogV2.RULETYPESITEMS_ATTACK_PATH,
					},
					Severities: []datadogV2.RuleSeverity{
						datadogV2.RULESEVERITY_CRITICAL,
					},
					TriggerSource: datadogV2.TRIGGERSOURCE_SECURITY_FINDINGS,
				},
				Targets: []string{
					"@john.doe@email.com",
				},
				TimeAggregation: datadog.PtrInt64(86400),
			},
			Type: datadogV2.NOTIFICATIONRULESTYPE_NOTIFICATION_RULES,
		},
	}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.CreateVulnerabilityNotificationRule(ctx, body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.CreateVulnerabilityNotificationRule`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
		// Exit non-zero so a failed call is not followed by an empty "Response" dump.
		os.Exit(1)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.CreateVulnerabilityNotificationRule`:\n%s\n", responseContent)
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=go), then save the example to `main.go` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```sh
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
```

```java
// Create a new vulnerability-based notification rule returns "Successfully created the notification
// rule." response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.CreateNotificationRuleParameters;
import com.datadog.api.client.v2.model.CreateNotificationRuleParametersData;
import com.datadog.api.client.v2.model.CreateNotificationRuleParametersDataAttributes;
import com.datadog.api.client.v2.model.NotificationRuleResponse;
import com.datadog.api.client.v2.model.NotificationRulesType;
import com.datadog.api.client.v2.model.RuleSeverity;
import com.datadog.api.client.v2.model.RuleTypesItems;
import com.datadog.api.client.v2.model.Selectors;
import com.datadog.api.client.v2.model.TriggerSource;
import java.util.Arrays;
import java.util.Collections;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    CreateNotificationRuleParameters body =
        new CreateNotificationRuleParameters()
            .data(
                new CreateNotificationRuleParametersData()
                    .attributes(
                        new CreateNotificationRuleParametersDataAttributes()
                            .enabled(true)
                            .name("Rule 1")
                            .selectors(
                                new Selectors()
                                    .query("(source:production_service OR env:prod)")
                                    .ruleTypes(
                                        Arrays.asList(
                                            RuleTypesItems.MISCONFIGURATION,
                                            RuleTypesItems.ATTACK_PATH))
                                    .severities(Collections.singletonList(RuleSeverity.CRITICAL))
                                    .triggerSource(TriggerSource.SECURITY_FINDINGS))
                            .targets(Collections.singletonList("@john.doe@email.com"))
                            .timeAggregation(86400L))
                    .type(NotificationRulesType.NOTIFICATION_RULES));

    try {
      NotificationRuleResponse result = apiInstance.createVulnerabilityNotificationRule(body);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#createVulnerabilityNotificationRule");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=java), then save the example to `Example.java` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```bash
DD_SITE="<DD_SITE>" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"
```

```python
"""
Create a new vulnerability-based notification rule returns "Successfully created the notification rule." response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.create_notification_rule_parameters import CreateNotificationRuleParameters
from datadog_api_client.v2.model.create_notification_rule_parameters_data import CreateNotificationRuleParametersData
from datadog_api_client.v2.model.create_notification_rule_parameters_data_attributes import (
    CreateNotificationRuleParametersDataAttributes,
)
from datadog_api_client.v2.model.notification_rules_type import NotificationRulesType
from datadog_api_client.v2.model.rule_severity import RuleSeverity
from datadog_api_client.v2.model.rule_types_items import RuleTypesItems
from datadog_api_client.v2.model.selectors import Selectors
from datadog_api_client.v2.model.trigger_source import TriggerSource

body = CreateNotificationRuleParameters(
    data=CreateNotificationRuleParametersData(
        attributes=CreateNotificationRuleParametersDataAttributes(
            enabled=True,
            name="Rule 1",
            selectors=Selectors(
                query="(source:production_service OR env:prod)",
                rule_types=[
                    RuleTypesItems.MISCONFIGURATION,
                    RuleTypesItems.ATTACK_PATH,
                ],
                severities=[
                    RuleSeverity.CRITICAL,
                ],
                trigger_source=TriggerSource.SECURITY_FINDINGS,
            ),
            targets=[
                "@john.doe@email.com",
            ],
            time_aggregation=86400,
        ),
        type=NotificationRulesType.NOTIFICATION_RULES,
    ),
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.create_vulnerability_notification_rule(body=body)

    print(response)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=python), then save the example to `example.py` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```bash
DD_SITE="<DD_SITE>" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
```

```ruby
# Create a new vulnerability-based notification rule returns "Successfully created the notification rule." response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

body = DatadogAPIClient::V2::CreateNotificationRuleParameters.new({
  data: DatadogAPIClient::V2::CreateNotificationRuleParametersData.new({
    attributes: DatadogAPIClient::V2::CreateNotificationRuleParametersDataAttributes.new({
      enabled: true,
      name: "Rule 1",
      selectors: DatadogAPIClient::V2::Selectors.new({
        query: "(source:production_service OR env:prod)",
        rule_types: [
          DatadogAPIClient::V2::RuleTypesItems::MISCONFIGURATION,
          DatadogAPIClient::V2::RuleTypesItems::ATTACK_PATH,
        ],
        severities: [
          DatadogAPIClient::V2::RuleSeverity::CRITICAL,
        ],
        trigger_source: DatadogAPIClient::V2::TriggerSource::SECURITY_FINDINGS,
      }),
      targets: [
        "@john.doe@email.com",
      ],
      time_aggregation: 86400,
    }),
    type: DatadogAPIClient::V2::NotificationRulesType::NOTIFICATION_RULES,
  }),
})
p api_instance.create_vulnerability_notification_rule(body)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=ruby), then save the example to `example.rb` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```bash
DD_SITE="<DD_SITE>" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" ruby "example.rb"
```

```rust
// Create a new vulnerability-based notification rule returns "Successfully
// created the notification rule." response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::CreateNotificationRuleParameters;
use datadog_api_client::datadogV2::model::CreateNotificationRuleParametersData;
use datadog_api_client::datadogV2::model::CreateNotificationRuleParametersDataAttributes;
use datadog_api_client::datadogV2::model::NotificationRulesType;
use datadog_api_client::datadogV2::model::RuleSeverity;
use datadog_api_client::datadogV2::model::RuleTypesItems;
use datadog_api_client::datadogV2::model::Selectors;
use datadog_api_client::datadogV2::model::TriggerSource;

#[tokio::main]
async fn main() {
    let body =
        CreateNotificationRuleParameters::new().data(CreateNotificationRuleParametersData::new(
            CreateNotificationRuleParametersDataAttributes::new(
                "Rule 1".to_string(),
                Selectors::new(TriggerSource::SECURITY_FINDINGS)
                    .query("(source:production_service OR env:prod)".to_string())
                    .rule_types(vec![
                        RuleTypesItems::MISCONFIGURATION,
                        RuleTypesItems::ATTACK_PATH,
                    ])
                    .severities(vec![RuleSeverity::CRITICAL]),
                vec!["@john.doe@email.com".to_string()],
            )
            .enabled(true)
            .time_aggregation(86400),
            NotificationRulesType::NOTIFICATION_RULES,
        ));
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api.create_vulnerability_notification_rule(body).await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=rust), then save the example to `src/main.rs` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```bash
DD_SITE="<DD_SITE>" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run
```

```typescript
/**
 * Create a new vulnerability-based notification rule returns "Successfully created the notification rule." response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiCreateVulnerabilityNotificationRuleRequest =
  {
    body: {
      data: {
        attributes: {
          enabled: true,
          name: "Rule 1",
          selectors: {
            query: "(source:production_service OR env:prod)",
            ruleTypes: ["misconfiguration", "attack_path"],
            severities: ["critical"],
            triggerSource: "security_findings",
          },
          targets: ["@john.doe@email.com"],
          timeAggregation: 86400,
        },
        type: "notification_rules",
      },
    },
  };

apiInstance
  .createVulnerabilityNotificationRule(params)
  .then((data: v2.NotificationRuleResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=typescript), then save the example to `example.ts` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```bash
DD_SITE="<DD_SITE>" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"
```
{% /tab %}

## Get details of a vulnerability notification rule{% #get-details-of-a-vulnerability-notification-rule %}

{% tab title="v2" %}

| Datadog site      | API endpoint                                                                              |
| ----------------- | ----------------------------------------------------------------------------------------- |
| ap1.datadoghq.com | GET https://api.ap1.datadoghq.com/api/v2/security/vulnerabilities/notification_rules/{id} |
| ap2.datadoghq.com | GET https://api.ap2.datadoghq.com/api/v2/security/vulnerabilities/notification_rules/{id} |
| app.datadoghq.eu  | GET https://api.datadoghq.eu/api/v2/security/vulnerabilities/notification_rules/{id}      |
| app.ddog-gov.com  | GET https://api.ddog-gov.com/api/v2/security/vulnerabilities/notification_rules/{id}      |
| app.datadoghq.com | GET https://api.datadoghq.com/api/v2/security/vulnerabilities/notification_rules/{id}     |
| us3.datadoghq.com | GET https://api.us3.datadoghq.com/api/v2/security/vulnerabilities/notification_rules/{id} |
| us5.datadoghq.com | GET https://api.us5.datadoghq.com/api/v2/security/vulnerabilities/notification_rules/{id} |

### Overview

Get the details of a notification rule for security vulnerabilities. This endpoint requires the `security_monitoring_notification_profiles_read` permission.

### Arguments

#### Path Parameters

| Name                 | Type   | Description                  |
| -------------------- | ------ | ---------------------------- |
| id [*required*] | string | ID of the notification rule. |

### Response

{% tab title="200" %}
Notification rule details.
{% tab title="Model" %}
Response object which includes a notification rule.

| Parent field | Field                            | Type     | Description                                                                                                                                                                                                                                                                                                                                                                                                                            |
| ------------ | -------------------------------- | -------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|              | data                             | object   | Notification rules allow full control over notifications generated by the various Datadog security products. They allow users to define the conditions under which a notification should be generated (based on rule severities, rule types, rule tags, and so on), and the targets to notify. A notification rule is composed of a rule ID, a rule type, and the rule attributes. All fields are required.                            |
| data         | attributes [*required*]     | object   | Attributes of the notification rule.                                                                                                                                                                                                                                                                                                                                                                                                   |
| attributes   | created_at [*required*]     | int64    | Date as Unix timestamp in milliseconds.                                                                                                                                                                                                                                                                                                                                                                                                |
| attributes   | created_by [*required*]     | object   | User creating or modifying a rule.                                                                                                                                                                                                                                                                                                                                                                                                     |
| created_by   | handle                           | string   | The user handle.                                                                                                                                                                                                                                                                                                                                                                                                                       |
| created_by   | name                             | string   | The user name.                                                                                                                                                                                                                                                                                                                                                                                                                         |
| attributes   | enabled [*required*]        | boolean  | Field used to enable or disable the rule.                                                                                                                                                                                                                                                                                                                                                                                              |
| attributes   | modified_at [*required*]    | int64    | Date as Unix timestamp in milliseconds.                                                                                                                                                                                                                                                                                                                                                                                                |
| attributes   | modified_by [*required*]    | object   | User creating or modifying a rule.                                                                                                                                                                                                                                                                                                                                                                                                     |
| modified_by  | handle                           | string   | The user handle.                                                                                                                                                                                                                                                                                                                                                                                                                       |
| modified_by  | name                             | string   | The user name.                                                                                                                                                                                                                                                                                                                                                                                                                         |
| attributes   | name [*required*]           | string   | Name of the notification rule.                                                                                                                                                                                                                                                                                                                                                                                                         |
| attributes   | selectors [*required*]      | object   | Selectors are used to filter security issues for which notifications should be generated. Users can specify rule severities, rule types, a query to filter security issues on tags and attributes, and the trigger source. Only the trigger_source field is required.                                                                                                                                                                  |
| selectors    | query                            | string   | The query is composed of one or several key:value pairs, which can be used to filter security issues on tags and attributes.                                                                                                                                                                                                                                                                                                           |
| selectors    | rule_types                       | [string] | Security rule types used as filters in security rules.                                                                                                                                                                                                                                                                                                                                                                                 |
| selectors    | severities                       | [string] | The security rules severities to consider.                                                                                                                                                                                                                                                                                                                                                                                             |
| selectors    | trigger_source [*required*] | enum     | The type of security issues on which the rule applies. Notification rules based on security signals need to use the trigger source "security_signals", while notification rules based on security vulnerabilities need to use the trigger source "security_findings". Allowed enum values: `security_findings,security_signals`                                                                                                        |
| attributes   | targets [*required*]        | [string] | List of recipients to notify when a notification rule is triggered. Many different target types are supported, such as email addresses, Slack channels, and PagerDuty services. The appropriate integrations need to be properly configured to send notifications to the specified targets.                                                                                                                                            |
| attributes   | time_aggregation                 | int64    | Time aggregation period (in seconds) is used to aggregate the results of the notification rule evaluation. Results are aggregated over a selected time frame using a rolling window, which updates with each new evaluation. Notifications are only sent for new issues discovered during the window. Time aggregation is only available for vulnerability-based notification rules. When omitted or set to 0, no aggregation is done. |
| attributes   | version [*required*]        | int64    | Version of the notification rule. It is updated when the rule is modified.                                                                                                                                                                                                                                                                                                                                                             |
| data         | id [*required*]             | string   | The ID of a notification rule.                                                                                                                                                                                                                                                                                                                                                                                                         |
| data         | type [*required*]           | enum     | The rule type associated to notification rules. Allowed enum values: `notification_rules`                                                                                                                                                                                                                                                                                                                                              |

{% /tab %}

{% tab title="Example" %}

```json
{
  "data": {
    "attributes": {
      "created_at": 1722439510282,
      "created_by": {
        "handle": "john.doe@domain.com",
        "name": "John Doe"
      },
      "enabled": true,
      "modified_at": 1722439510282,
      "modified_by": {
        "handle": "john.doe@domain.com",
        "name": "John Doe"
      },
      "name": "Rule 1",
      "selectors": {
        "query": "(source:production_service OR env:prod)",
        "rule_types": [
          "misconfiguration",
          "attack_path"
        ],
        "severities": [
          "critical"
        ],
        "trigger_source": "security_findings"
      },
      "targets": [
        "@john.doe@email.com"
      ],
      "time_aggregation": 86400,
      "version": 1
    },
    "id": "aaa-bbb-ccc",
    "type": "notification_rules"
  }
}
```

{% /tab %}

{% /tab %}

{% tab title="400" %}
Bad Request
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="403" %}
Forbidden
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="404" %}
Not Found
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="429" %}
Too many requests
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

### Code Example

```bash
# Path parameters
export id="CHANGE_ME"
# Curl command (replace the host with the API host for your Datadog site from the endpoint table above)
curl -X GET "https://api.datadoghq.com/api/v2/security/vulnerabilities/notification_rules/${id}" \
-H "Accept: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"
```

```python
"""
Get details of a vulnerability notification rule returns "Notification rule details." response
"""

from os import environ
from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi

# there is a valid "valid_vulnerability_notification_rule" in the system
VALID_VULNERABILITY_NOTIFICATION_RULE_DATA_ID = environ["VALID_VULNERABILITY_NOTIFICATION_RULE_DATA_ID"]

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.get_vulnerability_notification_rule(
        id=VALID_VULNERABILITY_NOTIFICATION_RULE_DATA_ID,
    )

    print(response)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=python), then save the example to `example.py` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```bash
DD_SITE="<DD_SITE>" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
```

```ruby
# Get details of a vulnerability notification rule returns "Notification rule details." response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

# there is a valid "valid_vulnerability_notification_rule" in the system
VALID_VULNERABILITY_NOTIFICATION_RULE_DATA_ID = ENV["VALID_VULNERABILITY_NOTIFICATION_RULE_DATA_ID"]
p api_instance.get_vulnerability_notification_rule(VALID_VULNERABILITY_NOTIFICATION_RULE_DATA_ID)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=ruby), then save the example to `example.rb` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```bash
DD_SITE="<DD_SITE>" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" ruby "example.rb"
```

```go
// Get details of a vulnerability notification rule returns "Notification rule details." response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	// there is a valid "valid_vulnerability_notification_rule" in the system
	ValidVulnerabilityNotificationRuleDataID := os.Getenv("VALID_VULNERABILITY_NOTIFICATION_RULE_DATA_ID")

	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.GetVulnerabilityNotificationRule(ctx, ValidVulnerabilityNotificationRuleDataID)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.GetVulnerabilityNotificationRule`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.GetVulnerabilityNotificationRule`:\n%s\n", responseContent)
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=go), then save the example to `main.go` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```bash
DD_SITE="<DD_SITE>" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
```

```java
// Get details of a vulnerability notification rule returns "Notification rule details." response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.NotificationRuleResponse;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    // there is a valid "valid_vulnerability_notification_rule" in the system
    String VALID_VULNERABILITY_NOTIFICATION_RULE_DATA_ID =
        System.getenv("VALID_VULNERABILITY_NOTIFICATION_RULE_DATA_ID");

    try {
      NotificationRuleResponse result =
          apiInstance.getVulnerabilityNotificationRule(
              VALID_VULNERABILITY_NOTIFICATION_RULE_DATA_ID);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#getVulnerabilityNotificationRule");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=java), then save the example to `Example.java` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```bash
DD_SITE="<DD_SITE>" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"
```

```rust
// Get details of a vulnerability notification rule returns "Notification rule
// details." response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;

#[tokio::main]
async fn main() {
    // there is a valid "valid_vulnerability_notification_rule" in the system
    let valid_vulnerability_notification_rule_data_id =
        std::env::var("VALID_VULNERABILITY_NOTIFICATION_RULE_DATA_ID").unwrap();
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api
        .get_vulnerability_notification_rule(valid_vulnerability_notification_rule_data_id.clone())
        .await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=rust), then save the example to `src/main.rs` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```bash
DD_SITE="<DD_SITE>" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run
```

```typescript
/**
 * Get details of a vulnerability notification rule returns "Notification rule details." response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

// there is a valid "valid_vulnerability_notification_rule" in the system
const VALID_VULNERABILITY_NOTIFICATION_RULE_DATA_ID = process.env
  .VALID_VULNERABILITY_NOTIFICATION_RULE_DATA_ID as string;

const params: v2.SecurityMonitoringApiGetVulnerabilityNotificationRuleRequest =
  {
    id: VALID_VULNERABILITY_NOTIFICATION_RULE_DATA_ID,
  };

apiInstance
  .getVulnerabilityNotificationRule(params)
  .then((data: v2.NotificationRuleResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=typescript), then save the example to `example.ts` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"
{% /tab %}

## Delete a vulnerability-based notification rule{% #delete-a-vulnerability-based-notification-rule %}

{% tab title="v2" %}

| Datadog site      | API endpoint                                                                                 |
| ----------------- | -------------------------------------------------------------------------------------------- |
| ap1.datadoghq.com | DELETE https://api.ap1.datadoghq.com/api/v2/security/vulnerabilities/notification_rules/{id} |
| ap2.datadoghq.com | DELETE https://api.ap2.datadoghq.com/api/v2/security/vulnerabilities/notification_rules/{id} |
| app.datadoghq.eu  | DELETE https://api.datadoghq.eu/api/v2/security/vulnerabilities/notification_rules/{id}      |
| app.ddog-gov.com  | DELETE https://api.ddog-gov.com/api/v2/security/vulnerabilities/notification_rules/{id}      |
| app.datadoghq.com | DELETE https://api.datadoghq.com/api/v2/security/vulnerabilities/notification_rules/{id}     |
| us3.datadoghq.com | DELETE https://api.us3.datadoghq.com/api/v2/security/vulnerabilities/notification_rules/{id} |
| us5.datadoghq.com | DELETE https://api.us5.datadoghq.com/api/v2/security/vulnerabilities/notification_rules/{id} |

### Overview

Delete a notification rule for security vulnerabilities. This endpoint requires the `security_monitoring_notification_profiles_write` permission.

### Arguments

#### Path Parameters

| Name                 | Type   | Description                  |
| -------------------- | ------ | ---------------------------- |
| id [*required*] | string | ID of the notification rule. |

### Response

{% tab title="204" %}
Rule successfully deleted.
{% /tab %}

{% tab title="403" %}
Forbidden
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="404" %}
Not Found
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="429" %}
Too many requests
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

### Code Example

```bash
# Path parameters
export id="CHANGE_ME"
# Curl command
# Replace api.datadoghq.com with the API host for your Datadog site:
# api.ap1.datadoghq.com, api.ap2.datadoghq.com, api.datadoghq.eu,
# api.ddog-gov.com, api.us3.datadoghq.com, or api.us5.datadoghq.com
curl -X DELETE "https://api.datadoghq.com/api/v2/security/vulnerabilities/notification_rules/${id}" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"
```

```python
"""
Delete a vulnerability-based notification rule returns "Rule successfully deleted." response
"""

from os import environ
from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi

# there is a valid "valid_vulnerability_notification_rule" in the system
VALID_VULNERABILITY_NOTIFICATION_RULE_DATA_ID = environ["VALID_VULNERABILITY_NOTIFICATION_RULE_DATA_ID"]

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    api_instance.delete_vulnerability_notification_rule(
        id=VALID_VULNERABILITY_NOTIFICATION_RULE_DATA_ID,
    )
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=python), then save the example to `example.py` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"

```ruby
# Delete a vulnerability-based notification rule returns "Rule successfully deleted." response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

# there is a valid "valid_vulnerability_notification_rule" in the system
VALID_VULNERABILITY_NOTIFICATION_RULE_DATA_ID = ENV["VALID_VULNERABILITY_NOTIFICATION_RULE_DATA_ID"]
api_instance.delete_vulnerability_notification_rule(VALID_VULNERABILITY_NOTIFICATION_RULE_DATA_ID)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=ruby), then save the example to `example.rb` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" ruby "example.rb"

```go
// Delete a vulnerability-based notification rule returns "Rule successfully deleted." response

package main

import (
	"context"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	// there is a valid "valid_vulnerability_notification_rule" in the system
	ValidVulnerabilityNotificationRuleDataID := os.Getenv("VALID_VULNERABILITY_NOTIFICATION_RULE_DATA_ID")

	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	r, err := api.DeleteVulnerabilityNotificationRule(ctx, ValidVulnerabilityNotificationRuleDataID)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.DeleteVulnerabilityNotificationRule`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=go), then save the example to `main.go` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"

```java
// Delete a vulnerability-based notification rule returns "Rule successfully deleted." response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    // there is a valid "valid_vulnerability_notification_rule" in the system
    String VALID_VULNERABILITY_NOTIFICATION_RULE_DATA_ID =
        System.getenv("VALID_VULNERABILITY_NOTIFICATION_RULE_DATA_ID");

    try {
      apiInstance.deleteVulnerabilityNotificationRule(
          VALID_VULNERABILITY_NOTIFICATION_RULE_DATA_ID);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#deleteVulnerabilityNotificationRule");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=java), then save the example to `Example.java` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"

```rust
// Delete a vulnerability-based notification rule returns "Rule successfully
// deleted." response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;

#[tokio::main]
async fn main() {
    // there is a valid "valid_vulnerability_notification_rule" in the system
    let valid_vulnerability_notification_rule_data_id =
        std::env::var("VALID_VULNERABILITY_NOTIFICATION_RULE_DATA_ID").unwrap();
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api
        .delete_vulnerability_notification_rule(
            valid_vulnerability_notification_rule_data_id.clone(),
        )
        .await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=rust), then save the example to `src/main.rs` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run

```typescript
/**
 * Delete a vulnerability-based notification rule returns "Rule successfully deleted." response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

// there is a valid "valid_vulnerability_notification_rule" in the system
const VALID_VULNERABILITY_NOTIFICATION_RULE_DATA_ID = process.env
  .VALID_VULNERABILITY_NOTIFICATION_RULE_DATA_ID as string;

const params: v2.SecurityMonitoringApiDeleteVulnerabilityNotificationRuleRequest =
  {
    id: VALID_VULNERABILITY_NOTIFICATION_RULE_DATA_ID,
  };

apiInstance
  .deleteVulnerabilityNotificationRule(params)
  .then((data: any) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=typescript), then save the example to `example.ts` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"
{% /tab %}

## Patch a vulnerability-based notification rule{% #patch-a-vulnerability-based-notification-rule %}

{% tab title="v2" %}

| Datadog site      | API endpoint                                                                                |
| ----------------- | ------------------------------------------------------------------------------------------- |
| ap1.datadoghq.com | PATCH https://api.ap1.datadoghq.com/api/v2/security/vulnerabilities/notification_rules/{id} |
| ap2.datadoghq.com | PATCH https://api.ap2.datadoghq.com/api/v2/security/vulnerabilities/notification_rules/{id} |
| app.datadoghq.eu  | PATCH https://api.datadoghq.eu/api/v2/security/vulnerabilities/notification_rules/{id}      |
| app.ddog-gov.com  | PATCH https://api.ddog-gov.com/api/v2/security/vulnerabilities/notification_rules/{id}      |
| app.datadoghq.com | PATCH https://api.datadoghq.com/api/v2/security/vulnerabilities/notification_rules/{id}     |
| us3.datadoghq.com | PATCH https://api.us3.datadoghq.com/api/v2/security/vulnerabilities/notification_rules/{id} |
| us5.datadoghq.com | PATCH https://api.us5.datadoghq.com/api/v2/security/vulnerabilities/notification_rules/{id} |

### Overview

Partially update the notification rule. All fields are optional; if a field is not provided, it is not updated. This endpoint requires the `security_monitoring_notification_profiles_write` permission.

### Arguments

#### Path Parameters

| Name                 | Type   | Description                  |
| -------------------- | ------ | ---------------------------- |
| id [*required*] | string | ID of the notification rule. |

### Request

#### Body Data (required)



{% tab title="Model" %}

| Parent field | Field                            | Type     | Description                                                                                                                                                                                                                                                                                                                                                                                                                            |
| ------------ | -------------------------------- | -------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|              | data                             | object   | Data of the notification rule patch request: the rule ID, the rule type, and the rule attributes. All fields are required.                                                                                                                                                                                                                                                                                                             |
| data         | attributes [*required*]     | object   | Attributes of the notification rule patch request. It is required to update the version of the rule when patching it.                                                                                                                                                                                                                                                                                                                  |
| attributes   | enabled                          | boolean  | Field used to enable or disable the rule.                                                                                                                                                                                                                                                                                                                                                                                              |
| attributes   | name                             | string   | Name of the notification rule.                                                                                                                                                                                                                                                                                                                                                                                                         |
| attributes   | selectors                        | object   | Selectors are used to filter security issues for which notifications should be generated. Users can specify rule severities, rule types, a query to filter security issues on tags and attributes, and the trigger source. Only the trigger_source field is required.                                                                                                                                                                  |
| selectors    | query                            | string   | The query is composed of one or several key:value pairs, which can be used to filter security issues on tags and attributes.                                                                                                                                                                                                                                                                                                           |
| selectors    | rule_types                       | [string] | Security rule types used as filters in security rules.                                                                                                                                                                                                                                                                                                                                                                                 |
| selectors    | severities                       | [string] | The security rules severities to consider.                                                                                                                                                                                                                                                                                                                                                                                             |
| selectors    | trigger_source [*required*] | enum     | The type of security issues on which the rule applies. Notification rules based on security signals need to use the trigger source "security_signals", while notification rules based on security vulnerabilities need to use the trigger source "security_findings". Allowed enum values: `security_findings,security_signals`                                                                                                        |
| attributes   | targets                          | [string] | List of recipients to notify when a notification rule is triggered. Many different target types are supported, such as email addresses, Slack channels, and PagerDuty services. The appropriate integrations need to be properly configured to send notifications to the specified targets.                                                                                                                                            |
| attributes   | time_aggregation                 | int64    | Time aggregation period (in seconds) is used to aggregate the results of the notification rule evaluation. Results are aggregated over a selected time frame using a rolling window, which updates with each new evaluation. Notifications are only sent for new issues discovered during the window. Time aggregation is only available for vulnerability-based notification rules. When omitted or set to 0, no aggregation is done. |
| attributes   | version                          | int64    | Version of the notification rule. It is updated when the rule is modified.                                                                                                                                                                                                                                                                                                                                                             |
| data         | id [*required*]             | string   | The ID of a notification rule.                                                                                                                                                                                                                                                                                                                                                                                                         |
| data         | type [*required*]           | enum     | The rule type associated to notification rules. Allowed enum values: `notification_rules`                                                                                                                                                                                                                                                                                                                                              |

{% /tab %}

{% tab title="Example" %}

```json
{
  "data": {
    "attributes": {
      "enabled": true,
      "name": "Rule 1",
      "selectors": {
        "query": "(source:production_service OR env:prod)",
        "rule_types": [
          "misconfiguration",
          "attack_path"
        ],
        "severities": [
          "critical"
        ],
        "trigger_source": "security_findings"
      },
      "targets": [
        "@john.doe@email.com"
      ],
      "time_aggregation": 86400,
      "version": 1
    },
    "id": "aaa-bbb-ccc",
    "type": "notification_rules"
  }
}
```

{% /tab %}
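The following is an added example, not part of Datadog's documentation or client libraries. It builds a minimal PATCH body from a previously fetched rule, enforcing the constraints in the request model above and flagging changes that would reduce who gets notified. The names `build_patch_body` and `CURRENT_RULE` are hypothetical, the sample rule and the `@secops@email.com` target are constructed, and it assumes the `version` to send is the one read from the fetched rule.

```python
import json

# Values taken from the request model above.
ALLOWED_TRIGGER_SOURCES = {"security_findings", "security_signals"}
PATCHABLE = {"enabled", "name", "selectors", "targets", "time_aggregation"}


def build_patch_body(current, changes):
    """Return (body, warnings) for the PATCH request, or (None, []) if nothing changes.

    current: the "data" object of a previously fetched notification rule.
    changes: attribute name -> desired value.
    """
    unknown = set(changes) - PATCHABLE
    if unknown:
        # created_at, modified_by, ... exist only in responses; version is set below.
        raise ValueError(f"not patchable: {sorted(unknown)}")

    cur = current["attributes"]
    desired = dict(changes)

    if "selectors" in desired:
        # Merge with the current selectors so the required trigger_source is always sent.
        merged = {**cur["selectors"], **desired["selectors"]}
        if merged.get("trigger_source") not in ALLOWED_TRIGGER_SOURCES:
            raise ValueError(f"invalid trigger_source: {merged.get('trigger_source')!r}")
        desired["selectors"] = merged

    if {"selectors", "time_aggregation"} & set(desired):
        source = desired.get("selectors", cur["selectors"])["trigger_source"]
        agg = desired.get("time_aggregation", cur.get("time_aggregation", 0))
        if isinstance(agg, bool) or not isinstance(agg, int) or agg < 0:
            raise ValueError("time_aggregation must be a non-negative number of seconds")
        if agg and source != "security_findings":
            raise ValueError("time_aggregation is only available for vulnerability-based rules")

    # Send only what differs: fields that are not provided are not updated.
    attrs = {k: v for k, v in desired.items() if cur.get(k) != v}
    if not attrs:
        return None, []

    # Changes that silence notifications deserve a second look before sending.
    warnings = []
    if cur["enabled"] and attrs.get("enabled") is False:
        warnings.append("rule is being disabled")
    if "targets" in attrs:
        dropped = sorted(set(cur["targets"]) - set(attrs["targets"]))
        if dropped:
            warnings.append(f"targets removed: {dropped}")

    # Assumption: the version sent is the one read from the fetched rule.
    attrs["version"] = cur["version"]
    body = {"data": {"id": current["id"], "type": "notification_rules", "attributes": attrs}}
    return body, warnings


# Constructed sample, modelled on the request example on this page.
CURRENT_RULE = {
    "id": "aaa-bbb-ccc",
    "type": "notification_rules",
    "attributes": {
        "enabled": True,
        "name": "Rule 1",
        "selectors": {
            "query": "(source:production_service OR env:prod)",
            "rule_types": ["misconfiguration", "attack_path"],
            "severities": ["critical"],
            "trigger_source": "security_findings",
        },
        "targets": ["@john.doe@email.com"],
        "time_aggregation": 86400,
        "version": 1,
    },
}

if __name__ == "__main__":
    # "name" is unchanged, so it is left out of the body.
    body, warnings = build_patch_body(
        CURRENT_RULE,
        {"name": "Rule 1", "enabled": False, "targets": ["@secops@email.com"]},
    )
    print(json.dumps(body, indent=2))
    for warning in warnings:
        print("review:", warning)
```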

### Response

{% tab title="200" %}
Notification rule successfully patched.
{% tab title="Model" %}
Response object which includes a notification rule.

| Parent field | Field                            | Type     | Description                                                                                                                                                                                                                                                                                                                                                                                                                            |
| ------------ | -------------------------------- | -------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|              | data                             | object   | Notification rules allow full control over notifications generated by the various Datadog security products. They allow users to define the conditions under which a notification should be generated (based on rule severities, rule types, rule tags, and so on), and the targets to notify. A notification rule is composed of a rule ID, a rule type, and the rule attributes. All fields are required.                            |
| data         | attributes [*required*]     | object   | Attributes of the notification rule.                                                                                                                                                                                                                                                                                                                                                                                                   |
| attributes   | created_at [*required*]     | int64    | Date as Unix timestamp in milliseconds.                                                                                                                                                                                                                                                                                                                                                                                                |
| attributes   | created_by [*required*]     | object   | User creating or modifying a rule.                                                                                                                                                                                                                                                                                                                                                                                                     |
| created_by   | handle                           | string   | The user handle.                                                                                                                                                                                                                                                                                                                                                                                                                       |
| created_by   | name                             | string   | The user name.                                                                                                                                                                                                                                                                                                                                                                                                                         |
| attributes   | enabled [*required*]        | boolean  | Field used to enable or disable the rule.                                                                                                                                                                                                                                                                                                                                                                                              |
| attributes   | modified_at [*required*]    | int64    | Date as Unix timestamp in milliseconds.                                                                                                                                                                                                                                                                                                                                                                                                |
| attributes   | modified_by [*required*]    | object   | User creating or modifying a rule.                                                                                                                                                                                                                                                                                                                                                                                                     |
| modified_by  | handle                           | string   | The user handle.                                                                                                                                                                                                                                                                                                                                                                                                                       |
| modified_by  | name                             | string   | The user name.                                                                                                                                                                                                                                                                                                                                                                                                                         |
| attributes   | name [*required*]           | string   | Name of the notification rule.                                                                                                                                                                                                                                                                                                                                                                                                         |
| attributes   | selectors [*required*]      | object   | Selectors are used to filter security issues for which notifications should be generated. Users can specify rule severities, rule types, a query to filter security issues on tags and attributes, and the trigger source. Only the trigger_source field is required.                                                                                                                                                                  |
| selectors    | query                            | string   | The query is composed of one or several key:value pairs, which can be used to filter security issues on tags and attributes.                                                                                                                                                                                                                                                                                                           |
| selectors    | rule_types                       | [string] | Security rule types used as filters in security rules.                                                                                                                                                                                                                                                                                                                                                                                 |
| selectors    | severities                       | [string] | The security rules severities to consider.                                                                                                                                                                                                                                                                                                                                                                                             |
| selectors    | trigger_source [*required*] | enum     | The type of security issues on which the rule applies. Notification rules based on security signals need to use the trigger source "security_signals", while notification rules based on security vulnerabilities need to use the trigger source "security_findings". Allowed enum values: `security_findings,security_signals`                                                                                                        |
| attributes   | targets [*required*]        | [string] | List of recipients to notify when a notification rule is triggered. Many different target types are supported, such as email addresses, Slack channels, and PagerDuty services. The appropriate integrations need to be properly configured to send notifications to the specified targets.                                                                                                                                            |
| attributes   | time_aggregation                 | int64    | Time aggregation period (in seconds) is used to aggregate the results of the notification rule evaluation. Results are aggregated over a selected time frame using a rolling window, which updates with each new evaluation. Notifications are only sent for new issues discovered during the window. Time aggregation is only available for vulnerability-based notification rules. When omitted or set to 0, no aggregation is done. |
| attributes   | version [*required*]        | int64    | Version of the notification rule. It is updated when the rule is modified.                                                                                                                                                                                                                                                                                                                                                             |
| data         | id [*required*]             | string   | The ID of a notification rule.                                                                                                                                                                                                                                                                                                                                                                                                         |
| data         | type [*required*]           | enum     | The rule type associated to notification rules. Allowed enum values: `notification_rules`                                                                                                                                                                                                                                                                                                                                              |

{% /tab %}

{% tab title="Example" %}

```json
{
  "data": {
    "attributes": {
      "created_at": 1722439510282,
      "created_by": {
        "handle": "john.doe@domain.com",
        "name": "John Doe"
      },
      "enabled": true,
      "modified_at": 1722439510282,
      "modified_by": {
        "handle": "john.doe@domain.com",
        "name": "John Doe"
      },
      "name": "Rule 1",
      "selectors": {
        "query": "(source:production_service OR env:prod)",
        "rule_types": [
          "misconfiguration",
          "attack_path"
        ],
        "severities": [
          "critical"
        ],
        "trigger_source": "security_findings"
      },
      "targets": [
        "@john.doe@email.com"
      ],
      "time_aggregation": 86400,
      "version": 1
    },
    "id": "aaa-bbb-ccc",
    "type": "notification_rules"
  }
}
```

{% /tab %}

{% /tab %}

{% tab title="400" %}
Bad Request
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="403" %}
Forbidden
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="404" %}
Not Found
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="422" %}
The server cannot process the request because it contains invalid data.
{% tab title="Model" %}
API error response.

| Parent field | Field                    | Type     | Description                                                                     |
| ------------ | ------------------------ | -------- | ------------------------------------------------------------------------------- |
|              | errors [*required*] | [object] | A list of errors.                                                               |
| errors       | detail                   | string   | A human-readable explanation specific to this occurrence of the error.          |
| errors       | meta                     | object   | Non-standard meta-information about the error.                                  |
| errors       | source                   | object   | References to the source of the error.                                          |
| source       | header                   | string   | A string indicating the name of a single request header which caused the error. |
| source       | parameter                | string   | A string indicating which URI query parameter caused the error.                 |
| source       | pointer                  | string   | A JSON pointer to the value in the request document that caused the error.      |
| errors       | status                   | string   | Status code of the response.                                                    |
| errors       | title                    | string   | Short human-readable summary of the error.                                      |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    {
      "detail": "Missing required attribute in body",
      "meta": {},
      "source": {
        "header": "Authorization",
        "parameter": "limit",
        "pointer": "/data/attributes/title"
      },
      "status": "400",
      "title": "Bad Request"
    }
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="429" %}
Too many requests
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}
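A pre-flight check for the PATCH body and a decoder for the two error shapes documented above, as an added example (not Datadog's code). It enforces only constraints this page states or shows; the function names, the `path_id` equality check and the non-empty `targets` check are assumptions of this example.

```python
import json

ALLOWED_TRIGGER_SOURCES = ("security_findings", "security_signals")
SOURCE_PTR = "/data/attributes/selectors/trigger_source"

# Request body copied from this page's curl example.
PAGE_EXAMPLE = {
    "data": {
        "attributes": {
            "enabled": True,
            "name": "Rule 1",
            "selectors": {
                "query": "(source:production_service OR env:prod)",
                "rule_types": ["misconfiguration", "attack_path"],
                "severities": ["critical"],
                "trigger_source": "security_findings",
            },
            "targets": ["@john.doe@email.com"],
            "time_aggregation": 86400,
            "version": 1,
        },
        "id": "aaa-bbb-ccc",
        "type": "notification_rules",
    }
}

# 422 response body copied from this page's example.
SAMPLE_422 = json.dumps({"errors": [{
    "detail": "Missing required attribute in body",
    "meta": {},
    "source": {"header": "Authorization", "parameter": "limit",
               "pointer": "/data/attributes/title"},
    "status": "400",
    "title": "Bad Request",
}]})


def validate_patch_payload(payload, path_id, vulnerability_based=True):
    """Return (json_pointer, message) pairs; an empty list means no problem found."""
    data = payload.get("data")
    if not isinstance(data, dict):
        return [("/data", "missing object")]
    problems = []
    if data.get("type") != "notification_rules":
        problems.append(("/data/type", "must be 'notification_rules'"))
    # Assumption: the page's examples send the same ID in the path and the body.
    if data.get("id") != path_id:
        problems.append(("/data/id", "must equal the rule ID in the URL path"))
    attrs = data.get("attributes")
    if not isinstance(attrs, dict):
        return problems + [("/data/attributes", "missing object")]

    # Signal rules use security_signals, vulnerability rules security_findings.
    expected = "security_findings" if vulnerability_based else "security_signals"
    selectors = attrs.get("selectors")
    if selectors is not None:
        source = selectors.get("trigger_source") if isinstance(selectors, dict) else None
        if source not in ALLOWED_TRIGGER_SOURCES:
            problems.append((SOURCE_PTR, "required; one of " + ", ".join(ALLOWED_TRIGGER_SOURCES)))
        elif source != expected:
            problems.append((SOURCE_PTR, f"this endpoint needs '{expected}'"))

    # time_aggregation is in seconds; omitted or 0 means no aggregation.
    agg = attrs.get("time_aggregation")
    if agg is not None:
        if isinstance(agg, bool) or not isinstance(agg, int) or agg < 0:
            problems.append(("/data/attributes/time_aggregation",
                             "must be a non-negative integer (seconds)"))
        elif agg > 0 and not vulnerability_based:
            problems.append(("/data/attributes/time_aggregation",
                             "only available for vulnerability-based rules"))

    # Assumption: a rule with no recipients is treated as a mistake.
    targets = attrs.get("targets")
    if targets is not None and not (isinstance(targets, list) and targets
                                    and all(isinstance(t, str) and t for t in targets)):
        problems.append(("/data/attributes/targets",
                         "must be a non-empty list of recipient strings"))
    return problems


def summarize_errors(body):
    """Flatten either documented error shape into one readable line per error."""
    lines = []
    for err in json.loads(body).get("errors", []):
        if isinstance(err, str):  # 400/403/404/429 model: errors is [string]
            lines.append(err)
            continue
        source = err.get("source") or {}  # 422 model: errors is [object]
        where = ", ".join(f"{key}={source[key]}"
                          for key in ("pointer", "parameter", "header") if source.get(key))
        text = f"{err.get('title', 'Error')}: {err.get('detail', '')}".rstrip(": ")
        lines.append(f"{text} ({where})" if where else text)
    return lines


if __name__ == "__main__":
    print(validate_patch_payload(PAGE_EXAMPLE, "aaa-bbb-ccc"))
    print(summarize_errors(SAMPLE_422))
```
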

### Code Example

```bash
# Path parameters
export id="CHANGE_ME"
# Curl command. Replace api.datadoghq.com with the API host for your Datadog site:
# api.ap1.datadoghq.com, api.ap2.datadoghq.com, api.datadoghq.eu, api.ddog-gov.com,
# api.us3.datadoghq.com or api.us5.datadoghq.com
curl -X PATCH "https://api.datadoghq.com/api/v2/security/vulnerabilities/notification_rules/${id}" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "data": {
    "attributes": {
      "enabled": true,
      "name": "Rule 1",
      "selectors": {
        "query": "(source:production_service OR env:prod)",
        "rule_types": [
          "misconfiguration",
          "attack_path"
        ],
        "severities": [
          "critical"
        ],
        "trigger_source": "security_findings"
      },
      "targets": [
        "@john.doe@email.com"
      ],
      "time_aggregation": 86400,
      "version": 1
    },
    "id": "aaa-bbb-ccc",
    "type": "notification_rules"
  }
}
EOF
```

```go
// Patch a vulnerability-based notification rule returns "Notification rule successfully patched." response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	// there is a valid "valid_vulnerability_notification_rule" in the system
	ValidVulnerabilityNotificationRuleDataID := os.Getenv("VALID_VULNERABILITY_NOTIFICATION_RULE_DATA_ID")

	body := datadogV2.PatchNotificationRuleParameters{
		Data: &datadogV2.PatchNotificationRuleParametersData{
			Attributes: datadogV2.PatchNotificationRuleParametersDataAttributes{
				Enabled: datadog.PtrBool(true),
				Name:    datadog.PtrString("Rule 1"),
				Selectors: &datadogV2.Selectors{
					Query: datadog.PtrString("(source:production_service OR env:prod)"),
					RuleTypes: []datadogV2.RuleTypesItems{
						datadogV2.RULETYPESITEMS_MISCONFIGURATION,
						datadogV2.RULETYPESITEMS_ATTACK_PATH,
					},
					Severities: []datadogV2.RuleSeverity{
						datadogV2.RULESEVERITY_CRITICAL,
					},
					TriggerSource: datadogV2.TRIGGERSOURCE_SECURITY_FINDINGS,
				},
				Targets: []string{
					"@john.doe@email.com",
				},
				TimeAggregation: datadog.PtrInt64(86400),
				Version:         datadog.PtrInt64(1),
			},
			Id:   ValidVulnerabilityNotificationRuleDataID,
			Type: datadogV2.NOTIFICATIONRULESTYPE_NOTIFICATION_RULES,
		},
	}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.PatchVulnerabilityNotificationRule(ctx, ValidVulnerabilityNotificationRuleDataID, body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.PatchVulnerabilityNotificationRule`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.PatchVulnerabilityNotificationRule`:\n%s\n", responseContent)
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=go), then save the example to `main.go` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"

```java
// Patch a vulnerability-based notification rule returns "Notification rule successfully patched."
// response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.NotificationRuleResponse;
import com.datadog.api.client.v2.model.NotificationRulesType;
import com.datadog.api.client.v2.model.PatchNotificationRuleParameters;
import com.datadog.api.client.v2.model.PatchNotificationRuleParametersData;
import com.datadog.api.client.v2.model.PatchNotificationRuleParametersDataAttributes;
import com.datadog.api.client.v2.model.RuleSeverity;
import com.datadog.api.client.v2.model.RuleTypesItems;
import com.datadog.api.client.v2.model.Selectors;
import com.datadog.api.client.v2.model.TriggerSource;
import java.util.Arrays;
import java.util.Collections;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    // there is a valid "valid_vulnerability_notification_rule" in the system
    String VALID_VULNERABILITY_NOTIFICATION_RULE_DATA_ID =
        System.getenv("VALID_VULNERABILITY_NOTIFICATION_RULE_DATA_ID");

    PatchNotificationRuleParameters body =
        new PatchNotificationRuleParameters()
            .data(
                new PatchNotificationRuleParametersData()
                    .attributes(
                        new PatchNotificationRuleParametersDataAttributes()
                            .enabled(true)
                            .name("Rule 1")
                            .selectors(
                                new Selectors()
                                    .query("(source:production_service OR env:prod)")
                                    .ruleTypes(
                                        Arrays.asList(
                                            RuleTypesItems.MISCONFIGURATION,
                                            RuleTypesItems.ATTACK_PATH))
                                    .severities(Collections.singletonList(RuleSeverity.CRITICAL))
                                    .triggerSource(TriggerSource.SECURITY_FINDINGS))
                            .targets(Collections.singletonList("@john.doe@email.com"))
                            .timeAggregation(86400L)
                            .version(1L))
                    .id(VALID_VULNERABILITY_NOTIFICATION_RULE_DATA_ID)
                    .type(NotificationRulesType.NOTIFICATION_RULES));

    try {
      NotificationRuleResponse result =
          apiInstance.patchVulnerabilityNotificationRule(
              VALID_VULNERABILITY_NOTIFICATION_RULE_DATA_ID, body);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#patchVulnerabilityNotificationRule");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=java), then save the example to `Example.java` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"

```python
"""
Patch a vulnerability-based notification rule returns "Notification rule successfully patched." response
"""

from os import environ
from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.notification_rules_type import NotificationRulesType
from datadog_api_client.v2.model.patch_notification_rule_parameters import PatchNotificationRuleParameters
from datadog_api_client.v2.model.patch_notification_rule_parameters_data import PatchNotificationRuleParametersData
from datadog_api_client.v2.model.patch_notification_rule_parameters_data_attributes import (
    PatchNotificationRuleParametersDataAttributes,
)
from datadog_api_client.v2.model.rule_severity import RuleSeverity
from datadog_api_client.v2.model.rule_types_items import RuleTypesItems
from datadog_api_client.v2.model.selectors import Selectors
from datadog_api_client.v2.model.trigger_source import TriggerSource

# there is a valid "valid_vulnerability_notification_rule" in the system
VALID_VULNERABILITY_NOTIFICATION_RULE_DATA_ID = environ["VALID_VULNERABILITY_NOTIFICATION_RULE_DATA_ID"]

body = PatchNotificationRuleParameters(
    data=PatchNotificationRuleParametersData(
        attributes=PatchNotificationRuleParametersDataAttributes(
            enabled=True,
            name="Rule 1",
            selectors=Selectors(
                query="(source:production_service OR env:prod)",
                rule_types=[
                    RuleTypesItems.MISCONFIGURATION,
                    RuleTypesItems.ATTACK_PATH,
                ],
                severities=[
                    RuleSeverity.CRITICAL,
                ],
                trigger_source=TriggerSource.SECURITY_FINDINGS,
            ),
            targets=[
                "@john.doe@email.com",
            ],
            time_aggregation=86400,
            version=1,
        ),
        id=VALID_VULNERABILITY_NOTIFICATION_RULE_DATA_ID,
        type=NotificationRulesType.NOTIFICATION_RULES,
    ),
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.patch_vulnerability_notification_rule(
        id=VALID_VULNERABILITY_NOTIFICATION_RULE_DATA_ID, body=body
    )

    print(response)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=python), then save the example to `example.py` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"

```ruby
# Patch a vulnerability-based notification rule returns "Notification rule successfully patched." response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

# there is a valid "valid_vulnerability_notification_rule" in the system
VALID_VULNERABILITY_NOTIFICATION_RULE_DATA_ID = ENV["VALID_VULNERABILITY_NOTIFICATION_RULE_DATA_ID"]

body = DatadogAPIClient::V2::PatchNotificationRuleParameters.new({
  data: DatadogAPIClient::V2::PatchNotificationRuleParametersData.new({
    attributes: DatadogAPIClient::V2::PatchNotificationRuleParametersDataAttributes.new({
      enabled: true,
      name: "Rule 1",
      selectors: DatadogAPIClient::V2::Selectors.new({
        query: "(source:production_service OR env:prod)",
        rule_types: [
          DatadogAPIClient::V2::RuleTypesItems::MISCONFIGURATION,
          DatadogAPIClient::V2::RuleTypesItems::ATTACK_PATH,
        ],
        severities: [
          DatadogAPIClient::V2::RuleSeverity::CRITICAL,
        ],
        trigger_source: DatadogAPIClient::V2::TriggerSource::SECURITY_FINDINGS,
      }),
      targets: [
        "@john.doe@email.com",
      ],
      time_aggregation: 86400,
      version: 1,
    }),
    id: VALID_VULNERABILITY_NOTIFICATION_RULE_DATA_ID,
    type: DatadogAPIClient::V2::NotificationRulesType::NOTIFICATION_RULES,
  }),
})
p api_instance.patch_vulnerability_notification_rule(VALID_VULNERABILITY_NOTIFICATION_RULE_DATA_ID, body)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=ruby), then save the example to `example.rb` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" ruby "example.rb"

```rust
// Patch a vulnerability-based notification rule returns "Notification rule
// successfully patched." response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::NotificationRulesType;
use datadog_api_client::datadogV2::model::PatchNotificationRuleParameters;
use datadog_api_client::datadogV2::model::PatchNotificationRuleParametersData;
use datadog_api_client::datadogV2::model::PatchNotificationRuleParametersDataAttributes;
use datadog_api_client::datadogV2::model::RuleSeverity;
use datadog_api_client::datadogV2::model::RuleTypesItems;
use datadog_api_client::datadogV2::model::Selectors;
use datadog_api_client::datadogV2::model::TriggerSource;

#[tokio::main]
async fn main() {
    // there is a valid "valid_vulnerability_notification_rule" in the system
    let valid_vulnerability_notification_rule_data_id =
        std::env::var("VALID_VULNERABILITY_NOTIFICATION_RULE_DATA_ID").unwrap();
    let body =
        PatchNotificationRuleParameters::new().data(PatchNotificationRuleParametersData::new(
            PatchNotificationRuleParametersDataAttributes::new()
                .enabled(true)
                .name("Rule 1".to_string())
                .selectors(
                    Selectors::new(TriggerSource::SECURITY_FINDINGS)
                        .query("(source:production_service OR env:prod)".to_string())
                        .rule_types(vec![
                            RuleTypesItems::MISCONFIGURATION,
                            RuleTypesItems::ATTACK_PATH,
                        ])
                        .severities(vec![RuleSeverity::CRITICAL]),
                )
                .targets(vec!["@john.doe@email.com".to_string()])
                .time_aggregation(86400)
                .version(1),
            valid_vulnerability_notification_rule_data_id.clone(),
            NotificationRulesType::NOTIFICATION_RULES,
        ));
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api
        .patch_vulnerability_notification_rule(
            valid_vulnerability_notification_rule_data_id.clone(),
            body,
        )
        .await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=rust), then save the example to `src/main.rs` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run

```typescript
/**
 * Patch a vulnerability-based notification rule returns "Notification rule successfully patched." response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

// there is a valid "valid_vulnerability_notification_rule" in the system
const VALID_VULNERABILITY_NOTIFICATION_RULE_DATA_ID = process.env
  .VALID_VULNERABILITY_NOTIFICATION_RULE_DATA_ID as string;

const params: v2.SecurityMonitoringApiPatchVulnerabilityNotificationRuleRequest =
  {
    body: {
      data: {
        attributes: {
          enabled: true,
          name: "Rule 1",
          selectors: {
            query: "(source:production_service OR env:prod)",
            ruleTypes: ["misconfiguration", "attack_path"],
            severities: ["critical"],
            triggerSource: "security_findings",
          },
          targets: ["@john.doe@email.com"],
          timeAggregation: 86400,
          version: 1,
        },
        id: VALID_VULNERABILITY_NOTIFICATION_RULE_DATA_ID,
        type: "notification_rules",
      },
    },
    id: VALID_VULNERABILITY_NOTIFICATION_RULE_DATA_ID,
  };

apiInstance
  .patchVulnerabilityNotificationRule(params)
  .then((data: v2.NotificationRuleResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=typescript), then save the example to `example.ts` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"
{% /tab %}

## Get the list of signal-based notification rules{% #get-the-list-of-signal-based-notification-rules %}

{% tab title="v2" %}

| Datadog site      | API endpoint                                                                 |
| ----------------- | ---------------------------------------------------------------------------- |
| ap1.datadoghq.com | GET https://api.ap1.datadoghq.com/api/v2/security/signals/notification_rules |
| ap2.datadoghq.com | GET https://api.ap2.datadoghq.com/api/v2/security/signals/notification_rules |
| app.datadoghq.eu  | GET https://api.datadoghq.eu/api/v2/security/signals/notification_rules      |
| app.ddog-gov.com  | GET https://api.ddog-gov.com/api/v2/security/signals/notification_rules      |
| app.datadoghq.com | GET https://api.datadoghq.com/api/v2/security/signals/notification_rules     |
| us3.datadoghq.com | GET https://api.us3.datadoghq.com/api/v2/security/signals/notification_rules |
| us5.datadoghq.com | GET https://api.us5.datadoghq.com/api/v2/security/signals/notification_rules |

### Overview

Returns the list of notification rules for security signals. This endpoint requires the `security_monitoring_notification_profiles_read` permission.

### Response

{% tab title="200" %}
The list of notification rules.
{% tab title="Model" %}

| Parent field | Field                            | Type     | Description                                                                                                                                                                                                                                                                                                                                                                                                                            |
| ------------ | -------------------------------- | -------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|              | data                             | [object] |
| data         | attributes [*required*]     | object   | Attributes of the notification rule.                                                                                                                                                                                                                                                                                                                                                                                                   |
| attributes   | created_at [*required*]     | int64    | Date as Unix timestamp in milliseconds.                                                                                                                                                                                                                                                                                                                                                                                                |
| attributes   | created_by [*required*]     | object   | User creating or modifying a rule.                                                                                                                                                                                                                                                                                                                                                                                                     |
| created_by   | handle                           | string   | The user handle.                                                                                                                                                                                                                                                                                                                                                                                                                       |
| created_by   | name                             | string   | The user name.                                                                                                                                                                                                                                                                                                                                                                                                                         |
| attributes   | enabled [*required*]        | boolean  | Field used to enable or disable the rule.                                                                                                                                                                                                                                                                                                                                                                                              |
| attributes   | modified_at [*required*]    | int64    | Date as Unix timestamp in milliseconds.                                                                                                                                                                                                                                                                                                                                                                                                |
| attributes   | modified_by [*required*]    | object   | User creating or modifying a rule.                                                                                                                                                                                                                                                                                                                                                                                                     |
| modified_by  | handle                           | string   | The user handle.                                                                                                                                                                                                                                                                                                                                                                                                                       |
| modified_by  | name                             | string   | The user name.                                                                                                                                                                                                                                                                                                                                                                                                                         |
| attributes   | name [*required*]           | string   | Name of the notification rule.                                                                                                                                                                                                                                                                                                                                                                                                         |
| attributes   | selectors [*required*]      | object   | Selectors are used to filter security issues for which notifications should be generated. Users can specify rule severities, rule types, a query to filter security issues on tags and attributes, and the trigger source. Only the trigger_source field is required.                                                                                                                                                                  |
| selectors    | query                            | string   | The query is composed of one or several key:value pairs, which can be used to filter security issues on tags and attributes.                                                                                                                                                                                                                                                                                                           |
| selectors    | rule_types                       | [string] | Security rule types used as filters in security rules.                                                                                                                                                                                                                                                                                                                                                                                 |
| selectors    | severities                       | [string] | The security rules severities to consider.                                                                                                                                                                                                                                                                                                                                                                                             |
| selectors    | trigger_source [*required*] | enum     | The type of security issues on which the rule applies. Notification rules based on security signals need to use the trigger source "security_signals", while notification rules based on security vulnerabilities need to use the trigger source "security_findings". Allowed enum values: `security_findings,security_signals`                                                                                                        |
| attributes   | targets [*required*]        | [string] | List of recipients to notify when a notification rule is triggered. Many different target types are supported, such as email addresses, Slack channels, and PagerDuty services. The appropriate integrations need to be properly configured to send notifications to the specified targets.                                                                                                                                            |
| attributes   | time_aggregation                 | int64    | Time aggregation period (in seconds) is used to aggregate the results of the notification rule evaluation. Results are aggregated over a selected time frame using a rolling window, which updates with each new evaluation. Notifications are only sent for new issues discovered during the window. Time aggregation is only available for vulnerability-based notification rules. When omitted or set to 0, no aggregation is done. |
| attributes   | version [*required*]        | int64    | Version of the notification rule. It is updated when the rule is modified.                                                                                                                                                                                                                                                                                                                                                             |
| data         | id [*required*]             | string   | The ID of a notification rule.                                                                                                                                                                                                                                                                                                                                                                                                         |
| data         | type [*required*]           | enum     | The rule type associated to notification rules. Allowed enum values: `notification_rules`                                                                                                                                                                                                                                                                                                                                              |

{% /tab %}

{% tab title="Example" %}

```json
{
  "data": [
    {
      "attributes": {
        "created_at": 1722439510282,
        "created_by": {
          "handle": "john.doe@domain.com",
          "name": "John Doe"
        },
        "enabled": true,
        "modified_at": 1722439510282,
        "modified_by": {
          "handle": "john.doe@domain.com",
          "name": "John Doe"
        },
        "name": "Rule 1",
        "selectors": {
          "query": "(source:production_service OR env:prod)",
          "rule_types": [
            "misconfiguration",
            "attack_path"
          ],
          "severities": [
            "critical"
          ],
          "trigger_source": "security_findings"
        },
        "targets": [
          "@john.doe@email.com"
        ],
        "time_aggregation": 86400,
        "version": 1
      },
      "id": "aaa-bbb-ccc",
      "type": "notification_rules"
    }
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="403" %}
Forbidden
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="429" %}
Too many requests
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

### Code Example

```bash
# Curl command
# Replace api.datadoghq.com with the API host for your Datadog site
# (api.ap1.datadoghq.com, api.ap2.datadoghq.com, api.datadoghq.eu,
# api.ddog-gov.com, api.us3.datadoghq.com, api.us5.datadoghq.com).
curl -X GET "https://api.datadoghq.com/api/v2/security/signals/notification_rules" \
-H "Accept: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"
```

```python
"""
Get the list of signal-based notification rules returns "The list of notification rules." response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.get_signal_notification_rules()

    print(response)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=python), then save the example to `example.py` and run the following command. Set `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
```

```ruby
# Get the list of signal-based notification rules returns "The list of notification rules." response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new
p api_instance.get_signal_notification_rules()
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=ruby), then save the example to `example.rb` and run the following command. Set `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" ruby "example.rb"
```

```go
// Get the list of signal-based notification rules returns "The list of notification rules." response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.GetSignalNotificationRules(ctx)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.GetSignalNotificationRules`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.GetSignalNotificationRules`:\n%s\n", responseContent)
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=go), then save the example to `main.go` and run the following command. Set `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
```

```java
// Get the list of signal-based notification rules returns "The list of notification rules."
// response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    try {
      apiInstance.getSignalNotificationRules();
    } catch (ApiException e) {
      System.err.println("Exception when calling SecurityMonitoringApi#getSignalNotificationRules");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=java), then save the example to `Example.java` and run the following command. Set `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"
```

```rust
// Get the list of signal-based notification rules returns "The list of
// notification rules." response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;

#[tokio::main]
async fn main() {
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api.get_signal_notification_rules().await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=rust), then save the example to `src/main.rs` and run the following command. Set `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run
```

```typescript
/**
 * Get the list of signal-based notification rules returns "The list of notification rules." response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

apiInstance
  .getSignalNotificationRules()
  .then((data: any) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=typescript), then save the example to `example.ts` and run the following command. Set `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"
```

{% /tab %}
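
The list response documented above can be audited offline for alerting gaps: disabled rules, rules with no recipients, e-mail targets outside an allowlist, and severities that no active rule covers. This is an added example, not part of Datadog's documentation or client libraries; `audit_rules`, `email_domain`, the allowlist, the two constructed rules, and the reading of an omitted `severities` selector as "all severities" are assumptions.

```python
"""Audit a parsed 'list notification rules' response for alerting gaps (added example)."""

# First rule is the page's response example; the other two are constructed.
SAMPLE_RESPONSE = {
    "data": [
        {"id": "aaa-bbb-ccc", "type": "notification_rules", "attributes": {
            "enabled": True, "name": "Rule 1",
            "selectors": {"severities": ["critical"], "trigger_source": "security_findings"},
            "targets": ["@john.doe@email.com"], "version": 1}},
        {"id": "constructed-2", "type": "notification_rules", "attributes": {
            "enabled": False, "name": "Paused rule",
            "selectors": {"severities": ["critical"], "trigger_source": "security_signals"},
            "targets": ["@soc@example.com"], "version": 3}},
        {"id": "constructed-3", "type": "notification_rules", "attributes": {
            "enabled": True, "name": "Rule without recipients",
            "selectors": {"severities": ["critical"], "trigger_source": "security_signals"},
            "targets": [], "version": 1}},
    ]
}


def email_domain(target):
    """Return the lower-cased domain of an '@user@domain' e-mail target, else None."""
    handle = target[1:] if target.startswith("@") else target
    local, sep, domain = handle.rpartition("@")
    return domain.lower() if sep and local and domain else None


def audit_rules(response, trusted_domains, must_cover=("critical",)):
    """Return sorted (rule_id, finding) tuples; rule_id '*' marks a gap across all rules."""
    trusted = {d.lower() for d in trusted_domains}
    findings, covered, covers_all = [], set(), False
    for rule in response.get("data", []):
        rule_id = rule.get("id", "<no id>")
        attrs = rule.get("attributes", {})
        if not attrs.get("enabled", False):
            findings.append((rule_id, "disabled"))
            continue  # a disabled rule provides no coverage
        targets = attrs.get("targets") or []
        if not targets:
            findings.append((rule_id, "no_targets"))
            continue  # nobody is notified, so no coverage either
        for target in targets:
            domain = email_domain(target)
            if domain is not None and domain not in trusted:
                findings.append((rule_id, "untrusted_email_domain:" + domain))
        # Coverage is tracked by severity only; query and rule_types selectors
        # can narrow a rule further and are not evaluated here.
        severities = attrs.get("selectors", {}).get("severities")
        if severities:
            covered.update(severities)
        else:
            covers_all = True  # assumption: no severity filter matches every severity
    if not covers_all:
        for severity in must_cover:
            if severity not in covered:
                findings.append(("*", "uncovered_severity:" + severity))
    return sorted(findings)


if __name__ == "__main__":
    for rule_id, finding in audit_rules(SAMPLE_RESPONSE, {"example.com"}):
        print(rule_id, finding)
```
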

## Create a new signal-based notification rule{% #create-a-new-signal-based-notification-rule %}

{% tab title="v2" %}

| Datadog site      | API endpoint                                                                  |
| ----------------- | ----------------------------------------------------------------------------- |
| ap1.datadoghq.com | POST https://api.ap1.datadoghq.com/api/v2/security/signals/notification_rules |
| ap2.datadoghq.com | POST https://api.ap2.datadoghq.com/api/v2/security/signals/notification_rules |
| app.datadoghq.eu  | POST https://api.datadoghq.eu/api/v2/security/signals/notification_rules      |
| app.ddog-gov.com  | POST https://api.ddog-gov.com/api/v2/security/signals/notification_rules      |
| app.datadoghq.com | POST https://api.datadoghq.com/api/v2/security/signals/notification_rules     |
| us3.datadoghq.com | POST https://api.us3.datadoghq.com/api/v2/security/signals/notification_rules |
| us5.datadoghq.com | POST https://api.us5.datadoghq.com/api/v2/security/signals/notification_rules |

### Overview

Create a new notification rule for security signals and return the created rule. This endpoint requires the `security_monitoring_notification_profiles_write` permission.

### Request

#### Body Data (required)

The body of the create notification rule request is composed of the rule type and the rule attributes: the rule name, the selectors, the notification targets, and the rule enabled status.

{% tab title="Model" %}

| Parent field | Field                            | Type     | Description                                                                                                                                                                                                                                                                                                                                                                                                                            |
| ------------ | -------------------------------- | -------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|              | data                             | object   | Data of the notification rule create request: the rule type, and the rule attributes. All fields are required.                                                                                                                                                                                                                                                                                                                         |
| data         | attributes [*required*]     | object   | Attributes of the notification rule create request.                                                                                                                                                                                                                                                                                                                                                                                    |
| attributes   | enabled                          | boolean  | Field used to enable or disable the rule.                                                                                                                                                                                                                                                                                                                                                                                              |
| attributes   | name [*required*]           | string   | Name of the notification rule.                                                                                                                                                                                                                                                                                                                                                                                                         |
| attributes   | selectors [*required*]      | object   | Selectors are used to filter security issues for which notifications should be generated. Users can specify rule severities, rule types, a query to filter security issues on tags and attributes, and the trigger source. Only the trigger_source field is required.                                                                                                                                                                  |
| selectors    | query                            | string   | The query is composed of one or several key:value pairs, which can be used to filter security issues on tags and attributes.                                                                                                                                                                                                                                                                                                           |
| selectors    | rule_types                       | [string] | Security rule types used as filters in security rules.                                                                                                                                                                                                                                                                                                                                                                                 |
| selectors    | severities                       | [string] | The security rules severities to consider.                                                                                                                                                                                                                                                                                                                                                                                             |
| selectors    | trigger_source [*required*] | enum     | The type of security issues on which the rule applies. Notification rules based on security signals need to use the trigger source "security_signals", while notification rules based on security vulnerabilities need to use the trigger source "security_findings". Allowed enum values: `security_findings,security_signals`                                                                                                        |
| attributes   | targets [*required*]        | [string] | List of recipients to notify when a notification rule is triggered. Many different target types are supported, such as email addresses, Slack channels, and PagerDuty services. The appropriate integrations need to be properly configured to send notifications to the specified targets.                                                                                                                                            |
| attributes   | time_aggregation                 | int64    | Time aggregation period (in seconds) is used to aggregate the results of the notification rule evaluation. Results are aggregated over a selected time frame using a rolling window, which updates with each new evaluation. Notifications are only sent for new issues discovered during the window. Time aggregation is only available for vulnerability-based notification rules. When omitted or set to 0, no aggregation is done. |
| data         | type [*required*]           | enum     | The rule type associated to notification rules. Allowed enum values: `notification_rules`                                                                                                                                                                                                                                                                                                                                              |

{% /tab %}

{% tab title="Example" %}

```json
{
  "data": {
    "attributes": {
      "enabled": true,
      "name": "Rule 1",
      "selectors": {
        "query": "(source:production_service OR env:prod)",
        "rule_types": [
          "misconfiguration",
          "attack_path"
        ],
        "severities": [
          "critical"
        ],
        "trigger_source": "security_findings"
      },
      "targets": [
        "@john.doe@email.com"
      ],
      "time_aggregation": 86400
    },
    "type": "notification_rules"
  }
}
```

{% /tab %}
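
A request body can be checked against the model table before it is sent, which catches a wrong `trigger_source`, a missing required field, or `time_aggregation` set on a signal-based rule. This is an added example, not Datadog's code; `validate_create_request`, the rejection of an empty `targets` list (a local policy stricter than the table), and `CONSTRUCTED_BAD` are assumptions, while `PAGE_EXAMPLE` is the request example above.

```python
"""Offline pre-flight check for a create-notification-rule body (added example)."""

ALLOWED_TRIGGER_SOURCES = {"security_findings", "security_signals"}  # enum from the model table

PAGE_EXAMPLE = {"data": {"type": "notification_rules", "attributes": {
    "enabled": True, "name": "Rule 1",
    "selectors": {"query": "(source:production_service OR env:prod)",
                  "rule_types": ["misconfiguration", "attack_path"],
                  "severities": ["critical"], "trigger_source": "security_findings"},
    "targets": ["@john.doe@email.com"], "time_aggregation": 86400}}}

# Constructed: empty targets, severities given as a string, aggregation on a signal rule.
CONSTRUCTED_BAD = {"data": {"type": "notification_rules", "attributes": {
    "name": "Signals to SOC",
    "selectors": {"trigger_source": "security_signals", "severities": "critical"},
    "targets": [], "time_aggregation": 3600}}}


def _is_str_list(value):
    return isinstance(value, list) and all(isinstance(v, str) and v for v in value)


def validate_create_request(body):
    """Return a list of problems; an empty list means the body fits the documented model."""
    data = body.get("data") if isinstance(body, dict) else None
    if not isinstance(data, dict):
        return ["data: required object is missing"]
    problems = []
    if data.get("type") != "notification_rules":
        problems.append("data.type: must be 'notification_rules'")
    attrs = data.get("attributes")
    if not isinstance(attrs, dict):
        return problems + ["data.attributes: required object is missing"]

    name = attrs.get("name")
    if not isinstance(name, str) or not name.strip():
        problems.append("attributes.name: required non-empty string")
    if "enabled" in attrs and not isinstance(attrs["enabled"], bool):
        problems.append("attributes.enabled: must be a boolean")

    # Local policy (assumption, stricter than the model table): an empty
    # targets list is rejected because such a rule would notify nobody.
    targets = attrs.get("targets")
    if not _is_str_list(targets) or not targets:
        problems.append("attributes.targets: required non-empty list of strings")

    source = None
    selectors = attrs.get("selectors")
    if not isinstance(selectors, dict):
        problems.append("attributes.selectors: required object is missing")
    else:
        raw = selectors.get("trigger_source")
        if isinstance(raw, str) and raw in ALLOWED_TRIGGER_SOURCES:
            source = raw
        else:
            problems.append("selectors.trigger_source: must be one of "
                            + ", ".join(sorted(ALLOWED_TRIGGER_SOURCES)))
        if "query" in selectors and not isinstance(selectors["query"], str):
            problems.append("selectors.query: must be a string")
        for key in ("rule_types", "severities"):
            if key in selectors and not _is_str_list(selectors[key]):
                problems.append("selectors." + key + ": must be a list of strings")

    # time_aggregation is documented as available only for vulnerability-based
    # rules, which use trigger_source "security_findings".
    agg = attrs.get("time_aggregation", 0)
    if isinstance(agg, bool) or not isinstance(agg, int) or agg < 0:
        problems.append("attributes.time_aggregation: must be a non-negative integer (seconds)")
    elif agg > 0 and source == "security_signals":
        problems.append("attributes.time_aggregation: only valid with trigger_source 'security_findings'")
    return problems


if __name__ == "__main__":
    print(validate_create_request(PAGE_EXAMPLE))
    print("\n".join(validate_create_request(CONSTRUCTED_BAD)))
```
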

### Response

{% tab title="201" %}
Successfully created the notification rule.
{% tab title="Model" %}
Response object which includes a notification rule.

| Parent field | Field                            | Type     | Description                                                                                                                                                                                                                                                                                                                                                                                                                            |
| ------------ | -------------------------------- | -------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|              | data                             | object   | Notification rules allow full control over notifications generated by the various Datadog security products. They allow users to define the conditions under which a notification should be generated (based on rule severities, rule types, rule tags, and so on), and the targets to notify. A notification rule is composed of a rule ID, a rule type, and the rule attributes. All fields are required.                            |
| data         | attributes [*required*]     | object   | Attributes of the notification rule.                                                                                                                                                                                                                                                                                                                                                                                                   |
| attributes   | created_at [*required*]     | int64    | Date as Unix timestamp in milliseconds.                                                                                                                                                                                                                                                                                                                                                                                                |
| attributes   | created_by [*required*]     | object   | User creating or modifying a rule.                                                                                                                                                                                                                                                                                                                                                                                                     |
| created_by   | handle                           | string   | The user handle.                                                                                                                                                                                                                                                                                                                                                                                                                       |
| created_by   | name                             | string   | The user name.                                                                                                                                                                                                                                                                                                                                                                                                                         |
| attributes   | enabled [*required*]        | boolean  | Field used to enable or disable the rule.                                                                                                                                                                                                                                                                                                                                                                                              |
| attributes   | modified_at [*required*]    | int64    | Date as Unix timestamp in milliseconds.                                                                                                                                                                                                                                                                                                                                                                                                |
| attributes   | modified_by [*required*]    | object   | User creating or modifying a rule.                                                                                                                                                                                                                                                                                                                                                                                                     |
| modified_by  | handle                           | string   | The user handle.                                                                                                                                                                                                                                                                                                                                                                                                                       |
| modified_by  | name                             | string   | The user name.                                                                                                                                                                                                                                                                                                                                                                                                                         |
| attributes   | name [*required*]           | string   | Name of the notification rule.                                                                                                                                                                                                                                                                                                                                                                                                         |
| attributes   | selectors [*required*]      | object   | Selectors are used to filter security issues for which notifications should be generated. Users can specify rule severities, rule types, a query to filter security issues on tags and attributes, and the trigger source. Only the trigger_source field is required.                                                                                                                                                                  |
| selectors    | query                            | string   | The query is composed of one or several key:value pairs, which can be used to filter security issues on tags and attributes.                                                                                                                                                                                                                                                                                                           |
| selectors    | rule_types                       | [string] | Security rule types used as filters in security rules.                                                                                                                                                                                                                                                                                                                                                                                 |
| selectors    | severities                       | [string] | The security rules severities to consider.                                                                                                                                                                                                                                                                                                                                                                                             |
| selectors    | trigger_source [*required*] | enum     | The type of security issues on which the rule applies. Notification rules based on security signals need to use the trigger source "security_signals", while notification rules based on security vulnerabilities need to use the trigger source "security_findings". Allowed enum values: `security_findings,security_signals`                                                                                                        |
| attributes   | targets [*required*]        | [string] | List of recipients to notify when a notification rule is triggered. Many different target types are supported, such as email addresses, Slack channels, and PagerDuty services. The appropriate integrations need to be properly configured to send notifications to the specified targets.                                                                                                                                            |
| attributes   | time_aggregation                 | int64    | Time aggregation period (in seconds) is used to aggregate the results of the notification rule evaluation. Results are aggregated over a selected time frame using a rolling window, which updates with each new evaluation. Notifications are only sent for new issues discovered during the window. Time aggregation is only available for vulnerability-based notification rules. When omitted or set to 0, no aggregation is done. |
| attributes   | version [*required*]        | int64    | Version of the notification rule. It is updated when the rule is modified.                                                                                                                                                                                                                                                                                                                                                             |
| data         | id [*required*]             | string   | The ID of a notification rule.                                                                                                                                                                                                                                                                                                                                                                                                         |
| data         | type [*required*]           | enum     | The rule type associated to notification rules. Allowed enum values: `notification_rules`                                                                                                                                                                                                                                                                                                                                              |

{% /tab %}

{% tab title="Example" %}

```json
{
  "data": {
    "attributes": {
      "created_at": 1722439510282,
      "created_by": {
        "handle": "john.doe@domain.com",
        "name": "John Doe"
      },
      "enabled": true,
      "modified_at": 1722439510282,
      "modified_by": {
        "handle": "john.doe@domain.com",
        "name": "John Doe"
      },
      "name": "Rule 1",
      "selectors": {
        "query": "(source:production_service OR env:prod)",
        "rule_types": [
          "misconfiguration",
          "attack_path"
        ],
        "severities": [
          "critical"
        ],
        "trigger_source": "security_findings"
      },
      "targets": [
        "@john.doe@email.com"
      ],
      "time_aggregation": 86400,
      "version": 1
    },
    "id": "aaa-bbb-ccc",
    "type": "notification_rules"
  }
}
```

{% /tab %}

{% /tab %}

{% tab title="400" %}
Bad Request
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="403" %}
Forbidden
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="429" %}
Too many requests
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

### Code Example

```shell
# Curl command
# Replace api.datadoghq.com with the API host of your Datadog site:
# api.ap1.datadoghq.com, api.ap2.datadoghq.com, api.datadoghq.eu,
# api.ddog-gov.com, api.us3.datadoghq.com or api.us5.datadoghq.com.
curl -X POST "https://api.datadoghq.com/api/v2/security/signals/notification_rules" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "data": {
    "attributes": {
      "enabled": true,
      "name": "Rule 1",
      "selectors": {
        "query": "(source:production_service OR env:prod)",
        "rule_types": [
          "misconfiguration",
          "attack_path"
        ],
        "severities": [
          "critical"
        ],
        "trigger_source": "security_findings"
      },
      "targets": [
        "@john.doe@email.com"
      ],
      "time_aggregation": 86400
    },
    "type": "notification_rules"
  }
}
EOF
```

```go
// Create a new signal-based notification rule returns "Successfully created the notification rule." response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	body := datadogV2.CreateNotificationRuleParameters{
		Data: &datadogV2.CreateNotificationRuleParametersData{
			Attributes: datadogV2.CreateNotificationRuleParametersDataAttributes{
				Enabled: datadog.PtrBool(true),
				Name:    "Rule 1",
				Selectors: datadogV2.Selectors{
					Query: datadog.PtrString("(source:production_service OR env:prod)"),
					RuleTypes: []datadogV2.RuleTypesItems{
						datadogV2.RULETYPESITEMS_MISCONFIGURATION,
						datadogV2.RULETYPESITEMS_ATTACK_PATH,
					},
					Severities: []datadogV2.RuleSeverity{
						datadogV2.RULESEVERITY_CRITICAL,
					},
					TriggerSource: datadogV2.TRIGGERSOURCE_SECURITY_FINDINGS,
				},
				Targets: []string{
					"@john.doe@email.com",
				},
				TimeAggregation: datadog.PtrInt64(86400),
			},
			Type: datadogV2.NOTIFICATIONRULESTYPE_NOTIFICATION_RULES,
		},
	}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.CreateSignalNotificationRule(ctx, body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.CreateSignalNotificationRule`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.CreateSignalNotificationRule`:\n%s\n", responseContent)
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=go), then save the example to `main.go` and run the following command. Set `DD_SITE` to your Datadog site: `datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`.

```shell
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
```

```java
// Create a new signal-based notification rule returns "Successfully created the notification rule."
// response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.CreateNotificationRuleParameters;
import com.datadog.api.client.v2.model.CreateNotificationRuleParametersData;
import com.datadog.api.client.v2.model.CreateNotificationRuleParametersDataAttributes;
import com.datadog.api.client.v2.model.NotificationRuleResponse;
import com.datadog.api.client.v2.model.NotificationRulesType;
import com.datadog.api.client.v2.model.RuleSeverity;
import com.datadog.api.client.v2.model.RuleTypesItems;
import com.datadog.api.client.v2.model.Selectors;
import com.datadog.api.client.v2.model.TriggerSource;
import java.util.Arrays;
import java.util.Collections;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    CreateNotificationRuleParameters body =
        new CreateNotificationRuleParameters()
            .data(
                new CreateNotificationRuleParametersData()
                    .attributes(
                        new CreateNotificationRuleParametersDataAttributes()
                            .enabled(true)
                            .name("Rule 1")
                            .selectors(
                                new Selectors()
                                    .query("(source:production_service OR env:prod)")
                                    .ruleTypes(
                                        Arrays.asList(
                                            RuleTypesItems.MISCONFIGURATION,
                                            RuleTypesItems.ATTACK_PATH))
                                    .severities(Collections.singletonList(RuleSeverity.CRITICAL))
                                    .triggerSource(TriggerSource.SECURITY_FINDINGS))
                            .targets(Collections.singletonList("@john.doe@email.com"))
                            .timeAggregation(86400L))
                    .type(NotificationRulesType.NOTIFICATION_RULES));

    try {
      NotificationRuleResponse result = apiInstance.createSignalNotificationRule(body);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#createSignalNotificationRule");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=java), then save the example to `Example.java` and run the following command. Set `DD_SITE` to your Datadog site: `datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`.

```shell
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"
```

```python
"""
Create a new signal-based notification rule returns "Successfully created the notification rule." response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.create_notification_rule_parameters import CreateNotificationRuleParameters
from datadog_api_client.v2.model.create_notification_rule_parameters_data import CreateNotificationRuleParametersData
from datadog_api_client.v2.model.create_notification_rule_parameters_data_attributes import (
    CreateNotificationRuleParametersDataAttributes,
)
from datadog_api_client.v2.model.notification_rules_type import NotificationRulesType
from datadog_api_client.v2.model.rule_severity import RuleSeverity
from datadog_api_client.v2.model.rule_types_items import RuleTypesItems
from datadog_api_client.v2.model.selectors import Selectors
from datadog_api_client.v2.model.trigger_source import TriggerSource

body = CreateNotificationRuleParameters(
    data=CreateNotificationRuleParametersData(
        attributes=CreateNotificationRuleParametersDataAttributes(
            enabled=True,
            name="Rule 1",
            selectors=Selectors(
                query="(source:production_service OR env:prod)",
                rule_types=[
                    RuleTypesItems.MISCONFIGURATION,
                    RuleTypesItems.ATTACK_PATH,
                ],
                severities=[
                    RuleSeverity.CRITICAL,
                ],
                trigger_source=TriggerSource.SECURITY_FINDINGS,
            ),
            targets=[
                "@john.doe@email.com",
            ],
            time_aggregation=86400,
        ),
        type=NotificationRulesType.NOTIFICATION_RULES,
    ),
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.create_signal_notification_rule(body=body)

    print(response)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=python), then save the example to `example.py` and run the following command. Set `DD_SITE` to your Datadog site: `datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`.

```shell
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
```

```ruby
# Create a new signal-based notification rule returns "Successfully created the notification rule." response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

body = DatadogAPIClient::V2::CreateNotificationRuleParameters.new({
  data: DatadogAPIClient::V2::CreateNotificationRuleParametersData.new({
    attributes: DatadogAPIClient::V2::CreateNotificationRuleParametersDataAttributes.new({
      enabled: true,
      name: "Rule 1",
      selectors: DatadogAPIClient::V2::Selectors.new({
        query: "(source:production_service OR env:prod)",
        rule_types: [
          DatadogAPIClient::V2::RuleTypesItems::MISCONFIGURATION,
          DatadogAPIClient::V2::RuleTypesItems::ATTACK_PATH,
        ],
        severities: [
          DatadogAPIClient::V2::RuleSeverity::CRITICAL,
        ],
        trigger_source: DatadogAPIClient::V2::TriggerSource::SECURITY_FINDINGS,
      }),
      targets: [
        "@john.doe@email.com",
      ],
      time_aggregation: 86400,
    }),
    type: DatadogAPIClient::V2::NotificationRulesType::NOTIFICATION_RULES,
  }),
})
p api_instance.create_signal_notification_rule(body)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=ruby), then save the example to `example.rb` and run the following command. Set `DD_SITE` to your Datadog site: `datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`.

```shell
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" ruby "example.rb"
```

```rust
// Create a new signal-based notification rule returns "Successfully created the
// notification rule." response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::CreateNotificationRuleParameters;
use datadog_api_client::datadogV2::model::CreateNotificationRuleParametersData;
use datadog_api_client::datadogV2::model::CreateNotificationRuleParametersDataAttributes;
use datadog_api_client::datadogV2::model::NotificationRulesType;
use datadog_api_client::datadogV2::model::RuleSeverity;
use datadog_api_client::datadogV2::model::RuleTypesItems;
use datadog_api_client::datadogV2::model::Selectors;
use datadog_api_client::datadogV2::model::TriggerSource;

#[tokio::main]
async fn main() {
    let body =
        CreateNotificationRuleParameters::new().data(CreateNotificationRuleParametersData::new(
            CreateNotificationRuleParametersDataAttributes::new(
                "Rule 1".to_string(),
                Selectors::new(TriggerSource::SECURITY_FINDINGS)
                    .query("(source:production_service OR env:prod)".to_string())
                    .rule_types(vec![
                        RuleTypesItems::MISCONFIGURATION,
                        RuleTypesItems::ATTACK_PATH,
                    ])
                    .severities(vec![RuleSeverity::CRITICAL]),
                vec!["@john.doe@email.com".to_string()],
            )
            .enabled(true)
            .time_aggregation(86400),
            NotificationRulesType::NOTIFICATION_RULES,
        ));
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api.create_signal_notification_rule(body).await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=rust), then save the example to `src/main.rs` and run the following command. Set `DD_SITE` to your Datadog site: `datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`.

```shell
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run
```

```typescript
/**
 * Create a new signal-based notification rule returns "Successfully created the notification rule." response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiCreateSignalNotificationRuleRequest = {
  body: {
    data: {
      attributes: {
        enabled: true,
        name: "Rule 1",
        selectors: {
          query: "(source:production_service OR env:prod)",
          ruleTypes: ["misconfiguration", "attack_path"],
          severities: ["critical"],
          triggerSource: "security_findings",
        },
        targets: ["@john.doe@email.com"],
        timeAggregation: 86400,
      },
      type: "notification_rules",
    },
  },
};

apiInstance
  .createSignalNotificationRule(params)
  .then((data: v2.NotificationRuleResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=typescript), then save the example to `example.ts` and run the following command. Set `DD_SITE` to your Datadog site: `datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`.

```shell
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"
```
{% /tab %}

## Get details of a signal-based notification rule{% #get-details-of-a-signal-based-notification-rule %}

{% tab title="v2" %}

| Datadog site      | API endpoint                                                                      |
| ----------------- | --------------------------------------------------------------------------------- |
| ap1.datadoghq.com | GET https://api.ap1.datadoghq.com/api/v2/security/signals/notification_rules/{id} |
| ap2.datadoghq.com | GET https://api.ap2.datadoghq.com/api/v2/security/signals/notification_rules/{id} |
| app.datadoghq.eu  | GET https://api.datadoghq.eu/api/v2/security/signals/notification_rules/{id}      |
| app.ddog-gov.com  | GET https://api.ddog-gov.com/api/v2/security/signals/notification_rules/{id}      |
| app.datadoghq.com | GET https://api.datadoghq.com/api/v2/security/signals/notification_rules/{id}     |
| us3.datadoghq.com | GET https://api.us3.datadoghq.com/api/v2/security/signals/notification_rules/{id} |
| us5.datadoghq.com | GET https://api.us5.datadoghq.com/api/v2/security/signals/notification_rules/{id} |

### Overview

Get the details of a notification rule for security signals. This endpoint requires the `security_monitoring_notification_profiles_read` permission.

### Arguments

#### Path Parameters

| Name                 | Type   | Description                  |
| -------------------- | ------ | ---------------------------- |
| id [*required*] | string | ID of the notification rule. |

### Response

{% tab title="200" %}
Notification rule details.
{% tab title="Model" %}
Response object which includes a notification rule.

| Parent field | Field                            | Type     | Description                                                                                                                                                                                                                                                                                                                                                                                                                            |
| ------------ | -------------------------------- | -------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|              | data                             | object   | Notification rules allow full control over notifications generated by the various Datadog security products. They allow users to define the conditions under which a notification should be generated (based on rule severities, rule types, rule tags, and so on), and the targets to notify. A notification rule is composed of a rule ID, a rule type, and the rule attributes. All fields are required.                            |
| data         | attributes [*required*]     | object   | Attributes of the notification rule.                                                                                                                                                                                                                                                                                                                                                                                                   |
| attributes   | created_at [*required*]     | int64    | Date as Unix timestamp in milliseconds.                                                                                                                                                                                                                                                                                                                                                                                                |
| attributes   | created_by [*required*]     | object   | User creating or modifying a rule.                                                                                                                                                                                                                                                                                                                                                                                                     |
| created_by   | handle                           | string   | The user handle.                                                                                                                                                                                                                                                                                                                                                                                                                       |
| created_by   | name                             | string   | The user name.                                                                                                                                                                                                                                                                                                                                                                                                                         |
| attributes   | enabled [*required*]        | boolean  | Field used to enable or disable the rule.                                                                                                                                                                                                                                                                                                                                                                                              |
| attributes   | modified_at [*required*]    | int64    | Date as Unix timestamp in milliseconds.                                                                                                                                                                                                                                                                                                                                                                                                |
| attributes   | modified_by [*required*]    | object   | User creating or modifying a rule.                                                                                                                                                                                                                                                                                                                                                                                                     |
| modified_by  | handle                           | string   | The user handle.                                                                                                                                                                                                                                                                                                                                                                                                                       |
| modified_by  | name                             | string   | The user name.                                                                                                                                                                                                                                                                                                                                                                                                                         |
| attributes   | name [*required*]           | string   | Name of the notification rule.                                                                                                                                                                                                                                                                                                                                                                                                         |
| attributes   | selectors [*required*]      | object   | Selectors are used to filter security issues for which notifications should be generated. Users can specify rule severities, rule types, a query to filter security issues on tags and attributes, and the trigger source. Only the trigger_source field is required.                                                                                                                                                                  |
| selectors    | query                            | string   | The query is composed of one or several key:value pairs, which can be used to filter security issues on tags and attributes.                                                                                                                                                                                                                                                                                                           |
| selectors    | rule_types                       | [string] | Security rule types used as filters in security rules.                                                                                                                                                                                                                                                                                                                                                                                 |
| selectors    | severities                       | [string] | The security rules severities to consider.                                                                                                                                                                                                                                                                                                                                                                                             |
| selectors    | trigger_source [*required*] | enum     | The type of security issues on which the rule applies. Notification rules based on security signals need to use the trigger source "security_signals", while notification rules based on security vulnerabilities need to use the trigger source "security_findings". Allowed enum values: `security_findings,security_signals`                                                                                                        |
| attributes   | targets [*required*]        | [string] | List of recipients to notify when a notification rule is triggered. Many different target types are supported, such as email addresses, Slack channels, and PagerDuty services. The appropriate integrations need to be properly configured to send notifications to the specified targets.                                                                                                                                            |
| attributes   | time_aggregation                 | int64    | Time aggregation period (in seconds) is used to aggregate the results of the notification rule evaluation. Results are aggregated over a selected time frame using a rolling window, which updates with each new evaluation. Notifications are only sent for new issues discovered during the window. Time aggregation is only available for vulnerability-based notification rules. When omitted or set to 0, no aggregation is done. |
| attributes   | version [*required*]        | int64    | Version of the notification rule. It is updated when the rule is modified.                                                                                                                                                                                                                                                                                                                                                             |
| data         | id [*required*]             | string   | The ID of a notification rule.                                                                                                                                                                                                                                                                                                                                                                                                         |
| data         | type [*required*]           | enum     | The rule type associated to notification rules. Allowed enum values: `notification_rules`                                                                                                                                                                                                                                                                                                                                              |

{% /tab %}

{% tab title="Example" %}

```json
{
  "data": {
    "attributes": {
      "created_at": 1722439510282,
      "created_by": {
        "handle": "john.doe@domain.com",
        "name": "John Doe"
      },
      "enabled": true,
      "modified_at": 1722439510282,
      "modified_by": {
        "handle": "john.doe@domain.com",
        "name": "John Doe"
      },
      "name": "Rule 1",
      "selectors": {
        "query": "(source:production_service OR env:prod)",
        "rule_types": [
          "misconfiguration",
          "attack_path"
        ],
        "severities": [
          "critical"
        ],
        "trigger_source": "security_findings"
      },
      "targets": [
        "@john.doe@email.com"
      ],
      "time_aggregation": 86400,
      "version": 1
    },
    "id": "aaa-bbb-ccc",
    "type": "notification_rules"
  }
}
```

{% /tab %}

{% /tab %}

{% tab title="400" %}
Bad Request
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="403" %}
Forbidden
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="404" %}
Not Found
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="429" %}
Too many requests
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}
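An added example (not Datadog's code) that checks a notification rule body, such as the 200 response above, against the constraints the model table states: required fields, the `trigger_source` enum, and `time_aggregation` applying only to vulnerability-based rules. The name `lint_notification_rule`, the `signal_based` flag, the non-negative and non-empty checks, and the disabled-rule finding are assumptions of this example; the second sample is constructed.

```python
import copy
import json

# Allowed values and required fields, taken from the response model table.
TRIGGER_SOURCES = {"security_findings", "security_signals"}
REQUIRED_ATTRS = ("created_at", "created_by", "enabled", "modified_at",
                  "modified_by", "name", "selectors", "targets", "version")


def lint_notification_rule(doc, signal_based=True):
    """Return a list of findings for one notification rule response body.

    signal_based=True means the rule was read from the
    /api/v2/security/signals/notification_rules endpoint.
    """
    findings = []
    data = doc.get("data")
    if not isinstance(data, dict):
        return ["data: missing or not an object"]
    if data.get("type") != "notification_rules":
        findings.append("data.type: expected 'notification_rules'")
    if not isinstance(data.get("id"), str) or not data.get("id"):
        findings.append("data.id: missing or empty")

    attrs = data.get("attributes")
    if not isinstance(attrs, dict):
        return findings + ["data.attributes: missing or not an object"]
    for key in REQUIRED_ATTRS:
        if key not in attrs:
            findings.append(f"attributes.{key}: required field missing")

    selectors = attrs.get("selectors")
    if not isinstance(selectors, dict):
        selectors = {}
    source = selectors.get("trigger_source")
    if source not in TRIGGER_SOURCES:
        findings.append("selectors.trigger_source: missing or not an allowed value")
    elif signal_based and source != "security_signals":
        findings.append("selectors.trigger_source: signal-based rules use 'security_signals'")

    # Optional field; absent or 0 means no aggregation.
    # Assumption: negative values are never meaningful.
    agg = attrs.get("time_aggregation", 0)
    if isinstance(agg, bool) or not isinstance(agg, int) or agg < 0:
        findings.append("attributes.time_aggregation: must be a non-negative integer")
    elif agg > 0 and source != "security_findings":
        findings.append("attributes.time_aggregation: only for vulnerability-based rules")

    # Assumption: a rule with no recipients is a misconfiguration.
    targets = attrs.get("targets")
    if (not isinstance(targets, list) or not targets
            or not all(isinstance(t, str) and t for t in targets)):
        findings.append("attributes.targets: need at least one non-empty string")

    # Audit heuristic added here: a disabled rule silently sends nothing.
    if attrs.get("enabled") is False:
        findings.append("attributes.enabled: rule is disabled, nothing is sent")
    return findings


# The example response body shown on this page.
PAGE_EXAMPLE = json.loads("""
{
  "data": {
    "attributes": {
      "created_at": 1722439510282,
      "created_by": {"handle": "john.doe@domain.com", "name": "John Doe"},
      "enabled": true,
      "modified_at": 1722439510282,
      "modified_by": {"handle": "john.doe@domain.com", "name": "John Doe"},
      "name": "Rule 1",
      "selectors": {
        "query": "(source:production_service OR env:prod)",
        "rule_types": ["misconfiguration", "attack_path"],
        "severities": ["critical"],
        "trigger_source": "security_findings"
      },
      "targets": ["@john.doe@email.com"],
      "time_aggregation": 86400,
      "version": 1
    },
    "id": "aaa-bbb-ccc",
    "type": "notification_rules"
  }
}
""")

# Constructed sample: a signal rule that is disabled, has no targets,
# lacks "version", and still carries a time_aggregation value.
CONSTRUCTED_RULE = copy.deepcopy(PAGE_EXAMPLE)
sample_attrs = CONSTRUCTED_RULE["data"]["attributes"]
sample_attrs["selectors"]["trigger_source"] = "security_signals"
sample_attrs["enabled"] = False
sample_attrs["targets"] = []
del sample_attrs["version"]

if __name__ == "__main__":
    for label, body in (("page example", PAGE_EXAMPLE), ("constructed", CONSTRUCTED_RULE)):
        for finding in lint_notification_rule(body):
            print(f"{label}: {finding}")
```

Linted as a signal-based rule, the page's example body yields one finding, because its `trigger_source` is `security_findings`.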

### Code Example

```shell
# Path parameters
export id="CHANGE_ME"
# Curl command
# Replace api.datadoghq.com with the API host of your Datadog site (see the endpoint table above).
curl -X GET "https://api.datadoghq.com/api/v2/security/signals/notification_rules/${id}" \
-H "Accept: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"
```

```python
"""
Get details of a signal-based notification rule returns "Notification rule details." response
"""

from os import environ
from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi

# there is a valid "valid_signal_notification_rule" in the system
VALID_SIGNAL_NOTIFICATION_RULE_DATA_ID = environ["VALID_SIGNAL_NOTIFICATION_RULE_DATA_ID"]

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.get_signal_notification_rule(
        id=VALID_SIGNAL_NOTIFICATION_RULE_DATA_ID,
    )

    print(response)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=python), then save the example to `example.py` and run the following command, with `DD_SITE` set to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
```

```ruby
# Get details of a signal-based notification rule returns "Notification rule details." response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

# there is a valid "valid_signal_notification_rule" in the system
VALID_SIGNAL_NOTIFICATION_RULE_DATA_ID = ENV["VALID_SIGNAL_NOTIFICATION_RULE_DATA_ID"]
p api_instance.get_signal_notification_rule(VALID_SIGNAL_NOTIFICATION_RULE_DATA_ID)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=ruby), then save the example to `example.rb` and run the following command, with `DD_SITE` set to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" ruby "example.rb"
```

```go
// Get details of a signal-based notification rule returns "Notification rule details." response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	// there is a valid "valid_signal_notification_rule" in the system
	ValidSignalNotificationRuleDataID := os.Getenv("VALID_SIGNAL_NOTIFICATION_RULE_DATA_ID")

	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.GetSignalNotificationRule(ctx, ValidSignalNotificationRuleDataID)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.GetSignalNotificationRule`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.GetSignalNotificationRule`:\n%s\n", responseContent)
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=go), then save the example to `main.go` and run the following command, with `DD_SITE` set to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
```

```java
// Get details of a signal-based notification rule returns "Notification rule details." response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.NotificationRuleResponse;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    // there is a valid "valid_signal_notification_rule" in the system
    String VALID_SIGNAL_NOTIFICATION_RULE_DATA_ID =
        System.getenv("VALID_SIGNAL_NOTIFICATION_RULE_DATA_ID");

    try {
      NotificationRuleResponse result =
          apiInstance.getSignalNotificationRule(VALID_SIGNAL_NOTIFICATION_RULE_DATA_ID);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println("Exception when calling SecurityMonitoringApi#getSignalNotificationRule");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=java), then save the example to `Example.java` and run the following command, with `DD_SITE` set to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"
```

```rust
// Get details of a signal-based notification rule returns "Notification rule
// details." response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;

#[tokio::main]
async fn main() {
    // there is a valid "valid_signal_notification_rule" in the system
    let valid_signal_notification_rule_data_id =
        std::env::var("VALID_SIGNAL_NOTIFICATION_RULE_DATA_ID").unwrap();
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api
        .get_signal_notification_rule(valid_signal_notification_rule_data_id.clone())
        .await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=rust), then save the example to `src/main.rs` and run the following command, with `DD_SITE` set to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run
```

```typescript
/**
 * Get details of a signal-based notification rule returns "Notification rule details." response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

// there is a valid "valid_signal_notification_rule" in the system
const VALID_SIGNAL_NOTIFICATION_RULE_DATA_ID = process.env
  .VALID_SIGNAL_NOTIFICATION_RULE_DATA_ID as string;

const params: v2.SecurityMonitoringApiGetSignalNotificationRuleRequest = {
  id: VALID_SIGNAL_NOTIFICATION_RULE_DATA_ID,
};

apiInstance
  .getSignalNotificationRule(params)
  .then((data: v2.NotificationRuleResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=typescript), then save the example to `example.ts` and run the following command, with `DD_SITE` set to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"
```
{% /tab %}

## Delete a signal-based notification rule{% #delete-a-signal-based-notification-rule %}

{% tab title="v2" %}

| Datadog site      | API endpoint                                                                         |
| ----------------- | ------------------------------------------------------------------------------------ |
| ap1.datadoghq.com | DELETE https://api.ap1.datadoghq.com/api/v2/security/signals/notification_rules/{id} |
| ap2.datadoghq.com | DELETE https://api.ap2.datadoghq.com/api/v2/security/signals/notification_rules/{id} |
| app.datadoghq.eu  | DELETE https://api.datadoghq.eu/api/v2/security/signals/notification_rules/{id}      |
| app.ddog-gov.com  | DELETE https://api.ddog-gov.com/api/v2/security/signals/notification_rules/{id}      |
| app.datadoghq.com | DELETE https://api.datadoghq.com/api/v2/security/signals/notification_rules/{id}     |
| us3.datadoghq.com | DELETE https://api.us3.datadoghq.com/api/v2/security/signals/notification_rules/{id} |
| us5.datadoghq.com | DELETE https://api.us5.datadoghq.com/api/v2/security/signals/notification_rules/{id} |

### Overview

Delete a notification rule for security signals. This endpoint requires the `security_monitoring_notification_profiles_write` permission.

### Arguments

#### Path Parameters

| Name                 | Type   | Description                  |
| -------------------- | ------ | ---------------------------- |
| id [*required*] | string | ID of the notification rule. |

### Response

{% tab title="204" %}
Rule successfully deleted.
{% /tab %}

{% tab title="403" %}
Forbidden
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="404" %}
Not Found
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="429" %}
Too many requests
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

### Code Example

```bash
# Path parameters
export id="CHANGE_ME"
# Curl command
# Replace api.datadoghq.com with the API host for your Datadog site
# (see the endpoint table above).
curl -X DELETE "https://api.datadoghq.com/api/v2/security/signals/notification_rules/${id}" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"
```

```python
"""
Delete a signal-based notification rule returns "Rule successfully deleted." response
"""

from os import environ
from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi

# there is a valid "valid_signal_notification_rule" in the system
VALID_SIGNAL_NOTIFICATION_RULE_DATA_ID = environ["VALID_SIGNAL_NOTIFICATION_RULE_DATA_ID"]

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    api_instance.delete_signal_notification_rule(
        id=VALID_SIGNAL_NOTIFICATION_RULE_DATA_ID,
    )
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=python), then save the example to `example.py` and run the following command, with `DD_SITE` set to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
```

```ruby
# Delete a signal-based notification rule returns "Rule successfully deleted." response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

# there is a valid "valid_signal_notification_rule" in the system
VALID_SIGNAL_NOTIFICATION_RULE_DATA_ID = ENV["VALID_SIGNAL_NOTIFICATION_RULE_DATA_ID"]
api_instance.delete_signal_notification_rule(VALID_SIGNAL_NOTIFICATION_RULE_DATA_ID)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=ruby), then save the example to `example.rb` and run the following command, with `DD_SITE` set to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" ruby "example.rb"
```

```go
// Delete a signal-based notification rule returns "Rule successfully deleted." response

package main

import (
	"context"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	// there is a valid "valid_signal_notification_rule" in the system
	ValidSignalNotificationRuleDataID := os.Getenv("VALID_SIGNAL_NOTIFICATION_RULE_DATA_ID")

	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	r, err := api.DeleteSignalNotificationRule(ctx, ValidSignalNotificationRuleDataID)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.DeleteSignalNotificationRule`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=go), then save the example to `main.go` and run the following command, with `DD_SITE` set to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
```

```java
// Delete a signal-based notification rule returns "Rule successfully deleted." response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    // there is a valid "valid_signal_notification_rule" in the system
    String VALID_SIGNAL_NOTIFICATION_RULE_DATA_ID =
        System.getenv("VALID_SIGNAL_NOTIFICATION_RULE_DATA_ID");

    try {
      apiInstance.deleteSignalNotificationRule(VALID_SIGNAL_NOTIFICATION_RULE_DATA_ID);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#deleteSignalNotificationRule");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=java), then save the example to `Example.java` and run the following command, with `DD_SITE` set to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"
```

```rust
// Delete a signal-based notification rule returns "Rule successfully deleted."
// response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;

#[tokio::main]
async fn main() {
    // there is a valid "valid_signal_notification_rule" in the system
    let valid_signal_notification_rule_data_id =
        std::env::var("VALID_SIGNAL_NOTIFICATION_RULE_DATA_ID").unwrap();
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api
        .delete_signal_notification_rule(valid_signal_notification_rule_data_id.clone())
        .await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=rust), then save the example to `src/main.rs` and run the following command, with `DD_SITE` set to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run
```

```typescript
/**
 * Delete a signal-based notification rule returns "Rule successfully deleted." response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

// there is a valid "valid_signal_notification_rule" in the system
const VALID_SIGNAL_NOTIFICATION_RULE_DATA_ID = process.env
  .VALID_SIGNAL_NOTIFICATION_RULE_DATA_ID as string;

const params: v2.SecurityMonitoringApiDeleteSignalNotificationRuleRequest = {
  id: VALID_SIGNAL_NOTIFICATION_RULE_DATA_ID,
};

apiInstance
  .deleteSignalNotificationRule(params)
  .then((data: any) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=typescript), then save the example to `example.ts` and run the following command, with `DD_SITE` set to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"
```
{% /tab %}

## Patch a signal-based notification rule{% #patch-a-signal-based-notification-rule %}

{% tab title="v2" %}

| Datadog site      | API endpoint                                                                        |
| ----------------- | ----------------------------------------------------------------------------------- |
| ap1.datadoghq.com | PATCH https://api.ap1.datadoghq.com/api/v2/security/signals/notification_rules/{id} |
| ap2.datadoghq.com | PATCH https://api.ap2.datadoghq.com/api/v2/security/signals/notification_rules/{id} |
| app.datadoghq.eu  | PATCH https://api.datadoghq.eu/api/v2/security/signals/notification_rules/{id}      |
| app.ddog-gov.com  | PATCH https://api.ddog-gov.com/api/v2/security/signals/notification_rules/{id}      |
| app.datadoghq.com | PATCH https://api.datadoghq.com/api/v2/security/signals/notification_rules/{id}     |
| us3.datadoghq.com | PATCH https://api.us3.datadoghq.com/api/v2/security/signals/notification_rules/{id} |
| us5.datadoghq.com | PATCH https://api.us5.datadoghq.com/api/v2/security/signals/notification_rules/{id} |

### Overview

Partially update the notification rule. All fields are optional; if a field is not provided, it is not updated. This endpoint requires the `security_monitoring_notification_profiles_write` permission.

### Arguments

#### Path Parameters

| Name                 | Type   | Description                  |
| -------------------- | ------ | ---------------------------- |
| id [*required*] | string | ID of the notification rule. |

### Request

#### Body Data (required)



{% tab title="Model" %}

| Parent field | Field                            | Type     | Description                                                                                                                                                                                                                                                                                                                                                                                                                            |
| ------------ | -------------------------------- | -------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|              | data                             | object   | Data of the notification rule patch request: the rule ID, the rule type, and the rule attributes. All fields are required.                                                                                                                                                                                                                                                                                                             |
| data         | attributes [*required*]     | object   | Attributes of the notification rule patch request. It is required to update the version of the rule when patching it.                                                                                                                                                                                                                                                                                                                  |
| attributes   | enabled                          | boolean  | Field used to enable or disable the rule.                                                                                                                                                                                                                                                                                                                                                                                              |
| attributes   | name                             | string   | Name of the notification rule.                                                                                                                                                                                                                                                                                                                                                                                                         |
| attributes   | selectors                        | object   | Selectors are used to filter security issues for which notifications should be generated. Users can specify rule severities, rule types, a query to filter security issues on tags and attributes, and the trigger source. Only the trigger_source field is required.                                                                                                                                                                  |
| selectors    | query                            | string   | The query is composed of one or several key:value pairs, which can be used to filter security issues on tags and attributes.                                                                                                                                                                                                                                                                                                           |
| selectors    | rule_types                       | [string] | Security rule types used as filters in security rules.                                                                                                                                                                                                                                                                                                                                                                                 |
| selectors    | severities                       | [string] | The security rules severities to consider.                                                                                                                                                                                                                                                                                                                                                                                             |
| selectors    | trigger_source [*required*] | enum     | The type of security issues on which the rule applies. Notification rules based on security signals need to use the trigger source "security_signals", while notification rules based on security vulnerabilities need to use the trigger source "security_findings". Allowed enum values: `security_findings,security_signals`                                                                                                        |
| attributes   | targets                          | [string] | List of recipients to notify when a notification rule is triggered. Many different target types are supported, such as email addresses, Slack channels, and PagerDuty services. The appropriate integrations need to be properly configured to send notifications to the specified targets.                                                                                                                                            |
| attributes   | time_aggregation                 | int64    | Time aggregation period (in seconds) is used to aggregate the results of the notification rule evaluation. Results are aggregated over a selected time frame using a rolling window, which updates with each new evaluation. Notifications are only sent for new issues discovered during the window. Time aggregation is only available for vulnerability-based notification rules. When omitted or set to 0, no aggregation is done. |
| attributes   | version                          | int64    | Version of the notification rule. It is updated when the rule is modified.                                                                                                                                                                                                                                                                                                                                                             |
| data         | id [*required*]             | string   | The ID of a notification rule.                                                                                                                                                                                                                                                                                                                                                                                                         |
| data         | type [*required*]           | enum     | The rule type associated to notification rules. Allowed enum values: `notification_rules`                                                                                                                                                                                                                                                                                                                                              |

{% /tab %}

{% tab title="Example" %}

```json
{
  "data": {
    "attributes": {
      "enabled": true,
      "name": "Rule 1",
      "selectors": {
        "query": "(source:production_service OR env:prod)",
        "rule_types": [
          "misconfiguration",
          "attack_path"
        ],
        "severities": [
          "critical"
        ],
        "trigger_source": "security_findings"
      },
      "targets": [
        "@john.doe@email.com"
      ],
      "time_aggregation": 86400,
      "version": 1
    },
    "id": "aaa-bbb-ccc",
    "type": "notification_rules"
  }
}
```

{% /tab %}
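The request model above, worked as an added example (not Datadog's own code): it builds a PATCH body that carries only the attributes that differ from the rule's current state, enforces the constraints stated in the Model table, and lists changes that would reduce who gets notified so they can be reviewed before the request is sent. The function names `build_patch_body` and `coverage_warnings`, the sample rule, and its second target are assumptions made for this example; the caller supplies the `version` to send.

```python
"""Build and review a PATCH body for a notification rule (added example, stdlib only)."""

ALLOWED_TRIGGER_SOURCES = {"security_findings", "security_signals"}
PATCHABLE = {"enabled", "name", "selectors", "targets", "time_aggregation"}

# Constructed sample, shaped like the `data` object in the page's JSON example.
CURRENT_RULE = {
    "id": "aaa-bbb-ccc",
    "type": "notification_rules",
    "attributes": {
        "enabled": True,
        "name": "Rule 1",
        "selectors": {
            "query": "(source:production_service OR env:prod)",
            "rule_types": ["misconfiguration", "attack_path"],
            "severities": ["critical"],
            "trigger_source": "security_findings",
        },
        "targets": ["@john.doe@email.com", "@soc@example.com"],
        "time_aggregation": 86400,
        "version": 1,
    },
}


def build_patch_body(current, changes, version):
    """Return a PATCH body with only the attributes that differ from `current`.

    current: the `data` object of an existing rule (id, type, attributes).
    changes: desired attribute values, keyed by field names from the Model table.
    version: rule version to send; the Model table says it is required on a patch.
    Returns None when nothing differs, so no request needs to be sent.
    """
    unknown = set(changes) - PATCHABLE
    if unknown:
        raise ValueError(f"not patchable: {sorted(unknown)}")
    if isinstance(version, bool) or not isinstance(version, int):
        raise ValueError("version must be an integer")

    attrs = current["attributes"]
    # Omitted fields are left untouched by the API, so send only real changes.
    patch = {k: v for k, v in changes.items() if attrs.get(k) != v}
    if not patch:
        return None

    # trigger_source is the one required field whenever selectors is sent.
    selectors = patch.get("selectors")
    if selectors is not None:
        if selectors.get("trigger_source") not in ALLOWED_TRIGGER_SOURCES:
            raise ValueError("selectors.trigger_source must be security_findings "
                             "or security_signals")

    # Time aggregation is documented as available only for vulnerability-based rules.
    source = (selectors or attrs.get("selectors", {})).get("trigger_source")
    if patch.get("time_aggregation") and source != "security_findings":
        raise ValueError("time_aggregation requires trigger_source security_findings")

    patch["version"] = version
    return {"data": {"id": current["id"], "type": "notification_rules",
                     "attributes": patch}}


def coverage_warnings(current, body):
    """List ways a patch would reduce notification coverage, for review before sending."""
    old = current["attributes"]
    new = body["data"]["attributes"]
    warnings = []
    if old.get("enabled") and new.get("enabled") is False:
        warnings.append("rule would be disabled")
    if "targets" in new:
        dropped = sorted(set(old.get("targets", [])) - set(new["targets"]))
        if dropped:
            warnings.append("targets removed: " + ", ".join(dropped))
    if "selectors" in new:
        warnings.append("selectors changed: re-check which issues still match")
    return warnings


if __name__ == "__main__":
    import json

    body = build_patch_body(
        CURRENT_RULE,
        {"enabled": False, "name": "Rule 1", "targets": ["@john.doe@email.com"]},
        version=CURRENT_RULE["attributes"]["version"],
    )
    print(json.dumps(body, indent=2))
    for warning in coverage_warnings(CURRENT_RULE, body):
        print("REVIEW:", warning)
```
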

### Response

{% tab title="200" %}
Notification rule successfully patched.
{% tab title="Model" %}
Response object which includes a notification rule.

| Parent field | Field                            | Type     | Description                                                                                                                                                                                                                                                                                                                                                                                                                            |
| ------------ | -------------------------------- | -------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|              | data                             | object   | Notification rules allow full control over notifications generated by the various Datadog security products. They allow users to define the conditions under which a notification should be generated (based on rule severities, rule types, rule tags, and so on), and the targets to notify. A notification rule is composed of a rule ID, a rule type, and the rule attributes. All fields are required.                            |
| data         | attributes [*required*]     | object   | Attributes of the notification rule.                                                                                                                                                                                                                                                                                                                                                                                                   |
| attributes   | created_at [*required*]     | int64    | Date as Unix timestamp in milliseconds.                                                                                                                                                                                                                                                                                                                                                                                                |
| attributes   | created_by [*required*]     | object   | User creating or modifying a rule.                                                                                                                                                                                                                                                                                                                                                                                                     |
| created_by   | handle                           | string   | The user handle.                                                                                                                                                                                                                                                                                                                                                                                                                       |
| created_by   | name                             | string   | The user name.                                                                                                                                                                                                                                                                                                                                                                                                                         |
| attributes   | enabled [*required*]        | boolean  | Field used to enable or disable the rule.                                                                                                                                                                                                                                                                                                                                                                                              |
| attributes   | modified_at [*required*]    | int64    | Date as Unix timestamp in milliseconds.                                                                                                                                                                                                                                                                                                                                                                                                |
| attributes   | modified_by [*required*]    | object   | User creating or modifying a rule.                                                                                                                                                                                                                                                                                                                                                                                                     |
| modified_by  | handle                           | string   | The user handle.                                                                                                                                                                                                                                                                                                                                                                                                                       |
| modified_by  | name                             | string   | The user name.                                                                                                                                                                                                                                                                                                                                                                                                                         |
| attributes   | name [*required*]           | string   | Name of the notification rule.                                                                                                                                                                                                                                                                                                                                                                                                         |
| attributes   | selectors [*required*]      | object   | Selectors are used to filter security issues for which notifications should be generated. Users can specify rule severities, rule types, a query to filter security issues on tags and attributes, and the trigger source. Only the trigger_source field is required.                                                                                                                                                                  |
| selectors    | query                            | string   | The query is composed of one or several key:value pairs, which can be used to filter security issues on tags and attributes.                                                                                                                                                                                                                                                                                                           |
| selectors    | rule_types                       | [string] | Security rule types used as filters in security rules.                                                                                                                                                                                                                                                                                                                                                                                 |
| selectors    | severities                       | [string] | The security rules severities to consider.                                                                                                                                                                                                                                                                                                                                                                                             |
| selectors    | trigger_source [*required*] | enum     | The type of security issues on which the rule applies. Notification rules based on security signals need to use the trigger source "security_signals", while notification rules based on security vulnerabilities need to use the trigger source "security_findings". Allowed enum values: `security_findings,security_signals`                                                                                                        |
| attributes   | targets [*required*]        | [string] | List of recipients to notify when a notification rule is triggered. Many different target types are supported, such as email addresses, Slack channels, and PagerDuty services. The appropriate integrations need to be properly configured to send notifications to the specified targets.                                                                                                                                            |
| attributes   | time_aggregation                 | int64    | Time aggregation period (in seconds) is used to aggregate the results of the notification rule evaluation. Results are aggregated over a selected time frame using a rolling window, which updates with each new evaluation. Notifications are only sent for new issues discovered during the window. Time aggregation is only available for vulnerability-based notification rules. When omitted or set to 0, no aggregation is done. |
| attributes   | version [*required*]        | int64    | Version of the notification rule. It is updated when the rule is modified.                                                                                                                                                                                                                                                                                                                                                             |
| data         | id [*required*]             | string   | The ID of a notification rule.                                                                                                                                                                                                                                                                                                                                                                                                         |
| data         | type [*required*]           | enum     | The rule type associated to notification rules. Allowed enum values: `notification_rules`                                                                                                                                                                                                                                                                                                                                              |

{% /tab %}

{% tab title="Example" %}

```json
{
  "data": {
    "attributes": {
      "created_at": 1722439510282,
      "created_by": {
        "handle": "john.doe@domain.com",
        "name": "John Doe"
      },
      "enabled": true,
      "modified_at": 1722439510282,
      "modified_by": {
        "handle": "john.doe@domain.com",
        "name": "John Doe"
      },
      "name": "Rule 1",
      "selectors": {
        "query": "(source:production_service OR env:prod)",
        "rule_types": [
          "misconfiguration",
          "attack_path"
        ],
        "severities": [
          "critical"
        ],
        "trigger_source": "security_findings"
      },
      "targets": [
        "@john.doe@email.com"
      ],
      "time_aggregation": 86400,
      "version": 1
    },
    "id": "aaa-bbb-ccc",
    "type": "notification_rules"
  }
}
```

{% /tab %}

{% /tab %}

{% tab title="400" %}
Bad Request
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="403" %}
Forbidden
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="404" %}
Not Found
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="422" %}
The server cannot process the request because it contains invalid data.
{% tab title="Model" %}
API error response.

| Parent field | Field                    | Type     | Description                                                                     |
| ------------ | ------------------------ | -------- | ------------------------------------------------------------------------------- |
|              | errors [*required*] | [object] | A list of errors.                                                               |
| errors       | detail                   | string   | A human-readable explanation specific to this occurrence of the error.          |
| errors       | meta                     | object   | Non-standard meta-information about the error                                   |
| errors       | source                   | object   | References to the source of the error.                                          |
| source       | header                   | string   | A string indicating the name of a single request header which caused the error. |
| source       | parameter                | string   | A string indicating which URI query parameter caused the error.                 |
| source       | pointer                  | string   | A JSON pointer to the value in the request document that caused the error.      |
| errors       | status                   | string   | Status code of the response.                                                    |
| errors       | title                    | string   | Short human-readable summary of the error.                                      |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    {
      "detail": "Missing required attribute in body",
      "meta": {},
      "source": {
        "header": "Authorization",
        "parameter": "limit",
        "pointer": "/data/attributes/title"
      },
      "status": "400",
      "title": "Bad Request"
    }
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="429" %}
Too many requests
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}
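The error models above come in two shapes: a list of strings (400, 403, 404, 429) and a list of objects with `detail` and `source` (422). The following added example (not part of the Datadog documentation or client libraries) normalizes both for logging and decides the next step from the HTTP status rather than from the body text, since the example bodies above reuse "Bad Request" across status codes. The function names and the action labels are assumptions made for this sketch.

```python
from typing import Any, Dict, List


def normalize_errors(http_status: int, body: Any) -> List[Dict[str, Any]]:
    """Flatten either documented error shape into uniform records."""
    def record(title=None, detail=None, source=None, body_status=None):
        source = source if isinstance(source, dict) else {}
        return {
            "http_status": http_status,   # status of the HTTP response itself
            "body_status": body_status,   # "status" field inside a 422-style object
            "title": title,
            "detail": detail,
            "pointer": source.get("pointer"),      # JSON pointer into the request body
            "parameter": source.get("parameter"),  # offending query parameter
            "header": source.get("header"),        # offending request header
        }

    errors = body.get("errors") if isinstance(body, dict) else None
    if not isinstance(errors, list) or not errors:
        # Proxy error pages and truncated bodies end up here.
        return [record(title="unparseable error body")]

    records = []
    for item in errors:
        if isinstance(item, str):       # 400 / 403 / 404 / 429 model
            records.append(record(title=item))
        elif isinstance(item, dict):    # 422 model
            records.append(record(item.get("title"), item.get("detail"),
                                  item.get("source"), item.get("status")))
        else:
            records.append(record(title=repr(item)))
    return records


def next_step(http_status: int) -> str:
    """Map the HTTP status (not the body text) to an operator action."""
    if http_status in (400, 422):
        return "fix_request"          # retrying the same payload will not help
    if http_status == 403:
        return "check_permissions"    # keys or role lack the required permission
    if http_status == 404:
        return "check_rule_id"        # the notification rule ID does not exist
    if http_status == 429:
        return "retry_later"
    return "investigate"


def describe(entry: Dict[str, Any]) -> str:
    """One log line per error, pointing at the offending field when known."""
    where = entry["pointer"] or entry["parameter"] or entry["header"]
    text = entry["detail"] or entry["title"] or "no message"
    line = f"HTTP {entry['http_status']}: {text}"
    return f"{line} (at {where})" if where else line


if __name__ == "__main__":
    # Body copied from the 422 example above.
    body_422 = {"errors": [{"detail": "Missing required attribute in body", "meta": {},
                            "source": {"header": "Authorization", "parameter": "limit",
                                       "pointer": "/data/attributes/title"},
                            "status": "400", "title": "Bad Request"}]}
    for entry in normalize_errors(422, body_422):
        print(describe(entry), "->", next_step(422))
```
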

### Code Example

```bash
# Path parameters
export id="CHANGE_ME"
# Curl command
# Replace api.datadoghq.com with the API host for your Datadog site.
curl -X PATCH "https://api.datadoghq.com/api/v2/security/signals/notification_rules/${id}" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "data": {
    "attributes": {
      "enabled": true,
      "name": "Rule 1",
      "selectors": {
        "query": "(source:production_service OR env:prod)",
        "rule_types": [
          "misconfiguration",
          "attack_path"
        ],
        "severities": [
          "critical"
        ],
        "trigger_source": "security_findings"
      },
      "targets": [
        "@john.doe@email.com"
      ],
      "time_aggregation": 86400,
      "version": 1
    },
    "id": "aaa-bbb-ccc",
    "type": "notification_rules"
  }
}
EOF
```

```go
// Patch a signal-based notification rule returns "Notification rule successfully patched." response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	// there is a valid "valid_signal_notification_rule" in the system
	ValidSignalNotificationRuleDataID := os.Getenv("VALID_SIGNAL_NOTIFICATION_RULE_DATA_ID")

	body := datadogV2.PatchNotificationRuleParameters{
		Data: &datadogV2.PatchNotificationRuleParametersData{
			Attributes: datadogV2.PatchNotificationRuleParametersDataAttributes{
				Enabled: datadog.PtrBool(true),
				Name:    datadog.PtrString("Rule 1"),
				Selectors: &datadogV2.Selectors{
					Query: datadog.PtrString("(source:production_service OR env:prod)"),
					RuleTypes: []datadogV2.RuleTypesItems{
						datadogV2.RULETYPESITEMS_MISCONFIGURATION,
						datadogV2.RULETYPESITEMS_ATTACK_PATH,
					},
					Severities: []datadogV2.RuleSeverity{
						datadogV2.RULESEVERITY_CRITICAL,
					},
					TriggerSource: datadogV2.TRIGGERSOURCE_SECURITY_FINDINGS,
				},
				Targets: []string{
					"@john.doe@email.com",
				},
				TimeAggregation: datadog.PtrInt64(86400),
				Version:         datadog.PtrInt64(1),
			},
			Id:   ValidSignalNotificationRuleDataID,
			Type: datadogV2.NOTIFICATIONRULESTYPE_NOTIFICATION_RULES,
		},
	}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.PatchSignalNotificationRule(ctx, ValidSignalNotificationRuleDataID, body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.PatchSignalNotificationRule`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.PatchSignalNotificationRule`:\n%s\n", responseContent)
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=go), then save the example to `main.go` and run the following command, setting `DD_SITE` to your Datadog site:

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"

```java
// Patch a signal-based notification rule returns "Notification rule successfully patched." response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.NotificationRuleResponse;
import com.datadog.api.client.v2.model.NotificationRulesType;
import com.datadog.api.client.v2.model.PatchNotificationRuleParameters;
import com.datadog.api.client.v2.model.PatchNotificationRuleParametersData;
import com.datadog.api.client.v2.model.PatchNotificationRuleParametersDataAttributes;
import com.datadog.api.client.v2.model.RuleSeverity;
import com.datadog.api.client.v2.model.RuleTypesItems;
import com.datadog.api.client.v2.model.Selectors;
import com.datadog.api.client.v2.model.TriggerSource;
import java.util.Arrays;
import java.util.Collections;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    // there is a valid "valid_signal_notification_rule" in the system
    String VALID_SIGNAL_NOTIFICATION_RULE_DATA_ID =
        System.getenv("VALID_SIGNAL_NOTIFICATION_RULE_DATA_ID");

    PatchNotificationRuleParameters body =
        new PatchNotificationRuleParameters()
            .data(
                new PatchNotificationRuleParametersData()
                    .attributes(
                        new PatchNotificationRuleParametersDataAttributes()
                            .enabled(true)
                            .name("Rule 1")
                            .selectors(
                                new Selectors()
                                    .query("(source:production_service OR env:prod)")
                                    .ruleTypes(
                                        Arrays.asList(
                                            RuleTypesItems.MISCONFIGURATION,
                                            RuleTypesItems.ATTACK_PATH))
                                    .severities(Collections.singletonList(RuleSeverity.CRITICAL))
                                    .triggerSource(TriggerSource.SECURITY_FINDINGS))
                            .targets(Collections.singletonList("@john.doe@email.com"))
                            .timeAggregation(86400L)
                            .version(1L))
                    .id(VALID_SIGNAL_NOTIFICATION_RULE_DATA_ID)
                    .type(NotificationRulesType.NOTIFICATION_RULES));

    try {
      NotificationRuleResponse result =
          apiInstance.patchSignalNotificationRule(VALID_SIGNAL_NOTIFICATION_RULE_DATA_ID, body);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#patchSignalNotificationRule");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=java), then save the example to `Example.java` and run the following command, setting `DD_SITE` to your Datadog site:

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"

```python
"""
Patch a signal-based notification rule returns "Notification rule successfully patched." response
"""

from os import environ
from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.notification_rules_type import NotificationRulesType
from datadog_api_client.v2.model.patch_notification_rule_parameters import PatchNotificationRuleParameters
from datadog_api_client.v2.model.patch_notification_rule_parameters_data import PatchNotificationRuleParametersData
from datadog_api_client.v2.model.patch_notification_rule_parameters_data_attributes import (
    PatchNotificationRuleParametersDataAttributes,
)
from datadog_api_client.v2.model.rule_severity import RuleSeverity
from datadog_api_client.v2.model.rule_types_items import RuleTypesItems
from datadog_api_client.v2.model.selectors import Selectors
from datadog_api_client.v2.model.trigger_source import TriggerSource

# there is a valid "valid_signal_notification_rule" in the system
VALID_SIGNAL_NOTIFICATION_RULE_DATA_ID = environ["VALID_SIGNAL_NOTIFICATION_RULE_DATA_ID"]

body = PatchNotificationRuleParameters(
    data=PatchNotificationRuleParametersData(
        attributes=PatchNotificationRuleParametersDataAttributes(
            enabled=True,
            name="Rule 1",
            selectors=Selectors(
                query="(source:production_service OR env:prod)",
                rule_types=[
                    RuleTypesItems.MISCONFIGURATION,
                    RuleTypesItems.ATTACK_PATH,
                ],
                severities=[
                    RuleSeverity.CRITICAL,
                ],
                trigger_source=TriggerSource.SECURITY_FINDINGS,
            ),
            targets=[
                "@john.doe@email.com",
            ],
            time_aggregation=86400,
            version=1,
        ),
        id=VALID_SIGNAL_NOTIFICATION_RULE_DATA_ID,
        type=NotificationRulesType.NOTIFICATION_RULES,
    ),
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.patch_signal_notification_rule(id=VALID_SIGNAL_NOTIFICATION_RULE_DATA_ID, body=body)

    print(response)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=python), then save the example to `example.py` and run the following command, setting `DD_SITE` to your Datadog site:

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"

```ruby
# Patch a signal-based notification rule returns "Notification rule successfully patched." response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

# there is a valid "valid_signal_notification_rule" in the system
VALID_SIGNAL_NOTIFICATION_RULE_DATA_ID = ENV["VALID_SIGNAL_NOTIFICATION_RULE_DATA_ID"]

body = DatadogAPIClient::V2::PatchNotificationRuleParameters.new({
  data: DatadogAPIClient::V2::PatchNotificationRuleParametersData.new({
    attributes: DatadogAPIClient::V2::PatchNotificationRuleParametersDataAttributes.new({
      enabled: true,
      name: "Rule 1",
      selectors: DatadogAPIClient::V2::Selectors.new({
        query: "(source:production_service OR env:prod)",
        rule_types: [
          DatadogAPIClient::V2::RuleTypesItems::MISCONFIGURATION,
          DatadogAPIClient::V2::RuleTypesItems::ATTACK_PATH,
        ],
        severities: [
          DatadogAPIClient::V2::RuleSeverity::CRITICAL,
        ],
        trigger_source: DatadogAPIClient::V2::TriggerSource::SECURITY_FINDINGS,
      }),
      targets: [
        "@john.doe@email.com",
      ],
      time_aggregation: 86400,
      version: 1,
    }),
    id: VALID_SIGNAL_NOTIFICATION_RULE_DATA_ID,
    type: DatadogAPIClient::V2::NotificationRulesType::NOTIFICATION_RULES,
  }),
})
p api_instance.patch_signal_notification_rule(VALID_SIGNAL_NOTIFICATION_RULE_DATA_ID, body)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=ruby), then save the example to `example.rb` and run the following command, setting `DD_SITE` to your Datadog site:

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" ruby "example.rb"

```rust
// Patch a signal-based notification rule returns "Notification rule successfully
// patched." response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::NotificationRulesType;
use datadog_api_client::datadogV2::model::PatchNotificationRuleParameters;
use datadog_api_client::datadogV2::model::PatchNotificationRuleParametersData;
use datadog_api_client::datadogV2::model::PatchNotificationRuleParametersDataAttributes;
use datadog_api_client::datadogV2::model::RuleSeverity;
use datadog_api_client::datadogV2::model::RuleTypesItems;
use datadog_api_client::datadogV2::model::Selectors;
use datadog_api_client::datadogV2::model::TriggerSource;

#[tokio::main]
async fn main() {
    // there is a valid "valid_signal_notification_rule" in the system
    let valid_signal_notification_rule_data_id =
        std::env::var("VALID_SIGNAL_NOTIFICATION_RULE_DATA_ID").unwrap();
    let body =
        PatchNotificationRuleParameters::new().data(PatchNotificationRuleParametersData::new(
            PatchNotificationRuleParametersDataAttributes::new()
                .enabled(true)
                .name("Rule 1".to_string())
                .selectors(
                    Selectors::new(TriggerSource::SECURITY_FINDINGS)
                        .query("(source:production_service OR env:prod)".to_string())
                        .rule_types(vec![
                            RuleTypesItems::MISCONFIGURATION,
                            RuleTypesItems::ATTACK_PATH,
                        ])
                        .severities(vec![RuleSeverity::CRITICAL]),
                )
                .targets(vec!["@john.doe@email.com".to_string()])
                .time_aggregation(86400)
                .version(1),
            valid_signal_notification_rule_data_id.clone(),
            NotificationRulesType::NOTIFICATION_RULES,
        ));
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api
        .patch_signal_notification_rule(valid_signal_notification_rule_data_id.clone(), body)
        .await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=rust), then save the example to `src/main.rs` and run the following command, setting `DD_SITE` to your Datadog site:

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run

```typescript
/**
 * Patch a signal-based notification rule returns "Notification rule successfully patched." response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

// there is a valid "valid_signal_notification_rule" in the system
const VALID_SIGNAL_NOTIFICATION_RULE_DATA_ID = process.env
  .VALID_SIGNAL_NOTIFICATION_RULE_DATA_ID as string;

const params: v2.SecurityMonitoringApiPatchSignalNotificationRuleRequest = {
  body: {
    data: {
      attributes: {
        enabled: true,
        name: "Rule 1",
        selectors: {
          query: "(source:production_service OR env:prod)",
          ruleTypes: ["misconfiguration", "attack_path"],
          severities: ["critical"],
          triggerSource: "security_findings",
        },
        targets: ["@john.doe@email.com"],
        timeAggregation: 86400,
        version: 1,
      },
      id: VALID_SIGNAL_NOTIFICATION_RULE_DATA_ID,
      type: "notification_rules",
    },
  },
  id: VALID_SIGNAL_NOTIFICATION_RULE_DATA_ID,
};

apiInstance
  .patchSignalNotificationRule(params)
  .then((data: v2.NotificationRuleResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=typescript), then save the example to `example.ts` and run the following command, setting `DD_SITE` to your Datadog site:

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"
{% /tab %}

## List security findings{% #list-security-findings %}

{% tab title="v2" %}

| Datadog site      | API endpoint                                               |
| ----------------- | ---------------------------------------------------------- |
| ap1.datadoghq.com | GET https://api.ap1.datadoghq.com/api/v2/security/findings |
| ap2.datadoghq.com | GET https://api.ap2.datadoghq.com/api/v2/security/findings |
| app.datadoghq.eu  | GET https://api.datadoghq.eu/api/v2/security/findings      |
| app.ddog-gov.com  | GET https://api.ddog-gov.com/api/v2/security/findings      |
| app.datadoghq.com | GET https://api.datadoghq.com/api/v2/security/findings     |
| us3.datadoghq.com | GET https://api.us3.datadoghq.com/api/v2/security/findings |
| us5.datadoghq.com | GET https://api.us5.datadoghq.com/api/v2/security/findings |

### Overview



Get a list of security findings that match a search query. [See the schema for security findings](https://docs.datadoghq.com/security/guide/findings-schema/).

### Query Syntax{% #query-syntax %}

This endpoint uses the logs query syntax. Finding attributes (living in the `attributes.attributes.` namespace) are prefixed by `@` when queried. Tags are queried without a prefix.

Example: `@severity:(critical OR high) @status:open team:platform`

This endpoint requires any of the following permissions: `security_monitoring_findings_read`, `appsec_vm_read`.

OAuth apps require the `security_monitoring_findings_read` authorization [scope](https://docs.datadoghq.com/api/latest/scopes/#security-monitoring) to access this endpoint.



### Arguments

#### Query Strings

| Name          | Type    | Description                                                                                         |
| ------------- | ------- | --------------------------------------------------------------------------------------------------- |
| filter[query] | string  | The search query following log search syntax.                                                       |
| page[cursor]  | string  | Get the next page of results with a cursor provided in the previous query.                          |
| page[limit]   | integer | The maximum number of findings in the response.                                                     |
| sort          | enum    | Sorts by @detection_changed_at. Allowed enum values: `@detection_changed_at, -@detection_changed_at` |
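
The following added example (not from the Datadog documentation or client libraries) shows how the query strings above combine with the `meta.page.after` cursor and `meta.status` fields of the 200 response model to export every matching finding without silently accepting a partial result. The function names, the injected `fetch_page` callable, and the sample pages are constructed for illustration. Treating `timeout` as "results may be incomplete" is an assumption.

```python
from typing import Any, Callable, Dict, Iterator, Optional

ALLOWED_SORTS = ("@detection_changed_at", "-@detection_changed_at")
FetchPage = Callable[[Dict[str, str]], Dict[str, Any]]


class IncompleteResults(RuntimeError):
    """Raised when a page reports meta.status == "timeout"."""


def build_params(query: str, limit: int = 25, cursor: Optional[str] = None,
                 sort: str = "-@detection_changed_at") -> Dict[str, str]:
    """Query-string parameters for GET /api/v2/security/findings."""
    if sort not in ALLOWED_SORTS:
        raise ValueError(f"sort must be one of {ALLOWED_SORTS}")
    params = {"filter[query]": query, "page[limit]": str(limit), "sort": sort}
    if cursor:
        params["page[cursor]"] = cursor
    return params


def iter_findings(fetch_page: FetchPage, query: str, limit: int = 25,
                  max_pages: int = 1000) -> Iterator[Dict[str, Any]]:
    """Yield findings page by page, following meta.page.after.

    fetch_page receives the query-string dict and returns the decoded JSON
    body. A real implementation would send the GET request with the
    DD-API-KEY and DD-APPLICATION-KEY headers used in the curl example on
    this page.
    """
    cursor: Optional[str] = None
    seen_cursors = set()
    for _ in range(max_pages):
        page = fetch_page(build_params(query, limit, cursor))
        yield from page.get("data") or []
        meta = page.get("meta") or {}
        if meta.get("status") == "timeout":
            # Assumption: a timed-out search may have missed findings, so an
            # export built on it must not be reported as complete.
            raise IncompleteResults(
                f"request {meta.get('request_id')} timed out; results are partial")
        cursor = (meta.get("page") or {}).get("after")
        if not cursor:
            return  # no cursor: this was the last page
        if cursor in seen_cursors:
            raise RuntimeError("cursor repeated; stopping to avoid an endless loop")
        seen_cursors.add(cursor)
    raise RuntimeError(f"stopped after {max_pages} pages; narrow the query")


def flatten(finding: Dict[str, Any]) -> Dict[str, Any]:
    """Pull the queried attributes out of the attributes.attributes namespace."""
    attrs = finding.get("attributes") or {}
    custom = attrs.get("attributes") or {}
    return {
        "id": finding.get("id"),
        "severity": custom.get("severity"),
        "status": custom.get("status"),
        "tags": attrs.get("tags") or [],
        "timestamp": attrs.get("timestamp"),
    }


# --- Constructed sample data (not real API output) ---
def sample_finding(finding_id: str, severity: str) -> Dict[str, Any]:
    return {"id": finding_id, "type": "finding",
            "attributes": {"attributes": {"severity": severity, "status": "open"},
                           "tags": ["team:platform", "env:prod"],
                           "timestamp": 1765901760}}


SAMPLE_PAGES = {
    None: {"data": [sample_finding("finding-a", "critical"),
                    sample_finding("finding-b", "high")],
           "meta": {"page": {"after": "constructed-cursor-2"}, "status": "done"}},
    "constructed-cursor-2": {"data": [sample_finding("finding-c", "high")],
                             "meta": {"status": "done"}},
}


def fake_fetch(params: Dict[str, str]) -> Dict[str, Any]:
    """Offline stand-in for the HTTP call, keyed by the page[cursor] value."""
    return SAMPLE_PAGES[params.get("page[cursor]")]


def demo():
    query = "@severity:(critical OR high) @status:open team:platform"
    return [flatten(f) for f in iter_findings(fake_fetch, query, limit=2)]


if __name__ == "__main__":
    for row in demo():
        print(row)
```
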

### Response

{% tab title="200" %}
OK
{% tab title="Model" %}
The expected response schema when listing security findings.

| Parent field | Field      | Type     | Description                                                                                               |
| ------------ | ---------- | -------- | --------------------------------------------------------------------------------------------------------- |
|              | data       | [object] | Array of security findings matching the search query.                                                     |
| data         | attributes | object   | The JSON object containing all attributes of the security finding.                                        |
| attributes   | attributes | object   | The custom attributes of the security finding.                                                            |
| attributes   | tags       | [string] | List of tags associated with the security finding.                                                        |
| attributes   | timestamp  | int64    | The Unix timestamp at which the detection changed for the resource. Same value as @detection_changed_at.  |
| data         | id         | string   | The unique ID of the security finding.                                                                    |
| data         | type       | enum     | The type of the security finding resource. Allowed enum values: `finding`                                 |
|              | links      | object   | Links for pagination.                                                                                     |
| links        | next       | string   | Link for the next page of results. Note that paginated requests can also be made using the POST endpoint. |
|              | meta       | object   | Metadata about the response.                                                                              |
| meta         | elapsed    | int64    | The time elapsed in milliseconds.                                                                         |
| meta         | page       | object   | Pagination information.                                                                                   |
| page         | after      | string   | The cursor used to get the next page of results.                                                          |
| meta         | request_id | string   | The identifier of the request.                                                                            |
| meta         | status     | enum     | The status of the response. Allowed enum values: `done,timeout`                                           |

{% /tab %}

{% tab title="Example" %}

```json
{
  "data": [
    {
      "attributes": {
        "attributes": {
          "severity": "high",
          "status": "open"
        },
        "tags": [
          "team:platform",
          "env:prod"
        ],
        "timestamp": 1765901760
      },
      "id": "ZGVmLTAwcC1pZXJ-aS0wZjhjNjMyZDNmMzRlZTgzNw==",
      "type": "finding"
    }
  ],
  "links": {
    "next": "https://app.datadoghq.com/api/v2/security/findings?page[cursor]=eyJhZnRlciI6IkF3QUFBWnPcm1pd0FBQUJbVlBQUKBa1pqRTVdZUzSTBNemN0YWiIsLTE3Mjk0MzYwMjFdfQ==\u0026page[limit]=25"
  },
  "meta": {
    "elapsed": 548,
    "page": {
      "after": "eyJhZnRlciI6IkFRQUFBWWJiaEJXQS1OY1dqUUFBQUFCQldXSmlhRUpYUVVGQlJFSktkbTlDTUdaWFRVbDNRVUUiLCJ2YWx1ZXMiOlsiY3JpdGljYWwiXX0="
    },
    "request_id": "pddv1ChZwVlMxMUdYRFRMQ1lyb3B4MGNYbFlnIi0KHQu35LDbucx",
    "status": "done"
  }
}
```

{% /tab %}

{% /tab %}

{% tab title="400" %}
Bad Request
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="403" %}
Forbidden
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="429" %}
Too many requests
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

### Code Example

```bash
# Curl command
# Replace api.datadoghq.com with the API host for your Datadog site.
curl -X GET "https://api.datadoghq.com/api/v2/security/findings" \
-H "Accept: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"
```

```python
"""
List security findings returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.list_security_findings()

    print(response)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=python) and then save the example to `example.py` and run the following command, with `DD_SITE` set to your Datadog site:

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"

```ruby
# List security findings returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new
p api_instance.list_security_findings()
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=ruby) and then save the example to `example.rb` and run the following command, with `DD_SITE` set to your Datadog site:

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" ruby "example.rb"

```go
// List security findings returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.ListSecurityFindings(ctx, *datadogV2.NewListSecurityFindingsOptionalParameters())

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.ListSecurityFindings`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.ListSecurityFindings`:\n%s\n", responseContent)
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=go) and then save the example to `main.go` and run the following command, with `DD_SITE` set to your Datadog site:

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"

```java
// List security findings returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.ListSecurityFindingsResponse;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    try {
      ListSecurityFindingsResponse result = apiInstance.listSecurityFindings();
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println("Exception when calling SecurityMonitoringApi#listSecurityFindings");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=java) and then save the example to `Example.java` and run the following command, with `DD_SITE` set to your Datadog site:

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"

```rust
// List security findings returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::ListSecurityFindingsOptionalParams;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;

#[tokio::main]
async fn main() {
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api
        .list_security_findings(ListSecurityFindingsOptionalParams::default())
        .await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=rust) and then save the example to `src/main.rs` and run the following command, with `DD_SITE` set to your Datadog site:

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run

```typescript
/**
 * List security findings returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

apiInstance
  .listSecurityFindings()
  .then((data: v2.ListSecurityFindingsResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=typescript) and then save the example to `example.ts` and run the following command, with `DD_SITE` set to your Datadog site:

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"
{% /tab %}

## Search security findings{% #search-security-findings %}

{% tab title="v2" %}

| Datadog site      | API endpoint                                                       |
| ----------------- | ------------------------------------------------------------------ |
| ap1.datadoghq.com | POST https://api.ap1.datadoghq.com/api/v2/security/findings/search |
| ap2.datadoghq.com | POST https://api.ap2.datadoghq.com/api/v2/security/findings/search |
| app.datadoghq.eu  | POST https://api.datadoghq.eu/api/v2/security/findings/search      |
| app.ddog-gov.com  | POST https://api.ddog-gov.com/api/v2/security/findings/search      |
| app.datadoghq.com | POST https://api.datadoghq.com/api/v2/security/findings/search     |
| us3.datadoghq.com | POST https://api.us3.datadoghq.com/api/v2/security/findings/search |
| us5.datadoghq.com | POST https://api.us5.datadoghq.com/api/v2/security/findings/search |

### Overview



Get a list of security findings that match a search query. [See the schema for security findings](https://docs.datadoghq.com/security/guide/findings-schema/).

### Query Syntax{% #query-syntax %}

The API uses the logs query syntax. Finding attributes (those in the `attributes.attributes.` namespace) are prefixed with `@` when queried. Tags are queried without a prefix.

Example: `@severity:(critical OR high) @status:open team:platform`

This endpoint requires any of the following permissions: `security_monitoring_findings_read`, `appsec_vm_read`.

OAuth apps require the `security_monitoring_findings_read` authorization [scope](https://docs.datadoghq.com/api/latest/scopes/#security-monitoring) to access this endpoint.



### Request

#### Body Data (required)



{% tab title="Model" %}

| Parent field | Field      | Type   | Description                                                                                                              |
| ------------ | ---------- | ------ | ------------------------------------------------------------------------------------------------------------------------ |
|              | data       | object | Request data for searching security findings.                                                                            |
| data         | attributes | object | Request attributes for searching security findings.                                                                      |
| attributes   | filter     | string | The search query following log search syntax.                                                                            |
| attributes   | page       | object | Pagination attributes for the search request.                                                                            |
| page         | cursor     | string | Get the next page of results with a cursor provided in the previous query.                                               |
| page         | limit      | int64  | The maximum number of security findings in the response.                                                                 |
| attributes   | sort       | enum   | The sort parameters when querying security findings. Allowed enum values: `@detection_changed_at,-@detection_changed_at` |

{% /tab %}

{% tab title="Example" %}

```json
{
  "data": {
    "attributes": {
      "filter": "@severity:(critical OR high)"
    }
  }
}
```


```json
{
  "data": {
    "attributes": {
      "filter": "@severity:(critical OR high)",
      "page": {
        "limit": 1
      }
    }
  }
}
```

{% /tab %}

### Response

{% tab title="200" %}
OK
{% tab title="Model" %}
The expected response schema when listing security findings.

| Parent field | Field      | Type     | Description                                                                                               |
| ------------ | ---------- | -------- | --------------------------------------------------------------------------------------------------------- |
|              | data       | [object] | Array of security findings matching the search query.                                                     |
| data         | attributes | object   | The JSON object containing all attributes of the security finding.                                        |
| attributes   | attributes | object   | The custom attributes of the security finding.                                                            |
| attributes   | tags       | [string] | List of tags associated with the security finding.                                                        |
| attributes   | timestamp  | int64    | The Unix timestamp at which the detection changed for the resource. Same value as @detection_changed_at.  |
| data         | id         | string   | The unique ID of the security finding.                                                                    |
| data         | type       | enum     | The type of the security finding resource. Allowed enum values: `finding`                                 |
|              | links      | object   | Links for pagination.                                                                                     |
| links        | next       | string   | Link for the next page of results. Note that paginated requests can also be made using the POST endpoint. |
|              | meta       | object   | Metadata about the response.                                                                              |
| meta         | elapsed    | int64    | The time elapsed in milliseconds.                                                                         |
| meta         | page       | object   | Pagination information.                                                                                   |
| page         | after      | string   | The cursor used to get the next page of results.                                                          |
| meta         | request_id | string   | The identifier of the request.                                                                            |
| meta         | status     | enum     | The status of the response. Allowed enum values: `done,timeout`                                           |

{% /tab %}

{% tab title="Example" %}

```json
{
  "data": [
    {
      "attributes": {
        "attributes": {
          "severity": "high",
          "status": "open"
        },
        "tags": [
          "team:platform",
          "env:prod"
        ],
        "timestamp": 1765901760
      },
      "id": "ZGVmLTAwcC1pZXJ-aS0wZjhjNjMyZDNmMzRlZTgzNw==",
      "type": "finding"
    }
  ],
  "links": {
    "next": "https://app.datadoghq.com/api/v2/security/findings?page[cursor]=eyJhZnRlciI6IkF3QUFBWnPcm1pd0FBQUJbVlBQUKBa1pqRTVdZUzSTBNemN0YWiIsLTE3Mjk0MzYwMjFdfQ==\u0026page[limit]=25"
  },
  "meta": {
    "elapsed": 548,
    "page": {
      "after": "eyJhZnRlciI6IkFRQUFBWWJiaEJXQS1OY1dqUUFBQUFCQldXSmlhRUpYUVVGQlJFSktkbTlDTUdaWFRVbDNRVUUiLCJ2YWx1ZXMiOlsiY3JpdGljYWwiXX0="
    },
    "request_id": "pddv1ChZwVlMxMUdYRFRMQ1lyb3B4MGNYbFlnIi0KHQu35LDbucx",
    "status": "done"
  }
}
```

{% /tab %}

{% /tab %}

{% tab title="400" %}
Bad Request
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="403" %}
Forbidden
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="429" %}
Too many requests
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

### Code Example

```bash
# Curl command
# Replace api.datadoghq.com with the API host for your Datadog site.
curl -X POST "https://api.datadoghq.com/api/v2/security/findings/search" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "data": {
    "attributes": {
      "filter": "@severity:(critical OR high)"
    }
  }
}
EOF
```

```bash
# Curl command
# Replace api.datadoghq.com with the API host for your Datadog site.
curl -X POST "https://api.datadoghq.com/api/v2/security/findings/search" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "data": {
    "attributes": {
      "filter": "@severity:(critical OR high)",
      "page": {
        "limit": 1
      }
    }
  }
}
EOF
```

```go
// Search security findings returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	body := datadogV2.SecurityFindingsSearchRequest{
		Data: &datadogV2.SecurityFindingsSearchRequestData{
			Attributes: &datadogV2.SecurityFindingsSearchRequestDataAttributes{
				Filter: datadog.PtrString("@severity:(critical OR high)"),
			},
		},
	}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.SearchSecurityFindings(ctx, body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.SearchSecurityFindings`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.SearchSecurityFindings`:\n%s\n", responseContent)
}
```


```go
// Search security findings returns "OK" response with pagination

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	body := datadogV2.SecurityFindingsSearchRequest{
		Data: &datadogV2.SecurityFindingsSearchRequestData{
			Attributes: &datadogV2.SecurityFindingsSearchRequestDataAttributes{
				Filter: datadog.PtrString("@severity:(critical OR high)"),
				Page: &datadogV2.SecurityFindingsSearchRequestPage{
					Limit: datadog.PtrInt64(1),
				},
			},
		},
	}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.SearchSecurityFindings(ctx, body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.SearchSecurityFindings`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.SearchSecurityFindings`:\n%s\n", responseContent)
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=go) and then save the example to `main.go` and run the following command, with `DD_SITE` set to your Datadog site:

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"

```java
// Search security findings returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.ListSecurityFindingsResponse;
import com.datadog.api.client.v2.model.SecurityFindingsSearchRequest;
import com.datadog.api.client.v2.model.SecurityFindingsSearchRequestData;
import com.datadog.api.client.v2.model.SecurityFindingsSearchRequestDataAttributes;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    SecurityFindingsSearchRequest body =
        new SecurityFindingsSearchRequest()
            .data(
                new SecurityFindingsSearchRequestData()
                    .attributes(
                        new SecurityFindingsSearchRequestDataAttributes()
                            .filter("@severity:(critical OR high)")));

    try {
      ListSecurityFindingsResponse result = apiInstance.searchSecurityFindings(body);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println("Exception when calling SecurityMonitoringApi#searchSecurityFindings");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}
```


```java
// Search security findings returns "OK" response with pagination

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.ListSecurityFindingsResponse;
import com.datadog.api.client.v2.model.SecurityFindingsSearchRequest;
import com.datadog.api.client.v2.model.SecurityFindingsSearchRequestData;
import com.datadog.api.client.v2.model.SecurityFindingsSearchRequestDataAttributes;
import com.datadog.api.client.v2.model.SecurityFindingsSearchRequestPage;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    SecurityFindingsSearchRequest body =
        new SecurityFindingsSearchRequest()
            .data(
                new SecurityFindingsSearchRequestData()
                    .attributes(
                        new SecurityFindingsSearchRequestDataAttributes()
                            .filter("@severity:(critical OR high)")
                            .page(new SecurityFindingsSearchRequestPage().limit(1L))));

    try {
      ListSecurityFindingsResponse result = apiInstance.searchSecurityFindings(body);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println("Exception when calling SecurityMonitoringApi#searchSecurityFindings");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=java) and then save the example to `Example.java` and run the following command, with `DD_SITE` set to your Datadog site:

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"

```python
"""
Search security findings returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.security_findings_search_request import SecurityFindingsSearchRequest
from datadog_api_client.v2.model.security_findings_search_request_data import SecurityFindingsSearchRequestData
from datadog_api_client.v2.model.security_findings_search_request_data_attributes import (
    SecurityFindingsSearchRequestDataAttributes,
)

body = SecurityFindingsSearchRequest(
    data=SecurityFindingsSearchRequestData(
        attributes=SecurityFindingsSearchRequestDataAttributes(
            filter="@severity:(critical OR high)",
        ),
    ),
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.search_security_findings(body=body)

    print(response)
```


```python
"""
Search security findings returns "OK" response with pagination
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.security_findings_search_request import SecurityFindingsSearchRequest
from datadog_api_client.v2.model.security_findings_search_request_data import SecurityFindingsSearchRequestData
from datadog_api_client.v2.model.security_findings_search_request_data_attributes import (
    SecurityFindingsSearchRequestDataAttributes,
)
from datadog_api_client.v2.model.security_findings_search_request_page import SecurityFindingsSearchRequestPage

body = SecurityFindingsSearchRequest(
    data=SecurityFindingsSearchRequestData(
        attributes=SecurityFindingsSearchRequestDataAttributes(
            filter="@severity:(critical OR high)",
            page=SecurityFindingsSearchRequestPage(
                limit=1,
            ),
        ),
    ),
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.search_security_findings(body=body)

    print(response)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=python) and then save the example to `example.py` and run the following command, with `DD_SITE` set to your Datadog site:

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"

```ruby
# Search security findings returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

body = DatadogAPIClient::V2::SecurityFindingsSearchRequest.new({
  data: DatadogAPIClient::V2::SecurityFindingsSearchRequestData.new({
    attributes: DatadogAPIClient::V2::SecurityFindingsSearchRequestDataAttributes.new({
      filter: "@severity:(critical OR high)",
    }),
  }),
})
p api_instance.search_security_findings(body)
```


```ruby
# Search security findings returns "OK" response with pagination

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

body = DatadogAPIClient::V2::SecurityFindingsSearchRequest.new({
  data: DatadogAPIClient::V2::SecurityFindingsSearchRequestData.new({
    attributes: DatadogAPIClient::V2::SecurityFindingsSearchRequestDataAttributes.new({
      filter: "@severity:(critical OR high)",
      page: DatadogAPIClient::V2::SecurityFindingsSearchRequestPage.new({
        limit: 1,
      }),
    }),
  }),
})
p api_instance.search_security_findings(body)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=ruby) and then save the example to `example.rb` and run the following command, with `DD_SITE` set to your Datadog site:

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" ruby "example.rb"

```rust
// Search security findings returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::SecurityFindingsSearchRequest;
use datadog_api_client::datadogV2::model::SecurityFindingsSearchRequestData;
use datadog_api_client::datadogV2::model::SecurityFindingsSearchRequestDataAttributes;

#[tokio::main]
async fn main() {
    let body = SecurityFindingsSearchRequest::new().data(
        SecurityFindingsSearchRequestData::new().attributes(
            SecurityFindingsSearchRequestDataAttributes::new()
                .filter("@severity:(critical OR high)".to_string()),
        ),
    );
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api.search_security_findings(body).await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}
```


```rust
// Search security findings returns "OK" response with pagination
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::SecurityFindingsSearchRequest;
use datadog_api_client::datadogV2::model::SecurityFindingsSearchRequestData;
use datadog_api_client::datadogV2::model::SecurityFindingsSearchRequestDataAttributes;
use datadog_api_client::datadogV2::model::SecurityFindingsSearchRequestPage;

#[tokio::main]
async fn main() {
    let body = SecurityFindingsSearchRequest::new().data(
        SecurityFindingsSearchRequestData::new().attributes(
            SecurityFindingsSearchRequestDataAttributes::new()
                .filter("@severity:(critical OR high)".to_string())
                .page(SecurityFindingsSearchRequestPage::new().limit(1)),
        ),
    );
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api.search_security_findings(body).await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=rust) and then save the example to `src/main.rs` and run the following command, with `DD_SITE` set to your Datadog site:

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run

```typescript
/**
 * Search security findings returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiSearchSecurityFindingsRequest = {
  body: {
    data: {
      attributes: {
        filter: "@severity:(critical OR high)",
      },
    },
  },
};

apiInstance
  .searchSecurityFindings(params)
  .then((data: v2.ListSecurityFindingsResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));
```


```typescript
/**
 * Search security findings returns "OK" response with pagination
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiSearchSecurityFindingsRequest = {
  body: {
    data: {
      attributes: {
        filter: "@severity:(critical OR high)",
        page: {
          limit: 1,
        },
      },
    },
  },
};

apiInstance
  .searchSecurityFindings(params)
  .then((data: v2.ListSecurityFindingsResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=typescript), then save the example to `example.ts` and run the following command, with `DD_SITE` set to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"
{% /tab %}

## Create cases for security findings{% #create-cases-for-security-findings %}

{% tab title="v2" %}

| Datadog site      | API endpoint                                                      |
| ----------------- | ----------------------------------------------------------------- |
| ap1.datadoghq.com | POST https://api.ap1.datadoghq.com/api/v2/security/findings/cases |
| ap2.datadoghq.com | POST https://api.ap2.datadoghq.com/api/v2/security/findings/cases |
| app.datadoghq.eu  | POST https://api.datadoghq.eu/api/v2/security/findings/cases      |
| app.ddog-gov.com  | POST https://api.ddog-gov.com/api/v2/security/findings/cases      |
| app.datadoghq.com | POST https://api.datadoghq.com/api/v2/security/findings/cases     |
| us3.datadoghq.com | POST https://api.us3.datadoghq.com/api/v2/security/findings/cases |
| us5.datadoghq.com | POST https://api.us5.datadoghq.com/api/v2/security/findings/cases |

### Overview

Create cases for security findings. You can create up to 50 cases per request and associate up to 50 security findings per case. Security findings that are already attached to another case will be detached from their previous case and attached to the newly created case. This endpoint requires any of the following permissions:

- `security_monitoring_findings_write`
- `appsec_vm_write`


### Request

#### Body Data (required)



{% tab title="Model" %}

| Parent field  | Field                      | Type     | Description                                                                                                                                       |
| ------------- | -------------------------- | -------- | ------------------------------------------------------------------------------------------------------------------------------------------------- |
|               | data [*required*]     | [object] | Array of case creation request data objects.                                                                                                      |
| data          | attributes                 | object   | Attributes of the case to create.                                                                                                                 |
| attributes    | assignee_id                | string   | Unique identifier of the user assigned to the case.                                                                                               |
| attributes    | description                | string   | Description of the case. If not provided, the description will be automatically generated.                                                        |
| attributes    | priority                   | enum     | Priority of the case. If not provided, the priority will be automatically set to "NOT_DEFINED". Allowed enum values: `NOT_DEFINED,P1,P2,P3,P4,P5` |
| attributes    | title                      | string   | Title of the case. If not provided, the title will be automatically generated.                                                                    |
| data          | relationships              | object   | Relationships of the case to create.                                                                                                              |
| relationships | findings [*required*] | object   | Security findings to create a case for.                                                                                                           |
| findings      | data                       | [object] | Array of security finding data objects.                                                                                                           |
| data          | id [*required*]       | string   | Unique identifier of the security finding.                                                                                                        |
| data          | type [*required*]     | enum     | Security findings resource type. Allowed enum values: `findings`                                                                                  |
| relationships | project [*required*]  | object   | Case management project in which the case will be created.                                                                                        |
| project       | data [*required*]     | object   | Data object representing a case management project.                                                                                               |
| data          | id [*required*]       | string   | Unique identifier of the case management project.                                                                                                 |
| data          | type [*required*]     | enum     | Projects resource type. Allowed enum values: `projects`                                                                                           |
| data          | type [*required*]     | enum     | Cases resource type. Allowed enum values: `cases`                                                                                                 |

{% /tab %}

{% tab title="Example" %}

```json
{
  "data": [
    {
      "attributes": {
        "title": "A title",
        "description": "A description"
      },
      "relationships": {
        "findings": {
          "data": [
            {
              "id": "YjdhNDM3N2QyNTFjYmUwYTY3NDdhMTg0YTk2Yjg5MDl-ZjNmMzAwOTFkZDNhNGQzYzI0MzgxNTk4MjRjZmE2NzE=",
              "type": "findings"
            }
          ]
        },
        "project": {
          "data": {
            "id": "959a6f71-bac8-4027-b1d3-2264f569296f",
            "type": "projects"
          }
        }
      },
      "type": "cases"
    }
  ]
}
```


```json
{
  "data": [
    {
      "attributes": {
        "title": "A title",
        "description": "A description"
      },
      "relationships": {
        "findings": {
          "data": [
            {
              "id": "ZTd5LWNuYi1seWV-aS0wMjI2NGZjZjRmZWQ5ODMyMg==",
              "type": "findings"
            },
            {
              "id": "c2FuLXhyaS1kZnN-aS0wODM3MjVhMTM2MDExNzNkOQ==",
              "type": "findings"
            }
          ]
        },
        "project": {
          "data": {
            "id": "959a6f71-bac8-4027-b1d3-2264f569296f",
            "type": "projects"
          }
        }
      },
      "type": "cases"
    }
  ]
}
```


```json
{
  "data": [
    {
      "attributes": {
        "title": "A title",
        "description": "A description"
      },
      "relationships": {
        "findings": {
          "data": [
            {
              "id": "YjdhNDM3N2QyNTFjYmUwYTY3NDdhMTg0YTk2Yjg5MDl-ZjNmMzAwOTFkZDNhNGQzYzI0MzgxNTk4MjRjZmE2NzE=",
              "type": "findings"
            }
          ]
        },
        "project": {
          "data": {
            "id": "959a6f71-bac8-4027-b1d3-2264f569296f",
            "type": "projects"
          }
        }
      },
      "type": "cases"
    },
    {
      "attributes": {
        "title": "A title",
        "description": "A description"
      },
      "relationships": {
        "findings": {
          "data": [
            {
              "id": "OGRlMDIwYzk4MjFmZTZiNTQwMzk2ZjUxNzg0MDc0NjR-MTk3Yjk4MDI4ZDQ4YzI2ZGZiMWJmMTNhNDEwZGZkYWI=",
              "type": "findings"
            }
          ]
        },
        "project": {
          "data": {
            "id": "959a6f71-bac8-4027-b1d3-2264f569296f",
            "type": "projects"
          }
        }
      },
      "type": "cases"
    }
  ]
}
```

{% /tab %}
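The limits in the overview (50 cases per request, 50 findings per case) mean a large triage run has to be split across several request bodies. The following is an added example, not Datadog's client code: `build_case_requests`, `chunks` and `sample_groups` are hypothetical helper names and the finding IDs are constructed. It also keeps each finding ID in one case only, a design choice made here because a finding attached to a new case is detached from its previous one.

```python
"""Batch security findings into request bodies for POST /api/v2/security/findings/cases."""
import json

MAX_CASES_PER_REQUEST = 50   # "up to 50 cases per request"
MAX_FINDINGS_PER_CASE = 50   # "up to 50 security findings per case"
ALLOWED_PRIORITIES = ("NOT_DEFINED", "P1", "P2", "P3", "P4", "P5")


def chunks(items, size):
    """Yield consecutive slices of `items` holding at most `size` elements."""
    for start in range(0, len(items), size):
        yield items[start:start + size]


def build_case_requests(groups, project_id, priority="NOT_DEFINED"):
    """Return a list of request bodies that respect both documented limits.

    groups: dict mapping a case title to an iterable of finding IDs.
    A finding ID is used once; later repeats are dropped so that one case
    does not take the finding away from a case created just before it.
    """
    if priority not in ALLOWED_PRIORITIES:
        raise ValueError(f"priority must be one of {ALLOWED_PRIORITIES}")
    if not project_id:
        raise ValueError("project_id is required")

    seen = set()
    cases = []
    for title, finding_ids in groups.items():
        unique = []
        for finding_id in finding_ids:
            if finding_id not in seen:
                seen.add(finding_id)
                unique.append(finding_id)
        # A group whose findings were all used already yields no case,
        # because `relationships.findings` is a required field.
        parts = list(chunks(unique, MAX_FINDINGS_PER_CASE))
        for index, part in enumerate(parts, start=1):
            suffix = f" ({index}/{len(parts)})" if len(parts) > 1 else ""
            cases.append({
                "type": "cases",
                "attributes": {"title": title + suffix, "priority": priority},
                "relationships": {
                    "findings": {
                        "data": [{"id": fid, "type": "findings"} for fid in part]
                    },
                    "project": {"data": {"id": project_id, "type": "projects"}},
                },
            })
    return [{"data": batch} for batch in chunks(cases, MAX_CASES_PER_REQUEST)]


def sample_groups():
    """Constructed input: these are not real Datadog finding IDs."""
    groups = {"Public buckets": [f"finding-a-{n:03d}" for n in range(120)]}
    # "finding-a-005" repeats an ID from the first group and is dropped.
    groups["Open security groups"] = ["finding-b-000", "finding-a-005", "finding-b-001"]
    for n in range(60):
        groups[f"Host {n:02d} vulnerabilities"] = [f"finding-h-{n:02d}"]
    return groups


if __name__ == "__main__":
    # Project ID taken from the request examples on this page.
    bodies = build_case_requests(
        sample_groups(), "959a6f71-bac8-4027-b1d3-2264f569296f", priority="P2"
    )
    print("requests to send:", len(bodies))
    print("cases per request:", [len(body["data"]) for body in bodies])
    print(json.dumps(bodies[1]["data"][-1], indent=2))
```

Each returned body is sent as its own POST; a 429 response on one body does not affect the bodies already accepted.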

### Response

{% tab title="201" %}
Created
{% tab title="Model" %}
List of case responses.

| Parent field         | Field                  | Type      | Description                                                                                                                                      |
| -------------------- | ---------------------- | --------- | ------------------------------------------------------------------------------------------------------------------------------------------------ |
|                      | data [*required*] | [object]  | Array of case response data objects.                                                                                                             |
| data                 | attributes             | object    | Attributes of the case.                                                                                                                          |
| attributes           | archived_at            | date-time | Timestamp of when the case was archived.                                                                                                         |
| attributes           | assigned_to            | object    | User assigned to the case.                                                                                                                       |
| assigned_to          | data [*required*] | object    | Relationship to user object.                                                                                                                     |
| data                 | id [*required*]   | string    | A unique identifier that represents the user.                                                                                                    |
| data                 | type [*required*] | enum      | Users resource type. Allowed enum values: `users`                                                                                                |
| attributes           | attributes             | object    | Custom attributes associated with the case as key-value pairs where values are string arrays.                                                    |
| additionalProperties | <any-key>              | [string]  |                                                                                                                                                  |
| attributes           | closed_at              | date-time | Timestamp of when the case was closed.                                                                                                           |
| attributes           | created_at             | date-time | Timestamp of when the case was created.                                                                                                          |
| attributes           | creation_source        | string    | Source of the case creation.                                                                                                                     |
| attributes           | description            | string    | Description of the case.                                                                                                                         |
| attributes           | due_date               | string    | Due date of the case.                                                                                                                            |
| attributes           | insights               | [object]  | Insights of the case.                                                                                                                            |
| insights             | ref                    | string    | Reference of the insight.                                                                                                                        |
| insights             | resource_id            | string    | Unique identifier of the resource. For example, the unique identifier of a security finding.                                                     |
| insights             | type                   | string    | Type of the resource. For example, the type of a security finding is "SECURITY_FINDING".                                                         |
| attributes           | jira_issue             | object    | Jira issue associated with the case.                                                                                                             |
| jira_issue           | error_message          | string    | Error message if the Jira issue creation failed.                                                                                                 |
| jira_issue           | result                 | object    | Result of the Jira issue creation.                                                                                                               |
| result               | account_id             | string    | Account ID of the Jira issue.                                                                                                                    |
| result               | issue_id               | string    | Unique identifier of the Jira issue.                                                                                                             |
| result               | issue_key              | string    | Key of the Jira issue.                                                                                                                           |
| result               | issue_url              | string    | URL of the Jira issue.                                                                                                                           |
| jira_issue           | status                 | string    | Status of the Jira issue creation. Can be "COMPLETED" if the Jira issue was created successfully, or "FAILED" if the Jira issue creation failed. |
| attributes           | key                    | string    | Key of the case.                                                                                                                                 |
| attributes           | modified_at            | date-time | Timestamp of when the case was last modified.                                                                                                    |
| attributes           | priority               | string    | Priority of the case.                                                                                                                            |
| attributes           | status                 | string    | Status of the case.                                                                                                                              |
| attributes           | status_group           | string    | Status group of the case.                                                                                                                        |
| attributes           | status_name            | string    | Status name of the case.                                                                                                                         |
| attributes           | title                  | string    | Title of the case.                                                                                                                               |
| attributes           | type                   | string    | Type of the case. For security cases, this is always "SECURITY".                                                                                 |
| data                 | id                     | string    | Unique identifier of the case.                                                                                                                   |
| data                 | relationships          | object    | Relationships of the case.                                                                                                                       |
| relationships        | created_by             | object    | User who created the case.                                                                                                                       |
| created_by           | data [*required*] | object    | Relationship to user object.                                                                                                                     |
| data                 | id [*required*]   | string    | A unique identifier that represents the user.                                                                                                    |
| data                 | type [*required*] | enum      | Users resource type. Allowed enum values: `users`                                                                                                |
| relationships        | modified_by            | object    | User who last modified the case.                                                                                                                 |
| modified_by          | data [*required*] | object    | Relationship to user object.                                                                                                                     |
| data                 | id [*required*]   | string    | A unique identifier that represents the user.                                                                                                    |
| data                 | type [*required*] | enum      | Users resource type. Allowed enum values: `users`                                                                                                |
| relationships        | project                | object    | Project in which the case was created.                                                                                                           |
| project              | data [*required*] | object    | Data object representing a case management project.                                                                                              |
| data                 | id [*required*]   | string    | Unique identifier of the case management project.                                                                                                |
| data                 | type [*required*] | enum      | Projects resource type. Allowed enum values: `projects`                                                                                          |
| data                 | type [*required*] | enum      | Cases resource type. Allowed enum values: `cases`                                                                                                |

{% /tab %}

{% tab title="Example" %}

```json
{
  "data": [
    {
      "attributes": {
        "archived_at": "2025-01-01T00:00:00.000Z",
        "assigned_to": {
          "data": {
            "id": "00000000-0000-0000-2345-000000000000",
            "type": "users"
          }
        },
        "attributes": {
          "<any-key>": []
        },
        "closed_at": "2025-01-01T00:00:00.000Z",
        "created_at": "2025-01-01T00:00:00.000Z",
        "creation_source": "CS_SECURITY_FINDING",
        "description": "A description of the case.",
        "due_date": "2025-01-01",
        "insights": [
          {
            "ref": "/security/appsec/vm/library/vulnerability/dfa027f7c037b2f77159adc027fecb56?detection=static",
            "resource_id": "ZGVmLTAwcC1pZXJ-aS0wZjhjNjMyZDNmMzRlZTgzNw==",
            "type": "SECURITY_FINDING"
          }
        ],
        "jira_issue": {
          "error_message": "{\"errorMessages\":[\"An error occured.\"],\"errors\":{}}",
          "result": {
            "account_id": "463a8631-680e-455c-bfd3-3ed04d326eb7",
            "issue_id": "2871276",
            "issue_key": "PROJ-123",
            "issue_url": "https://domain.atlassian.net/browse/PROJ-123"
          },
          "status": "COMPLETED"
        },
        "key": "PROJ-123",
        "modified_at": "2025-01-01T00:00:00.000Z",
        "priority": "P4",
        "status": "OPEN",
        "status_group": "SG_OPEN",
        "status_name": "Open",
        "title": "A title for the case.",
        "type": "SECURITY"
      },
      "id": "c1234567-89ab-cdef-0123-456789abcdef",
      "relationships": {
        "created_by": {
          "data": {
            "id": "00000000-0000-0000-2345-000000000000",
            "type": "users"
          }
        },
        "modified_by": {
          "data": {
            "id": "00000000-0000-0000-2345-000000000000",
            "type": "users"
          }
        },
        "project": {
          "data": {
            "id": "aeadc05e-98a8-11ec-ac2c-da7ad0900001",
            "type": "projects"
          }
        }
      },
      "type": "cases"
    }
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="400" %}
Bad Request
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="404" %}
Not Found
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="429" %}
Too many requests
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

### Code Example

```bash
# Curl command (replace api.datadoghq.com with the API host for your Datadog site, as listed in the endpoint table)
curl -X POST "https://api.datadoghq.com/api/v2/security/findings/cases" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "data": [
    {
      "attributes": {
        "title": "A title",
        "description": "A description"
      },
      "relationships": {
        "findings": {
          "data": [
            {
              "id": "YjdhNDM3N2QyNTFjYmUwYTY3NDdhMTg0YTk2Yjg5MDl-ZjNmMzAwOTFkZDNhNGQzYzI0MzgxNTk4MjRjZmE2NzE=",
              "type": "findings"
            }
          ]
        },
        "project": {
          "data": {
            "id": "959a6f71-bac8-4027-b1d3-2264f569296f",
            "type": "projects"
          }
        }
      },
      "type": "cases"
    }
  ]
}
EOF
```

```bash
# Curl command (replace api.datadoghq.com with the API host for your Datadog site, as listed in the endpoint table)
curl -X POST "https://api.datadoghq.com/api/v2/security/findings/cases" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "data": [
    {
      "attributes": {
        "title": "A title",
        "description": "A description"
      },
      "relationships": {
        "findings": {
          "data": [
            {
              "id": "ZTd5LWNuYi1seWV-aS0wMjI2NGZjZjRmZWQ5ODMyMg==",
              "type": "findings"
            },
            {
              "id": "c2FuLXhyaS1kZnN-aS0wODM3MjVhMTM2MDExNzNkOQ==",
              "type": "findings"
            }
          ]
        },
        "project": {
          "data": {
            "id": "959a6f71-bac8-4027-b1d3-2264f569296f",
            "type": "projects"
          }
        }
      },
      "type": "cases"
    }
  ]
}
EOF
```

```bash
# Curl command (replace api.datadoghq.com with the API host for your Datadog site, as listed in the endpoint table)
curl -X POST "https://api.datadoghq.com/api/v2/security/findings/cases" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "data": [
    {
      "attributes": {
        "title": "A title",
        "description": "A description"
      },
      "relationships": {
        "findings": {
          "data": [
            {
              "id": "YjdhNDM3N2QyNTFjYmUwYTY3NDdhMTg0YTk2Yjg5MDl-ZjNmMzAwOTFkZDNhNGQzYzI0MzgxNTk4MjRjZmE2NzE=",
              "type": "findings"
            }
          ]
        },
        "project": {
          "data": {
            "id": "959a6f71-bac8-4027-b1d3-2264f569296f",
            "type": "projects"
          }
        }
      },
      "type": "cases"
    },
    {
      "attributes": {
        "title": "A title",
        "description": "A description"
      },
      "relationships": {
        "findings": {
          "data": [
            {
              "id": "OGRlMDIwYzk4MjFmZTZiNTQwMzk2ZjUxNzg0MDc0NjR-MTk3Yjk4MDI4ZDQ4YzI2ZGZiMWJmMTNhNDEwZGZkYWI=",
              "type": "findings"
            }
          ]
        },
        "project": {
          "data": {
            "id": "959a6f71-bac8-4027-b1d3-2264f569296f",
            "type": "projects"
          }
        }
      },
      "type": "cases"
    }
  ]
}
EOF
```

```go
// Create case for security finding returns "Created" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	body := datadogV2.CreateCaseRequestArray{
		Data: []datadogV2.CreateCaseRequestData{
			{
				Attributes: &datadogV2.CreateCaseRequestDataAttributes{
					Title:       datadog.PtrString("A title"),
					Description: datadog.PtrString("A description"),
				},
				Relationships: &datadogV2.CreateCaseRequestDataRelationships{
					Findings: datadogV2.Findings{
						Data: []datadogV2.FindingData{
							{
								Id:   "YjdhNDM3N2QyNTFjYmUwYTY3NDdhMTg0YTk2Yjg5MDl-ZjNmMzAwOTFkZDNhNGQzYzI0MzgxNTk4MjRjZmE2NzE=",
								Type: datadogV2.FINDINGDATATYPE_FINDINGS,
							},
						},
					},
					Project: datadogV2.CaseManagementProject{
						Data: datadogV2.CaseManagementProjectData{
							Id:   "959a6f71-bac8-4027-b1d3-2264f569296f",
							Type: datadogV2.CASEMANAGEMENTPROJECTDATATYPE_PROJECTS,
						},
					},
				},
				Type: datadogV2.CASEDATATYPE_CASES,
			},
		},
	}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.CreateCases(ctx, body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.CreateCases`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.CreateCases`:\n%s\n", responseContent)
}
```


```go
// Create case for security findings returns "Created" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	body := datadogV2.CreateCaseRequestArray{
		Data: []datadogV2.CreateCaseRequestData{
			{
				Attributes: &datadogV2.CreateCaseRequestDataAttributes{
					Title:       datadog.PtrString("A title"),
					Description: datadog.PtrString("A description"),
				},
				Relationships: &datadogV2.CreateCaseRequestDataRelationships{
					Findings: datadogV2.Findings{
						Data: []datadogV2.FindingData{
							{
								Id:   "ZTd5LWNuYi1seWV-aS0wMjI2NGZjZjRmZWQ5ODMyMg==",
								Type: datadogV2.FINDINGDATATYPE_FINDINGS,
							},
							{
								Id:   "c2FuLXhyaS1kZnN-aS0wODM3MjVhMTM2MDExNzNkOQ==",
								Type: datadogV2.FINDINGDATATYPE_FINDINGS,
							},
						},
					},
					Project: datadogV2.CaseManagementProject{
						Data: datadogV2.CaseManagementProjectData{
							Id:   "959a6f71-bac8-4027-b1d3-2264f569296f",
							Type: datadogV2.CASEMANAGEMENTPROJECTDATATYPE_PROJECTS,
						},
					},
				},
				Type: datadogV2.CASEDATATYPE_CASES,
			},
		},
	}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.CreateCases(ctx, body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.CreateCases`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.CreateCases`:\n%s\n", responseContent)
}
```


```go
// Create cases for security findings returns "Created" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	body := datadogV2.CreateCaseRequestArray{
		Data: []datadogV2.CreateCaseRequestData{
			{
				Attributes: &datadogV2.CreateCaseRequestDataAttributes{
					Title:       datadog.PtrString("A title"),
					Description: datadog.PtrString("A description"),
				},
				Relationships: &datadogV2.CreateCaseRequestDataRelationships{
					Findings: datadogV2.Findings{
						Data: []datadogV2.FindingData{
							{
								Id:   "YjdhNDM3N2QyNTFjYmUwYTY3NDdhMTg0YTk2Yjg5MDl-ZjNmMzAwOTFkZDNhNGQzYzI0MzgxNTk4MjRjZmE2NzE=",
								Type: datadogV2.FINDINGDATATYPE_FINDINGS,
							},
						},
					},
					Project: datadogV2.CaseManagementProject{
						Data: datadogV2.CaseManagementProjectData{
							Id:   "959a6f71-bac8-4027-b1d3-2264f569296f",
							Type: datadogV2.CASEMANAGEMENTPROJECTDATATYPE_PROJECTS,
						},
					},
				},
				Type: datadogV2.CASEDATATYPE_CASES,
			},
			{
				Attributes: &datadogV2.CreateCaseRequestDataAttributes{
					Title:       datadog.PtrString("A title"),
					Description: datadog.PtrString("A description"),
				},
				Relationships: &datadogV2.CreateCaseRequestDataRelationships{
					Findings: datadogV2.Findings{
						Data: []datadogV2.FindingData{
							{
								Id:   "OGRlMDIwYzk4MjFmZTZiNTQwMzk2ZjUxNzg0MDc0NjR-MTk3Yjk4MDI4ZDQ4YzI2ZGZiMWJmMTNhNDEwZGZkYWI=",
								Type: datadogV2.FINDINGDATATYPE_FINDINGS,
							},
						},
					},
					Project: datadogV2.CaseManagementProject{
						Data: datadogV2.CaseManagementProjectData{
							Id:   "959a6f71-bac8-4027-b1d3-2264f569296f",
							Type: datadogV2.CASEMANAGEMENTPROJECTDATATYPE_PROJECTS,
						},
					},
				},
				Type: datadogV2.CASEDATATYPE_CASES,
			},
		},
	}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.CreateCases(ctx, body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.CreateCases`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.CreateCases`:\n%s\n", responseContent)
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=go), then save the example to `main.go` and run the following command, setting `DD_SITE` to your Datadog site (one of `datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, `ddog-gov.com`):

```sh
DD_SITE="<DD_SITE>" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
```

```java
// Create case for security finding returns "Created" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.CaseDataType;
import com.datadog.api.client.v2.model.CaseManagementProject;
import com.datadog.api.client.v2.model.CaseManagementProjectData;
import com.datadog.api.client.v2.model.CaseManagementProjectDataType;
import com.datadog.api.client.v2.model.CreateCaseRequestArray;
import com.datadog.api.client.v2.model.CreateCaseRequestData;
import com.datadog.api.client.v2.model.CreateCaseRequestDataAttributes;
import com.datadog.api.client.v2.model.CreateCaseRequestDataRelationships;
import com.datadog.api.client.v2.model.FindingCaseResponseArray;
import com.datadog.api.client.v2.model.FindingData;
import com.datadog.api.client.v2.model.FindingDataType;
import com.datadog.api.client.v2.model.Findings;
import java.util.Collections;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    CreateCaseRequestArray body =
        new CreateCaseRequestArray()
            .data(
                Collections.singletonList(
                    new CreateCaseRequestData()
                        .attributes(
                            new CreateCaseRequestDataAttributes()
                                .title("A title")
                                .description("A description"))
                        .relationships(
                            new CreateCaseRequestDataRelationships()
                                .findings(
                                    new Findings()
                                        .data(
                                            Collections.singletonList(
                                                new FindingData()
                                                    .id(
                                                        "YjdhNDM3N2QyNTFjYmUwYTY3NDdhMTg0YTk2Yjg5MDl-ZjNmMzAwOTFkZDNhNGQzYzI0MzgxNTk4MjRjZmE2NzE=")
                                                    .type(FindingDataType.FINDINGS))))
                                .project(
                                    new CaseManagementProject()
                                        .data(
                                            new CaseManagementProjectData()
                                                .id("959a6f71-bac8-4027-b1d3-2264f569296f")
                                                .type(CaseManagementProjectDataType.PROJECTS))))
                        .type(CaseDataType.CASES)));

    try {
      FindingCaseResponseArray result = apiInstance.createCases(body);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println("Exception when calling SecurityMonitoringApi#createCases");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}
```

```java
// Create case for security findings returns "Created" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.CaseDataType;
import com.datadog.api.client.v2.model.CaseManagementProject;
import com.datadog.api.client.v2.model.CaseManagementProjectData;
import com.datadog.api.client.v2.model.CaseManagementProjectDataType;
import com.datadog.api.client.v2.model.CreateCaseRequestArray;
import com.datadog.api.client.v2.model.CreateCaseRequestData;
import com.datadog.api.client.v2.model.CreateCaseRequestDataAttributes;
import com.datadog.api.client.v2.model.CreateCaseRequestDataRelationships;
import com.datadog.api.client.v2.model.FindingCaseResponseArray;
import com.datadog.api.client.v2.model.FindingData;
import com.datadog.api.client.v2.model.FindingDataType;
import com.datadog.api.client.v2.model.Findings;
import java.util.Arrays;
import java.util.Collections;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    CreateCaseRequestArray body =
        new CreateCaseRequestArray()
            .data(
                Collections.singletonList(
                    new CreateCaseRequestData()
                        .attributes(
                            new CreateCaseRequestDataAttributes()
                                .title("A title")
                                .description("A description"))
                        .relationships(
                            new CreateCaseRequestDataRelationships()
                                .findings(
                                    new Findings()
                                        .data(
                                            Arrays.asList(
                                                new FindingData()
                                                    .id(
                                                        "ZTd5LWNuYi1seWV-aS0wMjI2NGZjZjRmZWQ5ODMyMg==")
                                                    .type(FindingDataType.FINDINGS),
                                                new FindingData()
                                                    .id(
                                                        "c2FuLXhyaS1kZnN-aS0wODM3MjVhMTM2MDExNzNkOQ==")
                                                    .type(FindingDataType.FINDINGS))))
                                .project(
                                    new CaseManagementProject()
                                        .data(
                                            new CaseManagementProjectData()
                                                .id("959a6f71-bac8-4027-b1d3-2264f569296f")
                                                .type(CaseManagementProjectDataType.PROJECTS))))
                        .type(CaseDataType.CASES)));

    try {
      FindingCaseResponseArray result = apiInstance.createCases(body);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println("Exception when calling SecurityMonitoringApi#createCases");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}
```

```java
// Create cases for security findings returns "Created" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.CaseDataType;
import com.datadog.api.client.v2.model.CaseManagementProject;
import com.datadog.api.client.v2.model.CaseManagementProjectData;
import com.datadog.api.client.v2.model.CaseManagementProjectDataType;
import com.datadog.api.client.v2.model.CreateCaseRequestArray;
import com.datadog.api.client.v2.model.CreateCaseRequestData;
import com.datadog.api.client.v2.model.CreateCaseRequestDataAttributes;
import com.datadog.api.client.v2.model.CreateCaseRequestDataRelationships;
import com.datadog.api.client.v2.model.FindingCaseResponseArray;
import com.datadog.api.client.v2.model.FindingData;
import com.datadog.api.client.v2.model.FindingDataType;
import com.datadog.api.client.v2.model.Findings;
import java.util.Arrays;
import java.util.Collections;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    CreateCaseRequestArray body =
        new CreateCaseRequestArray()
            .data(
                Arrays.asList(
                    new CreateCaseRequestData()
                        .attributes(
                            new CreateCaseRequestDataAttributes()
                                .title("A title")
                                .description("A description"))
                        .relationships(
                            new CreateCaseRequestDataRelationships()
                                .findings(
                                    new Findings()
                                        .data(
                                            Collections.singletonList(
                                                new FindingData()
                                                    .id(
                                                        "YjdhNDM3N2QyNTFjYmUwYTY3NDdhMTg0YTk2Yjg5MDl-ZjNmMzAwOTFkZDNhNGQzYzI0MzgxNTk4MjRjZmE2NzE=")
                                                    .type(FindingDataType.FINDINGS))))
                                .project(
                                    new CaseManagementProject()
                                        .data(
                                            new CaseManagementProjectData()
                                                .id("959a6f71-bac8-4027-b1d3-2264f569296f")
                                                .type(CaseManagementProjectDataType.PROJECTS))))
                        .type(CaseDataType.CASES),
                    new CreateCaseRequestData()
                        .attributes(
                            new CreateCaseRequestDataAttributes()
                                .title("A title")
                                .description("A description"))
                        .relationships(
                            new CreateCaseRequestDataRelationships()
                                .findings(
                                    new Findings()
                                        .data(
                                            Collections.singletonList(
                                                new FindingData()
                                                    .id(
                                                        "OGRlMDIwYzk4MjFmZTZiNTQwMzk2ZjUxNzg0MDc0NjR-MTk3Yjk4MDI4ZDQ4YzI2ZGZiMWJmMTNhNDEwZGZkYWI=")
                                                    .type(FindingDataType.FINDINGS))))
                                .project(
                                    new CaseManagementProject()
                                        .data(
                                            new CaseManagementProjectData()
                                                .id("959a6f71-bac8-4027-b1d3-2264f569296f")
                                                .type(CaseManagementProjectDataType.PROJECTS))))
                        .type(CaseDataType.CASES)));

    try {
      FindingCaseResponseArray result = apiInstance.createCases(body);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println("Exception when calling SecurityMonitoringApi#createCases");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=java), then save the example to `Example.java` and run the following command, setting `DD_SITE` to your Datadog site (one of `datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, `ddog-gov.com`):

```sh
DD_SITE="<DD_SITE>" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"
```

```python
"""
Create case for security finding returns "Created" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.case_data_type import CaseDataType
from datadog_api_client.v2.model.case_management_project import CaseManagementProject
from datadog_api_client.v2.model.case_management_project_data import CaseManagementProjectData
from datadog_api_client.v2.model.case_management_project_data_type import CaseManagementProjectDataType
from datadog_api_client.v2.model.create_case_request_array import CreateCaseRequestArray
from datadog_api_client.v2.model.create_case_request_data import CreateCaseRequestData
from datadog_api_client.v2.model.create_case_request_data_attributes import CreateCaseRequestDataAttributes
from datadog_api_client.v2.model.create_case_request_data_relationships import CreateCaseRequestDataRelationships
from datadog_api_client.v2.model.finding_data import FindingData
from datadog_api_client.v2.model.finding_data_type import FindingDataType
from datadog_api_client.v2.model.findings import Findings

body = CreateCaseRequestArray(
    data=[
        CreateCaseRequestData(
            attributes=CreateCaseRequestDataAttributes(
                title="A title",
                description="A description",
            ),
            relationships=CreateCaseRequestDataRelationships(
                findings=Findings(
                    data=[
                        FindingData(
                            id="YjdhNDM3N2QyNTFjYmUwYTY3NDdhMTg0YTk2Yjg5MDl-ZjNmMzAwOTFkZDNhNGQzYzI0MzgxNTk4MjRjZmE2NzE=",
                            type=FindingDataType.FINDINGS,
                        ),
                    ],
                ),
                project=CaseManagementProject(
                    data=CaseManagementProjectData(
                        id="959a6f71-bac8-4027-b1d3-2264f569296f",
                        type=CaseManagementProjectDataType.PROJECTS,
                    ),
                ),
            ),
            type=CaseDataType.CASES,
        ),
    ],
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.create_cases(body=body)

    print(response)
```

```python
"""
Create case for security findings returns "Created" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.case_data_type import CaseDataType
from datadog_api_client.v2.model.case_management_project import CaseManagementProject
from datadog_api_client.v2.model.case_management_project_data import CaseManagementProjectData
from datadog_api_client.v2.model.case_management_project_data_type import CaseManagementProjectDataType
from datadog_api_client.v2.model.create_case_request_array import CreateCaseRequestArray
from datadog_api_client.v2.model.create_case_request_data import CreateCaseRequestData
from datadog_api_client.v2.model.create_case_request_data_attributes import CreateCaseRequestDataAttributes
from datadog_api_client.v2.model.create_case_request_data_relationships import CreateCaseRequestDataRelationships
from datadog_api_client.v2.model.finding_data import FindingData
from datadog_api_client.v2.model.finding_data_type import FindingDataType
from datadog_api_client.v2.model.findings import Findings

body = CreateCaseRequestArray(
    data=[
        CreateCaseRequestData(
            attributes=CreateCaseRequestDataAttributes(
                title="A title",
                description="A description",
            ),
            relationships=CreateCaseRequestDataRelationships(
                findings=Findings(
                    data=[
                        FindingData(
                            id="ZTd5LWNuYi1seWV-aS0wMjI2NGZjZjRmZWQ5ODMyMg==",
                            type=FindingDataType.FINDINGS,
                        ),
                        FindingData(
                            id="c2FuLXhyaS1kZnN-aS0wODM3MjVhMTM2MDExNzNkOQ==",
                            type=FindingDataType.FINDINGS,
                        ),
                    ],
                ),
                project=CaseManagementProject(
                    data=CaseManagementProjectData(
                        id="959a6f71-bac8-4027-b1d3-2264f569296f",
                        type=CaseManagementProjectDataType.PROJECTS,
                    ),
                ),
            ),
            type=CaseDataType.CASES,
        ),
    ],
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.create_cases(body=body)

    print(response)
```

```python
"""
Create cases for security findings returns "Created" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.case_data_type import CaseDataType
from datadog_api_client.v2.model.case_management_project import CaseManagementProject
from datadog_api_client.v2.model.case_management_project_data import CaseManagementProjectData
from datadog_api_client.v2.model.case_management_project_data_type import CaseManagementProjectDataType
from datadog_api_client.v2.model.create_case_request_array import CreateCaseRequestArray
from datadog_api_client.v2.model.create_case_request_data import CreateCaseRequestData
from datadog_api_client.v2.model.create_case_request_data_attributes import CreateCaseRequestDataAttributes
from datadog_api_client.v2.model.create_case_request_data_relationships import CreateCaseRequestDataRelationships
from datadog_api_client.v2.model.finding_data import FindingData
from datadog_api_client.v2.model.finding_data_type import FindingDataType
from datadog_api_client.v2.model.findings import Findings

body = CreateCaseRequestArray(
    data=[
        CreateCaseRequestData(
            attributes=CreateCaseRequestDataAttributes(
                title="A title",
                description="A description",
            ),
            relationships=CreateCaseRequestDataRelationships(
                findings=Findings(
                    data=[
                        FindingData(
                            id="YjdhNDM3N2QyNTFjYmUwYTY3NDdhMTg0YTk2Yjg5MDl-ZjNmMzAwOTFkZDNhNGQzYzI0MzgxNTk4MjRjZmE2NzE=",
                            type=FindingDataType.FINDINGS,
                        ),
                    ],
                ),
                project=CaseManagementProject(
                    data=CaseManagementProjectData(
                        id="959a6f71-bac8-4027-b1d3-2264f569296f",
                        type=CaseManagementProjectDataType.PROJECTS,
                    ),
                ),
            ),
            type=CaseDataType.CASES,
        ),
        CreateCaseRequestData(
            attributes=CreateCaseRequestDataAttributes(
                title="A title",
                description="A description",
            ),
            relationships=CreateCaseRequestDataRelationships(
                findings=Findings(
                    data=[
                        FindingData(
                            id="OGRlMDIwYzk4MjFmZTZiNTQwMzk2ZjUxNzg0MDc0NjR-MTk3Yjk4MDI4ZDQ4YzI2ZGZiMWJmMTNhNDEwZGZkYWI=",
                            type=FindingDataType.FINDINGS,
                        ),
                    ],
                ),
                project=CaseManagementProject(
                    data=CaseManagementProjectData(
                        id="959a6f71-bac8-4027-b1d3-2264f569296f",
                        type=CaseManagementProjectDataType.PROJECTS,
                    ),
                ),
            ),
            type=CaseDataType.CASES,
        ),
    ],
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.create_cases(body=body)

    print(response)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=python), then save the example to `example.py` and run the following command, setting `DD_SITE` to your Datadog site (one of `datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, `ddog-gov.com`):

```sh
DD_SITE="<DD_SITE>" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
```

```ruby
# Create case for security finding returns "Created" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

body = DatadogAPIClient::V2::CreateCaseRequestArray.new({
  data: [
    DatadogAPIClient::V2::CreateCaseRequestData.new({
      attributes: DatadogAPIClient::V2::CreateCaseRequestDataAttributes.new({
        title: "A title",
        description: "A description",
      }),
      relationships: DatadogAPIClient::V2::CreateCaseRequestDataRelationships.new({
        findings: DatadogAPIClient::V2::Findings.new({
          data: [
            DatadogAPIClient::V2::FindingData.new({
              id: "YjdhNDM3N2QyNTFjYmUwYTY3NDdhMTg0YTk2Yjg5MDl-ZjNmMzAwOTFkZDNhNGQzYzI0MzgxNTk4MjRjZmE2NzE=",
              type: DatadogAPIClient::V2::FindingDataType::FINDINGS,
            }),
          ],
        }),
        project: DatadogAPIClient::V2::CaseManagementProject.new({
          data: DatadogAPIClient::V2::CaseManagementProjectData.new({
            id: "959a6f71-bac8-4027-b1d3-2264f569296f",
            type: DatadogAPIClient::V2::CaseManagementProjectDataType::PROJECTS,
          }),
        }),
      }),
      type: DatadogAPIClient::V2::CaseDataType::CASES,
    }),
  ],
})
p api_instance.create_cases(body)
```

```ruby
# Create case for security findings returns "Created" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

body = DatadogAPIClient::V2::CreateCaseRequestArray.new({
  data: [
    DatadogAPIClient::V2::CreateCaseRequestData.new({
      attributes: DatadogAPIClient::V2::CreateCaseRequestDataAttributes.new({
        title: "A title",
        description: "A description",
      }),
      relationships: DatadogAPIClient::V2::CreateCaseRequestDataRelationships.new({
        findings: DatadogAPIClient::V2::Findings.new({
          data: [
            DatadogAPIClient::V2::FindingData.new({
              id: "ZTd5LWNuYi1seWV-aS0wMjI2NGZjZjRmZWQ5ODMyMg==",
              type: DatadogAPIClient::V2::FindingDataType::FINDINGS,
            }),
            DatadogAPIClient::V2::FindingData.new({
              id: "c2FuLXhyaS1kZnN-aS0wODM3MjVhMTM2MDExNzNkOQ==",
              type: DatadogAPIClient::V2::FindingDataType::FINDINGS,
            }),
          ],
        }),
        project: DatadogAPIClient::V2::CaseManagementProject.new({
          data: DatadogAPIClient::V2::CaseManagementProjectData.new({
            id: "959a6f71-bac8-4027-b1d3-2264f569296f",
            type: DatadogAPIClient::V2::CaseManagementProjectDataType::PROJECTS,
          }),
        }),
      }),
      type: DatadogAPIClient::V2::CaseDataType::CASES,
    }),
  ],
})
p api_instance.create_cases(body)
```

```ruby
# Create cases for security findings returns "Created" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

body = DatadogAPIClient::V2::CreateCaseRequestArray.new({
  data: [
    DatadogAPIClient::V2::CreateCaseRequestData.new({
      attributes: DatadogAPIClient::V2::CreateCaseRequestDataAttributes.new({
        title: "A title",
        description: "A description",
      }),
      relationships: DatadogAPIClient::V2::CreateCaseRequestDataRelationships.new({
        findings: DatadogAPIClient::V2::Findings.new({
          data: [
            DatadogAPIClient::V2::FindingData.new({
              id: "YjdhNDM3N2QyNTFjYmUwYTY3NDdhMTg0YTk2Yjg5MDl-ZjNmMzAwOTFkZDNhNGQzYzI0MzgxNTk4MjRjZmE2NzE=",
              type: DatadogAPIClient::V2::FindingDataType::FINDINGS,
            }),
          ],
        }),
        project: DatadogAPIClient::V2::CaseManagementProject.new({
          data: DatadogAPIClient::V2::CaseManagementProjectData.new({
            id: "959a6f71-bac8-4027-b1d3-2264f569296f",
            type: DatadogAPIClient::V2::CaseManagementProjectDataType::PROJECTS,
          }),
        }),
      }),
      type: DatadogAPIClient::V2::CaseDataType::CASES,
    }),
    DatadogAPIClient::V2::CreateCaseRequestData.new({
      attributes: DatadogAPIClient::V2::CreateCaseRequestDataAttributes.new({
        title: "A title",
        description: "A description",
      }),
      relationships: DatadogAPIClient::V2::CreateCaseRequestDataRelationships.new({
        findings: DatadogAPIClient::V2::Findings.new({
          data: [
            DatadogAPIClient::V2::FindingData.new({
              id: "OGRlMDIwYzk4MjFmZTZiNTQwMzk2ZjUxNzg0MDc0NjR-MTk3Yjk4MDI4ZDQ4YzI2ZGZiMWJmMTNhNDEwZGZkYWI=",
              type: DatadogAPIClient::V2::FindingDataType::FINDINGS,
            }),
          ],
        }),
        project: DatadogAPIClient::V2::CaseManagementProject.new({
          data: DatadogAPIClient::V2::CaseManagementProjectData.new({
            id: "959a6f71-bac8-4027-b1d3-2264f569296f",
            type: DatadogAPIClient::V2::CaseManagementProjectDataType::PROJECTS,
          }),
        }),
      }),
      type: DatadogAPIClient::V2::CaseDataType::CASES,
    }),
  ],
})
p api_instance.create_cases(body)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=ruby), then save the example to `example.rb` and run the following command, setting `DD_SITE` to your Datadog site (one of `datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, `ddog-gov.com`):

```sh
DD_SITE="<DD_SITE>" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" ruby "example.rb"
```

```rust
// Create case for security finding returns "Created" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::CaseDataType;
use datadog_api_client::datadogV2::model::CaseManagementProject;
use datadog_api_client::datadogV2::model::CaseManagementProjectData;
use datadog_api_client::datadogV2::model::CaseManagementProjectDataType;
use datadog_api_client::datadogV2::model::CreateCaseRequestArray;
use datadog_api_client::datadogV2::model::CreateCaseRequestData;
use datadog_api_client::datadogV2::model::CreateCaseRequestDataAttributes;
use datadog_api_client::datadogV2::model::CreateCaseRequestDataRelationships;
use datadog_api_client::datadogV2::model::FindingData;
use datadog_api_client::datadogV2::model::FindingDataType;
use datadog_api_client::datadogV2::model::Findings;

#[tokio::main]
async fn main() {
    let body =
        CreateCaseRequestArray::new(
            vec![
                CreateCaseRequestData::new(CaseDataType::CASES)
                    .attributes(
                        CreateCaseRequestDataAttributes::new()
                            .description("A description".to_string())
                            .title("A title".to_string()),
                    )
                    .relationships(
                        CreateCaseRequestDataRelationships::new(
                            Findings
                            ::new().data(
                                vec![
                                    FindingData::new(
                                        "YjdhNDM3N2QyNTFjYmUwYTY3NDdhMTg0YTk2Yjg5MDl-ZjNmMzAwOTFkZDNhNGQzYzI0MzgxNTk4MjRjZmE2NzE=".to_string(),
                                        FindingDataType::FINDINGS,
                                    )
                                ],
                            ),
                            CaseManagementProject::new(
                                CaseManagementProjectData::new(
                                    "959a6f71-bac8-4027-b1d3-2264f569296f".to_string(),
                                    CaseManagementProjectDataType::PROJECTS,
                                ),
                            ),
                        ),
                    )
            ],
        );
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api.create_cases(body).await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}
```

```rust
// Create case for security findings returns "Created" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::CaseDataType;
use datadog_api_client::datadogV2::model::CaseManagementProject;
use datadog_api_client::datadogV2::model::CaseManagementProjectData;
use datadog_api_client::datadogV2::model::CaseManagementProjectDataType;
use datadog_api_client::datadogV2::model::CreateCaseRequestArray;
use datadog_api_client::datadogV2::model::CreateCaseRequestData;
use datadog_api_client::datadogV2::model::CreateCaseRequestDataAttributes;
use datadog_api_client::datadogV2::model::CreateCaseRequestDataRelationships;
use datadog_api_client::datadogV2::model::FindingData;
use datadog_api_client::datadogV2::model::FindingDataType;
use datadog_api_client::datadogV2::model::Findings;

#[tokio::main]
async fn main() {
    let body = CreateCaseRequestArray::new(vec![CreateCaseRequestData::new(CaseDataType::CASES)
        .attributes(
            CreateCaseRequestDataAttributes::new()
                .description("A description".to_string())
                .title("A title".to_string()),
        )
        .relationships(CreateCaseRequestDataRelationships::new(
            Findings::new().data(vec![
                FindingData::new(
                    "ZTd5LWNuYi1seWV-aS0wMjI2NGZjZjRmZWQ5ODMyMg==".to_string(),
                    FindingDataType::FINDINGS,
                ),
                FindingData::new(
                    "c2FuLXhyaS1kZnN-aS0wODM3MjVhMTM2MDExNzNkOQ==".to_string(),
                    FindingDataType::FINDINGS,
                ),
            ]),
            CaseManagementProject::new(CaseManagementProjectData::new(
                "959a6f71-bac8-4027-b1d3-2264f569296f".to_string(),
                CaseManagementProjectDataType::PROJECTS,
            )),
        ))]);
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api.create_cases(body).await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}
```

```rust
// Create cases for security findings returns "Created" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::CaseDataType;
use datadog_api_client::datadogV2::model::CaseManagementProject;
use datadog_api_client::datadogV2::model::CaseManagementProjectData;
use datadog_api_client::datadogV2::model::CaseManagementProjectDataType;
use datadog_api_client::datadogV2::model::CreateCaseRequestArray;
use datadog_api_client::datadogV2::model::CreateCaseRequestData;
use datadog_api_client::datadogV2::model::CreateCaseRequestDataAttributes;
use datadog_api_client::datadogV2::model::CreateCaseRequestDataRelationships;
use datadog_api_client::datadogV2::model::FindingData;
use datadog_api_client::datadogV2::model::FindingDataType;
use datadog_api_client::datadogV2::model::Findings;

#[tokio::main]
async fn main() {
    let body =
        CreateCaseRequestArray::new(
            vec![
                CreateCaseRequestData::new(CaseDataType::CASES)
                    .attributes(
                        CreateCaseRequestDataAttributes::new()
                            .description("A description".to_string())
                            .title("A title".to_string()),
                    )
                    .relationships(
                        CreateCaseRequestDataRelationships::new(
                            Findings
                            ::new().data(
                                vec![
                                    FindingData::new(
                                        "YjdhNDM3N2QyNTFjYmUwYTY3NDdhMTg0YTk2Yjg5MDl-ZjNmMzAwOTFkZDNhNGQzYzI0MzgxNTk4MjRjZmE2NzE=".to_string(),
                                        FindingDataType::FINDINGS,
                                    )
                                ],
                            ),
                            CaseManagementProject::new(
                                CaseManagementProjectData::new(
                                    "959a6f71-bac8-4027-b1d3-2264f569296f".to_string(),
                                    CaseManagementProjectDataType::PROJECTS,
                                ),
                            ),
                        ),
                    ),
                CreateCaseRequestData::new(CaseDataType::CASES)
                    .attributes(
                        CreateCaseRequestDataAttributes::new()
                            .description("A description".to_string())
                            .title("A title".to_string()),
                    )
                    .relationships(
                        CreateCaseRequestDataRelationships::new(
                            Findings
                            ::new().data(
                                vec![
                                    FindingData::new(
                                        "OGRlMDIwYzk4MjFmZTZiNTQwMzk2ZjUxNzg0MDc0NjR-MTk3Yjk4MDI4ZDQ4YzI2ZGZiMWJmMTNhNDEwZGZkYWI=".to_string(),
                                        FindingDataType::FINDINGS,
                                    )
                                ],
                            ),
                            CaseManagementProject::new(
                                CaseManagementProjectData::new(
                                    "959a6f71-bac8-4027-b1d3-2264f569296f".to_string(),
                                    CaseManagementProjectDataType::PROJECTS,
                                ),
                            ),
                        ),
                    )
            ],
        );
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api.create_cases(body).await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=rust), then save the example to `src/main.rs` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```sh
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run
```

```typescript
/**
 * Create case for security finding returns "Created" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiCreateCasesRequest = {
  body: {
    data: [
      {
        attributes: {
          title: "A title",
          description: "A description",
        },
        relationships: {
          findings: {
            data: [
              {
                id: "YjdhNDM3N2QyNTFjYmUwYTY3NDdhMTg0YTk2Yjg5MDl-ZjNmMzAwOTFkZDNhNGQzYzI0MzgxNTk4MjRjZmE2NzE=",
                type: "findings",
              },
            ],
          },
          project: {
            data: {
              id: "959a6f71-bac8-4027-b1d3-2264f569296f",
              type: "projects",
            },
          },
        },
        type: "cases",
      },
    ],
  },
};

apiInstance
  .createCases(params)
  .then((data: v2.FindingCaseResponseArray) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));
```


```typescript
/**
 * Create case for security findings returns "Created" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiCreateCasesRequest = {
  body: {
    data: [
      {
        attributes: {
          title: "A title",
          description: "A description",
        },
        relationships: {
          findings: {
            data: [
              {
                id: "ZTd5LWNuYi1seWV-aS0wMjI2NGZjZjRmZWQ5ODMyMg==",
                type: "findings",
              },
              {
                id: "c2FuLXhyaS1kZnN-aS0wODM3MjVhMTM2MDExNzNkOQ==",
                type: "findings",
              },
            ],
          },
          project: {
            data: {
              id: "959a6f71-bac8-4027-b1d3-2264f569296f",
              type: "projects",
            },
          },
        },
        type: "cases",
      },
    ],
  },
};

apiInstance
  .createCases(params)
  .then((data: v2.FindingCaseResponseArray) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));
```


```typescript
/**
 * Create cases for security findings returns "Created" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiCreateCasesRequest = {
  body: {
    data: [
      {
        attributes: {
          title: "A title",
          description: "A description",
        },
        relationships: {
          findings: {
            data: [
              {
                id: "YjdhNDM3N2QyNTFjYmUwYTY3NDdhMTg0YTk2Yjg5MDl-ZjNmMzAwOTFkZDNhNGQzYzI0MzgxNTk4MjRjZmE2NzE=",
                type: "findings",
              },
            ],
          },
          project: {
            data: {
              id: "959a6f71-bac8-4027-b1d3-2264f569296f",
              type: "projects",
            },
          },
        },
        type: "cases",
      },
      {
        attributes: {
          title: "A title",
          description: "A description",
        },
        relationships: {
          findings: {
            data: [
              {
                id: "OGRlMDIwYzk4MjFmZTZiNTQwMzk2ZjUxNzg0MDc0NjR-MTk3Yjk4MDI4ZDQ4YzI2ZGZiMWJmMTNhNDEwZGZkYWI=",
                type: "findings",
              },
            ],
          },
          project: {
            data: {
              id: "959a6f71-bac8-4027-b1d3-2264f569296f",
              type: "projects",
            },
          },
        },
        type: "cases",
      },
    ],
  },
};

apiInstance
  .createCases(params)
  .then((data: v2.FindingCaseResponseArray) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=typescript), then save the example to `example.ts` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```sh
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"
```
{% /tab %}

## Detach security findings from their case{% #detach-security-findings-from-their-case %}

{% tab title="v2" %}

| Datadog site      | API endpoint                                                        |
| ----------------- | ------------------------------------------------------------------- |
| ap1.datadoghq.com | DELETE https://api.ap1.datadoghq.com/api/v2/security/findings/cases |
| ap2.datadoghq.com | DELETE https://api.ap2.datadoghq.com/api/v2/security/findings/cases |
| app.datadoghq.eu  | DELETE https://api.datadoghq.eu/api/v2/security/findings/cases      |
| app.ddog-gov.com  | DELETE https://api.ddog-gov.com/api/v2/security/findings/cases      |
| app.datadoghq.com | DELETE https://api.datadoghq.com/api/v2/security/findings/cases     |
| us3.datadoghq.com | DELETE https://api.us3.datadoghq.com/api/v2/security/findings/cases |
| us5.datadoghq.com | DELETE https://api.us5.datadoghq.com/api/v2/security/findings/cases |

### Overview

Detach security findings from their case. This operation dissociates security findings from their associated cases without deleting the cases themselves. You can detach security findings from multiple different cases in a single request, with a limit of 50 security findings per request. Security findings that are not currently attached to any case will be ignored. This endpoint requires any of the following permissions:

- `security_monitoring_findings_write`
- `appsec_vm_write`


### Request

#### Body Data (required)



{% tab title="Model" %}

| Parent field  | Field                      | Type     | Description                                                      |
| ------------- | -------------------------- | -------- | ---------------------------------------------------------------- |
|               | data                       | object   | Data for detaching security findings from their case.            |
| data          | relationships              | object   | Relationships detaching security findings from their case.       |
| relationships | findings [*required*] | object   | Security findings to detach from their case.                     |
| findings      | data                       | [object] | Array of security finding data objects.                          |
| data          | id [*required*]       | string   | Unique identifier of the security finding.                       |
| data          | type [*required*]     | enum     | Security findings resource type. Allowed enum values: `findings` |
| data          | type [*required*]     | enum     | Cases resource type. Allowed enum values: `cases`                |

{% /tab %}

{% tab title="Example" %}

```json
{
  "data": {
    "relationships": {
      "findings": {
        "data": [
          {
            "id": "YzM2MTFjYzcyNmY0Zjg4MTAxZmRlNjQ1MWU1ZGQwYzR-YzI5NzE5Y2Y4MzU4ZjliNzhkNjYxNTY0ODIzZDQ2YTM=",
            "type": "findings"
          }
        ]
      }
    },
    "type": "cases"
  }
}
```

{% /tab %}

### Response

{% tab title="204" %}
No Content
{% /tab %}

{% tab title="400" %}
Bad Request
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="404" %}
Not Found
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="429" %}
Too many requests
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

### Code Example

```bash
# Curl command
# Replace api.datadoghq.com with the API host for your Datadog site (see the endpoint table above).
curl -X DELETE "https://api.datadoghq.com/api/v2/security/findings/cases" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "data": {
    "relationships": {
      "findings": {
        "data": [
          {
            "id": "YzM2MTFjYzcyNmY0Zjg4MTAxZmRlNjQ1MWU1ZGQwYzR-YzI5NzE5Y2Y4MzU4ZjliNzhkNjYxNTY0ODIzZDQ2YTM=",
            "type": "findings"
          }
        ]
      }
    },
    "type": "cases"
  }
}
EOF
```

```go
// Detach security findings from their case returns "No Content" response

package main

import (
	"context"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	body := datadogV2.DetachCaseRequest{
		Data: &datadogV2.DetachCaseRequestData{
			Relationships: &datadogV2.DetachCaseRequestDataRelationships{
				Findings: datadogV2.Findings{
					Data: []datadogV2.FindingData{
						{
							Id:   "YzM2MTFjYzcyNmY0Zjg4MTAxZmRlNjQ1MWU1ZGQwYzR-YzI5NzE5Y2Y4MzU4ZjliNzhkNjYxNTY0ODIzZDQ2YTM=",
							Type: datadogV2.FINDINGDATATYPE_FINDINGS,
						},
					},
				},
			},
			Type: datadogV2.CASEDATATYPE_CASES,
		},
	}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	r, err := api.DetachCase(ctx, body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.DetachCase`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=go), then save the example to `main.go` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```sh
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
```

```java
// Detach security findings from their case returns "No Content" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.CaseDataType;
import com.datadog.api.client.v2.model.DetachCaseRequest;
import com.datadog.api.client.v2.model.DetachCaseRequestData;
import com.datadog.api.client.v2.model.DetachCaseRequestDataRelationships;
import com.datadog.api.client.v2.model.FindingData;
import com.datadog.api.client.v2.model.FindingDataType;
import com.datadog.api.client.v2.model.Findings;
import java.util.Collections;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    DetachCaseRequest body =
        new DetachCaseRequest()
            .data(
                new DetachCaseRequestData()
                    .relationships(
                        new DetachCaseRequestDataRelationships()
                            .findings(
                                new Findings()
                                    .data(
                                        Collections.singletonList(
                                            new FindingData()
                                                .id(
                                                    "YzM2MTFjYzcyNmY0Zjg4MTAxZmRlNjQ1MWU1ZGQwYzR-YzI5NzE5Y2Y4MzU4ZjliNzhkNjYxNTY0ODIzZDQ2YTM=")
                                                .type(FindingDataType.FINDINGS)))))
                    .type(CaseDataType.CASES));

    try {
      apiInstance.detachCase(body);
    } catch (ApiException e) {
      System.err.println("Exception when calling SecurityMonitoringApi#detachCase");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=java), then save the example to `Example.java` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```sh
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"
```

```python
"""
Detach security findings from their case returns "No Content" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.case_data_type import CaseDataType
from datadog_api_client.v2.model.detach_case_request import DetachCaseRequest
from datadog_api_client.v2.model.detach_case_request_data import DetachCaseRequestData
from datadog_api_client.v2.model.detach_case_request_data_relationships import DetachCaseRequestDataRelationships
from datadog_api_client.v2.model.finding_data import FindingData
from datadog_api_client.v2.model.finding_data_type import FindingDataType
from datadog_api_client.v2.model.findings import Findings

body = DetachCaseRequest(
    data=DetachCaseRequestData(
        relationships=DetachCaseRequestDataRelationships(
            findings=Findings(
                data=[
                    FindingData(
                        id="YzM2MTFjYzcyNmY0Zjg4MTAxZmRlNjQ1MWU1ZGQwYzR-YzI5NzE5Y2Y4MzU4ZjliNzhkNjYxNTY0ODIzZDQ2YTM=",
                        type=FindingDataType.FINDINGS,
                    ),
                ],
            ),
        ),
        type=CaseDataType.CASES,
    ),
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    api_instance.detach_case(body=body)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=python), then save the example to `example.py` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```sh
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
```

```ruby
# Detach security findings from their case returns "No Content" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

body = DatadogAPIClient::V2::DetachCaseRequest.new({
  data: DatadogAPIClient::V2::DetachCaseRequestData.new({
    relationships: DatadogAPIClient::V2::DetachCaseRequestDataRelationships.new({
      findings: DatadogAPIClient::V2::Findings.new({
        data: [
          DatadogAPIClient::V2::FindingData.new({
            id: "YzM2MTFjYzcyNmY0Zjg4MTAxZmRlNjQ1MWU1ZGQwYzR-YzI5NzE5Y2Y4MzU4ZjliNzhkNjYxNTY0ODIzZDQ2YTM=",
            type: DatadogAPIClient::V2::FindingDataType::FINDINGS,
          }),
        ],
      }),
    }),
    type: DatadogAPIClient::V2::CaseDataType::CASES,
  }),
})
api_instance.detach_case(body)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=ruby), then save the example to `example.rb` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```sh
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" ruby "example.rb"
```

```rust
// Detach security findings from their case returns "No Content" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::CaseDataType;
use datadog_api_client::datadogV2::model::DetachCaseRequest;
use datadog_api_client::datadogV2::model::DetachCaseRequestData;
use datadog_api_client::datadogV2::model::DetachCaseRequestDataRelationships;
use datadog_api_client::datadogV2::model::FindingData;
use datadog_api_client::datadogV2::model::FindingDataType;
use datadog_api_client::datadogV2::model::Findings;

#[tokio::main]
async fn main() {
    let body =
        DetachCaseRequest
        ::new().data(
            DetachCaseRequestData::new(
                CaseDataType::CASES,
            ).relationships(
                DetachCaseRequestDataRelationships::new(
                    Findings
                    ::new().data(
                        vec![
                            FindingData::new(
                                "YzM2MTFjYzcyNmY0Zjg4MTAxZmRlNjQ1MWU1ZGQwYzR-YzI5NzE5Y2Y4MzU4ZjliNzhkNjYxNTY0ODIzZDQ2YTM=".to_string(),
                                FindingDataType::FINDINGS,
                            )
                        ],
                    ),
                ),
            ),
        );
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api.detach_case(body).await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=rust), then save the example to `src/main.rs` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```sh
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run
```

```typescript
/**
 * Detach security findings from their case returns "No Content" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiDetachCaseRequest = {
  body: {
    data: {
      relationships: {
        findings: {
          data: [
            {
              id: "YzM2MTFjYzcyNmY0Zjg4MTAxZmRlNjQ1MWU1ZGQwYzR-YzI5NzE5Y2Y4MzU4ZjliNzhkNjYxNTY0ODIzZDQ2YTM=",
              type: "findings",
            },
          ],
        },
      },
      type: "cases",
    },
  },
};

apiInstance
  .detachCase(params)
  .then((data: any) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=typescript), then save the example to `example.ts` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```sh
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"
```
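
The detach endpoint accepts at most 50 security findings per request and answers 204, 400, 404, or 429. The following added example (not part of Datadog's client libraries) splits a larger list of finding IDs into compliant request bodies and sends them with the headers from the curl example; the function names, the injectable `transport`, and the 1s/2s/4s backoff on 429 are assumptions of this sketch.

```python
import json
import time
import urllib.error
import urllib.request

MAX_FINDINGS_PER_REQUEST = 50  # limit stated in the endpoint overview
DETACH_PATH = "/api/v2/security/findings/cases"


def build_detach_bodies(finding_ids):
    """Return detach request bodies, each with at most 50 unique finding IDs."""
    for fid in finding_ids:
        if not isinstance(fid, str) or not fid:
            raise ValueError(f"finding ID must be a non-empty string, got {fid!r}")
    unique = list(dict.fromkeys(finding_ids))  # drop duplicates, keep order
    bodies = []
    for start in range(0, len(unique), MAX_FINDINGS_PER_REQUEST):
        chunk = unique[start:start + MAX_FINDINGS_PER_REQUEST]
        bodies.append({
            "data": {
                "relationships": {
                    "findings": {
                        "data": [{"id": fid, "type": "findings"} for fid in chunk]
                    }
                },
                "type": "cases",
            }
        })
    return bodies


def parse_errors(text):
    """Extract the `errors` list from an API error response body."""
    try:
        errors = json.loads(text)["errors"]
    except (ValueError, KeyError, TypeError):
        return [text]  # not the documented error model; keep the raw body
    return errors if isinstance(errors, list) else [str(errors)]


def http_delete(url, headers, payload):
    """Default transport (standard library only): returns (status, body_text)."""
    req = urllib.request.Request(url, data=payload, headers=headers, method="DELETE")
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def detach_findings(finding_ids, api_host, api_key, app_key,
                    transport=http_delete, max_retries=3, sleep=time.sleep):
    """Detach findings in batches; returns one result dict per batch.

    A 204 means the request was accepted. Findings that were not attached
    to any case are ignored by the API, so 204 does not prove a change.
    """
    url = f"https://{api_host}{DETACH_PATH}"
    headers = {
        "Content-Type": "application/json",
        "DD-API-KEY": api_key,
        "DD-APPLICATION-KEY": app_key,
    }
    results = []
    for body in build_detach_bodies(finding_ids):
        payload = json.dumps(body).encode("utf-8")
        for attempt in range(max_retries + 1):
            status, text = transport(url, headers, payload)
            if status != 429 or attempt == max_retries:
                break
            sleep(2 ** attempt)  # assumed backoff policy: 1s, 2s, 4s
        results.append({
            "status": status,
            "findings": len(body["data"]["relationships"]["findings"]["data"]),
            "errors": [] if status == 204 else parse_errors(text),
        })
    return results
```

The returned results never contain the request headers, so they can be logged without exposing the API or application key.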
{% /tab %}

## Attach security findings to a case{% #attach-security-findings-to-a-case %}

{% tab title="v2" %}

| Datadog site      | API endpoint                                                                 |
| ----------------- | ---------------------------------------------------------------------------- |
| ap1.datadoghq.com | PATCH https://api.ap1.datadoghq.com/api/v2/security/findings/cases/{case_id} |
| ap2.datadoghq.com | PATCH https://api.ap2.datadoghq.com/api/v2/security/findings/cases/{case_id} |
| app.datadoghq.eu  | PATCH https://api.datadoghq.eu/api/v2/security/findings/cases/{case_id}      |
| app.ddog-gov.com  | PATCH https://api.ddog-gov.com/api/v2/security/findings/cases/{case_id}      |
| app.datadoghq.com | PATCH https://api.datadoghq.com/api/v2/security/findings/cases/{case_id}     |
| us3.datadoghq.com | PATCH https://api.us3.datadoghq.com/api/v2/security/findings/cases/{case_id} |
| us5.datadoghq.com | PATCH https://api.us5.datadoghq.com/api/v2/security/findings/cases/{case_id} |

### Overview

Attach security findings to a case. You can attach up to 50 security findings per case. Security findings that are already attached to another case will be detached from their previous case and attached to the specified case. This endpoint requires any of the following permissions:

- `security_monitoring_findings_write`
- `appsec_vm_write`


### Arguments

#### Path Parameters

| Name                      | Type   | Description                                                  |
| ------------------------- | ------ | ------------------------------------------------------------ |
| case_id [*required*] | string | Unique identifier of the case to attach security findings to |

### Request

#### Body Data (required)



{% tab title="Model" %}

| Parent field  | Field                      | Type     | Description                                                      |
| ------------- | -------------------------- | -------- | ---------------------------------------------------------------- |
|               | data                       | object   | Data of the case to attach security findings to.                 |
| data          | id [*required*]       | string   | Unique identifier of the case.                                   |
| data          | relationships              | object   | Relationships of the case to attach security findings to.        |
| relationships | findings [*required*] | object   | Security findings to attach to the case.                         |
| findings      | data                       | [object] | Array of security finding data objects.                          |
| data          | id [*required*]       | string   | Unique identifier of the security finding.                       |
| data          | type [*required*]     | enum     | Security findings resource type. Allowed enum values: `findings` |
| data          | type [*required*]     | enum     | Cases resource type. Allowed enum values: `cases`                |

{% /tab %}

{% tab title="Example" %}

```json
{
  "data": {
    "id": "7d16945b-baf8-411e-ab2a-20fe43af1ea3",
    "relationships": {
      "findings": {
        "data": [
          {
            "id": "ZGZhMDI3ZjdjMDM3YjJmNzcxNTlhZGMwMjdmZWNiNTZ-MTVlYTNmYWU3NjNlOTNlYTE2YjM4N2JmZmI4Yjk5N2Y=",
            "type": "findings"
          }
        ]
      }
    },
    "type": "cases"
  }
}
```


```json
{
  "data": {
    "id": "7d16945b-baf8-411e-ab2a-20fe43af1ea3",
    "relationships": {
      "findings": {
        "data": [
          {
            "id": "ZGZhMDI3ZjdjMDM3YjJmNzcxNTlhZGMwMjdmZWNiNTZ-MTVlYTNmYWU3NjNlOTNlYTE2YjM4N2JmZmI4Yjk5N2Y=",
            "type": "findings"
          },
          {
            "id": "MmUzMzZkODQ2YTI3NDU0OTk4NDk3NzhkOTY5YjU2Zjh-YWJjZGI1ODI4OTYzNWM3ZmUwZTBlOWRkYTRiMGUyOGQ=",
            "type": "findings"
          }
        ]
      }
    },
    "type": "cases"
  }
}
```

{% /tab %}

### Response

{% tab title="200" %}
OK
{% tab title="Model" %}
Case response.

| Parent field         | Field                  | Type      | Description                                                                                                                                      |
| -------------------- | ---------------------- | --------- | ------------------------------------------------------------------------------------------------------------------------------------------------ |
|                      | data                   | object    | Data of the case.                                                                                                                                |
| data                 | attributes             | object    | Attributes of the case.                                                                                                                          |
| attributes           | archived_at            | date-time | Timestamp of when the case was archived.                                                                                                         |
| attributes           | assigned_to            | object    | User assigned to the case.                                                                                                                       |
| assigned_to          | data [*required*] | object    | Relationship to user object.                                                                                                                     |
| data                 | id [*required*]   | string    | A unique identifier that represents the user.                                                                                                    |
| data                 | type [*required*] | enum      | Users resource type. Allowed enum values: `users`                                                                                                |
| attributes           | attributes             | object    | Custom attributes associated with the case as key-value pairs where values are string arrays.                                                    |
| additionalProperties | <any-key>              | [string]  |                                                                                                                                                  |
| attributes           | closed_at              | date-time | Timestamp of when the case was closed.                                                                                                           |
| attributes           | created_at             | date-time | Timestamp of when the case was created.                                                                                                          |
| attributes           | creation_source        | string    | Source of the case creation.                                                                                                                     |
| attributes           | description            | string    | Description of the case.                                                                                                                         |
| attributes           | due_date               | string    | Due date of the case.                                                                                                                            |
| attributes           | insights               | [object]  | Insights of the case.                                                                                                                            |
| insights             | ref                    | string    | Reference of the insight.                                                                                                                        |
| insights             | resource_id            | string    | Unique identifier of the resource. For example, the unique identifier of a security finding.                                                     |
| insights             | type                   | string    | Type of the resource. For example, the type of a security finding is "SECURITY_FINDING".                                                         |
| attributes           | jira_issue             | object    | Jira issue associated with the case.                                                                                                             |
| jira_issue           | error_message          | string    | Error message if the Jira issue creation failed.                                                                                                 |
| jira_issue           | result                 | object    | Result of the Jira issue creation.                                                                                                               |
| result               | account_id             | string    | Account ID of the Jira issue.                                                                                                                    |
| result               | issue_id               | string    | Unique identifier of the Jira issue.                                                                                                             |
| result               | issue_key              | string    | Key of the Jira issue.                                                                                                                           |
| result               | issue_url              | string    | URL of the Jira issue.                                                                                                                           |
| jira_issue           | status                 | string    | Status of the Jira issue creation. Can be "COMPLETED" if the Jira issue was created successfully, or "FAILED" if the Jira issue creation failed. |
| attributes           | key                    | string    | Key of the case.                                                                                                                                 |
| attributes           | modified_at            | date-time | Timestamp of when the case was last modified.                                                                                                    |
| attributes           | priority               | string    | Priority of the case.                                                                                                                            |
| attributes           | status                 | string    | Status of the case.                                                                                                                              |
| attributes           | status_group           | string    | Status group of the case.                                                                                                                        |
| attributes           | status_name            | string    | Status name of the case.                                                                                                                         |
| attributes           | title                  | string    | Title of the case.                                                                                                                               |
| attributes           | type                   | string    | Type of the case. For security cases, this is always "SECURITY".                                                                                 |
| data                 | id                     | string    | Unique identifier of the case.                                                                                                                   |
| data                 | relationships          | object    | Relationships of the case.                                                                                                                       |
| relationships        | created_by             | object    | User who created the case.                                                                                                                       |
| created_by           | data [*required*] | object    | Relationship to user object.                                                                                                                     |
| data                 | id [*required*]   | string    | A unique identifier that represents the user.                                                                                                    |
| data                 | type [*required*] | enum      | Users resource type. Allowed enum values: `users`                                                                                                |
| relationships        | modified_by            | object    | User who last modified the case.                                                                                                                 |
| modified_by          | data [*required*] | object    | Relationship to user object.                                                                                                                     |
| data                 | id [*required*]   | string    | A unique identifier that represents the user.                                                                                                    |
| data                 | type [*required*] | enum      | Users resource type. Allowed enum values: `users`                                                                                                |
| relationships        | project                | object    | Project in which the case was created.                                                                                                           |
| project              | data [*required*] | object    | Data object representing a case management project.                                                                                              |
| data                 | id [*required*]   | string    | Unique identifier of the case management project.                                                                                                |
| data                 | type [*required*] | enum      | Projects resource type. Allowed enum values: `projects`                                                                                          |
| data                 | type [*required*] | enum      | Cases resource type. Allowed enum values: `cases`                                                                                                |

{% /tab %}

{% tab title="Example" %}

```json
{
  "data": {
    "attributes": {
      "archived_at": "2025-01-01T00:00:00.000Z",
      "assigned_to": {
        "data": {
          "id": "00000000-0000-0000-2345-000000000000",
          "type": "users"
        }
      },
      "attributes": {
        "<any-key>": []
      },
      "closed_at": "2025-01-01T00:00:00.000Z",
      "created_at": "2025-01-01T00:00:00.000Z",
      "creation_source": "CS_SECURITY_FINDING",
      "description": "A description of the case.",
      "due_date": "2025-01-01",
      "insights": [
        {
          "ref": "/security/appsec/vm/library/vulnerability/dfa027f7c037b2f77159adc027fecb56?detection=static",
          "resource_id": "ZGVmLTAwcC1pZXJ-aS0wZjhjNjMyZDNmMzRlZTgzNw==",
          "type": "SECURITY_FINDING"
        }
      ],
      "jira_issue": {
        "error_message": "{\"errorMessages\":[\"An error occured.\"],\"errors\":{}}",
        "result": {
          "account_id": "463a8631-680e-455c-bfd3-3ed04d326eb7",
          "issue_id": "2871276",
          "issue_key": "PROJ-123",
          "issue_url": "https://domain.atlassian.net/browse/PROJ-123"
        },
        "status": "COMPLETED"
      },
      "key": "PROJ-123",
      "modified_at": "2025-01-01T00:00:00.000Z",
      "priority": "P4",
      "status": "OPEN",
      "status_group": "SG_OPEN",
      "status_name": "Open",
      "title": "A title for the case.",
      "type": "SECURITY"
    },
    "id": "c1234567-89ab-cdef-0123-456789abcdef",
    "relationships": {
      "created_by": {
        "data": {
          "id": "00000000-0000-0000-2345-000000000000",
          "type": "users"
        }
      },
      "modified_by": {
        "data": {
          "id": "00000000-0000-0000-2345-000000000000",
          "type": "users"
        }
      },
      "project": {
        "data": {
          "id": "aeadc05e-98a8-11ec-ac2c-da7ad0900001",
          "type": "projects"
        }
      }
    },
    "type": "cases"
  }
}
```

{% /tab %}

{% /tab %}

{% tab title="400" %}
Bad Request
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="404" %}
Not Found
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="429" %}
Too many requests
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}
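A 200 response describes the case, while the outcome of the linked Jira issue is reported separately in `jira_issue.status`. The following is an added example, not part of the Datadog client libraries, that checks a response before automation relies on the ticket. The function names are hypothetical, and both the JSON decoding of `error_message` (inferred from the example above) and the https-only rule for `issue_url` are assumptions of this example.

```python
import json
from urllib.parse import urlparse

# Error responses documented for this endpoint: 400, 404 and 429.
RETRYABLE_STATUS = {429}

# Trimmed copy of the 200 response example shown above.
SAMPLE_OK = {
    "data": {
        "id": "c1234567-89ab-cdef-0123-456789abcdef",
        "type": "cases",
        "attributes": {
            "key": "PROJ-123",
            "jira_issue": {
                "error_message": '{"errorMessages":["An error occured."],"errors":{}}',
                "result": {
                    "issue_key": "PROJ-123",
                    "issue_url": "https://domain.atlassian.net/browse/PROJ-123",
                },
                "status": "COMPLETED",
            },
        },
    }
}

# Constructed failure case (not from the page): same case, Jira creation failed.
SAMPLE_FAILED = {
    "data": {
        "id": "c1234567-89ab-cdef-0123-456789abcdef",
        "type": "cases",
        "attributes": {
            "key": "PROJ-123",
            "jira_issue": {
                "error_message": '{"errorMessages":["An error occured."],"errors":{}}',
                "status": "FAILED",
            },
        },
    }
}


def decode_jira_error(raw):
    """Return the messages carried in jira_issue.error_message.

    Assumption: the string holds a JSON error document, as in the page's
    example. Anything that does not parse is returned as plain text.
    """
    if not raw:
        return []
    try:
        doc = json.loads(raw)
    except (TypeError, ValueError):
        return [str(raw)]
    if not isinstance(doc, dict):
        return [str(raw)]
    msgs = doc.get("errorMessages")
    messages = [str(m) for m in msgs] if isinstance(msgs, list) else []
    field_errors = doc.get("errors")
    if isinstance(field_errors, dict):
        messages += [f"{k}: {v}" for k, v in sorted(field_errors.items())]
    return messages or [str(raw)]


def summarize_case(payload):
    """Extract what a ticketing workflow needs from a case response."""
    data = payload.get("data") if isinstance(payload, dict) else None
    if not isinstance(data, dict) or data.get("type") != "cases" or not data.get("id"):
        raise ValueError("not a case response: expected data.type == 'cases' and data.id")
    attrs = data.get("attributes") or {}
    summary = {
        "case_id": data["id"],
        "case_key": attrs.get("key"),
        "jira_status": "NONE",  # no jira_issue object on the case
        "jira_issue_key": None,
        "jira_issue_url": None,
        "jira_errors": [],
    }
    jira = attrs.get("jira_issue")
    if not isinstance(jira, dict):
        return summary
    summary["jira_status"] = jira.get("status")
    if summary["jira_status"] == "COMPLETED":
        result = jira.get("result") or {}
        summary["jira_issue_key"] = result.get("issue_key")
        url = result.get("issue_url") or ""
        # Example policy: only hand an https link on to chat or tickets.
        if urlparse(url).scheme == "https":
            summary["jira_issue_url"] = url
    elif summary["jira_status"] == "FAILED":
        summary["jira_errors"] = decode_jira_error(jira.get("error_message"))
    return summary


def classify_error(status_code, body):
    """400, 404 and 429 share the {"errors": [string]} model; only 429 is retried."""
    errors = body.get("errors") if isinstance(body, dict) else None
    if not isinstance(errors, list):
        errors = []
    return {
        "status": status_code,
        "retryable": status_code in RETRYABLE_STATUS,
        "errors": [str(e) for e in errors],
    }


if __name__ == "__main__":
    print(summarize_case(SAMPLE_OK))
    print(summarize_case(SAMPLE_FAILED))
    print(classify_error(429, {"errors": ["Bad Request"]}))
```
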

### Code Example

```bash
# Attach security finding to a case returns "OK" response

# Path parameters
export case_id="CHANGE_ME"

# Curl command
# Replace api.datadoghq.com with the API host for your Datadog site:
# api.ap1.datadoghq.com, api.ap2.datadoghq.com, api.datadoghq.eu,
# api.ddog-gov.com, api.us3.datadoghq.com, or api.us5.datadoghq.com.
curl -X PATCH "https://api.datadoghq.com/api/v2/security/findings/cases/${case_id}" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "data": {
    "id": "7d16945b-baf8-411e-ab2a-20fe43af1ea3",
    "relationships": {
      "findings": {
        "data": [
          {
            "id": "ZGZhMDI3ZjdjMDM3YjJmNzcxNTlhZGMwMjdmZWNiNTZ-MTVlYTNmYWU3NjNlOTNlYTE2YjM4N2JmZmI4Yjk5N2Y=",
            "type": "findings"
          }
        ]
      }
    },
    "type": "cases"
  }
}
EOF
```

```bash
# Attach security findings to a case returns "OK" response

# Path parameters
export case_id="CHANGE_ME"

# Curl command
# Replace api.datadoghq.com with the API host for your Datadog site:
# api.ap1.datadoghq.com, api.ap2.datadoghq.com, api.datadoghq.eu,
# api.ddog-gov.com, api.us3.datadoghq.com, or api.us5.datadoghq.com.
curl -X PATCH "https://api.datadoghq.com/api/v2/security/findings/cases/${case_id}" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "data": {
    "id": "7d16945b-baf8-411e-ab2a-20fe43af1ea3",
    "relationships": {
      "findings": {
        "data": [
          {
            "id": "ZGZhMDI3ZjdjMDM3YjJmNzcxNTlhZGMwMjdmZWNiNTZ-MTVlYTNmYWU3NjNlOTNlYTE2YjM4N2JmZmI4Yjk5N2Y=",
            "type": "findings"
          },
          {
            "id": "MmUzMzZkODQ2YTI3NDU0OTk4NDk3NzhkOTY5YjU2Zjh-YWJjZGI1ODI4OTYzNWM3ZmUwZTBlOWRkYTRiMGUyOGQ=",
            "type": "findings"
          }
        ]
      }
    },
    "type": "cases"
  }
}
EOF
```

```go
// Attach security finding to a case returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	body := datadogV2.AttachCaseRequest{
		Data: &datadogV2.AttachCaseRequestData{
			Id: "7d16945b-baf8-411e-ab2a-20fe43af1ea3",
			Relationships: &datadogV2.AttachCaseRequestDataRelationships{
				Findings: datadogV2.Findings{
					Data: []datadogV2.FindingData{
						{
							Id:   "ZGZhMDI3ZjdjMDM3YjJmNzcxNTlhZGMwMjdmZWNiNTZ-MTVlYTNmYWU3NjNlOTNlYTE2YjM4N2JmZmI4Yjk5N2Y=",
							Type: datadogV2.FINDINGDATATYPE_FINDINGS,
						},
					},
				},
			},
			Type: datadogV2.CASEDATATYPE_CASES,
		},
	}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.AttachCase(ctx, "7d16945b-baf8-411e-ab2a-20fe43af1ea3", body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.AttachCase`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.AttachCase`:\n%s\n", responseContent)
}
```


```go
// Attach security findings to a case returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	body := datadogV2.AttachCaseRequest{
		Data: &datadogV2.AttachCaseRequestData{
			Id: "7d16945b-baf8-411e-ab2a-20fe43af1ea3",
			Relationships: &datadogV2.AttachCaseRequestDataRelationships{
				Findings: datadogV2.Findings{
					Data: []datadogV2.FindingData{
						{
							Id:   "ZGZhMDI3ZjdjMDM3YjJmNzcxNTlhZGMwMjdmZWNiNTZ-MTVlYTNmYWU3NjNlOTNlYTE2YjM4N2JmZmI4Yjk5N2Y=",
							Type: datadogV2.FINDINGDATATYPE_FINDINGS,
						},
						{
							Id:   "MmUzMzZkODQ2YTI3NDU0OTk4NDk3NzhkOTY5YjU2Zjh-YWJjZGI1ODI4OTYzNWM3ZmUwZTBlOWRkYTRiMGUyOGQ=",
							Type: datadogV2.FINDINGDATATYPE_FINDINGS,
						},
					},
				},
			},
			Type: datadogV2.CASEDATATYPE_CASES,
		},
	}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.AttachCase(ctx, "7d16945b-baf8-411e-ab2a-20fe43af1ea3", body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.AttachCase`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.AttachCase`:\n%s\n", responseContent)
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=go), then save the example to `main.go` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
```

```java
// Attach security finding to a case returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.AttachCaseRequest;
import com.datadog.api.client.v2.model.AttachCaseRequestData;
import com.datadog.api.client.v2.model.AttachCaseRequestDataRelationships;
import com.datadog.api.client.v2.model.CaseDataType;
import com.datadog.api.client.v2.model.FindingCaseResponse;
import com.datadog.api.client.v2.model.FindingData;
import com.datadog.api.client.v2.model.FindingDataType;
import com.datadog.api.client.v2.model.Findings;
import java.util.Collections;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    AttachCaseRequest body =
        new AttachCaseRequest()
            .data(
                new AttachCaseRequestData()
                    .id("7d16945b-baf8-411e-ab2a-20fe43af1ea3")
                    .relationships(
                        new AttachCaseRequestDataRelationships()
                            .findings(
                                new Findings()
                                    .data(
                                        Collections.singletonList(
                                            new FindingData()
                                                .id(
                                                    "ZGZhMDI3ZjdjMDM3YjJmNzcxNTlhZGMwMjdmZWNiNTZ-MTVlYTNmYWU3NjNlOTNlYTE2YjM4N2JmZmI4Yjk5N2Y=")
                                                .type(FindingDataType.FINDINGS)))))
                    .type(CaseDataType.CASES));

    try {
      FindingCaseResponse result =
          apiInstance.attachCase("7d16945b-baf8-411e-ab2a-20fe43af1ea3", body);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println("Exception when calling SecurityMonitoringApi#attachCase");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}
```


```java
// Attach security findings to a case returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.AttachCaseRequest;
import com.datadog.api.client.v2.model.AttachCaseRequestData;
import com.datadog.api.client.v2.model.AttachCaseRequestDataRelationships;
import com.datadog.api.client.v2.model.CaseDataType;
import com.datadog.api.client.v2.model.FindingCaseResponse;
import com.datadog.api.client.v2.model.FindingData;
import com.datadog.api.client.v2.model.FindingDataType;
import com.datadog.api.client.v2.model.Findings;
import java.util.Arrays;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    AttachCaseRequest body =
        new AttachCaseRequest()
            .data(
                new AttachCaseRequestData()
                    .id("7d16945b-baf8-411e-ab2a-20fe43af1ea3")
                    .relationships(
                        new AttachCaseRequestDataRelationships()
                            .findings(
                                new Findings()
                                    .data(
                                        Arrays.asList(
                                            new FindingData()
                                                .id(
                                                    "ZGZhMDI3ZjdjMDM3YjJmNzcxNTlhZGMwMjdmZWNiNTZ-MTVlYTNmYWU3NjNlOTNlYTE2YjM4N2JmZmI4Yjk5N2Y=")
                                                .type(FindingDataType.FINDINGS),
                                            new FindingData()
                                                .id(
                                                    "MmUzMzZkODQ2YTI3NDU0OTk4NDk3NzhkOTY5YjU2Zjh-YWJjZGI1ODI4OTYzNWM3ZmUwZTBlOWRkYTRiMGUyOGQ=")
                                                .type(FindingDataType.FINDINGS)))))
                    .type(CaseDataType.CASES));

    try {
      FindingCaseResponse result =
          apiInstance.attachCase("7d16945b-baf8-411e-ab2a-20fe43af1ea3", body);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println("Exception when calling SecurityMonitoringApi#attachCase");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=java), then save the example to `Example.java` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"
```

```python
"""
Attach security finding to a case returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.attach_case_request import AttachCaseRequest
from datadog_api_client.v2.model.attach_case_request_data import AttachCaseRequestData
from datadog_api_client.v2.model.attach_case_request_data_relationships import AttachCaseRequestDataRelationships
from datadog_api_client.v2.model.case_data_type import CaseDataType
from datadog_api_client.v2.model.finding_data import FindingData
from datadog_api_client.v2.model.finding_data_type import FindingDataType
from datadog_api_client.v2.model.findings import Findings

body = AttachCaseRequest(
    data=AttachCaseRequestData(
        id="7d16945b-baf8-411e-ab2a-20fe43af1ea3",
        relationships=AttachCaseRequestDataRelationships(
            findings=Findings(
                data=[
                    FindingData(
                        id="ZGZhMDI3ZjdjMDM3YjJmNzcxNTlhZGMwMjdmZWNiNTZ-MTVlYTNmYWU3NjNlOTNlYTE2YjM4N2JmZmI4Yjk5N2Y=",
                        type=FindingDataType.FINDINGS,
                    ),
                ],
            ),
        ),
        type=CaseDataType.CASES,
    ),
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.attach_case(case_id="7d16945b-baf8-411e-ab2a-20fe43af1ea3", body=body)

    print(response)
```


```python
"""
Attach security findings to a case returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.attach_case_request import AttachCaseRequest
from datadog_api_client.v2.model.attach_case_request_data import AttachCaseRequestData
from datadog_api_client.v2.model.attach_case_request_data_relationships import AttachCaseRequestDataRelationships
from datadog_api_client.v2.model.case_data_type import CaseDataType
from datadog_api_client.v2.model.finding_data import FindingData
from datadog_api_client.v2.model.finding_data_type import FindingDataType
from datadog_api_client.v2.model.findings import Findings

body = AttachCaseRequest(
    data=AttachCaseRequestData(
        id="7d16945b-baf8-411e-ab2a-20fe43af1ea3",
        relationships=AttachCaseRequestDataRelationships(
            findings=Findings(
                data=[
                    FindingData(
                        id="ZGZhMDI3ZjdjMDM3YjJmNzcxNTlhZGMwMjdmZWNiNTZ-MTVlYTNmYWU3NjNlOTNlYTE2YjM4N2JmZmI4Yjk5N2Y=",
                        type=FindingDataType.FINDINGS,
                    ),
                    FindingData(
                        id="MmUzMzZkODQ2YTI3NDU0OTk4NDk3NzhkOTY5YjU2Zjh-YWJjZGI1ODI4OTYzNWM3ZmUwZTBlOWRkYTRiMGUyOGQ=",
                        type=FindingDataType.FINDINGS,
                    ),
                ],
            ),
        ),
        type=CaseDataType.CASES,
    ),
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.attach_case(case_id="7d16945b-baf8-411e-ab2a-20fe43af1ea3", body=body)

    print(response)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=python), then save the example to `example.py` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
```

```ruby
# Attach security finding to a case returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

body = DatadogAPIClient::V2::AttachCaseRequest.new({
  data: DatadogAPIClient::V2::AttachCaseRequestData.new({
    id: "7d16945b-baf8-411e-ab2a-20fe43af1ea3",
    relationships: DatadogAPIClient::V2::AttachCaseRequestDataRelationships.new({
      findings: DatadogAPIClient::V2::Findings.new({
        data: [
          DatadogAPIClient::V2::FindingData.new({
            id: "ZGZhMDI3ZjdjMDM3YjJmNzcxNTlhZGMwMjdmZWNiNTZ-MTVlYTNmYWU3NjNlOTNlYTE2YjM4N2JmZmI4Yjk5N2Y=",
            type: DatadogAPIClient::V2::FindingDataType::FINDINGS,
          }),
        ],
      }),
    }),
    type: DatadogAPIClient::V2::CaseDataType::CASES,
  }),
})
p api_instance.attach_case("7d16945b-baf8-411e-ab2a-20fe43af1ea3", body)
```


```ruby
# Attach security findings to a case returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

body = DatadogAPIClient::V2::AttachCaseRequest.new({
  data: DatadogAPIClient::V2::AttachCaseRequestData.new({
    id: "7d16945b-baf8-411e-ab2a-20fe43af1ea3",
    relationships: DatadogAPIClient::V2::AttachCaseRequestDataRelationships.new({
      findings: DatadogAPIClient::V2::Findings.new({
        data: [
          DatadogAPIClient::V2::FindingData.new({
            id: "ZGZhMDI3ZjdjMDM3YjJmNzcxNTlhZGMwMjdmZWNiNTZ-MTVlYTNmYWU3NjNlOTNlYTE2YjM4N2JmZmI4Yjk5N2Y=",
            type: DatadogAPIClient::V2::FindingDataType::FINDINGS,
          }),
          DatadogAPIClient::V2::FindingData.new({
            id: "MmUzMzZkODQ2YTI3NDU0OTk4NDk3NzhkOTY5YjU2Zjh-YWJjZGI1ODI4OTYzNWM3ZmUwZTBlOWRkYTRiMGUyOGQ=",
            type: DatadogAPIClient::V2::FindingDataType::FINDINGS,
          }),
        ],
      }),
    }),
    type: DatadogAPIClient::V2::CaseDataType::CASES,
  }),
})
p api_instance.attach_case("7d16945b-baf8-411e-ab2a-20fe43af1ea3", body)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=ruby), then save the example to `example.rb` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" ruby "example.rb"
```

```rust
// Attach security finding to a case returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::AttachCaseRequest;
use datadog_api_client::datadogV2::model::AttachCaseRequestData;
use datadog_api_client::datadogV2::model::AttachCaseRequestDataRelationships;
use datadog_api_client::datadogV2::model::CaseDataType;
use datadog_api_client::datadogV2::model::FindingData;
use datadog_api_client::datadogV2::model::FindingDataType;
use datadog_api_client::datadogV2::model::Findings;

#[tokio::main]
async fn main() {
    let body =
        AttachCaseRequest
        ::new().data(
            AttachCaseRequestData::new(
                "7d16945b-baf8-411e-ab2a-20fe43af1ea3".to_string(),
                CaseDataType::CASES,
            ).relationships(
                AttachCaseRequestDataRelationships::new(
                    Findings
                    ::new().data(
                        vec![
                            FindingData::new(
                                "ZGZhMDI3ZjdjMDM3YjJmNzcxNTlhZGMwMjdmZWNiNTZ-MTVlYTNmYWU3NjNlOTNlYTE2YjM4N2JmZmI4Yjk5N2Y=".to_string(),
                                FindingDataType::FINDINGS,
                            )
                        ],
                    ),
                ),
            ),
        );
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api
        .attach_case("7d16945b-baf8-411e-ab2a-20fe43af1ea3".to_string(), body)
        .await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}
```


```rust
// Attach security findings to a case returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::AttachCaseRequest;
use datadog_api_client::datadogV2::model::AttachCaseRequestData;
use datadog_api_client::datadogV2::model::AttachCaseRequestDataRelationships;
use datadog_api_client::datadogV2::model::CaseDataType;
use datadog_api_client::datadogV2::model::FindingData;
use datadog_api_client::datadogV2::model::FindingDataType;
use datadog_api_client::datadogV2::model::Findings;

#[tokio::main]
async fn main() {
    let body =
        AttachCaseRequest
        ::new().data(
            AttachCaseRequestData::new(
                "7d16945b-baf8-411e-ab2a-20fe43af1ea3".to_string(),
                CaseDataType::CASES,
            ).relationships(
                AttachCaseRequestDataRelationships::new(
                    Findings
                    ::new().data(
                        vec![
                            FindingData::new(
                                "ZGZhMDI3ZjdjMDM3YjJmNzcxNTlhZGMwMjdmZWNiNTZ-MTVlYTNmYWU3NjNlOTNlYTE2YjM4N2JmZmI4Yjk5N2Y=".to_string(),
                                FindingDataType::FINDINGS,
                            ),
                            FindingData::new(
                                "MmUzMzZkODQ2YTI3NDU0OTk4NDk3NzhkOTY5YjU2Zjh-YWJjZGI1ODI4OTYzNWM3ZmUwZTBlOWRkYTRiMGUyOGQ=".to_string(),
                                FindingDataType::FINDINGS,
                            )
                        ],
                    ),
                ),
            ),
        );
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api
        .attach_case("7d16945b-baf8-411e-ab2a-20fe43af1ea3".to_string(), body)
        .await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=rust), then save the example to `src/main.rs` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run
```

```typescript
/**
 * Attach security finding to a case returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiAttachCaseRequest = {
  body: {
    data: {
      id: "7d16945b-baf8-411e-ab2a-20fe43af1ea3",
      relationships: {
        findings: {
          data: [
            {
              id: "ZGZhMDI3ZjdjMDM3YjJmNzcxNTlhZGMwMjdmZWNiNTZ-MTVlYTNmYWU3NjNlOTNlYTE2YjM4N2JmZmI4Yjk5N2Y=",
              type: "findings",
            },
          ],
        },
      },
      type: "cases",
    },
  },
  caseId: "7d16945b-baf8-411e-ab2a-20fe43af1ea3",
};

apiInstance
  .attachCase(params)
  .then((data: v2.FindingCaseResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));
```


```typescript
/**
 * Attach security findings to a case returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiAttachCaseRequest = {
  body: {
    data: {
      id: "7d16945b-baf8-411e-ab2a-20fe43af1ea3",
      relationships: {
        findings: {
          data: [
            {
              id: "ZGZhMDI3ZjdjMDM3YjJmNzcxNTlhZGMwMjdmZWNiNTZ-MTVlYTNmYWU3NjNlOTNlYTE2YjM4N2JmZmI4Yjk5N2Y=",
              type: "findings",
            },
            {
              id: "MmUzMzZkODQ2YTI3NDU0OTk4NDk3NzhkOTY5YjU2Zjh-YWJjZGI1ODI4OTYzNWM3ZmUwZTBlOWRkYTRiMGUyOGQ=",
              type: "findings",
            },
          ],
        },
      },
      type: "cases",
    },
  },
  caseId: "7d16945b-baf8-411e-ab2a-20fe43af1ea3",
};

apiInstance
  .attachCase(params)
  .then((data: v2.FindingCaseResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=typescript), then save the example to `example.ts` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"
{% /tab %}

## Create Jira issues for security findings{% #create-jira-issues-for-security-findings %}

{% tab title="v2" %}

| Datadog site      | API endpoint                                                            |
| ----------------- | ----------------------------------------------------------------------- |
| ap1.datadoghq.com | POST https://api.ap1.datadoghq.com/api/v2/security/findings/jira_issues |
| ap2.datadoghq.com | POST https://api.ap2.datadoghq.com/api/v2/security/findings/jira_issues |
| app.datadoghq.eu  | POST https://api.datadoghq.eu/api/v2/security/findings/jira_issues      |
| app.ddog-gov.com  | POST https://api.ddog-gov.com/api/v2/security/findings/jira_issues      |
| app.datadoghq.com | POST https://api.datadoghq.com/api/v2/security/findings/jira_issues     |
| us3.datadoghq.com | POST https://api.us3.datadoghq.com/api/v2/security/findings/jira_issues |
| us5.datadoghq.com | POST https://api.us5.datadoghq.com/api/v2/security/findings/jira_issues |

### Overview

Create Jira issues for security findings. This operation creates a case in Datadog and a Jira issue linked to that case for bidirectional sync between Datadog and Jira. To configure the Jira integration, see [Bidirectional ticket syncing with Jira](https://docs.datadoghq.com/security/ticketing_integrations/#bidirectional-ticket-syncing-with-jira). You can create up to 50 Jira issues per request and associate up to 50 security findings per Jira issue. Security findings that are already attached to another Jira issue will be detached from their previous Jira issue and attached to the newly created Jira issue. This endpoint requires any of the following permissions:

- `security_monitoring_findings_write`
- `appsec_vm_write`


### Request

#### Body Data (required)



{% tab title="Model" %}

| Parent field  | Field                      | Type     | Description                                                                                                                                                                                                                                                                                                                                                      |
| ------------- | -------------------------- | -------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|               | data [*required*]     | [object] | Array of Jira issue creation request data objects.                                                                                                                                                                                                                                                                                                               |
| data          | attributes                 | object   | Attributes of the Jira issue to create.                                                                                                                                                                                                                                                                                                                          |
| attributes    | assignee_id                | string   | Unique identifier of the Datadog user assigned to the Jira issue.                                                                                                                                                                                                                                                                                                |
| attributes    | description                | string   | Description of the Jira issue. If not provided, the description will be automatically generated.                                                                                                                                                                                                                                                                 |
| attributes    | fields                     | object   | Custom fields of the Jira issue to create. For the list of available fields, see [Jira documentation](https://developer.atlassian.com/cloud/jira/platform/rest/v2/api-group-issues/#api-rest-api-2-issue-createmeta-projectidorkey-issuetypes-issuetypeid-get).                                                                                                  |
| attributes    | priority                   | enum     | Datadog case priority mapped to the Jira issue priority. If not provided, the priority will be automatically set to "NOT_DEFINED". To configure the mapping, see [Bidirectional ticket syncing with Jira](https://docs.datadoghq.com/security/ticketing_integrations/#bidirectional-ticket-syncing-with-jira). Allowed enum values: `NOT_DEFINED,P1,P2,P3,P4,P5` |
| attributes    | title                      | string   | Title of the Jira issue. If not provided, the title will be automatically generated.                                                                                                                                                                                                                                                                             |
| data          | relationships              | object   | Relationships of the Jira issue to create.                                                                                                                                                                                                                                                                                                                       |
| relationships | findings [*required*] | object   | Security findings to create a Jira issue for.                                                                                                                                                                                                                                                                                                                    |
| findings      | data                       | [object] | Array of security finding data objects.                                                                                                                                                                                                                                                                                                                          |
| data          | id [*required*]       | string   | Unique identifier of the security finding.                                                                                                                                                                                                                                                                                                                       |
| data          | type [*required*]     | enum     | Security findings resource type. Allowed enum values: `findings`                                                                                                                                                                                                                                                                                                 |
| relationships | project [*required*]  | object   | Case management project configured with the Jira integration. It is used to create the Jira issue. To configure the Jira integration, see [Bidirectional ticket syncing with Jira](https://docs.datadoghq.com/security/ticketing_integrations/#bidirectional-ticket-syncing-with-jira).                                                                          |
| project       | data [*required*]     | object   | Data object representing a case management project.                                                                                                                                                                                                                                                                                                              |
| data          | id [*required*]       | string   | Unique identifier of the case management project.                                                                                                                                                                                                                                                                                                                |
| data          | type [*required*]     | enum     | Projects resource type. Allowed enum values: `projects`                                                                                                                                                                                                                                                                                                          |
| data          | type [*required*]     | enum     | Jira issues resource type. Allowed enum values: `jira_issues`                                                                                                                                                                                                                                                                                                    |

{% /tab %}

{% tab title="Example" %}

```json
{
  "data": [
    {
      "attributes": {
        "title": "A title",
        "description": "A description"
      },
      "relationships": {
        "findings": {
          "data": [
            {
              "id": "YmNlZmJhYTcyMDU5ZDk0ZDhiNjRmNGI0NDk4MDdiNzN-MDJlMjg0NzNmYzJiODY2MzJkNjU0OTI4NmVhZTUyY2U=",
              "type": "findings"
            }
          ]
        },
        "project": {
          "data": {
            "id": "959a6f71-bac8-4027-b1d3-2264f569296f",
            "type": "projects"
          }
        }
      },
      "type": "jira_issues"
    }
  ]
}
```


```json
{
  "data": [
    {
      "attributes": {
        "title": "A title",
        "description": "A description"
      },
      "relationships": {
        "findings": {
          "data": [
            {
              "id": "a3ZoLXNjbS14eXV-aS0wNWY5MGYwMGE4NDg2ODdlOA==",
              "type": "findings"
            },
            {
              "id": "eWswLWJsdC1hZm5-aS0wMjRlYTgwMzVkZTU1MGIwYQ==",
              "type": "findings"
            }
          ]
        },
        "project": {
          "data": {
            "id": "959a6f71-bac8-4027-b1d3-2264f569296f",
            "type": "projects"
          }
        }
      },
      "type": "jira_issues"
    }
  ]
}
```


```json
{
  "data": [
    {
      "attributes": {
        "title": "A title",
        "description": "A description"
      },
      "relationships": {
        "findings": {
          "data": [
            {
              "id": "eWswLWJsdC1hZm5-aS0wMjRlYTgwMzVkZTU1MGIwYQ==",
              "type": "findings"
            }
          ]
        },
        "project": {
          "data": {
            "id": "959a6f71-bac8-4027-b1d3-2264f569296f",
            "type": "projects"
          }
        }
      },
      "type": "jira_issues"
    },
    {
      "attributes": {
        "title": "A title",
        "description": "A description"
      },
      "relationships": {
        "findings": {
          "data": [
            {
              "id": "a3ZoLXNjbS14eXV-aS0wNWY5MGYwMGE4NDg2ODdlOA==",
              "type": "findings"
            }
          ]
        },
        "project": {
          "data": {
            "id": "959a6f71-bac8-4027-b1d3-2264f569296f",
            "type": "projects"
          }
        }
      },
      "type": "jira_issues"
    }
  ]
}
```

{% /tab %}

### Response

{% tab title="201" %}
Created
{% tab title="Model" %}
List of case responses.

| Parent field         | Field                  | Type      | Description                                                                                                                                      |
| -------------------- | ---------------------- | --------- | ------------------------------------------------------------------------------------------------------------------------------------------------ |
|                      | data [*required*] | [object]  | Array of case response data objects.                                                                                                             |
| data                 | attributes             | object    | Attributes of the case.                                                                                                                          |
| attributes           | archived_at            | date-time | Timestamp of when the case was archived.                                                                                                         |
| attributes           | assigned_to            | object    | User assigned to the case.                                                                                                                       |
| assigned_to          | data [*required*] | object    | Relationship to user object.                                                                                                                     |
| data                 | id [*required*]   | string    | A unique identifier that represents the user.                                                                                                    |
| data                 | type [*required*] | enum      | Users resource type. Allowed enum values: `users`                                                                                                |
| attributes           | attributes             | object    | Custom attributes associated with the case as key-value pairs where values are string arrays.                                                    |
| additionalProperties | <any-key>              | [string]  |                                                                                                                                                  |
| attributes           | closed_at              | date-time | Timestamp of when the case was closed.                                                                                                           |
| attributes           | created_at             | date-time | Timestamp of when the case was created.                                                                                                          |
| attributes           | creation_source        | string    | Source of the case creation.                                                                                                                     |
| attributes           | description            | string    | Description of the case.                                                                                                                         |
| attributes           | due_date               | string    | Due date of the case.                                                                                                                            |
| attributes           | insights               | [object]  | Insights of the case.                                                                                                                            |
| insights             | ref                    | string    | Reference of the insight.                                                                                                                        |
| insights             | resource_id            | string    | Unique identifier of the resource. For example, the unique identifier of a security finding.                                                     |
| insights             | type                   | string    | Type of the resource. For example, the type of a security finding is "SECURITY_FINDING".                                                         |
| attributes           | jira_issue             | object    | Jira issue associated with the case.                                                                                                             |
| jira_issue           | error_message          | string    | Error message if the Jira issue creation failed.                                                                                                 |
| jira_issue           | result                 | object    | Result of the Jira issue creation.                                                                                                               |
| result               | account_id             | string    | Account ID of the Jira issue.                                                                                                                    |
| result               | issue_id               | string    | Unique identifier of the Jira issue.                                                                                                             |
| result               | issue_key              | string    | Key of the Jira issue.                                                                                                                           |
| result               | issue_url              | string    | URL of the Jira issue.                                                                                                                           |
| jira_issue           | status                 | string    | Status of the Jira issue creation. Can be "COMPLETED" if the Jira issue was created successfully, or "FAILED" if the Jira issue creation failed. |
| attributes           | key                    | string    | Key of the case.                                                                                                                                 |
| attributes           | modified_at            | date-time | Timestamp of when the case was last modified.                                                                                                    |
| attributes           | priority               | string    | Priority of the case.                                                                                                                            |
| attributes           | status                 | string    | Status of the case.                                                                                                                              |
| attributes           | status_group           | string    | Status group of the case.                                                                                                                        |
| attributes           | status_name            | string    | Status name of the case.                                                                                                                         |
| attributes           | title                  | string    | Title of the case.                                                                                                                               |
| attributes           | type                   | string    | Type of the case. For security cases, this is always "SECURITY".                                                                                 |
| data                 | id                     | string    | Unique identifier of the case.                                                                                                                   |
| data                 | relationships          | object    | Relationships of the case.                                                                                                                       |
| relationships        | created_by             | object    | User who created the case.                                                                                                                       |
| created_by           | data [*required*] | object    | Relationship to user object.                                                                                                                     |
| data                 | id [*required*]   | string    | A unique identifier that represents the user.                                                                                                    |
| data                 | type [*required*] | enum      | Users resource type. Allowed enum values: `users`                                                                                                |
| relationships        | modified_by            | object    | User who last modified the case.                                                                                                                 |
| modified_by          | data [*required*] | object    | Relationship to user object.                                                                                                                     |
| data                 | id [*required*]   | string    | A unique identifier that represents the user.                                                                                                    |
| data                 | type [*required*] | enum      | Users resource type. Allowed enum values: `users`                                                                                                |
| relationships        | project                | object    | Project in which the case was created.                                                                                                           |
| project              | data [*required*] | object    | Data object representing a case management project.                                                                                              |
| data                 | id [*required*]   | string    | Unique identifier of the case management project.                                                                                                |
| data                 | type [*required*] | enum      | Projects resource type. Allowed enum values: `projects`                                                                                          |
| data                 | type [*required*] | enum      | Cases resource type. Allowed enum values: `cases`                                                                                                |

{% /tab %}

{% tab title="Example" %}

```json
{
  "data": [
    {
      "attributes": {
        "archived_at": "2025-01-01T00:00:00.000Z",
        "assigned_to": {
          "data": {
            "id": "00000000-0000-0000-2345-000000000000",
            "type": "users"
          }
        },
        "attributes": {
          "<any-key>": []
        },
        "closed_at": "2025-01-01T00:00:00.000Z",
        "created_at": "2025-01-01T00:00:00.000Z",
        "creation_source": "CS_SECURITY_FINDING",
        "description": "A description of the case.",
        "due_date": "2025-01-01",
        "insights": [
          {
            "ref": "/security/appsec/vm/library/vulnerability/dfa027f7c037b2f77159adc027fecb56?detection=static",
            "resource_id": "ZGVmLTAwcC1pZXJ-aS0wZjhjNjMyZDNmMzRlZTgzNw==",
            "type": "SECURITY_FINDING"
          }
        ],
        "jira_issue": {
          "error_message": "{\"errorMessages\":[\"An error occured.\"],\"errors\":{}}",
          "result": {
            "account_id": "463a8631-680e-455c-bfd3-3ed04d326eb7",
            "issue_id": "2871276",
            "issue_key": "PROJ-123",
            "issue_url": "https://domain.atlassian.net/browse/PROJ-123"
          },
          "status": "COMPLETED"
        },
        "key": "PROJ-123",
        "modified_at": "2025-01-01T00:00:00.000Z",
        "priority": "P4",
        "status": "OPEN",
        "status_group": "SG_OPEN",
        "status_name": "Open",
        "title": "A title for the case.",
        "type": "SECURITY"
      },
      "id": "c1234567-89ab-cdef-0123-456789abcdef",
      "relationships": {
        "created_by": {
          "data": {
            "id": "00000000-0000-0000-2345-000000000000",
            "type": "users"
          }
        },
        "modified_by": {
          "data": {
            "id": "00000000-0000-0000-2345-000000000000",
            "type": "users"
          }
        },
        "project": {
          "data": {
            "id": "aeadc05e-98a8-11ec-ac2c-da7ad0900001",
            "type": "projects"
          }
        }
      },
      "type": "cases"
    }
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="400" %}
Bad Request
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="404" %}
Not Found
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="429" %}
Too many requests
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}
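The request limits from the overview (50 Jira issues per request, 50 findings per issue) and the per-case `jira_issue.status` field in the 201 model can both be checked client-side. The following Python sketch is an added example, not Datadog's client code: the helper names and all sample IDs and responses are constructed, and it only builds and inspects JSON without sending a request.

```python
from collections import Counter

MAX_ISSUES_PER_REQUEST = 50  # overview: "up to 50 Jira issues per request"
MAX_FINDINGS_PER_ISSUE = 50  # overview: "up to 50 security findings per Jira issue"
ALLOWED_PRIORITIES = {"NOT_DEFINED", "P1", "P2", "P3", "P4", "P5"}  # request model enum


def issue_problems(finding_ids, priority=None):
    """Return a list of reasons why one Jira issue request would break a documented rule."""
    problems = []
    unique_ids = set(finding_ids)
    if not unique_ids:
        # Assumption of this example: an issue with no findings is never intended.
        problems.append("no finding ids given")
    if len(unique_ids) > MAX_FINDINGS_PER_ISSUE:
        problems.append(f"{len(unique_ids)} findings exceed the limit of {MAX_FINDINGS_PER_ISSUE}")
    if priority is not None and priority not in ALLOWED_PRIORITIES:
        problems.append(f"priority {priority!r} is not an allowed enum value")
    return problems


def build_jira_issue(project_id, finding_ids, title=None, description=None, priority=None):
    """Build one `jira_issues` data object, raising ValueError on any documented-rule violation."""
    ids = list(dict.fromkeys(finding_ids))  # drop repeated ids, keep the caller's order
    problems = issue_problems(ids, priority)
    if problems:
        raise ValueError("; ".join(problems))
    issue = {
        "relationships": {
            "findings": {"data": [{"id": fid, "type": "findings"} for fid in ids]},
            "project": {"data": {"id": project_id, "type": "projects"}},
        },
        "type": "jira_issues",
    }
    # Unset attributes are left out so the API generates the title and description itself.
    optional = {"title": title, "description": description, "priority": priority}
    attributes = {key: value for key, value in optional.items() if value is not None}
    if attributes:
        issue["attributes"] = attributes
    return issue


def findings_in_multiple_issues(issues):
    """List finding ids that appear in more than one issue of the same batch.

    The overview says a finding attached to another Jira issue is detached from it,
    so such an id cannot stay attached to every issue that names it.
    """
    counts = Counter(
        finding["id"]
        for issue in issues
        for finding in issue["relationships"]["findings"]["data"]
    )
    return sorted(fid for fid, seen in counts.items() if seen > 1)


def batch_request_bodies(issues):
    """Split issues into request bodies that each hold at most 50 `jira_issues` objects."""
    return [
        {"data": issues[start:start + MAX_ISSUES_PER_REQUEST]}
        for start in range(0, len(issues), MAX_ISSUES_PER_REQUEST)
    ]


def summarize_response(response):
    """Split the cases of a 201 body into (created, failed) by `jira_issue.status`."""
    created, failed = [], []
    for case in response.get("data", []):
        jira = (case.get("attributes") or {}).get("jira_issue") or {}
        if jira.get("status") == "COMPLETED":
            result = jira.get("result") or {}
            created.append({"case_id": case.get("id"),
                            "issue_key": result.get("issue_key"),
                            "issue_url": result.get("issue_url")})
        else:  # "FAILED", or a missing/unknown status: treat as not created
            failed.append({"case_id": case.get("id"),
                           "status": jira.get("status"),
                           "error_message": jira.get("error_message")})
    return created, failed


# --- Constructed sample data (not real project, finding or case ids) ---
SAMPLE_PROJECT_ID = "00000000-0000-0000-0000-000000000001"
SAMPLE_ISSUES = [
    build_jira_issue(SAMPLE_PROJECT_ID, [f"finding-{n:03d}"], title=f"Finding {n:03d}")
    for n in range(120)
]
SAMPLE_RESPONSE = {"data": [
    {"id": "case-a", "type": "cases", "attributes": {"jira_issue": {
        "status": "COMPLETED",
        "result": {"issue_key": "PROJ-123",
                   "issue_url": "https://domain.atlassian.net/browse/PROJ-123"}}}},
    {"id": "case-b", "type": "cases", "attributes": {"jira_issue": {
        "status": "FAILED",
        "error_message": "{\"errorMessages\":[\"constructed error\"],\"errors\":{}}"}}},
]}

if __name__ == "__main__":
    bodies = batch_request_bodies(SAMPLE_ISSUES)
    print("issues per request body:", [len(body["data"]) for body in bodies])
    created, failed = summarize_response(SAMPLE_RESPONSE)
    print("created:", created)
    print("failed:", failed)
```

Checking `jira_issue.status` for every returned case matters because the response model allows a case to exist in Datadog while its linked Jira issue reports `FAILED`.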

### Code Example

```bash
# Curl command
# Replace api.datadoghq.com with the API host for your Datadog site (see the endpoint table above).
curl -X POST "https://api.datadoghq.com/api/v2/security/findings/jira_issues" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "data": [
    {
      "attributes": {
        "title": "A title",
        "description": "A description"
      },
      "relationships": {
        "findings": {
          "data": [
            {
              "id": "YmNlZmJhYTcyMDU5ZDk0ZDhiNjRmNGI0NDk4MDdiNzN-MDJlMjg0NzNmYzJiODY2MzJkNjU0OTI4NmVhZTUyY2U=",
              "type": "findings"
            }
          ]
        },
        "project": {
          "data": {
            "id": "959a6f71-bac8-4027-b1d3-2264f569296f",
            "type": "projects"
          }
        }
      },
      "type": "jira_issues"
    }
  ]
}
EOF
```
                        
```bash
# Curl command
# Replace api.datadoghq.com with the API host for your Datadog site (see the endpoint table above).
curl -X POST "https://api.datadoghq.com/api/v2/security/findings/jira_issues" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "data": [
    {
      "attributes": {
        "title": "A title",
        "description": "A description"
      },
      "relationships": {
        "findings": {
          "data": [
            {
              "id": "a3ZoLXNjbS14eXV-aS0wNWY5MGYwMGE4NDg2ODdlOA==",
              "type": "findings"
            },
            {
              "id": "eWswLWJsdC1hZm5-aS0wMjRlYTgwMzVkZTU1MGIwYQ==",
              "type": "findings"
            }
          ]
        },
        "project": {
          "data": {
            "id": "959a6f71-bac8-4027-b1d3-2264f569296f",
            "type": "projects"
          }
        }
      },
      "type": "jira_issues"
    }
  ]
}
EOF
```
                        
```bash
# Curl command
# Replace api.datadoghq.com with the API host for your Datadog site (see the endpoint table above).
curl -X POST "https://api.datadoghq.com/api/v2/security/findings/jira_issues" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "data": [
    {
      "attributes": {
        "title": "A title",
        "description": "A description"
      },
      "relationships": {
        "findings": {
          "data": [
            {
              "id": "eWswLWJsdC1hZm5-aS0wMjRlYTgwMzVkZTU1MGIwYQ==",
              "type": "findings"
            }
          ]
        },
        "project": {
          "data": {
            "id": "959a6f71-bac8-4027-b1d3-2264f569296f",
            "type": "projects"
          }
        }
      },
      "type": "jira_issues"
    },
    {
      "attributes": {
        "title": "A title",
        "description": "A description"
      },
      "relationships": {
        "findings": {
          "data": [
            {
              "id": "a3ZoLXNjbS14eXV-aS0wNWY5MGYwMGE4NDg2ODdlOA==",
              "type": "findings"
            }
          ]
        },
        "project": {
          "data": {
            "id": "959a6f71-bac8-4027-b1d3-2264f569296f",
            "type": "projects"
          }
        }
      },
      "type": "jira_issues"
    }
  ]
}
EOF
```
                        

```go
// Create Jira issue for security finding returns "Created" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	body := datadogV2.CreateJiraIssueRequestArray{
		Data: []datadogV2.CreateJiraIssueRequestData{
			{
				Attributes: &datadogV2.CreateJiraIssueRequestDataAttributes{
					Title:       datadog.PtrString("A title"),
					Description: datadog.PtrString("A description"),
				},
				Relationships: &datadogV2.CreateJiraIssueRequestDataRelationships{
					Findings: datadogV2.Findings{
						Data: []datadogV2.FindingData{
							{
								Id:   "YmNlZmJhYTcyMDU5ZDk0ZDhiNjRmNGI0NDk4MDdiNzN-MDJlMjg0NzNmYzJiODY2MzJkNjU0OTI4NmVhZTUyY2U=",
								Type: datadogV2.FINDINGDATATYPE_FINDINGS,
							},
						},
					},
					Project: datadogV2.CaseManagementProject{
						Data: datadogV2.CaseManagementProjectData{
							Id:   "959a6f71-bac8-4027-b1d3-2264f569296f",
							Type: datadogV2.CASEMANAGEMENTPROJECTDATATYPE_PROJECTS,
						},
					},
				},
				Type: datadogV2.JIRAISSUESDATATYPE_JIRA_ISSUES,
			},
		},
	}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.CreateJiraIssues(ctx, body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.CreateJiraIssues`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.CreateJiraIssues`:\n%s\n", responseContent)
}
```

##### 

```go
// Create Jira issue for security findings returns "Created" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	body := datadogV2.CreateJiraIssueRequestArray{
		Data: []datadogV2.CreateJiraIssueRequestData{
			{
				Attributes: &datadogV2.CreateJiraIssueRequestDataAttributes{
					Title:       datadog.PtrString("A title"),
					Description: datadog.PtrString("A description"),
				},
				Relationships: &datadogV2.CreateJiraIssueRequestDataRelationships{
					Findings: datadogV2.Findings{
						Data: []datadogV2.FindingData{
							{
								Id:   "a3ZoLXNjbS14eXV-aS0wNWY5MGYwMGE4NDg2ODdlOA==",
								Type: datadogV2.FINDINGDATATYPE_FINDINGS,
							},
							{
								Id:   "eWswLWJsdC1hZm5-aS0wMjRlYTgwMzVkZTU1MGIwYQ==",
								Type: datadogV2.FINDINGDATATYPE_FINDINGS,
							},
						},
					},
					Project: datadogV2.CaseManagementProject{
						Data: datadogV2.CaseManagementProjectData{
							Id:   "959a6f71-bac8-4027-b1d3-2264f569296f",
							Type: datadogV2.CASEMANAGEMENTPROJECTDATATYPE_PROJECTS,
						},
					},
				},
				Type: datadogV2.JIRAISSUESDATATYPE_JIRA_ISSUES,
			},
		},
	}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.CreateJiraIssues(ctx, body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.CreateJiraIssues`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.CreateJiraIssues`:\n%s\n", responseContent)
}
```

##### 

```go
// Create Jira issues for security findings returns "Created" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	body := datadogV2.CreateJiraIssueRequestArray{
		Data: []datadogV2.CreateJiraIssueRequestData{
			{
				Attributes: &datadogV2.CreateJiraIssueRequestDataAttributes{
					Title:       datadog.PtrString("A title"),
					Description: datadog.PtrString("A description"),
				},
				Relationships: &datadogV2.CreateJiraIssueRequestDataRelationships{
					Findings: datadogV2.Findings{
						Data: []datadogV2.FindingData{
							{
								Id:   "eWswLWJsdC1hZm5-aS0wMjRlYTgwMzVkZTU1MGIwYQ==",
								Type: datadogV2.FINDINGDATATYPE_FINDINGS,
							},
						},
					},
					Project: datadogV2.CaseManagementProject{
						Data: datadogV2.CaseManagementProjectData{
							Id:   "959a6f71-bac8-4027-b1d3-2264f569296f",
							Type: datadogV2.CASEMANAGEMENTPROJECTDATATYPE_PROJECTS,
						},
					},
				},
				Type: datadogV2.JIRAISSUESDATATYPE_JIRA_ISSUES,
			},
			{
				Attributes: &datadogV2.CreateJiraIssueRequestDataAttributes{
					Title:       datadog.PtrString("A title"),
					Description: datadog.PtrString("A description"),
				},
				Relationships: &datadogV2.CreateJiraIssueRequestDataRelationships{
					Findings: datadogV2.Findings{
						Data: []datadogV2.FindingData{
							{
								Id:   "a3ZoLXNjbS14eXV-aS0wNWY5MGYwMGE4NDg2ODdlOA==",
								Type: datadogV2.FINDINGDATATYPE_FINDINGS,
							},
						},
					},
					Project: datadogV2.CaseManagementProject{
						Data: datadogV2.CaseManagementProjectData{
							Id:   "959a6f71-bac8-4027-b1d3-2264f569296f",
							Type: datadogV2.CASEMANAGEMENTPROJECTDATATYPE_PROJECTS,
						},
					},
				},
				Type: datadogV2.JIRAISSUESDATATYPE_JIRA_ISSUES,
			},
		},
	}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.CreateJiraIssues(ctx, body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.CreateJiraIssues`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.CreateJiraIssues`:\n%s\n", responseContent)
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=go), then save the example to `main.go` and run the following command, setting `DD_SITE` to your Datadog site (one of `datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
##### 

```java
// Create Jira issue for security finding returns "Created" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.CaseManagementProject;
import com.datadog.api.client.v2.model.CaseManagementProjectData;
import com.datadog.api.client.v2.model.CaseManagementProjectDataType;
import com.datadog.api.client.v2.model.CreateJiraIssueRequestArray;
import com.datadog.api.client.v2.model.CreateJiraIssueRequestData;
import com.datadog.api.client.v2.model.CreateJiraIssueRequestDataAttributes;
import com.datadog.api.client.v2.model.CreateJiraIssueRequestDataRelationships;
import com.datadog.api.client.v2.model.FindingCaseResponseArray;
import com.datadog.api.client.v2.model.FindingData;
import com.datadog.api.client.v2.model.FindingDataType;
import com.datadog.api.client.v2.model.Findings;
import com.datadog.api.client.v2.model.JiraIssuesDataType;
import java.util.Collections;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    CreateJiraIssueRequestArray body =
        new CreateJiraIssueRequestArray()
            .data(
                Collections.singletonList(
                    new CreateJiraIssueRequestData()
                        .attributes(
                            new CreateJiraIssueRequestDataAttributes()
                                .title("A title")
                                .description("A description"))
                        .relationships(
                            new CreateJiraIssueRequestDataRelationships()
                                .findings(
                                    new Findings()
                                        .data(
                                            Collections.singletonList(
                                                new FindingData()
                                                    .id(
                                                        "YmNlZmJhYTcyMDU5ZDk0ZDhiNjRmNGI0NDk4MDdiNzN-MDJlMjg0NzNmYzJiODY2MzJkNjU0OTI4NmVhZTUyY2U=")
                                                    .type(FindingDataType.FINDINGS))))
                                .project(
                                    new CaseManagementProject()
                                        .data(
                                            new CaseManagementProjectData()
                                                .id("959a6f71-bac8-4027-b1d3-2264f569296f")
                                                .type(CaseManagementProjectDataType.PROJECTS))))
                        .type(JiraIssuesDataType.JIRA_ISSUES)));

    try {
      FindingCaseResponseArray result = apiInstance.createJiraIssues(body);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println("Exception when calling SecurityMonitoringApi#createJiraIssues");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}
```

##### 

```java
// Create Jira issue for security findings returns "Created" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.CaseManagementProject;
import com.datadog.api.client.v2.model.CaseManagementProjectData;
import com.datadog.api.client.v2.model.CaseManagementProjectDataType;
import com.datadog.api.client.v2.model.CreateJiraIssueRequestArray;
import com.datadog.api.client.v2.model.CreateJiraIssueRequestData;
import com.datadog.api.client.v2.model.CreateJiraIssueRequestDataAttributes;
import com.datadog.api.client.v2.model.CreateJiraIssueRequestDataRelationships;
import com.datadog.api.client.v2.model.FindingCaseResponseArray;
import com.datadog.api.client.v2.model.FindingData;
import com.datadog.api.client.v2.model.FindingDataType;
import com.datadog.api.client.v2.model.Findings;
import com.datadog.api.client.v2.model.JiraIssuesDataType;
import java.util.Arrays;
import java.util.Collections;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    CreateJiraIssueRequestArray body =
        new CreateJiraIssueRequestArray()
            .data(
                Collections.singletonList(
                    new CreateJiraIssueRequestData()
                        .attributes(
                            new CreateJiraIssueRequestDataAttributes()
                                .title("A title")
                                .description("A description"))
                        .relationships(
                            new CreateJiraIssueRequestDataRelationships()
                                .findings(
                                    new Findings()
                                        .data(
                                            Arrays.asList(
                                                new FindingData()
                                                    .id(
                                                        "a3ZoLXNjbS14eXV-aS0wNWY5MGYwMGE4NDg2ODdlOA==")
                                                    .type(FindingDataType.FINDINGS),
                                                new FindingData()
                                                    .id(
                                                        "eWswLWJsdC1hZm5-aS0wMjRlYTgwMzVkZTU1MGIwYQ==")
                                                    .type(FindingDataType.FINDINGS))))
                                .project(
                                    new CaseManagementProject()
                                        .data(
                                            new CaseManagementProjectData()
                                                .id("959a6f71-bac8-4027-b1d3-2264f569296f")
                                                .type(CaseManagementProjectDataType.PROJECTS))))
                        .type(JiraIssuesDataType.JIRA_ISSUES)));

    try {
      FindingCaseResponseArray result = apiInstance.createJiraIssues(body);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println("Exception when calling SecurityMonitoringApi#createJiraIssues");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}
```

##### 

```java
// Create Jira issues for security findings returns "Created" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.CaseManagementProject;
import com.datadog.api.client.v2.model.CaseManagementProjectData;
import com.datadog.api.client.v2.model.CaseManagementProjectDataType;
import com.datadog.api.client.v2.model.CreateJiraIssueRequestArray;
import com.datadog.api.client.v2.model.CreateJiraIssueRequestData;
import com.datadog.api.client.v2.model.CreateJiraIssueRequestDataAttributes;
import com.datadog.api.client.v2.model.CreateJiraIssueRequestDataRelationships;
import com.datadog.api.client.v2.model.FindingCaseResponseArray;
import com.datadog.api.client.v2.model.FindingData;
import com.datadog.api.client.v2.model.FindingDataType;
import com.datadog.api.client.v2.model.Findings;
import com.datadog.api.client.v2.model.JiraIssuesDataType;
import java.util.Arrays;
import java.util.Collections;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    CreateJiraIssueRequestArray body =
        new CreateJiraIssueRequestArray()
            .data(
                Arrays.asList(
                    new CreateJiraIssueRequestData()
                        .attributes(
                            new CreateJiraIssueRequestDataAttributes()
                                .title("A title")
                                .description("A description"))
                        .relationships(
                            new CreateJiraIssueRequestDataRelationships()
                                .findings(
                                    new Findings()
                                        .data(
                                            Collections.singletonList(
                                                new FindingData()
                                                    .id(
                                                        "eWswLWJsdC1hZm5-aS0wMjRlYTgwMzVkZTU1MGIwYQ==")
                                                    .type(FindingDataType.FINDINGS))))
                                .project(
                                    new CaseManagementProject()
                                        .data(
                                            new CaseManagementProjectData()
                                                .id("959a6f71-bac8-4027-b1d3-2264f569296f")
                                                .type(CaseManagementProjectDataType.PROJECTS))))
                        .type(JiraIssuesDataType.JIRA_ISSUES),
                    new CreateJiraIssueRequestData()
                        .attributes(
                            new CreateJiraIssueRequestDataAttributes()
                                .title("A title")
                                .description("A description"))
                        .relationships(
                            new CreateJiraIssueRequestDataRelationships()
                                .findings(
                                    new Findings()
                                        .data(
                                            Collections.singletonList(
                                                new FindingData()
                                                    .id(
                                                        "a3ZoLXNjbS14eXV-aS0wNWY5MGYwMGE4NDg2ODdlOA==")
                                                    .type(FindingDataType.FINDINGS))))
                                .project(
                                    new CaseManagementProject()
                                        .data(
                                            new CaseManagementProjectData()
                                                .id("959a6f71-bac8-4027-b1d3-2264f569296f")
                                                .type(CaseManagementProjectDataType.PROJECTS))))
                        .type(JiraIssuesDataType.JIRA_ISSUES)));

    try {
      FindingCaseResponseArray result = apiInstance.createJiraIssues(body);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println("Exception when calling SecurityMonitoringApi#createJiraIssues");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=java), then save the example to `Example.java` and run the following command, setting `DD_SITE` to your Datadog site (one of `datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"
##### 

```python
"""
Create Jira issue for security finding returns "Created" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.case_management_project import CaseManagementProject
from datadog_api_client.v2.model.case_management_project_data import CaseManagementProjectData
from datadog_api_client.v2.model.case_management_project_data_type import CaseManagementProjectDataType
from datadog_api_client.v2.model.create_jira_issue_request_array import CreateJiraIssueRequestArray
from datadog_api_client.v2.model.create_jira_issue_request_data import CreateJiraIssueRequestData
from datadog_api_client.v2.model.create_jira_issue_request_data_attributes import CreateJiraIssueRequestDataAttributes
from datadog_api_client.v2.model.create_jira_issue_request_data_relationships import (
    CreateJiraIssueRequestDataRelationships,
)
from datadog_api_client.v2.model.finding_data import FindingData
from datadog_api_client.v2.model.finding_data_type import FindingDataType
from datadog_api_client.v2.model.findings import Findings
from datadog_api_client.v2.model.jira_issues_data_type import JiraIssuesDataType

body = CreateJiraIssueRequestArray(
    data=[
        CreateJiraIssueRequestData(
            attributes=CreateJiraIssueRequestDataAttributes(
                title="A title",
                description="A description",
            ),
            relationships=CreateJiraIssueRequestDataRelationships(
                findings=Findings(
                    data=[
                        FindingData(
                            id="YmNlZmJhYTcyMDU5ZDk0ZDhiNjRmNGI0NDk4MDdiNzN-MDJlMjg0NzNmYzJiODY2MzJkNjU0OTI4NmVhZTUyY2U=",
                            type=FindingDataType.FINDINGS,
                        ),
                    ],
                ),
                project=CaseManagementProject(
                    data=CaseManagementProjectData(
                        id="959a6f71-bac8-4027-b1d3-2264f569296f",
                        type=CaseManagementProjectDataType.PROJECTS,
                    ),
                ),
            ),
            type=JiraIssuesDataType.JIRA_ISSUES,
        ),
    ],
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.create_jira_issues(body=body)

    print(response)
```

##### 

```python
"""
Create Jira issue for security findings returns "Created" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.case_management_project import CaseManagementProject
from datadog_api_client.v2.model.case_management_project_data import CaseManagementProjectData
from datadog_api_client.v2.model.case_management_project_data_type import CaseManagementProjectDataType
from datadog_api_client.v2.model.create_jira_issue_request_array import CreateJiraIssueRequestArray
from datadog_api_client.v2.model.create_jira_issue_request_data import CreateJiraIssueRequestData
from datadog_api_client.v2.model.create_jira_issue_request_data_attributes import CreateJiraIssueRequestDataAttributes
from datadog_api_client.v2.model.create_jira_issue_request_data_relationships import (
    CreateJiraIssueRequestDataRelationships,
)
from datadog_api_client.v2.model.finding_data import FindingData
from datadog_api_client.v2.model.finding_data_type import FindingDataType
from datadog_api_client.v2.model.findings import Findings
from datadog_api_client.v2.model.jira_issues_data_type import JiraIssuesDataType

body = CreateJiraIssueRequestArray(
    data=[
        CreateJiraIssueRequestData(
            attributes=CreateJiraIssueRequestDataAttributes(
                title="A title",
                description="A description",
            ),
            relationships=CreateJiraIssueRequestDataRelationships(
                findings=Findings(
                    data=[
                        FindingData(
                            id="a3ZoLXNjbS14eXV-aS0wNWY5MGYwMGE4NDg2ODdlOA==",
                            type=FindingDataType.FINDINGS,
                        ),
                        FindingData(
                            id="eWswLWJsdC1hZm5-aS0wMjRlYTgwMzVkZTU1MGIwYQ==",
                            type=FindingDataType.FINDINGS,
                        ),
                    ],
                ),
                project=CaseManagementProject(
                    data=CaseManagementProjectData(
                        id="959a6f71-bac8-4027-b1d3-2264f569296f",
                        type=CaseManagementProjectDataType.PROJECTS,
                    ),
                ),
            ),
            type=JiraIssuesDataType.JIRA_ISSUES,
        ),
    ],
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.create_jira_issues(body=body)

    print(response)
```

##### 

```python
"""
Create Jira issues for security findings returns "Created" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.case_management_project import CaseManagementProject
from datadog_api_client.v2.model.case_management_project_data import CaseManagementProjectData
from datadog_api_client.v2.model.case_management_project_data_type import CaseManagementProjectDataType
from datadog_api_client.v2.model.create_jira_issue_request_array import CreateJiraIssueRequestArray
from datadog_api_client.v2.model.create_jira_issue_request_data import CreateJiraIssueRequestData
from datadog_api_client.v2.model.create_jira_issue_request_data_attributes import CreateJiraIssueRequestDataAttributes
from datadog_api_client.v2.model.create_jira_issue_request_data_relationships import (
    CreateJiraIssueRequestDataRelationships,
)
from datadog_api_client.v2.model.finding_data import FindingData
from datadog_api_client.v2.model.finding_data_type import FindingDataType
from datadog_api_client.v2.model.findings import Findings
from datadog_api_client.v2.model.jira_issues_data_type import JiraIssuesDataType

body = CreateJiraIssueRequestArray(
    data=[
        CreateJiraIssueRequestData(
            attributes=CreateJiraIssueRequestDataAttributes(
                title="A title",
                description="A description",
            ),
            relationships=CreateJiraIssueRequestDataRelationships(
                findings=Findings(
                    data=[
                        FindingData(
                            id="eWswLWJsdC1hZm5-aS0wMjRlYTgwMzVkZTU1MGIwYQ==",
                            type=FindingDataType.FINDINGS,
                        ),
                    ],
                ),
                project=CaseManagementProject(
                    data=CaseManagementProjectData(
                        id="959a6f71-bac8-4027-b1d3-2264f569296f",
                        type=CaseManagementProjectDataType.PROJECTS,
                    ),
                ),
            ),
            type=JiraIssuesDataType.JIRA_ISSUES,
        ),
        CreateJiraIssueRequestData(
            attributes=CreateJiraIssueRequestDataAttributes(
                title="A title",
                description="A description",
            ),
            relationships=CreateJiraIssueRequestDataRelationships(
                findings=Findings(
                    data=[
                        FindingData(
                            id="a3ZoLXNjbS14eXV-aS0wNWY5MGYwMGE4NDg2ODdlOA==",
                            type=FindingDataType.FINDINGS,
                        ),
                    ],
                ),
                project=CaseManagementProject(
                    data=CaseManagementProjectData(
                        id="959a6f71-bac8-4027-b1d3-2264f569296f",
                        type=CaseManagementProjectDataType.PROJECTS,
                    ),
                ),
            ),
            type=JiraIssuesDataType.JIRA_ISSUES,
        ),
    ],
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.create_jira_issues(body=body)

    print(response)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=python), then save the example to `example.py` and run the following command, setting `DD_SITE` to your Datadog site (one of `datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
##### 

```ruby
# Create Jira issue for security finding returns "Created" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

body = DatadogAPIClient::V2::CreateJiraIssueRequestArray.new({
  data: [
    DatadogAPIClient::V2::CreateJiraIssueRequestData.new({
      attributes: DatadogAPIClient::V2::CreateJiraIssueRequestDataAttributes.new({
        title: "A title",
        description: "A description",
      }),
      relationships: DatadogAPIClient::V2::CreateJiraIssueRequestDataRelationships.new({
        findings: DatadogAPIClient::V2::Findings.new({
          data: [
            DatadogAPIClient::V2::FindingData.new({
              id: "YmNlZmJhYTcyMDU5ZDk0ZDhiNjRmNGI0NDk4MDdiNzN-MDJlMjg0NzNmYzJiODY2MzJkNjU0OTI4NmVhZTUyY2U=",
              type: DatadogAPIClient::V2::FindingDataType::FINDINGS,
            }),
          ],
        }),
        project: DatadogAPIClient::V2::CaseManagementProject.new({
          data: DatadogAPIClient::V2::CaseManagementProjectData.new({
            id: "959a6f71-bac8-4027-b1d3-2264f569296f",
            type: DatadogAPIClient::V2::CaseManagementProjectDataType::PROJECTS,
          }),
        }),
      }),
      type: DatadogAPIClient::V2::JiraIssuesDataType::JIRA_ISSUES,
    }),
  ],
})
p api_instance.create_jira_issues(body)
```

##### 

```ruby
# Create Jira issue for security findings returns "Created" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

body = DatadogAPIClient::V2::CreateJiraIssueRequestArray.new({
  data: [
    DatadogAPIClient::V2::CreateJiraIssueRequestData.new({
      attributes: DatadogAPIClient::V2::CreateJiraIssueRequestDataAttributes.new({
        title: "A title",
        description: "A description",
      }),
      relationships: DatadogAPIClient::V2::CreateJiraIssueRequestDataRelationships.new({
        findings: DatadogAPIClient::V2::Findings.new({
          data: [
            DatadogAPIClient::V2::FindingData.new({
              id: "a3ZoLXNjbS14eXV-aS0wNWY5MGYwMGE4NDg2ODdlOA==",
              type: DatadogAPIClient::V2::FindingDataType::FINDINGS,
            }),
            DatadogAPIClient::V2::FindingData.new({
              id: "eWswLWJsdC1hZm5-aS0wMjRlYTgwMzVkZTU1MGIwYQ==",
              type: DatadogAPIClient::V2::FindingDataType::FINDINGS,
            }),
          ],
        }),
        project: DatadogAPIClient::V2::CaseManagementProject.new({
          data: DatadogAPIClient::V2::CaseManagementProjectData.new({
            id: "959a6f71-bac8-4027-b1d3-2264f569296f",
            type: DatadogAPIClient::V2::CaseManagementProjectDataType::PROJECTS,
          }),
        }),
      }),
      type: DatadogAPIClient::V2::JiraIssuesDataType::JIRA_ISSUES,
    }),
  ],
})
p api_instance.create_jira_issues(body)
```

##### 

```ruby
# Create Jira issues for security findings returns "Created" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

body = DatadogAPIClient::V2::CreateJiraIssueRequestArray.new({
  data: [
    DatadogAPIClient::V2::CreateJiraIssueRequestData.new({
      attributes: DatadogAPIClient::V2::CreateJiraIssueRequestDataAttributes.new({
        title: "A title",
        description: "A description",
      }),
      relationships: DatadogAPIClient::V2::CreateJiraIssueRequestDataRelationships.new({
        findings: DatadogAPIClient::V2::Findings.new({
          data: [
            DatadogAPIClient::V2::FindingData.new({
              id: "eWswLWJsdC1hZm5-aS0wMjRlYTgwMzVkZTU1MGIwYQ==",
              type: DatadogAPIClient::V2::FindingDataType::FINDINGS,
            }),
          ],
        }),
        project: DatadogAPIClient::V2::CaseManagementProject.new({
          data: DatadogAPIClient::V2::CaseManagementProjectData.new({
            id: "959a6f71-bac8-4027-b1d3-2264f569296f",
            type: DatadogAPIClient::V2::CaseManagementProjectDataType::PROJECTS,
          }),
        }),
      }),
      type: DatadogAPIClient::V2::JiraIssuesDataType::JIRA_ISSUES,
    }),
    DatadogAPIClient::V2::CreateJiraIssueRequestData.new({
      attributes: DatadogAPIClient::V2::CreateJiraIssueRequestDataAttributes.new({
        title: "A title",
        description: "A description",
      }),
      relationships: DatadogAPIClient::V2::CreateJiraIssueRequestDataRelationships.new({
        findings: DatadogAPIClient::V2::Findings.new({
          data: [
            DatadogAPIClient::V2::FindingData.new({
              id: "a3ZoLXNjbS14eXV-aS0wNWY5MGYwMGE4NDg2ODdlOA==",
              type: DatadogAPIClient::V2::FindingDataType::FINDINGS,
            }),
          ],
        }),
        project: DatadogAPIClient::V2::CaseManagementProject.new({
          data: DatadogAPIClient::V2::CaseManagementProjectData.new({
            id: "959a6f71-bac8-4027-b1d3-2264f569296f",
            type: DatadogAPIClient::V2::CaseManagementProjectDataType::PROJECTS,
          }),
        }),
      }),
      type: DatadogAPIClient::V2::JiraIssuesDataType::JIRA_ISSUES,
    }),
  ],
})
p api_instance.create_jira_issues(body)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=ruby), then save the example to `example.rb` and run the following command, setting `DD_SITE` to your Datadog site (one of `datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" ruby "example.rb"
##### 

```rust
// Create Jira issue for security finding returns "Created" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::CaseManagementProject;
use datadog_api_client::datadogV2::model::CaseManagementProjectData;
use datadog_api_client::datadogV2::model::CaseManagementProjectDataType;
use datadog_api_client::datadogV2::model::CreateJiraIssueRequestArray;
use datadog_api_client::datadogV2::model::CreateJiraIssueRequestData;
use datadog_api_client::datadogV2::model::CreateJiraIssueRequestDataAttributes;
use datadog_api_client::datadogV2::model::CreateJiraIssueRequestDataRelationships;
use datadog_api_client::datadogV2::model::FindingData;
use datadog_api_client::datadogV2::model::FindingDataType;
use datadog_api_client::datadogV2::model::Findings;
use datadog_api_client::datadogV2::model::JiraIssuesDataType;

#[tokio::main]
async fn main() {
    let body =
        CreateJiraIssueRequestArray::new(
            vec![
                CreateJiraIssueRequestData::new(JiraIssuesDataType::JIRA_ISSUES)
                    .attributes(
                        CreateJiraIssueRequestDataAttributes::new()
                            .description("A description".to_string())
                            .title("A title".to_string()),
                    )
                    .relationships(
                        CreateJiraIssueRequestDataRelationships::new(
                            Findings::new().data(
                                vec![
                                    FindingData::new(
                                        "YmNlZmJhYTcyMDU5ZDk0ZDhiNjRmNGI0NDk4MDdiNzN-MDJlMjg0NzNmYzJiODY2MzJkNjU0OTI4NmVhZTUyY2U=".to_string(),
                                        FindingDataType::FINDINGS,
                                    )
                                ],
                            ),
                            CaseManagementProject::new(
                                CaseManagementProjectData::new(
                                    "959a6f71-bac8-4027-b1d3-2264f569296f".to_string(),
                                    CaseManagementProjectDataType::PROJECTS,
                                ),
                            ),
                        ),
                    )
            ],
        );
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api.create_jira_issues(body).await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}
```


```rust
// Create Jira issue for security findings returns "Created" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::CaseManagementProject;
use datadog_api_client::datadogV2::model::CaseManagementProjectData;
use datadog_api_client::datadogV2::model::CaseManagementProjectDataType;
use datadog_api_client::datadogV2::model::CreateJiraIssueRequestArray;
use datadog_api_client::datadogV2::model::CreateJiraIssueRequestData;
use datadog_api_client::datadogV2::model::CreateJiraIssueRequestDataAttributes;
use datadog_api_client::datadogV2::model::CreateJiraIssueRequestDataRelationships;
use datadog_api_client::datadogV2::model::FindingData;
use datadog_api_client::datadogV2::model::FindingDataType;
use datadog_api_client::datadogV2::model::Findings;
use datadog_api_client::datadogV2::model::JiraIssuesDataType;

#[tokio::main]
async fn main() {
    let body = CreateJiraIssueRequestArray::new(vec![CreateJiraIssueRequestData::new(
        JiraIssuesDataType::JIRA_ISSUES,
    )
    .attributes(
        CreateJiraIssueRequestDataAttributes::new()
            .description("A description".to_string())
            .title("A title".to_string()),
    )
    .relationships(CreateJiraIssueRequestDataRelationships::new(
        Findings::new().data(vec![
            FindingData::new(
                "a3ZoLXNjbS14eXV-aS0wNWY5MGYwMGE4NDg2ODdlOA==".to_string(),
                FindingDataType::FINDINGS,
            ),
            FindingData::new(
                "eWswLWJsdC1hZm5-aS0wMjRlYTgwMzVkZTU1MGIwYQ==".to_string(),
                FindingDataType::FINDINGS,
            ),
        ]),
        CaseManagementProject::new(CaseManagementProjectData::new(
            "959a6f71-bac8-4027-b1d3-2264f569296f".to_string(),
            CaseManagementProjectDataType::PROJECTS,
        )),
    ))]);
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api.create_jira_issues(body).await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}
```


```rust
// Create Jira issues for security findings returns "Created" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::CaseManagementProject;
use datadog_api_client::datadogV2::model::CaseManagementProjectData;
use datadog_api_client::datadogV2::model::CaseManagementProjectDataType;
use datadog_api_client::datadogV2::model::CreateJiraIssueRequestArray;
use datadog_api_client::datadogV2::model::CreateJiraIssueRequestData;
use datadog_api_client::datadogV2::model::CreateJiraIssueRequestDataAttributes;
use datadog_api_client::datadogV2::model::CreateJiraIssueRequestDataRelationships;
use datadog_api_client::datadogV2::model::FindingData;
use datadog_api_client::datadogV2::model::FindingDataType;
use datadog_api_client::datadogV2::model::Findings;
use datadog_api_client::datadogV2::model::JiraIssuesDataType;

#[tokio::main]
async fn main() {
    let body = CreateJiraIssueRequestArray::new(vec![
        CreateJiraIssueRequestData::new(JiraIssuesDataType::JIRA_ISSUES)
            .attributes(
                CreateJiraIssueRequestDataAttributes::new()
                    .description("A description".to_string())
                    .title("A title".to_string()),
            )
            .relationships(CreateJiraIssueRequestDataRelationships::new(
                Findings::new().data(vec![FindingData::new(
                    "eWswLWJsdC1hZm5-aS0wMjRlYTgwMzVkZTU1MGIwYQ==".to_string(),
                    FindingDataType::FINDINGS,
                )]),
                CaseManagementProject::new(CaseManagementProjectData::new(
                    "959a6f71-bac8-4027-b1d3-2264f569296f".to_string(),
                    CaseManagementProjectDataType::PROJECTS,
                )),
            )),
        CreateJiraIssueRequestData::new(JiraIssuesDataType::JIRA_ISSUES)
            .attributes(
                CreateJiraIssueRequestDataAttributes::new()
                    .description("A description".to_string())
                    .title("A title".to_string()),
            )
            .relationships(CreateJiraIssueRequestDataRelationships::new(
                Findings::new().data(vec![FindingData::new(
                    "a3ZoLXNjbS14eXV-aS0wNWY5MGYwMGE4NDg2ODdlOA==".to_string(),
                    FindingDataType::FINDINGS,
                )]),
                CaseManagementProject::new(CaseManagementProjectData::new(
                    "959a6f71-bac8-4027-b1d3-2264f569296f".to_string(),
                    CaseManagementProjectDataType::PROJECTS,
                )),
            )),
    ]);
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api.create_jira_issues(body).await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=rust) and then save the example to `src/main.rs` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="<DD_SITE>" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run

```typescript
/**
 * Create Jira issue for security finding returns "Created" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiCreateJiraIssuesRequest = {
  body: {
    data: [
      {
        attributes: {
          title: "A title",
          description: "A description",
        },
        relationships: {
          findings: {
            data: [
              {
                id: "YmNlZmJhYTcyMDU5ZDk0ZDhiNjRmNGI0NDk4MDdiNzN-MDJlMjg0NzNmYzJiODY2MzJkNjU0OTI4NmVhZTUyY2U=",
                type: "findings",
              },
            ],
          },
          project: {
            data: {
              id: "959a6f71-bac8-4027-b1d3-2264f569296f",
              type: "projects",
            },
          },
        },
        type: "jira_issues",
      },
    ],
  },
};

apiInstance
  .createJiraIssues(params)
  .then((data: v2.FindingCaseResponseArray) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));
```


```typescript
/**
 * Create Jira issue for security findings returns "Created" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiCreateJiraIssuesRequest = {
  body: {
    data: [
      {
        attributes: {
          title: "A title",
          description: "A description",
        },
        relationships: {
          findings: {
            data: [
              {
                id: "a3ZoLXNjbS14eXV-aS0wNWY5MGYwMGE4NDg2ODdlOA==",
                type: "findings",
              },
              {
                id: "eWswLWJsdC1hZm5-aS0wMjRlYTgwMzVkZTU1MGIwYQ==",
                type: "findings",
              },
            ],
          },
          project: {
            data: {
              id: "959a6f71-bac8-4027-b1d3-2264f569296f",
              type: "projects",
            },
          },
        },
        type: "jira_issues",
      },
    ],
  },
};

apiInstance
  .createJiraIssues(params)
  .then((data: v2.FindingCaseResponseArray) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));
```


```typescript
/**
 * Create Jira issues for security findings returns "Created" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiCreateJiraIssuesRequest = {
  body: {
    data: [
      {
        attributes: {
          title: "A title",
          description: "A description",
        },
        relationships: {
          findings: {
            data: [
              {
                id: "eWswLWJsdC1hZm5-aS0wMjRlYTgwMzVkZTU1MGIwYQ==",
                type: "findings",
              },
            ],
          },
          project: {
            data: {
              id: "959a6f71-bac8-4027-b1d3-2264f569296f",
              type: "projects",
            },
          },
        },
        type: "jira_issues",
      },
      {
        attributes: {
          title: "A title",
          description: "A description",
        },
        relationships: {
          findings: {
            data: [
              {
                id: "a3ZoLXNjbS14eXV-aS0wNWY5MGYwMGE4NDg2ODdlOA==",
                type: "findings",
              },
            ],
          },
          project: {
            data: {
              id: "959a6f71-bac8-4027-b1d3-2264f569296f",
              type: "projects",
            },
          },
        },
        type: "jira_issues",
      },
    ],
  },
};

apiInstance
  .createJiraIssues(params)
  .then((data: v2.FindingCaseResponseArray) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=typescript) and then save the example to `example.ts` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="<DD_SITE>" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"
{% /tab %}

## Attach security findings to a Jira issue{% #attach-security-findings-to-a-jira-issue %}

{% tab title="v2" %}

| Datadog site      | API endpoint                                                             |
| ----------------- | ------------------------------------------------------------------------ |
| ap1.datadoghq.com | PATCH https://api.ap1.datadoghq.com/api/v2/security/findings/jira_issues |
| ap2.datadoghq.com | PATCH https://api.ap2.datadoghq.com/api/v2/security/findings/jira_issues |
| app.datadoghq.eu  | PATCH https://api.datadoghq.eu/api/v2/security/findings/jira_issues      |
| app.ddog-gov.com  | PATCH https://api.ddog-gov.com/api/v2/security/findings/jira_issues      |
| app.datadoghq.com | PATCH https://api.datadoghq.com/api/v2/security/findings/jira_issues     |
| us3.datadoghq.com | PATCH https://api.us3.datadoghq.com/api/v2/security/findings/jira_issues |
| us5.datadoghq.com | PATCH https://api.us5.datadoghq.com/api/v2/security/findings/jira_issues |

### Overview

Attach security findings to a Jira issue by providing the Jira issue URL. You can attach up to 50 security findings per Jira issue. If the Jira issue is not linked to any case, this operation will create a case for the security findings and link the Jira issue to the newly created case. To configure the Jira integration, see [Bidirectional ticket syncing with Jira](https://docs.datadoghq.com/security/ticketing_integrations/#bidirectional-ticket-syncing-with-jira). Security findings that are already attached to another Jira issue will be detached from their previous Jira issue and attached to the specified Jira issue. This endpoint requires any of the following permissions: `security_monitoring_findings_write`, `appsec_vm_write`.


### Request

#### Body Data (required)



{% tab title="Model" %}

| Parent field  | Field                            | Type     | Description                                                                                                                                                                                                                                                                                         |
| ------------- | -------------------------------- | -------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|               | data                             | object   | Data of the Jira issue to attach security findings to.                                                                                                                                                                                                                                              |
| data          | attributes                       | object   | Attributes of the Jira issue to attach security findings to.                                                                                                                                                                                                                                        |
| attributes    | jira_issue_url [*required*] | string   | URL of the Jira issue to attach security findings to.                                                                                                                                                                                                                                               |
| data          | relationships                    | object   | Relationships of the Jira issue to attach security findings to.                                                                                                                                                                                                                                     |
| relationships | findings [*required*]       | object   | Security findings to attach to the Jira issue.                                                                                                                                                                                                                                                      |
| findings      | data                             | [object] | Array of security finding data objects.                                                                                                                                                                                                                                                             |
| data          | id [*required*]             | string   | Unique identifier of the security finding.                                                                                                                                                                                                                                                          |
| data          | type [*required*]           | enum     | Security findings resource type. Allowed enum values: `findings`                                                                                                                                                                                                                                    |
| relationships | project [*required*]        | object   | Case management project with Jira integration configured. It is used to attach security findings to the Jira issue. To configure the integration, see [Bidirectional ticket syncing with Jira](https://docs.datadoghq.com/security/ticketing_integrations/#bidirectional-ticket-syncing-with-jira). |
| project       | data [*required*]           | object   | Data object representing a case management project.                                                                                                                                                                                                                                                 |
| data          | id [*required*]             | string   | Unique identifier of the case management project.                                                                                                                                                                                                                                                   |
| data          | type [*required*]           | enum     | Projects resource type. Allowed enum values: `projects`                                                                                                                                                                                                                                             |
| data          | type [*required*]           | enum     | Jira issues resource type. Allowed enum values: `jira_issues`                                                                                                                                                                                                                                       |

{% /tab %}

{% tab title="Example" %}

```json
{
  "data": {
    "attributes": {
      "jira_issue_url": "https://datadoghq-sandbox-538.atlassian.net/browse/CSMSEC-105476"
    },
    "relationships": {
      "findings": {
        "data": [
          {
            "id": "OTQ3NjJkMmYwMTIzMzMxNTc1Y2Q4MTA5NWU0NTBmMDl-ZjE3NjMxZWVkYzBjZGI1NDY2NWY2OGQxZDk4MDY4MmI=",
            "type": "findings"
          }
        ]
      },
      "project": {
        "data": {
          "id": "959a6f71-bac8-4027-b1d3-2264f569296f",
          "type": "projects"
        }
      }
    },
    "type": "jira_issues"
  }
}
```


```json
{
  "data": {
    "attributes": {
      "jira_issue_url": "https://datadoghq-sandbox-538.atlassian.net/browse/CSMSEC-105476"
    },
    "relationships": {
      "findings": {
        "data": [
          {
            "id": "OTQ3NjJkMmYwMTIzMzMxNTc1Y2Q4MTA5NWU0NTBmMDl-ZjE3NjMxZWVkYzBjZGI1NDY2NWY2OGQxZDk4MDY4MmI=",
            "type": "findings"
          },
          {
            "id": "MTNjN2ZmYWMzMDIxYmU1ZDFiZDRjNWUwN2I1NzVmY2F-YTA3MzllMTUzNWM3NmEyZjdiNzEzOWM5YmViZTMzOGM=",
            "type": "findings"
          }
        ]
      },
      "project": {
        "data": {
          "id": "959a6f71-bac8-4027-b1d3-2264f569296f",
          "type": "projects"
        }
      }
    },
    "type": "jira_issues"
  }
}
```

{% /tab %}
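The following pre-flight check is an added example, not code from Datadog's documentation or client libraries: it builds the request body from the model above and rejects input that exceeds the documented limit of 50 findings or that points at an unexpected Jira site. The function name, the host allowlist, the `/browse/<ISSUE-KEY>` path check, and the sample values are assumptions made for illustration.

```python
import json
from urllib.parse import urlsplit

MAX_FINDINGS_PER_ISSUE = 50  # limit stated in the endpoint overview


def build_attach_request(jira_issue_url, finding_ids, project_id, allowed_jira_hosts):
    """Build the PATCH body for /api/v2/security/findings/jira_issues.

    Raises ValueError for input that breaks the documented constraints or
    that would link findings to a Jira site outside the caller's allowlist.
    """
    url = urlsplit(jira_issue_url)
    if url.scheme != "https" or not url.hostname:
        raise ValueError("jira_issue_url must be an absolute https URL")
    if url.username or url.password:
        raise ValueError("jira_issue_url must not embed credentials")
    # Assumption: the caller maintains an allowlist of its own Jira hosts.
    if url.hostname not in {h.lower() for h in allowed_jira_hosts}:
        raise ValueError(f"Jira host not in allowlist: {url.hostname}")
    # Assumption: issue links look like /browse/<ISSUE-KEY>, as in the page's examples.
    segments = [s for s in url.path.split("/") if s]
    if len(segments) != 2 or segments[0] != "browse":
        raise ValueError("jira_issue_url must point at /browse/<ISSUE-KEY>")

    ids = list(finding_ids)
    if any(not isinstance(f, str) or not f.strip() for f in ids):
        raise ValueError("finding IDs must be non-empty strings")
    unique_ids = list(dict.fromkeys(ids))  # drop duplicates, keep order
    if not unique_ids:
        raise ValueError("at least one finding ID is required")
    if len(unique_ids) > MAX_FINDINGS_PER_ISSUE:
        raise ValueError(
            f"{len(unique_ids)} findings exceed the limit of "
            f"{MAX_FINDINGS_PER_ISSUE} per Jira issue"
        )
    if not isinstance(project_id, str) or not project_id.strip():
        raise ValueError("project_id is required")

    return {
        "data": {
            "attributes": {"jira_issue_url": jira_issue_url},
            "relationships": {
                "findings": {
                    "data": [{"id": f, "type": "findings"} for f in unique_ids]
                },
                "project": {"data": {"id": project_id, "type": "projects"}},
            },
            "type": "jira_issues",
        }
    }


if __name__ == "__main__":
    # Constructed sample input; the project ID is the one used in the page's examples.
    body = build_attach_request(
        "https://example.atlassian.net/browse/SEC-1",
        ["constructed-finding-1", "constructed-finding-2"],
        "959a6f71-bac8-4027-b1d3-2264f569296f",
        allowed_jira_hosts=["example.atlassian.net"],
    )
    print(json.dumps(body, indent=2))
```

Because the endpoint detaches findings from any Jira issue they were previously attached to, validating the target URL before the call avoids moving findings to an issue on the wrong site.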

### Response

{% tab title="200" %}
OK
{% tab title="Model" %}
Case response.

| Parent field         | Field                  | Type      | Description                                                                                                                                      |
| -------------------- | ---------------------- | --------- | ------------------------------------------------------------------------------------------------------------------------------------------------ |
|                      | data                   | object    | Data of the case.                                                                                                                                |
| data                 | attributes             | object    | Attributes of the case.                                                                                                                          |
| attributes           | archived_at            | date-time | Timestamp of when the case was archived.                                                                                                         |
| attributes           | assigned_to            | object    | User assigned to the case.                                                                                                                       |
| assigned_to          | data [*required*] | object    | Relationship to user object.                                                                                                                     |
| data                 | id [*required*]   | string    | A unique identifier that represents the user.                                                                                                    |
| data                 | type [*required*] | enum      | Users resource type. Allowed enum values: `users`                                                                                                |
| attributes           | attributes             | object    | Custom attributes associated with the case as key-value pairs where values are string arrays.                                                    |
| additionalProperties | <any-key>              | [string]  |                                                                                                                                                  |
| attributes           | closed_at              | date-time | Timestamp of when the case was closed.                                                                                                           |
| attributes           | created_at             | date-time | Timestamp of when the case was created.                                                                                                          |
| attributes           | creation_source        | string    | Source of the case creation.                                                                                                                     |
| attributes           | description            | string    | Description of the case.                                                                                                                         |
| attributes           | due_date               | string    | Due date of the case.                                                                                                                            |
| attributes           | insights               | [object]  | Insights of the case.                                                                                                                            |
| insights             | ref                    | string    | Reference of the insight.                                                                                                                        |
| insights             | resource_id            | string    | Unique identifier of the resource. For example, the unique identifier of a security finding.                                                     |
| insights             | type                   | string    | Type of the resource. For example, the type of a security finding is "SECURITY_FINDING".                                                         |
| attributes           | jira_issue             | object    | Jira issue associated with the case.                                                                                                             |
| jira_issue           | error_message          | string    | Error message if the Jira issue creation failed.                                                                                                 |
| jira_issue           | result                 | object    | Result of the Jira issue creation.                                                                                                               |
| result               | account_id             | string    | Account ID of the Jira issue.                                                                                                                    |
| result               | issue_id               | string    | Unique identifier of the Jira issue.                                                                                                             |
| result               | issue_key              | string    | Key of the Jira issue.                                                                                                                           |
| result               | issue_url              | string    | URL of the Jira issue.                                                                                                                           |
| jira_issue           | status                 | string    | Status of the Jira issue creation. Can be "COMPLETED" if the Jira issue was created successfully, or "FAILED" if the Jira issue creation failed. |
| attributes           | key                    | string    | Key of the case.                                                                                                                                 |
| attributes           | modified_at            | date-time | Timestamp of when the case was last modified.                                                                                                    |
| attributes           | priority               | string    | Priority of the case.                                                                                                                            |
| attributes           | status                 | string    | Status of the case.                                                                                                                              |
| attributes           | status_group           | string    | Status group of the case.                                                                                                                        |
| attributes           | status_name            | string    | Status name of the case.                                                                                                                         |
| attributes           | title                  | string    | Title of the case.                                                                                                                               |
| attributes           | type                   | string    | Type of the case. For security cases, this is always "SECURITY".                                                                                 |
| data                 | id                     | string    | Unique identifier of the case.                                                                                                                   |
| data                 | relationships          | object    | Relationships of the case.                                                                                                                       |
| relationships        | created_by             | object    | User who created the case.                                                                                                                       |
| created_by           | data [*required*] | object    | Relationship to user object.                                                                                                                     |
| data                 | id [*required*]   | string    | A unique identifier that represents the user.                                                                                                    |
| data                 | type [*required*] | enum      | Users resource type. Allowed enum values: `users`                                                                                                |
| relationships        | modified_by            | object    | User who last modified the case.                                                                                                                 |
| modified_by          | data [*required*] | object    | Relationship to user object.                                                                                                                     |
| data                 | id [*required*]   | string    | A unique identifier that represents the user.                                                                                                    |
| data                 | type [*required*] | enum      | Users resource type. Allowed enum values: `users`                                                                                                |
| relationships        | project                | object    | Project in which the case was created.                                                                                                           |
| project              | data [*required*] | object    | Data object representing a case management project.                                                                                              |
| data                 | id [*required*]   | string    | Unique identifier of the case management project.                                                                                                |
| data                 | type [*required*] | enum      | Projects resource type. Allowed enum values: `projects`                                                                                          |
| data                 | type [*required*] | enum      | Cases resource type. Allowed enum values: `cases`                                                                                                |

{% /tab %}

{% tab title="Example" %}

```json
{
  "data": {
    "attributes": {
      "archived_at": "2025-01-01T00:00:00.000Z",
      "assigned_to": {
        "data": {
          "id": "00000000-0000-0000-2345-000000000000",
          "type": "users"
        }
      },
      "attributes": {
        "<any-key>": []
      },
      "closed_at": "2025-01-01T00:00:00.000Z",
      "created_at": "2025-01-01T00:00:00.000Z",
      "creation_source": "CS_SECURITY_FINDING",
      "description": "A description of the case.",
      "due_date": "2025-01-01",
      "insights": [
        {
          "ref": "/security/appsec/vm/library/vulnerability/dfa027f7c037b2f77159adc027fecb56?detection=static",
          "resource_id": "ZGVmLTAwcC1pZXJ-aS0wZjhjNjMyZDNmMzRlZTgzNw==",
          "type": "SECURITY_FINDING"
        }
      ],
      "jira_issue": {
        "error_message": "{\"errorMessages\":[\"An error occured.\"],\"errors\":{}}",
        "result": {
          "account_id": "463a8631-680e-455c-bfd3-3ed04d326eb7",
          "issue_id": "2871276",
          "issue_key": "PROJ-123",
          "issue_url": "https://domain.atlassian.net/browse/PROJ-123"
        },
        "status": "COMPLETED"
      },
      "key": "PROJ-123",
      "modified_at": "2025-01-01T00:00:00.000Z",
      "priority": "P4",
      "status": "OPEN",
      "status_group": "SG_OPEN",
      "status_name": "Open",
      "title": "A title for the case.",
      "type": "SECURITY"
    },
    "id": "c1234567-89ab-cdef-0123-456789abcdef",
    "relationships": {
      "created_by": {
        "data": {
          "id": "00000000-0000-0000-2345-000000000000",
          "type": "users"
        }
      },
      "modified_by": {
        "data": {
          "id": "00000000-0000-0000-2345-000000000000",
          "type": "users"
        }
      },
      "project": {
        "data": {
          "id": "aeadc05e-98a8-11ec-ac2c-da7ad0900001",
          "type": "projects"
        }
      }
    },
    "type": "cases"
  }
}
```

{% /tab %}

{% /tab %}

{% tab title="400" %}
Bad Request
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="404" %}
Not Found
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="429" %}
Too many requests
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

### Code Example

```bash
# Curl command
# Replace api.datadoghq.com with the API host for your Datadog site.
curl -X PATCH "https://api.datadoghq.com/api/v2/security/findings/jira_issues" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "data": {
    "attributes": {
      "jira_issue_url": "https://datadoghq-sandbox-538.atlassian.net/browse/CSMSEC-105476"
    },
    "relationships": {
      "findings": {
        "data": [
          {
            "id": "OTQ3NjJkMmYwMTIzMzMxNTc1Y2Q4MTA5NWU0NTBmMDl-ZjE3NjMxZWVkYzBjZGI1NDY2NWY2OGQxZDk4MDY4MmI=",
            "type": "findings"
          }
        ]
      },
      "project": {
        "data": {
          "id": "959a6f71-bac8-4027-b1d3-2264f569296f",
          "type": "projects"
        }
      }
    },
    "type": "jira_issues"
  }
}
EOF
```

```bash
# Curl command
# Replace api.datadoghq.com with the API host for your Datadog site.
curl -X PATCH "https://api.datadoghq.com/api/v2/security/findings/jira_issues" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "data": {
    "attributes": {
      "jira_issue_url": "https://datadoghq-sandbox-538.atlassian.net/browse/CSMSEC-105476"
    },
    "relationships": {
      "findings": {
        "data": [
          {
            "id": "OTQ3NjJkMmYwMTIzMzMxNTc1Y2Q4MTA5NWU0NTBmMDl-ZjE3NjMxZWVkYzBjZGI1NDY2NWY2OGQxZDk4MDY4MmI=",
            "type": "findings"
          },
          {
            "id": "MTNjN2ZmYWMzMDIxYmU1ZDFiZDRjNWUwN2I1NzVmY2F-YTA3MzllMTUzNWM3NmEyZjdiNzEzOWM5YmViZTMzOGM=",
            "type": "findings"
          }
        ]
      },
      "project": {
        "data": {
          "id": "959a6f71-bac8-4027-b1d3-2264f569296f",
          "type": "projects"
        }
      }
    },
    "type": "jira_issues"
  }
}
EOF
```

```go
// Attach security finding to a Jira issue returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	body := datadogV2.AttachJiraIssueRequest{
		Data: &datadogV2.AttachJiraIssueRequestData{
			Attributes: &datadogV2.AttachJiraIssueRequestDataAttributes{
				JiraIssueUrl: "https://datadoghq-sandbox-538.atlassian.net/browse/CSMSEC-105476",
			},
			Relationships: &datadogV2.AttachJiraIssueRequestDataRelationships{
				Findings: datadogV2.Findings{
					Data: []datadogV2.FindingData{
						{
							Id:   "OTQ3NjJkMmYwMTIzMzMxNTc1Y2Q4MTA5NWU0NTBmMDl-ZjE3NjMxZWVkYzBjZGI1NDY2NWY2OGQxZDk4MDY4MmI=",
							Type: datadogV2.FINDINGDATATYPE_FINDINGS,
						},
					},
				},
				Project: datadogV2.CaseManagementProject{
					Data: datadogV2.CaseManagementProjectData{
						Id:   "959a6f71-bac8-4027-b1d3-2264f569296f",
						Type: datadogV2.CASEMANAGEMENTPROJECTDATATYPE_PROJECTS,
					},
				},
			},
			Type: datadogV2.JIRAISSUESDATATYPE_JIRA_ISSUES,
		},
	}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.AttachJiraIssue(ctx, body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.AttachJiraIssue`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.AttachJiraIssue`:\n%s\n", responseContent)
}
```

```go
// Attach security findings to a Jira issue returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	body := datadogV2.AttachJiraIssueRequest{
		Data: &datadogV2.AttachJiraIssueRequestData{
			Attributes: &datadogV2.AttachJiraIssueRequestDataAttributes{
				JiraIssueUrl: "https://datadoghq-sandbox-538.atlassian.net/browse/CSMSEC-105476",
			},
			Relationships: &datadogV2.AttachJiraIssueRequestDataRelationships{
				Findings: datadogV2.Findings{
					Data: []datadogV2.FindingData{
						{
							Id:   "OTQ3NjJkMmYwMTIzMzMxNTc1Y2Q4MTA5NWU0NTBmMDl-ZjE3NjMxZWVkYzBjZGI1NDY2NWY2OGQxZDk4MDY4MmI=",
							Type: datadogV2.FINDINGDATATYPE_FINDINGS,
						},
						{
							Id:   "MTNjN2ZmYWMzMDIxYmU1ZDFiZDRjNWUwN2I1NzVmY2F-YTA3MzllMTUzNWM3NmEyZjdiNzEzOWM5YmViZTMzOGM=",
							Type: datadogV2.FINDINGDATATYPE_FINDINGS,
						},
					},
				},
				Project: datadogV2.CaseManagementProject{
					Data: datadogV2.CaseManagementProjectData{
						Id:   "959a6f71-bac8-4027-b1d3-2264f569296f",
						Type: datadogV2.CASEMANAGEMENTPROJECTDATATYPE_PROJECTS,
					},
				},
			},
			Type: datadogV2.JIRAISSUESDATATYPE_JIRA_ISSUES,
		},
	}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.AttachJiraIssue(ctx, body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.AttachJiraIssue`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.AttachJiraIssue`:\n%s\n", responseContent)
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=go), then save the example to `main.go` and run the following command, setting `DD_SITE` to your Datadog site:

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
```

```java
// Attach security finding to a Jira issue returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.AttachJiraIssueRequest;
import com.datadog.api.client.v2.model.AttachJiraIssueRequestData;
import com.datadog.api.client.v2.model.AttachJiraIssueRequestDataAttributes;
import com.datadog.api.client.v2.model.AttachJiraIssueRequestDataRelationships;
import com.datadog.api.client.v2.model.CaseManagementProject;
import com.datadog.api.client.v2.model.CaseManagementProjectData;
import com.datadog.api.client.v2.model.CaseManagementProjectDataType;
import com.datadog.api.client.v2.model.FindingCaseResponse;
import com.datadog.api.client.v2.model.FindingData;
import com.datadog.api.client.v2.model.FindingDataType;
import com.datadog.api.client.v2.model.Findings;
import com.datadog.api.client.v2.model.JiraIssuesDataType;
import java.util.Collections;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    AttachJiraIssueRequest body =
        new AttachJiraIssueRequest()
            .data(
                new AttachJiraIssueRequestData()
                    .attributes(
                        new AttachJiraIssueRequestDataAttributes()
                            .jiraIssueUrl(
                                "https://datadoghq-sandbox-538.atlassian.net/browse/CSMSEC-105476"))
                    .relationships(
                        new AttachJiraIssueRequestDataRelationships()
                            .findings(
                                new Findings()
                                    .data(
                                        Collections.singletonList(
                                            new FindingData()
                                                .id(
                                                    "OTQ3NjJkMmYwMTIzMzMxNTc1Y2Q4MTA5NWU0NTBmMDl-ZjE3NjMxZWVkYzBjZGI1NDY2NWY2OGQxZDk4MDY4MmI=")
                                                .type(FindingDataType.FINDINGS))))
                            .project(
                                new CaseManagementProject()
                                    .data(
                                        new CaseManagementProjectData()
                                            .id("959a6f71-bac8-4027-b1d3-2264f569296f")
                                            .type(CaseManagementProjectDataType.PROJECTS))))
                    .type(JiraIssuesDataType.JIRA_ISSUES));

    try {
      FindingCaseResponse result = apiInstance.attachJiraIssue(body);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println("Exception when calling SecurityMonitoringApi#attachJiraIssue");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}
```

```java
// Attach security findings to a Jira issue returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.AttachJiraIssueRequest;
import com.datadog.api.client.v2.model.AttachJiraIssueRequestData;
import com.datadog.api.client.v2.model.AttachJiraIssueRequestDataAttributes;
import com.datadog.api.client.v2.model.AttachJiraIssueRequestDataRelationships;
import com.datadog.api.client.v2.model.CaseManagementProject;
import com.datadog.api.client.v2.model.CaseManagementProjectData;
import com.datadog.api.client.v2.model.CaseManagementProjectDataType;
import com.datadog.api.client.v2.model.FindingCaseResponse;
import com.datadog.api.client.v2.model.FindingData;
import com.datadog.api.client.v2.model.FindingDataType;
import com.datadog.api.client.v2.model.Findings;
import com.datadog.api.client.v2.model.JiraIssuesDataType;
import java.util.Arrays;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    AttachJiraIssueRequest body =
        new AttachJiraIssueRequest()
            .data(
                new AttachJiraIssueRequestData()
                    .attributes(
                        new AttachJiraIssueRequestDataAttributes()
                            .jiraIssueUrl(
                                "https://datadoghq-sandbox-538.atlassian.net/browse/CSMSEC-105476"))
                    .relationships(
                        new AttachJiraIssueRequestDataRelationships()
                            .findings(
                                new Findings()
                                    .data(
                                        Arrays.asList(
                                            new FindingData()
                                                .id(
                                                    "OTQ3NjJkMmYwMTIzMzMxNTc1Y2Q4MTA5NWU0NTBmMDl-ZjE3NjMxZWVkYzBjZGI1NDY2NWY2OGQxZDk4MDY4MmI=")
                                                .type(FindingDataType.FINDINGS),
                                            new FindingData()
                                                .id(
                                                    "MTNjN2ZmYWMzMDIxYmU1ZDFiZDRjNWUwN2I1NzVmY2F-YTA3MzllMTUzNWM3NmEyZjdiNzEzOWM5YmViZTMzOGM=")
                                                .type(FindingDataType.FINDINGS))))
                            .project(
                                new CaseManagementProject()
                                    .data(
                                        new CaseManagementProjectData()
                                            .id("959a6f71-bac8-4027-b1d3-2264f569296f")
                                            .type(CaseManagementProjectDataType.PROJECTS))))
                    .type(JiraIssuesDataType.JIRA_ISSUES));

    try {
      FindingCaseResponse result = apiInstance.attachJiraIssue(body);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println("Exception when calling SecurityMonitoringApi#attachJiraIssue");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=java), then save the example to `Example.java` and run the following command, setting `DD_SITE` to your Datadog site:

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"
```

```python
"""
Attach security finding to a Jira issue returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.attach_jira_issue_request import AttachJiraIssueRequest
from datadog_api_client.v2.model.attach_jira_issue_request_data import AttachJiraIssueRequestData
from datadog_api_client.v2.model.attach_jira_issue_request_data_attributes import AttachJiraIssueRequestDataAttributes
from datadog_api_client.v2.model.attach_jira_issue_request_data_relationships import (
    AttachJiraIssueRequestDataRelationships,
)
from datadog_api_client.v2.model.case_management_project import CaseManagementProject
from datadog_api_client.v2.model.case_management_project_data import CaseManagementProjectData
from datadog_api_client.v2.model.case_management_project_data_type import CaseManagementProjectDataType
from datadog_api_client.v2.model.finding_data import FindingData
from datadog_api_client.v2.model.finding_data_type import FindingDataType
from datadog_api_client.v2.model.findings import Findings
from datadog_api_client.v2.model.jira_issues_data_type import JiraIssuesDataType

body = AttachJiraIssueRequest(
    data=AttachJiraIssueRequestData(
        attributes=AttachJiraIssueRequestDataAttributes(
            jira_issue_url="https://datadoghq-sandbox-538.atlassian.net/browse/CSMSEC-105476",
        ),
        relationships=AttachJiraIssueRequestDataRelationships(
            findings=Findings(
                data=[
                    FindingData(
                        id="OTQ3NjJkMmYwMTIzMzMxNTc1Y2Q4MTA5NWU0NTBmMDl-ZjE3NjMxZWVkYzBjZGI1NDY2NWY2OGQxZDk4MDY4MmI=",
                        type=FindingDataType.FINDINGS,
                    ),
                ],
            ),
            project=CaseManagementProject(
                data=CaseManagementProjectData(
                    id="959a6f71-bac8-4027-b1d3-2264f569296f",
                    type=CaseManagementProjectDataType.PROJECTS,
                ),
            ),
        ),
        type=JiraIssuesDataType.JIRA_ISSUES,
    ),
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.attach_jira_issue(body=body)

    print(response)
```

```python
"""
Attach security findings to a Jira issue returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.attach_jira_issue_request import AttachJiraIssueRequest
from datadog_api_client.v2.model.attach_jira_issue_request_data import AttachJiraIssueRequestData
from datadog_api_client.v2.model.attach_jira_issue_request_data_attributes import AttachJiraIssueRequestDataAttributes
from datadog_api_client.v2.model.attach_jira_issue_request_data_relationships import (
    AttachJiraIssueRequestDataRelationships,
)
from datadog_api_client.v2.model.case_management_project import CaseManagementProject
from datadog_api_client.v2.model.case_management_project_data import CaseManagementProjectData
from datadog_api_client.v2.model.case_management_project_data_type import CaseManagementProjectDataType
from datadog_api_client.v2.model.finding_data import FindingData
from datadog_api_client.v2.model.finding_data_type import FindingDataType
from datadog_api_client.v2.model.findings import Findings
from datadog_api_client.v2.model.jira_issues_data_type import JiraIssuesDataType

body = AttachJiraIssueRequest(
    data=AttachJiraIssueRequestData(
        attributes=AttachJiraIssueRequestDataAttributes(
            jira_issue_url="https://datadoghq-sandbox-538.atlassian.net/browse/CSMSEC-105476",
        ),
        relationships=AttachJiraIssueRequestDataRelationships(
            findings=Findings(
                data=[
                    FindingData(
                        id="OTQ3NjJkMmYwMTIzMzMxNTc1Y2Q4MTA5NWU0NTBmMDl-ZjE3NjMxZWVkYzBjZGI1NDY2NWY2OGQxZDk4MDY4MmI=",
                        type=FindingDataType.FINDINGS,
                    ),
                    FindingData(
                        id="MTNjN2ZmYWMzMDIxYmU1ZDFiZDRjNWUwN2I1NzVmY2F-YTA3MzllMTUzNWM3NmEyZjdiNzEzOWM5YmViZTMzOGM=",
                        type=FindingDataType.FINDINGS,
                    ),
                ],
            ),
            project=CaseManagementProject(
                data=CaseManagementProjectData(
                    id="959a6f71-bac8-4027-b1d3-2264f569296f",
                    type=CaseManagementProjectDataType.PROJECTS,
                ),
            ),
        ),
        type=JiraIssuesDataType.JIRA_ISSUES,
    ),
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.attach_jira_issue(body=body)

    print(response)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=python), then save the example to `example.py` and run the following command, setting `DD_SITE` to your Datadog site:

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
```

```ruby
# Attach security finding to a Jira issue returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

body = DatadogAPIClient::V2::AttachJiraIssueRequest.new({
  data: DatadogAPIClient::V2::AttachJiraIssueRequestData.new({
    attributes: DatadogAPIClient::V2::AttachJiraIssueRequestDataAttributes.new({
      jira_issue_url: "https://datadoghq-sandbox-538.atlassian.net/browse/CSMSEC-105476",
    }),
    relationships: DatadogAPIClient::V2::AttachJiraIssueRequestDataRelationships.new({
      findings: DatadogAPIClient::V2::Findings.new({
        data: [
          DatadogAPIClient::V2::FindingData.new({
            id: "OTQ3NjJkMmYwMTIzMzMxNTc1Y2Q4MTA5NWU0NTBmMDl-ZjE3NjMxZWVkYzBjZGI1NDY2NWY2OGQxZDk4MDY4MmI=",
            type: DatadogAPIClient::V2::FindingDataType::FINDINGS,
          }),
        ],
      }),
      project: DatadogAPIClient::V2::CaseManagementProject.new({
        data: DatadogAPIClient::V2::CaseManagementProjectData.new({
          id: "959a6f71-bac8-4027-b1d3-2264f569296f",
          type: DatadogAPIClient::V2::CaseManagementProjectDataType::PROJECTS,
        }),
      }),
    }),
    type: DatadogAPIClient::V2::JiraIssuesDataType::JIRA_ISSUES,
  }),
})
p api_instance.attach_jira_issue(body)
```

```ruby
# Attach security findings to a Jira issue returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

body = DatadogAPIClient::V2::AttachJiraIssueRequest.new({
  data: DatadogAPIClient::V2::AttachJiraIssueRequestData.new({
    attributes: DatadogAPIClient::V2::AttachJiraIssueRequestDataAttributes.new({
      jira_issue_url: "https://datadoghq-sandbox-538.atlassian.net/browse/CSMSEC-105476",
    }),
    relationships: DatadogAPIClient::V2::AttachJiraIssueRequestDataRelationships.new({
      findings: DatadogAPIClient::V2::Findings.new({
        data: [
          DatadogAPIClient::V2::FindingData.new({
            id: "OTQ3NjJkMmYwMTIzMzMxNTc1Y2Q4MTA5NWU0NTBmMDl-ZjE3NjMxZWVkYzBjZGI1NDY2NWY2OGQxZDk4MDY4MmI=",
            type: DatadogAPIClient::V2::FindingDataType::FINDINGS,
          }),
          DatadogAPIClient::V2::FindingData.new({
            id: "MTNjN2ZmYWMzMDIxYmU1ZDFiZDRjNWUwN2I1NzVmY2F-YTA3MzllMTUzNWM3NmEyZjdiNzEzOWM5YmViZTMzOGM=",
            type: DatadogAPIClient::V2::FindingDataType::FINDINGS,
          }),
        ],
      }),
      project: DatadogAPIClient::V2::CaseManagementProject.new({
        data: DatadogAPIClient::V2::CaseManagementProjectData.new({
          id: "959a6f71-bac8-4027-b1d3-2264f569296f",
          type: DatadogAPIClient::V2::CaseManagementProjectDataType::PROJECTS,
        }),
      }),
    }),
    type: DatadogAPIClient::V2::JiraIssuesDataType::JIRA_ISSUES,
  }),
})
p api_instance.attach_jira_issue(body)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=ruby), then save the example to `example.rb` and run the following command, setting `DD_SITE` to your Datadog site:

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" ruby "example.rb"
```

```rust
// Attach security finding to a Jira issue returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::AttachJiraIssueRequest;
use datadog_api_client::datadogV2::model::AttachJiraIssueRequestData;
use datadog_api_client::datadogV2::model::AttachJiraIssueRequestDataAttributes;
use datadog_api_client::datadogV2::model::AttachJiraIssueRequestDataRelationships;
use datadog_api_client::datadogV2::model::CaseManagementProject;
use datadog_api_client::datadogV2::model::CaseManagementProjectData;
use datadog_api_client::datadogV2::model::CaseManagementProjectDataType;
use datadog_api_client::datadogV2::model::FindingData;
use datadog_api_client::datadogV2::model::FindingDataType;
use datadog_api_client::datadogV2::model::Findings;
use datadog_api_client::datadogV2::model::JiraIssuesDataType;

#[tokio::main]
async fn main() {
    let body =
        AttachJiraIssueRequest
        ::new().data(
            AttachJiraIssueRequestData::new(JiraIssuesDataType::JIRA_ISSUES)
                .attributes(
                    AttachJiraIssueRequestDataAttributes::new(
                        "https://datadoghq-sandbox-538.atlassian.net/browse/CSMSEC-105476".to_string(),
                    ),
                )
                .relationships(
                    AttachJiraIssueRequestDataRelationships::new(
                        Findings
                        ::new().data(
                            vec![
                                FindingData::new(
                                    "OTQ3NjJkMmYwMTIzMzMxNTc1Y2Q4MTA5NWU0NTBmMDl-ZjE3NjMxZWVkYzBjZGI1NDY2NWY2OGQxZDk4MDY4MmI=".to_string(),
                                    FindingDataType::FINDINGS,
                                )
                            ],
                        ),
                        CaseManagementProject::new(
                            CaseManagementProjectData::new(
                                "959a6f71-bac8-4027-b1d3-2264f569296f".to_string(),
                                CaseManagementProjectDataType::PROJECTS,
                            ),
                        ),
                    ),
                ),
        );
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api.attach_jira_issue(body).await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}
```

```rust
// Attach security findings to a Jira issue returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::AttachJiraIssueRequest;
use datadog_api_client::datadogV2::model::AttachJiraIssueRequestData;
use datadog_api_client::datadogV2::model::AttachJiraIssueRequestDataAttributes;
use datadog_api_client::datadogV2::model::AttachJiraIssueRequestDataRelationships;
use datadog_api_client::datadogV2::model::CaseManagementProject;
use datadog_api_client::datadogV2::model::CaseManagementProjectData;
use datadog_api_client::datadogV2::model::CaseManagementProjectDataType;
use datadog_api_client::datadogV2::model::FindingData;
use datadog_api_client::datadogV2::model::FindingDataType;
use datadog_api_client::datadogV2::model::Findings;
use datadog_api_client::datadogV2::model::JiraIssuesDataType;

#[tokio::main]
async fn main() {
    let body =
        AttachJiraIssueRequest
        ::new().data(
            AttachJiraIssueRequestData::new(JiraIssuesDataType::JIRA_ISSUES)
                .attributes(
                    AttachJiraIssueRequestDataAttributes::new(
                        "https://datadoghq-sandbox-538.atlassian.net/browse/CSMSEC-105476".to_string(),
                    ),
                )
                .relationships(
                    AttachJiraIssueRequestDataRelationships::new(
                        Findings
                        ::new().data(
                            vec![
                                FindingData::new(
                                    "OTQ3NjJkMmYwMTIzMzMxNTc1Y2Q4MTA5NWU0NTBmMDl-ZjE3NjMxZWVkYzBjZGI1NDY2NWY2OGQxZDk4MDY4MmI=".to_string(),
                                    FindingDataType::FINDINGS,
                                ),
                                FindingData::new(
                                    "MTNjN2ZmYWMzMDIxYmU1ZDFiZDRjNWUwN2I1NzVmY2F-YTA3MzllMTUzNWM3NmEyZjdiNzEzOWM5YmViZTMzOGM=".to_string(),
                                    FindingDataType::FINDINGS,
                                )
                            ],
                        ),
                        CaseManagementProject::new(
                            CaseManagementProjectData::new(
                                "959a6f71-bac8-4027-b1d3-2264f569296f".to_string(),
                                CaseManagementProjectDataType::PROJECTS,
                            ),
                        ),
                    ),
                ),
        );
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api.attach_jira_issue(body).await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=rust), then save the example to `src/main.rs` and run the following command, setting `DD_SITE` to your Datadog site:

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run
```

```typescript
/**
 * Attach security finding to a Jira issue returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiAttachJiraIssueRequest = {
  body: {
    data: {
      attributes: {
        jiraIssueUrl:
          "https://datadoghq-sandbox-538.atlassian.net/browse/CSMSEC-105476",
      },
      relationships: {
        findings: {
          data: [
            {
              id: "OTQ3NjJkMmYwMTIzMzMxNTc1Y2Q4MTA5NWU0NTBmMDl-ZjE3NjMxZWVkYzBjZGI1NDY2NWY2OGQxZDk4MDY4MmI=",
              type: "findings",
            },
          ],
        },
        project: {
          data: {
            id: "959a6f71-bac8-4027-b1d3-2264f569296f",
            type: "projects",
          },
        },
      },
      type: "jira_issues",
    },
  },
};

apiInstance
  .attachJiraIssue(params)
  .then((data: v2.FindingCaseResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));
```

```typescript
/**
 * Attach security findings to a Jira issue returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiAttachJiraIssueRequest = {
  body: {
    data: {
      attributes: {
        jiraIssueUrl:
          "https://datadoghq-sandbox-538.atlassian.net/browse/CSMSEC-105476",
      },
      relationships: {
        findings: {
          data: [
            {
              id: "OTQ3NjJkMmYwMTIzMzMxNTc1Y2Q4MTA5NWU0NTBmMDl-ZjE3NjMxZWVkYzBjZGI1NDY2NWY2OGQxZDk4MDY4MmI=",
              type: "findings",
            },
            {
              id: "MTNjN2ZmYWMzMDIxYmU1ZDFiZDRjNWUwN2I1NzVmY2F-YTA3MzllMTUzNWM3NmEyZjdiNzEzOWM5YmViZTMzOGM=",
              type: "findings",
            },
          ],
        },
        project: {
          data: {
            id: "959a6f71-bac8-4027-b1d3-2264f569296f",
            type: "projects",
          },
        },
      },
      type: "jira_issues",
    },
  },
};

apiInstance
  .attachJiraIssue(params)
  .then((data: v2.FindingCaseResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=typescript), then save the example to `example.ts` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"
{% /tab %}

## Update a custom framework{% #update-a-custom-framework %}

{% tab title="v2" %}

| Datadog site      | API endpoint                                                                                            |
| ----------------- | ------------------------------------------------------------------------------------------------------- |
| ap1.datadoghq.com | PUT https://api.ap1.datadoghq.com/api/v2/cloud_security_management/custom_frameworks/{handle}/{version} |
| ap2.datadoghq.com | PUT https://api.ap2.datadoghq.com/api/v2/cloud_security_management/custom_frameworks/{handle}/{version} |
| app.datadoghq.eu  | PUT https://api.datadoghq.eu/api/v2/cloud_security_management/custom_frameworks/{handle}/{version}      |
| app.ddog-gov.com  | PUT https://api.ddog-gov.com/api/v2/cloud_security_management/custom_frameworks/{handle}/{version}      |
| app.datadoghq.com | PUT https://api.datadoghq.com/api/v2/cloud_security_management/custom_frameworks/{handle}/{version}     |
| us3.datadoghq.com | PUT https://api.us3.datadoghq.com/api/v2/cloud_security_management/custom_frameworks/{handle}/{version} |
| us5.datadoghq.com | PUT https://api.us5.datadoghq.com/api/v2/cloud_security_management/custom_frameworks/{handle}/{version} |

### Overview

Update a custom framework. This endpoint requires all of the following permissions: `security_monitoring_rules_read` and `security_monitoring_rules_write`.


OAuth apps require the `security_monitoring_rules_read, security_monitoring_rules_write` authorization [scope](https://docs.datadoghq.com/api/latest/scopes/#security-monitoring) to access this endpoint.



### Arguments

#### Path Parameters

| Name                      | Type   | Description           |
| ------------------------- | ------ | --------------------- |
| handle [*required*]  | string | The framework handle  |
| version [*required*] | string | The framework version |

### Request

#### Body Data (required)



{% tab title="Model" %}

| Parent field | Field                          | Type     | Description                                                                                             |
| ------------ | ------------------------------ | -------- | ------------------------------------------------------------------------------------------------------- |
|              | data [*required*]         | object   | Contains type and attributes for custom frameworks.                                                     |
| data         | attributes [*required*]   | object   | Framework Data Attributes.                                                                              |
| attributes   | description                    | string   | Framework Description                                                                                   |
| attributes   | handle [*required*]       | string   | Framework Handle                                                                                        |
| attributes   | icon_url                       | string   | Framework Icon URL                                                                                      |
| attributes   | name [*required*]         | string   | Framework Name                                                                                          |
| attributes   | requirements [*required*] | [object] | Framework Requirements                                                                                  |
| requirements | controls [*required*]     | [object] | Requirement Controls.                                                                                   |
| controls     | name [*required*]         | string   | Control Name.                                                                                           |
| controls     | rules_id [*required*]     | [string] | Rule IDs.                                                                                               |
| requirements | name [*required*]         | string   | Requirement Name.                                                                                       |
| attributes   | version [*required*]      | string   | Framework Version                                                                                       |
| data         | type [*required*]         | enum     | The type of the resource. The value must be `custom_framework`. Allowed enum values: `custom_framework` |

{% /tab %}

{% tab title="Example" %}

```json
{
  "data": {
    "type": "custom_framework",
    "attributes": {
      "name": "name",
      "handle": "create-framework-new",
      "version": "10",
      "icon_url": "test-url",
      "requirements": [
        {
          "name": "requirement",
          "controls": [
            {
              "name": "control",
              "rules_id": [
                "def-000-be9"
              ]
            }
          ]
        }
      ]
    }
  }
}
```

{% /tab %}
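
A pre-flight check for the request body described by the Model table above, as an added example that is not part of the Datadog documentation or client libraries. The names `validate_update_body` and `PAGE_EXAMPLE` are hypothetical, and the rule that the path `handle` and `version` should equal the values in the body is an assumption made here as a local safeguard, not something the page states.

```python
"""Pre-flight validation of an "Update a custom framework" request body."""

# Request body from the Example tab above, embedded so the check runs offline.
PAGE_EXAMPLE = {
    "data": {
        "type": "custom_framework",
        "attributes": {
            "name": "name",
            "handle": "create-framework-new",
            "version": "10",
            "icon_url": "test-url",
            "requirements": [
                {
                    "name": "requirement",
                    "controls": [{"name": "control", "rules_id": ["def-000-be9"]}],
                }
            ],
        },
    }
}


def _check_controls(controls, where, problems):
    """controls is a required list; each control needs name and rules_id ([string])."""
    if not isinstance(controls, list):
        problems.append(f"{where}.controls: required list is missing")
        return
    for j, control in enumerate(controls):
        cpath = f"{where}.controls[{j}]"
        if not isinstance(control, dict):
            problems.append(f"{cpath}: must be an object")
            continue
        if not isinstance(control.get("name"), str):
            problems.append(f"{cpath}.name: required string is missing")
        rules = control.get("rules_id")
        if not isinstance(rules, list) or not all(isinstance(r, str) for r in rules):
            problems.append(f"{cpath}.rules_id: required list of strings is missing")


def _check_requirements(requirements, problems):
    """requirements is a required list; each requirement needs name and controls."""
    if not isinstance(requirements, list):
        problems.append("data.attributes.requirements: required list is missing")
        return
    for i, requirement in enumerate(requirements):
        where = f"data.attributes.requirements[{i}]"
        if not isinstance(requirement, dict):
            problems.append(f"{where}: must be an object")
            continue
        if not isinstance(requirement.get("name"), str):
            problems.append(f"{where}.name: required string is missing")
        _check_controls(requirement.get("controls"), where, problems)


def validate_update_body(body, path_handle=None, path_version=None):
    """Return a list of problems; an empty list means the body fits the Model table."""
    problems = []
    data = body.get("data") if isinstance(body, dict) else None
    if not isinstance(data, dict):
        return ["data: required object is missing"]
    if data.get("type") != "custom_framework":
        problems.append("data.type: must be 'custom_framework'")
    attrs = data.get("attributes")
    if not isinstance(attrs, dict):
        return problems + ["data.attributes: required object is missing"]
    # Required string attributes. version is a string, so 10 (a number) is rejected.
    for field in ("handle", "name", "version"):
        if not isinstance(attrs.get(field), str):
            problems.append(f"data.attributes.{field}: required string is missing")
    # Optional string attributes.
    for field in ("description", "icon_url"):
        if field in attrs and not isinstance(attrs[field], str):
            problems.append(f"data.attributes.{field}: must be a string")
    _check_requirements(attrs.get("requirements"), problems)
    # Assumption (local safeguard, not stated on the page): the {handle}/{version}
    # in the URL should name the same framework as the body being sent.
    for field, path_value in (("handle", path_handle), ("version", path_version)):
        body_value = attrs.get(field)
        if path_value is not None and isinstance(body_value, str) and body_value != path_value:
            problems.append(
                f"path {field} {path_value!r} differs from data.attributes.{field} {body_value!r}"
            )
    return problems


if __name__ == "__main__":
    result = validate_update_body(PAGE_EXAMPLE, "create-framework-new", "10")
    for line in result or ["body OK"]:
        print(line)
```

Running the check before the `PUT` catches a malformed framework definition locally instead of through a 400 response.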

### Response

{% tab title="200" %}
OK
{% tab title="Model" %}
Response object to update a custom framework.

| Parent field | Field                        | Type   | Description                                                                                             |
| ------------ | ---------------------------- | ------ | ------------------------------------------------------------------------------------------------------- |
|              | data [*required*]       | object | Contains type and attributes for custom frameworks.                                                     |
| data         | attributes [*required*] | object | Framework Handle and Version.                                                                           |
| attributes   | handle                       | string | Framework Handle                                                                                        |
| attributes   | version                      | string | Framework Version                                                                                       |
| data         | id [*required*]         | string | The ID of the custom framework.                                                                         |
| data         | type [*required*]       | enum   | The type of the resource. The value must be `custom_framework`. Allowed enum values: `custom_framework` |

{% /tab %}

{% tab title="Example" %}

```json
{
  "data": {
    "attributes": {
      "handle": "sec2",
      "version": "2"
    },
    "id": "handle-version",
    "type": "custom_framework"
  }
}
```

{% /tab %}

{% /tab %}

{% tab title="400" %}
Bad Request
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="429" %}
Too many requests
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="500" %}
Bad Request
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

### Code Example

```bash
# Path parameters
export handle="CHANGE_ME"
export version="CHANGE_ME"
# Curl command (replace api.datadoghq.com with the API host for your Datadog site from the table above)
curl -X PUT "https://api.datadoghq.com/api/v2/cloud_security_management/custom_frameworks/${handle}/${version}" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "data": {
    "type": "custom_framework",
    "attributes": {
      "name": "name",
      "handle": "create-framework-new",
      "version": "10",
      "icon_url": "test-url",
      "requirements": [
        {
          "name": "requirement",
          "controls": [
            {
              "name": "control",
              "rules_id": [
                "def-000-be9"
              ]
            }
          ]
        }
      ]
    }
  }
}
EOF
```

```go
// Update a custom framework returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	body := datadogV2.UpdateCustomFrameworkRequest{
		Data: datadogV2.CustomFrameworkData{
			Type: datadogV2.CUSTOMFRAMEWORKTYPE_CUSTOM_FRAMEWORK,
			Attributes: datadogV2.CustomFrameworkDataAttributes{
				Name:    "name",
				Handle:  "create-framework-new",
				Version: "10",
				IconUrl: datadog.PtrString("test-url"),
				Requirements: []datadogV2.CustomFrameworkRequirement{
					{
						Name: "requirement",
						Controls: []datadogV2.CustomFrameworkControl{
							{
								Name: "control",
								RulesId: []string{
									"def-000-be9",
								},
							},
						},
					},
				},
			},
		},
	}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.UpdateCustomFramework(ctx, "create-framework-new", "10", body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.UpdateCustomFramework`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.UpdateCustomFramework`:\n%s\n", responseContent)
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=go), then save the example to `main.go` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"

```java
// Update a custom framework returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.CustomFrameworkControl;
import com.datadog.api.client.v2.model.CustomFrameworkData;
import com.datadog.api.client.v2.model.CustomFrameworkDataAttributes;
import com.datadog.api.client.v2.model.CustomFrameworkRequirement;
import com.datadog.api.client.v2.model.CustomFrameworkType;
import com.datadog.api.client.v2.model.UpdateCustomFrameworkRequest;
import com.datadog.api.client.v2.model.UpdateCustomFrameworkResponse;
import java.util.Collections;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    UpdateCustomFrameworkRequest body =
        new UpdateCustomFrameworkRequest()
            .data(
                new CustomFrameworkData()
                    .type(CustomFrameworkType.CUSTOM_FRAMEWORK)
                    .attributes(
                        new CustomFrameworkDataAttributes()
                            .name("name")
                            .handle("create-framework-new")
                            .version("10")
                            .iconUrl("test-url")
                            .requirements(
                                Collections.singletonList(
                                    new CustomFrameworkRequirement()
                                        .name("requirement")
                                        .controls(
                                            Collections.singletonList(
                                                new CustomFrameworkControl()
                                                    .name("control")
                                                    .rulesId(
                                                        Collections.singletonList(
                                                            "def-000-be9"))))))));

    try {
      UpdateCustomFrameworkResponse result =
          apiInstance.updateCustomFramework("create-framework-new", "10", body);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println("Exception when calling SecurityMonitoringApi#updateCustomFramework");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=java), then save the example to `Example.java` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"

```python
"""
Update a custom framework returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.custom_framework_control import CustomFrameworkControl
from datadog_api_client.v2.model.custom_framework_data import CustomFrameworkData
from datadog_api_client.v2.model.custom_framework_data_attributes import CustomFrameworkDataAttributes
from datadog_api_client.v2.model.custom_framework_requirement import CustomFrameworkRequirement
from datadog_api_client.v2.model.custom_framework_type import CustomFrameworkType
from datadog_api_client.v2.model.update_custom_framework_request import UpdateCustomFrameworkRequest

body = UpdateCustomFrameworkRequest(
    data=CustomFrameworkData(
        type=CustomFrameworkType.CUSTOM_FRAMEWORK,
        attributes=CustomFrameworkDataAttributes(
            name="name",
            handle="create-framework-new",
            version="10",
            icon_url="test-url",
            requirements=[
                CustomFrameworkRequirement(
                    name="requirement",
                    controls=[
                        CustomFrameworkControl(
                            name="control",
                            rules_id=[
                                "def-000-be9",
                            ],
                        ),
                    ],
                ),
            ],
        ),
    ),
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.update_custom_framework(handle="create-framework-new", version="10", body=body)

    print(response)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=python), then save the example to `example.py` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"

```ruby
# Update a custom framework returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

body = DatadogAPIClient::V2::UpdateCustomFrameworkRequest.new({
  data: DatadogAPIClient::V2::CustomFrameworkData.new({
    type: DatadogAPIClient::V2::CustomFrameworkType::CUSTOM_FRAMEWORK,
    attributes: DatadogAPIClient::V2::CustomFrameworkDataAttributes.new({
      name: "name",
      handle: "create-framework-new",
      version: "10",
      icon_url: "test-url",
      requirements: [
        DatadogAPIClient::V2::CustomFrameworkRequirement.new({
          name: "requirement",
          controls: [
            DatadogAPIClient::V2::CustomFrameworkControl.new({
              name: "control",
              rules_id: [
                "def-000-be9",
              ],
            }),
          ],
        }),
      ],
    }),
  }),
})
p api_instance.update_custom_framework("create-framework-new", "10", body)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=ruby), then save the example to `example.rb` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" ruby "example.rb"

```rust
// Update a custom framework returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::CustomFrameworkControl;
use datadog_api_client::datadogV2::model::CustomFrameworkData;
use datadog_api_client::datadogV2::model::CustomFrameworkDataAttributes;
use datadog_api_client::datadogV2::model::CustomFrameworkRequirement;
use datadog_api_client::datadogV2::model::CustomFrameworkType;
use datadog_api_client::datadogV2::model::UpdateCustomFrameworkRequest;

#[tokio::main]
async fn main() {
    let body = UpdateCustomFrameworkRequest::new(CustomFrameworkData::new(
        CustomFrameworkDataAttributes::new(
            "create-framework-new".to_string(),
            "name".to_string(),
            vec![CustomFrameworkRequirement::new(
                vec![CustomFrameworkControl::new(
                    "control".to_string(),
                    vec!["def-000-be9".to_string()],
                )],
                "requirement".to_string(),
            )],
            "10".to_string(),
        )
        .icon_url("test-url".to_string()),
        CustomFrameworkType::CUSTOM_FRAMEWORK,
    ));
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api
        .update_custom_framework("create-framework-new".to_string(), "10".to_string(), body)
        .await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=rust), then save the example to `src/main.rs` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run

```typescript
/**
 * Update a custom framework returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiUpdateCustomFrameworkRequest = {
  body: {
    data: {
      type: "custom_framework",
      attributes: {
        name: "name",
        handle: "create-framework-new",
        version: "10",
        iconUrl: "test-url",
        requirements: [
          {
            name: "requirement",
            controls: [
              {
                name: "control",
                rulesId: ["def-000-be9"],
              },
            ],
          },
        ],
      },
    },
  },
  handle: "create-framework-new",
  version: "10",
};

apiInstance
  .updateCustomFramework(params)
  .then((data: v2.UpdateCustomFrameworkResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=typescript), then save the example to `example.ts` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"
{% /tab %}

## Delete a custom framework{% #delete-a-custom-framework %}

{% tab title="v2" %}

| Datadog site      | API endpoint                                                                                               |
| ----------------- | ---------------------------------------------------------------------------------------------------------- |
| ap1.datadoghq.com | DELETE https://api.ap1.datadoghq.com/api/v2/cloud_security_management/custom_frameworks/{handle}/{version} |
| ap2.datadoghq.com | DELETE https://api.ap2.datadoghq.com/api/v2/cloud_security_management/custom_frameworks/{handle}/{version} |
| app.datadoghq.eu  | DELETE https://api.datadoghq.eu/api/v2/cloud_security_management/custom_frameworks/{handle}/{version}      |
| app.ddog-gov.com  | DELETE https://api.ddog-gov.com/api/v2/cloud_security_management/custom_frameworks/{handle}/{version}      |
| app.datadoghq.com | DELETE https://api.datadoghq.com/api/v2/cloud_security_management/custom_frameworks/{handle}/{version}     |
| us3.datadoghq.com | DELETE https://api.us3.datadoghq.com/api/v2/cloud_security_management/custom_frameworks/{handle}/{version} |
| us5.datadoghq.com | DELETE https://api.us5.datadoghq.com/api/v2/cloud_security_management/custom_frameworks/{handle}/{version} |

### Overview

Delete a custom framework. This endpoint requires all of the following permissions: `security_monitoring_rules_read` and `security_monitoring_rules_write`.


OAuth apps require the `security_monitoring_rules_read, security_monitoring_rules_write` authorization [scope](https://docs.datadoghq.com/api/latest/scopes/#security-monitoring) to access this endpoint.



### Arguments

#### Path Parameters

| Name                      | Type   | Description           |
| ------------------------- | ------ | --------------------- |
| handle [*required*]  | string | The framework handle  |
| version [*required*] | string | The framework version |

### Response

{% tab title="200" %}
OK
{% tab title="Model" %}
Response object to delete a custom framework.

| Parent field | Field                     | Type   | Description                                                                                             |
| ------------ | ------------------------- | ------ | ------------------------------------------------------------------------------------------------------- |
|              | data [*required*]    | object | Metadata for custom frameworks.                                                                         |
| data         | attributes                | object | Framework without requirements.                                                                         |
| attributes   | description               | string | Framework Description                                                                                   |
| attributes   | handle [*required*]  | string | Framework Handle                                                                                        |
| attributes   | icon_url                  | string | Framework Icon URL                                                                                      |
| attributes   | name [*required*]    | string | Framework Name                                                                                          |
| attributes   | version [*required*] | string | Framework Version                                                                                       |
| data         | id                        | string | The ID of the custom framework.                                                                         |
| data         | type                      | enum   | The type of the resource. The value must be `custom_framework`. Allowed enum values: `custom_framework` |

{% /tab %}

{% tab title="Example" %}

```json
{
  "data": {
    "attributes": {
      "description": "this is a security description",
      "handle": "sec2",
      "icon_url": "https://example.com/icon.png",
      "name": "security-framework",
      "version": "2"
    },
    "id": "handle-version",
    "type": "custom_framework"
  }
}
```

{% /tab %}

{% /tab %}

{% tab title="400" %}
Bad Request
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="429" %}
Too many requests
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="500" %}
Bad Request
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

### Code Example

```bash
# Path parameters
export handle="CHANGE_ME"
export version="CHANGE_ME"
# Curl command (replace api.datadoghq.com with the API host for your Datadog site from the table above)
curl -X DELETE "https://api.datadoghq.com/api/v2/cloud_security_management/custom_frameworks/${handle}/${version}" \
-H "Accept: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"
```

```python
"""
Delete a custom framework returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.delete_custom_framework(
        handle="create-framework-new",
        version="10",
    )

    print(response)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=python), then save the example to `example.py` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"

```ruby
# Delete a custom framework returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new
p api_instance.delete_custom_framework("create-framework-new", "10")
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=ruby), then save the example to `example.rb` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" ruby "example.rb"

```go
// Delete a custom framework returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.DeleteCustomFramework(ctx, "create-framework-new", "10")

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.DeleteCustomFramework`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.DeleteCustomFramework`:\n%s\n", responseContent)
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=go), then save the example to `main.go` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"

```java
// Delete a custom framework returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.DeleteCustomFrameworkResponse;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    try {
      DeleteCustomFrameworkResponse result =
          apiInstance.deleteCustomFramework("create-framework-new", "10");
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println("Exception when calling SecurityMonitoringApi#deleteCustomFramework");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=java), then save the example to `Example.java` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"

```rust
// Delete a custom framework returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;

#[tokio::main]
async fn main() {
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api
        .delete_custom_framework("create-framework-new".to_string(), "10".to_string())
        .await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=rust) and then save the example to `src/main.rs` and run the following command (set `DD_SITE` to your Datadog site):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run
```

```typescript
/**
 * Delete a custom framework returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiDeleteCustomFrameworkRequest = {
  handle: "create-framework-new",
  version: "10",
};

apiInstance
  .deleteCustomFramework(params)
  .then((data: v2.DeleteCustomFrameworkResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=typescript) and then save the example to `example.ts` and run the following command (set `DD_SITE` to your Datadog site):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"
```
{% /tab %}

## Get a custom framework{% #get-a-custom-framework %}

{% tab title="v2" %}

| Datadog site      | API endpoint                                                                                            |
| ----------------- | ------------------------------------------------------------------------------------------------------- |
| ap1.datadoghq.com | GET https://api.ap1.datadoghq.com/api/v2/cloud_security_management/custom_frameworks/{handle}/{version} |
| ap2.datadoghq.com | GET https://api.ap2.datadoghq.com/api/v2/cloud_security_management/custom_frameworks/{handle}/{version} |
| app.datadoghq.eu  | GET https://api.datadoghq.eu/api/v2/cloud_security_management/custom_frameworks/{handle}/{version}      |
| app.ddog-gov.com  | GET https://api.ddog-gov.com/api/v2/cloud_security_management/custom_frameworks/{handle}/{version}      |
| app.datadoghq.com | GET https://api.datadoghq.com/api/v2/cloud_security_management/custom_frameworks/{handle}/{version}     |
| us3.datadoghq.com | GET https://api.us3.datadoghq.com/api/v2/cloud_security_management/custom_frameworks/{handle}/{version} |
| us5.datadoghq.com | GET https://api.us5.datadoghq.com/api/v2/cloud_security_management/custom_frameworks/{handle}/{version} |

### Overview

Get a custom framework. This endpoint requires the `security_monitoring_rules_read` permission.

OAuth apps require the `security_monitoring_rules_read` authorization [scope](https://docs.datadoghq.com/api/latest/scopes/#security-monitoring) to access this endpoint.



### Arguments

#### Path Parameters

| Name                      | Type   | Description           |
| ------------------------- | ------ | --------------------- |
| handle [*required*]  | string | The framework handle  |
| version [*required*] | string | The framework version |

### Response

{% tab title="200" %}
OK
{% tab title="Model" %}
Response object to get a custom framework.

| Parent field | Field                          | Type     | Description                                                                                             |
| ------------ | ------------------------------ | -------- | ------------------------------------------------------------------------------------------------------- |
|              | data [*required*]         | object   | Contains type and attributes for custom frameworks.                                                     |
| data         | attributes [*required*]   | object   | Full Framework Data Attributes.                                                                         |
| attributes   | handle [*required*]       | string   | Framework Handle                                                                                        |
| attributes   | icon_url                       | string   | Framework Icon URL                                                                                      |
| attributes   | name [*required*]         | string   | Framework Name                                                                                          |
| attributes   | requirements [*required*] | [object] | Framework Requirements                                                                                  |
| requirements | controls [*required*]     | [object] | Requirement Controls.                                                                                   |
| controls     | name [*required*]         | string   | Control Name.                                                                                           |
| controls     | rules_id [*required*]     | [string] | Rule IDs.                                                                                               |
| requirements | name [*required*]         | string   | Requirement Name.                                                                                       |
| attributes   | version [*required*]      | string   | Framework Version                                                                                       |
| data         | id [*required*]           | string   | The ID of the custom framework.                                                                         |
| data         | type [*required*]         | enum     | The type of the resource. The value must be `custom_framework`. Allowed enum values: `custom_framework` |

{% /tab %}

{% tab title="Example" %}

```json
{
  "data": {
    "attributes": {
      "handle": "sec2",
      "icon_url": "https://example.com/icon.png",
      "name": "security-framework",
      "requirements": [
        {
          "controls": [
            {
              "name": "A1.2",
              "rules_id": [
                "def-000-abc"
              ]
            }
          ],
          "name": "criteria"
        }
      ],
      "version": "2"
    },
    "id": "handle-version",
    "type": "custom_framework"
  }
}
```

{% /tab %}

{% /tab %}

{% tab title="400" %}
Bad Request
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="429" %}
Too many requests
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="500" %}
Bad Request
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

### Code Example

```bash
# Path parameters
export handle="CHANGE_ME"
export version="CHANGE_ME"
# Curl command
curl -X GET "https://api.datadoghq.com/api/v2/cloud_security_management/custom_frameworks/${handle}/${version}" \
-H "Accept: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"
```

```python
"""
Get a custom framework returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.get_custom_framework(
        handle="create-framework-new",
        version="10",
    )

    print(response)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=python) and then save the example to `example.py` and run the following command (set `DD_SITE` to your Datadog site):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
```

```ruby
# Get a custom framework returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new
p api_instance.get_custom_framework("create-framework-new", "10")
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=ruby) and then save the example to `example.rb` and run the following command (set `DD_SITE` to your Datadog site):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" ruby "example.rb"
```

```go
// Get a custom framework returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.GetCustomFramework(ctx, "create-framework-new", "10")

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.GetCustomFramework`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.GetCustomFramework`:\n%s\n", responseContent)
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=go) and then save the example to `main.go` and run the following command (set `DD_SITE` to your Datadog site):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
```

```java
// Get a custom framework returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.GetCustomFrameworkResponse;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    try {
      GetCustomFrameworkResponse result =
          apiInstance.getCustomFramework("create-framework-new", "10");
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println("Exception when calling SecurityMonitoringApi#getCustomFramework");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=java) and then save the example to `Example.java` and run the following command (set `DD_SITE` to your Datadog site):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"
```

```rust
// Get a custom framework returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;

#[tokio::main]
async fn main() {
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api
        .get_custom_framework("create-framework-new".to_string(), "10".to_string())
        .await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=rust) and then save the example to `src/main.rs` and run the following command (set `DD_SITE` to your Datadog site):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run
```

```typescript
/**
 * Get a custom framework returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiGetCustomFrameworkRequest = {
  handle: "create-framework-new",
  version: "10",
};

apiInstance
  .getCustomFramework(params)
  .then((data: v2.GetCustomFrameworkResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=typescript) and then save the example to `example.ts` and run the following command (set `DD_SITE` to your Datadog site):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"
```
{% /tab %}
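
The response model above nests rule IDs under requirements and controls, so a common review step is to check which controls reference no rules at all. The following is an added example, not part of the Datadog client library: it validates the fields the model marks as required and builds a rule-to-control index. The function names and the extra `A1.3` control in the sample are assumptions made for illustration, and the script works on an embedded document rather than calling the API.

```python
"""Audit a custom framework response for controls that reference no rules."""
import json
from collections import defaultdict

# Constructed sample: the 200 example above plus one added control ("A1.3")
# whose rules_id list is empty, so the gap check has something to find.
SAMPLE_RESPONSE = """
{"data": {
  "attributes": {
    "handle": "sec2",
    "icon_url": "https://example.com/icon.png",
    "name": "security-framework",
    "requirements": [
      {"name": "criteria",
       "controls": [
         {"name": "A1.2", "rules_id": ["def-000-abc"]},
         {"name": "A1.3", "rules_id": []}
       ]}
    ],
    "version": "2"
  },
  "id": "handle-version",
  "type": "custom_framework"
}}
"""


def _is_str_list(value):
    return isinstance(value, list) and all(isinstance(v, str) for v in value)


def validate_framework(doc):
    """Return a list of problems with the fields the model marks as required."""
    data = doc.get("data") if isinstance(doc, dict) else None
    if not isinstance(data, dict):
        return ["data: missing or not an object"]
    problems = []
    if data.get("type") != "custom_framework":
        problems.append("data.type: must be 'custom_framework'")
    if not isinstance(data.get("id"), str):
        problems.append("data.id: missing or not a string")
    attrs = data.get("attributes")
    if not isinstance(attrs, dict):
        return problems + ["data.attributes: missing or not an object"]
    for field in ("handle", "name", "version"):
        if not isinstance(attrs.get(field), str):
            problems.append("attributes.%s: missing or not a string" % field)
    requirements = attrs.get("requirements")
    if not isinstance(requirements, list):
        return problems + ["attributes.requirements: missing or not a list"]
    for i, req in enumerate(requirements):
        where = "requirements[%d]" % i
        if not isinstance(req, dict):
            problems.append(where + ": not an object")
            continue
        if not isinstance(req.get("name"), str):
            problems.append(where + ".name: missing or not a string")
        controls = req.get("controls")
        if not isinstance(controls, list):
            problems.append(where + ".controls: missing or not a list")
            continue
        for j, control in enumerate(controls):
            cwhere = "%s.controls[%d]" % (where, j)
            if not isinstance(control, dict):
                problems.append(cwhere + ": not an object")
                continue
            if not isinstance(control.get("name"), str):
                problems.append(cwhere + ".name: missing or not a string")
            if not _is_str_list(control.get("rules_id")):
                problems.append(cwhere + ".rules_id: missing or not a list of strings")
    return problems


def audit_framework(doc):
    """Index rule IDs by (requirement, control) and list controls with no rules."""
    problems = validate_framework(doc)
    if problems:
        raise ValueError("invalid framework document: " + "; ".join(problems))
    rules = defaultdict(list)
    unmapped = []
    for req in doc["data"]["attributes"]["requirements"]:
        for control in req["controls"]:
            location = (req["name"], control["name"])
            if not control["rules_id"]:
                unmapped.append(location)
            for rule_id in control["rules_id"]:
                rules[rule_id].append(location)
    return {"rules": dict(rules), "unmapped_controls": unmapped}


if __name__ == "__main__":
    report = audit_framework(json.loads(SAMPLE_RESPONSE))
    print(json.dumps(report, indent=2))
```

To audit a live framework, pass the JSON body returned by the GET request above to `audit_framework` in place of the embedded sample.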

## List resource filters{% #list-resource-filters %}

{% tab title="v2" %}

| Datadog site      | API endpoint                                                                        |
| ----------------- | ----------------------------------------------------------------------------------- |
| ap1.datadoghq.com | GET https://api.ap1.datadoghq.com/api/v2/cloud_security_management/resource_filters |
| ap2.datadoghq.com | GET https://api.ap2.datadoghq.com/api/v2/cloud_security_management/resource_filters |
| app.datadoghq.eu  | GET https://api.datadoghq.eu/api/v2/cloud_security_management/resource_filters      |
| app.ddog-gov.com  | GET https://api.ddog-gov.com/api/v2/cloud_security_management/resource_filters      |
| app.datadoghq.com | GET https://api.datadoghq.com/api/v2/cloud_security_management/resource_filters     |
| us3.datadoghq.com | GET https://api.us3.datadoghq.com/api/v2/cloud_security_management/resource_filters |
| us5.datadoghq.com | GET https://api.us5.datadoghq.com/api/v2/cloud_security_management/resource_filters |

### Overview

List resource filters. This endpoint requires the `security_monitoring_filters_read` permission.

OAuth apps require the `security_monitoring_filters_read` authorization [scope](https://docs.datadoghq.com/api/latest/scopes/#security-monitoring) to access this endpoint.



### Arguments

#### Query Strings

| Name           | Type    | Description                                                                                                    |
| -------------- | ------- | -------------------------------------------------------------------------------------------------------------- |
| cloud_provider | string  | Filter resource filters by cloud provider (e.g. aws, gcp, azure).                                              |
| account_id     | string  | Filter resource filters by cloud provider account ID. This parameter is only valid when provider is specified. |
| skip_cache     | boolean | Skip cache for resource filters.                                                                               |

### Response

{% tab title="200" %}
OK
{% tab title="Model" %}
The definition of `GetResourceEvaluationFiltersResponse` object.

| Parent field         | Field                            | Type     | Description                                                                                                                    |
| -------------------- | -------------------------------- | -------- | ------------------------------------------------------------------------------------------------------------------------------ |
|                      | data [*required*]           | object   | The definition of `GetResourceFilterResponseData` object.                                                                      |
| data                 | attributes                       | object   | Attributes of a resource filter.                                                                                               |
| attributes           | cloud_provider [*required*] | object   | A map of cloud provider names (e.g., "aws", "gcp", "azure") to a map of account/resource IDs and their associated tag filters. |
| additionalProperties | <any-key>                        | object   |                                                                                                                                |
| additionalProperties | <any-key>                        | [string] |                                                                                                                                |
| attributes           | uuid                             | string   | The UUID of the resource filter.                                                                                               |
| data                 | id                               | string   | The `data` `id`.                                                                                                               |
| data                 | type                             | enum     | Constant string to identify the request type. Allowed enum values: `csm_resource_filter`                                       |

{% /tab %}

{% tab title="Example" %}

```json
{
  "data": {
    "attributes": {
      "cloud_provider": {
        "<any-key>": {
          "<any-key>": [
            "environment:production"
          ]
        }
      },
      "uuid": "string"
    },
    "id": "csm_resource_filter",
    "type": "csm_resource_filter"
  }
}
```

{% /tab %}

{% /tab %}

{% tab title="400" %}
Bad Request
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="403" %}
Not Authorized
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="429" %}
Too many requests
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

### Code Example

```bash
# Curl command
curl -X GET "https://api.datadoghq.com/api/v2/cloud_security_management/resource_filters" \
-H "Accept: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"
```

```python
"""
List resource filters returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.get_resource_evaluation_filters(
        cloud_provider="aws",
        account_id="123456789",
    )

    print(response)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=python) and then save the example to `example.py` and run the following command (set `DD_SITE` to your Datadog site):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
```

```ruby
# List resource filters returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new
opts = {
  cloud_provider: "aws",
  account_id: "123456789",
}
p api_instance.get_resource_evaluation_filters(opts)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=ruby) and then save the example to `example.rb` and run the following command (set `DD_SITE` to your Datadog site):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" ruby "example.rb"
```

```go
// List resource filters returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.GetResourceEvaluationFilters(ctx, *datadogV2.NewGetResourceEvaluationFiltersOptionalParameters().WithCloudProvider("aws").WithAccountId("123456789"))

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.GetResourceEvaluationFilters`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.GetResourceEvaluationFilters`:\n%s\n", responseContent)
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=go) and then save the example to `main.go` and run the following command (set `DD_SITE` to your Datadog site):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
```

```java
// List resource filters returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.api.SecurityMonitoringApi.GetResourceEvaluationFiltersOptionalParameters;
import com.datadog.api.client.v2.model.GetResourceEvaluationFiltersResponse;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    try {
      GetResourceEvaluationFiltersResponse result =
          apiInstance.getResourceEvaluationFilters(
              new GetResourceEvaluationFiltersOptionalParameters()
                  .cloudProvider("aws")
                  .accountId("123456789"));
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#getResourceEvaluationFilters");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=java) and then save the example to `Example.java` and run the following command (set `DD_SITE` to your Datadog site):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"
```

```rust
// List resource filters returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::GetResourceEvaluationFiltersOptionalParams;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;

#[tokio::main]
async fn main() {
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api
        .get_resource_evaluation_filters(
            GetResourceEvaluationFiltersOptionalParams::default()
                .cloud_provider("aws".to_string())
                .account_id("123456789".to_string()),
        )
        .await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=rust) and then save the example to `src/main.rs` and run the following command (set `DD_SITE` to your Datadog site):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run
```

```typescript
/**
 * List resource filters returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiGetResourceEvaluationFiltersRequest = {
  cloudProvider: "aws",
  accountId: "123456789",
};

apiInstance
  .getResourceEvaluationFilters(params)
  .then((data: v2.GetResourceEvaluationFiltersResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=typescript) and then save the example to `example.ts` and run the following command (set `DD_SITE` to your Datadog site):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"
```
{% /tab %}
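
Because the `cloud_provider` attribute is a nested map of provider, account ID and tag filters, comparing two saved copies of the 200 response shows exactly which account entries and tag filters changed between them. The following is an added example, not part of the Datadog client library: the function names are hypothetical, and the two snapshots are constructed sample data in the shape of the response model above.

```python
"""Diff two snapshots of the resource filter document returned by this endpoint."""

# Constructed snapshots in the shape of the 200 response above; the account
# IDs and tags are made-up sample values, not real accounts.
BEFORE = {"data": {"id": "csm_resource_filter", "type": "csm_resource_filter",
                   "attributes": {"cloud_provider": {
                       "aws": {"123456789": ["environment:production"]},
                       "gcp": {"project-a": ["team:payments"]},
                   }}}}
AFTER = {"data": {"id": "csm_resource_filter", "type": "csm_resource_filter",
                  "attributes": {"cloud_provider": {
                      "aws": {"123456789": ["environment:production",
                                            "environment:staging"]},
                      "azure": {"sub-1": ["tag1:v1"]},
                  }}}}


def index_filters(doc):
    """Map (provider, account_id) -> frozenset of tag filters, checking the shape."""
    data = doc.get("data") if isinstance(doc, dict) else None
    if not isinstance(data, dict) or data.get("type") != "csm_resource_filter":
        raise ValueError("data.type must be 'csm_resource_filter'")
    attrs = data.get("attributes")
    providers = attrs.get("cloud_provider") if isinstance(attrs, dict) else None
    if not isinstance(providers, dict):
        raise ValueError("data.attributes.cloud_provider must be an object")
    index = {}
    for provider, accounts in providers.items():
        if not isinstance(accounts, dict):
            raise ValueError("cloud_provider.%s must be an object" % provider)
        for account_id, tags in accounts.items():
            if not (isinstance(tags, list) and all(isinstance(t, str) for t in tags)):
                raise ValueError("cloud_provider.%s.%s must be a list of strings"
                                 % (provider, account_id))
            # An account with an empty tag list is still recorded as an entry.
            index[(provider, account_id)] = frozenset(tags)
    return index


def diff_filters(before, after):
    """Return a sorted list of (change, (provider, account_id), tags) tuples."""
    old, new = index_filters(before), index_filters(after)
    changes = []
    for key in sorted(set(old) | set(new)):
        if key not in old:
            changes.append(("account_added", key, sorted(new[key])))
        elif key not in new:
            changes.append(("account_removed", key, sorted(old[key])))
        else:
            added = sorted(new[key] - old[key])
            removed = sorted(old[key] - new[key])
            if added:
                changes.append(("tags_added", key, added))
            if removed:
                changes.append(("tags_removed", key, removed))
    return changes


if __name__ == "__main__":
    for change, (provider, account_id), tags in diff_filters(BEFORE, AFTER):
        print("%-16s %s/%s %s" % (change, provider, account_id, ", ".join(tags)))
```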

## Update resource filters{% #update-resource-filters %}

{% tab title="v2" %}

| Datadog site      | API endpoint                                                                        |
| ----------------- | ----------------------------------------------------------------------------------- |
| ap1.datadoghq.com | PUT https://api.ap1.datadoghq.com/api/v2/cloud_security_management/resource_filters |
| ap2.datadoghq.com | PUT https://api.ap2.datadoghq.com/api/v2/cloud_security_management/resource_filters |
| app.datadoghq.eu  | PUT https://api.datadoghq.eu/api/v2/cloud_security_management/resource_filters      |
| app.ddog-gov.com  | PUT https://api.ddog-gov.com/api/v2/cloud_security_management/resource_filters      |
| app.datadoghq.com | PUT https://api.datadoghq.com/api/v2/cloud_security_management/resource_filters     |
| us3.datadoghq.com | PUT https://api.us3.datadoghq.com/api/v2/cloud_security_management/resource_filters |
| us5.datadoghq.com | PUT https://api.us5.datadoghq.com/api/v2/cloud_security_management/resource_filters |

### Overview

Update resource filters. This endpoint requires the `security_monitoring_filters_write` permission.

OAuth apps require the `security_monitoring_filters_write` authorization [scope](https://docs.datadoghq.com/api/latest/scopes/#security-monitoring) to access this endpoint.



### Request

#### Body Data (required)



{% tab title="Model" %}

| Parent field         | Field                            | Type     | Description                                                                                                                    |
| -------------------- | -------------------------------- | -------- | ------------------------------------------------------------------------------------------------------------------------------ |
|                      | data [*required*]           | object   | The definition of `UpdateResourceFilterRequestData` object.                                                                    |
| data                 | attributes [*required*]     | object   | Attributes of a resource filter.                                                                                               |
| attributes           | cloud_provider [*required*] | object   | A map of cloud provider names (e.g., "aws", "gcp", "azure") to a map of account/resource IDs and their associated tag filters. |
| additionalProperties | <any-key>                        | object   |                                                                                                                                |
| additionalProperties | <any-key>                        | [string] |                                                                                                                                |
| attributes           | uuid                             | string   | The UUID of the resource filter.                                                                                               |
| data                 | id                               | string   | The `UpdateResourceEvaluationFiltersRequestData` `id`.                                                                         |
| data                 | type [*required*]           | enum     | Constant string to identify the request type. Allowed enum values: `csm_resource_filter`                                       |

{% /tab %}

{% tab title="Example" %}

```json
{
  "data": {
    "attributes": {
      "cloud_provider": {
        "aws": {
          "aws_account_id": [
            "tag1:v1"
          ]
        }
      }
    },
    "id": "csm_resource_filter",
    "type": "csm_resource_filter"
  }
}
```

{% /tab %}

### Response

{% tab title="201" %}
OK
{% tab title="Model" %}
The definition of `UpdateResourceEvaluationFiltersResponse` object.

| Parent field         | Field                            | Type     | Description                                                                                                                    |
| -------------------- | -------------------------------- | -------- | ------------------------------------------------------------------------------------------------------------------------------ |
|                      | data [*required*]           | object   | The definition of `UpdateResourceFilterResponseData` object.                                                                   |
| data                 | attributes [*required*]     | object   | Attributes of a resource filter.                                                                                               |
| attributes           | cloud_provider [*required*] | object   | A map of cloud provider names (e.g., "aws", "gcp", "azure") to a map of account/resource IDs and their associated tag filters. |
| additionalProperties | <any-key>                        | object   |                                                                                                                                |
| additionalProperties | <any-key>                        | [string] |                                                                                                                                |
| attributes           | uuid                             | string   | The UUID of the resource filter.                                                                                               |
| data                 | id                               | string   | The `data` `id`.                                                                                                               |
| data                 | type [*required*]           | enum     | Constant string to identify the request type. Allowed enum values: `csm_resource_filter`                                       |

{% /tab %}

{% tab title="Example" %}

```json
{
  "data": {
    "attributes": {
      "cloud_provider": {
        "<any-key>": {
          "<any-key>": [
            "environment:production"
          ]
        }
      },
      "uuid": "string"
    },
    "id": "csm_resource_filter",
    "type": "csm_resource_filter"
  }
}
```

{% /tab %}

{% /tab %}

{% tab title="400" %}
Bad Request
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="403" %}
Not Authorized
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="429" %}
Too many requests
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

### Code Example

```bash
# Curl command
# Replace api.datadoghq.com with the API host for your Datadog site:
# api.ap1.datadoghq.com, api.ap2.datadoghq.com, api.datadoghq.eu, api.ddog-gov.com,
# api.us3.datadoghq.com, or api.us5.datadoghq.com.
curl -X PUT "https://api.datadoghq.com/api/v2/cloud_security_management/resource_filters" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "data": {
    "attributes": {
      "cloud_provider": {
        "aws": {
          "aws_account_id": [
            "tag1:v1"
          ]
        }
      }
    },
    "id": "csm_resource_filter",
    "type": "csm_resource_filter"
  }
}
EOF
```

```go
// Update resource filters returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	body := datadogV2.UpdateResourceEvaluationFiltersRequest{
		Data: datadogV2.UpdateResourceEvaluationFiltersRequestData{
			Attributes: datadogV2.ResourceFilterAttributes{
				CloudProvider: map[string]map[string][]string{
					"aws": map[string][]string{
						"aws_account_id": []string{
							"tag1:v1",
						},
					},
				},
			},
			Id:   datadog.PtrString("csm_resource_filter"),
			Type: datadogV2.RESOURCEFILTERREQUESTTYPE_CSM_RESOURCE_FILTER,
		},
	}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.UpdateResourceEvaluationFilters(ctx, body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.UpdateResourceEvaluationFilters`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.UpdateResourceEvaluationFilters`:\n%s\n", responseContent)
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=go), then save the example to `main.go` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
```

```java
// Update resource filters returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.ResourceFilterAttributes;
import com.datadog.api.client.v2.model.ResourceFilterRequestType;
import com.datadog.api.client.v2.model.UpdateResourceEvaluationFiltersRequest;
import com.datadog.api.client.v2.model.UpdateResourceEvaluationFiltersRequestData;
import com.datadog.api.client.v2.model.UpdateResourceEvaluationFiltersResponse;
import java.util.Collections;
import java.util.Map;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    UpdateResourceEvaluationFiltersRequest body =
        new UpdateResourceEvaluationFiltersRequest()
            .data(
                new UpdateResourceEvaluationFiltersRequestData()
                    .attributes(
                        new ResourceFilterAttributes()
                            .cloudProvider(
                                Map.ofEntries(
                                    Map.entry(
                                        "aws",
                                        Map.ofEntries(
                                            Map.entry(
                                                "aws_account_id",
                                                Collections.singletonList("tag1:v1")))))))
                    .id("csm_resource_filter")
                    .type(ResourceFilterRequestType.CSM_RESOURCE_FILTER));

    try {
      UpdateResourceEvaluationFiltersResponse result =
          apiInstance.updateResourceEvaluationFilters(body);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#updateResourceEvaluationFilters");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=java), then save the example to `Example.java` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"
```

```python
"""
Update resource filters returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.resource_filter_attributes import ResourceFilterAttributes
from datadog_api_client.v2.model.resource_filter_request_type import ResourceFilterRequestType
from datadog_api_client.v2.model.update_resource_evaluation_filters_request import (
    UpdateResourceEvaluationFiltersRequest,
)
from datadog_api_client.v2.model.update_resource_evaluation_filters_request_data import (
    UpdateResourceEvaluationFiltersRequestData,
)

body = UpdateResourceEvaluationFiltersRequest(
    data=UpdateResourceEvaluationFiltersRequestData(
        attributes=ResourceFilterAttributes(
            cloud_provider=dict(
                aws=dict(
                    aws_account_id=[
                        "tag1:v1",
                    ],
                ),
            ),
        ),
        id="csm_resource_filter",
        type=ResourceFilterRequestType.CSM_RESOURCE_FILTER,
    ),
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.update_resource_evaluation_filters(body=body)

    print(response)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=python), then save the example to `example.py` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
```

```ruby
# Update resource filters returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

body = DatadogAPIClient::V2::UpdateResourceEvaluationFiltersRequest.new({
  data: DatadogAPIClient::V2::UpdateResourceEvaluationFiltersRequestData.new({
    attributes: DatadogAPIClient::V2::ResourceFilterAttributes.new({
      cloud_provider: {
        aws: {
          aws_account_id: [
            "tag1:v1",
          ],
        },
      },
    }),
    id: "csm_resource_filter",
    type: DatadogAPIClient::V2::ResourceFilterRequestType::CSM_RESOURCE_FILTER,
  }),
})
p api_instance.update_resource_evaluation_filters(body)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=ruby), then save the example to `example.rb` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" ruby "example.rb"
```

```rust
// Update resource filters returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::ResourceFilterAttributes;
use datadog_api_client::datadogV2::model::ResourceFilterRequestType;
use datadog_api_client::datadogV2::model::UpdateResourceEvaluationFiltersRequest;
use datadog_api_client::datadogV2::model::UpdateResourceEvaluationFiltersRequestData;
use std::collections::BTreeMap;

#[tokio::main]
async fn main() {
    let body = UpdateResourceEvaluationFiltersRequest::new(
        UpdateResourceEvaluationFiltersRequestData::new(
            ResourceFilterAttributes::new(BTreeMap::from([(
                "aws".to_string(),
                BTreeMap::from([("aws_account_id".to_string(), vec!["tag1:v1".to_string()])]),
            )])),
            ResourceFilterRequestType::CSM_RESOURCE_FILTER,
        )
        .id("csm_resource_filter".to_string()),
    );
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api.update_resource_evaluation_filters(body).await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=rust), then save the example to `src/main.rs` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run
```

```typescript
/**
 * Update resource filters returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiUpdateResourceEvaluationFiltersRequest = {
  body: {
    data: {
      attributes: {
        cloudProvider: {
          aws: {
            aws_account_id: ["tag1:v1"],
          },
        },
      },
      id: "csm_resource_filter",
      type: "csm_resource_filter",
    },
  },
};

apiInstance
  .updateResourceEvaluationFilters(params)
  .then((data: v2.UpdateResourceEvaluationFiltersResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=typescript), then save the example to `example.ts` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"
```
{% /tab %}

## Create a custom framework{% #create-a-custom-framework %}

{% tab title="v2" %}

| Datadog site      | API endpoint                                                                          |
| ----------------- | ------------------------------------------------------------------------------------- |
| ap1.datadoghq.com | POST https://api.ap1.datadoghq.com/api/v2/cloud_security_management/custom_frameworks |
| ap2.datadoghq.com | POST https://api.ap2.datadoghq.com/api/v2/cloud_security_management/custom_frameworks |
| app.datadoghq.eu  | POST https://api.datadoghq.eu/api/v2/cloud_security_management/custom_frameworks      |
| app.ddog-gov.com  | POST https://api.ddog-gov.com/api/v2/cloud_security_management/custom_frameworks      |
| app.datadoghq.com | POST https://api.datadoghq.com/api/v2/cloud_security_management/custom_frameworks     |
| us3.datadoghq.com | POST https://api.us3.datadoghq.com/api/v2/cloud_security_management/custom_frameworks |
| us5.datadoghq.com | POST https://api.us5.datadoghq.com/api/v2/cloud_security_management/custom_frameworks |

### Overview

Create a custom framework. This endpoint requires all of the following permissions: `security_monitoring_rules_read`, `security_monitoring_rules_write`.

OAuth apps require the `security_monitoring_rules_read, security_monitoring_rules_write` authorization [scope](https://docs.datadoghq.com/api/latest/scopes/#security-monitoring) to access this endpoint.

### Request

#### Body Data (required)



{% tab title="Model" %}

| Parent field | Field                          | Type     | Description                                                                                             |
| ------------ | ------------------------------ | -------- | ------------------------------------------------------------------------------------------------------- |
|              | data [*required*]         | object   | Contains type and attributes for custom frameworks.                                                     |
| data         | attributes [*required*]   | object   | Framework Data Attributes.                                                                              |
| attributes   | description                    | string   | Framework Description                                                                                   |
| attributes   | handle [*required*]       | string   | Framework Handle                                                                                        |
| attributes   | icon_url                       | string   | Framework Icon URL                                                                                      |
| attributes   | name [*required*]         | string   | Framework Name                                                                                          |
| attributes   | requirements [*required*] | [object] | Framework Requirements                                                                                  |
| requirements | controls [*required*]     | [object] | Requirement Controls.                                                                                   |
| controls     | name [*required*]         | string   | Control Name.                                                                                           |
| controls     | rules_id [*required*]     | [string] | Rule IDs.                                                                                               |
| requirements | name [*required*]         | string   | Requirement Name.                                                                                       |
| attributes   | version [*required*]      | string   | Framework Version                                                                                       |
| data         | type [*required*]         | enum     | The type of the resource. The value must be `custom_framework`. Allowed enum values: `custom_framework` |

{% /tab %}

{% tab title="Example" %}

```json
{
  "data": {
    "type": "custom_framework",
    "attributes": {
      "name": "name",
      "handle": "create-framework-new",
      "version": "10",
      "icon_url": "test-url",
      "requirements": [
        {
          "name": "requirement",
          "controls": [
            {
              "name": "control",
              "rules_id": [
                "def-000-be9"
              ]
            }
          ]
        }
      ]
    }
  }
}
```

{% /tab %}
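
The following pre-flight check is an added example, not part of the Datadog documentation or client libraries: it validates a request body against the required fields and types in the Model table above before the body is sent. The names `validate_custom_framework`, `PAGE_EXAMPLE` and `BROKEN_EXAMPLE` are chosen here, the broken body is constructed, and only presence and type are checked because the table states no length or format limits.

```python
"""Pre-flight validation of a custom framework request body (added example)."""

# Required string attributes, per the request Model table on this page.
REQUIRED_STRINGS = ("handle", "name", "version")
# Optional string attributes, per the same table.
OPTIONAL_STRINGS = ("description", "icon_url")


def _check_str(errors, obj, field, path, required=True):
    """Record an error when a field is absent (if required) or not a string."""
    if field not in obj:
        if required:
            errors.append(f"{path}.{field}: expected string")
    elif not isinstance(obj[field], str):
        errors.append(f"{path}.{field}: expected string")


def _check_controls(errors, controls, path):
    """Each control needs a string `name` and a `rules_id` array of strings."""
    for j, control in enumerate(controls):
        cpath = f"{path}[{j}]"
        if not isinstance(control, dict):
            errors.append(f"{cpath}: expected object")
            continue
        _check_str(errors, control, "name", cpath)
        rules = control.get("rules_id")
        if not isinstance(rules, list) or not all(isinstance(r, str) for r in rules):
            errors.append(f"{cpath}.rules_id: expected array of strings")


def validate_custom_framework(body):
    """Return "path: problem" strings; an empty list means the body has every
    required field of the Model table with the documented type."""
    errors = []
    data = body.get("data") if isinstance(body, dict) else None
    if not isinstance(data, dict):
        return ["data: expected object"]
    if data.get("type") != "custom_framework":
        errors.append("data.type: expected 'custom_framework'")
    attrs = data.get("attributes")
    if not isinstance(attrs, dict):
        return errors + ["data.attributes: expected object"]
    for field in REQUIRED_STRINGS:
        _check_str(errors, attrs, field, "data.attributes")
    for field in OPTIONAL_STRINGS:
        _check_str(errors, attrs, field, "data.attributes", required=False)
    requirements = attrs.get("requirements")
    if not isinstance(requirements, list):
        return errors + ["data.attributes.requirements: expected array of objects"]
    for i, req in enumerate(requirements):
        rpath = f"data.attributes.requirements[{i}]"
        if not isinstance(req, dict):
            errors.append(f"{rpath}: expected object")
            continue
        _check_str(errors, req, "name", rpath)
        controls = req.get("controls")
        if isinstance(controls, list):
            _check_controls(errors, controls, f"{rpath}.controls")
        else:
            errors.append(f"{rpath}.controls: expected array of objects")
    return errors


# The request body shown in the Example tab above.
PAGE_EXAMPLE = {
    "data": {
        "type": "custom_framework",
        "attributes": {
            "name": "name",
            "handle": "create-framework-new",
            "version": "10",
            "icon_url": "test-url",
            "requirements": [
                {"name": "requirement",
                 "controls": [{"name": "control", "rules_id": ["def-000-be9"]}]}
            ],
        },
    }
}

# Constructed for this example: wrong type value, numeric version, and a
# control without rules_id.
BROKEN_EXAMPLE = {
    "data": {
        "type": "custom_frameworks",
        "attributes": {
            "name": "name",
            "handle": "create-framework-new",
            "version": 10,
            "requirements": [
                {"name": "requirement", "controls": [{"name": "control"}]}
            ],
        },
    }
}

if __name__ == "__main__":
    for label, body in (("page example", PAGE_EXAMPLE), ("broken", BROKEN_EXAMPLE)):
        problems = validate_custom_framework(body)
        print(label, "->", problems or "ok")
```
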

### Response

{% tab title="200" %}
OK
{% tab title="Model" %}
Response object to create a custom framework.

| Parent field | Field                        | Type   | Description                                                                                             |
| ------------ | ---------------------------- | ------ | ------------------------------------------------------------------------------------------------------- |
|              | data [*required*]       | object | Contains type and attributes for custom frameworks.                                                     |
| data         | attributes [*required*] | object | Framework Handle and Version.                                                                           |
| attributes   | handle                       | string | Framework Handle                                                                                        |
| attributes   | version                      | string | Framework Version                                                                                       |
| data         | id [*required*]         | string | The ID of the custom framework.                                                                         |
| data         | type [*required*]       | enum   | The type of the resource. The value must be `custom_framework`. Allowed enum values: `custom_framework` |

{% /tab %}

{% tab title="Example" %}

```json
{
  "data": {
    "attributes": {
      "handle": "sec2",
      "version": "2"
    },
    "id": "handle-version",
    "type": "custom_framework"
  }
}
```

{% /tab %}

{% /tab %}

{% tab title="400" %}
Bad Request
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="409" %}
Conflict
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="429" %}
Too many requests
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="500" %}
Bad Request
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

### Code Example

```bash
# Curl command
# Replace api.datadoghq.com with the API host for your Datadog site:
# api.ap1.datadoghq.com, api.ap2.datadoghq.com, api.datadoghq.eu, api.ddog-gov.com,
# api.us3.datadoghq.com, or api.us5.datadoghq.com.
curl -X POST "https://api.datadoghq.com/api/v2/cloud_security_management/custom_frameworks" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "data": {
    "type": "custom_framework",
    "attributes": {
      "name": "name",
      "handle": "create-framework-new",
      "version": "10",
      "icon_url": "test-url",
      "requirements": [
        {
          "name": "requirement",
          "controls": [
            {
              "name": "control",
              "rules_id": [
                "def-000-be9"
              ]
            }
          ]
        }
      ]
    }
  }
}
EOF
```

```go
// Create a custom framework returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	body := datadogV2.CreateCustomFrameworkRequest{
		Data: datadogV2.CustomFrameworkData{
			Type: datadogV2.CUSTOMFRAMEWORKTYPE_CUSTOM_FRAMEWORK,
			Attributes: datadogV2.CustomFrameworkDataAttributes{
				Name:    "name",
				Handle:  "create-framework-new",
				Version: "10",
				IconUrl: datadog.PtrString("test-url"),
				Requirements: []datadogV2.CustomFrameworkRequirement{
					{
						Name: "requirement",
						Controls: []datadogV2.CustomFrameworkControl{
							{
								Name: "control",
								RulesId: []string{
									"def-000-be9",
								},
							},
						},
					},
				},
			},
		},
	}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.CreateCustomFramework(ctx, body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.CreateCustomFramework`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.CreateCustomFramework`:\n%s\n", responseContent)
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=go), then save the example to `main.go` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
```

```java
// Create a custom framework returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.CreateCustomFrameworkRequest;
import com.datadog.api.client.v2.model.CreateCustomFrameworkResponse;
import com.datadog.api.client.v2.model.CustomFrameworkControl;
import com.datadog.api.client.v2.model.CustomFrameworkData;
import com.datadog.api.client.v2.model.CustomFrameworkDataAttributes;
import com.datadog.api.client.v2.model.CustomFrameworkRequirement;
import com.datadog.api.client.v2.model.CustomFrameworkType;
import java.util.Collections;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    CreateCustomFrameworkRequest body =
        new CreateCustomFrameworkRequest()
            .data(
                new CustomFrameworkData()
                    .type(CustomFrameworkType.CUSTOM_FRAMEWORK)
                    .attributes(
                        new CustomFrameworkDataAttributes()
                            .name("name")
                            .handle("create-framework-new")
                            .version("10")
                            .iconUrl("test-url")
                            .requirements(
                                Collections.singletonList(
                                    new CustomFrameworkRequirement()
                                        .name("requirement")
                                        .controls(
                                            Collections.singletonList(
                                                new CustomFrameworkControl()
                                                    .name("control")
                                                    .rulesId(
                                                        Collections.singletonList(
                                                            "def-000-be9"))))))));

    try {
      CreateCustomFrameworkResponse result = apiInstance.createCustomFramework(body);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println("Exception when calling SecurityMonitoringApi#createCustomFramework");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=java), then save the example to `Example.java` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"
```

```python
"""
Create a custom framework returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.create_custom_framework_request import CreateCustomFrameworkRequest
from datadog_api_client.v2.model.custom_framework_control import CustomFrameworkControl
from datadog_api_client.v2.model.custom_framework_data import CustomFrameworkData
from datadog_api_client.v2.model.custom_framework_data_attributes import CustomFrameworkDataAttributes
from datadog_api_client.v2.model.custom_framework_requirement import CustomFrameworkRequirement
from datadog_api_client.v2.model.custom_framework_type import CustomFrameworkType

body = CreateCustomFrameworkRequest(
    data=CustomFrameworkData(
        type=CustomFrameworkType.CUSTOM_FRAMEWORK,
        attributes=CustomFrameworkDataAttributes(
            name="name",
            handle="create-framework-new",
            version="10",
            icon_url="test-url",
            requirements=[
                CustomFrameworkRequirement(
                    name="requirement",
                    controls=[
                        CustomFrameworkControl(
                            name="control",
                            rules_id=[
                                "def-000-be9",
                            ],
                        ),
                    ],
                ),
            ],
        ),
    ),
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.create_custom_framework(body=body)

    print(response)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=python), then save the example to `example.py` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
```

```ruby
# Create a custom framework returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

body = DatadogAPIClient::V2::CreateCustomFrameworkRequest.new({
  data: DatadogAPIClient::V2::CustomFrameworkData.new({
    type: DatadogAPIClient::V2::CustomFrameworkType::CUSTOM_FRAMEWORK,
    attributes: DatadogAPIClient::V2::CustomFrameworkDataAttributes.new({
      name: "name",
      handle: "create-framework-new",
      version: "10",
      icon_url: "test-url",
      requirements: [
        DatadogAPIClient::V2::CustomFrameworkRequirement.new({
          name: "requirement",
          controls: [
            DatadogAPIClient::V2::CustomFrameworkControl.new({
              name: "control",
              rules_id: [
                "def-000-be9",
              ],
            }),
          ],
        }),
      ],
    }),
  }),
})
p api_instance.create_custom_framework(body)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=ruby), then save the example to `example.rb` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" ruby "example.rb"
```

```rust
// Create a custom framework returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::CreateCustomFrameworkRequest;
use datadog_api_client::datadogV2::model::CustomFrameworkControl;
use datadog_api_client::datadogV2::model::CustomFrameworkData;
use datadog_api_client::datadogV2::model::CustomFrameworkDataAttributes;
use datadog_api_client::datadogV2::model::CustomFrameworkRequirement;
use datadog_api_client::datadogV2::model::CustomFrameworkType;

#[tokio::main]
async fn main() {
    let body = CreateCustomFrameworkRequest::new(CustomFrameworkData::new(
        CustomFrameworkDataAttributes::new(
            "create-framework-new".to_string(),
            "name".to_string(),
            vec![CustomFrameworkRequirement::new(
                vec![CustomFrameworkControl::new(
                    "control".to_string(),
                    vec!["def-000-be9".to_string()],
                )],
                "requirement".to_string(),
            )],
            "10".to_string(),
        )
        .icon_url("test-url".to_string()),
        CustomFrameworkType::CUSTOM_FRAMEWORK,
    ));
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api.create_custom_framework(body).await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=rust), then save the example to `src/main.rs` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run
```

```typescript
/**
 * Create a custom framework returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiCreateCustomFrameworkRequest = {
  body: {
    data: {
      type: "custom_framework",
      attributes: {
        name: "name",
        handle: "create-framework-new",
        version: "10",
        iconUrl: "test-url",
        requirements: [
          {
            name: "requirement",
            controls: [
              {
                name: "control",
                rulesId: ["def-000-be9"],
              },
            ],
          },
        ],
      },
    },
  },
};

apiInstance
  .createCustomFramework(params)
  .then((data: v2.CreateCustomFrameworkResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=typescript) and then save the example to `example.ts` and run the following command, with `DD_SITE` set to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="<DD_SITE>" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"
{% /tab %}

## Get all security filters{% #get-all-security-filters %}

{% tab title="v2" %}

| Datadog site      | API endpoint                                                                                |
| ----------------- | ------------------------------------------------------------------------------------------- |
| ap1.datadoghq.com | GET https://api.ap1.datadoghq.com/api/v2/security_monitoring/configuration/security_filters |
| ap2.datadoghq.com | GET https://api.ap2.datadoghq.com/api/v2/security_monitoring/configuration/security_filters |
| app.datadoghq.eu  | GET https://api.datadoghq.eu/api/v2/security_monitoring/configuration/security_filters      |
| app.ddog-gov.com  | GET https://api.ddog-gov.com/api/v2/security_monitoring/configuration/security_filters      |
| app.datadoghq.com | GET https://api.datadoghq.com/api/v2/security_monitoring/configuration/security_filters     |
| us3.datadoghq.com | GET https://api.us3.datadoghq.com/api/v2/security_monitoring/configuration/security_filters |
| us5.datadoghq.com | GET https://api.us5.datadoghq.com/api/v2/security_monitoring/configuration/security_filters |

### Overview

Get the list of configured security filters with their definitions. This endpoint requires the `security_monitoring_filters_read` permission.

OAuth apps require the `security_monitoring_filters_read` authorization [scope](https://docs.datadoghq.com/api/latest/scopes/#security-monitoring) to access this endpoint.



### Response

{% tab title="200" %}
OK
{% tab title="Model" %}
All the available security filters objects.

| Parent field      | Field              | Type     | Description                                                                                                      |
| ----------------- | ------------------ | -------- | ---------------------------------------------------------------------------------------------------------------- |
|                   | data               | [object] | A list of security filters objects.                                                                              |
| data              | attributes         | object   | The object describing a security filter.                                                                         |
| attributes        | exclusion_filters  | [object] | The list of exclusion filters applied in this security filter.                                                   |
| exclusion_filters | name               | string   | The exclusion filter name.                                                                                       |
| exclusion_filters | query              | string   | The exclusion filter query.                                                                                      |
| attributes        | filtered_data_type | enum     | The filtered data type. Allowed enum values: `logs`                                                              |
| attributes        | is_builtin         | boolean  | Whether the security filter is the built-in filter.                                                              |
| attributes        | is_enabled         | boolean  | Whether the security filter is enabled.                                                                          |
| attributes        | name               | string   | The security filter name.                                                                                        |
| attributes        | query              | string   | The security filter query. Logs accepted by this query will be accepted by this filter.                          |
| attributes        | version            | int32    | The version of the security filter.                                                                              |
| data              | id                 | string   | The ID of the security filter.                                                                                   |
| data              | type               | enum     | The type of the resource. The value should always be `security_filters`. Allowed enum values: `security_filters` |
|                   | meta               | object   | Optional metadata associated to the response.                                                                    |
| meta              | warning            | string   | A warning message.                                                                                               |

{% /tab %}

{% tab title="Example" %}

```json
{
  "data": [
    {
      "attributes": {
        "exclusion_filters": [
          {
            "name": "Exclude staging",
            "query": "source:staging"
          }
        ],
        "filtered_data_type": "logs",
        "is_builtin": false,
        "is_enabled": false,
        "name": "Custom security filter",
        "query": "service:api",
        "version": 1
      },
      "id": "3dd-0uc-h1s",
      "type": "security_filters"
    }
  ],
  "meta": {
    "warning": "All the security filters are disabled. As a result, no logs are being analyzed."
  }
}
```

{% /tab %}

{% /tab %}

{% tab title="403" %}
Not Authorized
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="429" %}
Too many requests
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

### Code Example

```bash
# Curl command
# Replace api.datadoghq.com with the API host for your Datadog site (see the endpoint table above).
curl -X GET "https://api.datadoghq.com/api/v2/security_monitoring/configuration/security_filters" \
-H "Accept: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"
```

```python
"""
Get all security filters returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.list_security_filters()

    print(response)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=python) and then save the example to `example.py` and run the following command, with `DD_SITE` set to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="<DD_SITE>" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"

```ruby
# Get all security filters returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new
p api_instance.list_security_filters()
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=ruby) and then save the example to `example.rb` and run the following command, with `DD_SITE` set to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="<DD_SITE>" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" ruby "example.rb"

```go
// Get all security filters returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.ListSecurityFilters(ctx)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.ListSecurityFilters`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.ListSecurityFilters`:\n%s\n", responseContent)
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=go) and then save the example to `main.go` and run the following command, with `DD_SITE` set to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="<DD_SITE>" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"

```java
// Get all security filters returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityFiltersResponse;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    try {
      SecurityFiltersResponse result = apiInstance.listSecurityFilters();
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println("Exception when calling SecurityMonitoringApi#listSecurityFilters");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=java) and then save the example to `Example.java` and run the following command, with `DD_SITE` set to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="<DD_SITE>" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"

```rust
// Get all security filters returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;

#[tokio::main]
async fn main() {
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api.list_security_filters().await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=rust) and then save the example to `src/main.rs` and run the following command, with `DD_SITE` set to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="<DD_SITE>" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run

```typescript
/**
 * Get all security filters returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

apiInstance
  .listSecurityFilters()
  .then((data: v2.SecurityFiltersResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=typescript) and then save the example to `example.ts` and run the following command, with `DD_SITE` set to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="<DD_SITE>" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"
{% /tab %}
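
Because security filters decide which logs are analyzed at all, the list response is worth auditing for coverage gaps. The following is an added example, not Datadog's code: it compares a response in the documented shape against a reviewed baseline and reports disabled filters, changed queries, unapproved exclusion filters, and exclusions that cancel out their own filter. The `BASELINE` structure, the finding codes, and the second sample filter are assumptions made for illustration.

```python
import json

# Constructed sample in the shape of the documented 200 response. Only the first
# filter comes from the page's example; the second filter and its ID are made up.
SAMPLE_RESPONSE = json.loads("""
{
  "data": [
    {"id": "3dd-0uc-h1s", "type": "security_filters",
     "attributes": {"name": "Custom security filter", "query": "service:api",
                    "is_builtin": false, "is_enabled": false,
                    "filtered_data_type": "logs", "version": 1,
                    "exclusion_filters": [
                      {"name": "Exclude staging", "query": "source:staging"}]}},
    {"id": "aaa-bbb-ccc", "type": "security_filters",
     "attributes": {"name": "Auth logs", "query": "service:auth",
                    "is_builtin": false, "is_enabled": true,
                    "filtered_data_type": "logs", "version": 4,
                    "exclusion_filters": [
                      {"name": "Exclude debug", "query": "status:debug"},
                      {"name": "Temporary", "query": "service:auth"}]}}
  ],
  "meta": {}
}
""")

# Hypothetical reviewed baseline: filter ID -> state the security team approved.
BASELINE = {
    "3dd-0uc-h1s": {"is_enabled": True, "query": "service:api",
                    "exclusions": {"source:staging"}},
    "aaa-bbb-ccc": {"is_enabled": True, "query": "service:auth",
                    "exclusions": {"status:debug"}},
    "ddd-eee-fff": {"is_enabled": True, "query": "source:cloudtrail",
                    "exclusions": set()},
}


def audit_filters(response, baseline):
    """Return (code, filter_id, detail) findings for a security_filters list response."""
    findings = []
    filters = response.get("data") or []

    # The API reports the "nothing is analyzed" condition in meta.warning.
    warning = (response.get("meta") or {}).get("warning")
    if warning:
        findings.append(("api_warning", None, warning))
    if not any((f.get("attributes") or {}).get("is_enabled") for f in filters):
        findings.append(("no_enabled_filter", None, "no filter is enabled"))

    seen = set()
    for f in filters:
        fid = f.get("id")
        attrs = f.get("attributes") or {}
        seen.add(fid)
        expected = baseline.get(fid)
        if expected is None:
            findings.append(("unknown_filter", fid, attrs.get("name")))
            # Compare against the current state so only exclusions are reported.
            expected = {"is_enabled": attrs.get("is_enabled"),
                        "query": attrs.get("query"), "exclusions": set()}

        if expected["is_enabled"] and not attrs.get("is_enabled"):
            findings.append(("filter_disabled", fid, attrs.get("name")))
        if attrs.get("query") != expected["query"]:
            findings.append(("query_changed", fid, attrs.get("query")))

        for ex in attrs.get("exclusion_filters") or []:
            q = (ex.get("query") or "").strip()
            # String heuristic, not a query parser: an exclusion equal to "*" or
            # to the filter's own query excludes every log the filter accepts.
            if q == "*" or q == attrs.get("query"):
                findings.append(("exclusion_covers_filter", fid, ex.get("name")))
            if q not in expected["exclusions"]:
                findings.append(("unapproved_exclusion", fid, ex.get("name")))

    # Filters in the baseline that the API no longer returns were deleted.
    for fid in sorted(set(baseline) - seen):
        findings.append(("filter_missing", fid, baseline[fid]["query"]))
    return findings


if __name__ == "__main__":
    for code, fid, detail in audit_filters(SAMPLE_RESPONSE, BASELINE):
        print(f"{code:26} {fid or '-':12} {detail}")
```

The input is the JSON body returned by the endpoint, so the same function can run on the output of the curl command on a schedule.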

## Create a security filter{% #create-a-security-filter %}

{% tab title="v2" %}

| Datadog site      | API endpoint                                                                                 |
| ----------------- | -------------------------------------------------------------------------------------------- |
| ap1.datadoghq.com | POST https://api.ap1.datadoghq.com/api/v2/security_monitoring/configuration/security_filters |
| ap2.datadoghq.com | POST https://api.ap2.datadoghq.com/api/v2/security_monitoring/configuration/security_filters |
| app.datadoghq.eu  | POST https://api.datadoghq.eu/api/v2/security_monitoring/configuration/security_filters      |
| app.ddog-gov.com  | POST https://api.ddog-gov.com/api/v2/security_monitoring/configuration/security_filters      |
| app.datadoghq.com | POST https://api.datadoghq.com/api/v2/security_monitoring/configuration/security_filters     |
| us3.datadoghq.com | POST https://api.us3.datadoghq.com/api/v2/security_monitoring/configuration/security_filters |
| us5.datadoghq.com | POST https://api.us5.datadoghq.com/api/v2/security_monitoring/configuration/security_filters |

### Overview



Create a security filter.

See the [security filter guide](https://docs.datadoghq.com/security_platform/guide/how-to-setup-security-filters-using-security-monitoring-api/) for more examples.

This endpoint requires the `security_monitoring_filters_write` permission.

OAuth apps require the `security_monitoring_filters_write` authorization [scope](https://docs.datadoghq.com/api/latest/scopes/#security-monitoring) to access this endpoint.



### Request

#### Body Data (required)

The definition of the new security filter.

{% tab title="Model" %}

| Parent field      | Field                                | Type     | Description                                                                                                      |
| ----------------- | ------------------------------------ | -------- | ---------------------------------------------------------------------------------------------------------------- |
|                   | data [*required*]               | object   | Object for a single security filter.                                                                             |
| data              | attributes [*required*]         | object   | Object containing the attributes of the security filter to be created.                                           |
| attributes        | exclusion_filters [*required*]  | [object] | Exclusion filters to exclude some logs from the security filter.                                                 |
| exclusion_filters | name [*required*]               | string   | Exclusion filter name.                                                                                           |
| exclusion_filters | query [*required*]              | string   | Exclusion filter query. Logs that match this query are excluded from the security filter.                        |
| attributes        | filtered_data_type [*required*] | enum     | The filtered data type. Allowed enum values: `logs`                                                              |
| attributes        | is_enabled [*required*]         | boolean  | Whether the security filter is enabled.                                                                          |
| attributes        | name [*required*]               | string   | The name of the security filter.                                                                                 |
| attributes        | query [*required*]              | string   | The query of the security filter.                                                                                |
| data              | type [*required*]               | enum     | The type of the resource. The value should always be `security_filters`. Allowed enum values: `security_filters` |

{% /tab %}

{% tab title="Example" %}

```json
{
  "data": {
    "attributes": {
      "exclusion_filters": [
        {
          "name": "Exclude staging",
          "query": "source:staging"
        }
      ],
      "filtered_data_type": "logs",
      "is_enabled": true,
      "name": "Example-Security-Monitoring",
      "query": "service:ExampleSecurityMonitoring"
    },
    "type": "security_filters"
  }
}
```

{% /tab %}

### Response

{% tab title="200" %}
OK
{% tab title="Model" %}
Response object which includes a single security filter.

| Parent field      | Field              | Type     | Description                                                                                                      |
| ----------------- | ------------------ | -------- | ---------------------------------------------------------------------------------------------------------------- |
|                   | data               | object   | The security filter's properties.                                                                                |
| data              | attributes         | object   | The object describing a security filter.                                                                         |
| attributes        | exclusion_filters  | [object] | The list of exclusion filters applied in this security filter.                                                   |
| exclusion_filters | name               | string   | The exclusion filter name.                                                                                       |
| exclusion_filters | query              | string   | The exclusion filter query.                                                                                      |
| attributes        | filtered_data_type | enum     | The filtered data type. Allowed enum values: `logs`                                                              |
| attributes        | is_builtin         | boolean  | Whether the security filter is the built-in filter.                                                              |
| attributes        | is_enabled         | boolean  | Whether the security filter is enabled.                                                                          |
| attributes        | name               | string   | The security filter name.                                                                                        |
| attributes        | query              | string   | The security filter query. Logs accepted by this query will be accepted by this filter.                          |
| attributes        | version            | int32    | The version of the security filter.                                                                              |
| data              | id                 | string   | The ID of the security filter.                                                                                   |
| data              | type               | enum     | The type of the resource. The value should always be `security_filters`. Allowed enum values: `security_filters` |
|                   | meta               | object   | Optional metadata associated to the response.                                                                    |
| meta              | warning            | string   | A warning message.                                                                                               |

{% /tab %}

{% tab title="Example" %}

```json
{
  "data": {
    "attributes": {
      "exclusion_filters": [
        {
          "name": "Exclude staging",
          "query": "source:staging"
        }
      ],
      "filtered_data_type": "logs",
      "is_builtin": false,
      "is_enabled": false,
      "name": "Custom security filter",
      "query": "service:api",
      "version": 1
    },
    "id": "3dd-0uc-h1s",
    "type": "security_filters"
  },
  "meta": {
    "warning": "All the security filters are disabled. As a result, no logs are being analyzed."
  }
}
```

{% /tab %}

{% /tab %}

{% tab title="400" %}
Bad Request
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="403" %}
Not Authorized
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="409" %}
Conflict
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="429" %}
Too many requests
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

### Code Example

```bash
# Curl command
# Replace api.datadoghq.com with the API host for your Datadog site (see the endpoint table above).
curl -X POST "https://api.datadoghq.com/api/v2/security_monitoring/configuration/security_filters" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "data": {
    "attributes": {
      "exclusion_filters": [
        {
          "name": "Exclude staging",
          "query": "source:staging"
        }
      ],
      "filtered_data_type": "logs",
      "is_enabled": true,
      "name": "Example-Security-Monitoring",
      "query": "service:ExampleSecurityMonitoring"
    },
    "type": "security_filters"
  }
}
EOF
```

```go
// Create a security filter returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	body := datadogV2.SecurityFilterCreateRequest{
		Data: datadogV2.SecurityFilterCreateData{
			Attributes: datadogV2.SecurityFilterCreateAttributes{
				ExclusionFilters: []datadogV2.SecurityFilterExclusionFilter{
					{
						Name:  "Exclude staging",
						Query: "source:staging",
					},
				},
				FilteredDataType: datadogV2.SECURITYFILTERFILTEREDDATATYPE_LOGS,
				IsEnabled:        true,
				Name:             "Example-Security-Monitoring",
				Query:            "service:ExampleSecurityMonitoring",
			},
			Type: datadogV2.SECURITYFILTERTYPE_SECURITY_FILTERS,
		},
	}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.CreateSecurityFilter(ctx, body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.CreateSecurityFilter`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.CreateSecurityFilter`:\n%s\n", responseContent)
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=go) and then save the example to `main.go` and run the following command, with `DD_SITE` set to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="<DD_SITE>" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"

```java
// Create a security filter returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityFilterCreateAttributes;
import com.datadog.api.client.v2.model.SecurityFilterCreateData;
import com.datadog.api.client.v2.model.SecurityFilterCreateRequest;
import com.datadog.api.client.v2.model.SecurityFilterExclusionFilter;
import com.datadog.api.client.v2.model.SecurityFilterFilteredDataType;
import com.datadog.api.client.v2.model.SecurityFilterResponse;
import com.datadog.api.client.v2.model.SecurityFilterType;
import java.util.Collections;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    SecurityFilterCreateRequest body =
        new SecurityFilterCreateRequest()
            .data(
                new SecurityFilterCreateData()
                    .attributes(
                        new SecurityFilterCreateAttributes()
                            .exclusionFilters(
                                Collections.singletonList(
                                    new SecurityFilterExclusionFilter()
                                        .name("Exclude staging")
                                        .query("source:staging")))
                            .filteredDataType(SecurityFilterFilteredDataType.LOGS)
                            .isEnabled(true)
                            .name("Example-Security-Monitoring")
                            .query("service:ExampleSecurityMonitoring"))
                    .type(SecurityFilterType.SECURITY_FILTERS));

    try {
      SecurityFilterResponse result = apiInstance.createSecurityFilter(body);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println("Exception when calling SecurityMonitoringApi#createSecurityFilter");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=java) and then save the example to `Example.java` and run the following command, with `DD_SITE` set to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="<DD_SITE>" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"

```python
"""
Create a security filter returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.security_filter_create_attributes import SecurityFilterCreateAttributes
from datadog_api_client.v2.model.security_filter_create_data import SecurityFilterCreateData
from datadog_api_client.v2.model.security_filter_create_request import SecurityFilterCreateRequest
from datadog_api_client.v2.model.security_filter_exclusion_filter import SecurityFilterExclusionFilter
from datadog_api_client.v2.model.security_filter_filtered_data_type import SecurityFilterFilteredDataType
from datadog_api_client.v2.model.security_filter_type import SecurityFilterType

body = SecurityFilterCreateRequest(
    data=SecurityFilterCreateData(
        attributes=SecurityFilterCreateAttributes(
            exclusion_filters=[
                SecurityFilterExclusionFilter(
                    name="Exclude staging",
                    query="source:staging",
                ),
            ],
            filtered_data_type=SecurityFilterFilteredDataType.LOGS,
            is_enabled=True,
            name="Example-Security-Monitoring",
            query="service:ExampleSecurityMonitoring",
        ),
        type=SecurityFilterType.SECURITY_FILTERS,
    ),
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.create_security_filter(body=body)

    print(response)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=python) and then save the example to `example.py` and run the following command, with `DD_SITE` set to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="<DD_SITE>" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"

```ruby
# Create a security filter returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

body = DatadogAPIClient::V2::SecurityFilterCreateRequest.new({
  data: DatadogAPIClient::V2::SecurityFilterCreateData.new({
    attributes: DatadogAPIClient::V2::SecurityFilterCreateAttributes.new({
      exclusion_filters: [
        DatadogAPIClient::V2::SecurityFilterExclusionFilter.new({
          name: "Exclude staging",
          query: "source:staging",
        }),
      ],
      filtered_data_type: DatadogAPIClient::V2::SecurityFilterFilteredDataType::LOGS,
      is_enabled: true,
      name: "Example-Security-Monitoring",
      query: "service:ExampleSecurityMonitoring",
    }),
    type: DatadogAPIClient::V2::SecurityFilterType::SECURITY_FILTERS,
  }),
})
p api_instance.create_security_filter(body)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=ruby) and then save the example to `example.rb` and run the following command, with `DD_SITE` set to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="<DD_SITE>" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" ruby "example.rb"

```rust
// Create a security filter returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::SecurityFilterCreateAttributes;
use datadog_api_client::datadogV2::model::SecurityFilterCreateData;
use datadog_api_client::datadogV2::model::SecurityFilterCreateRequest;
use datadog_api_client::datadogV2::model::SecurityFilterExclusionFilter;
use datadog_api_client::datadogV2::model::SecurityFilterFilteredDataType;
use datadog_api_client::datadogV2::model::SecurityFilterType;

#[tokio::main]
async fn main() {
    let body = SecurityFilterCreateRequest::new(SecurityFilterCreateData::new(
        SecurityFilterCreateAttributes::new(
            vec![SecurityFilterExclusionFilter::new(
                "Exclude staging".to_string(),
                "source:staging".to_string(),
            )],
            SecurityFilterFilteredDataType::LOGS,
            true,
            "Example-Security-Monitoring".to_string(),
            "service:ExampleSecurityMonitoring".to_string(),
        ),
        SecurityFilterType::SECURITY_FILTERS,
    ));
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api.create_security_filter(body).await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=rust), then save the example to `src/main.rs` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```shell
DD_SITE="<DD_SITE>" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run
```

```typescript
/**
 * Create a security filter returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiCreateSecurityFilterRequest = {
  body: {
    data: {
      attributes: {
        exclusionFilters: [
          {
            name: "Exclude staging",
            query: "source:staging",
          },
        ],
        filteredDataType: "logs",
        isEnabled: true,
        name: "Example-Security-Monitoring",
        query: "service:ExampleSecurityMonitoring",
      },
      type: "security_filters",
    },
  },
};

apiInstance
  .createSecurityFilter(params)
  .then((data: v2.SecurityFilterResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=typescript), then save the example to `example.ts` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```shell
DD_SITE="<DD_SITE>" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"
```
{% /tab %}

## Get a security filter{% #get-a-security-filter %}

{% tab title="v2" %}

| Datadog site      | API endpoint                                                                                                     |
| ----------------- | ---------------------------------------------------------------------------------------------------------------- |
| ap1.datadoghq.com | GET https://api.ap1.datadoghq.com/api/v2/security_monitoring/configuration/security_filters/{security_filter_id} |
| ap2.datadoghq.com | GET https://api.ap2.datadoghq.com/api/v2/security_monitoring/configuration/security_filters/{security_filter_id} |
| app.datadoghq.eu  | GET https://api.datadoghq.eu/api/v2/security_monitoring/configuration/security_filters/{security_filter_id}      |
| app.ddog-gov.com  | GET https://api.ddog-gov.com/api/v2/security_monitoring/configuration/security_filters/{security_filter_id}      |
| app.datadoghq.com | GET https://api.datadoghq.com/api/v2/security_monitoring/configuration/security_filters/{security_filter_id}     |
| us3.datadoghq.com | GET https://api.us3.datadoghq.com/api/v2/security_monitoring/configuration/security_filters/{security_filter_id} |
| us5.datadoghq.com | GET https://api.us5.datadoghq.com/api/v2/security_monitoring/configuration/security_filters/{security_filter_id} |

### Overview



Get the details of a specific security filter.

See the [security filter guide](https://docs.datadoghq.com/security_platform/guide/how-to-setup-security-filters-using-security-monitoring-api/) for more examples.
This endpoint requires the `security_monitoring_filters_read` permission.
OAuth apps require the `security_monitoring_filters_read` authorization [scope](https://docs.datadoghq.com/api/latest/scopes/#security-monitoring) to access this endpoint.



### Arguments

#### Path Parameters

| Name                                 | Type   | Description                    |
| ------------------------------------ | ------ | ------------------------------ |
| security_filter_id [*required*] | string | The ID of the security filter. |

### Response

{% tab title="200" %}
OK
{% tab title="Model" %}
Response object which includes a single security filter.

| Parent field      | Field              | Type     | Description                                                                                                      |
| ----------------- | ------------------ | -------- | ---------------------------------------------------------------------------------------------------------------- |
|                   | data               | object   | The security filter's properties.                                                                                |
| data              | attributes         | object   | The object describing a security filter.                                                                         |
| attributes        | exclusion_filters  | [object] | The list of exclusion filters applied in this security filter.                                                   |
| exclusion_filters | name               | string   | The exclusion filter name.                                                                                       |
| exclusion_filters | query              | string   | The exclusion filter query.                                                                                      |
| attributes        | filtered_data_type | enum     | The filtered data type. Allowed enum values: `logs`                                                              |
| attributes        | is_builtin         | boolean  | Whether the security filter is the built-in filter.                                                              |
| attributes        | is_enabled         | boolean  | Whether the security filter is enabled.                                                                          |
| attributes        | name               | string   | The security filter name.                                                                                        |
| attributes        | query              | string   | The security filter query. Logs accepted by this query will be accepted by this filter.                          |
| attributes        | version            | int32    | The version of the security filter.                                                                              |
| data              | id                 | string   | The ID of the security filter.                                                                                   |
| data              | type               | enum     | The type of the resource. The value should always be `security_filters`. Allowed enum values: `security_filters` |
|                   | meta               | object   | Optional metadata associated to the response.                                                                    |
| meta              | warning            | string   | A warning message.                                                                                               |

{% /tab %}

{% tab title="Example" %}

```json
{
  "data": {
    "attributes": {
      "exclusion_filters": [
        {
          "name": "Exclude staging",
          "query": "source:staging"
        }
      ],
      "filtered_data_type": "logs",
      "is_builtin": false,
      "is_enabled": false,
      "name": "Custom security filter",
      "query": "service:api",
      "version": 1
    },
    "id": "3dd-0uc-h1s",
    "type": "security_filters"
  },
  "meta": {
    "warning": "All the security filters are disabled. As a result, no logs are being analyzed."
  }
}
```

{% /tab %}

{% /tab %}

{% tab title="403" %}
Not Authorized
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="404" %}
Not Found
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="429" %}
Too many requests
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

### Code Example

```shell
# Path parameters
export security_filter_id="CHANGE_ME"
# Curl command (replace api.datadoghq.com with the API host for your Datadog site, as listed in the endpoint table above)
curl -X GET "https://api.datadoghq.com/api/v2/security_monitoring/configuration/security_filters/${security_filter_id}" \
-H "Accept: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"
```

```python
"""
Get a security filter returns "OK" response
"""

from os import environ
from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi

# there is a valid "security_filter" in the system
SECURITY_FILTER_DATA_ID = environ["SECURITY_FILTER_DATA_ID"]

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.get_security_filter(
        security_filter_id=SECURITY_FILTER_DATA_ID,
    )

    print(response)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=python), then save the example to `example.py` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```shell
DD_SITE="<DD_SITE>" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
```

```ruby
# Get a security filter returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

# there is a valid "security_filter" in the system
SECURITY_FILTER_DATA_ID = ENV["SECURITY_FILTER_DATA_ID"]
p api_instance.get_security_filter(SECURITY_FILTER_DATA_ID)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=ruby), then save the example to `example.rb` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```shell
DD_SITE="<DD_SITE>" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" ruby "example.rb"
```

```go
// Get a security filter returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	// there is a valid "security_filter" in the system
	SecurityFilterDataID := os.Getenv("SECURITY_FILTER_DATA_ID")

	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.GetSecurityFilter(ctx, SecurityFilterDataID)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.GetSecurityFilter`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.GetSecurityFilter`:\n%s\n", responseContent)
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=go), then save the example to `main.go` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```shell
DD_SITE="<DD_SITE>" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
```

```java
// Get a security filter returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityFilterResponse;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    // there is a valid "security_filter" in the system
    String SECURITY_FILTER_DATA_ID = System.getenv("SECURITY_FILTER_DATA_ID");

    try {
      SecurityFilterResponse result = apiInstance.getSecurityFilter(SECURITY_FILTER_DATA_ID);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println("Exception when calling SecurityMonitoringApi#getSecurityFilter");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=java), then save the example to `Example.java` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```shell
DD_SITE="<DD_SITE>" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"
```

```rust
// Get a security filter returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;

#[tokio::main]
async fn main() {
    // there is a valid "security_filter" in the system
    let security_filter_data_id = std::env::var("SECURITY_FILTER_DATA_ID").unwrap();
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api
        .get_security_filter(security_filter_data_id.clone())
        .await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=rust), then save the example to `src/main.rs` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```shell
DD_SITE="<DD_SITE>" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run
```

```typescript
/**
 * Get a security filter returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

// there is a valid "security_filter" in the system
const SECURITY_FILTER_DATA_ID = process.env.SECURITY_FILTER_DATA_ID as string;

const params: v2.SecurityMonitoringApiGetSecurityFilterRequest = {
  securityFilterId: SECURITY_FILTER_DATA_ID,
};

apiInstance
  .getSecurityFilter(params)
  .then((data: v2.SecurityFilterResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=typescript), then save the example to `example.ts` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```shell
DD_SITE="<DD_SITE>" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"
```
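
An added example, not part of Datadog's documentation or client libraries: security filters decide which logs are analyzed, so a disabled filter or a broad exclusion filter is a coverage gap. The code below audits a response shaped like the documented 200 body and diffs it against a reviewed baseline; both JSON documents are constructed, the function names are hypothetical, and treating `*` as a match-all query is an assumption.

```python
"""Audit a security filter response for gaps in log-analysis coverage."""
import json

# Constructed sample shaped like the documented 200 response (illustrative values).
CURRENT_RESPONSE = json.loads("""
{
  "data": {
    "id": "3dd-0uc-h1s",
    "type": "security_filters",
    "attributes": {
      "name": "Custom security filter", "query": "service:api", "version": 3,
      "filtered_data_type": "logs", "is_builtin": false, "is_enabled": false,
      "exclusion_filters": [
        {"name": "Exclude staging", "query": "source:staging"},
        {"name": "tmp", "query": "*"}
      ]
    }
  },
  "meta": {"warning": "All the security filters are disabled. As a result, no logs are being analyzed."}
}
""")

# Constructed baseline: the last reviewed state of the same filter.
BASELINE_RESPONSE = json.loads("""
{
  "data": {
    "id": "3dd-0uc-h1s",
    "type": "security_filters",
    "attributes": {
      "name": "Custom security filter", "query": "service:api", "version": 1,
      "filtered_data_type": "logs", "is_builtin": false, "is_enabled": true,
      "exclusion_filters": [{"name": "Exclude staging", "query": "source:staging"}]
    }
  }
}
""")


def _unwrap(response):
    """Return (filter_id, attributes) after checking the documented envelope."""
    data = response.get("data") or {}
    if data.get("type") != "security_filters":
        raise ValueError("not a security_filters resource")
    return data.get("id"), data.get("attributes") or {}


def _exclusions(attrs):
    """Map exclusion filter name -> query."""
    return {e["name"]: e["query"] for e in attrs.get("exclusion_filters") or []}


def audit_filter(response):
    """Findings about the filter's current state."""
    _, attrs = _unwrap(response)
    findings = []
    if not attrs.get("is_enabled"):
        findings.append("DISABLED: filter is not enabled")
    warning = (response.get("meta") or {}).get("warning")
    if warning:
        findings.append("API_WARNING: " + warning)
    for name, query in _exclusions(attrs).items():
        # Assumption: "*" or a copy of the filter's own query excludes every accepted log.
        if query.strip() in ("*", (attrs.get("query") or "").strip()):
            findings.append(f"BROAD_EXCLUSION: {name!r} uses query {query!r}")
    return findings


def diff_against_baseline(baseline, current):
    """Changes since the reviewed baseline that a detection engineer should review."""
    base_id, base = _unwrap(baseline)
    cur_id, cur = _unwrap(current)
    if base_id != cur_id:
        raise ValueError("baseline and current describe different filters")
    changes = []
    if base.get("is_enabled") and not cur.get("is_enabled"):
        changes.append("is_enabled: true -> false")
    if base.get("query") != cur.get("query"):
        changes.append(f"query: {base.get('query')!r} -> {cur.get('query')!r}")
    old, new = _exclusions(base), _exclusions(cur)
    for name in sorted(new.keys() - old.keys()):
        changes.append(f"exclusion added: {name!r} ({new[name]!r})")
    for name in sorted(old.keys() & new.keys()):
        if old[name] != new[name]:
            changes.append(f"exclusion changed: {name!r} ({old[name]!r} -> {new[name]!r})")
    return changes


if __name__ == "__main__":
    for line in audit_filter(CURRENT_RESPONSE) + diff_against_baseline(BASELINE_RESPONSE, CURRENT_RESPONSE):
        print(line)
```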
{% /tab %}

## Update a security filter{% #update-a-security-filter %}

{% tab title="v2" %}

| Datadog site      | API endpoint                                                                                                       |
| ----------------- | ------------------------------------------------------------------------------------------------------------------ |
| ap1.datadoghq.com | PATCH https://api.ap1.datadoghq.com/api/v2/security_monitoring/configuration/security_filters/{security_filter_id} |
| ap2.datadoghq.com | PATCH https://api.ap2.datadoghq.com/api/v2/security_monitoring/configuration/security_filters/{security_filter_id} |
| app.datadoghq.eu  | PATCH https://api.datadoghq.eu/api/v2/security_monitoring/configuration/security_filters/{security_filter_id}      |
| app.ddog-gov.com  | PATCH https://api.ddog-gov.com/api/v2/security_monitoring/configuration/security_filters/{security_filter_id}      |
| app.datadoghq.com | PATCH https://api.datadoghq.com/api/v2/security_monitoring/configuration/security_filters/{security_filter_id}     |
| us3.datadoghq.com | PATCH https://api.us3.datadoghq.com/api/v2/security_monitoring/configuration/security_filters/{security_filter_id} |
| us5.datadoghq.com | PATCH https://api.us5.datadoghq.com/api/v2/security_monitoring/configuration/security_filters/{security_filter_id} |

### Overview

Update a specific security filter. Returns the security filter object when the request is successful. This endpoint requires the `security_monitoring_filters_write` permission.

OAuth apps require the `security_monitoring_filters_write` authorization [scope](https://docs.datadoghq.com/api/latest/scopes/#security-monitoring) to access this endpoint.



### Arguments

#### Path Parameters

| Name                                 | Type   | Description                    |
| ------------------------------------ | ------ | ------------------------------ |
| security_filter_id [*required*] | string | The ID of the security filter. |

### Request

#### Body Data (required)

New definition of the security filter.

{% tab title="Model" %}

| Parent field      | Field                        | Type     | Description                                                                                                      |
| ----------------- | ---------------------------- | -------- | ---------------------------------------------------------------------------------------------------------------- |
|                   | data [*required*]       | object   | The new security filter properties.                                                                              |
| data              | attributes [*required*] | object   | The security filter's properties to be updated.                                                                  |
| attributes        | exclusion_filters            | [object] | Exclusion filters to exclude some logs from the security filter.                                                 |
| exclusion_filters | name [*required*]       | string   | Exclusion filter name.                                                                                           |
| exclusion_filters | query [*required*]      | string   | Exclusion filter query. Logs that match this query are excluded from the security filter.                        |
| attributes        | filtered_data_type           | enum     | The filtered data type. Allowed enum values: `logs`                                                              |
| attributes        | is_enabled                   | boolean  | Whether the security filter is enabled.                                                                          |
| attributes        | name                         | string   | The name of the security filter.                                                                                 |
| attributes        | query                        | string   | The query of the security filter.                                                                                |
| attributes        | version                      | int32    | The version of the security filter to update.                                                                    |
| data              | type [*required*]       | enum     | The type of the resource. The value should always be `security_filters`. Allowed enum values: `security_filters` |

{% /tab %}

{% tab title="Example" %}

```json
{
  "data": {
    "attributes": {
      "exclusion_filters": [],
      "filtered_data_type": "logs",
      "is_enabled": true,
      "name": "Example-Security-Monitoring",
      "query": "service:ExampleSecurityMonitoring",
      "version": 1
    },
    "type": "security_filters"
  }
}
```

{% /tab %}

### Response

{% tab title="200" %}
OK
{% tab title="Model" %}
Response object which includes a single security filter.

| Parent field      | Field              | Type     | Description                                                                                                      |
| ----------------- | ------------------ | -------- | ---------------------------------------------------------------------------------------------------------------- |
|                   | data               | object   | The security filter's properties.                                                                                |
| data              | attributes         | object   | The object describing a security filter.                                                                         |
| attributes        | exclusion_filters  | [object] | The list of exclusion filters applied in this security filter.                                                   |
| exclusion_filters | name               | string   | The exclusion filter name.                                                                                       |
| exclusion_filters | query              | string   | The exclusion filter query.                                                                                      |
| attributes        | filtered_data_type | enum     | The filtered data type. Allowed enum values: `logs`                                                              |
| attributes        | is_builtin         | boolean  | Whether the security filter is the built-in filter.                                                              |
| attributes        | is_enabled         | boolean  | Whether the security filter is enabled.                                                                          |
| attributes        | name               | string   | The security filter name.                                                                                        |
| attributes        | query              | string   | The security filter query. Logs accepted by this query will be accepted by this filter.                          |
| attributes        | version            | int32    | The version of the security filter.                                                                              |
| data              | id                 | string   | The ID of the security filter.                                                                                   |
| data              | type               | enum     | The type of the resource. The value should always be `security_filters`. Allowed enum values: `security_filters` |
|                   | meta               | object   | Optional metadata associated to the response.                                                                    |
| meta              | warning            | string   | A warning message.                                                                                               |

{% /tab %}

{% tab title="Example" %}

```json
{
  "data": {
    "attributes": {
      "exclusion_filters": [
        {
          "name": "Exclude staging",
          "query": "source:staging"
        }
      ],
      "filtered_data_type": "logs",
      "is_builtin": false,
      "is_enabled": false,
      "name": "Custom security filter",
      "query": "service:api",
      "version": 1
    },
    "id": "3dd-0uc-h1s",
    "type": "security_filters"
  },
  "meta": {
    "warning": "All the security filters are disabled. As a result, no logs are being analyzed."
  }
}
```

{% /tab %}

{% /tab %}

{% tab title="400" %}
Bad Request
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="403" %}
Not Authorized
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="404" %}
Not Found
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="409" %}
Concurrent Modification
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="429" %}
Too many requests
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}
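
An added example, not Datadog's code: the `version` attribute and the 409 Concurrent Modification response point to a read-modify-write loop, shown here for removing one exclusion filter without overwriting another writer's change. It assumes a PATCH carrying a stale `version` is answered with 409 and that a successful update increments `version`; `Conflict`, `build_update_body`, `update_with_retry`, `drop_exclusion` and the in-memory `FakeFilterAPI` are hypothetical names, and the filter contents are constructed.

```python
"""Read-modify-write update of a security filter keyed on its `version`."""
import copy

UPDATABLE = {"exclusion_filters", "filtered_data_type", "is_enabled", "name", "query"}


class Conflict(Exception):
    """Transport signal for a 409 Concurrent Modification response."""


def build_update_body(current_attrs, changes):
    """PATCH body with the changed attributes and the version that was just read."""
    unknown = set(changes) - UPDATABLE
    if unknown:
        raise ValueError(f"not updatable: {sorted(unknown)}")
    attributes = dict(changes, version=current_attrs["version"])
    return {"data": {"attributes": attributes, "type": "security_filters"}}


def update_with_retry(get_filter, patch_filter, filter_id, plan, max_attempts=3):
    """Re-read and re-plan on every 409 so a stale view never overwrites newer state.

    `plan(current_attrs)` returns the attributes to change; returns (response, attempts).
    """
    for attempt in range(1, max_attempts + 1):
        current = get_filter(filter_id)["data"]["attributes"]
        body = build_update_body(current, plan(current))
        try:
            return patch_filter(filter_id, body), attempt
        except Conflict:
            continue
    raise Conflict(f"gave up after {max_attempts} attempts")


def drop_exclusion(name):
    """Plan: enable the filter and remove one exclusion filter by name."""
    def plan(current):
        kept = [e for e in current.get("exclusion_filters", []) if e["name"] != name]
        return {"is_enabled": True, "exclusion_filters": kept}
    return plan


class FakeFilterAPI:
    """Constructed in-memory stand-in for the GET and PATCH endpoints.

    Assumption: a PATCH whose version differs from the stored one is answered
    with 409, and a successful PATCH increments the version.
    """

    def __init__(self, filter_id, attributes):
        self.filter_id = filter_id
        self.attrs = copy.deepcopy(attributes)
        self.concurrent_edit = None  # another writer's change, applied before the next PATCH

    def get(self, filter_id):
        if filter_id != self.filter_id:
            raise KeyError(filter_id)
        return {"data": {"id": filter_id, "type": "security_filters",
                         "attributes": copy.deepcopy(self.attrs)}}

    def patch(self, filter_id, body):
        if self.concurrent_edit is not None:
            self.attrs.update(copy.deepcopy(self.concurrent_edit))
            self.attrs["version"] += 1
            self.concurrent_edit = None
        sent = dict(body["data"]["attributes"])
        if sent.pop("version") != self.attrs["version"]:
            raise Conflict("409 Concurrent Modification")
        self.attrs.update(sent)
        self.attrs["version"] += 1
        return self.get(filter_id)


def demo():
    """Constructed scenario: another writer adds an exclusion between our GET and PATCH."""
    staging = {"name": "Exclude staging", "query": "source:staging"}
    tmp = {"name": "tmp", "query": "*"}
    dev = {"name": "Exclude dev", "query": "source:dev"}
    api = FakeFilterAPI("3dd-0uc-h1s", {
        "name": "Custom security filter", "query": "service:api", "version": 1,
        "filtered_data_type": "logs", "is_builtin": False, "is_enabled": False,
        "exclusion_filters": [staging, tmp],
    })
    api.concurrent_edit = {"exclusion_filters": [staging, tmp, dev]}
    response, attempts = update_with_retry(api.get, api.patch, "3dd-0uc-h1s", drop_exclusion("tmp"))
    return response["data"]["attributes"], attempts


if __name__ == "__main__":
    print(demo())
```

With one of the official clients, `get_filter` and `patch_filter` would wrap the get and update calls shown on this page and translate an HTTP 409 into `Conflict`.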

### Code Example

```shell
# Path parameters
export security_filter_id="CHANGE_ME"
# Curl command (replace api.datadoghq.com with the API host for your Datadog site, as listed in the endpoint table above)
curl -X PATCH "https://api.datadoghq.com/api/v2/security_monitoring/configuration/security_filters/${security_filter_id}" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "data": {
    "attributes": {
      "exclusion_filters": [],
      "filtered_data_type": "logs",
      "is_enabled": true,
      "name": "Example-Security-Monitoring",
      "query": "service:ExampleSecurityMonitoring",
      "version": 1
    },
    "type": "security_filters"
  }
}
EOF
```

```go
// Update a security filter returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	// there is a valid "security_filter" in the system
	SecurityFilterDataID := os.Getenv("SECURITY_FILTER_DATA_ID")

	body := datadogV2.SecurityFilterUpdateRequest{
		Data: datadogV2.SecurityFilterUpdateData{
			Attributes: datadogV2.SecurityFilterUpdateAttributes{
				ExclusionFilters: []datadogV2.SecurityFilterExclusionFilter{},
				FilteredDataType: datadogV2.SECURITYFILTERFILTEREDDATATYPE_LOGS.Ptr(),
				IsEnabled:        datadog.PtrBool(true),
				Name:             datadog.PtrString("Example-Security-Monitoring"),
				Query:            datadog.PtrString("service:ExampleSecurityMonitoring"),
				Version:          datadog.PtrInt32(1),
			},
			Type: datadogV2.SECURITYFILTERTYPE_SECURITY_FILTERS,
		},
	}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.UpdateSecurityFilter(ctx, SecurityFilterDataID, body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.UpdateSecurityFilter`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.UpdateSecurityFilter`:\n%s\n", responseContent)
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=go), then save the example to `main.go` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```shell
DD_SITE="<DD_SITE>" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
```

```java
// Update a security filter returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityFilterFilteredDataType;
import com.datadog.api.client.v2.model.SecurityFilterResponse;
import com.datadog.api.client.v2.model.SecurityFilterType;
import com.datadog.api.client.v2.model.SecurityFilterUpdateAttributes;
import com.datadog.api.client.v2.model.SecurityFilterUpdateData;
import com.datadog.api.client.v2.model.SecurityFilterUpdateRequest;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    // there is a valid "security_filter" in the system
    String SECURITY_FILTER_DATA_ID = System.getenv("SECURITY_FILTER_DATA_ID");

    SecurityFilterUpdateRequest body =
        new SecurityFilterUpdateRequest()
            .data(
                new SecurityFilterUpdateData()
                    .attributes(
                        new SecurityFilterUpdateAttributes()
                            .filteredDataType(SecurityFilterFilteredDataType.LOGS)
                            .isEnabled(true)
                            .name("Example-Security-Monitoring")
                            .query("service:ExampleSecurityMonitoring")
                            .version(1))
                    .type(SecurityFilterType.SECURITY_FILTERS));

    try {
      SecurityFilterResponse result =
          apiInstance.updateSecurityFilter(SECURITY_FILTER_DATA_ID, body);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println("Exception when calling SecurityMonitoringApi#updateSecurityFilter");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=java), then save the example to `Example.java` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```shell
DD_SITE="<DD_SITE>" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"
```

```python
"""
Update a security filter returns "OK" response
"""

from os import environ
from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.security_filter_filtered_data_type import SecurityFilterFilteredDataType
from datadog_api_client.v2.model.security_filter_type import SecurityFilterType
from datadog_api_client.v2.model.security_filter_update_attributes import SecurityFilterUpdateAttributes
from datadog_api_client.v2.model.security_filter_update_data import SecurityFilterUpdateData
from datadog_api_client.v2.model.security_filter_update_request import SecurityFilterUpdateRequest

# there is a valid "security_filter" in the system
SECURITY_FILTER_DATA_ID = environ["SECURITY_FILTER_DATA_ID"]

body = SecurityFilterUpdateRequest(
    data=SecurityFilterUpdateData(
        attributes=SecurityFilterUpdateAttributes(
            exclusion_filters=[],
            filtered_data_type=SecurityFilterFilteredDataType.LOGS,
            is_enabled=True,
            name="Example-Security-Monitoring",
            query="service:ExampleSecurityMonitoring",
            version=1,
        ),
        type=SecurityFilterType.SECURITY_FILTERS,
    ),
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.update_security_filter(security_filter_id=SECURITY_FILTER_DATA_ID, body=body)

    print(response)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=python) and then save the example to `example.py` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
```

```ruby
# Update a security filter returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

# there is a valid "security_filter" in the system
SECURITY_FILTER_DATA_ID = ENV["SECURITY_FILTER_DATA_ID"]

body = DatadogAPIClient::V2::SecurityFilterUpdateRequest.new({
  data: DatadogAPIClient::V2::SecurityFilterUpdateData.new({
    attributes: DatadogAPIClient::V2::SecurityFilterUpdateAttributes.new({
      exclusion_filters: [],
      filtered_data_type: DatadogAPIClient::V2::SecurityFilterFilteredDataType::LOGS,
      is_enabled: true,
      name: "Example-Security-Monitoring",
      query: "service:ExampleSecurityMonitoring",
      version: 1,
    }),
    type: DatadogAPIClient::V2::SecurityFilterType::SECURITY_FILTERS,
  }),
})
p api_instance.update_security_filter(SECURITY_FILTER_DATA_ID, body)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=ruby) and then save the example to `example.rb` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" ruby "example.rb"
```

```rust
// Update a security filter returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::SecurityFilterFilteredDataType;
use datadog_api_client::datadogV2::model::SecurityFilterType;
use datadog_api_client::datadogV2::model::SecurityFilterUpdateAttributes;
use datadog_api_client::datadogV2::model::SecurityFilterUpdateData;
use datadog_api_client::datadogV2::model::SecurityFilterUpdateRequest;

#[tokio::main]
async fn main() {
    // there is a valid "security_filter" in the system
    let security_filter_data_id = std::env::var("SECURITY_FILTER_DATA_ID").unwrap();
    let body = SecurityFilterUpdateRequest::new(SecurityFilterUpdateData::new(
        SecurityFilterUpdateAttributes::new()
            .exclusion_filters(vec![])
            .filtered_data_type(SecurityFilterFilteredDataType::LOGS)
            .is_enabled(true)
            .name("Example-Security-Monitoring".to_string())
            .query("service:ExampleSecurityMonitoring".to_string())
            .version(1),
        SecurityFilterType::SECURITY_FILTERS,
    ));
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api
        .update_security_filter(security_filter_data_id.clone(), body)
        .await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=rust) and then save the example to `src/main.rs` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run
```

```typescript
/**
 * Update a security filter returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

// there is a valid "security_filter" in the system
const SECURITY_FILTER_DATA_ID = process.env.SECURITY_FILTER_DATA_ID as string;

const params: v2.SecurityMonitoringApiUpdateSecurityFilterRequest = {
  body: {
    data: {
      attributes: {
        exclusionFilters: [],
        filteredDataType: "logs",
        isEnabled: true,
        name: "Example-Security-Monitoring",
        query: "service:ExampleSecurityMonitoring",
        version: 1,
      },
      type: "security_filters",
    },
  },
  securityFilterId: SECURITY_FILTER_DATA_ID,
};

apiInstance
  .updateSecurityFilter(params)
  .then((data: v2.SecurityFilterResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=typescript) and then save the example to `example.ts` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"
```
{% /tab %}

## Delete a security filter{% #delete-a-security-filter %}

{% tab title="v2" %}

| Datadog site      | API endpoint                                                                                                        |
| ----------------- | ------------------------------------------------------------------------------------------------------------------- |
| ap1.datadoghq.com | DELETE https://api.ap1.datadoghq.com/api/v2/security_monitoring/configuration/security_filters/{security_filter_id} |
| ap2.datadoghq.com | DELETE https://api.ap2.datadoghq.com/api/v2/security_monitoring/configuration/security_filters/{security_filter_id} |
| app.datadoghq.eu  | DELETE https://api.datadoghq.eu/api/v2/security_monitoring/configuration/security_filters/{security_filter_id}      |
| app.ddog-gov.com  | DELETE https://api.ddog-gov.com/api/v2/security_monitoring/configuration/security_filters/{security_filter_id}      |
| app.datadoghq.com | DELETE https://api.datadoghq.com/api/v2/security_monitoring/configuration/security_filters/{security_filter_id}     |
| us3.datadoghq.com | DELETE https://api.us3.datadoghq.com/api/v2/security_monitoring/configuration/security_filters/{security_filter_id} |
| us5.datadoghq.com | DELETE https://api.us5.datadoghq.com/api/v2/security_monitoring/configuration/security_filters/{security_filter_id} |

### Overview

Delete a specific security filter. This endpoint requires the `security_monitoring_filters_write` permission.

OAuth apps require the `security_monitoring_filters_write` authorization [scope](https://docs.datadoghq.com/api/latest/scopes/#security-monitoring) to access this endpoint.



### Arguments

#### Path Parameters

| Name                                 | Type   | Description                    |
| ------------------------------------ | ------ | ------------------------------ |
| security_filter_id [*required*] | string | The ID of the security filter. |

### Response

{% tab title="204" %}
OK
{% /tab %}

{% tab title="403" %}
Not Authorized
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="404" %}
Not Found
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="429" %}
Too many requests
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

### Code Example

```bash
# Path parameters
export security_filter_id="CHANGE_ME"
# Curl command (replace api.datadoghq.com with the API host for your Datadog site, as listed in the endpoint table above)
curl -X DELETE "https://api.datadoghq.com/api/v2/security_monitoring/configuration/security_filters/${security_filter_id}" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"
```

```python
"""
Delete a security filter returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    api_instance.delete_security_filter(
        security_filter_id="security_filter_id",
    )
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=python) and then save the example to `example.py` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
```

```ruby
# Delete a security filter returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new
api_instance.delete_security_filter("security_filter_id")
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=ruby) and then save the example to `example.rb` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" ruby "example.rb"
```

```go
// Delete a security filter returns "OK" response

package main

import (
	"context"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	r, err := api.DeleteSecurityFilter(ctx, "security_filter_id")

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.DeleteSecurityFilter`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=go) and then save the example to `main.go` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
```

```java
// Delete a security filter returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    try {
      apiInstance.deleteSecurityFilter("security_filter_id");
    } catch (ApiException e) {
      System.err.println("Exception when calling SecurityMonitoringApi#deleteSecurityFilter");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=java) and then save the example to `Example.java` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"
```

```rust
// Delete a security filter returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;

#[tokio::main]
async fn main() {
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api
        .delete_security_filter("security_filter_id".to_string())
        .await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=rust) and then save the example to `src/main.rs` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run
```

```typescript
/**
 * Delete a security filter returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiDeleteSecurityFilterRequest = {
  securityFilterId: "security_filter_id",
};

apiInstance
  .deleteSecurityFilter(params)
  .then((data: any) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=typescript) and then save the example to `example.ts` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"
```
{% /tab %}

## Get all suppression rules{% #get-all-suppression-rules %}

{% tab title="v2" %}

| Datadog site      | API endpoint                                                                            |
| ----------------- | --------------------------------------------------------------------------------------- |
| ap1.datadoghq.com | GET https://api.ap1.datadoghq.com/api/v2/security_monitoring/configuration/suppressions |
| ap2.datadoghq.com | GET https://api.ap2.datadoghq.com/api/v2/security_monitoring/configuration/suppressions |
| app.datadoghq.eu  | GET https://api.datadoghq.eu/api/v2/security_monitoring/configuration/suppressions      |
| app.ddog-gov.com  | GET https://api.ddog-gov.com/api/v2/security_monitoring/configuration/suppressions      |
| app.datadoghq.com | GET https://api.datadoghq.com/api/v2/security_monitoring/configuration/suppressions     |
| us3.datadoghq.com | GET https://api.us3.datadoghq.com/api/v2/security_monitoring/configuration/suppressions |
| us5.datadoghq.com | GET https://api.us5.datadoghq.com/api/v2/security_monitoring/configuration/suppressions |

### Overview

Get the list of all suppression rules.

OAuth apps require the `security_monitoring_suppressions_read` authorization [scope](https://docs.datadoghq.com/api/latest/scopes/#security-monitoring) to access this endpoint.



### Arguments

#### Query Strings

| Name         | Type    | Description                                                                                                                                                                                                                                          |
| ------------ | ------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| query        | string  | Query string.                                                                                                                                                                                                                                        |
| sort         | enum    | Attribute used to sort the list of suppression rules. Prefix with `-` to sort in descending order. Allowed enum values: `name, start_date, expiration_date, update_date, enabled, -name, -start_date, -expiration_date, -update_date, -creation_date` |
| page[size]   | integer | Size for a given page. Use `-1` to return all items.                                                                                                                                                                                                 |
| page[number] | integer | Specific page number to return.                                                                                                                                                                                                                      |

### Response

{% tab title="200" %}
OK
{% tab title="Model" %}
Response object containing the available suppression rules with pagination metadata.

| Parent field | Field                | Type     | Description                                                                                                                                                                                                                                         |
| ------------ | -------------------- | -------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|              | data                 | [object] | A list of suppressions objects.                                                                                                                                                                                                                     |
| data         | attributes           | object   | The attributes of the suppression rule.                                                                                                                                                                                                             |
| attributes   | creation_date        | int64    | A Unix millisecond timestamp giving the creation date of the suppression rule.                                                                                                                                                                      |
| attributes   | creator              | object   | A user.                                                                                                                                                                                                                                             |
| creator      | handle               | string   | The handle of the user.                                                                                                                                                                                                                             |
| creator      | name                 | string   | The name of the user.                                                                                                                                                                                                                               |
| attributes   | data_exclusion_query | string   | An exclusion query on the input data of the security rules, which could be logs, Agent events, or other types of data based on the security rule. Events matching this query are ignored by any detection rules referenced in the suppression rule. |
| attributes   | description          | string   | A description for the suppression rule.                                                                                                                                                                                                             |
| attributes   | editable             | boolean  | Whether the suppression rule is editable.                                                                                                                                                                                                           |
| attributes   | enabled              | boolean  | Whether the suppression rule is enabled.                                                                                                                                                                                                            |
| attributes   | expiration_date      | int64    | A Unix millisecond timestamp giving an expiration date for the suppression rule. After this date, it won't suppress signals anymore.                                                                                                                |
| attributes   | name                 | string   | The name of the suppression rule.                                                                                                                                                                                                                   |
| attributes   | rule_query           | string   | The rule query of the suppression rule, with the same syntax as the search bar for detection rules.                                                                                                                                                 |
| attributes   | start_date           | int64    | A Unix millisecond timestamp giving the start date for the suppression rule. After this date, it starts suppressing signals.                                                                                                                        |
| attributes   | suppression_query    | string   | The suppression query of the suppression rule. If a signal matches this query, it is suppressed and not triggered. Same syntax as the queries to search signals in the signal explorer.                                                             |
| attributes   | tags                 | [string] | List of tags associated with the suppression rule.                                                                                                                                                                                                  |
| attributes   | update_date          | int64    | A Unix millisecond timestamp giving the update date of the suppression rule.                                                                                                                                                                        |
| attributes   | updater              | object   | A user.                                                                                                                                                                                                                                             |
| updater      | handle               | string   | The handle of the user.                                                                                                                                                                                                                             |
| updater      | name                 | string   | The name of the user.                                                                                                                                                                                                                               |
| attributes   | version              | int32    | The version of the suppression rule; it starts at 1, and is incremented at each update.                                                                                                                                                             |
| data         | id                   | string   | The ID of the suppression rule.                                                                                                                                                                                                                     |
| data         | type                 | enum     | The type of the resource. The value should always be `suppressions`. Allowed enum values: `suppressions`                                                                                                                                            |
|              | meta                 | object   | Metadata for the suppression list response.                                                                                                                                                                                                         |
| meta         | page                 | object   | Pagination metadata.                                                                                                                                                                                                                                |
| page         | pageNumber           | int64    | Current page number.                                                                                                                                                                                                                                |
| page         | pageSize             | int64    | Current page size.                                                                                                                                                                                                                                  |
| page         | totalCount           | int64    | Total count of suppressions.                                                                                                                                                                                                                        |

{% /tab %}

{% tab title="Example" %}

```json
{
  "data": [
    {
      "attributes": {
        "creation_date": "integer",
        "creator": {
          "handle": "john.doe@datadoghq.com",
          "name": "John Doe"
        },
        "data_exclusion_query": "source:cloudtrail account_id:12345",
        "description": "This rule suppresses low-severity signals in staging environments.",
        "editable": true,
        "enabled": true,
        "expiration_date": 1703187336000,
        "name": "Custom suppression",
        "rule_query": "type:log_detection source:cloudtrail",
        "start_date": 1703187336000,
        "suppression_query": "env:staging status:low",
        "tags": [
          "technique:T1110-brute-force",
          "source:cloudtrail"
        ],
        "update_date": "integer",
        "updater": {
          "handle": "john.doe@datadoghq.com",
          "name": "John Doe"
        },
        "version": 42
      },
      "id": "3dd-0uc-h1s",
      "type": "suppressions"
    }
  ],
  "meta": {
    "page": {
      "pageNumber": 0,
      "pageSize": 2,
      "totalCount": 2
    }
  }
}
```

{% /tab %}

{% /tab %}

{% tab title="403" %}
Not Authorized
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="429" %}
Too many requests
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}
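
An added example, not part of the Datadog documentation: a Python audit over the response model above that pages through the list with `page[number]` and `page[size]` until `meta.page.totalCount` is reached, then flags active rules that never expire, expire far in the future, or carry a `data_exclusion_query`. The `fetch_page` callable, the sample rules, the 90-day threshold and zero-based page numbering (taken from the example response's `pageNumber: 0`) are assumptions.

```python
"""Audit suppression rules for long-lived detection gaps (added example)."""
from typing import Callable, Dict, Iterator, List

DAY_MS = 24 * 60 * 60 * 1000
NOW_MS = 1703187336000  # constructed reference time (Unix milliseconds)


def _rule(rule_id, name, enabled, expiration=None, data_exclusion=None):
    """Build a constructed rule using field names from the response model."""
    attrs = {
        "name": name,
        "enabled": enabled,
        "rule_query": "type:log_detection source:cloudtrail",
        "suppression_query": "env:staging status:low",
        "start_date": NOW_MS - 30 * DAY_MS,
        "updater": {"handle": "john.doe@datadoghq.com", "name": "John Doe"},
    }
    if expiration is not None:
        attrs["expiration_date"] = expiration
    if data_exclusion is not None:
        attrs["data_exclusion_query"] = data_exclusion
    return {"id": rule_id, "type": "suppressions", "attributes": attrs}


# Constructed sample data, not real suppression rules.
SAMPLE_RULES = [
    _rule("aaa-111-aaa", "Staging noise", True),
    _rule("bbb-222-bbb", "Drop one account", True, NOW_MS + 10 * DAY_MS,
          "source:cloudtrail account_id:12345"),
    _rule("ccc-333-ccc", "Old migration window", True, NOW_MS - DAY_MS),
    _rule("ddd-444-ddd", "Disabled rule", False),
    _rule("eee-555-eee", "Year-long exception", True, NOW_MS + 400 * DAY_MS),
]


def fake_fetch(page_number: int, page_size: int) -> Dict:
    """Offline stand-in for a GET with page[number] and page[size] set."""
    start = page_number * page_size
    return {
        "data": SAMPLE_RULES[start:start + page_size],
        "meta": {"page": {"pageNumber": page_number, "pageSize": page_size,
                          "totalCount": len(SAMPLE_RULES)}},
    }


def iter_suppressions(fetch_page: Callable[[int, int], Dict],
                      page_size: int = 2) -> Iterator[Dict]:
    """Yield every rule, requesting pages until totalCount rules were seen."""
    page_number, seen = 0, 0  # assumption: pages are numbered from 0
    while True:
        body = fetch_page(page_number, page_size)
        rules = body.get("data", [])
        yield from rules
        seen += len(rules)
        total = body.get("meta", {}).get("page", {}).get("totalCount", seen)
        if not rules or seen >= total:
            return
        page_number += 1


def is_active(attrs: Dict, now_ms: int) -> bool:
    """A rule suppresses only if enabled, started, and not yet expired."""
    start, end = attrs.get("start_date"), attrs.get("expiration_date")
    if not attrs.get("enabled", False):
        return False
    if start is not None and start > now_ms:
        return False
    return end is None or end > now_ms


def audit_rule(rule: Dict, now_ms: int, max_days: int = 90) -> List[str]:
    """Return finding labels for one rule; an empty list means nothing to review."""
    attrs = rule.get("attributes", {})
    if not is_active(attrs, now_ms):
        return []
    findings = []
    end = attrs.get("expiration_date")
    if end is None:
        findings.append("no_expiration")   # suppresses indefinitely
    elif end - now_ms > max_days * DAY_MS:
        findings.append("long_lived")      # expires beyond the review window
    if attrs.get("data_exclusion_query"):
        findings.append("data_exclusion")  # matching events never reach the rules
    return findings


def audit(fetch_page: Callable[[int, int], Dict], now_ms: int,
          max_days: int = 90) -> List[Dict]:
    """Collect every rule with findings, plus who last updated it."""
    report = []
    for rule in iter_suppressions(fetch_page):
        findings = audit_rule(rule, now_ms, max_days)
        if findings:
            attrs = rule["attributes"]
            report.append({"id": rule["id"], "name": attrs.get("name"),
                           "updater": (attrs.get("updater") or {}).get("handle"),
                           "findings": findings})
    return report


if __name__ == "__main__":
    for row in audit(fake_fetch, NOW_MS):
        print(row)
```

To run it against a live account, replace `fake_fetch` with a function that performs the GET request shown on this page and returns the decoded JSON body.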

### Code Example

```bash
# Curl command (replace api.datadoghq.com with the API host for your Datadog site, as listed in the endpoint table above)
curl -X GET "https://api.datadoghq.com/api/v2/security_monitoring/configuration/suppressions" \
-H "Accept: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"
```

```python
"""
Get all suppression rules returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.list_security_monitoring_suppressions()

    print(response)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=python) and then save the example to `example.py` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
```

```ruby
# Get all suppression rules returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new
p api_instance.list_security_monitoring_suppressions()
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=ruby) and then save the example to `example.rb` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" ruby "example.rb"
```

```go
// Get all suppression rules returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.ListSecurityMonitoringSuppressions(ctx, *datadogV2.NewListSecurityMonitoringSuppressionsOptionalParameters())

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.ListSecurityMonitoringSuppressions`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.ListSecurityMonitoringSuppressions`:\n%s\n", responseContent)
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=go), then save the example to `main.go` and run the following command. Set `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"

```java
// Get all suppression rules returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityMonitoringPaginatedSuppressionsResponse;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    try {
      SecurityMonitoringPaginatedSuppressionsResponse result =
          apiInstance.listSecurityMonitoringSuppressions();
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#listSecurityMonitoringSuppressions");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=java), then save the example to `Example.java` and run the following command. Set `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"

```rust
// Get all suppression rules returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::ListSecurityMonitoringSuppressionsOptionalParams;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;

#[tokio::main]
async fn main() {
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api
        .list_security_monitoring_suppressions(
            ListSecurityMonitoringSuppressionsOptionalParams::default(),
        )
        .await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=rust), then save the example to `src/main.rs` and run the following command. Set `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run

```typescript
/**
 * Get all suppression rules returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

apiInstance
  .listSecurityMonitoringSuppressions()
  .then((data: v2.SecurityMonitoringPaginatedSuppressionsResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=typescript), then save the example to `example.ts` and run the following command. Set `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"
{% /tab %}

## Create a suppression rule{% #create-a-suppression-rule %}

{% tab title="v2" %}

| Datadog site      | API endpoint                                                                             |
| ----------------- | ---------------------------------------------------------------------------------------- |
| ap1.datadoghq.com | POST https://api.ap1.datadoghq.com/api/v2/security_monitoring/configuration/suppressions |
| ap2.datadoghq.com | POST https://api.ap2.datadoghq.com/api/v2/security_monitoring/configuration/suppressions |
| app.datadoghq.eu  | POST https://api.datadoghq.eu/api/v2/security_monitoring/configuration/suppressions      |
| app.ddog-gov.com  | POST https://api.ddog-gov.com/api/v2/security_monitoring/configuration/suppressions      |
| app.datadoghq.com | POST https://api.datadoghq.com/api/v2/security_monitoring/configuration/suppressions     |
| us3.datadoghq.com | POST https://api.us3.datadoghq.com/api/v2/security_monitoring/configuration/suppressions |
| us5.datadoghq.com | POST https://api.us5.datadoghq.com/api/v2/security_monitoring/configuration/suppressions |

### Overview

Create a new suppression rule.

OAuth apps require the `security_monitoring_suppressions_write` authorization [scope](https://docs.datadoghq.com/api/latest/scopes/#security-monitoring) to access this endpoint.



### Request

#### Body Data (required)

The definition of the new suppression rule.

{% tab title="Model" %}

| Parent field | Field                        | Type     | Description                                                                                                                                                                                                                                         |
| ------------ | ---------------------------- | -------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|              | data [*required*]       | object   | Object for a single suppression rule.                                                                                                                                                                                                               |
| data         | attributes [*required*] | object   | Object containing the attributes of the suppression rule to be created.                                                                                                                                                                             |
| attributes   | data_exclusion_query         | string   | An exclusion query on the input data of the security rules, which could be logs, Agent events, or other types of data based on the security rule. Events matching this query are ignored by any detection rules referenced in the suppression rule. |
| attributes   | description                  | string   | A description for the suppression rule.                                                                                                                                                                                                             |
| attributes   | enabled [*required*]    | boolean  | Whether the suppression rule is enabled.                                                                                                                                                                                                            |
| attributes   | expiration_date              | int64    | A Unix millisecond timestamp giving an expiration date for the suppression rule. After this date, it won't suppress signals anymore.                                                                                                                |
| attributes   | name [*required*]       | string   | The name of the suppression rule.                                                                                                                                                                                                                   |
| attributes   | rule_query [*required*] | string   | The rule query of the suppression rule, with the same syntax as the search bar for detection rules.                                                                                                                                                 |
| attributes   | start_date                   | int64    | A Unix millisecond timestamp giving the start date for the suppression rule. After this date, it starts suppressing signals.                                                                                                                        |
| attributes   | suppression_query            | string   | The suppression query of the suppression rule. If a signal matches this query, it is suppressed and is not triggered. It uses the same syntax as the queries to search signals in the Signals Explorer.                                             |
| attributes   | tags                         | [string] | List of tags associated with the suppression rule.                                                                                                                                                                                                  |
| data         | type [*required*]       | enum     | The type of the resource. The value should always be `suppressions`. Allowed enum values: `suppressions`                                                                                                                                            |

{% /tab %}

{% tab title="Example" %}

```json
{
  "data": {
    "attributes": {
      "description": "This rule suppresses low-severity signals in staging environments.",
      "enabled": true,
      "start_date": 1637493071000,
      "expiration_date": 1638443471000,
      "name": "Example-Security-Monitoring",
      "rule_query": "type:log_detection source:cloudtrail",
      "suppression_query": "env:staging status:low",
      "tags": [
        "technique:T1110-brute-force",
        "source:cloudtrail"
      ]
    },
    "type": "suppressions"
  }
}
```


```json
{
  "data": {
    "attributes": {
      "description": "This rule suppresses low-severity signals in staging environments.",
      "enabled": true,
      "start_date": 1637493071000,
      "expiration_date": 1638443471000,
      "name": "Example-Security-Monitoring",
      "rule_query": "type:log_detection source:cloudtrail",
      "data_exclusion_query": "account_id:12345"
    },
    "type": "suppressions"
  }
}
```

{% /tab %}
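A pre-flight lint for the request body described above, as an added example that is not part of Datadog's documentation or client libraries. `lint_suppression`, `codes`, the finding codes, the 90-day window limit and the scope and `rule_query` checks are assumptions standing in for a local review policy; the required fields and the millisecond timestamps come from the model table.

```python
"""Pre-flight lint for a suppression-rule create body (added example)."""
from __future__ import annotations

MS_PER_DAY = 86_400_000
MIN_PLAUSIBLE_MS = 10**12  # 2001-09-09 in Unix ms; smaller values are probably seconds
MAX_WINDOW_DAYS = 90       # assumption: local review policy, not a Datadog limit
REQUIRED_ATTRS = ("enabled", "name", "rule_query")  # marked required in the model table

# Request body copied from the page's first example.
PAGE_EXAMPLE = {
    "data": {
        "attributes": {
            "description": "This rule suppresses low-severity signals in staging environments.",
            "enabled": True,
            "start_date": 1637493071000,
            "expiration_date": 1638443471000,
            "name": "Example-Security-Monitoring",
            "rule_query": "type:log_detection source:cloudtrail",
            "suppression_query": "env:staging status:low",
            "tags": ["technique:T1110-brute-force", "source:cloudtrail"],
        },
        "type": "suppressions",
    }
}

# Constructed sample: start_date in seconds, no expiry, no scope, wildcard rule_query.
CONSTRUCTED_BAD = {
    "data": {
        "attributes": {
            "enabled": True,
            "name": "constructed-broad-rule",
            "rule_query": "*",
            "start_date": 1637493071,
        },
        "type": "suppressions",
    }
}


def lint_suppression(payload: dict, now_ms: int) -> list[str]:
    """Return findings for a create-suppression body; an empty list means it passed."""
    findings: list[str] = []
    data = payload.get("data") or {}
    attrs = data.get("attributes") or {}

    if data.get("type") != "suppressions":
        findings.append("TYPE: data.type must be 'suppressions'")
    for key in REQUIRED_ATTRS:
        if key not in attrs:
            findings.append(f"MISSING: attributes.{key} is required")
    if "enabled" in attrs and not isinstance(attrs["enabled"], bool):
        findings.append("ENABLED: attributes.enabled must be a boolean")

    # Both dates are Unix *millisecond* timestamps. A seconds value lands in
    # January 1970, so an expiration given in seconds is already in the past.
    dates: dict[str, int] = {}
    for key in ("start_date", "expiration_date"):
        value = attrs.get(key)
        if value is None:
            continue
        if isinstance(value, bool) or not isinstance(value, int):
            findings.append(f"DATE_TYPE: attributes.{key} must be an int64")
        elif value < MIN_PLAUSIBLE_MS:
            findings.append(f"DATE_UNIT: attributes.{key} looks like seconds, not milliseconds")
        else:
            dates[key] = value

    start, end = dates.get("start_date"), dates.get("expiration_date")
    if attrs.get("expiration_date") is None:
        findings.append("NO_EXPIRY: no expiration_date, so the rule has no end date")
    elif end is not None:
        if end <= now_ms:
            findings.append("EXPIRED: expiration_date is already in the past")
        if start is not None and end <= start:
            findings.append("WINDOW: expiration_date is not after start_date")
        begin = start if start is not None else now_ms
        if end - begin > MAX_WINDOW_DAYS * MS_PER_DAY:
            findings.append(f"LONG_WINDOW: suppression lasts more than {MAX_WINDOW_DAYS} days")

    # Assumption (local policy): every rule must state what it silences.
    if not attrs.get("suppression_query") and not attrs.get("data_exclusion_query"):
        findings.append("NO_SCOPE: neither suppression_query nor data_exclusion_query is set")
    # Assumption (local policy): rule_query must contain at least one key:value filter.
    if "rule_query" in attrs and ":" not in str(attrs["rule_query"]):
        findings.append("BROAD_RULE_QUERY: rule_query does not narrow the detection rules")
    return findings


def codes(findings: list[str]) -> list[str]:
    """Strip the messages and keep only the finding codes."""
    return [finding.split(":", 1)[0] for finding in findings]


if __name__ == "__main__":
    for label, body in (("page example", PAGE_EXAMPLE), ("constructed", CONSTRUCTED_BAD)):
        print(label, lint_suppression(body, now_ms=1638000000000))
```

Pass the current time in milliseconds as `now_ms`; the fixed value in the demo falls inside the page example's suppression window.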

### Response

{% tab title="200" %}
OK
{% tab title="Model" %}
Response object containing a single suppression rule.

| Parent field | Field                | Type     | Description                                                                                                                                                                                                                                         |
| ------------ | -------------------- | -------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|              | data                 | object   | The suppression rule's properties.                                                                                                                                                                                                                  |
| data         | attributes           | object   | The attributes of the suppression rule.                                                                                                                                                                                                             |
| attributes   | creation_date        | int64    | A Unix millisecond timestamp giving the creation date of the suppression rule.                                                                                                                                                                      |
| attributes   | creator              | object   | A user.                                                                                                                                                                                                                                             |
| creator      | handle               | string   | The handle of the user.                                                                                                                                                                                                                             |
| creator      | name                 | string   | The name of the user.                                                                                                                                                                                                                               |
| attributes   | data_exclusion_query | string   | An exclusion query on the input data of the security rules, which could be logs, Agent events, or other types of data based on the security rule. Events matching this query are ignored by any detection rules referenced in the suppression rule. |
| attributes   | description          | string   | A description for the suppression rule.                                                                                                                                                                                                             |
| attributes   | editable             | boolean  | Whether the suppression rule is editable.                                                                                                                                                                                                           |
| attributes   | enabled              | boolean  | Whether the suppression rule is enabled.                                                                                                                                                                                                            |
| attributes   | expiration_date      | int64    | A Unix millisecond timestamp giving an expiration date for the suppression rule. After this date, it won't suppress signals anymore.                                                                                                                |
| attributes   | name                 | string   | The name of the suppression rule.                                                                                                                                                                                                                   |
| attributes   | rule_query           | string   | The rule query of the suppression rule, with the same syntax as the search bar for detection rules.                                                                                                                                                 |
| attributes   | start_date           | int64    | A Unix millisecond timestamp giving the start date for the suppression rule. After this date, it starts suppressing signals.                                                                                                                        |
| attributes   | suppression_query    | string   | The suppression query of the suppression rule. If a signal matches this query, it is suppressed and not triggered. Same syntax as the queries to search signals in the signal explorer.                                                             |
| attributes   | tags                 | [string] | List of tags associated with the suppression rule.                                                                                                                                                                                                  |
| attributes   | update_date          | int64    | A Unix millisecond timestamp giving the update date of the suppression rule.                                                                                                                                                                        |
| attributes   | updater              | object   | A user.                                                                                                                                                                                                                                             |
| updater      | handle               | string   | The handle of the user.                                                                                                                                                                                                                             |
| updater      | name                 | string   | The name of the user.                                                                                                                                                                                                                               |
| attributes   | version              | int32    | The version of the suppression rule; it starts at 1, and is incremented at each update.                                                                                                                                                             |
| data         | id                   | string   | The ID of the suppression rule.                                                                                                                                                                                                                     |
| data         | type                 | enum     | The type of the resource. The value should always be `suppressions`. Allowed enum values: `suppressions`                                                                                                                                            |

{% /tab %}

{% tab title="Example" %}

```json
{
  "data": {
    "attributes": {
      "creation_date": "integer",
      "creator": {
        "handle": "john.doe@datadoghq.com",
        "name": "John Doe"
      },
      "data_exclusion_query": "source:cloudtrail account_id:12345",
      "description": "This rule suppresses low-severity signals in staging environments.",
      "editable": true,
      "enabled": true,
      "expiration_date": 1703187336000,
      "name": "Custom suppression",
      "rule_query": "type:log_detection source:cloudtrail",
      "start_date": 1703187336000,
      "suppression_query": "env:staging status:low",
      "tags": [
        "technique:T1110-brute-force",
        "source:cloudtrail"
      ],
      "update_date": "integer",
      "updater": {
        "handle": "john.doe@datadoghq.com",
        "name": "John Doe"
      },
      "version": 42
    },
    "id": "3dd-0uc-h1s",
    "type": "suppressions"
  }
}
```

{% /tab %}

{% /tab %}

{% tab title="400" %}
Bad Request
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="403" %}
Not Authorized
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="409" %}
Conflict
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="429" %}
Too many requests
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

### Code Example

```bash
# Curl command
# Substitute the API host for your Datadog site (see the endpoint table above).
curl -X POST "https://api.datadoghq.com/api/v2/security_monitoring/configuration/suppressions" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "data": {
    "attributes": {
      "description": "This rule suppresses low-severity signals in staging environments.",
      "enabled": true,
      "start_date": 1637493071000,
      "expiration_date": 1638443471000,
      "name": "Example-Security-Monitoring",
      "rule_query": "type:log_detection source:cloudtrail",
      "suppression_query": "env:staging status:low",
      "tags": [
        "technique:T1110-brute-force",
        "source:cloudtrail"
      ]
    },
    "type": "suppressions"
  }
}
EOF
```

```bash
# Curl command
# Substitute the API host for your Datadog site (see the endpoint table above).
curl -X POST "https://api.datadoghq.com/api/v2/security_monitoring/configuration/suppressions" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "data": {
    "attributes": {
      "description": "This rule suppresses low-severity signals in staging environments.",
      "enabled": true,
      "start_date": 1637493071000,
      "expiration_date": 1638443471000,
      "name": "Example-Security-Monitoring",
      "rule_query": "type:log_detection source:cloudtrail",
      "data_exclusion_query": "account_id:12345"
    },
    "type": "suppressions"
  }
}
EOF
```

```go
// Create a suppression rule returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	body := datadogV2.SecurityMonitoringSuppressionCreateRequest{
		Data: datadogV2.SecurityMonitoringSuppressionCreateData{
			Attributes: datadogV2.SecurityMonitoringSuppressionCreateAttributes{
				Description:      datadog.PtrString("This rule suppresses low-severity signals in staging environments."),
				Enabled:          true,
				StartDate:        datadog.PtrInt64(1637493071000),
				ExpirationDate:   datadog.PtrInt64(1638443471000),
				Name:             "Example-Security-Monitoring",
				RuleQuery:        "type:log_detection source:cloudtrail",
				SuppressionQuery: datadog.PtrString("env:staging status:low"),
				Tags: []string{
					"technique:T1110-brute-force",
					"source:cloudtrail",
				},
			},
			Type: datadogV2.SECURITYMONITORINGSUPPRESSIONTYPE_SUPPRESSIONS,
		},
	}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.CreateSecurityMonitoringSuppression(ctx, body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.CreateSecurityMonitoringSuppression`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.CreateSecurityMonitoringSuppression`:\n%s\n", responseContent)
}
```


```go
// Create a suppression rule with an exclusion query returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	body := datadogV2.SecurityMonitoringSuppressionCreateRequest{
		Data: datadogV2.SecurityMonitoringSuppressionCreateData{
			Attributes: datadogV2.SecurityMonitoringSuppressionCreateAttributes{
				Description:        datadog.PtrString("This rule suppresses low-severity signals in staging environments."),
				Enabled:            true,
				StartDate:          datadog.PtrInt64(1637493071000),
				ExpirationDate:     datadog.PtrInt64(1638443471000),
				Name:               "Example-Security-Monitoring",
				RuleQuery:          "type:log_detection source:cloudtrail",
				DataExclusionQuery: datadog.PtrString("account_id:12345"),
			},
			Type: datadogV2.SECURITYMONITORINGSUPPRESSIONTYPE_SUPPRESSIONS,
		},
	}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.CreateSecurityMonitoringSuppression(ctx, body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.CreateSecurityMonitoringSuppression`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.CreateSecurityMonitoringSuppression`:\n%s\n", responseContent)
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=go), then save the example to `main.go` and run the following command. Set `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"

```java
// Create a suppression rule returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityMonitoringSuppressionCreateAttributes;
import com.datadog.api.client.v2.model.SecurityMonitoringSuppressionCreateData;
import com.datadog.api.client.v2.model.SecurityMonitoringSuppressionCreateRequest;
import com.datadog.api.client.v2.model.SecurityMonitoringSuppressionResponse;
import com.datadog.api.client.v2.model.SecurityMonitoringSuppressionType;
import java.util.Arrays;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    SecurityMonitoringSuppressionCreateRequest body =
        new SecurityMonitoringSuppressionCreateRequest()
            .data(
                new SecurityMonitoringSuppressionCreateData()
                    .attributes(
                        new SecurityMonitoringSuppressionCreateAttributes()
                            .description(
                                "This rule suppresses low-severity signals in staging"
                                    + " environments.")
                            .enabled(true)
                            .startDate(1637493071000L)
                            .expirationDate(1638443471000L)
                            .name("Example-Security-Monitoring")
                            .ruleQuery("type:log_detection source:cloudtrail")
                            .suppressionQuery("env:staging status:low")
                            .tags(
                                Arrays.asList("technique:T1110-brute-force", "source:cloudtrail")))
                    .type(SecurityMonitoringSuppressionType.SUPPRESSIONS));

    try {
      SecurityMonitoringSuppressionResponse result =
          apiInstance.createSecurityMonitoringSuppression(body);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#createSecurityMonitoringSuppression");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}
```


```java
// Create a suppression rule with an exclusion query returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityMonitoringSuppressionCreateAttributes;
import com.datadog.api.client.v2.model.SecurityMonitoringSuppressionCreateData;
import com.datadog.api.client.v2.model.SecurityMonitoringSuppressionCreateRequest;
import com.datadog.api.client.v2.model.SecurityMonitoringSuppressionResponse;
import com.datadog.api.client.v2.model.SecurityMonitoringSuppressionType;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    SecurityMonitoringSuppressionCreateRequest body =
        new SecurityMonitoringSuppressionCreateRequest()
            .data(
                new SecurityMonitoringSuppressionCreateData()
                    .attributes(
                        new SecurityMonitoringSuppressionCreateAttributes()
                            .description(
                                "This rule suppresses low-severity signals in staging"
                                    + " environments.")
                            .enabled(true)
                            .startDate(1637493071000L)
                            .expirationDate(1638443471000L)
                            .name("Example-Security-Monitoring")
                            .ruleQuery("type:log_detection source:cloudtrail")
                            .dataExclusionQuery("account_id:12345"))
                    .type(SecurityMonitoringSuppressionType.SUPPRESSIONS));

    try {
      SecurityMonitoringSuppressionResponse result =
          apiInstance.createSecurityMonitoringSuppression(body);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#createSecurityMonitoringSuppression");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=java), then save the example to `Example.java` and run the following command. Set `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"

```python
"""
Create a suppression rule returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.security_monitoring_suppression_create_attributes import (
    SecurityMonitoringSuppressionCreateAttributes,
)
from datadog_api_client.v2.model.security_monitoring_suppression_create_data import (
    SecurityMonitoringSuppressionCreateData,
)
from datadog_api_client.v2.model.security_monitoring_suppression_create_request import (
    SecurityMonitoringSuppressionCreateRequest,
)
from datadog_api_client.v2.model.security_monitoring_suppression_type import SecurityMonitoringSuppressionType

body = SecurityMonitoringSuppressionCreateRequest(
    data=SecurityMonitoringSuppressionCreateData(
        attributes=SecurityMonitoringSuppressionCreateAttributes(
            description="This rule suppresses low-severity signals in staging environments.",
            enabled=True,
            start_date=1637493071000,
            expiration_date=1638443471000,
            name="Example-Security-Monitoring",
            rule_query="type:log_detection source:cloudtrail",
            suppression_query="env:staging status:low",
            tags=[
                "technique:T1110-brute-force",
                "source:cloudtrail",
            ],
        ),
        type=SecurityMonitoringSuppressionType.SUPPRESSIONS,
    ),
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.create_security_monitoring_suppression(body=body)

    print(response)
```


```python
"""
Create a suppression rule with an exclusion query returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.security_monitoring_suppression_create_attributes import (
    SecurityMonitoringSuppressionCreateAttributes,
)
from datadog_api_client.v2.model.security_monitoring_suppression_create_data import (
    SecurityMonitoringSuppressionCreateData,
)
from datadog_api_client.v2.model.security_monitoring_suppression_create_request import (
    SecurityMonitoringSuppressionCreateRequest,
)
from datadog_api_client.v2.model.security_monitoring_suppression_type import SecurityMonitoringSuppressionType

body = SecurityMonitoringSuppressionCreateRequest(
    data=SecurityMonitoringSuppressionCreateData(
        attributes=SecurityMonitoringSuppressionCreateAttributes(
            description="This rule suppresses low-severity signals in staging environments.",
            enabled=True,
            start_date=1637493071000,
            expiration_date=1638443471000,
            name="Example-Security-Monitoring",
            rule_query="type:log_detection source:cloudtrail",
            data_exclusion_query="account_id:12345",
        ),
        type=SecurityMonitoringSuppressionType.SUPPRESSIONS,
    ),
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.create_security_monitoring_suppression(body=body)

    print(response)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=python) and then save the example to `example.py` and run the following command, with `DD_SITE` set to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```shell
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
```

```ruby
# Create a suppression rule returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

body = DatadogAPIClient::V2::SecurityMonitoringSuppressionCreateRequest.new({
  data: DatadogAPIClient::V2::SecurityMonitoringSuppressionCreateData.new({
    attributes: DatadogAPIClient::V2::SecurityMonitoringSuppressionCreateAttributes.new({
      description: "This rule suppresses low-severity signals in staging environments.",
      enabled: true,
      start_date: 1637493071000,
      expiration_date: 1638443471000,
      name: "Example-Security-Monitoring",
      rule_query: "type:log_detection source:cloudtrail",
      suppression_query: "env:staging status:low",
      tags: [
        "technique:T1110-brute-force",
        "source:cloudtrail",
      ],
    }),
    type: DatadogAPIClient::V2::SecurityMonitoringSuppressionType::SUPPRESSIONS,
  }),
})
p api_instance.create_security_monitoring_suppression(body)
```


```ruby
# Create a suppression rule with an exclusion query returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

body = DatadogAPIClient::V2::SecurityMonitoringSuppressionCreateRequest.new({
  data: DatadogAPIClient::V2::SecurityMonitoringSuppressionCreateData.new({
    attributes: DatadogAPIClient::V2::SecurityMonitoringSuppressionCreateAttributes.new({
      description: "This rule suppresses low-severity signals in staging environments.",
      enabled: true,
      start_date: 1637493071000,
      expiration_date: 1638443471000,
      name: "Example-Security-Monitoring",
      rule_query: "type:log_detection source:cloudtrail",
      data_exclusion_query: "account_id:12345",
    }),
    type: DatadogAPIClient::V2::SecurityMonitoringSuppressionType::SUPPRESSIONS,
  }),
})
p api_instance.create_security_monitoring_suppression(body)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=ruby) and then save the example to `example.rb` and run the following command, with `DD_SITE` set to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```shell
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" ruby "example.rb"
```

```rust
// Create a suppression rule returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::SecurityMonitoringSuppressionCreateAttributes;
use datadog_api_client::datadogV2::model::SecurityMonitoringSuppressionCreateData;
use datadog_api_client::datadogV2::model::SecurityMonitoringSuppressionCreateRequest;
use datadog_api_client::datadogV2::model::SecurityMonitoringSuppressionType;

#[tokio::main]
async fn main() {
    let body = SecurityMonitoringSuppressionCreateRequest::new(
        SecurityMonitoringSuppressionCreateData::new(
            SecurityMonitoringSuppressionCreateAttributes::new(
                true,
                "Example-Security-Monitoring".to_string(),
                "type:log_detection source:cloudtrail".to_string(),
            )
            .description(
                "This rule suppresses low-severity signals in staging environments.".to_string(),
            )
            .expiration_date(1638443471000)
            .start_date(1637493071000)
            .suppression_query("env:staging status:low".to_string())
            .tags(vec![
                "technique:T1110-brute-force".to_string(),
                "source:cloudtrail".to_string(),
            ]),
            SecurityMonitoringSuppressionType::SUPPRESSIONS,
        ),
    );
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api.create_security_monitoring_suppression(body).await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}
```


```rust
// Create a suppression rule with an exclusion query returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::SecurityMonitoringSuppressionCreateAttributes;
use datadog_api_client::datadogV2::model::SecurityMonitoringSuppressionCreateData;
use datadog_api_client::datadogV2::model::SecurityMonitoringSuppressionCreateRequest;
use datadog_api_client::datadogV2::model::SecurityMonitoringSuppressionType;

#[tokio::main]
async fn main() {
    let body = SecurityMonitoringSuppressionCreateRequest::new(
        SecurityMonitoringSuppressionCreateData::new(
            SecurityMonitoringSuppressionCreateAttributes::new(
                true,
                "Example-Security-Monitoring".to_string(),
                "type:log_detection source:cloudtrail".to_string(),
            )
            .data_exclusion_query("account_id:12345".to_string())
            .description(
                "This rule suppresses low-severity signals in staging environments.".to_string(),
            )
            .expiration_date(1638443471000)
            .start_date(1637493071000),
            SecurityMonitoringSuppressionType::SUPPRESSIONS,
        ),
    );
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api.create_security_monitoring_suppression(body).await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=rust) and then save the example to `src/main.rs` and run the following command, with `DD_SITE` set to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```shell
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run
```

```typescript
/**
 * Create a suppression rule returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiCreateSecurityMonitoringSuppressionRequest =
  {
    body: {
      data: {
        attributes: {
          description:
            "This rule suppresses low-severity signals in staging environments.",
          enabled: true,
          startDate: 1637493071000,
          expirationDate: 1638443471000,
          name: "Example-Security-Monitoring",
          ruleQuery: "type:log_detection source:cloudtrail",
          suppressionQuery: "env:staging status:low",
          tags: ["technique:T1110-brute-force", "source:cloudtrail"],
        },
        type: "suppressions",
      },
    },
  };

apiInstance
  .createSecurityMonitoringSuppression(params)
  .then((data: v2.SecurityMonitoringSuppressionResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));
```


```typescript
/**
 * Create a suppression rule with an exclusion query returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiCreateSecurityMonitoringSuppressionRequest =
  {
    body: {
      data: {
        attributes: {
          description:
            "This rule suppresses low-severity signals in staging environments.",
          enabled: true,
          startDate: 1637493071000,
          expirationDate: 1638443471000,
          name: "Example-Security-Monitoring",
          ruleQuery: "type:log_detection source:cloudtrail",
          dataExclusionQuery: "account_id:12345",
        },
        type: "suppressions",
      },
    },
  };

apiInstance
  .createSecurityMonitoringSuppression(params)
  .then((data: v2.SecurityMonitoringSuppressionResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=typescript) and then save the example to `example.ts` and run the following command, with `DD_SITE` set to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```shell
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"
```
{% /tab %}

## Get a suppression rule{% #get-a-suppression-rule %}

{% tab title="v2" %}

| Datadog site      | API endpoint                                                                                             |
| ----------------- | -------------------------------------------------------------------------------------------------------- |
| ap1.datadoghq.com | GET https://api.ap1.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/{suppression_id} |
| ap2.datadoghq.com | GET https://api.ap2.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/{suppression_id} |
| app.datadoghq.eu  | GET https://api.datadoghq.eu/api/v2/security_monitoring/configuration/suppressions/{suppression_id}      |
| app.ddog-gov.com  | GET https://api.ddog-gov.com/api/v2/security_monitoring/configuration/suppressions/{suppression_id}      |
| app.datadoghq.com | GET https://api.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/{suppression_id}     |
| us3.datadoghq.com | GET https://api.us3.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/{suppression_id} |
| us5.datadoghq.com | GET https://api.us5.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/{suppression_id} |

### Overview

Get the details of a specific suppression rule.

OAuth apps require the `security_monitoring_suppressions_read` authorization [scope](https://docs.datadoghq.com/api/latest/scopes/#security-monitoring) to access this endpoint.



### Arguments

#### Path Parameters

| Name                             | Type   | Description                    |
| -------------------------------- | ------ | ------------------------------ |
| suppression_id [*required*] | string | The ID of the suppression rule |

### Response

{% tab title="200" %}
OK
{% tab title="Model" %}
Response object containing a single suppression rule.

| Parent field | Field                | Type     | Description                                                                                                                                                                                                                                         |
| ------------ | -------------------- | -------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|              | data                 | object   | The suppression rule's properties.                                                                                                                                                                                                                  |
| data         | attributes           | object   | The attributes of the suppression rule.                                                                                                                                                                                                             |
| attributes   | creation_date        | int64    | A Unix millisecond timestamp giving the creation date of the suppression rule.                                                                                                                                                                      |
| attributes   | creator              | object   | A user.                                                                                                                                                                                                                                             |
| creator      | handle               | string   | The handle of the user.                                                                                                                                                                                                                             |
| creator      | name                 | string   | The name of the user.                                                                                                                                                                                                                               |
| attributes   | data_exclusion_query | string   | An exclusion query on the input data of the security rules, which could be logs, Agent events, or other types of data based on the security rule. Events matching this query are ignored by any detection rules referenced in the suppression rule. |
| attributes   | description          | string   | A description for the suppression rule.                                                                                                                                                                                                             |
| attributes   | editable             | boolean  | Whether the suppression rule is editable.                                                                                                                                                                                                           |
| attributes   | enabled              | boolean  | Whether the suppression rule is enabled.                                                                                                                                                                                                            |
| attributes   | expiration_date      | int64    | A Unix millisecond timestamp giving an expiration date for the suppression rule. After this date, it won't suppress signals anymore.                                                                                                                |
| attributes   | name                 | string   | The name of the suppression rule.                                                                                                                                                                                                                   |
| attributes   | rule_query           | string   | The rule query of the suppression rule, with the same syntax as the search bar for detection rules.                                                                                                                                                 |
| attributes   | start_date           | int64    | A Unix millisecond timestamp giving the start date for the suppression rule. After this date, it starts suppressing signals.                                                                                                                        |
| attributes   | suppression_query    | string   | The suppression query of the suppression rule. If a signal matches this query, it is suppressed and not triggered. Same syntax as the queries to search signals in the signal explorer.                                                             |
| attributes   | tags                 | [string] | List of tags associated with the suppression rule.                                                                                                                                                                                                  |
| attributes   | update_date          | int64    | A Unix millisecond timestamp giving the update date of the suppression rule.                                                                                                                                                                        |
| attributes   | updater              | object   | A user.                                                                                                                                                                                                                                             |
| updater      | handle               | string   | The handle of the user.                                                                                                                                                                                                                             |
| updater      | name                 | string   | The name of the user.                                                                                                                                                                                                                               |
| attributes   | version              | int32    | The version of the suppression rule; it starts at 1, and is incremented at each update.                                                                                                                                                             |
| data         | id                   | string   | The ID of the suppression rule.                                                                                                                                                                                                                     |
| data         | type                 | enum     | The type of the resource. The value should always be `suppressions`. Allowed enum values: `suppressions`                                                                                                                                            |

{% /tab %}

{% tab title="Example" %}

```json
{
  "data": {
    "attributes": {
      "creation_date": "integer",
      "creator": {
        "handle": "john.doe@datadoghq.com",
        "name": "John Doe"
      },
      "data_exclusion_query": "source:cloudtrail account_id:12345",
      "description": "This rule suppresses low-severity signals in staging environments.",
      "editable": true,
      "enabled": true,
      "expiration_date": 1703187336000,
      "name": "Custom suppression",
      "rule_query": "type:log_detection source:cloudtrail",
      "start_date": 1703187336000,
      "suppression_query": "env:staging status:low",
      "tags": [
        "technique:T1110-brute-force",
        "source:cloudtrail"
      ],
      "update_date": "integer",
      "updater": {
        "handle": "john.doe@datadoghq.com",
        "name": "John Doe"
      },
      "version": 42
    },
    "id": "3dd-0uc-h1s",
    "type": "suppressions"
  }
}
```

{% /tab %}

{% /tab %}

{% tab title="403" %}
Not Authorized
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="404" %}
Not Found
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="429" %}
Too many requests
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

### Code Example

```shell
# Path parameters
export suppression_id="CHANGE_ME"
# Curl command
# Replace api.datadoghq.com with the API host for your Datadog site (see the endpoint table above).
curl -X GET "https://api.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/${suppression_id}" \
-H "Accept: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"
```

```python
"""
Get a suppression rule returns "OK" response
"""

from os import environ
from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi

# there is a valid "suppression" in the system
SUPPRESSION_DATA_ID = environ["SUPPRESSION_DATA_ID"]

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.get_security_monitoring_suppression(
        suppression_id=SUPPRESSION_DATA_ID,
    )

    print(response)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=python) and then save the example to `example.py` and run the following command, with `DD_SITE` set to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```shell
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
```

```ruby
# Get a suppression rule returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

# there is a valid "suppression" in the system
SUPPRESSION_DATA_ID = ENV["SUPPRESSION_DATA_ID"]
p api_instance.get_security_monitoring_suppression(SUPPRESSION_DATA_ID)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=ruby) and then save the example to `example.rb` and run the following command, with `DD_SITE` set to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```shell
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" ruby "example.rb"
```

```go
// Get a suppression rule returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	// there is a valid "suppression" in the system
	SuppressionDataID := os.Getenv("SUPPRESSION_DATA_ID")

	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.GetSecurityMonitoringSuppression(ctx, SuppressionDataID)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.GetSecurityMonitoringSuppression`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.GetSecurityMonitoringSuppression`:\n%s\n", responseContent)
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=go) and then save the example to `main.go` and run the following command, with `DD_SITE` set to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```shell
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
```

```java
// Get a suppression rule returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityMonitoringSuppressionResponse;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    // there is a valid "suppression" in the system
    String SUPPRESSION_DATA_ID = System.getenv("SUPPRESSION_DATA_ID");

    try {
      SecurityMonitoringSuppressionResponse result =
          apiInstance.getSecurityMonitoringSuppression(SUPPRESSION_DATA_ID);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#getSecurityMonitoringSuppression");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=java) and then save the example to `Example.java` and run the following command, with `DD_SITE` set to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```shell
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"
```

```rust
// Get a suppression rule returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;

#[tokio::main]
async fn main() {
    // there is a valid "suppression" in the system
    let suppression_data_id = std::env::var("SUPPRESSION_DATA_ID").unwrap();
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api
        .get_security_monitoring_suppression(suppression_data_id.clone())
        .await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=rust) and then save the example to `src/main.rs` and run the following command, with `DD_SITE` set to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```shell
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run
```

```typescript
/**
 * Get a suppression rule returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

// there is a valid "suppression" in the system
const SUPPRESSION_DATA_ID = process.env.SUPPRESSION_DATA_ID as string;

const params: v2.SecurityMonitoringApiGetSecurityMonitoringSuppressionRequest =
  {
    suppressionId: SUPPRESSION_DATA_ID,
  };

apiInstance
  .getSecurityMonitoringSuppression(params)
  .then((data: v2.SecurityMonitoringSuppressionResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=typescript) and then save the example to `example.ts` and run the following command, with `DD_SITE` set to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```shell
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"
```
{% /tab %}
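
A suppression rule hides signals or input events from detection, so each one is worth reviewing as a potential blind spot. The following added example (not from the Datadog documentation or client library) audits the `data` object documented in the response model above. The 90-day threshold, the `*` heuristic, the finding names, and the two rules marked as constructed are assumptions.

```python
"""Review suppression rules for detection blind spots (added example)."""

DAY_MS = 24 * 60 * 60 * 1000
MAX_WINDOW_DAYS = 90  # assumption: local review policy, not a Datadog limit


def suppression_state(attrs, now_ms):
    """Classify a rule as disabled, pending, active or expired at now_ms."""
    if not attrs.get("enabled", False):
        return "disabled"
    start, end = attrs.get("start_date"), attrs.get("expiration_date")
    # Assumption: the rule stops suppressing at exactly expiration_date.
    if end is not None and now_ms >= end:
        return "expired"
    if start is not None and now_ms < start:
        return "pending"
    return "active"


def audit_suppression(data, now_ms):
    """Return id, state and review findings for one `data` object of the response."""
    attrs = data.get("attributes", {})
    start, end = attrs.get("start_date"), attrs.get("expiration_date")
    findings = []

    # Time window: open-ended rules never stop suppressing on their own.
    if end is None:
        findings.append("no_expiration")
    elif start is not None and end <= start:
        findings.append("empty_window")  # rule can never be in effect
    elif start is not None and end - start > MAX_WINDOW_DAYS * DAY_MS:
        findings.append("long_window")

    # data_exclusion_query removes matching events before the detection rules see them.
    if attrs.get("data_exclusion_query"):
        findings.append("drops_input_events")

    # Heuristic (assumption): an empty or bare "*" rule_query targets every detection rule.
    terms = (attrs.get("rule_query") or "").split()
    if not terms or "*" in terms:
        findings.append("broad_rule_query")

    # A rule edited by someone other than its creator deserves a second look.
    creator = (attrs.get("creator") or {}).get("handle")
    updater = (attrs.get("updater") or {}).get("handle")
    if attrs.get("version", 1) > 1 and updater and updater != creator:
        findings.append("modified_by_other_user")

    return {"id": data.get("id"), "state": suppression_state(attrs, now_ms), "findings": findings}


# Sample 1 mirrors the response example on this page (fields not audited are omitted).
# Samples 2 and 3 are constructed for illustration.
SAMPLES = [
    {"id": "3dd-0uc-h1s", "type": "suppressions", "attributes": {
        "enabled": True, "version": 42,
        "start_date": 1703187336000, "expiration_date": 1703187336000,
        "rule_query": "type:log_detection source:cloudtrail",
        "suppression_query": "env:staging status:low",
        "data_exclusion_query": "source:cloudtrail account_id:12345",
        "creator": {"handle": "john.doe@datadoghq.com"},
        "updater": {"handle": "john.doe@datadoghq.com"}}},
    {"id": "constructed-open-ended", "type": "suppressions", "attributes": {
        "enabled": True, "version": 3, "start_date": 1637493071000,
        "rule_query": "*", "suppression_query": "env:staging status:low",
        "creator": {"handle": "alice@example.com"},
        "updater": {"handle": "bob@example.com"}}},
    {"id": "constructed-expired", "type": "suppressions", "attributes": {
        "enabled": True, "start_date": 1637493071000, "expiration_date": 1638443471000,
        "rule_query": "type:log_detection source:cloudtrail",
        "suppression_query": "env:staging status:low"}},
]

NOW_MS = 1703000000000  # constructed "current time" for the demo


def run_demo():
    """Audit every sample rule at NOW_MS."""
    return [audit_suppression(rule, NOW_MS) for rule in SAMPLES]


if __name__ == "__main__":
    for report in run_demo():
        print(report)
```

To audit live rules, pass the `data` object returned by `get_security_monitoring_suppression` (converted to a plain dict) and the current time in Unix milliseconds.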

## Update a suppression rule{% #update-a-suppression-rule %}

{% tab title="v2" %}

| Datadog site      | API endpoint                                                                                               |
| ----------------- | ---------------------------------------------------------------------------------------------------------- |
| ap1.datadoghq.com | PATCH https://api.ap1.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/{suppression_id} |
| ap2.datadoghq.com | PATCH https://api.ap2.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/{suppression_id} |
| app.datadoghq.eu  | PATCH https://api.datadoghq.eu/api/v2/security_monitoring/configuration/suppressions/{suppression_id}      |
| app.ddog-gov.com  | PATCH https://api.ddog-gov.com/api/v2/security_monitoring/configuration/suppressions/{suppression_id}      |
| app.datadoghq.com | PATCH https://api.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/{suppression_id}     |
| us3.datadoghq.com | PATCH https://api.us3.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/{suppression_id} |
| us5.datadoghq.com | PATCH https://api.us5.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/{suppression_id} |

### Overview

Update a specific suppression rule.

OAuth apps require the `security_monitoring_suppressions_write` authorization [scope](https://docs.datadoghq.com/api/latest/scopes/#security-monitoring) to access this endpoint.



### Arguments

#### Path Parameters

| Name                             | Type   | Description                    |
| -------------------------------- | ------ | ------------------------------ |
| suppression_id [*required*] | string | The ID of the suppression rule |

### Request

#### Body Data (required)

New definition of the suppression rule. Supports partial updates.

{% tab title="Model" %}

| Parent field | Field                        | Type     | Description                                                                                                                                                                                                                                                     |
| ------------ | ---------------------------- | -------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|              | data [*required*]       | object   | The new suppression properties; partial updates are supported.                                                                                                                                                                                                  |
| data         | attributes [*required*] | object   | The suppression rule properties to be updated.                                                                                                                                                                                                                  |
| attributes   | data_exclusion_query         | string   | An exclusion query on the input data of the security rules, which could be logs, Agent events, or other types of data based on the security rule. Events matching this query are ignored by any detection rules referenced in the suppression rule.             |
| attributes   | description                  | string   | A description for the suppression rule.                                                                                                                                                                                                                         |
| attributes   | enabled                      | boolean  | Whether the suppression rule is enabled.                                                                                                                                                                                                                        |
| attributes   | expiration_date              | int64    | A Unix millisecond timestamp giving an expiration date for the suppression rule. After this date, it won't suppress signals anymore. If unset, the expiration date of the suppression rule is left untouched. If set to `null`, the expiration date is removed. |
| attributes   | name                         | string   | The name of the suppression rule.                                                                                                                                                                                                                               |
| attributes   | rule_query                   | string   | The rule query of the suppression rule, with the same syntax as the search bar for detection rules.                                                                                                                                                             |
| attributes   | start_date                   | int64    | A Unix millisecond timestamp giving the start date for the suppression rule. After this date, it starts suppressing signals. If unset, the start date of the suppression rule is left untouched. If set to `null`, the start date is removed.                   |
| attributes   | suppression_query            | string   | The suppression query of the suppression rule. If a signal matches this query, it is suppressed and not triggered. Same syntax as the queries to search signals in the signal explorer.                                                                         |
| attributes   | tags                         | [string] | List of tags associated with the suppression rule.                                                                                                                                                                                                              |
| attributes   | version                      | int32    | The current version of the suppression. This is optional, but it can help prevent concurrent modifications.                                                                                                                                                     |
| data         | type [*required*]       | enum     | The type of the resource. The value should always be `suppressions`. Allowed enum values: `suppressions`                                                                                                                                                        |

{% /tab %}

{% tab title="Example" %}

```json
{
  "data": {
    "attributes": {
      "suppression_query": "env:staging status:low"
    },
    "type": "suppressions"
  }
}
```

{% /tab %}

### Response

{% tab title="200" %}
OK
{% tab title="Model" %}
Response object containing a single suppression rule.

| Parent field | Field                | Type     | Description                                                                                                                                                                                                                                         |
| ------------ | -------------------- | -------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|              | data                 | object   | The suppression rule's properties.                                                                                                                                                                                                                  |
| data         | attributes           | object   | The attributes of the suppression rule.                                                                                                                                                                                                             |
| attributes   | creation_date        | int64    | A Unix millisecond timestamp giving the creation date of the suppression rule.                                                                                                                                                                      |
| attributes   | creator              | object   | A user.                                                                                                                                                                                                                                             |
| creator      | handle               | string   | The handle of the user.                                                                                                                                                                                                                             |
| creator      | name                 | string   | The name of the user.                                                                                                                                                                                                                               |
| attributes   | data_exclusion_query | string   | An exclusion query on the input data of the security rules, which could be logs, Agent events, or other types of data based on the security rule. Events matching this query are ignored by any detection rules referenced in the suppression rule. |
| attributes   | description          | string   | A description for the suppression rule.                                                                                                                                                                                                             |
| attributes   | editable             | boolean  | Whether the suppression rule is editable.                                                                                                                                                                                                           |
| attributes   | enabled              | boolean  | Whether the suppression rule is enabled.                                                                                                                                                                                                            |
| attributes   | expiration_date      | int64    | A Unix millisecond timestamp giving an expiration date for the suppression rule. After this date, it won't suppress signals anymore.                                                                                                                |
| attributes   | name                 | string   | The name of the suppression rule.                                                                                                                                                                                                                   |
| attributes   | rule_query           | string   | The rule query of the suppression rule, with the same syntax as the search bar for detection rules.                                                                                                                                                 |
| attributes   | start_date           | int64    | A Unix millisecond timestamp giving the start date for the suppression rule. After this date, it starts suppressing signals.                                                                                                                        |
| attributes   | suppression_query    | string   | The suppression query of the suppression rule. If a signal matches this query, it is suppressed and not triggered. Same syntax as the queries to search signals in the signal explorer.                                                             |
| attributes   | tags                 | [string] | List of tags associated with the suppression rule.                                                                                                                                                                                                  |
| attributes   | update_date          | int64    | A Unix millisecond timestamp giving the update date of the suppression rule.                                                                                                                                                                        |
| attributes   | updater              | object   | A user.                                                                                                                                                                                                                                             |
| updater      | handle               | string   | The handle of the user.                                                                                                                                                                                                                             |
| updater      | name                 | string   | The name of the user.                                                                                                                                                                                                                               |
| attributes   | version              | int32    | The version of the suppression rule; it starts at 1, and is incremented at each update.                                                                                                                                                             |
| data         | id                   | string   | The ID of the suppression rule.                                                                                                                                                                                                                     |
| data         | type                 | enum     | The type of the resource. The value should always be `suppressions`. Allowed enum values: `suppressions`                                                                                                                                            |

{% /tab %}

{% tab title="Example" %}

```json
{
  "data": {
    "attributes": {
      "creation_date": "integer",
      "creator": {
        "handle": "john.doe@datadoghq.com",
        "name": "John Doe"
      },
      "data_exclusion_query": "source:cloudtrail account_id:12345",
      "description": "This rule suppresses low-severity signals in staging environments.",
      "editable": true,
      "enabled": true,
      "expiration_date": 1703187336000,
      "name": "Custom suppression",
      "rule_query": "type:log_detection source:cloudtrail",
      "start_date": 1703187336000,
      "suppression_query": "env:staging status:low",
      "tags": [
        "technique:T1110-brute-force",
        "source:cloudtrail"
      ],
      "update_date": "integer",
      "updater": {
        "handle": "john.doe@datadoghq.com",
        "name": "John Doe"
      },
      "version": 42
    },
    "id": "3dd-0uc-h1s",
    "type": "suppressions"
  }
}
```

{% /tab %}

{% /tab %}

{% tab title="400" %}
Bad Request
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="403" %}
Not Authorized
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="404" %}
Not Found
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="409" %}
Concurrent Modification
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="429" %}
Too many requests
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

### Code Example

```bash
# Path parameters
export suppression_id="CHANGE_ME"
# Curl command (replace api.datadoghq.com with the API host for your Datadog site; see the endpoint table above)
curl -X PATCH "https://api.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/${suppression_id}" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "data": {
    "attributes": {
      "suppression_query": "env:staging status:low"
    },
    "type": "suppressions"
  }
}
EOF
```

```go
// Update a suppression rule returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	// there is a valid "suppression" in the system
	SuppressionDataID := os.Getenv("SUPPRESSION_DATA_ID")

	body := datadogV2.SecurityMonitoringSuppressionUpdateRequest{
		Data: datadogV2.SecurityMonitoringSuppressionUpdateData{
			Attributes: datadogV2.SecurityMonitoringSuppressionUpdateAttributes{
				SuppressionQuery: datadog.PtrString("env:staging status:low"),
			},
			Type: datadogV2.SECURITYMONITORINGSUPPRESSIONTYPE_SUPPRESSIONS,
		},
	}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.UpdateSecurityMonitoringSuppression(ctx, SuppressionDataID, body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.UpdateSecurityMonitoringSuppression`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.UpdateSecurityMonitoringSuppression`:\n%s\n", responseContent)
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=go) and then save the example to `main.go` and run the following command:

    # Set DD_SITE to your Datadog site: datadoghq.com, us3.datadoghq.com, us5.datadoghq.com, datadoghq.eu, ap1.datadoghq.com, ap2.datadoghq.com, or ddog-gov.com
    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"

```java
// Update a suppression rule returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityMonitoringSuppressionResponse;
import com.datadog.api.client.v2.model.SecurityMonitoringSuppressionType;
import com.datadog.api.client.v2.model.SecurityMonitoringSuppressionUpdateAttributes;
import com.datadog.api.client.v2.model.SecurityMonitoringSuppressionUpdateData;
import com.datadog.api.client.v2.model.SecurityMonitoringSuppressionUpdateRequest;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    // there is a valid "suppression" in the system
    String SUPPRESSION_DATA_ID = System.getenv("SUPPRESSION_DATA_ID");

    SecurityMonitoringSuppressionUpdateRequest body =
        new SecurityMonitoringSuppressionUpdateRequest()
            .data(
                new SecurityMonitoringSuppressionUpdateData()
                    .attributes(
                        new SecurityMonitoringSuppressionUpdateAttributes()
                            .suppressionQuery("env:staging status:low"))
                    .type(SecurityMonitoringSuppressionType.SUPPRESSIONS));

    try {
      SecurityMonitoringSuppressionResponse result =
          apiInstance.updateSecurityMonitoringSuppression(SUPPRESSION_DATA_ID, body);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#updateSecurityMonitoringSuppression");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=java) and then save the example to `Example.java` and run the following command:

    # Set DD_SITE to your Datadog site: datadoghq.com, us3.datadoghq.com, us5.datadoghq.com, datadoghq.eu, ap1.datadoghq.com, ap2.datadoghq.com, or ddog-gov.com
    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"

```python
"""
Update a suppression rule returns "OK" response
"""

from os import environ
from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.security_monitoring_suppression_type import SecurityMonitoringSuppressionType
from datadog_api_client.v2.model.security_monitoring_suppression_update_attributes import (
    SecurityMonitoringSuppressionUpdateAttributes,
)
from datadog_api_client.v2.model.security_monitoring_suppression_update_data import (
    SecurityMonitoringSuppressionUpdateData,
)
from datadog_api_client.v2.model.security_monitoring_suppression_update_request import (
    SecurityMonitoringSuppressionUpdateRequest,
)

# there is a valid "suppression" in the system
SUPPRESSION_DATA_ID = environ["SUPPRESSION_DATA_ID"]

body = SecurityMonitoringSuppressionUpdateRequest(
    data=SecurityMonitoringSuppressionUpdateData(
        attributes=SecurityMonitoringSuppressionUpdateAttributes(
            suppression_query="env:staging status:low",
        ),
        type=SecurityMonitoringSuppressionType.SUPPRESSIONS,
    ),
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.update_security_monitoring_suppression(suppression_id=SUPPRESSION_DATA_ID, body=body)

    print(response)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=python) and then save the example to `example.py` and run the following command:

    # Set DD_SITE to your Datadog site: datadoghq.com, us3.datadoghq.com, us5.datadoghq.com, datadoghq.eu, ap1.datadoghq.com, ap2.datadoghq.com, or ddog-gov.com
    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"

```ruby
# Update a suppression rule returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

# there is a valid "suppression" in the system
SUPPRESSION_DATA_ID = ENV["SUPPRESSION_DATA_ID"]

body = DatadogAPIClient::V2::SecurityMonitoringSuppressionUpdateRequest.new({
  data: DatadogAPIClient::V2::SecurityMonitoringSuppressionUpdateData.new({
    attributes: DatadogAPIClient::V2::SecurityMonitoringSuppressionUpdateAttributes.new({
      suppression_query: "env:staging status:low",
    }),
    type: DatadogAPIClient::V2::SecurityMonitoringSuppressionType::SUPPRESSIONS,
  }),
})
p api_instance.update_security_monitoring_suppression(SUPPRESSION_DATA_ID, body)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=ruby) and then save the example to `example.rb` and run the following command:

    # Set DD_SITE to your Datadog site: datadoghq.com, us3.datadoghq.com, us5.datadoghq.com, datadoghq.eu, ap1.datadoghq.com, ap2.datadoghq.com, or ddog-gov.com
    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" ruby "example.rb"

```rust
// Update a suppression rule returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::SecurityMonitoringSuppressionType;
use datadog_api_client::datadogV2::model::SecurityMonitoringSuppressionUpdateAttributes;
use datadog_api_client::datadogV2::model::SecurityMonitoringSuppressionUpdateData;
use datadog_api_client::datadogV2::model::SecurityMonitoringSuppressionUpdateRequest;

#[tokio::main]
async fn main() {
    // there is a valid "suppression" in the system
    let suppression_data_id = std::env::var("SUPPRESSION_DATA_ID").unwrap();
    let body = SecurityMonitoringSuppressionUpdateRequest::new(
        SecurityMonitoringSuppressionUpdateData::new(
            SecurityMonitoringSuppressionUpdateAttributes::new()
                .suppression_query("env:staging status:low".to_string()),
            SecurityMonitoringSuppressionType::SUPPRESSIONS,
        ),
    );
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api
        .update_security_monitoring_suppression(suppression_data_id.clone(), body)
        .await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=rust) and then save the example to `src/main.rs` and run the following command:

    # Set DD_SITE to your Datadog site: datadoghq.com, us3.datadoghq.com, us5.datadoghq.com, datadoghq.eu, ap1.datadoghq.com, ap2.datadoghq.com, or ddog-gov.com
    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run

```typescript
/**
 * Update a suppression rule returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

// there is a valid "suppression" in the system
const SUPPRESSION_DATA_ID = process.env.SUPPRESSION_DATA_ID as string;

const params: v2.SecurityMonitoringApiUpdateSecurityMonitoringSuppressionRequest =
  {
    body: {
      data: {
        attributes: {
          suppressionQuery: "env:staging status:low",
        },
        type: "suppressions",
      },
    },
    suppressionId: SUPPRESSION_DATA_ID,
  };

apiInstance
  .updateSecurityMonitoringSuppression(params)
  .then((data: v2.SecurityMonitoringSuppressionResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=typescript) and then save the example to `example.ts` and run the following command:

    # Set DD_SITE to your Datadog site: datadoghq.com, us3.datadoghq.com, us5.datadoghq.com, datadoghq.eu, ap1.datadoghq.com, ap2.datadoghq.com, or ddog-gov.com
    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"
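
The body model above gives `expiration_date` three states (omitted, `null`, timestamp) and offers `version` as a guard against concurrent modification. The following added example, which is not part of the Datadog documentation or client libraries, builds such a body and retries after a conflict. `build_patch_body`, `update_suppression`, `ConflictError` and `FakeSuppressionAPI` are hypothetical names, the in-memory API is a constructed stand-in, and a 409 in response to a stale `version` is an assumption drawn from the `version` description and the 409 response.

```python
import json

UNCHANGED = object()  # sentinel: omit the key so the server leaves the field untouched
DATE_FIELDS = ("start_date", "expiration_date")


class ConflictError(Exception):
    """Stands in for an HTTP 409 Concurrent Modification response (assumption)."""


def build_patch_body(version, expiration_date=UNCHANGED, **attributes):
    """Build a partial-update body; only the keys present are changed.

    expiration_date: UNCHANGED -> key omitted, None -> JSON null (date removed),
    int -> Unix millisecond timestamp after which the rule stops suppressing.
    """
    attrs = dict(attributes, version=version)
    if expiration_date is not UNCHANGED:
        is_ms = isinstance(expiration_date, int) and not isinstance(expiration_date, bool)
        if expiration_date is not None and not is_ms:
            raise TypeError("expiration_date must be None or integer milliseconds")
        attrs["expiration_date"] = expiration_date
    return {"data": {"attributes": attrs, "type": "suppressions"}}


def update_suppression(get_rule, patch_rule, suppression_id, max_attempts=3, **changes):
    """Read the current version, send it with the PATCH, and retry on conflict."""
    for _ in range(max_attempts):
        current = get_rule(suppression_id)["data"]["attributes"]
        body = build_patch_body(current["version"], **changes)
        try:
            return patch_rule(suppression_id, body)
        except ConflictError:
            continue  # another writer got in first: re-read, rebuild, resend
    raise ConflictError(f"still conflicting after {max_attempts} attempts")


class FakeSuppressionAPI:
    """Constructed in-memory stand-in for the GET and PATCH endpoints."""

    def __init__(self, rule_id, attributes):
        self.rule_id = rule_id
        self.attributes = dict(attributes, version=1)  # versions start at 1
        self.foreign_edits = 0  # concurrent edits to inject right after a read

    def _response(self):
        return {"data": {"attributes": dict(self.attributes),
                         "id": self.rule_id, "type": "suppressions"}}

    def get(self, suppression_id):
        snapshot = self._response()
        if self.foreign_edits:
            # Simulate another client updating the rule after our read.
            self.foreign_edits -= 1
            self.attributes["description"] = "edited by another client"
            self.attributes["version"] += 1
        return snapshot

    def patch(self, suppression_id, body):
        sent = dict(body["data"]["attributes"])
        if sent.pop("version", self.attributes["version"]) != self.attributes["version"]:
            raise ConflictError("stale version")
        for key, value in sent.items():
            if value is None and key in DATE_FIELDS:
                self.attributes.pop(key, None)  # null removes the date
            else:
                self.attributes[key] = value
        self.attributes["version"] += 1  # incremented at each update
        return self._response()


def demo():
    """Add an expiry to an open-ended rule while another client edits it."""
    api = FakeSuppressionAPI("<suppression_id>", {
        "name": "Custom suppression",
        "suppression_query": "env:staging status:low",
        "enabled": True,
    })
    api.foreign_edits = 1
    result = update_suppression(api.get, api.patch, "<suppression_id>",
                                expiration_date=1703187336000)
    return result["data"]["attributes"]


if __name__ == "__main__":
    print(json.dumps(build_patch_body(3, expiration_date=None)))
    print(json.dumps(demo(), indent=2))
```

To use this against the real endpoint, pass callables that wrap the GET and PATCH requests and raise `ConflictError` on a 409 response.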
{% /tab %}

## Delete a suppression rule{% #delete-a-suppression-rule %}

{% tab title="v2" %}

| Datadog site      | API endpoint                                                                                                |
| ----------------- | ----------------------------------------------------------------------------------------------------------- |
| ap1.datadoghq.com | DELETE https://api.ap1.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/{suppression_id} |
| ap2.datadoghq.com | DELETE https://api.ap2.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/{suppression_id} |
| app.datadoghq.eu  | DELETE https://api.datadoghq.eu/api/v2/security_monitoring/configuration/suppressions/{suppression_id}      |
| app.ddog-gov.com  | DELETE https://api.ddog-gov.com/api/v2/security_monitoring/configuration/suppressions/{suppression_id}      |
| app.datadoghq.com | DELETE https://api.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/{suppression_id}     |
| us3.datadoghq.com | DELETE https://api.us3.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/{suppression_id} |
| us5.datadoghq.com | DELETE https://api.us5.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/{suppression_id} |

### Overview

Delete a specific suppression rule.

OAuth apps require the `security_monitoring_suppressions_write` authorization [scope](https://docs.datadoghq.com/api/latest/scopes/#security-monitoring) to access this endpoint.



### Arguments

#### Path Parameters

| Name                             | Type   | Description                    |
| -------------------------------- | ------ | ------------------------------ |
| suppression_id [*required*] | string | The ID of the suppression rule |

### Response

{% tab title="204" %}
OK
{% /tab %}

{% tab title="403" %}
Not Authorized
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="404" %}
Not Found
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="429" %}
Too many requests
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

### Code Example

```bash
# Path parameters
export suppression_id="CHANGE_ME"
# Curl command (replace api.datadoghq.com with the API host for your Datadog site; see the endpoint table above)
curl -X DELETE "https://api.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/${suppression_id}" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"
```

```python
"""
Delete a suppression rule returns "OK" response
"""

from os import environ
from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi

# there is a valid "suppression" in the system
SUPPRESSION_DATA_ID = environ["SUPPRESSION_DATA_ID"]

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    api_instance.delete_security_monitoring_suppression(
        suppression_id=SUPPRESSION_DATA_ID,
    )
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=python) and then save the example to `example.py` and run the following command:

    # Set DD_SITE to your Datadog site: datadoghq.com, us3.datadoghq.com, us5.datadoghq.com, datadoghq.eu, ap1.datadoghq.com, ap2.datadoghq.com, or ddog-gov.com
    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"

```ruby
# Delete a suppression rule returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

# there is a valid "suppression" in the system
SUPPRESSION_DATA_ID = ENV["SUPPRESSION_DATA_ID"]
api_instance.delete_security_monitoring_suppression(SUPPRESSION_DATA_ID)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=ruby), then save the example to `example.rb` and run the following command, setting `DD_SITE` to your Datadog site (one of `datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, `ddog-gov.com`):

```sh
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" ruby "example.rb"
```

##### Go

```go
// Delete a suppression rule returns "OK" response

package main

import (
	"context"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	// there is a valid "suppression" in the system
	SuppressionDataID := os.Getenv("SUPPRESSION_DATA_ID")

	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	r, err := api.DeleteSecurityMonitoringSuppression(ctx, SuppressionDataID)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.DeleteSecurityMonitoringSuppression`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=go), then save the example to `main.go` and run the following command, setting `DD_SITE` to your Datadog site (one of `datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, `ddog-gov.com`):

```sh
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
```

##### Java

```java
// Delete a suppression rule returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    // there is a valid "suppression" in the system
    String SUPPRESSION_DATA_ID = System.getenv("SUPPRESSION_DATA_ID");

    try {
      apiInstance.deleteSecurityMonitoringSuppression(SUPPRESSION_DATA_ID);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#deleteSecurityMonitoringSuppression");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=java), then save the example to `Example.java` and run the following command, setting `DD_SITE` to your Datadog site (one of `datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, `ddog-gov.com`):

```sh
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"
```

##### Rust

```rust
// Delete a suppression rule returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;

#[tokio::main]
async fn main() {
    // there is a valid "suppression" in the system
    let suppression_data_id = std::env::var("SUPPRESSION_DATA_ID").unwrap();
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api
        .delete_security_monitoring_suppression(suppression_data_id.clone())
        .await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=rust), then save the example to `src/main.rs` and run the following command, setting `DD_SITE` to your Datadog site (one of `datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, `ddog-gov.com`):

```sh
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run
```

##### TypeScript

```typescript
/**
 * Delete a suppression rule returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

// there is a valid "suppression" in the system
const SUPPRESSION_DATA_ID = process.env.SUPPRESSION_DATA_ID as string;

const params: v2.SecurityMonitoringApiDeleteSecurityMonitoringSuppressionRequest =
  {
    suppressionId: SUPPRESSION_DATA_ID,
  };

apiInstance
  .deleteSecurityMonitoringSuppression(params)
  .then((data: any) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=typescript), then save the example to `example.ts` and run the following command, setting `DD_SITE` to your Datadog site (one of `datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, `ddog-gov.com`):

```sh
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"
```

{% /tab %}

## Validate a suppression rule{% #validate-a-suppression-rule %}

{% tab title="v2" %}

| Datadog site      | API endpoint                                                                                        |
| ----------------- | --------------------------------------------------------------------------------------------------- |
| ap1.datadoghq.com | POST https://api.ap1.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/validation |
| ap2.datadoghq.com | POST https://api.ap2.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/validation |
| app.datadoghq.eu  | POST https://api.datadoghq.eu/api/v2/security_monitoring/configuration/suppressions/validation      |
| app.ddog-gov.com  | POST https://api.ddog-gov.com/api/v2/security_monitoring/configuration/suppressions/validation      |
| app.datadoghq.com | POST https://api.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/validation     |
| us3.datadoghq.com | POST https://api.us3.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/validation |
| us5.datadoghq.com | POST https://api.us5.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/validation |

### Overview

Validate a suppression rule. This endpoint requires the `security_monitoring_suppressions_write` permission.

OAuth apps require the `security_monitoring_suppressions_write` authorization [scope](https://docs.datadoghq.com/api/latest/scopes/#security-monitoring) to access this endpoint.



### Request

#### Body Data (required)



{% tab title="Model" %}

| Parent field | Field                        | Type     | Description                                                                                                                                                                                                                                         |
| ------------ | ---------------------------- | -------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|              | data [*required*]       | object   | Object for a single suppression rule.                                                                                                                                                                                                               |
| data         | attributes [*required*] | object   | Object containing the attributes of the suppression rule to be created.                                                                                                                                                                             |
| attributes   | data_exclusion_query         | string   | An exclusion query on the input data of the security rules, which could be logs, Agent events, or other types of data based on the security rule. Events matching this query are ignored by any detection rules referenced in the suppression rule. |
| attributes   | description                  | string   | A description for the suppression rule.                                                                                                                                                                                                             |
| attributes   | enabled [*required*]    | boolean  | Whether the suppression rule is enabled.                                                                                                                                                                                                            |
| attributes   | expiration_date              | int64    | A Unix millisecond timestamp giving an expiration date for the suppression rule. After this date, it won't suppress signals anymore.                                                                                                                |
| attributes   | name [*required*]       | string   | The name of the suppression rule.                                                                                                                                                                                                                   |
| attributes   | rule_query [*required*] | string   | The rule query of the suppression rule, with the same syntax as the search bar for detection rules.                                                                                                                                                 |
| attributes   | start_date                   | int64    | A Unix millisecond timestamp giving the start date for the suppression rule. After this date, it starts suppressing signals.                                                                                                                        |
| attributes   | suppression_query            | string   | The suppression query of the suppression rule. If a signal matches this query, it is suppressed and is not triggered. It uses the same syntax as the queries to search signals in the Signals Explorer.                                             |
| attributes   | tags                         | [string] | List of tags associated with the suppression rule.                                                                                                                                                                                                  |
| data         | type [*required*]       | enum     | The type of the resource. The value should always be `suppressions`. Allowed enum values: `suppressions`                                                                                                                                            |

{% /tab %}

{% tab title="Example" %}

```json
{
  "data": {
    "attributes": {
      "data_exclusion_query": "source:cloudtrail account_id:12345",
      "description": "This rule suppresses low-severity signals in staging environments.",
      "enabled": true,
      "name": "Custom suppression",
      "rule_query": "type:log_detection source:cloudtrail"
    },
    "type": "suppressions"
  }
}
```

{% /tab %}
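
A suppression rule switches off detection coverage, so it is worth reviewing the request body locally before sending it to the validation endpoint. The following is an added example, not Datadog's code: `review_suppression`, the 90-day `MAX_LIFETIME_DAYS` policy, the treatment of `*` as a match-all query, and the `RISKY` payload are assumptions made for illustration; the field names and types come from the model above.

```python
"""Pre-flight review of a suppression rule request body (added example)."""
from datetime import datetime, timezone

# Attribute names and types taken from the request model above.
REQUIRED = {"enabled": bool, "name": str, "rule_query": str}
OPTIONAL = {"data_exclusion_query": str, "description": str, "expiration_date": int,
            "start_date": int, "suppression_query": str, "tags": list}
MS_PER_DAY = 86_400_000
# 1e11 ms is March 1973; a smaller date value is almost certainly in seconds.
MIN_PLAUSIBLE_MS = 100_000_000_000
# Assumption: local policy ceiling on suppression lifetime, not an API limit.
MAX_LIFETIME_DAYS = 90

# Request body from the "Example" tab above.
PAGE_EXAMPLE = {"data": {"type": "suppressions", "attributes": {
    "data_exclusion_query": "source:cloudtrail account_id:12345",
    "description": "This rule suppresses low-severity signals in staging environments.",
    "enabled": True, "name": "Custom suppression",
    "rule_query": "type:log_detection source:cloudtrail"}}}
# Constructed payload: expiration_date given in seconds, rule_query far too broad.
RISKY = {"data": {"type": "suppressions", "attributes": {
    "enabled": True, "name": "Mute noisy rule", "rule_query": "*",
    "suppression_query": "env:staging",
    "start_date": 1_700_000_000_000, "expiration_date": 1_703_000_000}}}


def _type_ok(value, expected):
    # bool is a subclass of int in Python, so reject True/False for int64 fields.
    if expected is int:
        return isinstance(value, int) and not isinstance(value, bool)
    return isinstance(value, expected)


def review_suppression(payload, now_ms=None):
    """Return (errors, warnings) for a suppression rule request body."""
    if now_ms is None:
        now_ms = int(datetime.now(timezone.utc).timestamp() * 1000)
    errors, warnings = [], []
    data = payload.get("data") if isinstance(payload, dict) else None
    if not isinstance(data, dict):
        return ["data: required object is missing"], warnings
    if data.get("type") != "suppressions":
        errors.append("data.type: must be 'suppressions'")
    attrs = data.get("attributes")
    if not isinstance(attrs, dict):
        return errors + ["data.attributes: required object is missing"], warnings

    schema = {**REQUIRED, **OPTIONAL}
    for field in REQUIRED:
        if field not in attrs:
            errors.append(f"{field}: required field is missing")
    for field, value in attrs.items():
        if field not in schema:
            warnings.append(f"{field}: not in the documented model (typo?)")
        elif not _type_ok(value, schema[field]):
            errors.append(f"{field}: expected {schema[field].__name__}")

    # Date checks: both fields are Unix *millisecond* timestamps.
    dates = {}
    for field in ("start_date", "expiration_date"):
        value = attrs.get(field)
        if _type_ok(value, int):
            if value < MIN_PLAUSIBLE_MS:
                errors.append(f"{field}: {value} looks like seconds, not milliseconds")
            else:
                dates[field] = value
    start, end = dates.get("start_date"), dates.get("expiration_date")
    if end is not None:
        if start is not None and end <= start:
            errors.append("expiration_date: must be later than start_date")
        if end <= now_ms:
            warnings.append("expiration_date: already in the past, rule suppresses nothing")
        elif end - max(start or now_ms, now_ms) > MAX_LIFETIME_DAYS * MS_PER_DAY:
            warnings.append(f"expiration_date: more than {MAX_LIFETIME_DAYS} days away")
    elif "expiration_date" not in attrs and attrs.get("enabled") is True:
        warnings.append("expiration_date: not set, suppression never expires")

    # Scope checks: how much detection coverage the rule switches off.
    # Assumption: an empty or '*' query is treated as match-all.
    rule_query = attrs.get("rule_query")
    if isinstance(rule_query, str) and rule_query.strip() in ("", "*"):
        warnings.append("rule_query: empty or '*', likely matches every detection rule")
    supp_query = attrs.get("suppression_query")
    if isinstance(supp_query, str) and supp_query.strip() == "*":
        warnings.append("suppression_query: '*' matches every signal of the selected rules")
    if not supp_query and not attrs.get("data_exclusion_query"):
        warnings.append("no suppression_query or data_exclusion_query is set")
    return errors, warnings


if __name__ == "__main__":
    for label, body in (("page example", PAGE_EXAMPLE), ("risky", RISKY)):
        errs, warns = review_suppression(body)
        print(label, "errors:", errs, "warnings:", warns)
```

Errors are problems the payload should not be sent with; warnings are review prompts, such as an enabled rule with no `expiration_date`, that a change-approval step can require a justification for.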

### Response

{% tab title="204" %}
OK
{% /tab %}

{% tab title="400" %}
Bad Request
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="403" %}
Not Authorized
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="429" %}
Too many requests
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

### Code Example

##### Curl

```bash
# Curl command (api.datadoghq.com shown; use the API host for your Datadog site:
# api.ap1.datadoghq.com, api.ap2.datadoghq.com, api.datadoghq.eu, api.ddog-gov.com,
# api.us3.datadoghq.com, or api.us5.datadoghq.com)
curl -X POST "https://api.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/validation" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "data": {
    "attributes": {
      "data_exclusion_query": "source:cloudtrail account_id:12345",
      "description": "This rule suppresses low-severity signals in staging environments.",
      "enabled": true,
      "name": "Custom suppression",
      "rule_query": "type:log_detection source:cloudtrail"
    },
    "type": "suppressions"
  }
}
EOF
```

##### Go

```go
// Validate a suppression rule returns "OK" response

package main

import (
	"context"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	body := datadogV2.SecurityMonitoringSuppressionCreateRequest{
		Data: datadogV2.SecurityMonitoringSuppressionCreateData{
			Attributes: datadogV2.SecurityMonitoringSuppressionCreateAttributes{
				DataExclusionQuery: datadog.PtrString("source:cloudtrail account_id:12345"),
				Description:        datadog.PtrString("This rule suppresses low-severity signals in staging environments."),
				Enabled:            true,
				Name:               "Custom suppression",
				RuleQuery:          "type:log_detection source:cloudtrail",
			},
			Type: datadogV2.SECURITYMONITORINGSUPPRESSIONTYPE_SUPPRESSIONS,
		},
	}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	r, err := api.ValidateSecurityMonitoringSuppression(ctx, body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.ValidateSecurityMonitoringSuppression`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=go), then save the example to `main.go` and run the following command, setting `DD_SITE` to your Datadog site (one of `datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, `ddog-gov.com`):

```sh
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
```

##### Java

```java
// Validate a suppression rule returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityMonitoringSuppressionCreateAttributes;
import com.datadog.api.client.v2.model.SecurityMonitoringSuppressionCreateData;
import com.datadog.api.client.v2.model.SecurityMonitoringSuppressionCreateRequest;
import com.datadog.api.client.v2.model.SecurityMonitoringSuppressionType;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    SecurityMonitoringSuppressionCreateRequest body =
        new SecurityMonitoringSuppressionCreateRequest()
            .data(
                new SecurityMonitoringSuppressionCreateData()
                    .attributes(
                        new SecurityMonitoringSuppressionCreateAttributes()
                            .dataExclusionQuery("source:cloudtrail account_id:12345")
                            .description(
                                "This rule suppresses low-severity signals in staging"
                                    + " environments.")
                            .enabled(true)
                            .name("Custom suppression")
                            .ruleQuery("type:log_detection source:cloudtrail"))
                    .type(SecurityMonitoringSuppressionType.SUPPRESSIONS));

    try {
      apiInstance.validateSecurityMonitoringSuppression(body);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#validateSecurityMonitoringSuppression");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=java), then save the example to `Example.java` and run the following command, setting `DD_SITE` to your Datadog site (one of `datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, `ddog-gov.com`):

```sh
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"
```

##### Python

```python
"""
Validate a suppression rule returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.security_monitoring_suppression_create_attributes import (
    SecurityMonitoringSuppressionCreateAttributes,
)
from datadog_api_client.v2.model.security_monitoring_suppression_create_data import (
    SecurityMonitoringSuppressionCreateData,
)
from datadog_api_client.v2.model.security_monitoring_suppression_create_request import (
    SecurityMonitoringSuppressionCreateRequest,
)
from datadog_api_client.v2.model.security_monitoring_suppression_type import SecurityMonitoringSuppressionType

body = SecurityMonitoringSuppressionCreateRequest(
    data=SecurityMonitoringSuppressionCreateData(
        attributes=SecurityMonitoringSuppressionCreateAttributes(
            data_exclusion_query="source:cloudtrail account_id:12345",
            description="This rule suppresses low-severity signals in staging environments.",
            enabled=True,
            name="Custom suppression",
            rule_query="type:log_detection source:cloudtrail",
        ),
        type=SecurityMonitoringSuppressionType.SUPPRESSIONS,
    ),
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    api_instance.validate_security_monitoring_suppression(body=body)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=python), then save the example to `example.py` and run the following command, setting `DD_SITE` to your Datadog site (one of `datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, `ddog-gov.com`):

```sh
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
```

##### Ruby

```ruby
# Validate a suppression rule returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

body = DatadogAPIClient::V2::SecurityMonitoringSuppressionCreateRequest.new({
  data: DatadogAPIClient::V2::SecurityMonitoringSuppressionCreateData.new({
    attributes: DatadogAPIClient::V2::SecurityMonitoringSuppressionCreateAttributes.new({
      data_exclusion_query: "source:cloudtrail account_id:12345",
      description: "This rule suppresses low-severity signals in staging environments.",
      enabled: true,
      name: "Custom suppression",
      rule_query: "type:log_detection source:cloudtrail",
    }),
    type: DatadogAPIClient::V2::SecurityMonitoringSuppressionType::SUPPRESSIONS,
  }),
})
api_instance.validate_security_monitoring_suppression(body)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=ruby), then save the example to `example.rb` and run the following command, setting `DD_SITE` to your Datadog site (one of `datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, `ddog-gov.com`):

```sh
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" ruby "example.rb"
```

##### Rust

```rust
// Validate a suppression rule returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::SecurityMonitoringSuppressionCreateAttributes;
use datadog_api_client::datadogV2::model::SecurityMonitoringSuppressionCreateData;
use datadog_api_client::datadogV2::model::SecurityMonitoringSuppressionCreateRequest;
use datadog_api_client::datadogV2::model::SecurityMonitoringSuppressionType;

#[tokio::main]
async fn main() {
    let body = SecurityMonitoringSuppressionCreateRequest::new(
        SecurityMonitoringSuppressionCreateData::new(
            SecurityMonitoringSuppressionCreateAttributes::new(
                true,
                "Custom suppression".to_string(),
                "type:log_detection source:cloudtrail".to_string(),
            )
            .data_exclusion_query("source:cloudtrail account_id:12345".to_string())
            .description(
                "This rule suppresses low-severity signals in staging environments.".to_string(),
            ),
            SecurityMonitoringSuppressionType::SUPPRESSIONS,
        ),
    );
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api.validate_security_monitoring_suppression(body).await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=rust), then save the example to `src/main.rs` and run the following command, setting `DD_SITE` to your Datadog site (one of `datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, `ddog-gov.com`):

```sh
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run
```

##### TypeScript

```typescript
/**
 * Validate a suppression rule returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiValidateSecurityMonitoringSuppressionRequest =
  {
    body: {
      data: {
        attributes: {
          dataExclusionQuery: "source:cloudtrail account_id:12345",
          description:
            "This rule suppresses low-severity signals in staging environments.",
          enabled: true,
          name: "Custom suppression",
          ruleQuery: "type:log_detection source:cloudtrail",
        },
        type: "suppressions",
      },
    },
  };

apiInstance
  .validateSecurityMonitoringSuppression(params)
  .then((data: any) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=typescript), then save the example to `example.ts` and run the following command, setting `DD_SITE` to your Datadog site (one of `datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, `ddog-gov.com`):

```sh
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"
```

{% /tab %}

## Get suppressions affecting future rule{% #get-suppressions-affecting-future-rule %}

{% tab title="v2" %}

| Datadog site      | API endpoint                                                                                   |
| ----------------- | ---------------------------------------------------------------------------------------------- |
| ap1.datadoghq.com | POST https://api.ap1.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/rules |
| ap2.datadoghq.com | POST https://api.ap2.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/rules |
| app.datadoghq.eu  | POST https://api.datadoghq.eu/api/v2/security_monitoring/configuration/suppressions/rules      |
| app.ddog-gov.com  | POST https://api.ddog-gov.com/api/v2/security_monitoring/configuration/suppressions/rules      |
| app.datadoghq.com | POST https://api.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/rules     |
| us3.datadoghq.com | POST https://api.us3.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/rules |
| us5.datadoghq.com | POST https://api.us5.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/rules |

### Overview

Get the list of suppressions that would affect a rule.

OAuth apps require the `security_monitoring_suppressions_read` authorization [scope](https://docs.datadoghq.com/api/latest/scopes/#security-monitoring) to access this endpoint.



### Request

#### Body Data (required)



{% tab title="Model" %}

| Parent field             | Field                                     | Type     | Description                                                                                                                                                                                                                                                                                                                                                                                                      |
| ------------------------ | ----------------------------------------- | -------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|                          | Option 1                                  | object   | Create a new rule.                                                                                                                                                                                                                                                                                                                                                                                               |
| Option 1                 | calculatedFields                          | [object] | Calculated fields. Only allowed for scheduled rules - in other words, when schedulingOptions is also defined.                                                                                                                                                                                                                                                                                                    |
| calculatedFields         | expression [*required*]              | string   | Expression.                                                                                                                                                                                                                                                                                                                                                                                                      |
| calculatedFields         | name [*required*]                    | string   | Field name.                                                                                                                                                                                                                                                                                                                                                                                                      |
| Option 1                 | cases [*required*]                   | [object] | Cases for generating signals.                                                                                                                                                                                                                                                                                                                                                                                    |
| cases                    | actions                                   | [object] | Action to perform for each rule case.                                                                                                                                                                                                                                                                                                                                                                            |
| actions                  | options                                   | object   | Options for the rule action                                                                                                                                                                                                                                                                                                                                                                                      |
| options                  | duration                                  | int64    | Duration of the action in seconds. 0 indicates no expiration.                                                                                                                                                                                                                                                                                                                                                    |
| options                  | flaggedIPType                             | enum     | Used with the case action of type 'flag_ip'. The value specified in this field is applied as a flag to the IP addresses. Allowed enum values: `SUSPICIOUS,FLAGGED`                                                                                                                                                                                                                                               |
| options                  | userBehaviorName                          | string   | Used with the case action of type 'user_behavior'. The value specified in this field is applied as a risk tag to all users affected by the rule.                                                                                                                                                                                                                                                                 |
| actions                  | type                                      | enum     | The action type. Allowed enum values: `block_ip,block_user,user_behavior,flag_ip`                                                                                                                                                                                                                                                                                                                                |
| cases                    | condition                                 | string   | A case contains logical operations (`>`,`>=`, `&&`, `||`) to determine if a signal should be generated based on the event counts in the previously defined queries.                                                                                                                                                                                                                                              |
| cases                    | name                                      | string   | Name of the case.                                                                                                                                                                                                                                                                                                                                                                                                |
| cases                    | notifications                             | [string] | Notification targets.                                                                                                                                                                                                                                                                                                                                                                                            |
| cases                    | status [*required*]                  | enum     | Severity of the Security Signal. Allowed enum values: `info,low,medium,high,critical`                                                                                                                                                                                                                                                                                                                            |
| Option 1                 | filters                                   | [object] | Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules.                                                                                                                                                                                                                                              |
| filters                  | action                                    | enum     | The type of filtering action. Allowed enum values: `require,suppress`                                                                                                                                                                                                                                                                                                                                            |
| filters                  | query                                     | string   | Query for selecting logs to apply the filtering action.                                                                                                                                                                                                                                                                                                                                                          |
| Option 1                 | groupSignalsBy                            | [string] | Additional grouping to perform on top of the existing groups in the query section. Must be a subset of the existing groups.                                                                                                                                                                                                                                                                                      |
| Option 1                 | hasExtendedTitle                          | boolean  | Whether the notifications include the triggering group-by values in their title.                                                                                                                                                                                                                                                                                                                                 |
| Option 1                 | isEnabled [*required*]               | boolean  | Whether the rule is enabled.                                                                                                                                                                                                                                                                                                                                                                                     |
| Option 1                 | message [*required*]                 | string   | Message for generated signals.                                                                                                                                                                                                                                                                                                                                                                                   |
| Option 1                 | name [*required*]                    | string   | The name of the rule.                                                                                                                                                                                                                                                                                                                                                                                            |
| Option 1                 | options [*required*]                 | object   | Options.                                                                                                                                                                                                                                                                                                                                                                                                         |
| options                  | anomalyDetectionOptions                   | object   | Options on anomaly detection method.                                                                                                                                                                                                                                                                                                                                                                             |
| anomalyDetectionOptions  | bucketDuration                            | enum     | Duration in seconds of the time buckets used to aggregate events matched by the rule. Must be greater than or equal to 300. Allowed enum values: `300,600,900,1800,3600,10800`                                                                                                                                                                                                                                   |
| anomalyDetectionOptions  | detectionTolerance                        | enum     | An optional parameter that sets how permissive anomaly detection is. Higher values require higher deviations before triggering a signal. Allowed enum values: `1,2,3,4,5`                                                                                                                                                                                                                                        |
| anomalyDetectionOptions  | instantaneousBaseline                     | boolean  | When set to true, Datadog uses previous values that fall within the defined learning window to construct the baseline, enabling the system to establish an accurate baseline more rapidly rather than relying solely on gradual learning over time.                                                                                                                                                              |
| anomalyDetectionOptions  | learningDuration                          | enum     | Learning duration in hours. Anomaly detection waits for at least this amount of historical data before it starts evaluating. Allowed enum values: `1,6,12,24,48,168,336`                                                                                                                                                                                                                                         |
| anomalyDetectionOptions  | learningPeriodBaseline                    | int64    | An optional override baseline to apply while the rule is in the learning period. Must be greater than or equal to 0.                                                                                                                                                                                                                                                                                             |
| options                  | complianceRuleOptions                     | object   | Options for cloud_configuration rules. Fields `resourceType` and `regoRule` are mandatory when managing custom `cloud_configuration` rules.                                                                                                                                                                                                                                                                      |
| complianceRuleOptions    | complexRule                               | boolean  | Whether the rule is a complex one. Must be set to true if `regoRule.resourceTypes` contains more than one item. Defaults to false.                                                                                                                                                                                                                                                                               |
| complianceRuleOptions    | regoRule                                  | object   | Rule details.                                                                                                                                                                                                                                                                                                                                                                                                    |
| regoRule                 | policy [*required*]                  | string   | The policy written in `rego`, see: [https://www.openpolicyagent.org/docs/latest/policy-language/](https://www.openpolicyagent.org/docs/latest/policy-language/)                                                                                                                                                                                                                                                  |
| regoRule                 | resourceTypes [*required*]           | [string] | List of resource types that will be evaluated upon. Must have at least one element.                                                                                                                                                                                                                                                                                                                              |
| complianceRuleOptions    | resourceType                              | string   | Main resource type to be checked by the rule. It should be specified again in `regoRule.resourceTypes`.                                                                                                                                                                                                                                                                                                          |
| options                  | decreaseCriticalityBasedOnEnv             | boolean  | If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise. The severity is decreased by one level: `CRITICAL` in production becomes `HIGH` in non-production, `HIGH` becomes `MEDIUM` and so on. `INFO` remains `INFO`. The decrement is applied when the environment tag of the signal starts with `staging`, `test` or `dev`. |
| options                  | detectionMethod                           | enum     | The detection method. Allowed enum values: `threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold,sequence_detection`                                                                                                                                                                                                                                                  |
| options                  | evaluationWindow                          | enum     | A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600`                                                                                                                                               |
| options                  | hardcodedEvaluatorType                    | enum     | Hardcoded evaluator type. Allowed enum values: `log4shell`                                                                                                                                                                                                                                                                                                                                                       |
| options                  | impossibleTravelOptions                   | object   | Options on impossible travel detection method.                                                                                                                                                                                                                                                                                                                                                                   |
| impossibleTravelOptions  | baselineUserLocations                     | boolean  | If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.                                                                                                                                                                                                    |
| options                  | keepAlive                                 | enum     | Once a signal is generated, the signal will remain "open" if a case is matched at least once within this keep alive window. For third party detection method, this field is not used. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600`                                                                                                                                                         |
| options                  | maxSignalDuration                         | enum     | A signal will "close" regardless of the query being matched once the time exceeds the maximum duration. This time is calculated from the first seen timestamp. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600`                                                                                                                                                                                |
| options                  | newValueOptions                           | object   | Options on new value detection method.                                                                                                                                                                                                                                                                                                                                                                           |
| newValueOptions          | forgetAfter                               | enum     | The duration in days after which a learned value is forgotten. Allowed enum values: `1,2,7,14,21,28`                                                                                                                                                                                                                                                                                                             |
| newValueOptions          | instantaneousBaseline                     | boolean  | When set to true, Datadog uses previous values that fall within the defined learning window to construct the baseline, enabling the system to establish an accurate baseline more rapidly rather than relying solely on gradual learning over time.                                                                                                                                                              |
| newValueOptions          | learningDuration                          | enum     | The duration in days during which values are learned, and after which signals will be generated for values that weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned. Allowed enum values: `0,1,7`                                                                                                                                                       |
| newValueOptions          | learningMethod                            | enum     | The learning method used to determine when signals should be generated for values that weren't learned. Allowed enum values: `duration,threshold`                                                                                                                                                                                                                                                                |
| newValueOptions          | learningThreshold                         | enum     | A number of occurrences after which signals will be generated for values that weren't learned. Allowed enum values: `0,1`                                                                                                                                                                                                                                                                                        |
| options                  | sequenceDetectionOptions                  | object   | Options on sequence detection method.                                                                                                                                                                                                                                                                                                                                                                            |
| sequenceDetectionOptions | stepTransitions                           | [object] | Transitions defining the allowed order of steps and their evaluation windows.                                                                                                                                                                                                                                                                                                                                    |
| stepTransitions          | child                                     | string   | Name of the child step.                                                                                                                                                                                                                                                                                                                                                                                          |
| stepTransitions          | evaluationWindow                          | enum     | A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600`                                                                                                                                               |
| stepTransitions          | parent                                    | string   | Name of the parent step.                                                                                                                                                                                                                                                                                                                                                                                         |
| sequenceDetectionOptions | steps                                     | [object] | Steps that define the conditions to be matched in sequence.                                                                                                                                                                                                                                                                                                                                                      |
| steps                    | condition                                 | string   | Condition referencing rule queries (e.g., `a > 0`).                                                                                                                                                                                                                                                                                                                                                              |
| steps                    | evaluationWindow                          | enum     | A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600`                                                                                                                                               |
| steps                    | name                                      | string   | Unique name identifying the step.                                                                                                                                                                                                                                                                                                                                                                                |
| options                  | thirdPartyRuleOptions                     | object   | Options on third party detection method.                                                                                                                                                                                                                                                                                                                                                                         |
| thirdPartyRuleOptions    | defaultNotifications                      | [string] | Notification targets for the logs that do not correspond to any of the cases.                                                                                                                                                                                                                                                                                                                                    |
| thirdPartyRuleOptions    | defaultStatus                             | enum     | Severity of the Security Signal. Allowed enum values: `info,low,medium,high,critical`                                                                                                                                                                                                                                                                                                                            |
| thirdPartyRuleOptions    | rootQueries                               | [object] | Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.                                                                                                                                                                                                                                                      |
| rootQueries              | groupByFields                             | [string] | Fields to group by.                                                                                                                                                                                                                                                                                                                                                                                              |
| rootQueries              | query                                     | string   | Query to run on logs.                                                                                                                                                                                                                                                                                                                                                                                            |
| thirdPartyRuleOptions    | signalTitleTemplate                       | string   | A template for the signal title; if omitted, the title is generated based on the case name.                                                                                                                                                                                                                                                                                                                      |
| Option 1                 | queries [*required*]                 | [object] | Queries for selecting logs which are part of the rule.                                                                                                                                                                                                                                                                                                                                                           |
| queries                  | aggregation                               | enum     | The aggregation type. Allowed enum values: `count,cardinality,sum,max,new_value,geo_data,event_count,none`                                                                                                                                                                                                                                                                                                       |
| queries                  | customQueryExtension                      | string   | Query extension to append to the logs query.                                                                                                                                                                                                                                                                                                                                                                     |
| queries                  | dataSource                                | enum     | Source of events, either logs, audit trail, or Datadog events. `app_sec_spans` is deprecated in favor of `spans`. Allowed enum values: `logs,audit,app_sec_spans,spans,security_runtime,network,events`                                                                                                                                                                                                          |
| queries                  | distinctFields                            | [string] | Field for which the cardinality is measured. Sent as an array.                                                                                                                                                                                                                                                                                                                                                   |
| queries                  | groupByFields                             | [string] | Fields to group by.                                                                                                                                                                                                                                                                                                                                                                                              |
| queries                  | hasOptionalGroupByFields                  | boolean  | When false, events without a group-by value are ignored by the rule. When true, events with missing group-by fields are processed with `N/A`, replacing the missing values.                                                                                                                                                                                                                                      |
| queries                  | index                                     | string   | **This field is currently unstable and might be removed in a minor version upgrade.** The index to run the query on, if the `dataSource` is `logs`. Only used for scheduled rules - in other words, when the `schedulingOptions` field is present in the rule payload.                                                                                                                                           |
| queries                  | indexes                                   | [string] | List of indexes to query when the `dataSource` is `logs`. Only used for scheduled rules, such as when the `schedulingOptions` field is present in the rule payload.                                                                                                                                                                                                                                              |
| queries                  | metric                                    | string   | **DEPRECATED**: (Deprecated) The target field to aggregate over when using the sum or max aggregations. `metrics` field should be used instead.                                                                                                                                                                                                                                                                  |
| queries                  | metrics                                   | [string] | Group of target fields to aggregate over when using the sum, max, geo data, or new value aggregations. The sum, max, and geo data aggregations only accept one value in this list, whereas the new value aggregation accepts up to five values.                                                                                                                                                                  |
| queries                  | name                                      | string   | Name of the query.                                                                                                                                                                                                                                                                                                                                                                                               |
| queries                  | query                                     | string   | Query to run on logs.                                                                                                                                                                                                                                                                                                                                                                                            |
| Option 1                 | referenceTables                           | [object] | Reference tables for the rule.                                                                                                                                                                                                                                                                                                                                                                                   |
| referenceTables          | checkPresence                             | boolean  | Whether to include or exclude the matched values.                                                                                                                                                                                                                                                                                                                                                                |
| referenceTables          | columnName                                | string   | The name of the column in the reference table.                                                                                                                                                                                                                                                                                                                                                                   |
| referenceTables          | logFieldPath                              | string   | The field in the log to match against the reference table.                                                                                                                                                                                                                                                                                                                                                       |
| referenceTables          | ruleQueryName                             | string   | The name of the query to apply the reference table to.                                                                                                                                                                                                                                                                                                                                                           |
| referenceTables          | tableName                                 | string   | The name of the reference table.                                                                                                                                                                                                                                                                                                                                                                                 |
| Option 1                 | schedulingOptions                         | object   | Options for scheduled rules. When this field is present, the rule runs based on the schedule. When absent, it runs real-time on ingested logs.                                                                                                                                                                                                                                                                   |
| schedulingOptions        | rrule                                     | string   | Schedule for the rule queries, written in RRULE syntax. See [RFC](https://icalendar.org/iCalendar-RFC-5545/3-8-5-3-recurrence-rule.html) for syntax reference.                                                                                                                                                                                                                                                   |
| schedulingOptions        | start                                     | string   | Start date for the schedule, in ISO 8601 format without timezone.                                                                                                                                                                                                                                                                                                                                                |
| schedulingOptions        | timezone                                  | string   | Time zone of the start date, in the [tz database](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones) format.                                                                                                                                                                                                                                                                                          |
| Option 1                 | tags                                      | [string] | Tags for generated signals.                                                                                                                                                                                                                                                                                                                                                                                      |
| Option 1                 | thirdPartyCases                           | [object] | Cases for generating signals from third-party rules. Only available for third-party rules.                                                                                                                                                                                                                                                                                                                       |
| thirdPartyCases          | name                                      | string   | Name of the case.                                                                                                                                                                                                                                                                                                                                                                                                |
| thirdPartyCases          | notifications                             | [string] | Notification targets for each case.                                                                                                                                                                                                                                                                                                                                                                              |
| thirdPartyCases          | query                                     | string   | A query to map a third party event to this case.                                                                                                                                                                                                                                                                                                                                                                 |
| thirdPartyCases          | status [*required*]                  | enum     | Severity of the Security Signal. Allowed enum values: `info,low,medium,high,critical`                                                                                                                                                                                                                                                                                                                            |
| Option 1                 | type                                      | enum     | The rule type. Allowed enum values: `api_security,application_security,log_detection,workload_activity,workload_security`                                                                                                                                                                                                                                                                                        |
|                          | Option 2                                  | object   | Create a new signal correlation rule.                                                                                                                                                                                                                                                                                                                                                                            |
| Option 2                 | cases [*required*]                   | [object] | Cases for generating signals.                                                                                                                                                                                                                                                                                                                                                                                    |
| cases                    | actions                                   | [object] | Action to perform for each rule case.                                                                                                                                                                                                                                                                                                                                                                            |
| actions                  | options                                   | object   | Options for the rule action                                                                                                                                                                                                                                                                                                                                                                                      |
| options                  | duration                                  | int64    | Duration of the action in seconds. 0 indicates no expiration.                                                                                                                                                                                                                                                                                                                                                    |
| options                  | flaggedIPType                             | enum     | Used with the case action of type 'flag_ip'. The value specified in this field is applied as a flag to the IP addresses. Allowed enum values: `SUSPICIOUS,FLAGGED`                                                                                                                                                                                                                                               |
| options                  | userBehaviorName                          | string   | Used with the case action of type 'user_behavior'. The value specified in this field is applied as a risk tag to all users affected by the rule.                                                                                                                                                                                                                                                                 |
| actions                  | type                                      | enum     | The action type. Allowed enum values: `block_ip,block_user,user_behavior,flag_ip`                                                                                                                                                                                                                                                                                                                                |
| cases                    | condition                                 | string   | A case contains logical operations (`>`,`>=`, `&&`, `||`) to determine if a signal should be generated based on the event counts in the previously defined queries.                                                                                                                                                                                                                                              |
| cases                    | name                                      | string   | Name of the case.                                                                                                                                                                                                                                                                                                                                                                                                |
| cases                    | notifications                             | [string] | Notification targets.                                                                                                                                                                                                                                                                                                                                                                                            |
| cases                    | status [*required*]                  | enum     | Severity of the Security Signal. Allowed enum values: `info,low,medium,high,critical`                                                                                                                                                                                                                                                                                                                            |
| Option 2                 | filters                                   | [object] | Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules.                                                                                                                                                                                                                                              |
| filters                  | action                                    | enum     | The type of filtering action. Allowed enum values: `require,suppress`                                                                                                                                                                                                                                                                                                                                            |
| filters                  | query                                     | string   | Query for selecting logs to apply the filtering action.                                                                                                                                                                                                                                                                                                                                                          |
| Option 2                 | hasExtendedTitle                          | boolean  | Whether the notifications include the triggering group-by values in their title.                                                                                                                                                                                                                                                                                                                                 |
| Option 2                 | isEnabled [*required*]               | boolean  | Whether the rule is enabled.                                                                                                                                                                                                                                                                                                                                                                                     |
| Option 2                 | message [*required*]                 | string   | Message for generated signals.                                                                                                                                                                                                                                                                                                                                                                                   |
| Option 2                 | name [*required*]                    | string   | The name of the rule.                                                                                                                                                                                                                                                                                                                                                                                            |
| Option 2                 | options [*required*]                 | object   | Options.                                                                                                                                                                                                                                                                                                                                                                                                         |
| options                  | anomalyDetectionOptions                   | object   | Options on anomaly detection method.                                                                                                                                                                                                                                                                                                                                                                             |
| anomalyDetectionOptions  | bucketDuration                            | enum     | Duration in seconds of the time buckets used to aggregate events matched by the rule. Must be greater than or equal to 300. Allowed enum values: `300,600,900,1800,3600,10800`                                                                                                                                                                                                                                   |
| anomalyDetectionOptions  | detectionTolerance                        | enum     | An optional parameter that sets how permissive anomaly detection is. Higher values require higher deviations before triggering a signal. Allowed enum values: `1,2,3,4,5`                                                                                                                                                                                                                                        |
| anomalyDetectionOptions  | instantaneousBaseline                     | boolean  | When set to true, Datadog uses previous values that fall within the defined learning window to construct the baseline, enabling the system to establish an accurate baseline more rapidly rather than relying solely on gradual learning over time.                                                                                                                                                              |
| anomalyDetectionOptions  | learningDuration                          | enum     | Learning duration in hours. Anomaly detection waits for at least this amount of historical data before it starts evaluating. Allowed enum values: `1,6,12,24,48,168,336`                                                                                                                                                                                                                                         |
| anomalyDetectionOptions  | learningPeriodBaseline                    | int64    | An optional override baseline to apply while the rule is in the learning period. Must be greater than or equal to 0.                                                                                                                                                                                                                                                                                             |
| options                  | complianceRuleOptions                     | object   | Options for cloud_configuration rules. Fields `resourceType` and `regoRule` are mandatory when managing custom `cloud_configuration` rules.                                                                                                                                                                                                                                                                      |
| complianceRuleOptions    | complexRule                               | boolean  | Whether the rule is a complex one. Must be set to true if `regoRule.resourceTypes` contains more than one item. Defaults to false.                                                                                                                                                                                                                                                                               |
| complianceRuleOptions    | regoRule                                  | object   | Rule details.                                                                                                                                                                                                                                                                                                                                                                                                    |
| regoRule                 | policy [*required*]                  | string   | The policy written in `rego`, see: [https://www.openpolicyagent.org/docs/latest/policy-language/](https://www.openpolicyagent.org/docs/latest/policy-language/)                                                                                                                                                                                                                                                  |
| regoRule                 | resourceTypes [*required*]           | [string] | List of resource types that will be evaluated upon. Must have at least one element.                                                                                                                                                                                                                                                                                                                              |
| complianceRuleOptions    | resourceType                              | string   | Main resource type to be checked by the rule. It should be specified again in `regoRule.resourceTypes`.                                                                                                                                                                                                                                                                                                          |
| options                  | decreaseCriticalityBasedOnEnv             | boolean  | If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise. The severity is decreased by one level: `CRITICAL` in production becomes `HIGH` in non-production, `HIGH` becomes `MEDIUM` and so on. `INFO` remains `INFO`. The decrement is applied when the environment tag of the signal starts with `staging`, `test` or `dev`. |
| options                  | detectionMethod                           | enum     | The detection method. Allowed enum values: `threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold,sequence_detection`                                                                                                                                                                                                                                                  |
| options                  | evaluationWindow                          | enum     | A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600`                                                                                                                                               |
| options                  | hardcodedEvaluatorType                    | enum     | Hardcoded evaluator type. Allowed enum values: `log4shell`                                                                                                                                                                                                                                                                                                                                                       |
| options                  | impossibleTravelOptions                   | object   | Options on impossible travel detection method.                                                                                                                                                                                                                                                                                                                                                                   |
| impossibleTravelOptions  | baselineUserLocations                     | boolean  | If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.                                                                                                                                                                                                    |
| options                  | keepAlive                                 | enum     | Once a signal is generated, the signal will remain "open" if a case is matched at least once within this keep alive window. For third party detection method, this field is not used. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600`                                                                                                                                                         |
| options                  | maxSignalDuration                         | enum     | A signal will "close" regardless of the query being matched once the time exceeds the maximum duration. This time is calculated from the first seen timestamp. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600`                                                                                                                                                                                |
| options                  | newValueOptions                           | object   | Options on new value detection method.                                                                                                                                                                                                                                                                                                                                                                           |
| newValueOptions          | forgetAfter                               | enum     | The duration in days after which a learned value is forgotten. Allowed enum values: `1,2,7,14,21,28`                                                                                                                                                                                                                                                                                                             |
| newValueOptions          | instantaneousBaseline                     | boolean  | When set to true, Datadog uses previous values that fall within the defined learning window to construct the baseline, enabling the system to establish an accurate baseline more rapidly rather than relying solely on gradual learning over time.                                                                                                                                                              |
| newValueOptions          | learningDuration                          | enum     | The duration in days during which values are learned, and after which signals will be generated for values that weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned. Allowed enum values: `0,1,7`                                                                                                                                                       |
| newValueOptions          | learningMethod                            | enum     | The learning method used to determine when signals should be generated for values that weren't learned. Allowed enum values: `duration,threshold`                                                                                                                                                                                                                                                                |
| newValueOptions          | learningThreshold                         | enum     | A number of occurrences after which signals will be generated for values that weren't learned. Allowed enum values: `0,1`                                                                                                                                                                                                                                                                                        |
| options                  | sequenceDetectionOptions                  | object   | Options on sequence detection method.                                                                                                                                                                                                                                                                                                                                                                            |
| sequenceDetectionOptions | stepTransitions                           | [object] | Transitions defining the allowed order of steps and their evaluation windows.                                                                                                                                                                                                                                                                                                                                    |
| stepTransitions          | child                                     | string   | Name of the child step.                                                                                                                                                                                                                                                                                                                                                                                          |
| stepTransitions          | evaluationWindow                          | enum     | A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600`                                                                                                                                               |
| stepTransitions          | parent                                    | string   | Name of the parent step.                                                                                                                                                                                                                                                                                                                                                                                         |
| sequenceDetectionOptions | steps                                     | [object] | Steps that define the conditions to be matched in sequence.                                                                                                                                                                                                                                                                                                                                                      |
| steps                    | condition                                 | string   | Condition referencing rule queries (e.g., `a > 0`).                                                                                                                                                                                                                                                                                                                                                              |
| steps                    | evaluationWindow                          | enum     | A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600`                                                                                                                                               |
| steps                    | name                                      | string   | Unique name identifying the step.                                                                                                                                                                                                                                                                                                                                                                                |
| options                  | thirdPartyRuleOptions                     | object   | Options on third party detection method.                                                                                                                                                                                                                                                                                                                                                                         |
| thirdPartyRuleOptions    | defaultNotifications                      | [string] | Notification targets for the logs that do not correspond to any of the cases.                                                                                                                                                                                                                                                                                                                                    |
| thirdPartyRuleOptions    | defaultStatus                             | enum     | Severity of the Security Signal. Allowed enum values: `info,low,medium,high,critical`                                                                                                                                                                                                                                                                                                                            |
| thirdPartyRuleOptions    | rootQueries                               | [object] | Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.                                                                                                                                                                                                                                                      |
| rootQueries              | groupByFields                             | [string] | Fields to group by.                                                                                                                                                                                                                                                                                                                                                                                              |
| rootQueries              | query                                     | string   | Query to run on logs.                                                                                                                                                                                                                                                                                                                                                                                            |
| thirdPartyRuleOptions    | signalTitleTemplate                       | string   | A template for the signal title; if omitted, the title is generated based on the case name.                                                                                                                                                                                                                                                                                                                      |
| Option 2                 | queries [*required*]                 | [object] | Queries for selecting signals which are part of the rule.                                                                                                                                                                                                                                                                                                                                                        |
| queries                  | aggregation                               | enum     | The aggregation type. Allowed enum values: `count,cardinality,sum,max,new_value,geo_data,event_count,none`                                                                                                                                                                                                                                                                                                       |
| queries                  | correlatedByFields                        | [string] | Fields to group by.                                                                                                                                                                                                                                                                                                                                                                                              |
| queries                  | correlatedQueryIndex                      | int32    | Index of the rule query used to retrieve the correlated field.                                                                                                                                                                                                                                                                                                                                                   |
| queries                  | metrics                                   | [string] | Group of target fields to aggregate over.                                                                                                                                                                                                                                                                                                                                                                        |
| queries                  | name                                      | string   | Name of the query.                                                                                                                                                                                                                                                                                                                                                                                               |
| queries                  | ruleId [*required*]                  | string   | Rule ID to match on signals.                                                                                                                                                                                                                                                                                                                                                                                     |
| Option 2                 | tags                                      | [string] | Tags for generated signals.                                                                                                                                                                                                                                                                                                                                                                                      |
| Option 2                 | type                                      | enum     | The rule type. Allowed enum values: `signal_correlation`                                                                                                                                                                                                                                                                                                                                                         |
|                          | Option 3                                  | object   | Create a new cloud configuration rule.                                                                                                                                                                                                                                                                                                                                                                           |
| Option 3                 | cases [*required*]                   | [object] | Description of generated findings and signals (severity and channels to be notified in case of a signal). Must contain exactly one item.                                                                                                                                                                                                                                                                         |
| cases                    | notifications                             | [string] | Notification targets for each rule case.                                                                                                                                                                                                                                                                                                                                                                         |
| cases                    | status [*required*]                  | enum     | Severity of the Security Signal. Allowed enum values: `info,low,medium,high,critical`                                                                                                                                                                                                                                                                                                                            |
| Option 3                 | complianceSignalOptions [*required*] | object   | How to generate compliance signals. Useful for cloud_configuration rules only.                                                                                                                                                                                                                                                                                                                                   |
| complianceSignalOptions  | defaultActivationStatus                   | boolean  | The default activation status.                                                                                                                                                                                                                                                                                                                                                                                   |
| complianceSignalOptions  | defaultGroupByFields                      | [string] | The default group by fields.                                                                                                                                                                                                                                                                                                                                                                                     |
| complianceSignalOptions  | userActivationStatus                      | boolean  | Whether signals will be sent.                                                                                                                                                                                                                                                                                                                                                                                    |
| complianceSignalOptions  | userGroupByFields                         | [string] | Fields to use to group findings by when sending signals.                                                                                                                                                                                                                                                                                                                                                         |
| Option 3                 | filters                                   | [object] | Additional queries to filter matched events before they are processed.                                                                                                                                                                                                                                                                                                                                           |
| filters                  | action                                    | enum     | The type of filtering action. Allowed enum values: `require,suppress`                                                                                                                                                                                                                                                                                                                                            |
| filters                  | query                                     | string   | Query for selecting logs to apply the filtering action.                                                                                                                                                                                                                                                                                                                                                          |
| Option 3                 | isEnabled [*required*]               | boolean  | Whether the rule is enabled.                                                                                                                                                                                                                                                                                                                                                                                     |
| Option 3                 | message [*required*]                 | string   | Message in markdown format for generated findings and signals.                                                                                                                                                                                                                                                                                                                                                   |
| Option 3                 | name [*required*]                    | string   | The name of the rule.                                                                                                                                                                                                                                                                                                                                                                                            |
| Option 3                 | options [*required*]                 | object   | Options on cloud configuration rules.                                                                                                                                                                                                                                                                                                                                                                            |
| options                  | complianceRuleOptions [*required*]   | object   | Options for cloud_configuration rules. Fields `resourceType` and `regoRule` are mandatory when managing custom `cloud_configuration` rules.                                                                                                                                                                                                                                                                      |
| complianceRuleOptions    | complexRule                               | boolean  | Whether the rule is a complex one. Must be set to true if `regoRule.resourceTypes` contains more than one item. Defaults to false.                                                                                                                                                                                                                                                                               |
| complianceRuleOptions    | regoRule                                  | object   | Rule details.                                                                                                                                                                                                                                                                                                                                                                                                    |
| regoRule                 | policy [*required*]                  | string   | The policy written in `rego`, see: [https://www.openpolicyagent.org/docs/latest/policy-language/](https://www.openpolicyagent.org/docs/latest/policy-language/)                                                                                                                                                                                                                                                  |
| regoRule                 | resourceTypes [*required*]           | [string] | List of resource types that will be evaluated upon. Must have at least one element.                                                                                                                                                                                                                                                                                                                              |
| complianceRuleOptions    | resourceType                              | string   | Main resource type to be checked by the rule. It should be specified again in `regoRule.resourceTypes`.                                                                                                                                                                                                                                                                                                          |
| Option 3                 | tags                                      | [string] | Tags for generated findings and signals.                                                                                                                                                                                                                                                                                                                                                                         |
| Option 3                 | type                                      | enum     | The rule type. Allowed enum values: `cloud_configuration`                                                                                                                                                                                                                                                                                                                                                        |

{% /tab %}

{% tab title="Example" %}

```json
{
  "name": "Example-Security-Monitoring",
  "queries": [
    {
      "query": "@test:true",
      "aggregation": "count",
      "groupByFields": [],
      "distinctFields": [],
      "metrics": []
    }
  ],
  "filters": [],
  "cases": [
    {
      "name": "",
      "status": "info",
      "condition": "a > 0",
      "notifications": []
    }
  ],
  "options": {
    "evaluationWindow": 900,
    "keepAlive": 3600,
    "maxSignalDuration": 86400
  },
  "message": "Test rule",
  "tags": [],
  "isEnabled": true,
  "type": "log_detection"
}
```

{% /tab %}
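A pre-submission check for the Option 3 (cloud configuration) constraints listed in the model above, written as an added example and not Datadog's own code. The function names, the `example_*` resource type names, and the placeholder policy text are constructed for illustration.

```python
import copy

SEVERITIES = {"info", "low", "medium", "high", "critical"}
FILTER_ACTIONS = {"require", "suppress"}
REQUIRED_TOP = ("cases", "complianceSignalOptions", "isEnabled",
                "message", "name", "options")

# Constructed payload; resource type names and policy text are placeholders.
GOOD_RULE = {
    "name": "Example bucket rule",
    "message": "Bucket is misconfigured",
    "isEnabled": True,
    "type": "cloud_configuration",
    "cases": [{"status": "high", "notifications": []}],
    "complianceSignalOptions": {"userActivationStatus": True},
    "filters": [{"action": "suppress", "query": "env:sandbox"}],
    "options": {"complianceRuleOptions": {
        "resourceType": "example_bucket",
        "complexRule": False,
        "regoRule": {"policy": "package example  # placeholder policy",
                     "resourceTypes": ["example_bucket"]},
    }},
}


def lint_cloud_configuration_rule(rule):
    """Return a list of problems found against the documented field constraints."""
    problems = [f"missing required field: {f}" for f in REQUIRED_TOP if f not in rule]
    if rule.get("type", "cloud_configuration") != "cloud_configuration":
        problems.append("type must be cloud_configuration")

    cases = rule.get("cases")
    if isinstance(cases, list):
        if len(cases) != 1:
            problems.append(f"cases must contain exactly one item, found {len(cases)}")
        for i, case in enumerate(cases):
            if not isinstance(case, dict) or case.get("status") not in SEVERITIES:
                problems.append(f"cases[{i}].status is missing or not an allowed severity")

    for i, flt in enumerate(rule.get("filters") or []):
        if "action" in flt and flt["action"] not in FILTER_ACTIONS:
            problems.append(f"filters[{i}].action must be require or suppress")

    cro = (rule.get("options") or {}).get("complianceRuleOptions")
    if "options" in rule and not isinstance(cro, dict):
        problems.append("options.complianceRuleOptions is required")
    if isinstance(cro, dict):
        rego, rtype = cro.get("regoRule"), cro.get("resourceType")
        if rego is None or rtype is None:
            problems.append("custom rules need both resourceType and regoRule")
        if isinstance(rego, dict):
            types = rego.get("resourceTypes") or []
            if not rego.get("policy"):
                problems.append("regoRule.policy is required")
            if not types:
                problems.append("regoRule.resourceTypes must have at least one element")
            # Cross-field rule: several resource types require complexRule=true.
            if len(types) > 1 and cro.get("complexRule", False) is not True:
                problems.append("complexRule must be true when regoRule.resourceTypes "
                                "has more than one item")
            if rtype is not None and types and rtype not in types:
                problems.append("resourceType should also appear in regoRule.resourceTypes")
    return problems


def make_bad_rule():
    """Constructed counter-example that breaks four of the documented constraints."""
    bad = copy.deepcopy(GOOD_RULE)
    bad["cases"].append({"status": "urgent"})
    cro = bad["options"]["complianceRuleOptions"]
    cro["regoRule"]["resourceTypes"] = ["example_bucket", "example_key"]
    cro["resourceType"] = "example_role"
    return bad


if __name__ == "__main__":
    for problem in lint_cloud_configuration_rule(make_bad_rule()):
        print("-", problem)
```
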

### Response

{% tab title="200" %}
OK
{% tab title="Model" %}
Response object containing the available suppression rules.

| Parent field | Field                | Type     | Description                                                                                                                                                                                                                                         |
| ------------ | -------------------- | -------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|              | data                 | [object] | A list of suppressions objects.                                                                                                                                                                                                                     |
| data         | attributes           | object   | The attributes of the suppression rule.                                                                                                                                                                                                             |
| attributes   | creation_date        | int64    | A Unix millisecond timestamp giving the creation date of the suppression rule.                                                                                                                      |
| attributes   | creator              | object   | A user.                                                                                                                                                                                                                                             |
| creator      | handle               | string   | The handle of the user.                                                                                                                                                                                                                             |
| creator      | name                 | string   | The name of the user.                                                                                                                                                                                                                               |
| attributes   | data_exclusion_query | string   | An exclusion query on the input data of the security rules, which could be logs, Agent events, or other types of data based on the security rule. Events matching this query are ignored by any detection rules referenced in the suppression rule. |
| attributes   | description          | string   | A description for the suppression rule.                                                                                                                                                                                                             |
| attributes   | editable             | boolean  | Whether the suppression rule is editable.                                                                                                                                                                                                           |
| attributes   | enabled              | boolean  | Whether the suppression rule is enabled.                                                                                                                                                                                                            |
| attributes   | expiration_date      | int64    | A Unix millisecond timestamp giving an expiration date for the suppression rule. After this date, it won't suppress signals anymore.                                                                                                                |
| attributes   | name                 | string   | The name of the suppression rule.                                                                                                                                                                                                                   |
| attributes   | rule_query           | string   | The rule query of the suppression rule, with the same syntax as the search bar for detection rules.                                                                                                                                                 |
| attributes   | start_date           | int64    | A Unix millisecond timestamp giving the start date for the suppression rule. After this date, it starts suppressing signals.                                                                                                                        |
| attributes   | suppression_query    | string   | The suppression query of the suppression rule. If a signal matches this query, it is suppressed and not triggered. Same syntax as the queries to search signals in the signal explorer.                                                             |
| attributes   | tags                 | [string] | List of tags associated with the suppression rule.                                                                                                                                                                                                  |
| attributes   | update_date          | int64    | A Unix millisecond timestamp giving the update date of the suppression rule.                                                                                                                        |
| attributes   | updater              | object   | A user.                                                                                                                                                                                                                                             |
| updater      | handle               | string   | The handle of the user.                                                                                                                                                                                                                             |
| updater      | name                 | string   | The name of the user.                                                                                                                                                                                                                               |
| attributes   | version              | int32    | The version of the suppression rule; it starts at 1, and is incremented at each update.                                                                                                                                                             |
| data         | id                   | string   | The ID of the suppression rule.                                                                                                                                                                                                                     |
| data         | type                 | enum     | The type of the resource. The value should always be `suppressions`. Allowed enum values: `suppressions`                                                                                                                                            |

{% /tab %}

{% tab title="Example" %}

```json
{
  "data": [
    {
      "attributes": {
        "creation_date": "integer",
        "creator": {
          "handle": "john.doe@datadoghq.com",
          "name": "John Doe"
        },
        "data_exclusion_query": "source:cloudtrail account_id:12345",
        "description": "This rule suppresses low-severity signals in staging environments.",
        "editable": true,
        "enabled": true,
        "expiration_date": 1703187336000,
        "name": "Custom suppression",
        "rule_query": "type:log_detection source:cloudtrail",
        "start_date": 1703187336000,
        "suppression_query": "env:staging status:low",
        "tags": [
          "technique:T1110-brute-force",
          "source:cloudtrail"
        ],
        "update_date": "integer",
        "updater": {
          "handle": "john.doe@datadoghq.com",
          "name": "John Doe"
        },
        "version": 42
      },
      "id": "3dd-0uc-h1s",
      "type": "suppressions"
    }
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="400" %}
Bad Request
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="403" %}
Not Authorized
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="429" %}
Too many requests
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

### Code Example

```bash
# Curl command. Use the API host for your Datadog site: api.ap1.datadoghq.com,
# api.ap2.datadoghq.com, api.datadoghq.eu, api.ddog-gov.com, api.datadoghq.com,
# api.us3.datadoghq.com, or api.us5.datadoghq.com.
curl -X POST "https://api.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/rules" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "name": "Example-Security-Monitoring",
  "queries": [
    {
      "query": "@test:true",
      "aggregation": "count",
      "groupByFields": [],
      "distinctFields": [],
      "metrics": []
    }
  ],
  "filters": [],
  "cases": [
    {
      "name": "",
      "status": "info",
      "condition": "a > 0",
      "notifications": []
    }
  ],
  "options": {
    "evaluationWindow": 900,
    "keepAlive": 3600,
    "maxSignalDuration": 86400
  },
  "message": "Test rule",
  "tags": [],
  "isEnabled": true,
  "type": "log_detection"
}
EOF
```

```go
// Get suppressions affecting future rule returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	body := datadogV2.SecurityMonitoringRuleCreatePayload{
		SecurityMonitoringStandardRuleCreatePayload: &datadogV2.SecurityMonitoringStandardRuleCreatePayload{
			Name: "Example-Security-Monitoring",
			Queries: []datadogV2.SecurityMonitoringStandardRuleQuery{
				{
					Query:          datadog.PtrString("@test:true"),
					Aggregation:    datadogV2.SECURITYMONITORINGRULEQUERYAGGREGATION_COUNT.Ptr(),
					GroupByFields:  []string{},
					DistinctFields: []string{},
					Metrics:        []string{},
				},
			},
			Filters: []datadogV2.SecurityMonitoringFilter{},
			Cases: []datadogV2.SecurityMonitoringRuleCaseCreate{
				{
					Name:          datadog.PtrString(""),
					Status:        datadogV2.SECURITYMONITORINGRULESEVERITY_INFO,
					Condition:     datadog.PtrString("a > 0"),
					Notifications: []string{},
				},
			},
			Options: datadogV2.SecurityMonitoringRuleOptions{
				EvaluationWindow:  datadogV2.SECURITYMONITORINGRULEEVALUATIONWINDOW_FIFTEEN_MINUTES.Ptr(),
				KeepAlive:         datadogV2.SECURITYMONITORINGRULEKEEPALIVE_ONE_HOUR.Ptr(),
				MaxSignalDuration: datadogV2.SECURITYMONITORINGRULEMAXSIGNALDURATION_ONE_DAY.Ptr(),
			},
			Message:   "Test rule",
			Tags:      []string{},
			IsEnabled: true,
			Type:      datadogV2.SECURITYMONITORINGRULETYPECREATE_LOG_DETECTION.Ptr(),
		}}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.GetSuppressionsAffectingFutureRule(ctx, body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.GetSuppressionsAffectingFutureRule`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.GetSuppressionsAffectingFutureRule`:\n%s\n", responseContent)
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=go), then save the example to `main.go` and run the following command, with `DD_SITE` set to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
```

```java
// Get suppressions affecting future rule returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleCaseCreate;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleCreatePayload;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleEvaluationWindow;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleKeepAlive;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleMaxSignalDuration;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleOptions;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleQueryAggregation;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleSeverity;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleTypeCreate;
import com.datadog.api.client.v2.model.SecurityMonitoringStandardRuleCreatePayload;
import com.datadog.api.client.v2.model.SecurityMonitoringStandardRuleQuery;
import com.datadog.api.client.v2.model.SecurityMonitoringSuppressionsResponse;
import java.util.Collections;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    SecurityMonitoringRuleCreatePayload body =
        new SecurityMonitoringRuleCreatePayload(
            new SecurityMonitoringStandardRuleCreatePayload()
                .name("Example-Security-Monitoring")
                .queries(
                    Collections.singletonList(
                        new SecurityMonitoringStandardRuleQuery()
                            .query("@test:true")
                            .aggregation(SecurityMonitoringRuleQueryAggregation.COUNT)))
                .cases(
                    Collections.singletonList(
                        new SecurityMonitoringRuleCaseCreate()
                            .name("")
                            .status(SecurityMonitoringRuleSeverity.INFO)
                            .condition("a > 0")))
                .options(
                    new SecurityMonitoringRuleOptions()
                        .evaluationWindow(SecurityMonitoringRuleEvaluationWindow.FIFTEEN_MINUTES)
                        .keepAlive(SecurityMonitoringRuleKeepAlive.ONE_HOUR)
                        .maxSignalDuration(SecurityMonitoringRuleMaxSignalDuration.ONE_DAY))
                .message("Test rule")
                .isEnabled(true)
                .type(SecurityMonitoringRuleTypeCreate.LOG_DETECTION));

    try {
      SecurityMonitoringSuppressionsResponse result =
          apiInstance.getSuppressionsAffectingFutureRule(body);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#getSuppressionsAffectingFutureRule");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=java), then save the example to `Example.java` and run the following command, with `DD_SITE` set to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"
```

```python
"""
Get suppressions affecting future rule returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.security_monitoring_rule_case_create import SecurityMonitoringRuleCaseCreate
from datadog_api_client.v2.model.security_monitoring_rule_evaluation_window import (
    SecurityMonitoringRuleEvaluationWindow,
)
from datadog_api_client.v2.model.security_monitoring_rule_keep_alive import SecurityMonitoringRuleKeepAlive
from datadog_api_client.v2.model.security_monitoring_rule_max_signal_duration import (
    SecurityMonitoringRuleMaxSignalDuration,
)
from datadog_api_client.v2.model.security_monitoring_rule_options import SecurityMonitoringRuleOptions
from datadog_api_client.v2.model.security_monitoring_rule_query_aggregation import (
    SecurityMonitoringRuleQueryAggregation,
)
from datadog_api_client.v2.model.security_monitoring_rule_severity import SecurityMonitoringRuleSeverity
from datadog_api_client.v2.model.security_monitoring_rule_type_create import SecurityMonitoringRuleTypeCreate
from datadog_api_client.v2.model.security_monitoring_standard_rule_create_payload import (
    SecurityMonitoringStandardRuleCreatePayload,
)
from datadog_api_client.v2.model.security_monitoring_standard_rule_query import SecurityMonitoringStandardRuleQuery

body = SecurityMonitoringStandardRuleCreatePayload(
    name="Example-Security-Monitoring",
    queries=[
        SecurityMonitoringStandardRuleQuery(
            query="@test:true",
            aggregation=SecurityMonitoringRuleQueryAggregation.COUNT,
            group_by_fields=[],
            distinct_fields=[],
            metrics=[],
        ),
    ],
    filters=[],
    cases=[
        SecurityMonitoringRuleCaseCreate(
            name="",
            status=SecurityMonitoringRuleSeverity.INFO,
            condition="a > 0",
            notifications=[],
        ),
    ],
    options=SecurityMonitoringRuleOptions(
        evaluation_window=SecurityMonitoringRuleEvaluationWindow.FIFTEEN_MINUTES,
        keep_alive=SecurityMonitoringRuleKeepAlive.ONE_HOUR,
        max_signal_duration=SecurityMonitoringRuleMaxSignalDuration.ONE_DAY,
    ),
    message="Test rule",
    tags=[],
    is_enabled=True,
    type=SecurityMonitoringRuleTypeCreate.LOG_DETECTION,
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.get_suppressions_affecting_future_rule(body=body)

    print(response)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=python), then save the example to `example.py` and run the following command, with `DD_SITE` set to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
```

```ruby
# Get suppressions affecting future rule returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

body = DatadogAPIClient::V2::SecurityMonitoringStandardRuleCreatePayload.new({
  name: "Example-Security-Monitoring",
  queries: [
    DatadogAPIClient::V2::SecurityMonitoringStandardRuleQuery.new({
      query: "@test:true",
      aggregation: DatadogAPIClient::V2::SecurityMonitoringRuleQueryAggregation::COUNT,
      group_by_fields: [],
      distinct_fields: [],
      metrics: [],
    }),
  ],
  filters: [],
  cases: [
    DatadogAPIClient::V2::SecurityMonitoringRuleCaseCreate.new({
      name: "",
      status: DatadogAPIClient::V2::SecurityMonitoringRuleSeverity::INFO,
      condition: "a > 0",
      notifications: [],
    }),
  ],
  options: DatadogAPIClient::V2::SecurityMonitoringRuleOptions.new({
    evaluation_window: DatadogAPIClient::V2::SecurityMonitoringRuleEvaluationWindow::FIFTEEN_MINUTES,
    keep_alive: DatadogAPIClient::V2::SecurityMonitoringRuleKeepAlive::ONE_HOUR,
    max_signal_duration: DatadogAPIClient::V2::SecurityMonitoringRuleMaxSignalDuration::ONE_DAY,
  }),
  message: "Test rule",
  tags: [],
  is_enabled: true,
  type: DatadogAPIClient::V2::SecurityMonitoringRuleTypeCreate::LOG_DETECTION,
})
p api_instance.get_suppressions_affecting_future_rule(body)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=ruby), then save the example to `example.rb` and run the following command, with `DD_SITE` set to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" ruby "example.rb"
```

```rust
// Get suppressions affecting future rule returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleCaseCreate;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleCreatePayload;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleEvaluationWindow;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleKeepAlive;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleMaxSignalDuration;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleOptions;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleQueryAggregation;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleSeverity;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleTypeCreate;
use datadog_api_client::datadogV2::model::SecurityMonitoringStandardRuleCreatePayload;
use datadog_api_client::datadogV2::model::SecurityMonitoringStandardRuleQuery;

#[tokio::main]
async fn main() {
    let body =
        SecurityMonitoringRuleCreatePayload::SecurityMonitoringStandardRuleCreatePayload(Box::new(
            SecurityMonitoringStandardRuleCreatePayload::new(
                vec![
                    SecurityMonitoringRuleCaseCreate::new(SecurityMonitoringRuleSeverity::INFO)
                        .condition("a > 0".to_string())
                        .name("".to_string())
                        .notifications(vec![]),
                ],
                true,
                "Test rule".to_string(),
                "Example-Security-Monitoring".to_string(),
                SecurityMonitoringRuleOptions::new()
                    .evaluation_window(SecurityMonitoringRuleEvaluationWindow::FIFTEEN_MINUTES)
                    .keep_alive(SecurityMonitoringRuleKeepAlive::ONE_HOUR)
                    .max_signal_duration(SecurityMonitoringRuleMaxSignalDuration::ONE_DAY),
                vec![SecurityMonitoringStandardRuleQuery::new()
                    .aggregation(SecurityMonitoringRuleQueryAggregation::COUNT)
                    .distinct_fields(vec![])
                    .group_by_fields(vec![])
                    .metrics(vec![])
                    .query("@test:true".to_string())],
            )
            .filters(vec![])
            .tags(vec![])
            .type_(SecurityMonitoringRuleTypeCreate::LOG_DETECTION),
        ));
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api.get_suppressions_affecting_future_rule(body).await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=rust), then save the example to `src/main.rs` and run the following command, with `DD_SITE` set to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run
```

```typescript
/**
 * Get suppressions affecting future rule returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiGetSuppressionsAffectingFutureRuleRequest =
  {
    body: {
      name: "Example-Security-Monitoring",
      queries: [
        {
          query: "@test:true",
          aggregation: "count",
          groupByFields: [],
          distinctFields: [],
          metrics: [],
        },
      ],
      filters: [],
      cases: [
        {
          name: "",
          status: "info",
          condition: "a > 0",
          notifications: [],
        },
      ],
      options: {
        evaluationWindow: 900,
        keepAlive: 3600,
        maxSignalDuration: 86400,
      },
      message: "Test rule",
      tags: [],
      isEnabled: true,
      type: "log_detection",
    },
  };

apiInstance
  .getSuppressionsAffectingFutureRule(params)
  .then((data: v2.SecurityMonitoringSuppressionsResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=typescript), then save the example to `example.ts` and run the following command, with `DD_SITE` set to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"
```
{% /tab %}

## Get suppressions affecting a specific rule{% #get-suppressions-affecting-a-specific-rule %}

{% tab title="v2" %}

| Datadog site      | API endpoint                                                                                            |
| ----------------- | ------------------------------------------------------------------------------------------------------- |
| ap1.datadoghq.com | GET https://api.ap1.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/rules/{rule_id} |
| ap2.datadoghq.com | GET https://api.ap2.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/rules/{rule_id} |
| app.datadoghq.eu  | GET https://api.datadoghq.eu/api/v2/security_monitoring/configuration/suppressions/rules/{rule_id}      |
| app.ddog-gov.com  | GET https://api.ddog-gov.com/api/v2/security_monitoring/configuration/suppressions/rules/{rule_id}      |
| app.datadoghq.com | GET https://api.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/rules/{rule_id}     |
| us3.datadoghq.com | GET https://api.us3.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/rules/{rule_id} |
| us5.datadoghq.com | GET https://api.us5.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/rules/{rule_id} |

### Overview

Get the list of suppressions that affect a specific existing rule by its ID.

OAuth apps require the `security_monitoring_suppressions_read` authorization [scope](https://docs.datadoghq.com/api/latest/scopes/#security-monitoring) to access this endpoint.



### Arguments

#### Path Parameters

| Name                      | Type   | Description         |
| ------------------------- | ------ | ------------------- |
| rule_id [*required*] | string | The ID of the rule. |

### Response

{% tab title="200" %}
OK
{% tab title="Model" %}
Response object containing the available suppression rules.

| Parent field | Field                | Type     | Description                                                                                                                                                                                                                                         |
| ------------ | -------------------- | -------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|              | data                 | [object] | A list of suppressions objects.                                                                                                                                                                                                                     |
| data         | attributes           | object   | The attributes of the suppression rule.                                                                                                                                                                                                             |
| attributes   | creation_date        | int64    | A Unix millisecond timestamp giving the creation date of the suppression rule.                                                                                                                                                                      |
| attributes   | creator              | object   | A user.                                                                                                                                                                                                                                             |
| creator      | handle               | string   | The handle of the user.                                                                                                                                                                                                                             |
| creator      | name                 | string   | The name of the user.                                                                                                                                                                                                                               |
| attributes   | data_exclusion_query | string   | An exclusion query on the input data of the security rules, which could be logs, Agent events, or other types of data based on the security rule. Events matching this query are ignored by any detection rules referenced in the suppression rule. |
| attributes   | description          | string   | A description for the suppression rule.                                                                                                                                                                                                             |
| attributes   | editable             | boolean  | Whether the suppression rule is editable.                                                                                                                                                                                                           |
| attributes   | enabled              | boolean  | Whether the suppression rule is enabled.                                                                                                                                                                                                            |
| attributes   | expiration_date      | int64    | A Unix millisecond timestamp giving an expiration date for the suppression rule. After this date, it won't suppress signals anymore.                                                                                                                |
| attributes   | name                 | string   | The name of the suppression rule.                                                                                                                                                                                                                   |
| attributes   | rule_query           | string   | The rule query of the suppression rule, with the same syntax as the search bar for detection rules.                                                                                                                                                 |
| attributes   | start_date           | int64    | A Unix millisecond timestamp giving the start date for the suppression rule. After this date, it starts suppressing signals.                                                                                                                        |
| attributes   | suppression_query    | string   | The suppression query of the suppression rule. If a signal matches this query, it is suppressed and not triggered. Same syntax as the queries to search signals in the signal explorer.                                                             |
| attributes   | tags                 | [string] | List of tags associated with the suppression rule.                                                                                                                                                                                                  |
| attributes   | update_date          | int64    | A Unix millisecond timestamp giving the update date of the suppression rule.                                                                                                                                                                        |
| attributes   | updater              | object   | A user.                                                                                                                                                                                                                                             |
| updater      | handle               | string   | The handle of the user.                                                                                                                                                                                                                             |
| updater      | name                 | string   | The name of the user.                                                                                                                                                                                                                               |
| attributes   | version              | int32    | The version of the suppression rule; it starts at 1, and is incremented at each update.                                                                                                                                                             |
| data         | id                   | string   | The ID of the suppression rule.                                                                                                                                                                                                                     |
| data         | type                 | enum     | The type of the resource. The value should always be `suppressions`. Allowed enum values: `suppressions`                                                                                                                                            |

{% /tab %}

{% tab title="Example" %}

```json
{
  "data": [
    {
      "attributes": {
        "creation_date": "integer",
        "creator": {
          "handle": "john.doe@datadoghq.com",
          "name": "John Doe"
        },
        "data_exclusion_query": "source:cloudtrail account_id:12345",
        "description": "This rule suppresses low-severity signals in staging environments.",
        "editable": true,
        "enabled": true,
        "expiration_date": 1703187336000,
        "name": "Custom suppression",
        "rule_query": "type:log_detection source:cloudtrail",
        "start_date": 1703187336000,
        "suppression_query": "env:staging status:low",
        "tags": [
          "technique:T1110-brute-force",
          "source:cloudtrail"
        ],
        "update_date": "integer",
        "updater": {
          "handle": "john.doe@datadoghq.com",
          "name": "John Doe"
        },
        "version": 42
      },
      "id": "3dd-0uc-h1s",
      "type": "suppressions"
    }
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="403" %}
Not Authorized
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="404" %}
Not Found
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="429" %}
Too many requests
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}
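
The response model above says when a suppression is in force (`enabled`, `start_date`, `expiration_date`) and what it hides (`suppression_query` for signals, `data_exclusion_query` for input events). The Python below is an added example, not Datadog's code: it audits a response from either suppressions endpoint (for a future rule or for an existing rule) and lists the suppressions silencing that rule right now, with reasons for closer review. The sample data is constructed; treating a missing `start_date` or `expiration_date` as unbounded, the 30-day threshold, and the reason labels are assumptions of this example.

```python
"""List the suppressions that are silencing a detection rule right now."""

DAY_MS = 24 * 60 * 60 * 1000
MAX_REMAINING_DAYS = 30  # review threshold chosen for this example, not a Datadog default
NOW_MS = 1703187336000   # fixed "now" (Unix ms) so the sample is reproducible


def _suppression(sid, name, **attrs):
    """Build one constructed item shaped like the documented `data` entries."""
    base = {"name": name, "enabled": True, "version": 1,
            "rule_query": "type:log_detection source:cloudtrail",
            "updater": {"handle": "analyst@example.com", "name": "Example Analyst"}}
    base.update(attrs)
    return {"id": sid, "type": "suppressions", "attributes": base}


# Constructed sample response; IDs, names and handles are made up.
SAMPLE_RESPONSE = {"data": [
    _suppression("aaa-111-aaa", "Staging noise",
                 start_date=NOW_MS - 30 * DAY_MS,
                 suppression_query="env:staging status:low"),
    _suppression("bbb-222-bbb", "Migration window",
                 start_date=NOW_MS - DAY_MS, expiration_date=NOW_MS + 7 * DAY_MS,
                 data_exclusion_query="source:cloudtrail account_id:12345"),
    _suppression("ccc-333-ccc", "Disabled rule", enabled=False,
                 suppression_query="env:dev"),
    _suppression("ddd-444-ddd", "Expired rule",
                 start_date=NOW_MS - 60 * DAY_MS, expiration_date=NOW_MS - DAY_MS,
                 suppression_query="env:qa"),
    _suppression("eee-555-eee", "Not started yet",
                 start_date=NOW_MS + DAY_MS, expiration_date=NOW_MS + 2 * DAY_MS,
                 suppression_query="env:qa"),
    _suppression("fff-666-fff", "Quarter-long exception",
                 start_date=NOW_MS - DAY_MS, expiration_date=NOW_MS + 90 * DAY_MS,
                 suppression_query="env:sandbox"),
]}


def is_active(attrs, now_ms):
    """True if the suppression is enabled and now_ms falls inside its window.

    Assumption: a missing start_date or expiration_date means "unbounded",
    and the expiration timestamp itself is treated as already expired.
    """
    if attrs.get("enabled") is not True:
        return False
    start, end = attrs.get("start_date"), attrs.get("expiration_date")
    if start is not None and now_ms < start:
        return False
    if end is not None and now_ms >= end:
        return False
    return True


def review_reasons(attrs, now_ms):
    """Return labels explaining why an active suppression deserves a closer look."""
    reasons = []
    end = attrs.get("expiration_date")
    if end is None:
        reasons.append("no_expiration")        # never stops suppressing on its own
    elif end - now_ms > MAX_REMAINING_DAYS * DAY_MS:
        reasons.append("long_window")          # stays in force past the threshold
    if attrs.get("data_exclusion_query"):
        reasons.append("drops_input_events")   # matching events never reach the rule
    return reasons


def audit_suppressions(response, now_ms):
    """Return one record per suppression that is in force at now_ms."""
    findings = []
    for item in response.get("data") or []:
        if item.get("type") != "suppressions":
            continue
        attrs = item.get("attributes") or {}
        if not is_active(attrs, now_ms):
            continue
        findings.append({
            "id": item.get("id"),
            "name": attrs.get("name"),
            "version": attrs.get("version"),
            "updated_by": (attrs.get("updater") or {}).get("handle"),
            "suppression_query": attrs.get("suppression_query"),
            "data_exclusion_query": attrs.get("data_exclusion_query"),
            "reasons": review_reasons(attrs, now_ms),
        })
    return findings


if __name__ == "__main__":
    for finding in audit_suppressions(SAMPLE_RESPONSE, NOW_MS):
        print(finding["id"], finding["name"], finding["reasons"])
```

To run it against live data, pass the parsed JSON body returned by either endpoint and the current time in Unix milliseconds.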

### Code Example

```bash
# Path parameters
export rule_id="CHANGE_ME"
# Curl command. Use the API host for your Datadog site: api.ap1.datadoghq.com,
# api.ap2.datadoghq.com, api.datadoghq.eu, api.ddog-gov.com, api.datadoghq.com,
# api.us3.datadoghq.com, or api.us5.datadoghq.com.
curl -X GET "https://api.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/rules/${rule_id}" \
-H "Accept: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"
```

```python
"""
Get suppressions affecting a specific rule returns "OK" response
"""

from os import environ
from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi

# there is a valid "security_rule" in the system
SECURITY_RULE_ID = environ["SECURITY_RULE_ID"]

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.get_suppressions_affecting_rule(
        rule_id=SECURITY_RULE_ID,
    )

    print(response)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=python), then save the example to `example.py` and run the following command, with `DD_SITE` set to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
```

```ruby
# Get suppressions affecting a specific rule returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

# there is a valid "security_rule" in the system
SECURITY_RULE_ID = ENV["SECURITY_RULE_ID"]
p api_instance.get_suppressions_affecting_rule(SECURITY_RULE_ID)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=ruby), then save the example to `example.rb` and run the following command, with `DD_SITE` set to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" ruby "example.rb"
```

```go
// Get suppressions affecting a specific rule returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	// there is a valid "security_rule" in the system
	SecurityRuleID := os.Getenv("SECURITY_RULE_ID")

	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.GetSuppressionsAffectingRule(ctx, SecurityRuleID)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.GetSuppressionsAffectingRule`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.GetSuppressionsAffectingRule`:\n%s\n", responseContent)
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=go), then save the example to `main.go` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```shell
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
```

```java
// Get suppressions affecting a specific rule returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityMonitoringSuppressionsResponse;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    // there is a valid "security_rule" in the system
    String SECURITY_RULE_ID = System.getenv("SECURITY_RULE_ID");

    try {
      SecurityMonitoringSuppressionsResponse result =
          apiInstance.getSuppressionsAffectingRule(SECURITY_RULE_ID);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#getSuppressionsAffectingRule");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=java), then save the example to `Example.java` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```shell
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"
```

```rust
// Get suppressions affecting a specific rule returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;

#[tokio::main]
async fn main() {
    // there is a valid "security_rule" in the system
    let security_rule_id = std::env::var("SECURITY_RULE_ID").unwrap();
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api
        .get_suppressions_affecting_rule(security_rule_id.clone())
        .await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=rust), then save the example to `src/main.rs` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```shell
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run
```

```typescript
/**
 * Get suppressions affecting a specific rule returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

// there is a valid "security_rule" in the system
const SECURITY_RULE_ID = process.env.SECURITY_RULE_ID as string;

const params: v2.SecurityMonitoringApiGetSuppressionsAffectingRuleRequest = {
  ruleId: SECURITY_RULE_ID,
};

apiInstance
  .getSuppressionsAffectingRule(params)
  .then((data: v2.SecurityMonitoringSuppressionsResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=typescript), then save the example to `example.ts` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```shell
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"
```
{% /tab %}

## Get a suppression's version history{% #get-a-suppressions-version-history %}

{% tab title="v2" %}

| Datadog site      | API endpoint                                                                                                             |
| ----------------- | ------------------------------------------------------------------------------------------------------------------------ |
| ap1.datadoghq.com | GET https://api.ap1.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/{suppression_id}/version_history |
| ap2.datadoghq.com | GET https://api.ap2.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/{suppression_id}/version_history |
| app.datadoghq.eu  | GET https://api.datadoghq.eu/api/v2/security_monitoring/configuration/suppressions/{suppression_id}/version_history      |
| app.ddog-gov.com  | GET https://api.ddog-gov.com/api/v2/security_monitoring/configuration/suppressions/{suppression_id}/version_history      |
| app.datadoghq.com | GET https://api.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/{suppression_id}/version_history     |
| us3.datadoghq.com | GET https://api.us3.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/{suppression_id}/version_history |
| us5.datadoghq.com | GET https://api.us5.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/{suppression_id}/version_history |

### Overview

Get a suppression's version history.

OAuth apps require the `security_monitoring_suppressions_read` authorization [scope](https://docs.datadoghq.com/api/latest/scopes/#security-monitoring) to access this endpoint.



### Arguments

#### Path Parameters

| Name                             | Type   | Description                    |
| -------------------------------- | ------ | ------------------------------ |
| suppression_id [*required*] | string | The ID of the suppression rule |

#### Query Strings

| Name         | Type    | Description                                              |
| ------------ | ------- | -------------------------------------------------------- |
| page[size]   | integer | Size for a given page. The maximum allowed value is 100. |
| page[number] | integer | Specific page number to return.                          |

### Response

{% tab title="200" %}
OK
{% tab title="Model" %}
Response for getting the suppression version history.

| Parent field         | Field                | Type     | Description                                                                                                                                                                                                                                         |
| -------------------- | -------------------- | -------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|                      | data                 | object   | Data for the suppression version history.                                                                                                                                                                                                           |
| data                 | attributes           | object   | Response object containing the version history of a suppression.                                                                                                                                                                                    |
| attributes           | count                | int32    | The number of suppression versions.                                                                                                                                                                                                                 |
| attributes           | data                 | object   | The version history of a suppression.                                                                                                                                                                                                               |
| additionalProperties | <any-key>            | object   | A suppression version with a list of updates.                                                                                                                                                                                                       |
| <any-key>            | changes              | [object] | A list of changes.                                                                                                                                                                                                                                  |
| changes              | change               | string   | The new value of the field.                                                                                                                                                                                                                         |
| changes              | field                | string   | The field that was changed.                                                                                                                                                                                                                         |
| changes              | type                 | enum     | The type of change. Allowed enum values: `create,update,delete`                                                                                                                                                                                     |
| <any-key>            | suppression          | object   | The attributes of the suppression rule.                                                                                                                                                                                                             |
| suppression          | creation_date        | int64    | A Unix millisecond timestamp given the creation date of the suppression rule.                                                                                                                                                                       |
| suppression          | creator              | object   | A user.                                                                                                                                                                                                                                             |
| creator              | handle               | string   | The handle of the user.                                                                                                                                                                                                                             |
| creator              | name                 | string   | The name of the user.                                                                                                                                                                                                                               |
| suppression          | data_exclusion_query | string   | An exclusion query on the input data of the security rules, which could be logs, Agent events, or other types of data based on the security rule. Events matching this query are ignored by any detection rules referenced in the suppression rule. |
| suppression          | description          | string   | A description for the suppression rule.                                                                                                                                                                                                             |
| suppression          | editable             | boolean  | Whether the suppression rule is editable.                                                                                                                                                                                                           |
| suppression          | enabled              | boolean  | Whether the suppression rule is enabled.                                                                                                                                                                                                            |
| suppression          | expiration_date      | int64    | A Unix millisecond timestamp giving an expiration date for the suppression rule. After this date, it won't suppress signals anymore.                                                                                                                |
| suppression          | name                 | string   | The name of the suppression rule.                                                                                                                                                                                                                   |
| suppression          | rule_query           | string   | The rule query of the suppression rule, with the same syntax as the search bar for detection rules.                                                                                                                                                 |
| suppression          | start_date           | int64    | A Unix millisecond timestamp giving the start date for the suppression rule. After this date, it starts suppressing signals.                                                                                                                        |
| suppression          | suppression_query    | string   | The suppression query of the suppression rule. If a signal matches this query, it is suppressed and not triggered. Same syntax as the queries to search signals in the signal explorer.                                                             |
| suppression          | tags                 | [string] | List of tags associated with the suppression rule.                                                                                                                                                                                                  |
| suppression          | update_date          | int64    | A Unix millisecond timestamp given the update date of the suppression rule.                                                                                                                                                                         |
| suppression          | updater              | object   | A user.                                                                                                                                                                                                                                             |
| updater              | handle               | string   | The handle of the user.                                                                                                                                                                                                                             |
| updater              | name                 | string   | The name of the user.                                                                                                                                                                                                                               |
| suppression          | version              | int32    | The version of the suppression rule; it starts at 1, and is incremented at each update.                                                                                                                                                             |
| data                 | id                   | string   | ID of the suppression.                                                                                                                                                                                                                              |
| data                 | type                 | enum     | Type of data. Allowed enum values: `suppression_version_history`                                                                                                                                                                                    |

{% /tab %}

{% tab title="Example" %}

```json
{
  "data": {
    "attributes": {
      "count": "integer",
      "data": {
        "<any-key>": {
          "changes": [
            {
              "change": "cloud_provider:aws",
              "field": "Tags",
              "type": "string"
            }
          ],
          "suppression": {
            "creation_date": "integer",
            "creator": {
              "handle": "john.doe@datadoghq.com",
              "name": "John Doe"
            },
            "data_exclusion_query": "source:cloudtrail account_id:12345",
            "description": "This rule suppresses low-severity signals in staging environments.",
            "editable": true,
            "enabled": true,
            "expiration_date": 1703187336000,
            "name": "Custom suppression",
            "rule_query": "type:log_detection source:cloudtrail",
            "start_date": 1703187336000,
            "suppression_query": "env:staging status:low",
            "tags": [
              "technique:T1110-brute-force",
              "source:cloudtrail"
            ],
            "update_date": "integer",
            "updater": {
              "handle": "john.doe@datadoghq.com",
              "name": "John Doe"
            },
            "version": 42
          }
        }
      }
    },
    "id": "string",
    "type": "string"
  }
}
```

{% /tab %}

{% /tab %}

{% tab title="403" %}
Not Authorized
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="404" %}
Not Found
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="429" %}
Too many requests
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

### Code Example

```shell
# Path parameters
export suppression_id="CHANGE_ME"
# Curl command (use the API host for your Datadog site from the endpoint table above)
curl -X GET "https://api.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/${suppression_id}/version_history" \
-H "Accept: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"
```

```python
"""
Get a suppression's version history returns "OK" response
"""

from os import environ
from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi

# there is a valid "suppression" in the system
SUPPRESSION_DATA_ID = environ["SUPPRESSION_DATA_ID"]

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.get_suppression_version_history(
        suppression_id=SUPPRESSION_DATA_ID,
    )

    print(response)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=python), then save the example to `example.py` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```shell
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
```

```ruby
# Get a suppression's version history returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

# there is a valid "suppression" in the system
SUPPRESSION_DATA_ID = ENV["SUPPRESSION_DATA_ID"]
p api_instance.get_suppression_version_history(SUPPRESSION_DATA_ID)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=ruby), then save the example to `example.rb` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```shell
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" ruby "example.rb"
```

```go
// Get a suppression's version history returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	// there is a valid "suppression" in the system
	SuppressionDataID := os.Getenv("SUPPRESSION_DATA_ID")

	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.GetSuppressionVersionHistory(ctx, SuppressionDataID, *datadogV2.NewGetSuppressionVersionHistoryOptionalParameters())

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.GetSuppressionVersionHistory`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.GetSuppressionVersionHistory`:\n%s\n", responseContent)
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=go), then save the example to `main.go` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```shell
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
```

```java
// Get a suppression's version history returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.GetSuppressionVersionHistoryResponse;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    // there is a valid "suppression" in the system
    String SUPPRESSION_DATA_ID = System.getenv("SUPPRESSION_DATA_ID");

    try {
      GetSuppressionVersionHistoryResponse result =
          apiInstance.getSuppressionVersionHistory(SUPPRESSION_DATA_ID);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#getSuppressionVersionHistory");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=java), then save the example to `Example.java` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```shell
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"
```

```rust
// Get a suppression's version history returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::GetSuppressionVersionHistoryOptionalParams;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;

#[tokio::main]
async fn main() {
    // there is a valid "suppression" in the system
    let suppression_data_id = std::env::var("SUPPRESSION_DATA_ID").unwrap();
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api
        .get_suppression_version_history(
            suppression_data_id.clone(),
            GetSuppressionVersionHistoryOptionalParams::default(),
        )
        .await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=rust), then save the example to `src/main.rs` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```shell
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run
```

```typescript
/**
 * Get a suppression's version history returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

// there is a valid "suppression" in the system
const SUPPRESSION_DATA_ID = process.env.SUPPRESSION_DATA_ID as string;

const params: v2.SecurityMonitoringApiGetSuppressionVersionHistoryRequest = {
  suppressionId: SUPPRESSION_DATA_ID,
};

apiInstance
  .getSuppressionVersionHistory(params)
  .then((data: v2.GetSuppressionVersionHistoryResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=typescript), then save the example to `example.ts` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```shell
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"
```
{% /tab %}
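The version history is what a detection engineer reviews to see who widened or extended a suppression. The following is an added example, not part of the Datadog documentation or client library: it takes the JSON form of the 200 response documented above, diffs consecutive `suppression` snapshots on the attributes that control what is silenced, and reports gaps in the version sequence. The sample history, the user handles, the map keys and the `note` wording are constructed for illustration.

```python
"""Audit a suppression's version history for changes in what it silences."""
from datetime import datetime, timezone

# Documented suppression attributes that decide what is silenced and when.
SCOPE_FIELDS = ("enabled", "rule_query", "suppression_query",
                "data_exclusion_query", "start_date", "expiration_date")


def ms_to_iso(ms):
    """Convert a Unix millisecond timestamp to an ISO 8601 UTC string."""
    if not isinstance(ms, int):
        return None
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).isoformat()


def ordered_snapshots(response):
    """Return the `suppression` snapshot of every version, oldest first."""
    versions = response["data"]["attributes"]["data"]
    snapshots = [v["suppression"] for v in versions.values() if v.get("suppression")]
    return sorted(snapshots, key=lambda s: s["version"])


def missing_versions(snapshots):
    """Versions start at 1 and increment per update, so gaps mean the
    retrieved history is incomplete (for example, more pages to fetch)."""
    seen = {s["version"] for s in snapshots}
    return [n for n in range(1, max(seen, default=0) + 1) if n not in seen]


def describe(field, old, new):
    """Reviewer hint for a change; the wording is this example's own."""
    if field == "enabled":
        return "suppression switched on" if new else "suppression switched off"
    if field == "expiration_date":
        if new is None:
            return "expiration removed"
        if old is None:
            return "expiration added"
        return "expiration moved later" if new > old else "expiration moved earlier"
    if field == "start_date":
        return "start date changed"
    return "query changed: compare old and new scope"


def scope_changes(response):
    """Diff consecutive snapshots and report every scope-affecting change."""
    findings = []
    snapshots = ordered_snapshots(response)
    for prev, cur in zip(snapshots, snapshots[1:]):
        for field in SCOPE_FIELDS:
            old, new = prev.get(field), cur.get(field)
            if old == new:
                continue
            findings.append({
                "version": cur["version"],
                "field": field,
                "old": old,
                "new": new,
                "updater": (cur.get("updater") or {}).get("handle"),
                "updated_at": ms_to_iso(cur.get("update_date")),
                "note": describe(field, old, new),
            })
    return findings


def _snapshot(version, updater, update_date, **overrides):
    """Build one constructed suppression snapshot for the sample below."""
    base = {
        "name": "Custom suppression",
        "enabled": True,
        "rule_query": "type:log_detection source:cloudtrail",
        "suppression_query": "env:staging status:low",
        "expiration_date": 1703187336000,
    }
    base.update(overrides)
    base.update(version=version, update_date=update_date,
                updater={"handle": updater, "name": updater.split("@")[0]})
    return {"changes": [], "suppression": base}


# Constructed sample shaped like the documented 200 response. The map keys
# ("1", "2", "3") are an assumption; the model only documents "<any-key>".
SAMPLE_RESPONSE = {"data": {"id": "example-id", "type": "suppression_version_history",
    "attributes": {"count": 3, "data": {
        "1": _snapshot(1, "alice@example.com", 1700000000000),
        "2": _snapshot(2, "bob@example.com", 1701000000000,
                       suppression_query="env:staging"),
        "3": _snapshot(3, "bob@example.com", 1702000000000,
                       suppression_query="env:staging", expiration_date=None),
    }}}}

if __name__ == "__main__":
    for finding in scope_changes(SAMPLE_RESPONSE):
        print(finding)
    print("missing versions:", missing_versions(ordered_snapshots(SAMPLE_RESPONSE)))
```

When `missing_versions` returns a non-empty list, fetch the remaining pages with `page[number]` and `page[size]` before trusting the diff, since a change is attributed to the updater of the later of the two snapshots compared.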

## Get all critical assets{% #get-all-critical-assets %}

{% tab title="v2" %}

| Datadog site      | API endpoint                                                                               |
| ----------------- | ------------------------------------------------------------------------------------------ |
| ap1.datadoghq.com | GET https://api.ap1.datadoghq.com/api/v2/security_monitoring/configuration/critical_assets |
| ap2.datadoghq.com | GET https://api.ap2.datadoghq.com/api/v2/security_monitoring/configuration/critical_assets |
| app.datadoghq.eu  | GET https://api.datadoghq.eu/api/v2/security_monitoring/configuration/critical_assets      |
| app.ddog-gov.com  | GET https://api.ddog-gov.com/api/v2/security_monitoring/configuration/critical_assets      |
| app.datadoghq.com | GET https://api.datadoghq.com/api/v2/security_monitoring/configuration/critical_assets     |
| us3.datadoghq.com | GET https://api.us3.datadoghq.com/api/v2/security_monitoring/configuration/critical_assets |
| us5.datadoghq.com | GET https://api.us5.datadoghq.com/api/v2/security_monitoring/configuration/critical_assets |

### Overview

Get the list of all critical assets.

OAuth apps require the `security_monitoring_critical_assets_read` authorization [scope](https://docs.datadoghq.com/api/latest/scopes/#security-monitoring) to access this endpoint.



### Response

{% tab title="200" %}
OK
{% tab title="Model" %}
Response object containing the available critical assets.

| Parent field | Field              | Type     | Description                                                                                                                                                                                                                                                      |
| ------------ | ------------------ | -------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|              | data               | [object] | A list of critical assets objects.                                                                                                                                                                                                                               |
| data         | attributes         | object   | The attributes of the critical asset.                                                                                                                                                                                                                            |
| attributes   | creation_author_id | int64    | ID of user who created the critical asset.                                                                                                                                                                                                                       |
| attributes   | creation_date      | int64    | A Unix millisecond timestamp given the creation date of the critical asset.                                                                                                                                                                                      |
| attributes   | creator            | object   | A user.                                                                                                                                                                                                                                                          |
| creator      | handle             | string   | The handle of the user.                                                                                                                                                                                                                                          |
| creator      | name               | string   | The name of the user.                                                                                                                                                                                                                                            |
| attributes   | enabled            | boolean  | Whether the critical asset is enabled.                                                                                                                                                                                                                           |
| attributes   | query              | string   | The query for the critical asset. It uses the same syntax as the queries to search signals in the Signals Explorer.                                                                                                                                              |
| attributes   | rule_query         | string   | The rule query of the critical asset, with the same syntax as the search bar for detection rules. This determines which rules this critical asset will apply to.                                                                                                 |
| attributes   | severity           | enum     | Severity associated with this critical asset. Either an explicit severity can be set, or the severity can be increased or decreased, or the severity can be left unchanged (no-op). Allowed enum values: `info,low,medium,high,critical,increase,decrease,no-op` |
| attributes   | tags               | [string] | List of tags associated with the critical asset.                                                                                                                                                                                                                 |
| attributes   | update_author_id   | int64    | ID of user who updated the critical asset.                                                                                                                                                                                                                       |
| attributes   | update_date        | int64    | A Unix millisecond timestamp given the update date of the critical asset.                                                                                                                                                                                        |
| attributes   | updater            | object   | A user.                                                                                                                                                                                                                                                          |
| updater      | handle             | string   | The handle of the user.                                                                                                                                                                                                                                          |
| updater      | name               | string   | The name of the user.                                                                                                                                                                                                                                            |
| attributes   | version            | int32    | The version of the critical asset; it starts at 1, and is incremented at each update.                                                                                                                                                                            |
| data         | id                 | string   | The ID of the critical asset.                                                                                                                                                                                                                                    |
| data         | type               | enum     | The type of the resource. The value should always be `critical_assets`. Allowed enum values: `critical_assets`                                                                                                                                                   |

{% /tab %}

{% tab title="Example" %}

```json
{
  "data": [
    {
      "attributes": {
        "creation_author_id": 367742,
        "creation_date": "integer",
        "creator": {
          "handle": "john.doe@datadoghq.com",
          "name": "John Doe"
        },
        "enabled": true,
        "query": "security:monitoring",
        "rule_query": "type:log_detection source:cloudtrail",
        "severity": "increase",
        "tags": [
          "team:database",
          "source:cloudtrail"
        ],
        "update_author_id": 367743,
        "update_date": "integer",
        "updater": {
          "handle": "john.doe@datadoghq.com",
          "name": "John Doe"
        },
        "version": 2
      },
      "id": "4e2435a5-6670-4b8f-baff-46083cd1c250",
      "type": "critical_assets"
    }
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="403" %}
Not Authorized
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="429" %}
Too many requests
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

### Code Example

```bash
# Curl command (replace api.datadoghq.com with the API host for your Datadog site)
curl -X GET "https://api.datadoghq.com/api/v2/security_monitoring/configuration/critical_assets" \
-H "Accept: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"
```

```python
"""
Get all critical assets returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.list_security_monitoring_critical_assets()

    print(response)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=python), then save the example to `example.py` and run the following command, with `DD_SITE` set to your Datadog site (`datadoghq.com` is shown here):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"

```ruby
# Get all critical assets returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new
p api_instance.list_security_monitoring_critical_assets()
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=ruby), then save the example to `example.rb` and run the following command, with `DD_SITE` set to your Datadog site (`datadoghq.com` is shown here):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" ruby "example.rb"

```go
// Get all critical assets returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.ListSecurityMonitoringCriticalAssets(ctx, *datadogV2.NewListSecurityMonitoringCriticalAssetsOptionalParameters())

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.ListSecurityMonitoringCriticalAssets`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.ListSecurityMonitoringCriticalAssets`:\n%s\n", responseContent)
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=go), then save the example to `main.go` and run the following command, with `DD_SITE` set to your Datadog site (`datadoghq.com` is shown here):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"

```java
// Get all critical assets returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityMonitoringCriticalAssetsResponse;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    try {
      SecurityMonitoringCriticalAssetsResponse result =
          apiInstance.listSecurityMonitoringCriticalAssets();
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#listSecurityMonitoringCriticalAssets");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=java), then save the example to `Example.java` and run the following command, with `DD_SITE` set to your Datadog site (`datadoghq.com` is shown here):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"

```rust
// Get all critical assets returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::ListSecurityMonitoringCriticalAssetsOptionalParams;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;

#[tokio::main]
async fn main() {
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api
        .list_security_monitoring_critical_assets(
            ListSecurityMonitoringCriticalAssetsOptionalParams::default(),
        )
        .await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=rust), then save the example to `src/main.rs` and run the following command, with `DD_SITE` set to your Datadog site (`datadoghq.com` is shown here):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run

```typescript
/**
 * Get all critical assets returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

apiInstance
  .listSecurityMonitoringCriticalAssets()
  .then((data: v2.SecurityMonitoringCriticalAssetsResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=typescript), then save the example to `example.ts` and run the following command, with `DD_SITE` set to your Datadog site (`datadoghq.com` is shown here):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"
{% /tab %}
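A critical asset with `severity` set to `decrease`, or pinned to a low explicit value, reduces the severity of every matching signal, so the list response is worth auditing. The following added example (not part of Datadog's documentation or client libraries) walks a response shaped like the model above and reports such assets, along with assets last changed by someone other than their creator. The sample response is constructed, and the set of values treated as "lowering" is an assumed review policy.

```python
import json
from datetime import datetime, timezone

# Allowed values of attributes.severity, as listed in the response model.
ALLOWED_SEVERITIES = {"info", "low", "medium", "high", "critical",
                      "increase", "decrease", "no-op"}
# Assumed review policy (not Datadog's): values that can push a signal's severity down.
LOWERING_SEVERITIES = {"decrease", "info", "low"}

# Constructed sample shaped like the "Get all critical assets" response.
# The last asset keeps the doc example's literal "integer" in update_date.
SAMPLE_RESPONSE = json.loads("""
{"data": [
  {"id": "00000000-0000-0000-0000-000000000001", "type": "critical_assets",
   "attributes": {"enabled": true, "severity": "increase", "version": 1,
     "query": "host:db-prod", "rule_query": "type:log_detection source:cloudtrail",
     "creator": {"handle": "alice@example.com"},
     "updater": {"handle": "alice@example.com"},
     "creation_date": 1690000000000, "update_date": 1690000000000}},
  {"id": "00000000-0000-0000-0000-000000000002", "type": "critical_assets",
   "attributes": {"enabled": true, "severity": "decrease", "version": 3,
     "query": "host:build-agent", "rule_query": "type:workload_security",
     "creator": {"handle": "alice@example.com"},
     "updater": {"handle": "bob@example.com"},
     "creation_date": 1690000000000, "update_date": 1700000000000}},
  {"id": "00000000-0000-0000-0000-000000000003", "type": "critical_assets",
   "attributes": {"enabled": false, "severity": "decrease", "version": 1,
     "query": "env:sandbox", "rule_query": "type:log_detection",
     "creator": {"handle": "alice@example.com"},
     "updater": {"handle": "alice@example.com"},
     "creation_date": 1690000000000, "update_date": 1690000000000}},
  {"id": "00000000-0000-0000-0000-000000000004", "type": "critical_assets",
   "attributes": {"enabled": true, "severity": "lowest", "version": 1,
     "query": "team:legacy", "rule_query": "type:log_detection",
     "creator": {"handle": "alice@example.com"},
     "updater": {"handle": "alice@example.com"},
     "creation_date": 1690000000000, "update_date": "integer"}}
]}
""")


def ms_to_iso(value):
    """Convert a Unix millisecond timestamp to ISO 8601 UTC, or None if unusable."""
    if isinstance(value, bool) or not isinstance(value, int):
        return None
    return datetime.fromtimestamp(value / 1000, tz=timezone.utc).isoformat()


def audit_critical_assets(response):
    """Return one finding dict per issue found in a list-critical-assets response."""
    findings = []
    for asset in response.get("data", []):
        attrs = asset.get("attributes") or {}
        severity = attrs.get("severity")
        creator = (attrs.get("creator") or {}).get("handle")
        updater = (attrs.get("updater") or {}).get("handle")
        base = {
            "id": asset.get("id"),
            "query": attrs.get("query"),
            "rule_query": attrs.get("rule_query"),
            "severity": severity,
            "updated": ms_to_iso(attrs.get("update_date")),
        }
        if severity not in ALLOWED_SEVERITIES:
            # Value outside the documented enum: report it and skip further checks.
            findings.append({**base, "check": "unknown-severity",
                             "detail": f"severity {severity!r} is not an allowed value"})
            continue
        if attrs.get("enabled", True) and severity in LOWERING_SEVERITIES:
            findings.append({**base, "check": "lowers-severity",
                             "detail": "enabled asset can lower matching signals"})
        if attrs.get("version", 1) > 1 and creator and updater and creator != updater:
            findings.append({**base, "check": "changed-by-other-user",
                             "detail": f"created by {creator}, last updated by {updater}"})
    return findings


if __name__ == "__main__":
    for finding in audit_critical_assets(SAMPLE_RESPONSE):
        print(json.dumps(finding))
```

To run it against live data, pass the parsed JSON body returned by the `GET` request above instead of `SAMPLE_RESPONSE`.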

## Create a critical asset{% #create-a-critical-asset %}

{% tab title="v2" %}

| Datadog site      | API endpoint                                                                                |
| ----------------- | ------------------------------------------------------------------------------------------- |
| ap1.datadoghq.com | POST https://api.ap1.datadoghq.com/api/v2/security_monitoring/configuration/critical_assets |
| ap2.datadoghq.com | POST https://api.ap2.datadoghq.com/api/v2/security_monitoring/configuration/critical_assets |
| app.datadoghq.eu  | POST https://api.datadoghq.eu/api/v2/security_monitoring/configuration/critical_assets      |
| app.ddog-gov.com  | POST https://api.ddog-gov.com/api/v2/security_monitoring/configuration/critical_assets      |
| app.datadoghq.com | POST https://api.datadoghq.com/api/v2/security_monitoring/configuration/critical_assets     |
| us3.datadoghq.com | POST https://api.us3.datadoghq.com/api/v2/security_monitoring/configuration/critical_assets |
| us5.datadoghq.com | POST https://api.us5.datadoghq.com/api/v2/security_monitoring/configuration/critical_assets |

### Overview

Create a new critical asset.

OAuth apps require the `security_monitoring_critical_assets_write` authorization [scope](https://docs.datadoghq.com/api/latest/scopes/#security-monitoring) to access this endpoint.



### Request

#### Body Data (required)

The definition of the new critical asset.

{% tab title="Model" %}

| Parent field | Field                        | Type     | Description                                                                                                                                                                                                                                                      |
| ------------ | ---------------------------- | -------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|              | data [*required*]       | object   | Object for a single critical asset.                                                                                                                                                                                                                              |
| data         | attributes [*required*] | object   | Object containing the attributes of the critical asset to be created.                                                                                                                                                                                            |
| attributes   | enabled                      | boolean  | Whether the critical asset is enabled. Defaults to `true` if not specified.                                                                                                                                                                                      |
| attributes   | query [*required*]      | string   | The query for the critical asset. It uses the same syntax as the queries to search signals in the Signals Explorer.                                                                                                                                              |
| attributes   | rule_query [*required*] | string   | The rule query of the critical asset, with the same syntax as the search bar for detection rules. This determines which rules this critical asset will apply to.                                                                                                 |
| attributes   | severity [*required*]   | enum     | Severity associated with this critical asset. Either an explicit severity can be set, or the severity can be increased or decreased, or the severity can be left unchanged (no-op). Allowed enum values: `info,low,medium,high,critical,increase,decrease,no-op` |
| attributes   | tags                         | [string] | List of tags associated with the critical asset.                                                                                                                                                                                                                 |
| data         | type [*required*]       | enum     | The type of the resource. The value should always be `critical_assets`. Allowed enum values: `critical_assets`                                                                                                                                                   |

{% /tab %}

{% tab title="Example" %}

```json
{
  "data": {
    "type": "critical_assets",
    "attributes": {
      "query": "host:examplesecuritymonitoring",
      "rule_query": "type:(log_detection OR signal_correlation OR workload_security OR application_security) source:cloudtrail",
      "severity": "decrease",
      "tags": [
        "team:security",
        "env:test"
      ]
    }
  }
}
```

{% /tab %}

### Response

{% tab title="200" %}
OK
{% tab title="Model" %}
Response object containing a single critical asset.

| Parent field | Field              | Type     | Description                                                                                                                                                                                                                                                      |
| ------------ | ------------------ | -------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|              | data               | object   | The critical asset's properties.                                                                                                                                                                                                                                 |
| data         | attributes         | object   | The attributes of the critical asset.                                                                                                                                                                                                                            |
| attributes   | creation_author_id | int64    | ID of user who created the critical asset.                                                                                                                                                                                                                       |
| attributes   | creation_date      | int64    | A Unix millisecond timestamp given the creation date of the critical asset.                                                                                                                                                                                      |
| attributes   | creator            | object   | A user.                                                                                                                                                                                                                                                          |
| creator      | handle             | string   | The handle of the user.                                                                                                                                                                                                                                          |
| creator      | name               | string   | The name of the user.                                                                                                                                                                                                                                            |
| attributes   | enabled            | boolean  | Whether the critical asset is enabled.                                                                                                                                                                                                                           |
| attributes   | query              | string   | The query for the critical asset. It uses the same syntax as the queries to search signals in the Signals Explorer.                                                                                                                                              |
| attributes   | rule_query         | string   | The rule query of the critical asset, with the same syntax as the search bar for detection rules. This determines which rules this critical asset will apply to.                                                                                                 |
| attributes   | severity           | enum     | Severity associated with this critical asset. Either an explicit severity can be set, or the severity can be increased or decreased, or the severity can be left unchanged (no-op). Allowed enum values: `info,low,medium,high,critical,increase,decrease,no-op` |
| attributes   | tags               | [string] | List of tags associated with the critical asset.                                                                                                                                                                                                                 |
| attributes   | update_author_id   | int64    | ID of user who updated the critical asset.                                                                                                                                                                                                                       |
| attributes   | update_date        | int64    | A Unix millisecond timestamp given the update date of the critical asset.                                                                                                                                                                                        |
| attributes   | updater            | object   | A user.                                                                                                                                                                                                                                                          |
| updater      | handle             | string   | The handle of the user.                                                                                                                                                                                                                                          |
| updater      | name               | string   | The name of the user.                                                                                                                                                                                                                                            |
| attributes   | version            | int32    | The version of the critical asset; it starts at 1, and is incremented at each update.                                                                                                                                                                            |
| data         | id                 | string   | The ID of the critical asset.                                                                                                                                                                                                                                    |
| data         | type               | enum     | The type of the resource. The value should always be `critical_assets`. Allowed enum values: `critical_assets`                                                                                                                                                   |

{% /tab %}

{% tab title="Example" %}

```json
{
  "data": {
    "attributes": {
      "creation_author_id": 367742,
      "creation_date": "integer",
      "creator": {
        "handle": "john.doe@datadoghq.com",
        "name": "John Doe"
      },
      "enabled": true,
      "query": "security:monitoring",
      "rule_query": "type:log_detection source:cloudtrail",
      "severity": "increase",
      "tags": [
        "team:database",
        "source:cloudtrail"
      ],
      "update_author_id": 367743,
      "update_date": "integer",
      "updater": {
        "handle": "john.doe@datadoghq.com",
        "name": "John Doe"
      },
      "version": 2
    },
    "id": "4e2435a5-6670-4b8f-baff-46083cd1c250",
    "type": "critical_assets"
  }
}
```

{% /tab %}

{% /tab %}

{% tab title="400" %}
Bad Request
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="403" %}
Not Authorized
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="409" %}
Conflict
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="429" %}
Too many requests
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

### Code Example

```bash
# Curl command (replace api.datadoghq.com with the API host for your Datadog site)
curl -X POST "https://api.datadoghq.com/api/v2/security_monitoring/configuration/critical_assets" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "data": {
    "type": "critical_assets",
    "attributes": {
      "query": "host:examplesecuritymonitoring",
      "rule_query": "type:(log_detection OR signal_correlation OR workload_security OR application_security) source:cloudtrail",
      "severity": "decrease",
      "tags": [
        "team:security",
        "env:test"
      ]
    }
  }
}
EOF
```

```go
// Create a critical asset returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	body := datadogV2.SecurityMonitoringCriticalAssetCreateRequest{
		Data: datadogV2.SecurityMonitoringCriticalAssetCreateData{
			Type: datadogV2.SECURITYMONITORINGCRITICALASSETTYPE_CRITICAL_ASSETS,
			Attributes: datadogV2.SecurityMonitoringCriticalAssetCreateAttributes{
				Query:     "host:examplesecuritymonitoring",
				RuleQuery: "type:(log_detection OR signal_correlation OR workload_security OR application_security) source:cloudtrail",
				Severity:  datadogV2.SECURITYMONITORINGCRITICALASSETSEVERITY_DECREASE,
				Tags: []string{
					"team:security",
					"env:test",
				},
			},
		},
	}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.CreateSecurityMonitoringCriticalAsset(ctx, body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.CreateSecurityMonitoringCriticalAsset`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.CreateSecurityMonitoringCriticalAsset`:\n%s\n", responseContent)
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=go), then save the example to `main.go` and run the following command, with `DD_SITE` set to your Datadog site (`datadoghq.com` is shown here):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"

```java
// Create a critical asset returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityMonitoringCriticalAssetCreateAttributes;
import com.datadog.api.client.v2.model.SecurityMonitoringCriticalAssetCreateData;
import com.datadog.api.client.v2.model.SecurityMonitoringCriticalAssetCreateRequest;
import com.datadog.api.client.v2.model.SecurityMonitoringCriticalAssetResponse;
import com.datadog.api.client.v2.model.SecurityMonitoringCriticalAssetSeverity;
import com.datadog.api.client.v2.model.SecurityMonitoringCriticalAssetType;
import java.util.Arrays;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    SecurityMonitoringCriticalAssetCreateRequest body =
        new SecurityMonitoringCriticalAssetCreateRequest()
            .data(
                new SecurityMonitoringCriticalAssetCreateData()
                    .type(SecurityMonitoringCriticalAssetType.CRITICAL_ASSETS)
                    .attributes(
                        new SecurityMonitoringCriticalAssetCreateAttributes()
                            .query("host:examplesecuritymonitoring")
                            .ruleQuery(
                                "type:(log_detection OR signal_correlation OR workload_security OR"
                                    + " application_security) source:cloudtrail")
                            .severity(SecurityMonitoringCriticalAssetSeverity.DECREASE)
                            .tags(Arrays.asList("team:security", "env:test"))));

    try {
      SecurityMonitoringCriticalAssetResponse result =
          apiInstance.createSecurityMonitoringCriticalAsset(body);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#createSecurityMonitoringCriticalAsset");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=java), then save the example to `Example.java` and run the following command, with `DD_SITE` set to your Datadog site (`datadoghq.com` is shown here):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"

```python
"""
Create a critical asset returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.security_monitoring_critical_asset_create_attributes import (
    SecurityMonitoringCriticalAssetCreateAttributes,
)
from datadog_api_client.v2.model.security_monitoring_critical_asset_create_data import (
    SecurityMonitoringCriticalAssetCreateData,
)
from datadog_api_client.v2.model.security_monitoring_critical_asset_create_request import (
    SecurityMonitoringCriticalAssetCreateRequest,
)
from datadog_api_client.v2.model.security_monitoring_critical_asset_severity import (
    SecurityMonitoringCriticalAssetSeverity,
)
from datadog_api_client.v2.model.security_monitoring_critical_asset_type import SecurityMonitoringCriticalAssetType

body = SecurityMonitoringCriticalAssetCreateRequest(
    data=SecurityMonitoringCriticalAssetCreateData(
        type=SecurityMonitoringCriticalAssetType.CRITICAL_ASSETS,
        attributes=SecurityMonitoringCriticalAssetCreateAttributes(
            query="host:examplesecuritymonitoring",
            rule_query="type:(log_detection OR signal_correlation OR workload_security OR application_security) source:cloudtrail",
            severity=SecurityMonitoringCriticalAssetSeverity.DECREASE,
            tags=[
                "team:security",
                "env:test",
            ],
        ),
    ),
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.create_security_monitoring_critical_asset(body=body)

    print(response)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=python), then save the example to `example.py` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"

```ruby
# Create a critical asset returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

body = DatadogAPIClient::V2::SecurityMonitoringCriticalAssetCreateRequest.new({
  data: DatadogAPIClient::V2::SecurityMonitoringCriticalAssetCreateData.new({
    type: DatadogAPIClient::V2::SecurityMonitoringCriticalAssetType::CRITICAL_ASSETS,
    attributes: DatadogAPIClient::V2::SecurityMonitoringCriticalAssetCreateAttributes.new({
      query: "host:examplesecuritymonitoring",
      rule_query: "type:(log_detection OR signal_correlation OR workload_security OR application_security) source:cloudtrail",
      severity: DatadogAPIClient::V2::SecurityMonitoringCriticalAssetSeverity::DECREASE,
      tags: [
        "team:security",
        "env:test",
      ],
    }),
  }),
})
p api_instance.create_security_monitoring_critical_asset(body)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=ruby), then save the example to `example.rb` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" ruby "example.rb"

```rust
// Create a critical asset returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::SecurityMonitoringCriticalAssetCreateAttributes;
use datadog_api_client::datadogV2::model::SecurityMonitoringCriticalAssetCreateData;
use datadog_api_client::datadogV2::model::SecurityMonitoringCriticalAssetCreateRequest;
use datadog_api_client::datadogV2::model::SecurityMonitoringCriticalAssetSeverity;
use datadog_api_client::datadogV2::model::SecurityMonitoringCriticalAssetType;

#[tokio::main]
async fn main() {
    let body =
        SecurityMonitoringCriticalAssetCreateRequest::new(
            SecurityMonitoringCriticalAssetCreateData::new(
                SecurityMonitoringCriticalAssetCreateAttributes::new(
                    "host:examplesecuritymonitoring".to_string(),
                    "type:(log_detection OR signal_correlation OR workload_security OR application_security) source:cloudtrail".to_string(),
                    SecurityMonitoringCriticalAssetSeverity::DECREASE,
                ).tags(vec!["team:security".to_string(), "env:test".to_string()]),
                SecurityMonitoringCriticalAssetType::CRITICAL_ASSETS,
            ),
        );
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api.create_security_monitoring_critical_asset(body).await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=rust), then save the example to `src/main.rs` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run

```typescript
/**
 * Create a critical asset returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiCreateSecurityMonitoringCriticalAssetRequest =
  {
    body: {
      data: {
        type: "critical_assets",
        attributes: {
          query: "host:examplesecuritymonitoring",
          ruleQuery:
            "type:(log_detection OR signal_correlation OR workload_security OR application_security) source:cloudtrail",
          severity: "decrease",
          tags: ["team:security", "env:test"],
        },
      },
    },
  };

apiInstance
  .createSecurityMonitoringCriticalAsset(params)
  .then((data: v2.SecurityMonitoringCriticalAssetResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=typescript), then save the example to `example.ts` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"
{% /tab %}

## Get a critical asset{% #get-a-critical-asset %}

{% tab title="v2" %}

| Datadog site      | API endpoint                                                                                                   |
| ----------------- | -------------------------------------------------------------------------------------------------------------- |
| ap1.datadoghq.com | GET https://api.ap1.datadoghq.com/api/v2/security_monitoring/configuration/critical_assets/{critical_asset_id} |
| ap2.datadoghq.com | GET https://api.ap2.datadoghq.com/api/v2/security_monitoring/configuration/critical_assets/{critical_asset_id} |
| app.datadoghq.eu  | GET https://api.datadoghq.eu/api/v2/security_monitoring/configuration/critical_assets/{critical_asset_id}      |
| app.ddog-gov.com  | GET https://api.ddog-gov.com/api/v2/security_monitoring/configuration/critical_assets/{critical_asset_id}      |
| app.datadoghq.com | GET https://api.datadoghq.com/api/v2/security_monitoring/configuration/critical_assets/{critical_asset_id}     |
| us3.datadoghq.com | GET https://api.us3.datadoghq.com/api/v2/security_monitoring/configuration/critical_assets/{critical_asset_id} |
| us5.datadoghq.com | GET https://api.us5.datadoghq.com/api/v2/security_monitoring/configuration/critical_assets/{critical_asset_id} |

### Overview

Get the details of a specific critical asset.

OAuth apps require the `security_monitoring_critical_assets_read` authorization [scope](https://docs.datadoghq.com/api/latest/scopes/#security-monitoring) to access this endpoint.



### Arguments

#### Path Parameters

| Name                                | Type   | Description                   |
| ----------------------------------- | ------ | ----------------------------- |
| critical_asset_id [*required*] | string | The ID of the critical asset. |

### Response

{% tab title="200" %}
OK
{% tab title="Model" %}
Response object containing a single critical asset.

| Parent field | Field              | Type     | Description                                                                                                                                                                                                                                                      |
| ------------ | ------------------ | -------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|              | data               | object   | The critical asset's properties.                                                                                                                                                                                                                                 |
| data         | attributes         | object   | The attributes of the critical asset.                                                                                                                                                                                                                            |
| attributes   | creation_author_id | int64    | ID of user who created the critical asset.                                                                                                                                                                                                                       |
| attributes   | creation_date      | int64    | A Unix millisecond timestamp given the creation date of the critical asset.                                                                                                                                                                                      |
| attributes   | creator            | object   | A user.                                                                                                                                                                                                                                                          |
| creator      | handle             | string   | The handle of the user.                                                                                                                                                                                                                                          |
| creator      | name               | string   | The name of the user.                                                                                                                                                                                                                                            |
| attributes   | enabled            | boolean  | Whether the critical asset is enabled.                                                                                                                                                                                                                           |
| attributes   | query              | string   | The query for the critical asset. It uses the same syntax as the queries to search signals in the Signals Explorer.                                                                                                                                              |
| attributes   | rule_query         | string   | The rule query of the critical asset, with the same syntax as the search bar for detection rules. This determines which rules this critical asset will apply to.                                                                                                 |
| attributes   | severity           | enum     | Severity associated with this critical asset. Either an explicit severity can be set, or the severity can be increased or decreased, or the severity can be left unchanged (no-op). Allowed enum values: `info,low,medium,high,critical,increase,decrease,no-op` |
| attributes   | tags               | [string] | List of tags associated with the critical asset.                                                                                                                                                                                                                 |
| attributes   | update_author_id   | int64    | ID of user who updated the critical asset.                                                                                                                                                                                                                       |
| attributes   | update_date        | int64    | A Unix millisecond timestamp given the update date of the critical asset.                                                                                                                                                                                        |
| attributes   | updater            | object   | A user.                                                                                                                                                                                                                                                          |
| updater      | handle             | string   | The handle of the user.                                                                                                                                                                                                                                          |
| updater      | name               | string   | The name of the user.                                                                                                                                                                                                                                            |
| attributes   | version            | int32    | The version of the critical asset; it starts at 1, and is incremented at each update.                                                                                                                                                                            |
| data         | id                 | string   | The ID of the critical asset.                                                                                                                                                                                                                                    |
| data         | type               | enum     | The type of the resource. The value should always be `critical_assets`. Allowed enum values: `critical_assets`                                                                                                                                                   |

{% /tab %}

{% tab title="Example" %}

```json
{
  "data": {
    "attributes": {
      "creation_author_id": 367742,
      "creation_date": "integer",
      "creator": {
        "handle": "john.doe@datadoghq.com",
        "name": "John Doe"
      },
      "enabled": true,
      "query": "security:monitoring",
      "rule_query": "type:log_detection source:cloudtrail",
      "severity": "increase",
      "tags": [
        "team:database",
        "source:cloudtrail"
      ],
      "update_author_id": 367743,
      "update_date": "integer",
      "updater": {
        "handle": "john.doe@datadoghq.com",
        "name": "John Doe"
      },
      "version": 2
    },
    "id": "4e2435a5-6670-4b8f-baff-46083cd1c250",
    "type": "critical_assets"
  }
}
```

{% /tab %}

{% /tab %}

{% tab title="403" %}
Not Authorized
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="404" %}
Not Found
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="429" %}
Too many requests
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

### Code Example

```bash
# Path parameters
export critical_asset_id="CHANGE_ME"
# Curl command
# Replace api.datadoghq.com with the API host for your Datadog site (see the endpoint table above).
curl -X GET "https://api.datadoghq.com/api/v2/security_monitoring/configuration/critical_assets/${critical_asset_id}" \
-H "Accept: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"
```

```python
"""
Get a critical asset returns "OK" response
"""

from os import environ
from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi

# there is a valid "critical_asset" in the system
CRITICAL_ASSET_DATA_ID = environ["CRITICAL_ASSET_DATA_ID"]

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.get_security_monitoring_critical_asset(
        critical_asset_id=CRITICAL_ASSET_DATA_ID,
    )

    print(response)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=python), then save the example to `example.py` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"

```ruby
# Get a critical asset returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

# there is a valid "critical_asset" in the system
CRITICAL_ASSET_DATA_ID = ENV["CRITICAL_ASSET_DATA_ID"]
p api_instance.get_security_monitoring_critical_asset(CRITICAL_ASSET_DATA_ID)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=ruby), then save the example to `example.rb` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" ruby "example.rb"

```go
// Get a critical asset returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	// there is a valid "critical_asset" in the system
	CriticalAssetDataID := os.Getenv("CRITICAL_ASSET_DATA_ID")

	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.GetSecurityMonitoringCriticalAsset(ctx, CriticalAssetDataID)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.GetSecurityMonitoringCriticalAsset`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.GetSecurityMonitoringCriticalAsset`:\n%s\n", responseContent)
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=go), then save the example to `main.go` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"

```java
// Get a critical asset returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityMonitoringCriticalAssetResponse;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    // there is a valid "critical_asset" in the system
    String CRITICAL_ASSET_DATA_ID = System.getenv("CRITICAL_ASSET_DATA_ID");

    try {
      SecurityMonitoringCriticalAssetResponse result =
          apiInstance.getSecurityMonitoringCriticalAsset(CRITICAL_ASSET_DATA_ID);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#getSecurityMonitoringCriticalAsset");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=java), then save the example to `Example.java` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"

```rust
// Get a critical asset returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;

#[tokio::main]
async fn main() {
    // there is a valid "critical_asset" in the system
    let critical_asset_data_id = std::env::var("CRITICAL_ASSET_DATA_ID").unwrap();
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api
        .get_security_monitoring_critical_asset(critical_asset_data_id.clone())
        .await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=rust), then save the example to `src/main.rs` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run

```typescript
/**
 * Get a critical asset returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

// there is a valid "critical_asset" in the system
const CRITICAL_ASSET_DATA_ID = process.env.CRITICAL_ASSET_DATA_ID as string;

const params: v2.SecurityMonitoringApiGetSecurityMonitoringCriticalAssetRequest =
  {
    criticalAssetId: CRITICAL_ASSET_DATA_ID,
  };

apiInstance
  .getSecurityMonitoringCriticalAsset(params)
  .then((data: v2.SecurityMonitoringCriticalAssetResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=typescript), then save the example to `example.ts` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"
{% /tab %}

## Update a critical asset{% #update-a-critical-asset %}

{% tab title="v2" %}

| Datadog site      | API endpoint                                                                                                     |
| ----------------- | ---------------------------------------------------------------------------------------------------------------- |
| ap1.datadoghq.com | PATCH https://api.ap1.datadoghq.com/api/v2/security_monitoring/configuration/critical_assets/{critical_asset_id} |
| ap2.datadoghq.com | PATCH https://api.ap2.datadoghq.com/api/v2/security_monitoring/configuration/critical_assets/{critical_asset_id} |
| app.datadoghq.eu  | PATCH https://api.datadoghq.eu/api/v2/security_monitoring/configuration/critical_assets/{critical_asset_id}      |
| app.ddog-gov.com  | PATCH https://api.ddog-gov.com/api/v2/security_monitoring/configuration/critical_assets/{critical_asset_id}      |
| app.datadoghq.com | PATCH https://api.datadoghq.com/api/v2/security_monitoring/configuration/critical_assets/{critical_asset_id}     |
| us3.datadoghq.com | PATCH https://api.us3.datadoghq.com/api/v2/security_monitoring/configuration/critical_assets/{critical_asset_id} |
| us5.datadoghq.com | PATCH https://api.us5.datadoghq.com/api/v2/security_monitoring/configuration/critical_assets/{critical_asset_id} |

### Overview

Update a specific critical asset.

OAuth apps require the `security_monitoring_critical_assets_write` authorization [scope](https://docs.datadoghq.com/api/latest/scopes/#security-monitoring) to access this endpoint.



### Arguments

#### Path Parameters

| Name                                | Type   | Description                   |
| ----------------------------------- | ------ | ----------------------------- |
| critical_asset_id [*required*] | string | The ID of the critical asset. |

### Request

#### Body Data (required)

New definition of the critical asset. Supports partial updates.

{% tab title="Model" %}

| Parent field | Field                        | Type     | Description                                                                                                                                                                                                                                                      |
| ------------ | ---------------------------- | -------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|              | data [*required*]       | object   | The new critical asset properties; partial updates are supported.                                                                                                                                                                                                |
| data         | attributes [*required*] | object   | The critical asset properties to be updated.                                                                                                                                                                                                                     |
| attributes   | enabled                      | boolean  | Whether the critical asset is enabled.                                                                                                                                                                                                                           |
| attributes   | query                        | string   | The query for the critical asset. It uses the same syntax as the queries to search signals in the Signals Explorer.                                                                                                                                              |
| attributes   | rule_query                   | string   | The rule query of the critical asset, with the same syntax as the search bar for detection rules. This determines which rules this critical asset will apply to.                                                                                                 |
| attributes   | severity                     | enum     | Severity associated with this critical asset. Either an explicit severity can be set, or the severity can be increased or decreased, or the severity can be left unchanged (no-op). Allowed enum values: `info,low,medium,high,critical,increase,decrease,no-op` |
| attributes   | tags                         | [string] | List of tags associated with the critical asset.                                                                                                                                                                                                                 |
| attributes   | version                      | int32    | The version of the critical asset being updated. Used for optimistic locking to prevent concurrent modifications.                                                                                                                                                |
| data         | type [*required*]       | enum     | The type of the resource. The value should always be `critical_assets`. Allowed enum values: `critical_assets`                                                                                                                                                   |

{% /tab %}

{% tab title="Example" %}

```json
{
  "data": {
    "type": "critical_assets",
    "attributes": {
      "enabled": false,
      "query": "no:alert",
      "rule_query": "type:(log_detection OR signal_correlation OR workload_security OR application_security) ruleId:djg-ktx-ipq",
      "severity": "decrease",
      "tags": [
        "env:production"
      ],
      "version": 1
    }
  }
}
```

{% /tab %}
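
The partial-update and optimistic-locking fields in the request model above, as an added example (not Datadog's own code): it builds the PATCH body from a previously fetched critical asset, sending only the attributes that changed plus the `version` that was read. The helper names, the sample response, and the placeholder ID are constructed for illustration.

```python
"""Added example: build a partial-update PATCH body for a critical asset."""
import copy
import json

# Allowed values copied from the `severity` row of the request model.
ALLOWED_SEVERITIES = frozenset(
    {"info", "low", "medium", "high", "critical", "increase", "decrease", "no-op"}
)
# Attributes the request model lists as updatable (besides `version`).
UPDATABLE_FIELDS = frozenset({"enabled", "query", "rule_query", "severity", "tags"})

# Constructed sample, shaped like the "Get a critical asset" 200 response.
SAMPLE_GET_RESPONSE = {
    "data": {
        "id": "00000000-0000-0000-0000-000000000000",  # placeholder ID
        "type": "critical_assets",
        "attributes": {
            "enabled": True,
            "query": "host:examplesecuritymonitoring",
            "rule_query": "type:log_detection source:cloudtrail",
            "severity": "increase",
            "tags": ["team:security", "env:test"],
            "version": 2,
        },
    }
}


def validate_changes(changes):
    """Reject fields or values the request model does not allow."""
    unknown = set(changes) - UPDATABLE_FIELDS
    if unknown:
        raise ValueError(f"not updatable: {sorted(unknown)}")
    if "severity" in changes and changes["severity"] not in ALLOWED_SEVERITIES:
        raise ValueError(f"invalid severity: {changes['severity']!r}")
    if "enabled" in changes and not isinstance(changes["enabled"], bool):
        raise ValueError("enabled must be a boolean")
    for key in ("query", "rule_query"):
        if key in changes:
            value = changes[key]
            if not isinstance(value, str) or not value.strip():
                raise ValueError(f"{key} must be a non-empty string")
    if "tags" in changes:
        tags = changes["tags"]
        if not isinstance(tags, list) or not all(isinstance(t, str) for t in tags):
            raise ValueError("tags must be a list of strings")


def build_update_body(current, changes):
    """Return the PATCH body, or None when `changes` alters nothing.

    `current` is the parsed GET response; its `version` is echoed back so the
    update applies to the revision that was actually read.
    """
    validate_changes(changes)
    data = current["data"]
    if data.get("type") != "critical_assets":
        raise ValueError("response is not a critical asset")
    attrs = data["attributes"]
    # Keep only attributes whose value differs from what was fetched.
    delta = {k: copy.deepcopy(v) for k, v in changes.items() if attrs.get(k) != v}
    if not delta:
        return None
    delta["version"] = attrs["version"]
    return {"data": {"type": "critical_assets", "attributes": delta}}


if __name__ == "__main__":
    body = build_update_body(
        SAMPLE_GET_RESPONSE, {"severity": "decrease", "enabled": True}
    )
    print(json.dumps(body, indent=2))
```
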

### Response

{% tab title="200" %}
OK
{% tab title="Model" %}
Response object containing a single critical asset.

| Parent field | Field              | Type     | Description                                                                                                                                                                                                                                                      |
| ------------ | ------------------ | -------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|              | data               | object   | The critical asset's properties.                                                                                                                                                                                                                                 |
| data         | attributes         | object   | The attributes of the critical asset.                                                                                                                                                                                                                            |
| attributes   | creation_author_id | int64    | ID of user who created the critical asset.                                                                                                                                                                                                                       |
| attributes   | creation_date      | int64    | A Unix millisecond timestamp given the creation date of the critical asset.                                                                                                                                                                                      |
| attributes   | creator            | object   | A user.                                                                                                                                                                                                                                                          |
| creator      | handle             | string   | The handle of the user.                                                                                                                                                                                                                                          |
| creator      | name               | string   | The name of the user.                                                                                                                                                                                                                                            |
| attributes   | enabled            | boolean  | Whether the critical asset is enabled.                                                                                                                                                                                                                           |
| attributes   | query              | string   | The query for the critical asset. It uses the same syntax as the queries to search signals in the Signals Explorer.                                                                                                                                              |
| attributes   | rule_query         | string   | The rule query of the critical asset, with the same syntax as the search bar for detection rules. This determines which rules this critical asset will apply to.                                                                                                 |
| attributes   | severity           | enum     | Severity associated with this critical asset. Either an explicit severity can be set, or the severity can be increased or decreased, or the severity can be left unchanged (no-op). Allowed enum values: `info,low,medium,high,critical,increase,decrease,no-op` |
| attributes   | tags               | [string] | List of tags associated with the critical asset.                                                                                                                                                                                                                 |
| attributes   | update_author_id   | int64    | ID of user who updated the critical asset.                                                                                                                                                                                                                       |
| attributes   | update_date        | int64    | A Unix millisecond timestamp given the update date of the critical asset.                                                                                                                                                                                        |
| attributes   | updater            | object   | A user.                                                                                                                                                                                                                                                          |
| updater      | handle             | string   | The handle of the user.                                                                                                                                                                                                                                          |
| updater      | name               | string   | The name of the user.                                                                                                                                                                                                                                            |
| attributes   | version            | int32    | The version of the critical asset; it starts at 1, and is incremented at each update.                                                                                                                                                                            |
| data         | id                 | string   | The ID of the critical asset.                                                                                                                                                                                                                                    |
| data         | type               | enum     | The type of the resource. The value should always be `critical_assets`. Allowed enum values: `critical_assets`                                                                                                                                                   |

{% /tab %}

{% tab title="Example" %}

```json
{
  "data": {
    "attributes": {
      "creation_author_id": 367742,
      "creation_date": "integer",
      "creator": {
        "handle": "john.doe@datadoghq.com",
        "name": "John Doe"
      },
      "enabled": true,
      "query": "security:monitoring",
      "rule_query": "type:log_detection source:cloudtrail",
      "severity": "increase",
      "tags": [
        "team:database",
        "source:cloudtrail"
      ],
      "update_author_id": 367743,
      "update_date": "integer",
      "updater": {
        "handle": "john.doe@datadoghq.com",
        "name": "John Doe"
      },
      "version": 2
    },
    "id": "4e2435a5-6670-4b8f-baff-46083cd1c250",
    "type": "critical_assets"
  }
}
```

{% /tab %}

{% /tab %}

{% tab title="400" %}
Bad Request
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="403" %}
Not Authorized
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="404" %}
Not Found
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="409" %}
Concurrent Modification
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="429" %}
Too many requests
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

### Code Example

##### Curl

```bash
# Path parameters
export critical_asset_id="CHANGE_ME"
# Curl command (api.datadoghq.com is shown; use the API host for your Datadog site)
curl -X PATCH "https://api.datadoghq.com/api/v2/security_monitoring/configuration/critical_assets/${critical_asset_id}" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "data": {
    "type": "critical_assets",
    "attributes": {
      "enabled": false,
      "query": "no:alert",
      "rule_query": "type:(log_detection OR signal_correlation OR workload_security OR application_security) ruleId:djg-ktx-ipq",
      "severity": "decrease",
      "tags": [
        "env:production"
      ],
      "version": 1
    }
  }
}
EOF
```

##### Go

```go
// Update a critical asset returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	// there is a valid "critical_asset" in the system
	CriticalAssetDataID := os.Getenv("CRITICAL_ASSET_DATA_ID")

	body := datadogV2.SecurityMonitoringCriticalAssetUpdateRequest{
		Data: datadogV2.SecurityMonitoringCriticalAssetUpdateData{
			Type: datadogV2.SECURITYMONITORINGCRITICALASSETTYPE_CRITICAL_ASSETS,
			Attributes: datadogV2.SecurityMonitoringCriticalAssetUpdateAttributes{
				Enabled:   datadog.PtrBool(false),
				Query:     datadog.PtrString("no:alert"),
				RuleQuery: datadog.PtrString("type:(log_detection OR signal_correlation OR workload_security OR application_security) ruleId:djg-ktx-ipq"),
				Severity:  datadogV2.SECURITYMONITORINGCRITICALASSETSEVERITY_DECREASE.Ptr(),
				Tags: []string{
					"env:production",
				},
				Version: datadog.PtrInt32(1),
			},
		},
	}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.UpdateSecurityMonitoringCriticalAsset(ctx, CriticalAssetDataID, body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.UpdateSecurityMonitoringCriticalAsset`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.UpdateSecurityMonitoringCriticalAsset`:\n%s\n", responseContent)
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=go), then save the example to `main.go` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"

##### Java

```java
// Update a critical asset returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityMonitoringCriticalAssetResponse;
import com.datadog.api.client.v2.model.SecurityMonitoringCriticalAssetSeverity;
import com.datadog.api.client.v2.model.SecurityMonitoringCriticalAssetType;
import com.datadog.api.client.v2.model.SecurityMonitoringCriticalAssetUpdateAttributes;
import com.datadog.api.client.v2.model.SecurityMonitoringCriticalAssetUpdateData;
import com.datadog.api.client.v2.model.SecurityMonitoringCriticalAssetUpdateRequest;
import java.util.Collections;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    // there is a valid "critical_asset" in the system
    String CRITICAL_ASSET_DATA_ID = System.getenv("CRITICAL_ASSET_DATA_ID");

    SecurityMonitoringCriticalAssetUpdateRequest body =
        new SecurityMonitoringCriticalAssetUpdateRequest()
            .data(
                new SecurityMonitoringCriticalAssetUpdateData()
                    .type(SecurityMonitoringCriticalAssetType.CRITICAL_ASSETS)
                    .attributes(
                        new SecurityMonitoringCriticalAssetUpdateAttributes()
                            .enabled(false)
                            .query("no:alert")
                            .ruleQuery(
                                "type:(log_detection OR signal_correlation OR workload_security OR"
                                    + " application_security) ruleId:djg-ktx-ipq")
                            .severity(SecurityMonitoringCriticalAssetSeverity.DECREASE)
                            .tags(Collections.singletonList("env:production"))
                            .version(1)));

    try {
      SecurityMonitoringCriticalAssetResponse result =
          apiInstance.updateSecurityMonitoringCriticalAsset(CRITICAL_ASSET_DATA_ID, body);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#updateSecurityMonitoringCriticalAsset");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=java), then save the example to `Example.java` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"

##### Python

```python
"""
Update a critical asset returns "OK" response
"""

from os import environ
from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.security_monitoring_critical_asset_severity import (
    SecurityMonitoringCriticalAssetSeverity,
)
from datadog_api_client.v2.model.security_monitoring_critical_asset_type import SecurityMonitoringCriticalAssetType
from datadog_api_client.v2.model.security_monitoring_critical_asset_update_attributes import (
    SecurityMonitoringCriticalAssetUpdateAttributes,
)
from datadog_api_client.v2.model.security_monitoring_critical_asset_update_data import (
    SecurityMonitoringCriticalAssetUpdateData,
)
from datadog_api_client.v2.model.security_monitoring_critical_asset_update_request import (
    SecurityMonitoringCriticalAssetUpdateRequest,
)

# there is a valid "critical_asset" in the system
CRITICAL_ASSET_DATA_ID = environ["CRITICAL_ASSET_DATA_ID"]

body = SecurityMonitoringCriticalAssetUpdateRequest(
    data=SecurityMonitoringCriticalAssetUpdateData(
        type=SecurityMonitoringCriticalAssetType.CRITICAL_ASSETS,
        attributes=SecurityMonitoringCriticalAssetUpdateAttributes(
            enabled=False,
            query="no:alert",
            rule_query="type:(log_detection OR signal_correlation OR workload_security OR application_security) ruleId:djg-ktx-ipq",
            severity=SecurityMonitoringCriticalAssetSeverity.DECREASE,
            tags=[
                "env:production",
            ],
            version=1,
        ),
    ),
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.update_security_monitoring_critical_asset(
        critical_asset_id=CRITICAL_ASSET_DATA_ID, body=body
    )

    print(response)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=python), then save the example to `example.py` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"

##### Ruby

```ruby
# Update a critical asset returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

# there is a valid "critical_asset" in the system
CRITICAL_ASSET_DATA_ID = ENV["CRITICAL_ASSET_DATA_ID"]

body = DatadogAPIClient::V2::SecurityMonitoringCriticalAssetUpdateRequest.new({
  data: DatadogAPIClient::V2::SecurityMonitoringCriticalAssetUpdateData.new({
    type: DatadogAPIClient::V2::SecurityMonitoringCriticalAssetType::CRITICAL_ASSETS,
    attributes: DatadogAPIClient::V2::SecurityMonitoringCriticalAssetUpdateAttributes.new({
      enabled: false,
      query: "no:alert",
      rule_query: "type:(log_detection OR signal_correlation OR workload_security OR application_security) ruleId:djg-ktx-ipq",
      severity: DatadogAPIClient::V2::SecurityMonitoringCriticalAssetSeverity::DECREASE,
      tags: [
        "env:production",
      ],
      version: 1,
    }),
  }),
})
p api_instance.update_security_monitoring_critical_asset(CRITICAL_ASSET_DATA_ID, body)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=ruby), then save the example to `example.rb` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" ruby "example.rb"

##### Rust

```rust
// Update a critical asset returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::SecurityMonitoringCriticalAssetSeverity;
use datadog_api_client::datadogV2::model::SecurityMonitoringCriticalAssetType;
use datadog_api_client::datadogV2::model::SecurityMonitoringCriticalAssetUpdateAttributes;
use datadog_api_client::datadogV2::model::SecurityMonitoringCriticalAssetUpdateData;
use datadog_api_client::datadogV2::model::SecurityMonitoringCriticalAssetUpdateRequest;

#[tokio::main]
async fn main() {
    // there is a valid "critical_asset" in the system
    let critical_asset_data_id = std::env::var("CRITICAL_ASSET_DATA_ID").unwrap();
    let body =
        SecurityMonitoringCriticalAssetUpdateRequest::new(
            SecurityMonitoringCriticalAssetUpdateData::new(
                SecurityMonitoringCriticalAssetUpdateAttributes::new()
                    .enabled(false)
                    .query("no:alert".to_string())
                    .rule_query(
                        "type:(log_detection OR signal_correlation OR workload_security OR application_security) ruleId:djg-ktx-ipq".to_string(),
                    )
                    .severity(SecurityMonitoringCriticalAssetSeverity::DECREASE)
                    .tags(vec!["env:production".to_string()])
                    .version(1),
                SecurityMonitoringCriticalAssetType::CRITICAL_ASSETS,
            ),
        );
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api
        .update_security_monitoring_critical_asset(critical_asset_data_id.clone(), body)
        .await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=rust), then save the example to `src/main.rs` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run

##### TypeScript

```typescript
/**
 * Update a critical asset returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

// there is a valid "critical_asset" in the system
const CRITICAL_ASSET_DATA_ID = process.env.CRITICAL_ASSET_DATA_ID as string;

const params: v2.SecurityMonitoringApiUpdateSecurityMonitoringCriticalAssetRequest =
  {
    body: {
      data: {
        type: "critical_assets",
        attributes: {
          enabled: false,
          query: "no:alert",
          ruleQuery:
            "type:(log_detection OR signal_correlation OR workload_security OR application_security) ruleId:djg-ktx-ipq",
          severity: "decrease",
          tags: ["env:production"],
          version: 1,
        },
      },
    },
    criticalAssetId: CRITICAL_ASSET_DATA_ID,
  };

apiInstance
  .updateSecurityMonitoringCriticalAsset(params)
  .then((data: v2.SecurityMonitoringCriticalAssetResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=typescript), then save the example to `example.ts` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"
{% /tab %}
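
The update endpoint lists `409 Concurrent Modification` and `429 Too many requests` among its responses, and the asset's `version` is incremented at each update, so callers that automate changes need a read-modify-write loop. The Python below is an added example, not Datadog's client code: it assumes a 409 means the `version` sent was stale, and `get_asset`, `patch_asset`, `update_critical_asset` and `FakeCriticalAssetEndpoint` are hypothetical names, the last one a constructed in-memory stand-in so the block runs offline.

```python
import copy
import time


class AssetUpdateError(Exception):
    """A response that retrying cannot fix, or the attempts ran out."""

    def __init__(self, status, errors):
        super().__init__(f"HTTP {status}: {errors}")
        self.status = status
        self.errors = errors


def build_update_body(changes, version):
    """PATCH body in the shape of the request example, carrying the version just read."""
    return {"data": {"type": "critical_assets",
                     "attributes": {**changes, "version": version}}}


def update_critical_asset(get_asset, patch_asset, asset_id, changes,
                          max_attempts=4, base_delay=1.0, sleep=time.sleep):
    """Read the current version, send the update, retry on 409 and 429.

    get_asset(asset_id) and patch_asset(asset_id, body) are hypothetical
    callables returning (http_status, parsed_json); wire them to your HTTP client.
    """
    delay, status, payload = base_delay, None, {}
    for _ in range(max_attempts):
        status, payload = get_asset(asset_id)
        if status == 200:
            version = payload["data"]["attributes"]["version"]
            status, payload = patch_asset(asset_id, build_update_body(changes, version))
            if status == 200:
                return payload["data"]
        if status == 409:      # Concurrent Modification: re-read the version, retry
            continue
        if status == 429:      # Too many requests: back off, then retry
            sleep(delay)
            delay *= 2
            continue
        raise AssetUpdateError(status, payload.get("errors", []))  # 400, 403, 404
    raise AssetUpdateError(status, payload.get("errors", []))      # attempts exhausted


class FakeCriticalAssetEndpoint:
    """Constructed in-memory stand-in for the endpoint, for offline runs only."""

    def __init__(self, asset, scripted_statuses=()):
        self.asset = asset
        self.scripted = list(scripted_statuses)  # statuses returned before normal behaviour
        self.patch_calls = 0

    def get(self, asset_id):
        if asset_id != self.asset["id"]:
            return 404, {"errors": ["Not Found"]}
        return 200, {"data": copy.deepcopy(self.asset)}

    def patch(self, asset_id, body):
        self.patch_calls += 1
        attrs = self.asset["attributes"]
        if asset_id != self.asset["id"]:
            return 404, {"errors": ["Not Found"]}
        if self.scripted:
            status = self.scripted.pop(0)
            if status == 409:
                attrs["version"] += 1  # another writer got there first
            return status, {"errors": [f"scripted {status}"]}
        sent = body["data"]["attributes"]
        if sent["version"] != attrs["version"]:  # assumed stale-version check
            return 409, {"errors": ["Concurrent Modification"]}
        attrs.update(sent)
        attrs["version"] += 1
        return 200, {"data": copy.deepcopy(self.asset)}


def sample_asset():
    """Constructed asset, trimmed from the 200 response example on this page."""
    return {"id": "4e2435a5-6670-4b8f-baff-46083cd1c250", "type": "critical_assets",
            "attributes": {"enabled": True, "query": "security:monitoring",
                           "rule_query": "type:log_detection source:cloudtrail",
                           "severity": "increase", "version": 2}}


def demo():
    """One conflicting writer, one rate limit, then a successful update."""
    fake = FakeCriticalAssetEndpoint(sample_asset(), scripted_statuses=[409, 429])
    sleeps = []
    data = update_critical_asset(fake.get, fake.patch, fake.asset["id"],
                                 {"enabled": False, "severity": "decrease"},
                                 sleep=sleeps.append)
    return data, fake.patch_calls, sleeps


if __name__ == "__main__":
    print(demo())
```

Errors such as 403 and 404 are raised immediately rather than retried, so a missing permission or a deleted asset is reported to the caller instead of being retried.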

## Delete a critical asset{% #delete-a-critical-asset %}

{% tab title="v2" %}

| Datadog site      | API endpoint                                                                                                      |
| ----------------- | ----------------------------------------------------------------------------------------------------------------- |
| ap1.datadoghq.com | DELETE https://api.ap1.datadoghq.com/api/v2/security_monitoring/configuration/critical_assets/{critical_asset_id} |
| ap2.datadoghq.com | DELETE https://api.ap2.datadoghq.com/api/v2/security_monitoring/configuration/critical_assets/{critical_asset_id} |
| app.datadoghq.eu  | DELETE https://api.datadoghq.eu/api/v2/security_monitoring/configuration/critical_assets/{critical_asset_id}      |
| app.ddog-gov.com  | DELETE https://api.ddog-gov.com/api/v2/security_monitoring/configuration/critical_assets/{critical_asset_id}      |
| app.datadoghq.com | DELETE https://api.datadoghq.com/api/v2/security_monitoring/configuration/critical_assets/{critical_asset_id}     |
| us3.datadoghq.com | DELETE https://api.us3.datadoghq.com/api/v2/security_monitoring/configuration/critical_assets/{critical_asset_id} |
| us5.datadoghq.com | DELETE https://api.us5.datadoghq.com/api/v2/security_monitoring/configuration/critical_assets/{critical_asset_id} |

### Overview

Delete a specific critical asset.

OAuth apps require the `security_monitoring_critical_assets_write` authorization [scope](https://docs.datadoghq.com/api/latest/scopes/#security-monitoring) to access this endpoint.



### Arguments

#### Path Parameters

| Name                                | Type   | Description                   |
| ----------------------------------- | ------ | ----------------------------- |
| critical_asset_id [*required*] | string | The ID of the critical asset. |

### Response

{% tab title="204" %}
OK
{% /tab %}

{% tab title="403" %}
Not Authorized
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="404" %}
Not Found
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="429" %}
Too many requests
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

### Code Example

##### Curl

```bash
# Path parameters
export critical_asset_id="CHANGE_ME"
# Curl command (api.datadoghq.com is shown; use the API host for your Datadog site)
curl -X DELETE "https://api.datadoghq.com/api/v2/security_monitoring/configuration/critical_assets/${critical_asset_id}" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"
```

##### Python

```python
"""
Delete a critical asset returns "OK" response
"""

from os import environ
from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi

# there is a valid "critical_asset" in the system
CRITICAL_ASSET_DATA_ID = environ["CRITICAL_ASSET_DATA_ID"]

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    api_instance.delete_security_monitoring_critical_asset(
        critical_asset_id=CRITICAL_ASSET_DATA_ID,
    )
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=python), then save the example to `example.py` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"

##### Ruby

```ruby
# Delete a critical asset returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

# there is a valid "critical_asset" in the system
CRITICAL_ASSET_DATA_ID = ENV["CRITICAL_ASSET_DATA_ID"]
api_instance.delete_security_monitoring_critical_asset(CRITICAL_ASSET_DATA_ID)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=ruby), then save the example to `example.rb` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" ruby "example.rb"

##### Go

```go
// Delete a critical asset returns "OK" response

package main

import (
	"context"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	// there is a valid "critical_asset" in the system
	CriticalAssetDataID := os.Getenv("CRITICAL_ASSET_DATA_ID")

	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	r, err := api.DeleteSecurityMonitoringCriticalAsset(ctx, CriticalAssetDataID)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.DeleteSecurityMonitoringCriticalAsset`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=go), then save the example to `main.go` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"

##### Java

```java
// Delete a critical asset returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    // there is a valid "critical_asset" in the system
    String CRITICAL_ASSET_DATA_ID = System.getenv("CRITICAL_ASSET_DATA_ID");

    try {
      apiInstance.deleteSecurityMonitoringCriticalAsset(CRITICAL_ASSET_DATA_ID);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#deleteSecurityMonitoringCriticalAsset");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=java), then save the example to `Example.java` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"

##### Rust

```rust
// Delete a critical asset returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;

#[tokio::main]
async fn main() {
    // there is a valid "critical_asset" in the system
    let critical_asset_data_id = std::env::var("CRITICAL_ASSET_DATA_ID").unwrap();
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api
        .delete_security_monitoring_critical_asset(critical_asset_data_id.clone())
        .await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=rust), then save the example to `src/main.rs` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run

##### TypeScript

```typescript
/**
 * Delete a critical asset returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

// there is a valid "critical_asset" in the system
const CRITICAL_ASSET_DATA_ID = process.env.CRITICAL_ASSET_DATA_ID as string;

const params: v2.SecurityMonitoringApiDeleteSecurityMonitoringCriticalAssetRequest =
  {
    criticalAssetId: CRITICAL_ASSET_DATA_ID,
  };

apiInstance
  .deleteSecurityMonitoringCriticalAsset(params)
  .then((data: any) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=typescript), then save the example to `example.ts` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"
{% /tab %}

## Get critical assets affecting a specific rule{% #get-critical-assets-affecting-a-specific-rule %}

{% tab title="v2" %}

| Datadog site      | API endpoint                                                                                               |
| ----------------- | ---------------------------------------------------------------------------------------------------------- |
| ap1.datadoghq.com | GET https://api.ap1.datadoghq.com/api/v2/security_monitoring/configuration/critical_assets/rules/{rule_id} |
| ap2.datadoghq.com | GET https://api.ap2.datadoghq.com/api/v2/security_monitoring/configuration/critical_assets/rules/{rule_id} |
| app.datadoghq.eu  | GET https://api.datadoghq.eu/api/v2/security_monitoring/configuration/critical_assets/rules/{rule_id}      |
| app.ddog-gov.com  | GET https://api.ddog-gov.com/api/v2/security_monitoring/configuration/critical_assets/rules/{rule_id}      |
| app.datadoghq.com | GET https://api.datadoghq.com/api/v2/security_monitoring/configuration/critical_assets/rules/{rule_id}     |
| us3.datadoghq.com | GET https://api.us3.datadoghq.com/api/v2/security_monitoring/configuration/critical_assets/rules/{rule_id} |
| us5.datadoghq.com | GET https://api.us5.datadoghq.com/api/v2/security_monitoring/configuration/critical_assets/rules/{rule_id} |

### Overview

Get the list of critical assets that affect a specific existing rule by the rule's ID.

OAuth apps require the `security_monitoring_critical_assets_read` authorization [scope](https://docs.datadoghq.com/api/latest/scopes/#security-monitoring) to access this endpoint.



### Arguments

#### Path Parameters

| Name                      | Type   | Description         |
| ------------------------- | ------ | ------------------- |
| rule_id [*required*] | string | The ID of the rule. |

### Response

{% tab title="200" %}
OK
{% tab title="Model" %}
Response object containing the available critical assets.

| Parent field | Field              | Type     | Description                                                                                                                                                                                                                                                      |
| ------------ | ------------------ | -------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|              | data               | [object] | A list of critical assets objects.                                                                                                                                                                                                                               |
| data         | attributes         | object   | The attributes of the critical asset.                                                                                                                                                                                                                            |
| attributes   | creation_author_id | int64    | ID of user who created the critical asset.                                                                                                                                                                                                                       |
| attributes   | creation_date      | int64    | A Unix millisecond timestamp given the creation date of the critical asset.                                                                                                                                                                                      |
| attributes   | creator            | object   | A user.                                                                                                                                                                                                                                                          |
| creator      | handle             | string   | The handle of the user.                                                                                                                                                                                                                                          |
| creator      | name               | string   | The name of the user.                                                                                                                                                                                                                                            |
| attributes   | enabled            | boolean  | Whether the critical asset is enabled.                                                                                                                                                                                                                           |
| attributes   | query              | string   | The query for the critical asset. It uses the same syntax as the queries to search signals in the Signals Explorer.                                                                                                                                              |
| attributes   | rule_query         | string   | The rule query of the critical asset, with the same syntax as the search bar for detection rules. This determines which rules this critical asset will apply to.                                                                                                 |
| attributes   | severity           | enum     | Severity associated with this critical asset. Either an explicit severity can be set, or the severity can be increased or decreased, or the severity can be left unchanged (no-op). Allowed enum values: `info,low,medium,high,critical,increase,decrease,no-op` |
| attributes   | tags               | [string] | List of tags associated with the critical asset.                                                                                                                                                                                                                 |
| attributes   | update_author_id   | int64    | ID of user who updated the critical asset.                                                                                                                                                                                                                       |
| attributes   | update_date        | int64    | A Unix millisecond timestamp given the update date of the critical asset.                                                                                                                                                                                        |
| attributes   | updater            | object   | A user.                                                                                                                                                                                                                                                          |
| updater      | handle             | string   | The handle of the user.                                                                                                                                                                                                                                          |
| updater      | name               | string   | The name of the user.                                                                                                                                                                                                                                            |
| attributes   | version            | int32    | The version of the critical asset; it starts at 1, and is incremented at each update.                                                                                                                                                                            |
| data         | id                 | string   | The ID of the critical asset.                                                                                                                                                                                                                                    |
| data         | type               | enum     | The type of the resource. The value should always be `critical_assets`. Allowed enum values: `critical_assets`                                                                                                                                                   |

{% /tab %}

{% tab title="Example" %}

```json
{
  "data": [
    {
      "attributes": {
        "creation_author_id": 367742,
        "creation_date": "integer",
        "creator": {
          "handle": "john.doe@datadoghq.com",
          "name": "John Doe"
        },
        "enabled": true,
        "query": "security:monitoring",
        "rule_query": "type:log_detection source:cloudtrail",
        "severity": "increase",
        "tags": [
          "team:database",
          "source:cloudtrail"
        ],
        "update_author_id": 367743,
        "update_date": "integer",
        "updater": {
          "handle": "john.doe@datadoghq.com",
          "name": "John Doe"
        },
        "version": 2
      },
      "id": "4e2435a5-6670-4b8f-baff-46083cd1c250",
      "type": "critical_assets"
    }
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="403" %}
Not Authorized
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="404" %}
Not Found
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="429" %}
Too many requests
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}
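
The following added example (not part of Datadog's documentation or client library) shows one way to review the 200 response above: it classifies each critical asset by what its `severity` value does to matching signals and lists the enabled assets that lower severity, together with who last changed them. The sample data, the helper names, and the `REVIEW_AT_OR_BELOW` threshold are assumptions of this example.

```python
from datetime import datetime, timezone

# Explicit severity levels from the documented enum, ordered low to high.
EXPLICIT_LEVELS = ["info", "low", "medium", "high", "critical"]
# Assumption of this example: pinning signals at or below this level deserves review.
REVIEW_AT_OR_BELOW = "low"

# Constructed sample in the documented response shape; IDs, handles and queries are made up.
SAMPLE_RESPONSE = {
    "data": [
        {"id": "asset-a", "type": "critical_assets", "attributes": {
            "enabled": True, "severity": "increase", "query": "host:db-prod-*",
            "creator": {"handle": "alice@example.com"},
            "creation_date": 1700000000000, "version": 1}},
        {"id": "asset-b", "type": "critical_assets", "attributes": {
            "enabled": True, "severity": "decrease", "query": "env:staging",
            "creator": {"handle": "alice@example.com"},
            "creation_date": 1700000000000,
            "updater": {"handle": "bob@example.com"},
            "update_date": 1700086400000, "version": 3}},
        {"id": "asset-c", "type": "critical_assets", "attributes": {
            "enabled": True, "severity": "info", "query": "team:sandbox",
            "creator": {"handle": "alice@example.com"},
            "creation_date": 1700000000000, "version": 1}},
        {"id": "asset-d", "type": "critical_assets", "attributes": {
            "enabled": False, "severity": "decrease", "query": "env:dev",
            "creator": {"handle": "carol@example.com"},
            "creation_date": 1700000000000, "version": 1}},
    ]
}


def effect_of(severity):
    """Map the documented severity enum to its effect on a matching signal."""
    if severity == "increase":
        return "raises"
    if severity == "decrease":
        return "lowers"
    if severity == "no-op":
        return "unchanged"
    if severity in EXPLICIT_LEVELS:
        return "pins"
    return "unknown"


def ms_to_iso(value):
    """Convert a Unix millisecond timestamp to ISO 8601 UTC; None if absent or not numeric."""
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        return None
    return datetime.fromtimestamp(value / 1000, tz=timezone.utc).isoformat()


def summarize(response):
    """Flatten each critical asset into the fields a reviewer needs."""
    rows = []
    for item in response.get("data", []):
        attrs = item.get("attributes", {})
        # Prefer the last updater; fall back to the creator for never-updated assets.
        who = (attrs.get("updater") or attrs.get("creator") or {}).get("handle")
        when = ms_to_iso(attrs.get("update_date")) or ms_to_iso(attrs.get("creation_date"))
        rows.append({
            "id": item.get("id"),
            "enabled": bool(attrs.get("enabled")),
            "severity": attrs.get("severity"),
            "effect": effect_of(attrs.get("severity")),
            "query": attrs.get("query"),
            "changed_by": who,
            "changed_at": when,
        })
    return rows


def needs_review(row):
    """Enabled assets that lower severity, pin it low, or use an unrecognized value."""
    if not row["enabled"]:
        return False
    if row["effect"] in ("lowers", "unknown"):
        return True
    if row["effect"] == "pins":
        threshold = EXPLICIT_LEVELS.index(REVIEW_AT_OR_BELOW)
        return EXPLICIT_LEVELS.index(row["severity"]) <= threshold
    return False


def assets_to_review(response):
    return [row for row in summarize(response) if needs_review(row)]


if __name__ == "__main__":
    for row in assets_to_review(SAMPLE_RESPONSE):
        print(row["id"], row["effect"], row["severity"], row["changed_by"], row["changed_at"])
```
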

### Code Example

```shell
# Path parameters
export rule_id="CHANGE_ME"
# Curl command (replace api.datadoghq.com with the API host for your Datadog site from the endpoint table above)
curl -X GET "https://api.datadoghq.com/api/v2/security_monitoring/configuration/critical_assets/rules/${rule_id}" \
-H "Accept: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"
```

```python
"""
Get critical assets affecting a specific rule returns "OK" response
"""

from os import environ
from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi

# there is a valid "security_rule" in the system
SECURITY_RULE_ID = environ["SECURITY_RULE_ID"]

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.get_critical_assets_affecting_rule(
        rule_id=SECURITY_RULE_ID,
    )

    print(response)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=python), then save the example to `example.py` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"

```ruby
# Get critical assets affecting a specific rule returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

# there is a valid "security_rule" in the system
SECURITY_RULE_ID = ENV["SECURITY_RULE_ID"]
p api_instance.get_critical_assets_affecting_rule(SECURITY_RULE_ID)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=ruby), then save the example to `example.rb` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" ruby "example.rb"

```go
// Get critical assets affecting a specific rule returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	// there is a valid "security_rule" in the system
	SecurityRuleID := os.Getenv("SECURITY_RULE_ID")

	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.GetCriticalAssetsAffectingRule(ctx, SecurityRuleID)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.GetCriticalAssetsAffectingRule`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.GetCriticalAssetsAffectingRule`:\n%s\n", responseContent)
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=go), then save the example to `main.go` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"

```java
// Get critical assets affecting a specific rule returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityMonitoringCriticalAssetsResponse;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    // there is a valid "security_rule" in the system
    String SECURITY_RULE_ID = System.getenv("SECURITY_RULE_ID");

    try {
      SecurityMonitoringCriticalAssetsResponse result =
          apiInstance.getCriticalAssetsAffectingRule(SECURITY_RULE_ID);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#getCriticalAssetsAffectingRule");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=java), then save the example to `Example.java` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"

```rust
// Get critical assets affecting a specific rule returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;

#[tokio::main]
async fn main() {
    // there is a valid "security_rule" in the system
    let security_rule_id = std::env::var("SECURITY_RULE_ID").unwrap();
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api
        .get_critical_assets_affecting_rule(security_rule_id.clone())
        .await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=rust), then save the example to `src/main.rs` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run

```typescript
/**
 * Get critical assets affecting a specific rule returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

// there is a valid "security_rule" in the system
const SECURITY_RULE_ID = process.env.SECURITY_RULE_ID as string;

const params: v2.SecurityMonitoringApiGetCriticalAssetsAffectingRuleRequest = {
  ruleId: SECURITY_RULE_ID,
};

apiInstance
  .getCriticalAssetsAffectingRule(params)
  .then((data: v2.SecurityMonitoringCriticalAssetsResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=typescript), then save the example to `example.ts` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"
{% /tab %}

## Get content pack states{% #get-content-pack-states %}

{% tab title="v2" %}
**Note**: This endpoint is in preview and is subject to change. If you have any feedback, contact [Datadog support](https://docs.datadoghq.com/help/).

| Datadog site      | API endpoint                                                                      |
| ----------------- | --------------------------------------------------------------------------------- |
| ap1.datadoghq.com | GET https://api.ap1.datadoghq.com/api/v2/security_monitoring/content_packs/states |
| ap2.datadoghq.com | GET https://api.ap2.datadoghq.com/api/v2/security_monitoring/content_packs/states |
| app.datadoghq.eu  | GET https://api.datadoghq.eu/api/v2/security_monitoring/content_packs/states      |
| app.ddog-gov.com  | GET https://api.ddog-gov.com/api/v2/security_monitoring/content_packs/states      |
| app.datadoghq.com | GET https://api.datadoghq.com/api/v2/security_monitoring/content_packs/states     |
| us3.datadoghq.com | GET https://api.us3.datadoghq.com/api/v2/security_monitoring/content_packs/states |
| us5.datadoghq.com | GET https://api.us5.datadoghq.com/api/v2/security_monitoring/content_packs/states |

### Overview

Get the activation and configuration states for all security monitoring content packs. This endpoint returns status information about each content pack including activation state, integration status, and log collection status.

### Response

{% tab title="200" %}
OK
{% tab title="Model" %}
Response containing content pack states.

| Parent field | Field                                         | Type     | Description                                                                                                                                              |
| ------------ | --------------------------------------------- | -------- | -------------------------------------------------------------------------------------------------------------------------------------------------------- |
|              | data [*required*]                        | [object] | Array of content pack states.                                                                                                                            |
| data         | attributes [*required*]                  | object   | Attributes of a content pack state                                                                                                                       |
| attributes   | cloud_siem_index_incorrect [*required*]  | boolean  | Whether the cloud SIEM index configuration is incorrect (only applies to certain pricing models)                                                         |
| attributes   | cp_activation [*required*]               | enum     | The activation status of a content pack. Allowed enum values: `never_activated,activated,deactivated`                                                    |
| attributes   | filters_configured_for_logs [*required*] | boolean  | Whether filters (Security Filters or Index Query depending on the pricing model) are configured for logs                                                 |
| attributes   | integration_installed_status                  | enum     | The installation status of the related integration. Allowed enum values: `installed,available,partially_installed,detected,error`                        |
| attributes   | logs_last_collected [*required*]         | enum     | Timestamp bucket indicating when logs were last collected. Allowed enum values: `not_seen,within_24_hours,within_24_to_72_hours,over_72h_to_30d,over_30d` |
| attributes   | logs_seen_from_any_index [*required*]    | boolean  | Whether logs have been seen from any index                                                                                                               |
| attributes   | state [*required*]                       | enum     | The current status of a content pack. Allowed enum values: `install,activate,initializing,active,warning,broken`                                         |
| data         | id [*required*]                          | string   | The content pack identifier.                                                                                                                             |
| data         | type [*required*]                        | enum     | Type for content pack state object. Allowed enum values: `content_pack_state`                                                                            |
|              | meta [*required*]                        | object   | Metadata for content pack states                                                                                                                         |
| meta         | cloud_siem_index_incorrect [*required*]  | boolean  | Whether the cloud SIEM index configuration is incorrect at the organization level                                                                        |
| meta         | sku [*required*]                         | enum     | The SIEM pricing model (SKU) for the organization. Allowed enum values: `per_gb_analyzed,per_event_in_siem_index_2023,add_on_2024`                       |

{% /tab %}

{% tab title="Example" %}

```json
{
  "data": [
    {
      "attributes": {
        "cloud_siem_index_incorrect": false,
        "cp_activation": "activated",
        "filters_configured_for_logs": true,
        "integration_installed_status": "installed",
        "logs_last_collected": "within_24_hours",
        "logs_seen_from_any_index": true,
        "state": "active"
      },
      "id": "aws-cloudtrail",
      "type": "content_pack_state"
    }
  ],
  "meta": {
    "cloud_siem_index_incorrect": false,
    "sku": "add_on_2024"
  }
}
```

{% /tab %}

{% /tab %}

{% tab title="403" %}
Forbidden
{% tab title="Model" %}
API error response.

| Parent field | Field                    | Type     | Description                                                                     |
| ------------ | ------------------------ | -------- | ------------------------------------------------------------------------------- |
|              | errors [*required*] | [object] | A list of errors.                                                               |
| errors       | detail                   | string   | A human-readable explanation specific to this occurrence of the error.          |
| errors       | meta                     | object   | Non-standard meta-information about the error                                   |
| errors       | source                   | object   | References to the source of the error.                                          |
| source       | header                   | string   | A string indicating the name of a single request header which caused the error. |
| source       | parameter                | string   | A string indicating which URI query parameter caused the error.                 |
| source       | pointer                  | string   | A JSON pointer to the value in the request document that caused the error.      |
| errors       | status                   | string   | Status code of the response.                                                    |
| errors       | title                    | string   | Short human-readable summary of the error.                                      |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    {
      "detail": "Missing required attribute in body",
      "meta": {},
      "source": {
        "header": "Authorization",
        "parameter": "limit",
        "pointer": "/data/attributes/title"
      },
      "status": "400",
      "title": "Bad Request"
    }
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="404" %}
Not Found
{% tab title="Model" %}
API error response.

| Parent field | Field                    | Type     | Description                                                                     |
| ------------ | ------------------------ | -------- | ------------------------------------------------------------------------------- |
|              | errors [*required*] | [object] | A list of errors.                                                               |
| errors       | detail                   | string   | A human-readable explanation specific to this occurrence of the error.          |
| errors       | meta                     | object   | Non-standard meta-information about the error                                   |
| errors       | source                   | object   | References to the source of the error.                                          |
| source       | header                   | string   | A string indicating the name of a single request header which caused the error. |
| source       | parameter                | string   | A string indicating which URI query parameter caused the error.                 |
| source       | pointer                  | string   | A JSON pointer to the value in the request document that caused the error.      |
| errors       | status                   | string   | Status code of the response.                                                    |
| errors       | title                    | string   | Short human-readable summary of the error.                                      |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    {
      "detail": "Missing required attribute in body",
      "meta": {},
      "source": {
        "header": "Authorization",
        "parameter": "limit",
        "pointer": "/data/attributes/title"
      },
      "status": "400",
      "title": "Bad Request"
    }
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="429" %}
Too many requests
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}
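
The following added example (not part of Datadog's documentation or client library) turns the documented 200 response into a list of detection coverage gaps: activated content packs whose state, log freshness, filters, index configuration, or integration status mean their rules may not be seeing data. Apart from `aws-cloudtrail`, the pack IDs are constructed placeholders, and the choice of which enum values count as a gap is an assumption of this example.

```python
# Assumptions of this example: which documented enum values are treated as a gap.
UNHEALTHY_STATES = {"warning", "broken"}
STALE_BUCKETS = {"not_seen", "over_72h_to_30d", "over_30d"}  # more than 72h without logs
BAD_INTEGRATION = {"error", "partially_installed"}


def _pack(pack_id, activation, state, last_logs, seen, filters, integration=None):
    """Build one constructed content_pack_state object in the documented shape."""
    attrs = {
        "cloud_siem_index_incorrect": False,
        "cp_activation": activation,
        "filters_configured_for_logs": filters,
        "logs_last_collected": last_logs,
        "logs_seen_from_any_index": seen,
        "state": state,
    }
    if integration is not None:  # integration_installed_status is optional
        attrs["integration_installed_status"] = integration
    return {"id": pack_id, "type": "content_pack_state", "attributes": attrs}


# Constructed sample response; only the first entry mirrors the documented example.
SAMPLE_RESPONSE = {
    "data": [
        _pack("aws-cloudtrail", "activated", "active", "within_24_hours", True, True, "installed"),
        _pack("example-pack-stale", "activated", "warning", "over_30d", True, True, "installed"),
        _pack("example-pack-broken", "activated", "broken", "not_seen", False, False, "error"),
        _pack("example-pack-unused", "never_activated", "install", "not_seen", False, False),
    ],
    "meta": {"cloud_siem_index_incorrect": False, "sku": "add_on_2024"},
}


def pack_findings(attrs):
    """Return the reasons one content pack may not be producing detections."""
    findings = []
    if attrs.get("state") in UNHEALTHY_STATES:
        findings.append("state=" + attrs["state"])
    if attrs.get("logs_last_collected") in STALE_BUCKETS:
        findings.append("logs_last_collected=" + attrs["logs_last_collected"])
    if not attrs.get("logs_seen_from_any_index", False):
        findings.append("no logs seen from any index")
    if not attrs.get("filters_configured_for_logs", False):
        findings.append("log filters not configured")
    if attrs.get("cloud_siem_index_incorrect"):
        findings.append("cloud SIEM index misconfigured")
    if attrs.get("integration_installed_status") in BAD_INTEGRATION:
        findings.append("integration_installed_status=" + attrs["integration_installed_status"])
    return findings


def coverage_gaps(response):
    """Map content pack ID to findings, for activated packs only."""
    gaps = {}
    for item in response.get("data", []):
        attrs = item.get("attributes", {})
        # Packs that were never activated or were deactivated are not expected to detect anything.
        if attrs.get("cp_activation") != "activated":
            continue
        findings = pack_findings(attrs)
        if findings:
            gaps[item.get("id")] = findings
    # The meta object carries an organization-level index check.
    if response.get("meta", {}).get("cloud_siem_index_incorrect"):
        gaps["<organization>"] = ["cloud SIEM index misconfigured at the organization level"]
    return gaps


if __name__ == "__main__":
    for pack_id, findings in coverage_gaps(SAMPLE_RESPONSE).items():
        print(pack_id + ": " + "; ".join(findings))
```
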

### Code Example

```shell
# Curl command (replace api.datadoghq.com with the API host for your Datadog site from the endpoint table above)
curl -X GET "https://api.datadoghq.com/api/v2/security_monitoring/content_packs/states" \
-H "Accept: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"
```

```python
"""
Get content pack states returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi

configuration = Configuration()
configuration.unstable_operations["get_content_packs_states"] = True
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.get_content_packs_states()

    print(response)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=python), then save the example to `example.py` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" python3 "example.py"

```ruby
# Get content pack states returns "OK" response

require "datadog_api_client"
DatadogAPIClient.configure do |config|
  config.unstable_operations["v2.get_content_packs_states".to_sym] = true
end
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new
p api_instance.get_content_packs_states()
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=ruby), then save the example to `example.rb` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" ruby "example.rb"

```go
// Get content pack states returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	configuration.SetUnstableOperationEnabled("v2.GetContentPacksStates", true)
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.GetContentPacksStates(ctx)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.GetContentPacksStates`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.GetContentPacksStates`:\n%s\n", responseContent)
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=go), then save the example to `main.go` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" go run "main.go"

```java
// Get content pack states returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityMonitoringContentPackStatesResponse;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    defaultClient.setUnstableOperationEnabled("v2.getContentPacksStates", true);
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    try {
      SecurityMonitoringContentPackStatesResponse result = apiInstance.getContentPacksStates();
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println("Exception when calling SecurityMonitoringApi#getContentPacksStates");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=java), then save the example to `Example.java` and run the following command, with `DD_SITE` set to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):
    DD_SITE="datadoghq.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" java "Example.java"

```rust
// Get content pack states returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;

#[tokio::main]
async fn main() {
    let mut configuration = datadog::Configuration::new();
    configuration.set_unstable_operation_enabled("v2.GetContentPacksStates", true);
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api.get_content_packs_states().await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=rust), then save the example to `src/main.rs` and run the following command, with `DD_SITE` set to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):
    DD_SITE="datadoghq.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" cargo run

```typescript
/**
 * Get content pack states returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
configuration.unstableOperations["v2.getContentPacksStates"] = true;
const apiInstance = new v2.SecurityMonitoringApi(configuration);

apiInstance
  .getContentPacksStates()
  .then((data: v2.SecurityMonitoringContentPackStatesResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=typescript), then save the example to `example.ts` and run the following command, with `DD_SITE` set to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):
    DD_SITE="datadoghq.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" tsc "example.ts"
{% /tab %}

## Activate content pack{% #activate-content-pack %}

{% tab title="v2" %}
**Note**: This endpoint is in preview and is subject to change. If you have any feedback, contact [Datadog support](https://docs.datadoghq.com/help/).

| Datadog site      | API endpoint                                                                                          |
| ----------------- | ----------------------------------------------------------------------------------------------------- |
| ap1.datadoghq.com | PUT https://api.ap1.datadoghq.com/api/v2/security_monitoring/content_packs/{content_pack_id}/activate |
| ap2.datadoghq.com | PUT https://api.ap2.datadoghq.com/api/v2/security_monitoring/content_packs/{content_pack_id}/activate |
| app.datadoghq.eu  | PUT https://api.datadoghq.eu/api/v2/security_monitoring/content_packs/{content_pack_id}/activate      |
| app.ddog-gov.com  | PUT https://api.ddog-gov.com/api/v2/security_monitoring/content_packs/{content_pack_id}/activate      |
| app.datadoghq.com | PUT https://api.datadoghq.com/api/v2/security_monitoring/content_packs/{content_pack_id}/activate     |
| us3.datadoghq.com | PUT https://api.us3.datadoghq.com/api/v2/security_monitoring/content_packs/{content_pack_id}/activate |
| us5.datadoghq.com | PUT https://api.us5.datadoghq.com/api/v2/security_monitoring/content_packs/{content_pack_id}/activate |

### Overview

Activate a security monitoring content pack. This operation configures the necessary log filters or security filters depending on the pricing model and updates the content pack activation state.

### Arguments

#### Path Parameters

| Name                              | Type   | Description                             |
| --------------------------------- | ------ | --------------------------------------- |
| content_pack_id [*required*] | string | The ID of the content pack to activate. |

### Response

{% tab title="202" %}
Accepted
{% /tab %}

{% tab title="403" %}
Forbidden
{% tab title="Model" %}
API error response.

| Parent field | Field                    | Type     | Description                                                                     |
| ------------ | ------------------------ | -------- | ------------------------------------------------------------------------------- |
|              | errors [*required*] | [object] | A list of errors.                                                               |
| errors       | detail                   | string   | A human-readable explanation specific to this occurrence of the error.          |
| errors       | meta                     | object   | Non-standard meta-information about the error                                   |
| errors       | source                   | object   | References to the source of the error.                                          |
| source       | header                   | string   | A string indicating the name of a single request header which caused the error. |
| source       | parameter                | string   | A string indicating which URI query parameter caused the error.                 |
| source       | pointer                  | string   | A JSON pointer to the value in the request document that caused the error.      |
| errors       | status                   | string   | Status code of the response.                                                    |
| errors       | title                    | string   | Short human-readable summary of the error.                                      |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    {
      "detail": "Missing required attribute in body",
      "meta": {},
      "source": {
        "header": "Authorization",
        "parameter": "limit",
        "pointer": "/data/attributes/title"
      },
      "status": "400",
      "title": "Bad Request"
    }
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="404" %}
Not Found
{% tab title="Model" %}
API error response.

| Parent field | Field                    | Type     | Description                                                                     |
| ------------ | ------------------------ | -------- | ------------------------------------------------------------------------------- |
|              | errors [*required*] | [object] | A list of errors.                                                               |
| errors       | detail                   | string   | A human-readable explanation specific to this occurrence of the error.          |
| errors       | meta                     | object   | Non-standard meta-information about the error                                   |
| errors       | source                   | object   | References to the source of the error.                                          |
| source       | header                   | string   | A string indicating the name of a single request header which caused the error. |
| source       | parameter                | string   | A string indicating which URI query parameter caused the error.                 |
| source       | pointer                  | string   | A JSON pointer to the value in the request document that caused the error.      |
| errors       | status                   | string   | Status code of the response.                                                    |
| errors       | title                    | string   | Short human-readable summary of the error.                                      |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    {
      "detail": "Missing required attribute in body",
      "meta": {},
      "source": {
        "header": "Authorization",
        "parameter": "limit",
        "pointer": "/data/attributes/title"
      },
      "status": "400",
      "title": "Bad Request"
    }
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="429" %}
Too many requests
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

### Code Example

```bash
# Path parameters
export content_pack_id="aws-cloudtrail"
# Curl command (replace api.datadoghq.com with the API host for your Datadog site, as listed in the endpoint table above)
curl -X PUT "https://api.datadoghq.com/api/v2/security_monitoring/content_packs/${content_pack_id}/activate" \
-H "Accept: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"
```

```python
"""
Activate content pack returns "Accepted" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi

configuration = Configuration()
configuration.unstable_operations["activate_content_pack"] = True
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    api_instance.activate_content_pack(
        content_pack_id="aws-cloudtrail",
    )
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=python), then save the example to `example.py` and run the following command, with `DD_SITE` set to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):
    DD_SITE="datadoghq.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" python3 "example.py"

```ruby
# Activate content pack returns "Accepted" response

require "datadog_api_client"
DatadogAPIClient.configure do |config|
  config.unstable_operations["v2.activate_content_pack".to_sym] = true
end
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new
p api_instance.activate_content_pack("aws-cloudtrail")
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=ruby), then save the example to `example.rb` and run the following command, with `DD_SITE` set to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):
    DD_SITE="datadoghq.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" ruby "example.rb"

```go
// Activate content pack returns "Accepted" response

package main

import (
	"context"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	configuration.SetUnstableOperationEnabled("v2.ActivateContentPack", true)
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	r, err := api.ActivateContentPack(ctx, "aws-cloudtrail")

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.ActivateContentPack`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=go), then save the example to `main.go` and run the following command, with `DD_SITE` set to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):
    DD_SITE="datadoghq.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" go run "main.go"

```java
// Activate content pack returns "Accepted" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    defaultClient.setUnstableOperationEnabled("v2.activateContentPack", true);
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    try {
      apiInstance.activateContentPack("aws-cloudtrail");
    } catch (ApiException e) {
      System.err.println("Exception when calling SecurityMonitoringApi#activateContentPack");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=java), then save the example to `Example.java` and run the following command, with `DD_SITE` set to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):
    DD_SITE="datadoghq.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" java "Example.java"

```rust
// Activate content pack returns "Accepted" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;

#[tokio::main]
async fn main() {
    let mut configuration = datadog::Configuration::new();
    configuration.set_unstable_operation_enabled("v2.ActivateContentPack", true);
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api
        .activate_content_pack("aws-cloudtrail".to_string())
        .await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=rust), then save the example to `src/main.rs` and run the following command, with `DD_SITE` set to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):
    DD_SITE="datadoghq.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" cargo run

```typescript
/**
 * Activate content pack returns "Accepted" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
configuration.unstableOperations["v2.activateContentPack"] = true;
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiActivateContentPackRequest = {
  contentPackId: "aws-cloudtrail",
};

apiInstance
  .activateContentPack(params)
  .then((data: any) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=typescript), then save the example to `example.ts` and run the following command, with `DD_SITE` set to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):
    DD_SITE="datadoghq.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" tsc "example.ts"
{% /tab %}

## Deactivate content pack{% #deactivate-content-pack %}

{% tab title="v2" %}
**Note**: This endpoint is in preview and is subject to change. If you have any feedback, contact [Datadog support](https://docs.datadoghq.com/help/).

| Datadog site      | API endpoint                                                                                            |
| ----------------- | ------------------------------------------------------------------------------------------------------- |
| ap1.datadoghq.com | PUT https://api.ap1.datadoghq.com/api/v2/security_monitoring/content_packs/{content_pack_id}/deactivate |
| ap2.datadoghq.com | PUT https://api.ap2.datadoghq.com/api/v2/security_monitoring/content_packs/{content_pack_id}/deactivate |
| app.datadoghq.eu  | PUT https://api.datadoghq.eu/api/v2/security_monitoring/content_packs/{content_pack_id}/deactivate      |
| app.ddog-gov.com  | PUT https://api.ddog-gov.com/api/v2/security_monitoring/content_packs/{content_pack_id}/deactivate      |
| app.datadoghq.com | PUT https://api.datadoghq.com/api/v2/security_monitoring/content_packs/{content_pack_id}/deactivate     |
| us3.datadoghq.com | PUT https://api.us3.datadoghq.com/api/v2/security_monitoring/content_packs/{content_pack_id}/deactivate |
| us5.datadoghq.com | PUT https://api.us5.datadoghq.com/api/v2/security_monitoring/content_packs/{content_pack_id}/deactivate |

### Overview

Deactivate a security monitoring content pack. This operation removes the content pack's configuration from log filters or security filters and updates the content pack activation state.

### Arguments

#### Path Parameters

| Name                              | Type   | Description                               |
| --------------------------------- | ------ | ----------------------------------------- |
| content_pack_id [*required*] | string | The ID of the content pack to deactivate. |

### Response

{% tab title="202" %}
Accepted
{% /tab %}

{% tab title="403" %}
Forbidden
{% tab title="Model" %}
API error response.

| Parent field | Field                    | Type     | Description                                                                     |
| ------------ | ------------------------ | -------- | ------------------------------------------------------------------------------- |
|              | errors [*required*] | [object] | A list of errors.                                                               |
| errors       | detail                   | string   | A human-readable explanation specific to this occurrence of the error.          |
| errors       | meta                     | object   | Non-standard meta-information about the error                                   |
| errors       | source                   | object   | References to the source of the error.                                          |
| source       | header                   | string   | A string indicating the name of a single request header which caused the error. |
| source       | parameter                | string   | A string indicating which URI query parameter caused the error.                 |
| source       | pointer                  | string   | A JSON pointer to the value in the request document that caused the error.      |
| errors       | status                   | string   | Status code of the response.                                                    |
| errors       | title                    | string   | Short human-readable summary of the error.                                      |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    {
      "detail": "Missing required attribute in body",
      "meta": {},
      "source": {
        "header": "Authorization",
        "parameter": "limit",
        "pointer": "/data/attributes/title"
      },
      "status": "400",
      "title": "Bad Request"
    }
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="404" %}
Not Found
{% tab title="Model" %}
API error response.

| Parent field | Field                    | Type     | Description                                                                     |
| ------------ | ------------------------ | -------- | ------------------------------------------------------------------------------- |
|              | errors [*required*] | [object] | A list of errors.                                                               |
| errors       | detail                   | string   | A human-readable explanation specific to this occurrence of the error.          |
| errors       | meta                     | object   | Non-standard meta-information about the error                                   |
| errors       | source                   | object   | References to the source of the error.                                          |
| source       | header                   | string   | A string indicating the name of a single request header which caused the error. |
| source       | parameter                | string   | A string indicating which URI query parameter caused the error.                 |
| source       | pointer                  | string   | A JSON pointer to the value in the request document that caused the error.      |
| errors       | status                   | string   | Status code of the response.                                                    |
| errors       | title                    | string   | Short human-readable summary of the error.                                      |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    {
      "detail": "Missing required attribute in body",
      "meta": {},
      "source": {
        "header": "Authorization",
        "parameter": "limit",
        "pointer": "/data/attributes/title"
      },
      "status": "400",
      "title": "Bad Request"
    }
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="429" %}
Too many requests
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

### Code Example

```bash
# Path parameters
export content_pack_id="aws-cloudtrail"
# Curl command (replace api.datadoghq.com with the API host for your Datadog site, as listed in the endpoint table above)
curl -X PUT "https://api.datadoghq.com/api/v2/security_monitoring/content_packs/${content_pack_id}/deactivate" \
-H "Accept: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"
```

```python
"""
Deactivate content pack returns "Accepted" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi

configuration = Configuration()
configuration.unstable_operations["deactivate_content_pack"] = True
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    api_instance.deactivate_content_pack(
        content_pack_id="aws-cloudtrail",
    )
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=python), then save the example to `example.py` and run the following command, with `DD_SITE` set to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):
    DD_SITE="datadoghq.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" python3 "example.py"

```ruby
# Deactivate content pack returns "Accepted" response

require "datadog_api_client"
DatadogAPIClient.configure do |config|
  config.unstable_operations["v2.deactivate_content_pack".to_sym] = true
end
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new
p api_instance.deactivate_content_pack("aws-cloudtrail")
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=ruby), then save the example to `example.rb` and run the following command, with `DD_SITE` set to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):
    DD_SITE="datadoghq.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" ruby "example.rb"

```go
// Deactivate content pack returns "Accepted" response

package main

import (
	"context"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	configuration.SetUnstableOperationEnabled("v2.DeactivateContentPack", true)
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	r, err := api.DeactivateContentPack(ctx, "aws-cloudtrail")

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.DeactivateContentPack`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=go), then save the example to `main.go` and run the following command, with `DD_SITE` set to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):
    DD_SITE="datadoghq.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" go run "main.go"

```java
// Deactivate content pack returns "Accepted" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    defaultClient.setUnstableOperationEnabled("v2.deactivateContentPack", true);
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    try {
      apiInstance.deactivateContentPack("aws-cloudtrail");
    } catch (ApiException e) {
      System.err.println("Exception when calling SecurityMonitoringApi#deactivateContentPack");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=java), then save the example to `Example.java` and run the following command, with `DD_SITE` set to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):
    DD_SITE="datadoghq.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" java "Example.java"

```rust
// Deactivate content pack returns "Accepted" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;

#[tokio::main]
async fn main() {
    let mut configuration = datadog::Configuration::new();
    configuration.set_unstable_operation_enabled("v2.DeactivateContentPack", true);
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api
        .deactivate_content_pack("aws-cloudtrail".to_string())
        .await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=rust), then save the example to `src/main.rs` and run the following command, with `DD_SITE` set to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):
    DD_SITE="datadoghq.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" cargo run

```typescript
/**
 * Deactivate content pack returns "Accepted" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
configuration.unstableOperations["v2.deactivateContentPack"] = true;
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiDeactivateContentPackRequest = {
  contentPackId: "aws-cloudtrail",
};

apiInstance
  .deactivateContentPack(params)
  .then((data: any) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=typescript), then save the example to `example.ts` and run the following command, with `DD_SITE` set to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):
    DD_SITE="datadoghq.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" tsc "example.ts"
{% /tab %}
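
The activate and deactivate endpoints above return `202` on success and two different error shapes on failure (`errors` as `[object]` for 403/404, as `[string]` for 429). The following is an added example, not part of Datadog's documentation or client libraries: it builds the request URL from the endpoint tables, keeps `content_pack_id` confined to a single path segment, and normalizes both error shapes. The function names and the choice to treat only 429 as retryable are assumptions; the sample bodies are the example payloads shown on this page.

```python
import json
from urllib.parse import quote

# API hosts copied from the endpoint tables on this page, keyed by Datadog site.
API_HOSTS = {
    "ap1.datadoghq.com": "api.ap1.datadoghq.com",
    "ap2.datadoghq.com": "api.ap2.datadoghq.com",
    "app.datadoghq.eu": "api.datadoghq.eu",
    "app.ddog-gov.com": "api.ddog-gov.com",
    "app.datadoghq.com": "api.datadoghq.com",
    "us3.datadoghq.com": "api.us3.datadoghq.com",
    "us5.datadoghq.com": "api.us5.datadoghq.com",
}
ACTIONS = ("activate", "deactivate")

# The page's own example payloads for the two documented error models.
SAMPLE_OBJECT_ERRORS = json.dumps({"errors": [{
    "detail": "Missing required attribute in body",
    "meta": {},
    "source": {"header": "Authorization", "parameter": "limit",
               "pointer": "/data/attributes/title"},
    "status": "400",
    "title": "Bad Request",
}]})
SAMPLE_STRING_ERRORS = json.dumps({"errors": ["Bad Request"]})


def content_pack_url(site, content_pack_id, action):
    """Build the PUT URL for activating or deactivating a content pack."""
    if site not in API_HOSTS:
        raise ValueError(f"unknown Datadog site: {site!r}")
    if action not in ACTIONS:
        raise ValueError(f"action must be one of {ACTIONS}")
    if not content_pack_id or content_pack_id in (".", ".."):
        raise ValueError("content_pack_id must be a non-empty identifier")
    # Percent-encode everything, including "/", so an ID taken from
    # configuration or user input cannot redirect the call to another path.
    segment = quote(content_pack_id, safe="")
    return (f"https://{API_HOSTS[site]}/api/v2/security_monitoring/"
            f"content_packs/{segment}/{action}")


def normalize_errors(body):
    """Flatten both documented error shapes into a list of strings."""
    try:
        doc = json.loads(body) if body else {}
    except json.JSONDecodeError:
        return [body.strip()]  # not JSON (for example a proxy error page)
    errors = doc.get("errors", []) if isinstance(doc, dict) else []
    out = []
    for err in errors:
        if isinstance(err, str):        # 429 model: errors is [string]
            out.append(err)
        elif isinstance(err, dict):     # 403/404 model: errors is [object]
            parts = (err.get("title"), err.get("detail"))
            text = ": ".join(str(p) for p in parts if p)
            source = err.get("source")
            if not isinstance(source, dict):
                source = {}
            where = (source.get("pointer") or source.get("parameter")
                     or source.get("header"))
            out.append(f"{text} (source: {where})" if where else text)
    return out


def classify(status, body=""):
    """Map an HTTP response to (outcome, errors, retryable)."""
    if status == 202:
        # Accepted: the request was taken, not necessarily completed yet.
        return ("accepted", [], False)
    errors = normalize_errors(body)
    if status == 403:
        return ("forbidden", errors, False)
    if status == 404:
        return ("not_found", errors, False)
    if status == 429:
        return ("rate_limited", errors, True)  # assumption: retry after a pause
    return ("unexpected", errors, False)


if __name__ == "__main__":
    print(content_pack_url("app.datadoghq.com", "aws-cloudtrail", "activate"))
    print(classify(202))
    print(classify(404, SAMPLE_OBJECT_ERRORS))
    print(classify(429, SAMPLE_STRING_ERRORS))
```
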

## List rules{% #list-rules %}

{% tab title="v2" %}

| Datadog site      | API endpoint                                                       |
| ----------------- | ------------------------------------------------------------------ |
| ap1.datadoghq.com | GET https://api.ap1.datadoghq.com/api/v2/security_monitoring/rules |
| ap2.datadoghq.com | GET https://api.ap2.datadoghq.com/api/v2/security_monitoring/rules |
| app.datadoghq.eu  | GET https://api.datadoghq.eu/api/v2/security_monitoring/rules      |
| app.ddog-gov.com  | GET https://api.ddog-gov.com/api/v2/security_monitoring/rules      |
| app.datadoghq.com | GET https://api.datadoghq.com/api/v2/security_monitoring/rules     |
| us3.datadoghq.com | GET https://api.us3.datadoghq.com/api/v2/security_monitoring/rules |
| us5.datadoghq.com | GET https://api.us5.datadoghq.com/api/v2/security_monitoring/rules |

### Overview

List rules. This endpoint requires the `security_monitoring_rules_read` permission.

OAuth apps require the `security_monitoring_rules_read` authorization [scope](https://docs.datadoghq.com/api/latest/scopes/#security-monitoring) to access this endpoint.



### Arguments

#### Query Strings

| Name         | Type    | Description                                                                                                                                                                                                     |
| ------------ | ------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| page[size]   | integer | Size for a given page. The maximum allowed value is 100.                                                                                                                                                        |
| page[number] | integer | Specific page number to return.                                                                                                                                                                                 |
| query        | string  | A search query to filter security rules. You can filter by attributes such as `type`, `source`, `tags`.                                                                                                         |
| sort         | enum    | Attribute used to sort rules. Prefix with `-` to sort in descending order. Allowed enum values: `name, creation_date, update_date, enabled, type, highest_severity, source, -name, -creation_date, -update_date` |

### Response

{% tab title="200" %}
OK
{% tab title="Model" %}
List of rules.

| Parent field             | Field                           | Type            | Description                                                                                                                                                                                                                                                                                                                                                                                                      |
| ------------------------ | ------------------------------- | --------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|                          | data                            | [ <oneOf>] | Array containing the list of rules.                                                                                                                                                                                                                                                                                                                                                                              |
| data                     | Option 1                        | object          | Rule.                                                                                                                                                                                                                                                                                                                                                                                                            |
| Option 1                 | calculatedFields                | [object]        | Calculated fields. Only allowed for scheduled rules - in other words, when schedulingOptions is also defined.                                                                                                                                                                                                                                                                                                    |
| calculatedFields         | expression [*required*]    | string          | Expression.                                                                                                                                                                                                                                                                                                                                                                                                      |
| calculatedFields         | name [*required*]          | string          | Field name.                                                                                                                                                                                                                                                                                                                                                                                                      |
| Option 1                 | cases                           | [object]        | Cases for generating signals.                                                                                                                                                                                                                                                                                                                                                                                    |
| cases                    | actions                         | [object]        | Action to perform for each rule case.                                                                                                                                                                                                                                                                                                                                                                            |
| actions                  | options                         | object          | Options for the rule action                                                                                                                                                                                                                                                                                                                                                                                      |
| options                  | duration                        | int64           | Duration of the action in seconds. 0 indicates no expiration.                                                                                                                                                                                                                                                                                                                                                    |
| options                  | flaggedIPType                   | enum            | Used with the case action of type 'flag_ip'. The value specified in this field is applied as a flag to the IP addresses. Allowed enum values: `SUSPICIOUS,FLAGGED`                                                                                                                                                                                                                                               |
| options                  | userBehaviorName                | string          | Used with the case action of type 'user_behavior'. The value specified in this field is applied as a risk tag to all users affected by the rule.                                                                                                                                                                                                                                                                 |
| actions                  | type                            | enum            | The action type. Allowed enum values: `block_ip,block_user,user_behavior,flag_ip`                                                                                                                                                                                                                                                                                                                                |
| cases                    | condition                       | string          | A rule case contains logical operations (`>`,`>=`, `&&`, `||`) to determine if a signal should be generated based on the event counts in the previously defined queries.                                                                                                                                                                                                                                         |
| cases                    | customStatus                    | enum            | Severity of the Security Signal. Allowed enum values: `info,low,medium,high,critical`                                                                                                                                                                                                                                                                                                                            |
| cases                    | name                            | string          | Name of the case.                                                                                                                                                                                                                                                                                                                                                                                                |
| cases                    | notifications                   | [string]        | Notification targets for each rule case.                                                                                                                                                                                                                                                                                                                                                                         |
| cases                    | status                          | enum            | Severity of the Security Signal. Allowed enum values: `info,low,medium,high,critical`                                                                                                                                                                                                                                                                                                                            |
| Option 1                 | complianceSignalOptions         | object          | How to generate compliance signals. Useful for cloud_configuration rules only.                                                                                                                                                                                                                                                                                                                                   |
| complianceSignalOptions  | defaultActivationStatus         | boolean         | The default activation status.                                                                                                                                                                                                                                                                                                                                                                                   |
| complianceSignalOptions  | defaultGroupByFields            | [string]        | The default group by fields.                                                                                                                                                                                                                                                                                                                                                                                     |
| complianceSignalOptions  | userActivationStatus            | boolean         | Whether signals will be sent.                                                                                                                                                                                                                                                                                                                                                                                    |
| complianceSignalOptions  | userGroupByFields               | [string]        | Fields to use to group findings by when sending signals.                                                                                                                                                                                                                                                                                                                                                         |
| Option 1                 | createdAt                       | int64           | When the rule was created, timestamp in milliseconds.                                                                                                                                                                                                                                                                                                                                                            |
| Option 1                 | creationAuthorId                | int64           | User ID of the user who created the rule.                                                                                                                                                                                                                                                                                                                                                                        |
| Option 1                 | customMessage                   | string          | Custom/Overridden message for generated signals (used in case of Default rule update).                                                                                                                                                                                                                                                                                                                           |
| Option 1                 | customName                      | string          | Custom/Overridden name of the rule (used in case of Default rule update).                                                                                                                                                                                                                                                                                                                                        |
| Option 1                 | defaultTags                     | [string]        | Default Tags for default rules (included in tags)                                                                                                                                                                                                                                                                                                                                                                |
| Option 1                 | deprecationDate                 | int64           | When the rule will be deprecated, timestamp in milliseconds.                                                                                                                                                                                                                                                                                                                                                     |
| Option 1                 | filters                         | [object]        | Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules.                                                                                                                                                                                                                                              |
| filters                  | action                          | enum            | The type of filtering action. Allowed enum values: `require,suppress`                                                                                                                                                                                                                                                                                                                                            |
| filters                  | query                           | string          | Query for selecting logs to apply the filtering action.                                                                                                                                                                                                                                                                                                                                                          |
| Option 1                 | groupSignalsBy                  | [string]        | Additional grouping to perform on top of the existing groups in the query section. Must be a subset of the existing groups.                                                                                                                                                                                                                                                                                      |
| Option 1                 | hasExtendedTitle                | boolean         | Whether the notifications include the triggering group-by values in their title.                                                                                                                                                                                                                                                                                                                                 |
| Option 1                 | id                              | string          | The ID of the rule.                                                                                                                                                                                                                                                                                                                                                                                              |
| Option 1                 | isDefault                       | boolean         | Whether the rule is included by default.                                                                                                                                                                                                                                                                                                                                                                         |
| Option 1                 | isDeleted                       | boolean         | Whether the rule has been deleted.                                                                                                                                                                                                                                                                                                                                                                               |
| Option 1                 | isEnabled                       | boolean         | Whether the rule is enabled.                                                                                                                                                                                                                                                                                                                                                                                     |
| Option 1                 | message                         | string          | Message for generated signals.                                                                                                                                                                                                                                                                                                                                                                                   |
| Option 1                 | name                            | string          | The name of the rule.                                                                                                                                                                                                                                                                                                                                                                                            |
| Option 1                 | options                         | object          | Options.                                                                                                                                                                                                                                                                                                                                                                                                         |
| options                  | anomalyDetectionOptions         | object          | Options on anomaly detection method.                                                                                                                                                                                                                                                                                                                                                                             |
| anomalyDetectionOptions  | bucketDuration                  | enum            | Duration in seconds of the time buckets used to aggregate events matched by the rule. Must be greater than or equal to 300. Allowed enum values: `300,600,900,1800,3600,10800`                                                                                                                                                                                                                                   |
| anomalyDetectionOptions  | detectionTolerance              | enum            | An optional parameter that sets how permissive anomaly detection is. Higher values require higher deviations before triggering a signal. Allowed enum values: `1,2,3,4,5`                                                                                                                                                                                                                                        |
| anomalyDetectionOptions  | instantaneousBaseline           | boolean         | When set to true, Datadog uses previous values that fall within the defined learning window to construct the baseline, enabling the system to establish an accurate baseline more rapidly rather than relying solely on gradual learning over time.                                                                                                                                                              |
| anomalyDetectionOptions  | learningDuration                | enum            | Learning duration in hours. Anomaly detection waits for at least this amount of historical data before it starts evaluating. Allowed enum values: `1,6,12,24,48,168,336`                                                                                                                                                                                                                                         |
| anomalyDetectionOptions  | learningPeriodBaseline          | int64           | An optional override baseline to apply while the rule is in the learning period. Must be greater than or equal to 0.                                                                                                                                                                                                                                                                                             |
| options                  | complianceRuleOptions           | object          | Options for cloud_configuration rules. Fields `resourceType` and `regoRule` are mandatory when managing custom `cloud_configuration` rules.                                                                                                                                                                                                                                                                      |
| complianceRuleOptions    | complexRule                     | boolean         | Whether the rule is a complex one. Must be set to true if `regoRule.resourceTypes` contains more than one item. Defaults to false.                                                                                                                                                                                                                                                                               |
| complianceRuleOptions    | regoRule                        | object          | Rule details.                                                                                                                                                                                                                                                                                                                                                                                                    |
| regoRule                 | policy [*required*]        | string          | The policy written in `rego`, see: [https://www.openpolicyagent.org/docs/latest/policy-language/](https://www.openpolicyagent.org/docs/latest/policy-language/)                                                                                                                                                                                                                                                  |
| regoRule                 | resourceTypes [*required*] | [string]        | List of resource types that will be evaluated upon. Must have at least one element.                                                                                                                                                                                                                                                                                                                              |
| complianceRuleOptions    | resourceType                    | string          | Main resource type to be checked by the rule. It should be specified again in `regoRule.resourceTypes`.                                                                                                                                                                                                                                                                                                          |
| options                  | decreaseCriticalityBasedOnEnv   | boolean         | If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise. The severity is decreased by one level: `CRITICAL` in production becomes `HIGH` in non-production, `HIGH` becomes `MEDIUM` and so on. `INFO` remains `INFO`. The decrement is applied when the environment tag of the signal starts with `staging`, `test` or `dev`. |
| options                  | detectionMethod                 | enum            | The detection method. Allowed enum values: `threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold,sequence_detection`                                                                                                                                                                                                                                                  |
| options                  | evaluationWindow                | enum            | A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600`                                                                                                                                               |
| options                  | hardcodedEvaluatorType          | enum            | Hardcoded evaluator type. Allowed enum values: `log4shell`                                                                                                                                                                                                                                                                                                                                                       |
| options                  | impossibleTravelOptions         | object          | Options on impossible travel detection method.                                                                                                                                                                                                                                                                                                                                                                   |
| impossibleTravelOptions  | baselineUserLocations           | boolean         | If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.                                                                                                                                                                                                    |
| options                  | keepAlive                       | enum            | Once a signal is generated, the signal will remain "open" if a case is matched at least once within this keep alive window. For third party detection method, this field is not used. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600`                                                                                                                                                         |
| options                  | maxSignalDuration               | enum            | A signal will "close" regardless of the query being matched once the time exceeds the maximum duration. This time is calculated from the first seen timestamp. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600`                                                                                                                                                                                |
| options                  | newValueOptions                 | object          | Options on new value detection method.                                                                                                                                                                                                                                                                                                                                                                           |
| newValueOptions          | forgetAfter                     | enum            | The duration in days after which a learned value is forgotten. Allowed enum values: `1,2,7,14,21,28`                                                                                                                                                                                                                                                                                                             |
| newValueOptions          | instantaneousBaseline           | boolean         | When set to true, Datadog uses previous values that fall within the defined learning window to construct the baseline, enabling the system to establish an accurate baseline more rapidly rather than relying solely on gradual learning over time.                                                                                                                                                              |
| newValueOptions          | learningDuration                | enum            | The duration in days during which values are learned, and after which signals will be generated for values that weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned. Allowed enum values: `0,1,7`                                                                                                                                                       |
| newValueOptions          | learningMethod                  | enum            | The learning method used to determine when signals should be generated for values that weren't learned. Allowed enum values: `duration,threshold`                                                                                                                                                                                                                                                                |
| newValueOptions          | learningThreshold               | enum            | A number of occurrences after which signals will be generated for values that weren't learned. Allowed enum values: `0,1`                                                                                                                                                                                                                                                                                        |
| options                  | sequenceDetectionOptions        | object          | Options on sequence detection method.                                                                                                                                                                                                                                                                                                                                                                            |
| sequenceDetectionOptions | stepTransitions                 | [object]        | Transitions defining the allowed order of steps and their evaluation windows.                                                                                                                                                                                                                                                                                                                                    |
| stepTransitions          | child                           | string          | Name of the child step.                                                                                                                                                                                                                                                                                                                                                                                          |
| stepTransitions          | evaluationWindow                | enum            | A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600`                                                                                                                                               |
| stepTransitions          | parent                          | string          | Name of the parent step.                                                                                                                                                                                                                                                                                                                                                                                         |
| sequenceDetectionOptions | steps                           | [object]        | Steps that define the conditions to be matched in sequence.                                                                                                                                                                                                                                                                                                                                                      |
| steps                    | condition                       | string          | Condition referencing rule queries (e.g., `a > 0`).                                                                                                                                                                                                                                                                                                                                                              |
| steps                    | evaluationWindow                | enum            | A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600`                                                                                                                                               |
| steps                    | name                            | string          | Unique name identifying the step.                                                                                                                                                                                                                                                                                                                                                                                |
| options                  | thirdPartyRuleOptions           | object          | Options on third party detection method.                                                                                                                                                                                                                                                                                                                                                                         |
| thirdPartyRuleOptions    | defaultNotifications            | [string]        | Notification targets for the logs that do not correspond to any of the cases.                                                                                                                                                                                                                                                                                                                                    |
| thirdPartyRuleOptions    | defaultStatus                   | enum            | Severity of the Security Signal. Allowed enum values: `info,low,medium,high,critical`                                                                                                                                                                                                                                                                                                                            |
| thirdPartyRuleOptions    | rootQueries                     | [object]        | Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.                                                                                                                                                                                                                                                      |
| rootQueries              | groupByFields                   | [string]        | Fields to group by.                                                                                                                                                                                                                                                                                                                                                                                              |
| rootQueries              | query                           | string          | Query to run on logs.                                                                                                                                                                                                                                                                                                                                                                                            |
| thirdPartyRuleOptions    | signalTitleTemplate             | string          | A template for the signal title; if omitted, the title is generated based on the case name.                                                                                                                                                                                                                                                                                                                      |
| Option 1                 | queries                         | [object]        | Queries for selecting logs which are part of the rule.                                                                                                                                                                                                                                                                                                                                                           |
| queries                  | aggregation                     | enum            | The aggregation type. Allowed enum values: `count,cardinality,sum,max,new_value,geo_data,event_count,none`                                                                                                                                                                                                                                                                                                       |
| queries                  | customQueryExtension            | string          | Query extension to append to the logs query.                                                                                                                                                                                                                                                                                                                                                                     |
| queries                  | dataSource                      | enum            | Source of events, either logs, audit trail, or Datadog events. `app_sec_spans` is deprecated in favor of `spans`. Allowed enum values: `logs,audit,app_sec_spans,spans,security_runtime,network,events`                                                                                                                                                                                                          |
| queries                  | distinctFields                  | [string]        | Field for which the cardinality is measured. Sent as an array.                                                                                                                                                                                                                                                                                                                                                   |
| queries                  | groupByFields                   | [string]        | Fields to group by.                                                                                                                                                                                                                                                                                                                                                                                              |
| queries                  | hasOptionalGroupByFields        | boolean         | When false, events without a group-by value are ignored by the rule. When true, events with missing group-by fields are processed with `N/A`, replacing the missing values.                                                                                                                                                                                                                                      |
| queries                  | index                           | string          | **This field is currently unstable and might be removed in a minor version upgrade.** The index to run the query on, if the `dataSource` is `logs`. Only used for scheduled rules - in other words, when the `schedulingOptions` field is present in the rule payload.                                                                                                                                           |
| queries                  | indexes                         | [string]        | List of indexes to query when the `dataSource` is `logs`. Only used for scheduled rules, such as when the `schedulingOptions` field is present in the rule payload.                                                                                                                                                                                                                                              |
| queries                  | metric                          | string          | **DEPRECATED**: (Deprecated) The target field to aggregate over when using the sum or max aggregations. `metrics` field should be used instead.                                                                                                                                                                                                                                                                  |
| queries                  | metrics                         | [string]        | Group of target fields to aggregate over when using the sum, max, geo data, or new value aggregations. The sum, max, and geo data aggregations only accept one value in this list, whereas the new value aggregation accepts up to five values.                                                                                                                                                                  |
| queries                  | name                            | string          | Name of the query.                                                                                                                                                                                                                                                                                                                                                                                               |
| queries                  | query                           | string          | Query to run on logs.                                                                                                                                                                                                                                                                                                                                                                                            |
| Option 1                 | referenceTables                 | [object]        | Reference tables for the rule.                                                                                                                                                                                                                                                                                                                                                                                   |
| referenceTables          | checkPresence                   | boolean         | Whether to include or exclude the matched values.                                                                                                                                                                                                                                                                                                                                                                |
| referenceTables          | columnName                      | string          | The name of the column in the reference table.                                                                                                                                                                                                                                                                                                                                                                   |
| referenceTables          | logFieldPath                    | string          | The field in the log to match against the reference table.                                                                                                                                                                                                                                                                                                                                                       |
| referenceTables          | ruleQueryName                   | string          | The name of the query to apply the reference table to.                                                                                                                                                                                                                                                                                                                                                           |
| referenceTables          | tableName                       | string          | The name of the reference table.                                                                                                                                                                                                                                                                                                                                                                                 |
| Option 1                 | schedulingOptions               | object          | Options for scheduled rules. When this field is present, the rule runs based on the schedule. When absent, it runs real-time on ingested logs.                                                                                                                                                                                                                                                                   |
| schedulingOptions        | rrule                           | string          | Schedule for the rule queries, written in RRULE syntax. See [RFC](https://icalendar.org/iCalendar-RFC-5545/3-8-5-3-recurrence-rule.html) for syntax reference.                                                                                                                                                                                                                                                   |
| schedulingOptions        | start                           | string          | Start date for the schedule, in ISO 8601 format without timezone.                                                                                                                                                                                                                                                                                                                                                |
| schedulingOptions        | timezone                        | string          | Time zone of the start date, in the [tz database](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones) format.                                                                                                                                                                                                                                                                                          |
| Option 1                 | tags                            | [string]        | Tags for generated signals.                                                                                                                                                                                                                                                                                                                                                                                      |
| Option 1                 | thirdPartyCases                 | [object]        | Cases for generating signals from third-party rules. Only available for third-party rules.                                                                                                                                                                                                                                                                                                                       |
| thirdPartyCases          | customStatus                    | enum            | Severity of the Security Signal. Allowed enum values: `info,low,medium,high,critical`                                                                                                                                                                                                                                                                                                                            |
| thirdPartyCases          | name                            | string          | Name of the case.                                                                                                                                                                                                                                                                                                                                                                                                |
| thirdPartyCases          | notifications                   | [string]        | Notification targets for each rule case.                                                                                                                                                                                                                                                                                                                                                                         |
| thirdPartyCases          | query                           | string          | A query to map a third party event to this case.                                                                                                                                                                                                                                                                                                                                                                 |
| thirdPartyCases          | status                          | enum            | Severity of the Security Signal. Allowed enum values: `info,low,medium,high,critical`                                                                                                                                                                                                                                                                                                                            |
| Option 1                 | type                            | enum            | The rule type. Allowed enum values: `log_detection,infrastructure_configuration,workload_security,cloud_configuration,application_security,api_security,workload_activity`                                                                                                                                                                                                                                       |
| Option 1                 | updateAuthorId                  | int64           | User ID of the user who updated the rule.                                                                                                                                                                                                                                                                                                                                                                        |
| Option 1                 | updatedAt                       | int64           | The date the rule was last updated, in milliseconds.                                                                                                                                                                                                                                                                                                                                                             |
| Option 1                 | version                         | int64           | The version of the rule.                                                                                                                                                                                                                                                                                                                                                                                         |
| data                     | Option 2                        | object          | Rule.                                                                                                                                                                                                                                                                                                                                                                                                            |
| Option 2                 | cases                           | [object]        | Cases for generating signals.                                                                                                                                                                                                                                                                                                                                                                                    |
| cases                    | actions                         | [object]        | Action to perform for each rule case.                                                                                                                                                                                                                                                                                                                                                                            |
| actions                  | options                         | object          | Options for the rule action                                                                                                                                                                                                                                                                                                                                                                                      |
| options                  | duration                        | int64           | Duration of the action in seconds. 0 indicates no expiration.                                                                                                                                                                                                                                                                                                                                                    |
| options                  | flaggedIPType                   | enum            | Used with the case action of type 'flag_ip'. The value specified in this field is applied as a flag to the IP addresses. Allowed enum values: `SUSPICIOUS,FLAGGED`                                                                                                                                                                                                                                               |
| options                  | userBehaviorName                | string          | Used with the case action of type 'user_behavior'. The value specified in this field is applied as a risk tag to all users affected by the rule.                                                                                                                                                                                                                                                                 |
| actions                  | type                            | enum            | The action type. Allowed enum values: `block_ip,block_user,user_behavior,flag_ip`                                                                                                                                                                                                                                                                                                                                |
| cases                    | condition                       | string          | A rule case contains logical operations (`>`,`>=`, `&&`, `||`) to determine if a signal should be generated based on the event counts in the previously defined queries.                                                                                                                                                                                                                                         |
| cases                    | customStatus                    | enum            | Severity of the Security Signal. Allowed enum values: `info,low,medium,high,critical`                                                                                                                                                                                                                                                                                                                            |
| cases                    | name                            | string          | Name of the case.                                                                                                                                                                                                                                                                                                                                                                                                |
| cases                    | notifications                   | [string]        | Notification targets for each rule case.                                                                                                                                                                                                                                                                                                                                                                         |
| cases                    | status                          | enum            | Severity of the Security Signal. Allowed enum values: `info,low,medium,high,critical`                                                                                                                                                                                                                                                                                                                            |
| Option 2                 | createdAt                       | int64           | When the rule was created, timestamp in milliseconds.                                                                                                                                                                                                                                                                                                                                                            |
| Option 2                 | creationAuthorId                | int64           | User ID of the user who created the rule.                                                                                                                                                                                                                                                                                                                                                                        |
| Option 2                 | customMessage                   | string          | Custom/Overridden message for generated signals (used in case of Default rule update).                                                                                                                                                                                                                                                                                                                           |
| Option 2                 | customName                      | string          | Custom/Overridden name of the rule (used in case of Default rule update).                                                                                                                                                                                                                                                                                                                                        |
| Option 2                 | deprecationDate                 | int64           | When the rule will be deprecated, timestamp in milliseconds.                                                                                                                                                                                                                                                                                                                                                     |
| Option 2                 | filters                         | [object]        | Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules.                                                                                                                                                                                                                                              |
| filters                  | action                          | enum            | The type of filtering action. Allowed enum values: `require,suppress`                                                                                                                                                                                                                                                                                                                                            |
| filters                  | query                           | string          | Query for selecting logs to apply the filtering action.                                                                                                                                                                                                                                                                                                                                                          |
| Option 2                 | hasExtendedTitle                | boolean         | Whether the notifications include the triggering group-by values in their title.                                                                                                                                                                                                                                                                                                                                 |
| Option 2                 | id                              | string          | The ID of the rule.                                                                                                                                                                                                                                                                                                                                                                                              |
| Option 2                 | isDefault                       | boolean         | Whether the rule is included by default.                                                                                                                                                                                                                                                                                                                                                                         |
| Option 2                 | isDeleted                       | boolean         | Whether the rule has been deleted.                                                                                                                                                                                                                                                                                                                                                                               |
| Option 2                 | isEnabled                       | boolean         | Whether the rule is enabled.                                                                                                                                                                                                                                                                                                                                                                                     |
| Option 2                 | message                         | string          | Message for generated signals.                                                                                                                                                                                                                                                                                                                                                                                   |
| Option 2                 | name                            | string          | The name of the rule.                                                                                                                                                                                                                                                                                                                                                                                            |
| Option 2                 | options                         | object          | Options.                                                                                                                                                                                                                                                                                                                                                                                                         |
| options                  | anomalyDetectionOptions         | object          | Options on anomaly detection method.                                                                                                                                                                                                                                                                                                                                                                             |
| anomalyDetectionOptions  | bucketDuration                  | enum            | Duration in seconds of the time buckets used to aggregate events matched by the rule. Must be greater than or equal to 300. Allowed enum values: `300,600,900,1800,3600,10800`                                                                                                                                                                                                                                   |
| anomalyDetectionOptions  | detectionTolerance              | enum            | An optional parameter that sets how permissive anomaly detection is. Higher values require higher deviations before triggering a signal. Allowed enum values: `1,2,3,4,5`                                                                                                                                                                                                                                        |
| anomalyDetectionOptions  | instantaneousBaseline           | boolean         | When set to true, Datadog uses previous values that fall within the defined learning window to construct the baseline, enabling the system to establish an accurate baseline more rapidly rather than relying solely on gradual learning over time.                                                                                                                                                              |
| anomalyDetectionOptions  | learningDuration                | enum            | Learning duration in hours. Anomaly detection waits for at least this amount of historical data before it starts evaluating. Allowed enum values: `1,6,12,24,48,168,336`                                                                                                                                                                                                                                         |
| anomalyDetectionOptions  | learningPeriodBaseline          | int64           | An optional override baseline to apply while the rule is in the learning period. Must be greater than or equal to 0.                                                                                                                                                                                                                                                                                             |
| options                  | complianceRuleOptions           | object          | Options for cloud_configuration rules. Fields `resourceType` and `regoRule` are mandatory when managing custom `cloud_configuration` rules.                                                                                                                                                                                                                                                                      |
| complianceRuleOptions    | complexRule                     | boolean         | Whether the rule is a complex one. Must be set to true if `regoRule.resourceTypes` contains more than one item. Defaults to false.                                                                                                                                                                                                                                                                               |
| complianceRuleOptions    | regoRule                        | object          | Rule details.                                                                                                                                                                                                                                                                                                                                                                                                    |
| regoRule                 | policy [*required*]        | string          | The policy written in `rego`, see: [https://www.openpolicyagent.org/docs/latest/policy-language/](https://www.openpolicyagent.org/docs/latest/policy-language/)                                                                                                                                                                                                                                                  |
| regoRule                 | resourceTypes [*required*] | [string]        | List of resource types that will be evaluated upon. Must have at least one element.                                                                                                                                                                                                                                                                                                                              |
| complianceRuleOptions    | resourceType                    | string          | Main resource type to be checked by the rule. It should be specified again in `regoRule.resourceTypes`.                                                                                                                                                                                                                                                                                                          |
| options                  | decreaseCriticalityBasedOnEnv   | boolean         | If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise. The severity is decreased by one level: `CRITICAL` in production becomes `HIGH` in non-production, `HIGH` becomes `MEDIUM` and so on. `INFO` remains `INFO`. The decrement is applied when the environment tag of the signal starts with `staging`, `test` or `dev`. |
| options                  | detectionMethod                 | enum            | The detection method. Allowed enum values: `threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold,sequence_detection`                                                                                                                                                                                                                                                  |
| options                  | evaluationWindow                | enum            | A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600`                                                                                                                                               |
| options                  | hardcodedEvaluatorType          | enum            | Hardcoded evaluator type. Allowed enum values: `log4shell`                                                                                                                                                                                                                                                                                                                                                       |
| options                  | impossibleTravelOptions         | object          | Options on impossible travel detection method.                                                                                                                                                                                                                                                                                                                                                                   |
| impossibleTravelOptions  | baselineUserLocations           | boolean         | If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.                                                                                                                                                                                                    |
| options                  | keepAlive                       | enum            | Once a signal is generated, the signal will remain "open" if a case is matched at least once within this keep alive window. For third party detection method, this field is not used. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600`                                                                                                                                                         |
| options                  | maxSignalDuration               | enum            | A signal will "close" regardless of the query being matched once the time exceeds the maximum duration. This time is calculated from the first seen timestamp. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600`                                                                                                                                                                                |
| options                  | newValueOptions                 | object          | Options on new value detection method.                                                                                                                                                                                                                                                                                                                                                                           |
| newValueOptions          | forgetAfter                     | enum            | The duration in days after which a learned value is forgotten. Allowed enum values: `1,2,7,14,21,28`                                                                                                                                                                                                                                                                                                             |
| newValueOptions          | instantaneousBaseline           | boolean         | When set to true, Datadog uses previous values that fall within the defined learning window to construct the baseline, enabling the system to establish an accurate baseline more rapidly rather than relying solely on gradual learning over time.                                                                                                                                                              |
| newValueOptions          | learningDuration                | enum            | The duration in days during which values are learned, and after which signals will be generated for values that weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned. Allowed enum values: `0,1,7`                                                                                                                                                       |
| newValueOptions          | learningMethod                  | enum            | The learning method used to determine when signals should be generated for values that weren't learned. Allowed enum values: `duration,threshold`                                                                                                                                                                                                                                                                |
| newValueOptions          | learningThreshold               | enum            | A number of occurrences after which signals will be generated for values that weren't learned. Allowed enum values: `0,1`                                                                                                                                                                                                                                                                                        |
| options                  | sequenceDetectionOptions        | object          | Options on sequence detection method.                                                                                                                                                                                                                                                                                                                                                                            |
| sequenceDetectionOptions | stepTransitions                 | [object]        | Transitions defining the allowed order of steps and their evaluation windows.                                                                                                                                                                                                                                                                                                                                    |
| stepTransitions          | child                           | string          | Name of the child step.                                                                                                                                                                                                                                                                                                                                                                                          |
| stepTransitions          | evaluationWindow                | enum            | A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600`                                                                                                                                               |
| stepTransitions          | parent                          | string          | Name of the parent step.                                                                                                                                                                                                                                                                                                                                                                                         |
| sequenceDetectionOptions | steps                           | [object]        | Steps that define the conditions to be matched in sequence.                                                                                                                                                                                                                                                                                                                                                      |
| steps                    | condition                       | string          | Condition referencing rule queries (e.g., `a > 0`).                                                                                                                                                                                                                                                                                                                                                              |
| steps                    | evaluationWindow                | enum            | A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600`                                                                                                                                               |
| steps                    | name                            | string          | Unique name identifying the step.                                                                                                                                                                                                                                                                                                                                                                                |
| options                  | thirdPartyRuleOptions           | object          | Options on third party detection method.                                                                                                                                                                                                                                                                                                                                                                         |
| thirdPartyRuleOptions    | defaultNotifications            | [string]        | Notification targets for the logs that do not correspond to any of the cases.                                                                                                                                                                                                                                                                                                                                    |
| thirdPartyRuleOptions    | defaultStatus                   | enum            | Severity of the Security Signal. Allowed enum values: `info,low,medium,high,critical`                                                                                                                                                                                                                                                                                                                            |
| thirdPartyRuleOptions    | rootQueries                     | [object]        | Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.                                                                                                                                                                                                                                                      |
| rootQueries              | groupByFields                   | [string]        | Fields to group by.                                                                                                                                                                                                                                                                                                                                                                                              |
| rootQueries              | query                           | string          | Query to run on logs.                                                                                                                                                                                                                                                                                                                                                                                            |
| thirdPartyRuleOptions    | signalTitleTemplate             | string          | A template for the signal title; if omitted, the title is generated based on the case name.                                                                                                                                                                                                                                                                                                                      |
| Option 2                 | queries                         | [object]        | Queries for selecting logs which are part of the rule.                                                                                                                                                                                                                                                                                                                                                           |
| queries                  | aggregation                     | enum            | The aggregation type. Allowed enum values: `count,cardinality,sum,max,new_value,geo_data,event_count,none`                                                                                                                                                                                                                                                                                                       |
| queries                  | correlatedByFields              | [string]        | Fields to correlate by.                                                                                                                                                                                                                                                                                                                                                                                          |
| queries                  | correlatedQueryIndex            | int32           | Index of the rule query used to retrieve the correlated field.                                                                                                                                                                                                                                                                                                                                                   |
| queries                  | defaultRuleId                   | string          | Default Rule ID to match on signals.                                                                                                                                                                                                                                                                                                                                                                             |
| queries                  | distinctFields                  | [string]        | Field for which the cardinality is measured. Sent as an array.                                                                                                                                                                                                                                                                                                                                                   |
| queries                  | groupByFields                   | [string]        | Fields to group by.                                                                                                                                                                                                                                                                                                                                                                                              |
| queries                  | metrics                         | [string]        | Group of target fields to aggregate over.                                                                                                                                                                                                                                                                                                                                                                        |
| queries                  | name                            | string          | Name of the query.                                                                                                                                                                                                                                                                                                                                                                                               |
| queries                  | ruleId                          | string          | Rule ID to match on signals.                                                                                                                                                                                                                                                                                                                                                                                     |
| Option 2                 | tags                            | [string]        | Tags for generated signals.                                                                                                                                                                                                                                                                                                                                                                                      |
| Option 2                 | type                            | enum            | The rule type. Allowed enum values: `signal_correlation`                                                                                                                                                                                                                                                                                                                                                         |
| Option 2                 | updateAuthorId                  | int64           | User ID of the user who updated the rule.                                                                                                                                                                                                                                                                                                                                                                        |
| Option 2                 | version                         | int64           | The version of the rule.                                                                                                                                                                                                                                                                                                                                                                                         |
|                          | meta                            | object          | Object describing meta attributes of response.                                                                                                                                                                                                                                                                                                                                                                   |
| meta                     | page                            | object          | Pagination object.                                                                                                                                                                                                                                                                                                                                                                                               |
| page                     | total_count                     | int64           | Total count.                                                                                                                                                                                                                                                                                                                                                                                                     |
| page                     | total_filtered_count            | int64           | Total count of elements matched by the filter.                                                                                                                                                                                                                                                                                                                                                                   |

{% /tab %}

{% tab title="Example" %}

```json
{
  "data": [
    {
      "calculatedFields": [
        {
          "expression": "@request_end_timestamp - @request_start_timestamp",
          "name": "response_time"
        }
      ],
      "cases": [
        {
          "actions": [
            {
              "options": {
                "duration": 0,
                "flaggedIPType": "FLAGGED",
                "userBehaviorName": "string"
              },
              "type": "string"
            }
          ],
          "condition": "string",
          "customStatus": "critical",
          "name": "string",
          "notifications": [],
          "status": "critical"
        }
      ],
      "complianceSignalOptions": {
        "defaultActivationStatus": false,
        "defaultGroupByFields": [],
        "userActivationStatus": false,
        "userGroupByFields": []
      },
      "createdAt": "integer",
      "creationAuthorId": "integer",
      "customMessage": "string",
      "customName": "string",
      "defaultTags": [
        "security:attacks"
      ],
      "deprecationDate": "integer",
      "filters": [
        {
          "action": "string",
          "query": "string"
        }
      ],
      "groupSignalsBy": [
        "service"
      ],
      "hasExtendedTitle": false,
      "id": "string",
      "isDefault": false,
      "isDeleted": false,
      "isEnabled": false,
      "message": "string",
      "name": "string",
      "options": {
        "anomalyDetectionOptions": {
          "bucketDuration": 300,
          "detectionTolerance": 5,
          "instantaneousBaseline": false,
          "learningDuration": "integer",
          "learningPeriodBaseline": "integer"
        },
        "complianceRuleOptions": {
          "complexRule": false,
          "regoRule": {
            "policy": "package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(resource) = \"skip\" if {\n  # Logic that evaluates to true if the resource should be skipped\n  true\n} else = \"pass\" {\n  # Logic that evaluates to true if the resource is compliant\n  true\n} else = \"fail\" {\n  # Logic that evaluates to true if the resource is not compliant\n  true\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n  some resource in input.resources[input.main_resource_type]\n  result := dd_output.format(resource, eval(resource))\n}",
            "resourceTypes": [
              "gcp_iam_service_account",
              "gcp_iam_policy"
            ]
          },
          "resourceType": "aws_acm"
        },
        "decreaseCriticalityBasedOnEnv": false,
        "detectionMethod": "string",
        "evaluationWindow": "integer",
        "hardcodedEvaluatorType": "string",
        "impossibleTravelOptions": {
          "baselineUserLocations": true
        },
        "keepAlive": "integer",
        "maxSignalDuration": "integer",
        "newValueOptions": {
          "forgetAfter": "integer",
          "instantaneousBaseline": false,
          "learningDuration": "integer",
          "learningMethod": "string",
          "learningThreshold": "integer"
        },
        "sequenceDetectionOptions": {
          "stepTransitions": [
            {
              "child": "string",
              "evaluationWindow": "integer",
              "parent": "string"
            }
          ],
          "steps": [
            {
              "condition": "string",
              "evaluationWindow": "integer",
              "name": "string"
            }
          ]
        },
        "thirdPartyRuleOptions": {
          "defaultNotifications": [],
          "defaultStatus": "critical",
          "rootQueries": [
            {
              "groupByFields": [],
              "query": "source:cloudtrail"
            }
          ],
          "signalTitleTemplate": "string"
        }
      },
      "queries": [
        {
          "aggregation": "string",
          "customQueryExtension": "a > 3",
          "dataSource": "logs",
          "distinctFields": [],
          "groupByFields": [],
          "hasOptionalGroupByFields": false,
          "index": "string",
          "indexes": [],
          "metric": "string",
          "metrics": [],
          "name": "string",
          "query": "a > 3"
        }
      ],
      "referenceTables": [
        {
          "checkPresence": false,
          "columnName": "string",
          "logFieldPath": "string",
          "ruleQueryName": "string",
          "tableName": "string"
        }
      ],
      "schedulingOptions": {
        "rrule": "FREQ=HOURLY;INTERVAL=1;",
        "start": "2025-07-14T12:00:00",
        "timezone": "America/New_York"
      },
      "tags": [],
      "thirdPartyCases": [
        {
          "customStatus": "critical",
          "name": "string",
          "notifications": [],
          "query": "string",
          "status": "critical"
        }
      ],
      "type": "string",
      "updateAuthorId": "integer",
      "updatedAt": "integer",
      "version": "integer"
    }
  ],
  "meta": {
    "page": {
      "total_count": "integer",
      "total_filtered_count": "integer"
    }
  }
}
```

{% /tab %}

{% /tab %}

{% tab title="400" %}
Bad Request
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="429" %}
Too many requests
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

### Code Example

##### 

```bash
# Curl command
# Replace api.datadoghq.com with the API host for your Datadog site
# (for example api.datadoghq.eu or api.us5.datadoghq.com).
curl -X GET "https://api.datadoghq.com/api/v2/security_monitoring/rules" \
-H "Accept: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"
```

##### 

```python
"""
List rules returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.list_security_monitoring_rules()

    print(response)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=python), then save the example to `example.py` and run the following command. Set `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
```
##### 

```ruby
# List rules returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new
p api_instance.list_security_monitoring_rules()
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=ruby), then save the example to `example.rb` and run the following command. Set `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" ruby "example.rb"
```
##### 

```go
// List rules returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.ListSecurityMonitoringRules(ctx, *datadogV2.NewListSecurityMonitoringRulesOptionalParameters())

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.ListSecurityMonitoringRules`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.ListSecurityMonitoringRules`:\n%s\n", responseContent)
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=go), then save the example to `main.go` and run the following command. Set `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
```
##### 

```java
// List rules returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityMonitoringListRulesResponse;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    try {
      SecurityMonitoringListRulesResponse result = apiInstance.listSecurityMonitoringRules();
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#listSecurityMonitoringRules");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=java), then save the example to `Example.java` and run the following command. Set `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"
```
##### 

```rust
// List rules returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::ListSecurityMonitoringRulesOptionalParams;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;

#[tokio::main]
async fn main() {
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api
        .list_security_monitoring_rules(ListSecurityMonitoringRulesOptionalParams::default())
        .await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=rust), then save the example to `src/main.rs` and run the following command. Set `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run
```
##### 

```typescript
/**
 * List rules returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

apiInstance
  .listSecurityMonitoringRules()
  .then((data: v2.SecurityMonitoringListRulesResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=typescript), then save the example to `example.ts` and run the following command. Set `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"
```
{% /tab %}
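
The list response is the natural input for a detection-coverage audit. The following is an added example, not part of the Datadog client or of the original page: it walks the `data` and `meta.page` fields shown in the response model and reports disabled or deprecated rules, `high`/`critical` cases with no notification target, and a truncated page. The sample response is constructed, the finding labels are this example's own, and `deprecationDate` is assumed to be an epoch timestamp in milliseconds.

```python
import json

# Constructed sample shaped like the "List rules" response above.
# IDs, names, handles and timestamps are made up for this example.
SAMPLE_RESPONSE = json.loads("""
{
  "data": [
    {"id": "aaa-111", "name": "Brute force on login", "type": "log_detection",
     "isEnabled": true, "isDeleted": false,
     "cases": [{"status": "high", "notifications": ["@soc-oncall"]}]},
    {"id": "bbb-222", "name": "CloudTrail root usage", "type": "log_detection",
     "isEnabled": true, "isDeleted": false,
     "cases": [{"status": "critical", "notifications": []},
               {"status": "low", "notifications": []}]},
    {"id": "ccc-333", "name": "Legacy port scan", "type": "log_detection",
     "isEnabled": false, "isDeleted": false, "deprecationDate": 1700000000000,
     "cases": [{"status": "medium", "notifications": []}]},
    {"id": "ddd-444", "name": "Removed rule", "type": "log_detection",
     "isEnabled": false, "isDeleted": true,
     "cases": [{"status": "critical", "notifications": []}]}
  ],
  "meta": {"page": {"total_count": 9, "total_filtered_count": 9}}
}
""")

# Severities that should always reach a human or a pager.
ALERTING_SEVERITIES = {"high", "critical"}


def _is_int(value):
    """True for real integers only (bool is a subclass of int in Python)."""
    return isinstance(value, int) and not isinstance(value, bool)


def audit_rules(response, now_ms):
    """Return a list of (rule_id, finding) tuples for one page of rules.

    response: the decoded JSON body of the list-rules call.
    now_ms:   current time as epoch milliseconds (assumed unit of
              deprecationDate).
    """
    findings = []
    rules = response.get("data") or []

    for rule in rules:
        # Deleted rules no longer evaluate, so they are not a coverage gap.
        if rule.get("isDeleted"):
            continue
        rule_id = rule.get("id", "<no id>")

        if not rule.get("isEnabled", False):
            findings.append((rule_id, "disabled"))

        deprecation = rule.get("deprecationDate")
        if _is_int(deprecation):
            label = "deprecated" if deprecation <= now_ms else "deprecation_scheduled"
            findings.append((rule_id, label))

        # A high or critical case with an empty notifications list produces
        # signals that nobody is told about.
        for case in rule.get("cases") or []:
            status = case.get("status")
            if status in ALERTING_SEVERITIES and not case.get("notifications"):
                findings.append((rule_id, "unrouted_" + status))

    # meta.page reports how many rules exist; if it exceeds what this page
    # holds, the audit has only seen part of the rule set.
    page = (response.get("meta") or {}).get("page") or {}
    total = page.get("total_filtered_count", page.get("total_count"))
    if _is_int(total) and total > len(rules):
        findings.append(("<response>", "partial_page"))

    return findings


if __name__ == "__main__":
    for rule_id, finding in audit_rules(SAMPLE_RESPONSE, now_ms=1_750_000_000_000):
        print(f"{rule_id}: {finding}")
```

A `partial_page` finding means the remaining pages must be fetched and audited before the result can be treated as complete.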

## Create a detection rule{% #create-a-detection-rule %}

{% tab title="v2" %}

| Datadog site      | API endpoint                                                        |
| ----------------- | ------------------------------------------------------------------- |
| ap1.datadoghq.com | POST https://api.ap1.datadoghq.com/api/v2/security_monitoring/rules |
| ap2.datadoghq.com | POST https://api.ap2.datadoghq.com/api/v2/security_monitoring/rules |
| app.datadoghq.eu  | POST https://api.datadoghq.eu/api/v2/security_monitoring/rules      |
| app.ddog-gov.com  | POST https://api.ddog-gov.com/api/v2/security_monitoring/rules      |
| app.datadoghq.com | POST https://api.datadoghq.com/api/v2/security_monitoring/rules     |
| us3.datadoghq.com | POST https://api.us3.datadoghq.com/api/v2/security_monitoring/rules |
| us5.datadoghq.com | POST https://api.us5.datadoghq.com/api/v2/security_monitoring/rules |

### Overview

Create a detection rule. This endpoint requires the `security_monitoring_rules_write` permission.

OAuth apps require the `security_monitoring_rules_write` authorization [scope](https://docs.datadoghq.com/api/latest/scopes/#security-monitoring) to access this endpoint.



### Request

#### Body Data (required)



{% tab title="Model" %}

| Parent field             | Field                                     | Type     | Description                                                                                                                                                                                                                                                                                                                                                                                                      |
| ------------------------ | ----------------------------------------- | -------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|                          | Option 1                                  | object   | Create a new rule.                                                                                                                                                                                                                                                                                                                                                                                               |
| Option 1                 | calculatedFields                          | [object] | Calculated fields. Only allowed for scheduled rules - in other words, when schedulingOptions is also defined.                                                                                                                                                                                                                                                                                                    |
| calculatedFields         | expression [*required*]              | string   | Expression.                                                                                                                                                                                                                                                                                                                                                                                                      |
| calculatedFields         | name [*required*]                    | string   | Field name.                                                                                                                                                                                                                                                                                                                                                                                                      |
| Option 1                 | cases [*required*]                   | [object] | Cases for generating signals.                                                                                                                                                                                                                                                                                                                                                                                    |
| cases                    | actions                                   | [object] | Action to perform for each rule case.                                                                                                                                                                                                                                                                                                                                                                            |
| actions                  | options                                   | object   | Options for the rule action                                                                                                                                                                                                                                                                                                                                                                                      |
| options                  | duration                                  | int64    | Duration of the action in seconds. 0 indicates no expiration.                                                                                                                                                                                                                                                                                                                                                    |
| options                  | flaggedIPType                             | enum     | Used with the case action of type 'flag_ip'. The value specified in this field is applied as a flag to the IP addresses. Allowed enum values: `SUSPICIOUS,FLAGGED`                                                                                                                                                                                                                                               |
| options                  | userBehaviorName                          | string   | Used with the case action of type 'user_behavior'. The value specified in this field is applied as a risk tag to all users affected by the rule.                                                                                                                                                                                                                                                                 |
| actions                  | type                                      | enum     | The action type. Allowed enum values: `block_ip,block_user,user_behavior,flag_ip`                                                                                                                                                                                                                                                                                                                                |
| cases                    | condition                                 | string   | A case contains logical operations (`>`,`>=`, `&&`, `||`) to determine if a signal should be generated based on the event counts in the previously defined queries.                                                                                                                                                                                                                                              |
| cases                    | name                                      | string   | Name of the case.                                                                                                                                                                                                                                                                                                                                                                                                |
| cases                    | notifications                             | [string] | Notification targets.                                                                                                                                                                                                                                                                                                                                                                                            |
| cases                    | status [*required*]                  | enum     | Severity of the Security Signal. Allowed enum values: `info,low,medium,high,critical`                                                                                                                                                                                                                                                                                                                            |
| Option 1                 | filters                                   | [object] | Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules.                                                                                                                                                                                                                                              |
| filters                  | action                                    | enum     | The type of filtering action. Allowed enum values: `require,suppress`                                                                                                                                                                                                                                                                                                                                            |
| filters                  | query                                     | string   | Query for selecting logs to apply the filtering action.                                                                                                                                                                                                                                                                                                                                                          |
| Option 1                 | groupSignalsBy                            | [string] | Additional grouping to perform on top of the existing groups in the query section. Must be a subset of the existing groups.                                                                                                                                                                                                                                                                                      |
| Option 1                 | hasExtendedTitle                          | boolean  | Whether the notifications include the triggering group-by values in their title.                                                                                                                                                                                                                                                                                                                                 |
| Option 1                 | isEnabled [*required*]               | boolean  | Whether the rule is enabled.                                                                                                                                                                                                                                                                                                                                                                                     |
| Option 1                 | message [*required*]                 | string   | Message for generated signals.                                                                                                                                                                                                                                                                                                                                                                                   |
| Option 1                 | name [*required*]                    | string   | The name of the rule.                                                                                                                                                                                                                                                                                                                                                                                            |
| Option 1                 | options [*required*]                 | object   | Options.                                                                                                                                                                                                                                                                                                                                                                                                         |
| options                  | anomalyDetectionOptions                   | object   | Options on anomaly detection method.                                                                                                                                                                                                                                                                                                                                                                             |
| anomalyDetectionOptions  | bucketDuration                            | enum     | Duration in seconds of the time buckets used to aggregate events matched by the rule. Must be greater than or equal to 300. Allowed enum values: `300,600,900,1800,3600,10800`                                                                                                                                                                                                                                   |
| anomalyDetectionOptions  | detectionTolerance                        | enum     | An optional parameter that sets how permissive anomaly detection is. Higher values require higher deviations before triggering a signal. Allowed enum values: `1,2,3,4,5`                                                                                                                                                                                                                                        |
| anomalyDetectionOptions  | instantaneousBaseline                     | boolean  | When set to true, Datadog uses previous values that fall within the defined learning window to construct the baseline, enabling the system to establish an accurate baseline more rapidly rather than relying solely on gradual learning over time.                                                                                                                                                              |
| anomalyDetectionOptions  | learningDuration                          | enum     | Learning duration in hours. Anomaly detection waits for at least this amount of historical data before it starts evaluating. Allowed enum values: `1,6,12,24,48,168,336`                                                                                                                                                                                                                                         |
| anomalyDetectionOptions  | learningPeriodBaseline                    | int64    | An optional override baseline to apply while the rule is in the learning period. Must be greater than or equal to 0.                                                                                                                                                                                                                                                                                             |
| options                  | complianceRuleOptions                     | object   | Options for cloud_configuration rules. Fields `resourceType` and `regoRule` are mandatory when managing custom `cloud_configuration` rules.                                                                                                                                                                                                                                                                      |
| complianceRuleOptions    | complexRule                               | boolean  | Whether the rule is a complex one. Must be set to true if `regoRule.resourceTypes` contains more than one item. Defaults to false.                                                                                                                                                                                                                                                                               |
| complianceRuleOptions    | regoRule                                  | object   | Rule details.                                                                                                                                                                                                                                                                                                                                                                                                    |
| regoRule                 | policy [*required*]                  | string   | The policy written in `rego`, see: [https://www.openpolicyagent.org/docs/latest/policy-language/](https://www.openpolicyagent.org/docs/latest/policy-language/)                                                                                                                                                                                                                                                  |
| regoRule                 | resourceTypes [*required*]           | [string] | List of resource types that will be evaluated upon. Must have at least one element.                                                                                                                                                                                                                                                                                                                              |
| complianceRuleOptions    | resourceType                              | string   | Main resource type to be checked by the rule. It should be specified again in `regoRule.resourceTypes`.                                                                                                                                                                                                                                                                                                          |
| options                  | decreaseCriticalityBasedOnEnv             | boolean  | If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise. The severity is decreased by one level: `CRITICAL` in production becomes `HIGH` in non-production, `HIGH` becomes `MEDIUM` and so on. `INFO` remains `INFO`. The decrement is applied when the environment tag of the signal starts with `staging`, `test` or `dev`. |
| options                  | detectionMethod                           | enum     | The detection method. Allowed enum values: `threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold,sequence_detection`                                                                                                                                                                                                                                                  |
| options                  | evaluationWindow                          | enum     | A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600`                                                                                                                                               |
| options                  | hardcodedEvaluatorType                    | enum     | Hardcoded evaluator type. Allowed enum values: `log4shell`                                                                                                                                                                                                                                                                                                                                                       |
| options                  | impossibleTravelOptions                   | object   | Options on impossible travel detection method.                                                                                                                                                                                                                                                                                                                                                                   |
| impossibleTravelOptions  | baselineUserLocations                     | boolean  | If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.                                                                                                                                                                                                    |
| options                  | keepAlive                                 | enum     | Once a signal is generated, the signal will remain "open" if a case is matched at least once within this keep alive window. For third party detection method, this field is not used. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600`                                                                                                                                                         |
| options                  | maxSignalDuration                         | enum     | A signal will "close" regardless of the query being matched once the time exceeds the maximum duration. This time is calculated from the first seen timestamp. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600`                                                                                                                                                                                |
| options                  | newValueOptions                           | object   | Options on new value detection method.                                                                                                                                                                                                                                                                                                                                                                           |
| newValueOptions          | forgetAfter                               | enum     | The duration in days after which a learned value is forgotten. Allowed enum values: `1,2,7,14,21,28`                                                                                                                                                                                                                                                                                                             |
| newValueOptions          | instantaneousBaseline                     | boolean  | When set to true, Datadog uses previous values that fall within the defined learning window to construct the baseline, enabling the system to establish an accurate baseline more rapidly rather than relying solely on gradual learning over time.                                                                                                                                                              |
| newValueOptions          | learningDuration                          | enum     | The duration in days during which values are learned, and after which signals will be generated for values that weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned. Allowed enum values: `0,1,7`                                                                                                                                                       |
| newValueOptions          | learningMethod                            | enum     | The learning method used to determine when signals should be generated for values that weren't learned. Allowed enum values: `duration,threshold`                                                                                                                                                                                                                                                                |
| newValueOptions          | learningThreshold                         | enum     | A number of occurrences after which signals will be generated for values that weren't learned. Allowed enum values: `0,1`                                                                                                                                                                                                                                                                                        |
| options                  | sequenceDetectionOptions                  | object   | Options on sequence detection method.                                                                                                                                                                                                                                                                                                                                                                            |
| sequenceDetectionOptions | stepTransitions                           | [object] | Transitions defining the allowed order of steps and their evaluation windows.                                                                                                                                                                                                                                                                                                                                    |
| stepTransitions          | child                                     | string   | Name of the child step.                                                                                                                                                                                                                                                                                                                                                                                          |
| stepTransitions          | evaluationWindow                          | enum     | A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600`                                                                                                                                               |
| stepTransitions          | parent                                    | string   | Name of the parent step.                                                                                                                                                                                                                                                                                                                                                                                         |
| sequenceDetectionOptions | steps                                     | [object] | Steps that define the conditions to be matched in sequence.                                                                                                                                                                                                                                                                                                                                                      |
| steps                    | condition                                 | string   | Condition referencing rule queries (e.g., `a > 0`).                                                                                                                                                                                                                                                                                                                                                              |
| steps                    | evaluationWindow                          | enum     | A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600`                                                                                                                                               |
| steps                    | name                                      | string   | Unique name identifying the step.                                                                                                                                                                                                                                                                                                                                                                                |
| options                  | thirdPartyRuleOptions                     | object   | Options on third party detection method.                                                                                                                                                                                                                                                                                                                                                                         |
| thirdPartyRuleOptions    | defaultNotifications                      | [string] | Notification targets for the logs that do not correspond to any of the cases.                                                                                                                                                                                                                                                                                                                                    |
| thirdPartyRuleOptions    | defaultStatus                             | enum     | Severity of the Security Signal. Allowed enum values: `info,low,medium,high,critical`                                                                                                                                                                                                                                                                                                                            |
| thirdPartyRuleOptions    | rootQueries                               | [object] | Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.                                                                                                                                                                                                                                                      |
| rootQueries              | groupByFields                             | [string] | Fields to group by.                                                                                                                                                                                                                                                                                                                                                                                              |
| rootQueries              | query                                     | string   | Query to run on logs.                                                                                                                                                                                                                                                                                                                                                                                            |
| thirdPartyRuleOptions    | signalTitleTemplate                       | string   | A template for the signal title; if omitted, the title is generated based on the case name.                                                                                                                                                                                                                                                                                                                      |
| Option 1                 | queries [*required*]                 | [object] | Queries for selecting logs which are part of the rule.                                                                                                                                                                                                                                                                                                                                                           |
| queries                  | aggregation                               | enum     | The aggregation type. Allowed enum values: `count,cardinality,sum,max,new_value,geo_data,event_count,none`                                                                                                                                                                                                                                                                                                       |
| queries                  | customQueryExtension                      | string   | Query extension to append to the logs query.                                                                                                                                                                                                                                                                                                                                                                     |
| queries                  | dataSource                                | enum     | Source of events, either logs, audit trail, or Datadog events. `app_sec_spans` is deprecated in favor of `spans`. Allowed enum values: `logs,audit,app_sec_spans,spans,security_runtime,network,events`                                                                                                                                                                                                          |
| queries                  | distinctFields                            | [string] | Field for which the cardinality is measured. Sent as an array.                                                                                                                                                                                                                                                                                                                                                   |
| queries                  | groupByFields                             | [string] | Fields to group by.                                                                                                                                                                                                                                                                                                                                                                                              |
| queries                  | hasOptionalGroupByFields                  | boolean  | When false, events without a group-by value are ignored by the rule. When true, events with missing group-by fields are processed with `N/A`, replacing the missing values.                                                                                                                                                                                                                                      |
| queries                  | index                                     | string   | **This field is currently unstable and might be removed in a minor version upgrade.** The index to run the query on, if the `dataSource` is `logs`. Only used for scheduled rules - in other words, when the `schedulingOptions` field is present in the rule payload.                                                                                                                                           |
| queries                  | indexes                                   | [string] | List of indexes to query when the `dataSource` is `logs`. Only used for scheduled rules, such as when the `schedulingOptions` field is present in the rule payload.                                                                                                                                                                                                                                              |
| queries                  | metric                                    | string   | **DEPRECATED**: (Deprecated) The target field to aggregate over when using the sum or max aggregations. `metrics` field should be used instead.                                                                                                                                                                                                                                                                  |
| queries                  | metrics                                   | [string] | Group of target fields to aggregate over when using the sum, max, geo data, or new value aggregations. The sum, max, and geo data aggregations only accept one value in this list, whereas the new value aggregation accepts up to five values.                                                                                                                                                                  |
| queries                  | name                                      | string   | Name of the query.                                                                                                                                                                                                                                                                                                                                                                                               |
| queries                  | query                                     | string   | Query to run on logs.                                                                                                                                                                                                                                                                                                                                                                                            |
| Option 1                 | referenceTables                           | [object] | Reference tables for the rule.                                                                                                                                                                                                                                                                                                                                                                                   |
| referenceTables          | checkPresence                             | boolean  | Whether to include or exclude the matched values.                                                                                                                                                                                                                                                                                                                                                                |
| referenceTables          | columnName                                | string   | The name of the column in the reference table.                                                                                                                                                                                                                                                                                                                                                                   |
| referenceTables          | logFieldPath                              | string   | The field in the log to match against the reference table.                                                                                                                                                                                                                                                                                                                                                       |
| referenceTables          | ruleQueryName                             | string   | The name of the query to apply the reference table to.                                                                                                                                                                                                                                                                                                                                                           |
| referenceTables          | tableName                                 | string   | The name of the reference table.                                                                                                                                                                                                                                                                                                                                                                                 |
| Option 1                 | schedulingOptions                         | object   | Options for scheduled rules. When this field is present, the rule runs based on the schedule. When absent, it runs real-time on ingested logs.                                                                                                                                                                                                                                                                   |
| schedulingOptions        | rrule                                     | string   | Schedule for the rule queries, written in RRULE syntax. See [RFC](https://icalendar.org/iCalendar-RFC-5545/3-8-5-3-recurrence-rule.html) for syntax reference.                                                                                                                                                                                                                                                   |
| schedulingOptions        | start                                     | string   | Start date for the schedule, in ISO 8601 format without timezone.                                                                                                                                                                                                                                                                                                                                                |
| schedulingOptions        | timezone                                  | string   | Time zone of the start date, in the [tz database](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones) format.                                                                                                                                                                                                                                                                                          |
| Option 1                 | tags                                      | [string] | Tags for generated signals.                                                                                                                                                                                                                                                                                                                                                                                      |
| Option 1                 | thirdPartyCases                           | [object] | Cases for generating signals from third-party rules. Only available for third-party rules.                                                                                                                                                                                                                                                                                                                       |
| thirdPartyCases          | name                                      | string   | Name of the case.                                                                                                                                                                                                                                                                                                                                                                                                |
| thirdPartyCases          | notifications                             | [string] | Notification targets for each case.                                                                                                                                                                                                                                                                                                                                                                              |
| thirdPartyCases          | query                                     | string   | A query to map a third party event to this case.                                                                                                                                                                                                                                                                                                                                                                 |
| thirdPartyCases          | status [*required*]                  | enum     | Severity of the Security Signal. Allowed enum values: `info,low,medium,high,critical`                                                                                                                                                                                                                                                                                                                            |
| Option 1                 | type                                      | enum     | The rule type. Allowed enum values: `api_security,application_security,log_detection,workload_activity,workload_security`                                                                                                                                                                                                                                                                                        |
|                          | Option 2                                  | object   | Create a new signal correlation rule.                                                                                                                                                                                                                                                                                                                                                                            |
| Option 2                 | cases [*required*]                   | [object] | Cases for generating signals.                                                                                                                                                                                                                                                                                                                                                                                    |
| cases                    | actions                                   | [object] | Action to perform for each rule case.                                                                                                                                                                                                                                                                                                                                                                            |
| actions                  | options                                   | object   | Options for the rule action                                                                                                                                                                                                                                                                                                                                                                                      |
| options                  | duration                                  | int64    | Duration of the action in seconds. 0 indicates no expiration.                                                                                                                                                                                                                                                                                                                                                    |
| options                  | flaggedIPType                             | enum     | Used with the case action of type 'flag_ip'. The value specified in this field is applied as a flag to the IP addresses. Allowed enum values: `SUSPICIOUS,FLAGGED`                                                                                                                                                                                                                                               |
| options                  | userBehaviorName                          | string   | Used with the case action of type 'user_behavior'. The value specified in this field is applied as a risk tag to all users affected by the rule.                                                                                                                                                                                                                                                                 |
| actions                  | type                                      | enum     | The action type. Allowed enum values: `block_ip,block_user,user_behavior,flag_ip`                                                                                                                                                                                                                                                                                                                                |
| cases                    | condition                                 | string   | A case contains logical operations (`>`,`>=`, `&&`, `||`) to determine if a signal should be generated based on the event counts in the previously defined queries.                                                                                                                                                                                                                                              |
| cases                    | name                                      | string   | Name of the case.                                                                                                                                                                                                                                                                                                                                                                                                |
| cases                    | notifications                             | [string] | Notification targets.                                                                                                                                                                                                                                                                                                                                                                                            |
| cases                    | status [*required*]                  | enum     | Severity of the Security Signal. Allowed enum values: `info,low,medium,high,critical`                                                                                                                                                                                                                                                                                                                            |
| Option 2                 | filters                                   | [object] | Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules.                                                                                                                                                                                                                                              |
| filters                  | action                                    | enum     | The type of filtering action. Allowed enum values: `require,suppress`                                                                                                                                                                                                                                                                                                                                            |
| filters                  | query                                     | string   | Query for selecting logs to apply the filtering action.                                                                                                                                                                                                                                                                                                                                                          |
| Option 2                 | hasExtendedTitle                          | boolean  | Whether the notifications include the triggering group-by values in their title.                                                                                                                                                                                                                                                                                                                                 |
| Option 2                 | isEnabled [*required*]               | boolean  | Whether the rule is enabled.                                                                                                                                                                                                                                                                                                                                                                                     |
| Option 2                 | message [*required*]                 | string   | Message for generated signals.                                                                                                                                                                                                                                                                                                                                                                                   |
| Option 2                 | name [*required*]                    | string   | The name of the rule.                                                                                                                                                                                                                                                                                                                                                                                            |
| Option 2                 | options [*required*]                 | object   | Options.                                                                                                                                                                                                                                                                                                                                                                                                         |
| options                  | anomalyDetectionOptions                   | object   | Options on anomaly detection method.                                                                                                                                                                                                                                                                                                                                                                             |
| anomalyDetectionOptions  | bucketDuration                            | enum     | Duration in seconds of the time buckets used to aggregate events matched by the rule. Must be greater than or equal to 300. Allowed enum values: `300,600,900,1800,3600,10800`                                                                                                                                                                                                                                   |
| anomalyDetectionOptions  | detectionTolerance                        | enum     | An optional parameter that sets how permissive anomaly detection is. Higher values require higher deviations before triggering a signal. Allowed enum values: `1,2,3,4,5`                                                                                                                                                                                                                                        |
| anomalyDetectionOptions  | instantaneousBaseline                     | boolean  | When set to true, Datadog uses previous values that fall within the defined learning window to construct the baseline, enabling the system to establish an accurate baseline more rapidly rather than relying solely on gradual learning over time.                                                                                                                                                              |
| anomalyDetectionOptions  | learningDuration                          | enum     | Learning duration in hours. Anomaly detection waits for at least this amount of historical data before it starts evaluating. Allowed enum values: `1,6,12,24,48,168,336`                                                                                                                                                                                                                                         |
| anomalyDetectionOptions  | learningPeriodBaseline                    | int64    | An optional override baseline to apply while the rule is in the learning period. Must be greater than or equal to 0.                                                                                                                                                                                                                                                                                             |
| options                  | complianceRuleOptions                     | object   | Options for cloud_configuration rules. Fields `resourceType` and `regoRule` are mandatory when managing custom `cloud_configuration` rules.                                                                                                                                                                                                                                                                      |
| complianceRuleOptions    | complexRule                               | boolean  | Whether the rule is a complex one. Must be set to true if `regoRule.resourceTypes` contains more than one item. Defaults to false.                                                                                                                                                                                                                                                                               |
| complianceRuleOptions    | regoRule                                  | object   | Rule details.                                                                                                                                                                                                                                                                                                                                                                                                    |
| regoRule                 | policy [*required*]                  | string   | The policy written in `rego`, see: [https://www.openpolicyagent.org/docs/latest/policy-language/](https://www.openpolicyagent.org/docs/latest/policy-language/)                                                                                                                                                                                                                                                  |
| regoRule                 | resourceTypes [*required*]           | [string] | List of resource types that will be evaluated upon. Must have at least one element.                                                                                                                                                                                                                                                                                                                              |
| complianceRuleOptions    | resourceType                              | string   | Main resource type to be checked by the rule. It should be specified again in `regoRule.resourceTypes`.                                                                                                                                                                                                                                                                                                          |
| options                  | decreaseCriticalityBasedOnEnv             | boolean  | If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise. The severity is decreased by one level: `CRITICAL` in production becomes `HIGH` in non-production, `HIGH` becomes `MEDIUM` and so on. `INFO` remains `INFO`. The decrement is applied when the environment tag of the signal starts with `staging`, `test` or `dev`. |
| options                  | detectionMethod                           | enum     | The detection method. Allowed enum values: `threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold,sequence_detection`                                                                                                                                                                                                                                                  |
| options                  | evaluationWindow                          | enum     | A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600`                                                                                                                                               |
| options                  | hardcodedEvaluatorType                    | enum     | Hardcoded evaluator type. Allowed enum values: `log4shell`                                                                                                                                                                                                                                                                                                                                                       |
| options                  | impossibleTravelOptions                   | object   | Options on impossible travel detection method.                                                                                                                                                                                                                                                                                                                                                                   |
| impossibleTravelOptions  | baselineUserLocations                     | boolean  | If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.                                                                                                                                                                                                    |
| options                  | keepAlive                                 | enum     | Once a signal is generated, the signal will remain "open" if a case is matched at least once within this keep alive window. For third party detection method, this field is not used. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600`                                                                                                                                                         |
| options                  | maxSignalDuration                         | enum     | A signal will "close" regardless of the query being matched once the time exceeds the maximum duration. This time is calculated from the first seen timestamp. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600`                                                                                                                                                                                |
| options                  | newValueOptions                           | object   | Options on new value detection method.                                                                                                                                                                                                                                                                                                                                                                           |
| newValueOptions          | forgetAfter                               | enum     | The duration in days after which a learned value is forgotten. Allowed enum values: `1,2,7,14,21,28`                                                                                                                                                                                                                                                                                                             |
| newValueOptions          | instantaneousBaseline                     | boolean  | When set to true, Datadog uses previous values that fall within the defined learning window to construct the baseline, enabling the system to establish an accurate baseline more rapidly rather than relying solely on gradual learning over time.                                                                                                                                                              |
| newValueOptions          | learningDuration                          | enum     | The duration in days during which values are learned, and after which signals will be generated for values that weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned. Allowed enum values: `0,1,7`                                                                                                                                                       |
| newValueOptions          | learningMethod                            | enum     | The learning method used to determine when signals should be generated for values that weren't learned. Allowed enum values: `duration,threshold`                                                                                                                                                                                                                                                                |
| newValueOptions          | learningThreshold                         | enum     | A number of occurrences after which signals will be generated for values that weren't learned. Allowed enum values: `0,1`                                                                                                                                                                                                                                                                                        |
| options                  | sequenceDetectionOptions                  | object   | Options on sequence detection method.                                                                                                                                                                                                                                                                                                                                                                            |
| sequenceDetectionOptions | stepTransitions                           | [object] | Transitions defining the allowed order of steps and their evaluation windows.                                                                                                                                                                                                                                                                                                                                    |
| stepTransitions          | child                                     | string   | Name of the child step.                                                                                                                                                                                                                                                                                                                                                                                          |
| stepTransitions          | evaluationWindow                          | enum     | A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600`                                                                                                                                               |
| stepTransitions          | parent                                    | string   | Name of the parent step.                                                                                                                                                                                                                                                                                                                                                                                         |
| sequenceDetectionOptions | steps                                     | [object] | Steps that define the conditions to be matched in sequence.                                                                                                                                                                                                                                                                                                                                                      |
| steps                    | condition                                 | string   | Condition referencing rule queries (e.g., `a > 0`).                                                                                                                                                                                                                                                                                                                                                              |
| steps                    | evaluationWindow                          | enum     | A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600`                                                                                                                                               |
| steps                    | name                                      | string   | Unique name identifying the step.                                                                                                                                                                                                                                                                                                                                                                                |
| options                  | thirdPartyRuleOptions                     | object   | Options on third party detection method.                                                                                                                                                                                                                                                                                                                                                                         |
| thirdPartyRuleOptions    | defaultNotifications                      | [string] | Notification targets for the logs that do not correspond to any of the cases.                                                                                                                                                                                                                                                                                                                                    |
| thirdPartyRuleOptions    | defaultStatus                             | enum     | Severity of the Security Signal. Allowed enum values: `info,low,medium,high,critical`                                                                                                                                                                                                                                                                                                                            |
| thirdPartyRuleOptions    | rootQueries                               | [object] | Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.                                                                                                                                                                                                                                                      |
| rootQueries              | groupByFields                             | [string] | Fields to group by.                                                                                                                                                                                                                                                                                                                                                                                              |
| rootQueries              | query                                     | string   | Query to run on logs.                                                                                                                                                                                                                                                                                                                                                                                            |
| thirdPartyRuleOptions    | signalTitleTemplate                       | string   | A template for the signal title; if omitted, the title is generated based on the case name.                                                                                                                                                                                                                                                                                                                      |
| Option 2                 | queries [*required*]                 | [object] | Queries for selecting signals which are part of the rule.                                                                                                                                                                                                                                                                                                                                                        |
| queries                  | aggregation                               | enum     | The aggregation type. Allowed enum values: `count,cardinality,sum,max,new_value,geo_data,event_count,none`                                                                                                                                                                                                                                                                                                       |
| queries                  | correlatedByFields                        | [string] | Fields to group by.                                                                                                                                                                                                                                                                                                                                                                                              |
| queries                  | correlatedQueryIndex                      | int32    | Index of the rule query used to retrieve the correlated field.                                                                                                                                                                                                                                                                                                                                                   |
| queries                  | metrics                                   | [string] | Group of target fields to aggregate over.                                                                                                                                                                                                                                                                                                                                                                        |
| queries                  | name                                      | string   | Name of the query.                                                                                                                                                                                                                                                                                                                                                                                               |
| queries                  | ruleId [*required*]                  | string   | Rule ID to match on signals.                                                                                                                                                                                                                                                                                                                                                                                     |
| Option 2                 | tags                                      | [string] | Tags for generated signals.                                                                                                                                                                                                                                                                                                                                                                                      |
| Option 2                 | type                                      | enum     | The rule type. Allowed enum values: `signal_correlation`                                                                                                                                                                                                                                                                                                                                                         |
|                          | Option 3                                  | object   | Create a new cloud configuration rule.                                                                                                                                                                                                                                                                                                                                                                           |
| Option 3                 | cases [*required*]                   | [object] | Description of generated findings and signals (severity and channels to be notified in case of a signal). Must contain exactly one item.                                                                                                                                                                                                                                                                         |
| cases                    | notifications                             | [string] | Notification targets for each rule case.                                                                                                                                                                                                                                                                                                                                                                         |
| cases                    | status [*required*]                  | enum     | Severity of the Security Signal. Allowed enum values: `info,low,medium,high,critical`                                                                                                                                                                                                                                                                                                                            |
| Option 3                 | complianceSignalOptions [*required*] | object   | How to generate compliance signals. Useful for cloud_configuration rules only.                                                                                                                                                                                                                                                                                                                                   |
| complianceSignalOptions  | defaultActivationStatus                   | boolean  | The default activation status.                                                                                                                                                                                                                                                                                                                                                                                   |
| complianceSignalOptions  | defaultGroupByFields                      | [string] | The default group by fields.                                                                                                                                                                                                                                                                                                                                                                                     |
| complianceSignalOptions  | userActivationStatus                      | boolean  | Whether signals will be sent.                                                                                                                                                                                                                                                                                                                                                                                    |
| complianceSignalOptions  | userGroupByFields                         | [string] | Fields to use to group findings by when sending signals.                                                                                                                                                                                                                                                                                                                                                         |
| Option 3                 | filters                                   | [object] | Additional queries to filter matched events before they are processed.                                                                                                                                                                                                                                                                                                                                           |
| filters                  | action                                    | enum     | The type of filtering action. Allowed enum values: `require,suppress`                                                                                                                                                                                                                                                                                                                                            |
| filters                  | query                                     | string   | Query for selecting logs to apply the filtering action.                                                                                                                                                                                                                                                                                                                                                          |
| Option 3                 | isEnabled [*required*]               | boolean  | Whether the rule is enabled.                                                                                                                                                                                                                                                                                                                                                                                     |
| Option 3                 | message [*required*]                 | string   | Message in markdown format for generated findings and signals.                                                                                                                                                                                                                                                                                                                                                   |
| Option 3                 | name [*required*]                    | string   | The name of the rule.                                                                                                                                                                                                                                                                                                                                                                                            |
| Option 3                 | options [*required*]                 | object   | Options on cloud configuration rules.                                                                                                                                                                                                                                                                                                                                                                            |
| options                  | complianceRuleOptions [*required*]   | object   | Options for cloud_configuration rules. Fields `resourceType` and `regoRule` are mandatory when managing custom `cloud_configuration` rules.                                                                                                                                                                                                                                                                      |
| complianceRuleOptions    | complexRule                               | boolean  | Whether the rule is a complex one. Must be set to true if `regoRule.resourceTypes` contains more than one item. Defaults to false.                                                                                                                                                                                                                                                                               |
| complianceRuleOptions    | regoRule                                  | object   | Rule details.                                                                                                                                                                                                                                                                                                                                                                                                    |
| regoRule                 | policy [*required*]                  | string   | The policy written in `rego`, see: [https://www.openpolicyagent.org/docs/latest/policy-language/](https://www.openpolicyagent.org/docs/latest/policy-language/)                                                                                                                                                                                                                                                  |
| regoRule                 | resourceTypes [*required*]           | [string] | List of resource types that will be evaluated upon. Must have at least one element.                                                                                                                                                                                                                                                                                                                              |
| complianceRuleOptions    | resourceType                              | string   | Main resource type to be checked by the rule. It should be specified again in `regoRule.resourceTypes`.                                                                                                                                                                                                                                                                                                          |
| Option 3                 | tags                                      | [string] | Tags for generated findings and signals.                                                                                                                                                                                                                                                                                                                                                                         |
| Option 3                 | type                                      | enum     | The rule type. Allowed enum values: `cloud_configuration`                                                                                                                                                                                                                                                                                                                                                        |

{% /tab %}

{% tab title="Example" %}
##### 

```json
{
  "type": "cloud_configuration",
  "name": "Example-Security-Monitoring_cloud",
  "isEnabled": false,
  "cases": [
    {
      "status": "info",
      "notifications": [
        "channel"
      ]
    }
  ],
  "options": {
    "complianceRuleOptions": {
      "resourceType": "gcp_compute_disk",
      "complexRule": false,
      "regoRule": {
        "policy": "package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nmilliseconds_in_a_day := ((1000 * 60) * 60) * 24\n\neval(iam_service_account_key) = \"skip\" if {\n\tiam_service_account_key.disabled\n} else = \"pass\" if {\n\t(iam_service_account_key.resource_seen_at / milliseconds_in_a_day) - (iam_service_account_key.valid_after_time / milliseconds_in_a_day) <= 90\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n",
        "resourceTypes": [
          "gcp_compute_disk"
        ]
      }
    }
  },
  "message": "ddd",
  "tags": [
    "my:tag"
  ],
  "complianceSignalOptions": {
    "userActivationStatus": true,
    "userGroupByFields": [
      "@account_id"
    ]
  },
  "filters": [
    {
      "action": "require",
      "query": "resource_id:helo*"
    },
    {
      "action": "suppress",
      "query": "control:helo*"
    }
  ]
}
```

##### 

```json
{
  "name": "Example-Security-Monitoring",
  "queries": [
    {
      "query": "@test:true",
      "aggregation": "count",
      "groupByFields": [],
      "distinctFields": [],
      "metric": ""
    }
  ],
  "filters": [],
  "cases": [
    {
      "name": "",
      "status": "info",
      "condition": "a > 0",
      "notifications": []
    }
  ],
  "options": {
    "evaluationWindow": 900,
    "keepAlive": 3600,
    "maxSignalDuration": 86400
  },
  "message": "Test rule",
  "tags": [],
  "isEnabled": true,
  "type": "log_detection",
  "referenceTables": [
    {
      "tableName": "synthetics_test_reference_table_dont_delete",
      "columnName": "value",
      "logFieldPath": "testtag",
      "checkPresence": true,
      "ruleQueryName": "a"
    }
  ]
}
```

##### 

```json
{
  "name": "Example-Security-Monitoring",
  "type": "log_detection",
  "isEnabled": true,
  "queries": [
    {
      "aggregation": "count",
      "dataSource": "logs",
      "distinctFields": [],
      "groupByFields": [
        "@usr.email",
        "@network.client.ip"
      ],
      "hasOptionalGroupByFields": false,
      "name": "",
      "query": "service:app status:error"
    }
  ],
  "cases": [
    {
      "name": "",
      "status": "info",
      "notifications": [],
      "condition": "a > 0.995"
    }
  ],
  "message": "An anomaly detection rule",
  "options": {
    "detectionMethod": "anomaly_detection",
    "evaluationWindow": 900,
    "keepAlive": 3600,
    "maxSignalDuration": 86400,
    "anomalyDetectionOptions": {
      "bucketDuration": 300,
      "learningDuration": 24,
      "detectionTolerance": 3,
      "learningPeriodBaseline": 10
    }
  },
  "tags": [],
  "filters": []
}
```

{% /tab %}
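The Model table above states several cross-field constraints for a custom `cloud_configuration` rule: exactly one case, `complexRule` set when `regoRule.resourceTypes` has more than one item, and `resourceType` repeated in `regoRule.resourceTypes`. The following pre-submit check for them is an added example, not part of the Datadog documentation or client libraries. The function names, the placeholder resource type names, and the shortened policy text are assumptions; the code makes no API call.

```python
"""Added example: pre-submit lint for a custom cloud_configuration rule body."""
import copy

SEVERITIES = ("info", "low", "medium", "high", "critical")
FILTER_ACTIONS = ("require", "suppress")
REQUIRED = ("cases", "complianceSignalOptions", "isEnabled", "message", "name", "options")


def _str_list(value):
    return isinstance(value, list) and all(isinstance(v, str) for v in value)


def _lint_compliance_rule_options(cro):
    """Checks for options.complianceRuleOptions on a custom rule."""
    problems = []
    resource_type = cro.get("resourceType")
    rego = cro.get("regoRule")
    if not isinstance(resource_type, str) or not resource_type:
        problems.append("complianceRuleOptions.resourceType is mandatory for custom rules")
    if not isinstance(rego, dict):
        problems.append("complianceRuleOptions.regoRule is mandatory for custom rules")
        return problems
    if not isinstance(rego.get("policy"), str) or not rego["policy"].strip():
        problems.append("regoRule.policy is required")
    types = rego.get("resourceTypes")
    if not _str_list(types) or not types:
        problems.append("regoRule.resourceTypes must have at least one element")
        return problems
    if len(types) > 1 and cro.get("complexRule", False) is not True:
        problems.append("complexRule must be true when regoRule.resourceTypes has more than one item")
    if isinstance(resource_type, str) and resource_type and resource_type not in types:
        problems.append("resourceType should be specified again in regoRule.resourceTypes")
    return problems


def lint_cloud_configuration_rule(rule):
    """Return a list of violations; an empty list means the body passed."""
    problems = [f"missing required field: {f}" for f in REQUIRED if f not in rule]
    if rule.get("type", "cloud_configuration") != "cloud_configuration":
        problems.append("type must be cloud_configuration")
    if "isEnabled" in rule and not isinstance(rule["isEnabled"], bool):
        problems.append("isEnabled must be a boolean")

    # cases: exactly one item, with a status taken from the severity enum.
    cases = rule.get("cases")
    if cases is not None and (not isinstance(cases, list) or len(cases) != 1):
        problems.append("cases must contain exactly one item")
    for i, case in enumerate(cases if isinstance(cases, list) else []):
        if not isinstance(case, dict) or case.get("status") not in SEVERITIES:
            problems.append(f"cases[{i}].status must be one of info,low,medium,high,critical")
        elif "notifications" in case and not _str_list(case["notifications"]):
            problems.append(f"cases[{i}].notifications must be a list of strings")

    # filters: action is optional in the table, but must be in the enum if set.
    for i, flt in enumerate(rule.get("filters") or []):
        if not isinstance(flt, dict) or flt.get("action", "require") not in FILTER_ACTIONS:
            problems.append(f"filters[{i}].action must be require or suppress")

    signal_opts = rule.get("complianceSignalOptions")
    if isinstance(signal_opts, dict):
        if not isinstance(signal_opts.get("userActivationStatus", False), bool):
            problems.append("complianceSignalOptions.userActivationStatus must be a boolean")
        if not _str_list(signal_opts.get("userGroupByFields", [])):
            problems.append("complianceSignalOptions.userGroupByFields must be a list of strings")

    options = rule.get("options")
    if isinstance(options, dict):
        cro = options.get("complianceRuleOptions")
        if isinstance(cro, dict):
            problems.extend(_lint_compliance_rule_options(cro))
        else:
            problems.append("options.complianceRuleOptions is required")
    return problems


# Constructed sample: the page's cloud_configuration example with the Rego
# policy text replaced by a short placeholder.
SAMPLE_RULE = {
    "type": "cloud_configuration",
    "name": "Example-Security-Monitoring_cloud",
    "isEnabled": False,
    "cases": [{"status": "info", "notifications": ["channel"]}],
    "options": {"complianceRuleOptions": {
        "resourceType": "gcp_compute_disk",
        "complexRule": False,
        "regoRule": {"policy": "package datadog\n# placeholder policy body\n",
                     "resourceTypes": ["gcp_compute_disk"]},
    }},
    "message": "ddd",
    "tags": ["my:tag"],
    "complianceSignalOptions": {"userActivationStatus": True,
                                "userGroupByFields": ["@account_id"]},
    "filters": [{"action": "require", "query": "resource_id:helo*"},
                {"action": "suppress", "query": "control:helo*"}],
}


def broken_sample():
    """Constructed counter-example that breaks several constraints at once."""
    rule = copy.deepcopy(SAMPLE_RULE)
    rule["cases"].append({"status": "urgent"})  # second case, severity not in enum
    rego = rule["options"]["complianceRuleOptions"]["regoRule"]
    rego["resourceTypes"] = ["example_type_a", "example_type_b"]  # placeholder names
    rule["filters"][0]["action"] = "drop"  # not in the filter action enum
    return rule


if __name__ == "__main__":
    for problem in lint_cloud_configuration_rule(broken_sample()):
        print("-", problem)
```

Running a check like this in CI before the create call catches a rule body that the schema would reject, or one whose `resourceType` and Rego resource types have drifted apart, before it reaches a production organization.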

### Response

{% tab title="200" %}
OK
{% tab title="Model" %}
Create a new rule.

| Parent field             | Field                           | Type     | Description                                                                                                                                                                                                                                                                                                                                                                                                      |
| ------------------------ | ------------------------------- | -------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|                          | Option 1                        | object   | Rule.                                                                                                                                                                                                                                                                                                                                                                                                            |
| Option 1                 | calculatedFields                | [object] | Calculated fields. Only allowed for scheduled rules - in other words, when schedulingOptions is also defined.                                                                                                                                                                                                                                                                                                    |
| calculatedFields         | expression [*required*]    | string   | Expression.                                                                                                                                                                                                                                                                                                                                                                                                      |
| calculatedFields         | name [*required*]          | string   | Field name.                                                                                                                                                                                                                                                                                                                                                                                                      |
| Option 1                 | cases                           | [object] | Cases for generating signals.                                                                                                                                                                                                                                                                                                                                                                                    |
| cases                    | actions                         | [object] | Action to perform for each rule case.                                                                                                                                                                                                                                                                                                                                                                            |
| actions                  | options                         | object   | Options for the rule action                                                                                                                                                                                                                                                                                                                                                                                      |
| options                  | duration                        | int64    | Duration of the action in seconds. 0 indicates no expiration.                                                                                                                                                                                                                                                                                                                                                    |
| options                  | flaggedIPType                   | enum     | Used with the case action of type 'flag_ip'. The value specified in this field is applied as a flag to the IP addresses. Allowed enum values: `SUSPICIOUS,FLAGGED`                                                                                                                                                                                                                                               |
| options                  | userBehaviorName                | string   | Used with the case action of type 'user_behavior'. The value specified in this field is applied as a risk tag to all users affected by the rule.                                                                                                                                                                                                                                                                 |
| actions                  | type                            | enum     | The action type. Allowed enum values: `block_ip,block_user,user_behavior,flag_ip`                                                                                                                                                                                                                                                                                                                                |
| cases                    | condition                       | string   | A rule case contains logical operations (`>`,`>=`, `&&`, `||`) to determine if a signal should be generated based on the event counts in the previously defined queries.                                                                                                                                                                                                                                         |
| cases                    | customStatus                    | enum     | Severity of the Security Signal. Allowed enum values: `info,low,medium,high,critical`                                                                                                                                                                                                                                                                                                                            |
| cases                    | name                            | string   | Name of the case.                                                                                                                                                                                                                                                                                                                                                                                                |
| cases                    | notifications                   | [string] | Notification targets for each rule case.                                                                                                                                                                                                                                                                                                                                                                         |
| cases                    | status                          | enum     | Severity of the Security Signal. Allowed enum values: `info,low,medium,high,critical`                                                                                                                                                                                                                                                                                                                            |
| Option 1                 | complianceSignalOptions         | object   | How to generate compliance signals. Useful for cloud_configuration rules only.                                                                                                                                                                                                                                                                                                                                   |
| complianceSignalOptions  | defaultActivationStatus         | boolean  | The default activation status.                                                                                                                                                                                                                                                                                                                                                                                   |
| complianceSignalOptions  | defaultGroupByFields            | [string] | The default group by fields.                                                                                                                                                                                                                                                                                                                                                                                     |
| complianceSignalOptions  | userActivationStatus            | boolean  | Whether signals will be sent.                                                                                                                                                                                                                                                                                                                                                                                    |
| complianceSignalOptions  | userGroupByFields               | [string] | Fields to use to group findings by when sending signals.                                                                                                                                                                                                                                                                                                                                                         |
| Option 1                 | createdAt                       | int64    | When the rule was created, timestamp in milliseconds.                                                                                                                                                                                                                                                                                                                                                            |
| Option 1                 | creationAuthorId                | int64    | User ID of the user who created the rule.                                                                                                                                                                                                                                                                                                                                                                        |
| Option 1                 | customMessage                   | string   | Custom/Overridden message for generated signals (used in case of Default rule update).                                                                                                                                                                                                                                                                                                                           |
| Option 1                 | customName                      | string   | Custom/Overridden name of the rule (used in case of Default rule update).                                                                                                                                                                                                                                                                                                                                        |
| Option 1                 | defaultTags                     | [string] | Default Tags for default rules (included in tags)                                                                                                                                                                                                                                                                                                                                                                |
| Option 1                 | deprecationDate                 | int64    | When the rule will be deprecated, timestamp in milliseconds.                                                                                                                                                                                                                                                                                                                                                     |
| Option 1                 | filters                         | [object] | Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules.                                                                                                                                                                                                                                              |
| filters                  | action                          | enum     | The type of filtering action. Allowed enum values: `require,suppress`                                                                                                                                                                                                                                                                                                                                            |
| filters                  | query                           | string   | Query for selecting logs to apply the filtering action.                                                                                                                                                                                                                                                                                                                                                          |
| Option 1                 | groupSignalsBy                  | [string] | Additional grouping to perform on top of the existing groups in the query section. Must be a subset of the existing groups.                                                                                                                                                                                                                                                                                      |
| Option 1                 | hasExtendedTitle                | boolean  | Whether the notifications include the triggering group-by values in their title.                                                                                                                                                                                                                                                                                                                                 |
| Option 1                 | id                              | string   | The ID of the rule.                                                                                                                                                                                                                                                                                                                                                                                              |
| Option 1                 | isDefault                       | boolean  | Whether the rule is included by default.                                                                                                                                                                                                                                                                                                                                                                         |
| Option 1                 | isDeleted                       | boolean  | Whether the rule has been deleted.                                                                                                                                                                                                                                                                                                                                                                               |
| Option 1                 | isEnabled                       | boolean  | Whether the rule is enabled.                                                                                                                                                                                                                                                                                                                                                                                     |
| Option 1                 | message                         | string   | Message for generated signals.                                                                                                                                                                                                                                                                                                                                                                                   |
| Option 1                 | name                            | string   | The name of the rule.                                                                                                                                                                                                                                                                                                                                                                                            |
| Option 1                 | options                         | object   | Options.                                                                                                                                                                                                                                                                                                                                                                                                         |
| options                  | anomalyDetectionOptions         | object   | Options on anomaly detection method.                                                                                                                                                                                                                                                                                                                                                                             |
| anomalyDetectionOptions  | bucketDuration                  | enum     | Duration in seconds of the time buckets used to aggregate events matched by the rule. Must be greater than or equal to 300. Allowed enum values: `300,600,900,1800,3600,10800`                                                                                                                                                                                                                                   |
| anomalyDetectionOptions  | detectionTolerance              | enum     | An optional parameter that sets how permissive anomaly detection is. Higher values require higher deviations before triggering a signal. Allowed enum values: `1,2,3,4,5`                                                                                                                                                                                                                                        |
| anomalyDetectionOptions  | instantaneousBaseline           | boolean  | When set to true, Datadog uses previous values that fall within the defined learning window to construct the baseline, enabling the system to establish an accurate baseline more rapidly rather than relying solely on gradual learning over time.                                                                                                                                                              |
| anomalyDetectionOptions  | learningDuration                | enum     | Learning duration in hours. Anomaly detection waits for at least this amount of historical data before it starts evaluating. Allowed enum values: `1,6,12,24,48,168,336`                                                                                                                                                                                                                                         |
| anomalyDetectionOptions  | learningPeriodBaseline          | int64    | An optional override baseline to apply while the rule is in the learning period. Must be greater than or equal to 0.                                                                                                                                                                                                                                                                                             |
| options                  | complianceRuleOptions           | object   | Options for cloud_configuration rules. Fields `resourceType` and `regoRule` are mandatory when managing custom `cloud_configuration` rules.                                                                                                                                                                                                                                                                      |
| complianceRuleOptions    | complexRule                     | boolean  | Whether the rule is a complex one. Must be set to true if `regoRule.resourceTypes` contains more than one item. Defaults to false.                                                                                                                                                                                                                                                                               |
| complianceRuleOptions    | regoRule                        | object   | Rule details.                                                                                                                                                                                                                                                                                                                                                                                                    |
| regoRule                 | policy [*required*]        | string   | The policy written in `rego`, see: [https://www.openpolicyagent.org/docs/latest/policy-language/](https://www.openpolicyagent.org/docs/latest/policy-language/)                                                                                                                                                                                                                                                  |
| regoRule                 | resourceTypes [*required*] | [string] | List of resource types that will be evaluated upon. Must have at least one element.                                                                                                                                                                                                                                                                                                                              |
| complianceRuleOptions    | resourceType                    | string   | Main resource type to be checked by the rule. It should be specified again in `regoRule.resourceTypes`.                                                                                                                                                                                                                                                                                                          |
| options                  | decreaseCriticalityBasedOnEnv   | boolean  | If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise. The severity is decreased by one level: `CRITICAL` in production becomes `HIGH` in non-production, `HIGH` becomes `MEDIUM` and so on. `INFO` remains `INFO`. The decrement is applied when the environment tag of the signal starts with `staging`, `test` or `dev`. |
| options                  | detectionMethod                 | enum     | The detection method. Allowed enum values: `threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold,sequence_detection`                                                                                                                                                                                                                                                  |
| options                  | evaluationWindow                | enum     | A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600`                                                                                                                                               |
| options                  | hardcodedEvaluatorType          | enum     | Hardcoded evaluator type. Allowed enum values: `log4shell`                                                                                                                                                                                                                                                                                                                                                       |
| options                  | impossibleTravelOptions         | object   | Options on impossible travel detection method.                                                                                                                                                                                                                                                                                                                                                                   |
| impossibleTravelOptions  | baselineUserLocations           | boolean  | If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.                                                                                                                                                                                                    |
| options                  | keepAlive                       | enum     | Once a signal is generated, the signal will remain "open" if a case is matched at least once within this keep alive window. For third party detection method, this field is not used. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600`                                                                                                                                                         |
| options                  | maxSignalDuration               | enum     | A signal will "close" regardless of the query being matched once the time exceeds the maximum duration. This time is calculated from the first seen timestamp. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600`                                                                                                                                                                                |
| options                  | newValueOptions                 | object   | Options on new value detection method.                                                                                                                                                                                                                                                                                                                                                                           |
| newValueOptions          | forgetAfter                     | enum     | The duration in days after which a learned value is forgotten. Allowed enum values: `1,2,7,14,21,28`                                                                                                                                                                                                                                                                                                             |
| newValueOptions          | instantaneousBaseline           | boolean  | When set to true, Datadog uses previous values that fall within the defined learning window to construct the baseline, enabling the system to establish an accurate baseline more rapidly rather than relying solely on gradual learning over time.                                                                                                                                                              |
| newValueOptions          | learningDuration                | enum     | The duration in days during which values are learned, and after which signals will be generated for values that weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned. Allowed enum values: `0,1,7`                                                                                                                                                       |
| newValueOptions          | learningMethod                  | enum     | The learning method used to determine when signals should be generated for values that weren't learned. Allowed enum values: `duration,threshold`                                                                                                                                                                                                                                                                |
| newValueOptions          | learningThreshold               | enum     | A number of occurrences after which signals will be generated for values that weren't learned. Allowed enum values: `0,1`                                                                                                                                                                                                                                                                                        |
| options                  | sequenceDetectionOptions        | object   | Options on sequence detection method.                                                                                                                                                                                                                                                                                                                                                                            |
| sequenceDetectionOptions | stepTransitions                 | [object] | Transitions defining the allowed order of steps and their evaluation windows.                                                                                                                                                                                                                                                                                                                                    |
| stepTransitions          | child                           | string   | Name of the child step.                                                                                                                                                                                                                                                                                                                                                                                          |
| stepTransitions          | evaluationWindow                | enum     | A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600`                                                                                                                                               |
| stepTransitions          | parent                          | string   | Name of the parent step.                                                                                                                                                                                                                                                                                                                                                                                         |
| sequenceDetectionOptions | steps                           | [object] | Steps that define the conditions to be matched in sequence.                                                                                                                                                                                                                                                                                                                                                      |
| steps                    | condition                       | string   | Condition referencing rule queries (e.g., `a > 0`).                                                                                                                                                                                                                                                                                                                                                              |
| steps                    | evaluationWindow                | enum     | A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600`                                                                                                                                               |
| steps                    | name                            | string   | Unique name identifying the step.                                                                                                                                                                                                                                                                                                                                                                                |
| options                  | thirdPartyRuleOptions           | object   | Options on third party detection method.                                                                                                                                                                                                                                                                                                                                                                         |
| thirdPartyRuleOptions    | defaultNotifications            | [string] | Notification targets for the logs that do not correspond to any of the cases.                                                                                                                                                                                                                                                                                                                                    |
| thirdPartyRuleOptions    | defaultStatus                   | enum     | Severity of the Security Signal. Allowed enum values: `info,low,medium,high,critical`                                                                                                                                                                                                                                                                                                                            |
| thirdPartyRuleOptions    | rootQueries                     | [object] | Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.                                                                                                                                                                                                                                                      |
| rootQueries              | groupByFields                   | [string] | Fields to group by.                                                                                                                                                                                                                                                                                                                                                                                              |
| rootQueries              | query                           | string   | Query to run on logs.                                                                                                                                                                                                                                                                                                                                                                                            |
| thirdPartyRuleOptions    | signalTitleTemplate             | string   | A template for the signal title; if omitted, the title is generated based on the case name.                                                                                                                                                                                                                                                                                                                      |
| Option 1                 | queries                         | [object] | Queries for selecting logs which are part of the rule.                                                                                                                                                                                                                                                                                                                                                           |
| queries                  | aggregation                     | enum     | The aggregation type. Allowed enum values: `count,cardinality,sum,max,new_value,geo_data,event_count,none`                                                                                                                                                                                                                                                                                                       |
| queries                  | customQueryExtension            | string   | Query extension to append to the logs query.                                                                                                                                                                                                                                                                                                                                                                     |
| queries                  | dataSource                      | enum     | Source of events, either logs, audit trail, or Datadog events. `app_sec_spans` is deprecated in favor of `spans`. Allowed enum values: `logs,audit,app_sec_spans,spans,security_runtime,network,events`                                                                                                                                                                                                          |
| queries                  | distinctFields                  | [string] | Field for which the cardinality is measured. Sent as an array.                                                                                                                                                                                                                                                                                                                                                   |
| queries                  | groupByFields                   | [string] | Fields to group by.                                                                                                                                                                                                                                                                                                                                                                                              |
| queries                  | hasOptionalGroupByFields        | boolean  | When false, events without a group-by value are ignored by the rule. When true, events with missing group-by fields are processed with `N/A`, replacing the missing values.                                                                                                                                                                                                                                      |
| queries                  | index                           | string   | **This field is currently unstable and might be removed in a minor version upgrade.** The index to run the query on, if the `dataSource` is `logs`. Only used for scheduled rules - in other words, when the `schedulingOptions` field is present in the rule payload.                                                                                                                                           |
| queries                  | indexes                         | [string] | List of indexes to query when the `dataSource` is `logs`. Only used for scheduled rules, that is, when the `schedulingOptions` field is present in the rule payload.                                                                                                                                                                                                                                             |
| queries                  | metric                          | string   | **DEPRECATED**: The target field to aggregate over when using the sum or max aggregations. Use the `metrics` field instead.                                                                                                                                                                                                                                                                                      |
| queries                  | metrics                         | [string] | Group of target fields to aggregate over when using the sum, max, geo data, or new value aggregations. The sum, max, and geo data aggregations only accept one value in this list, whereas the new value aggregation accepts up to five values.                                                                                                                                                                  |
| queries                  | name                            | string   | Name of the query.                                                                                                                                                                                                                                                                                                                                                                                               |
| queries                  | query                           | string   | Query to run on logs.                                                                                                                                                                                                                                                                                                                                                                                            |
| Option 1                 | referenceTables                 | [object] | Reference tables for the rule.                                                                                                                                                                                                                                                                                                                                                                                   |
| referenceTables          | checkPresence                   | boolean  | Whether to include or exclude the matched values.                                                                                                                                                                                                                                                                                                                                                                |
| referenceTables          | columnName                      | string   | The name of the column in the reference table.                                                                                                                                                                                                                                                                                                                                                                   |
| referenceTables          | logFieldPath                    | string   | The field in the log to match against the reference table.                                                                                                                                                                                                                                                                                                                                                       |
| referenceTables          | ruleQueryName                   | string   | The name of the query to apply the reference table to.                                                                                                                                                                                                                                                                                                                                                           |
| referenceTables          | tableName                       | string   | The name of the reference table.                                                                                                                                                                                                                                                                                                                                                                                 |
| Option 1                 | schedulingOptions               | object   | Options for scheduled rules. When this field is present, the rule runs based on the schedule. When absent, it runs real-time on ingested logs.                                                                                                                                                                                                                                                                   |
| schedulingOptions        | rrule                           | string   | Schedule for the rule queries, written in RRULE syntax. See [RFC](https://icalendar.org/iCalendar-RFC-5545/3-8-5-3-recurrence-rule.html) for syntax reference.                                                                                                                                                                                                                                                   |
| schedulingOptions        | start                           | string   | Start date for the schedule, in ISO 8601 format without timezone.                                                                                                                                                                                                                                                                                                                                                |
| schedulingOptions        | timezone                        | string   | Time zone of the start date, in the [tz database](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones) format.                                                                                                                                                                                                                                                                                          |
| Option 1                 | tags                            | [string] | Tags for generated signals.                                                                                                                                                                                                                                                                                                                                                                                      |
| Option 1                 | thirdPartyCases                 | [object] | Cases for generating signals from third-party rules. Only available for third-party rules.                                                                                                                                                                                                                                                                                                                       |
| thirdPartyCases          | customStatus                    | enum     | Severity of the Security Signal. Allowed enum values: `info,low,medium,high,critical`                                                                                                                                                                                                                                                                                                                            |
| thirdPartyCases          | name                            | string   | Name of the case.                                                                                                                                                                                                                                                                                                                                                                                                |
| thirdPartyCases          | notifications                   | [string] | Notification targets for each rule case.                                                                                                                                                                                                                                                                                                                                                                         |
| thirdPartyCases          | query                           | string   | A query to map a third party event to this case.                                                                                                                                                                                                                                                                                                                                                                 |
| thirdPartyCases          | status                          | enum     | Severity of the Security Signal. Allowed enum values: `info,low,medium,high,critical`                                                                                                                                                                                                                                                                                                                            |
| Option 1                 | type                            | enum     | The rule type. Allowed enum values: `log_detection,infrastructure_configuration,workload_security,cloud_configuration,application_security,api_security,workload_activity`                                                                                                                                                                                                                                       |
| Option 1                 | updateAuthorId                  | int64    | User ID of the user who updated the rule.                                                                                                                                                                                                                                                                                                                                                                        |
| Option 1                 | updatedAt                       | int64    | The date the rule was last updated, in milliseconds.                                                                                                                                                                                                                                                                                                                                                             |
| Option 1                 | version                         | int64    | The version of the rule.                                                                                                                                                                                                                                                                                                                                                                                         |
|                          | Option 2                        | object   | Rule.                                                                                                                                                                                                                                                                                                                                                                                                            |
| Option 2                 | cases                           | [object] | Cases for generating signals.                                                                                                                                                                                                                                                                                                                                                                                    |
| cases                    | actions                         | [object] | Action to perform for each rule case.                                                                                                                                                                                                                                                                                                                                                                            |
| actions                  | options                         | object   | Options for the rule action                                                                                                                                                                                                                                                                                                                                                                                      |
| options                  | duration                        | int64    | Duration of the action in seconds. 0 indicates no expiration.                                                                                                                                                                                                                                                                                                                                                    |
| options                  | flaggedIPType                   | enum     | Used with the case action of type 'flag_ip'. The value specified in this field is applied as a flag to the IP addresses. Allowed enum values: `SUSPICIOUS,FLAGGED`                                                                                                                                                                                                                                               |
| options                  | userBehaviorName                | string   | Used with the case action of type 'user_behavior'. The value specified in this field is applied as a risk tag to all users affected by the rule.                                                                                                                                                                                                                                                                 |
| actions                  | type                            | enum     | The action type. Allowed enum values: `block_ip,block_user,user_behavior,flag_ip`                                                                                                                                                                                                                                                                                                                                |
| cases                    | condition                       | string   | A rule case contains logical operations (`>`,`>=`, `&&`, `||`) to determine if a signal should be generated based on the event counts in the previously defined queries.                                                                                                                                                                                                                                         |
| cases                    | customStatus                    | enum     | Severity of the Security Signal. Allowed enum values: `info,low,medium,high,critical`                                                                                                                                                                                                                                                                                                                            |
| cases                    | name                            | string   | Name of the case.                                                                                                                                                                                                                                                                                                                                                                                                |
| cases                    | notifications                   | [string] | Notification targets for each rule case.                                                                                                                                                                                                                                                                                                                                                                         |
| cases                    | status                          | enum     | Severity of the Security Signal. Allowed enum values: `info,low,medium,high,critical`                                                                                                                                                                                                                                                                                                                            |
| Option 2                 | createdAt                       | int64    | When the rule was created, timestamp in milliseconds.                                                                                                                                                                                                                                                                                                                                                            |
| Option 2                 | creationAuthorId                | int64    | User ID of the user who created the rule.                                                                                                                                                                                                                                                                                                                                                                        |
| Option 2                 | customMessage                   | string   | Custom/Overridden message for generated signals (used in case of Default rule update).                                                                                                                                                                                                                                                                                                                           |
| Option 2                 | customName                      | string   | Custom/Overridden name of the rule (used in case of Default rule update).                                                                                                                                                                                                                                                                                                                                        |
| Option 2                 | deprecationDate                 | int64    | When the rule will be deprecated, timestamp in milliseconds.                                                                                                                                                                                                                                                                                                                                                     |
| Option 2                 | filters                         | [object] | Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules.                                                                                                                                                                                                                                              |
| filters                  | action                          | enum     | The type of filtering action. Allowed enum values: `require,suppress`                                                                                                                                                                                                                                                                                                                                            |
| filters                  | query                           | string   | Query for selecting logs to apply the filtering action.                                                                                                                                                                                                                                                                                                                                                          |
| Option 2                 | hasExtendedTitle                | boolean  | Whether the notifications include the triggering group-by values in their title.                                                                                                                                                                                                                                                                                                                                 |
| Option 2                 | id                              | string   | The ID of the rule.                                                                                                                                                                                                                                                                                                                                                                                              |
| Option 2                 | isDefault                       | boolean  | Whether the rule is included by default.                                                                                                                                                                                                                                                                                                                                                                         |
| Option 2                 | isDeleted                       | boolean  | Whether the rule has been deleted.                                                                                                                                                                                                                                                                                                                                                                               |
| Option 2                 | isEnabled                       | boolean  | Whether the rule is enabled.                                                                                                                                                                                                                                                                                                                                                                                     |
| Option 2                 | message                         | string   | Message for generated signals.                                                                                                                                                                                                                                                                                                                                                                                   |
| Option 2                 | name                            | string   | The name of the rule.                                                                                                                                                                                                                                                                                                                                                                                            |
| Option 2                 | options                         | object   | Options.                                                                                                                                                                                                                                                                                                                                                                                                         |
| options                  | anomalyDetectionOptions         | object   | Options on anomaly detection method.                                                                                                                                                                                                                                                                                                                                                                             |
| anomalyDetectionOptions  | bucketDuration                  | enum     | Duration in seconds of the time buckets used to aggregate events matched by the rule. Must be greater than or equal to 300. Allowed enum values: `300,600,900,1800,3600,10800`                                                                                                                                                                                                                                   |
| anomalyDetectionOptions  | detectionTolerance              | enum     | An optional parameter that sets how permissive anomaly detection is. Higher values require higher deviations before triggering a signal. Allowed enum values: `1,2,3,4,5`                                                                                                                                                                                                                                        |
| anomalyDetectionOptions  | instantaneousBaseline           | boolean  | When set to true, Datadog uses previous values that fall within the defined learning window to construct the baseline, enabling the system to establish an accurate baseline more rapidly rather than relying solely on gradual learning over time.                                                                                                                                                              |
| anomalyDetectionOptions  | learningDuration                | enum     | Learning duration in hours. Anomaly detection waits for at least this amount of historical data before it starts evaluating. Allowed enum values: `1,6,12,24,48,168,336`                                                                                                                                                                                                                                         |
| anomalyDetectionOptions  | learningPeriodBaseline          | int64    | An optional override baseline to apply while the rule is in the learning period. Must be greater than or equal to 0.                                                                                                                                                                                                                                                                                             |
| options                  | complianceRuleOptions           | object   | Options for cloud_configuration rules. Fields `resourceType` and `regoRule` are mandatory when managing custom `cloud_configuration` rules.                                                                                                                                                                                                                                                                      |
| complianceRuleOptions    | complexRule                     | boolean  | Whether the rule is a complex one. Must be set to true if `regoRule.resourceTypes` contains more than one item. Defaults to false.                                                                                                                                                                                                                                                                               |
| complianceRuleOptions    | regoRule                        | object   | Rule details.                                                                                                                                                                                                                                                                                                                                                                                                    |
| regoRule                 | policy [*required*]        | string   | The policy written in `rego`, see: [https://www.openpolicyagent.org/docs/latest/policy-language/](https://www.openpolicyagent.org/docs/latest/policy-language/)                                                                                                                                                                                                                                                  |
| regoRule                 | resourceTypes [*required*] | [string] | List of resource types that will be evaluated upon. Must have at least one element.                                                                                                                                                                                                                                                                                                                              |
| complianceRuleOptions    | resourceType                    | string   | Main resource type to be checked by the rule. It should be specified again in `regoRule.resourceTypes`.                                                                                                                                                                                                                                                                                                          |
| options                  | decreaseCriticalityBasedOnEnv   | boolean  | If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise. The severity is decreased by one level: `CRITICAL` in production becomes `HIGH` in non-production, `HIGH` becomes `MEDIUM` and so on. `INFO` remains `INFO`. The decrement is applied when the environment tag of the signal starts with `staging`, `test` or `dev`. |
| options                  | detectionMethod                 | enum     | The detection method. Allowed enum values: `threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold,sequence_detection`                                                                                                                                                                                                                                                  |
| options                  | evaluationWindow                | enum     | A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600`                                                                                                                                               |
| options                  | hardcodedEvaluatorType          | enum     | Hardcoded evaluator type. Allowed enum values: `log4shell`                                                                                                                                                                                                                                                                                                                                                       |
| options                  | impossibleTravelOptions         | object   | Options on impossible travel detection method.                                                                                                                                                                                                                                                                                                                                                                   |
| impossibleTravelOptions  | baselineUserLocations           | boolean  | If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.                                                                                                                                                                                                    |
| options                  | keepAlive                       | enum     | Once a signal is generated, the signal will remain "open" if a case is matched at least once within this keep alive window. For third party detection method, this field is not used. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600`                                                                                                                                                         |
| options                  | maxSignalDuration               | enum     | A signal will "close" regardless of the query being matched once the time exceeds the maximum duration. This time is calculated from the first seen timestamp. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600`                                                                                                                                                                                |
| options                  | newValueOptions                 | object   | Options on new value detection method.                                                                                                                                                                                                                                                                                                                                                                           |
| newValueOptions          | forgetAfter                     | enum     | The duration in days after which a learned value is forgotten. Allowed enum values: `1,2,7,14,21,28`                                                                                                                                                                                                                                                                                                             |
| newValueOptions          | instantaneousBaseline           | boolean  | When set to true, Datadog uses previous values that fall within the defined learning window to construct the baseline, enabling the system to establish an accurate baseline more rapidly rather than relying solely on gradual learning over time.                                                                                                                                                              |
| newValueOptions          | learningDuration                | enum     | The duration in days during which values are learned, and after which signals will be generated for values that weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned. Allowed enum values: `0,1,7`                                                                                                                                                       |
| newValueOptions          | learningMethod                  | enum     | The learning method used to determine when signals should be generated for values that weren't learned. Allowed enum values: `duration,threshold`                                                                                                                                                                                                                                                                |
| newValueOptions          | learningThreshold               | enum     | A number of occurrences after which signals will be generated for values that weren't learned. Allowed enum values: `0,1`                                                                                                                                                                                                                                                                                        |
| options                  | sequenceDetectionOptions        | object   | Options on sequence detection method.                                                                                                                                                                                                                                                                                                                                                                            |
| sequenceDetectionOptions | stepTransitions                 | [object] | Transitions defining the allowed order of steps and their evaluation windows.                                                                                                                                                                                                                                                                                                                                    |
| stepTransitions          | child                           | string   | Name of the child step.                                                                                                                                                                                                                                                                                                                                                                                          |
| stepTransitions          | evaluationWindow                | enum     | A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600`                                                                                                                                               |
| stepTransitions          | parent                          | string   | Name of the parent step.                                                                                                                                                                                                                                                                                                                                                                                         |
| sequenceDetectionOptions | steps                           | [object] | Steps that define the conditions to be matched in sequence.                                                                                                                                                                                                                                                                                                                                                      |
| steps                    | condition                       | string   | Condition referencing rule queries (e.g., `a > 0`).                                                                                                                                                                                                                                                                                                                                                              |
| steps                    | evaluationWindow                | enum     | A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600`                                                                                                                                               |
| steps                    | name                            | string   | Unique name identifying the step.                                                                                                                                                                                                                                                                                                                                                                                |
| options                  | thirdPartyRuleOptions           | object   | Options on third party detection method.                                                                                                                                                                                                                                                                                                                                                                         |
| thirdPartyRuleOptions    | defaultNotifications            | [string] | Notification targets for the logs that do not correspond to any of the cases.                                                                                                                                                                                                                                                                                                                                    |
| thirdPartyRuleOptions    | defaultStatus                   | enum     | Severity of the Security Signal. Allowed enum values: `info,low,medium,high,critical`                                                                                                                                                                                                                                                                                                                            |
| thirdPartyRuleOptions    | rootQueries                     | [object] | Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.                                                                                                                                                                                                                                                      |
| rootQueries              | groupByFields                   | [string] | Fields to group by.                                                                                                                                                                                                                                                                                                                                                                                              |
| rootQueries              | query                           | string   | Query to run on logs.                                                                                                                                                                                                                                                                                                                                                                                            |
| thirdPartyRuleOptions    | signalTitleTemplate             | string   | A template for the signal title; if omitted, the title is generated based on the case name.                                                                                                                                                                                                                                                                                                                      |
| Option 2                 | queries                         | [object] | Queries for selecting logs which are part of the rule.                                                                                                                                                                                                                                                                                                                                                           |
| queries                  | aggregation                     | enum     | The aggregation type. Allowed enum values: `count,cardinality,sum,max,new_value,geo_data,event_count,none`                                                                                                                                                                                                                                                                                                       |
| queries                  | correlatedByFields              | [string] | Fields to correlate by.                                                                                                                                                                                                                                                                                                                                                                                          |
| queries                  | correlatedQueryIndex            | int32    | Index of the rule query used to retrieve the correlated field.                                                                                                                                                                                                                                                                                                                                                   |
| queries                  | defaultRuleId                   | string   | Default Rule ID to match on signals.                                                                                                                                                                                                                                                                                                                                                                             |
| queries                  | distinctFields                  | [string] | Field for which the cardinality is measured. Sent as an array.                                                                                                                                                                                                                                                                                                                                                   |
| queries                  | groupByFields                   | [string] | Fields to group by.                                                                                                                                                                                                                                                                                                                                                                                              |
| queries                  | metrics                         | [string] | Group of target fields to aggregate over.                                                                                                                                                                                                                                                                                                                                                                        |
| queries                  | name                            | string   | Name of the query.                                                                                                                                                                                                                                                                                                                                                                                               |
| queries                  | ruleId                          | string   | Rule ID to match on signals.                                                                                                                                                                                                                                                                                                                                                                                     |
| Option 2                 | tags                            | [string] | Tags for generated signals.                                                                                                                                                                                                                                                                                                                                                                                      |
| Option 2                 | type                            | enum     | The rule type. Allowed enum values: `signal_correlation`                                                                                                                                                                                                                                                                                                                                                         |
| Option 2                 | updateAuthorId                  | int64    | User ID of the user who updated the rule.                                                                                                                                                                                                                                                                                                                                                                        |
| Option 2                 | version                         | int64    | The version of the rule.                                                                                                                                                                                                                                                                                                                                                                                         |
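
A pre-submission lint for the `sequenceDetectionOptions` object described in the table, added here as an illustration; it is not code from Datadog's client or documentation. It checks what the table states (unique step names, transitions whose `parent` and `child` name defined steps, `evaluationWindow` taken from the listed enum); the no-cycle check is an assumption of this example, and both JSON samples are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// evaluationWindow values (seconds) listed as allowed in the table above.
var allowedWindows = map[int]bool{0: true, 60: true, 300: true, 600: true, 900: true,
	1800: true, 3600: true, 7200: true, 10800: true, 21600: true}

type seqStep struct {
	Name   string `json:"name"`
	Window int    `json:"evaluationWindow"`
}
type seqTransition struct {
	Parent string `json:"parent"`
	Child  string `json:"child"`
	Window int    `json:"evaluationWindow"`
}
type seqOptions struct {
	Steps       []seqStep       `json:"steps"`
	Transitions []seqTransition `json:"stepTransitions"`
}

// LintSequenceOptions decodes a sequenceDetectionOptions object and returns the
// problems found, in document order. An empty result means every check passed.
func LintSequenceOptions(raw []byte) ([]string, error) {
	var opts seqOptions
	if err := json.Unmarshal(raw, &opts); err != nil {
		return nil, fmt.Errorf("decode sequenceDetectionOptions: %w", err)
	}
	var problems []string
	add := func(format string, args ...interface{}) { problems = append(problems, fmt.Sprintf(format, args...)) }
	known := map[string]bool{}
	for i, s := range opts.Steps {
		switch {
		case s.Name == "":
			add("steps[%d]: empty name", i)
		case known[s.Name]:
			add("steps[%d]: duplicate name %q", i, s.Name)
		default:
			known[s.Name] = true
		}
		if !allowedWindows[s.Window] {
			add("steps[%d]: evaluationWindow %d is not an allowed value", i, s.Window)
		}
	}
	children := map[string][]string{}
	for i, t := range opts.Transitions {
		for _, ref := range []string{t.Parent, t.Child} {
			if !known[ref] {
				add("stepTransitions[%d]: unknown step %q", i, ref)
			}
		}
		if !allowedWindows[t.Window] {
			add("stepTransitions[%d]: evaluationWindow %d is not an allowed value", i, t.Window)
		}
		children[t.Parent] = append(children[t.Parent], t.Child)
	}
	// Assumption of this example: transitions define an ordering, so a cycle is reported.
	state := map[string]int{} // 0 = unvisited, 1 = on the current path, 2 = finished
	var onCycle func(n string) bool
	onCycle = func(n string) bool {
		if state[n] != 0 {
			return state[n] == 1
		}
		state[n] = 1
		for _, c := range children[n] {
			if onCycle(c) {
				return true
			}
		}
		state[n] = 2
		return false
	}
	for _, s := range opts.Steps {
		if onCycle(s.Name) {
			add("stepTransitions: cycle reachable from step %q", s.Name)
			break
		}
	}
	return problems, nil
}

// Constructed samples, not taken from the page.
const goodSeq = `{"steps": [{"name": "failed_logins", "condition": "a > 5", "evaluationWindow": 300},
  {"name": "login_ok", "condition": "b > 0", "evaluationWindow": 300}],
  "stepTransitions": [{"parent": "failed_logins", "child": "login_ok", "evaluationWindow": 900}]}`
const badSeq = `{"steps": [{"name": "recon", "condition": "a > 0", "evaluationWindow": 120},
  {"name": "recon", "condition": "b > 0", "evaluationWindow": 300},
  {"name": "access", "condition": "c > 0", "evaluationWindow": 300}],
  "stepTransitions": [{"parent": "recon", "child": "access", "evaluationWindow": 900},
  {"parent": "access", "child": "recon", "evaluationWindow": 900},
  {"parent": "access", "child": "exfil", "evaluationWindow": 45}]}`

func main() {
	for _, doc := range []string{goodSeq, badSeq} {
		fmt.Println(LintSequenceOptions([]byte(doc)))
	}
}
```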

{% /tab %}

{% tab title="Example" %}

```json
{
  "calculatedFields": [
    {
      "expression": "@request_end_timestamp - @request_start_timestamp",
      "name": "response_time"
    }
  ],
  "cases": [
    {
      "actions": [
        {
          "options": {
            "duration": 0,
            "flaggedIPType": "FLAGGED",
            "userBehaviorName": "string"
          },
          "type": "string"
        }
      ],
      "condition": "string",
      "customStatus": "critical",
      "name": "string",
      "notifications": [],
      "status": "critical"
    }
  ],
  "complianceSignalOptions": {
    "defaultActivationStatus": false,
    "defaultGroupByFields": [],
    "userActivationStatus": false,
    "userGroupByFields": []
  },
  "createdAt": "integer",
  "creationAuthorId": "integer",
  "customMessage": "string",
  "customName": "string",
  "defaultTags": [
    "security:attacks"
  ],
  "deprecationDate": "integer",
  "filters": [
    {
      "action": "string",
      "query": "string"
    }
  ],
  "groupSignalsBy": [
    "service"
  ],
  "hasExtendedTitle": false,
  "id": "string",
  "isDefault": false,
  "isDeleted": false,
  "isEnabled": false,
  "message": "string",
  "name": "string",
  "options": {
    "anomalyDetectionOptions": {
      "bucketDuration": 300,
      "detectionTolerance": 5,
      "instantaneousBaseline": false,
      "learningDuration": "integer",
      "learningPeriodBaseline": "integer"
    },
    "complianceRuleOptions": {
      "complexRule": false,
      "regoRule": {
        "policy": "package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(resource) = \"skip\" if {\n  # Logic that evaluates to true if the resource should be skipped\n  true\n} else = \"pass\" {\n  # Logic that evaluates to true if the resource is compliant\n  true\n} else = \"fail\" {\n  # Logic that evaluates to true if the resource is not compliant\n  true\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n  some resource in input.resources[input.main_resource_type]\n  result := dd_output.format(resource, eval(resource))\n}",
        "resourceTypes": [
          "gcp_iam_service_account",
          "gcp_iam_policy"
        ]
      },
      "resourceType": "aws_acm"
    },
    "decreaseCriticalityBasedOnEnv": false,
    "detectionMethod": "string",
    "evaluationWindow": "integer",
    "hardcodedEvaluatorType": "string",
    "impossibleTravelOptions": {
      "baselineUserLocations": true
    },
    "keepAlive": "integer",
    "maxSignalDuration": "integer",
    "newValueOptions": {
      "forgetAfter": "integer",
      "instantaneousBaseline": false,
      "learningDuration": "integer",
      "learningMethod": "string",
      "learningThreshold": "integer"
    },
    "sequenceDetectionOptions": {
      "stepTransitions": [
        {
          "child": "string",
          "evaluationWindow": "integer",
          "parent": "string"
        }
      ],
      "steps": [
        {
          "condition": "string",
          "evaluationWindow": "integer",
          "name": "string"
        }
      ]
    },
    "thirdPartyRuleOptions": {
      "defaultNotifications": [],
      "defaultStatus": "critical",
      "rootQueries": [
        {
          "groupByFields": [],
          "query": "source:cloudtrail"
        }
      ],
      "signalTitleTemplate": "string"
    }
  },
  "queries": [
    {
      "aggregation": "string",
      "customQueryExtension": "a > 3",
      "dataSource": "logs",
      "distinctFields": [],
      "groupByFields": [],
      "hasOptionalGroupByFields": false,
      "index": "string",
      "indexes": [],
      "metric": "string",
      "metrics": [],
      "name": "string",
      "query": "a > 3"
    }
  ],
  "referenceTables": [
    {
      "checkPresence": false,
      "columnName": "string",
      "logFieldPath": "string",
      "ruleQueryName": "string",
      "tableName": "string"
    }
  ],
  "schedulingOptions": {
    "rrule": "FREQ=HOURLY;INTERVAL=1;",
    "start": "2025-07-14T12:00:00",
    "timezone": "America/New_York"
  },
  "tags": [],
  "thirdPartyCases": [
    {
      "customStatus": "critical",
      "name": "string",
      "notifications": [],
      "query": "string",
      "status": "critical"
    }
  ],
  "type": "string",
  "updateAuthorId": "integer",
  "updatedAt": "integer",
  "version": "integer"
}
```

{% /tab %}

{% /tab %}

{% tab title="400" %}
Bad Request
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="403" %}
Not Authorized
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="429" %}
Too many requests
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

### Code Example

##### Create a cloud_configuration rule returns "OK" response

```bash
# Curl command
# Use the API host for your Datadog site: api.ap1.datadoghq.com, api.ap2.datadoghq.com,
# api.datadoghq.eu, api.ddog-gov.com, api.datadoghq.com, api.us3.datadoghq.com or api.us5.datadoghq.com
curl -X POST "https://api.datadoghq.com/api/v2/security_monitoring/rules" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "type": "cloud_configuration",
  "name": "Example-Security-Monitoring_cloud",
  "isEnabled": false,
  "cases": [
    {
      "status": "info",
      "notifications": [
        "channel"
      ]
    }
  ],
  "options": {
    "complianceRuleOptions": {
      "resourceType": "gcp_compute_disk",
      "complexRule": false,
      "regoRule": {
        "policy": "package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nmilliseconds_in_a_day := ((1000 * 60) * 60) * 24\n\neval(iam_service_account_key) = \"skip\" if {\n\tiam_service_account_key.disabled\n} else = \"pass\" if {\n\t(iam_service_account_key.resource_seen_at / milliseconds_in_a_day) - (iam_service_account_key.valid_after_time / milliseconds_in_a_day) <= 90\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n",
        "resourceTypes": [
          "gcp_compute_disk"
        ]
      }
    }
  },
  "message": "ddd",
  "tags": [
    "my:tag"
  ],
  "complianceSignalOptions": {
    "userActivationStatus": true,
    "userGroupByFields": [
      "@account_id"
    ]
  },
  "filters": [
    {
      "action": "require",
      "query": "resource_id:helo*"
    },
    {
      "action": "suppress",
      "query": "control:helo*"
    }
  ]
}
EOF
```

##### Create a detection rule returns "OK" response

```bash
# Curl command
# Use the API host for your Datadog site: api.ap1.datadoghq.com, api.ap2.datadoghq.com,
# api.datadoghq.eu, api.ddog-gov.com, api.datadoghq.com, api.us3.datadoghq.com or api.us5.datadoghq.com
curl -X POST "https://api.datadoghq.com/api/v2/security_monitoring/rules" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "name": "Example-Security-Monitoring",
  "queries": [
    {
      "query": "@test:true",
      "aggregation": "count",
      "groupByFields": [],
      "distinctFields": [],
      "metric": ""
    }
  ],
  "filters": [],
  "cases": [
    {
      "name": "",
      "status": "info",
      "condition": "a > 0",
      "notifications": []
    }
  ],
  "options": {
    "evaluationWindow": 900,
    "keepAlive": 3600,
    "maxSignalDuration": 86400
  },
  "message": "Test rule",
  "tags": [],
  "isEnabled": true,
  "type": "log_detection",
  "referenceTables": [
    {
      "tableName": "synthetics_test_reference_table_dont_delete",
      "columnName": "value",
      "logFieldPath": "testtag",
      "checkPresence": true,
      "ruleQueryName": "a"
    }
  ]
}
EOF
```

##### Create a detection rule with detection method 'anomaly_detection' returns "OK" response

```bash
# Curl command
# Use the API host for your Datadog site: api.ap1.datadoghq.com, api.ap2.datadoghq.com,
# api.datadoghq.eu, api.ddog-gov.com, api.datadoghq.com, api.us3.datadoghq.com or api.us5.datadoghq.com
curl -X POST "https://api.datadoghq.com/api/v2/security_monitoring/rules" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "name": "Example-Security-Monitoring",
  "type": "log_detection",
  "isEnabled": true,
  "queries": [
    {
      "aggregation": "count",
      "dataSource": "logs",
      "distinctFields": [],
      "groupByFields": [
        "@usr.email",
        "@network.client.ip"
      ],
      "hasOptionalGroupByFields": false,
      "name": "",
      "query": "service:app status:error"
    }
  ],
  "cases": [
    {
      "name": "",
      "status": "info",
      "notifications": [],
      "condition": "a > 0.995"
    }
  ],
  "message": "An anomaly detection rule",
  "options": {
    "detectionMethod": "anomaly_detection",
    "evaluationWindow": 900,
    "keepAlive": 3600,
    "maxSignalDuration": 86400,
    "anomalyDetectionOptions": {
      "bucketDuration": 300,
      "learningDuration": 24,
      "detectionTolerance": 3,
      "learningPeriodBaseline": 10
    }
  },
  "tags": [],
  "filters": []
}
EOF
```

##### Create a cloud_configuration rule returns "OK" response

```go
// Create a cloud_configuration rule returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	body := datadogV2.SecurityMonitoringRuleCreatePayload{
		CloudConfigurationRuleCreatePayload: &datadogV2.CloudConfigurationRuleCreatePayload{
			Type:      datadogV2.CLOUDCONFIGURATIONRULETYPE_CLOUD_CONFIGURATION.Ptr(),
			Name:      "Example-Security-Monitoring_cloud",
			IsEnabled: false,
			Cases: []datadogV2.CloudConfigurationRuleCaseCreate{
				{
					Status: datadogV2.SECURITYMONITORINGRULESEVERITY_INFO,
					Notifications: []string{
						"channel",
					},
				},
			},
			Options: datadogV2.CloudConfigurationRuleOptions{
				ComplianceRuleOptions: datadogV2.CloudConfigurationComplianceRuleOptions{
					ResourceType: datadog.PtrString("gcp_compute_disk"),
					ComplexRule:  datadog.PtrBool(false),
					RegoRule: &datadogV2.CloudConfigurationRegoRule{
						Policy: `package datadog

import data.datadog.output as dd_output

import future.keywords.contains
import future.keywords.if
import future.keywords.in

milliseconds_in_a_day := ((1000 * 60) * 60) * 24

eval(iam_service_account_key) = "skip" if {
	iam_service_account_key.disabled
} else = "pass" if {
	(iam_service_account_key.resource_seen_at / milliseconds_in_a_day) - (iam_service_account_key.valid_after_time / milliseconds_in_a_day) <= 90
} else = "fail"

# This part remains unchanged for all rules
results contains result if {
	some resource in input.resources[input.main_resource_type]
	result := dd_output.format(resource, eval(resource))
}
`,
						ResourceTypes: []string{
							"gcp_compute_disk",
						},
					},
				},
			},
			Message: "ddd",
			Tags: []string{
				"my:tag",
			},
			ComplianceSignalOptions: datadogV2.CloudConfigurationRuleComplianceSignalOptions{
				UserActivationStatus: *datadog.NewNullableBool(datadog.PtrBool(true)),
				UserGroupByFields: *datadog.NewNullableList(&[]string{
					"@account_id",
				}),
			},
			Filters: []datadogV2.SecurityMonitoringFilter{
				{
					Action: datadogV2.SECURITYMONITORINGFILTERACTION_REQUIRE.Ptr(),
					Query:  datadog.PtrString("resource_id:helo*"),
				},
				{
					Action: datadogV2.SECURITYMONITORINGFILTERACTION_SUPPRESS.Ptr(),
					Query:  datadog.PtrString("control:helo*"),
				},
			},
		}}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.CreateSecurityMonitoringRule(ctx, body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.CreateSecurityMonitoringRule`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.CreateSecurityMonitoringRule`:\n%s\n", responseContent)
}
```

##### Create a detection rule returns "OK" response

```go
// Create a detection rule returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	body := datadogV2.SecurityMonitoringRuleCreatePayload{
		SecurityMonitoringStandardRuleCreatePayload: &datadogV2.SecurityMonitoringStandardRuleCreatePayload{
			Name: "Example-Security-Monitoring",
			Queries: []datadogV2.SecurityMonitoringStandardRuleQuery{
				{
					Query:          datadog.PtrString("@test:true"),
					Aggregation:    datadogV2.SECURITYMONITORINGRULEQUERYAGGREGATION_COUNT.Ptr(),
					GroupByFields:  []string{},
					DistinctFields: []string{},
					Metric:         datadog.PtrString(""),
				},
			},
			Filters: []datadogV2.SecurityMonitoringFilter{},
			Cases: []datadogV2.SecurityMonitoringRuleCaseCreate{
				{
					Name:          datadog.PtrString(""),
					Status:        datadogV2.SECURITYMONITORINGRULESEVERITY_INFO,
					Condition:     datadog.PtrString("a > 0"),
					Notifications: []string{},
				},
			},
			Options: datadogV2.SecurityMonitoringRuleOptions{
				EvaluationWindow:  datadogV2.SECURITYMONITORINGRULEEVALUATIONWINDOW_FIFTEEN_MINUTES.Ptr(),
				KeepAlive:         datadogV2.SECURITYMONITORINGRULEKEEPALIVE_ONE_HOUR.Ptr(),
				MaxSignalDuration: datadogV2.SECURITYMONITORINGRULEMAXSIGNALDURATION_ONE_DAY.Ptr(),
			},
			Message:   "Test rule",
			Tags:      []string{},
			IsEnabled: true,
			Type:      datadogV2.SECURITYMONITORINGRULETYPECREATE_LOG_DETECTION.Ptr(),
			ReferenceTables: []datadogV2.SecurityMonitoringReferenceTable{
				{
					TableName:     datadog.PtrString("synthetics_test_reference_table_dont_delete"),
					ColumnName:    datadog.PtrString("value"),
					LogFieldPath:  datadog.PtrString("testtag"),
					CheckPresence: datadog.PtrBool(true),
					RuleQueryName: datadog.PtrString("a"),
				},
			},
		}}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.CreateSecurityMonitoringRule(ctx, body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.CreateSecurityMonitoringRule`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.CreateSecurityMonitoringRule`:\n%s\n", responseContent)
}
```

##### Create a detection rule with detection method 'anomaly_detection' returns "OK" response

```go
// Create a detection rule with detection method 'anomaly_detection' returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	body := datadogV2.SecurityMonitoringRuleCreatePayload{
		SecurityMonitoringStandardRuleCreatePayload: &datadogV2.SecurityMonitoringStandardRuleCreatePayload{
			Name:      "Example-Security-Monitoring",
			Type:      datadogV2.SECURITYMONITORINGRULETYPECREATE_LOG_DETECTION.Ptr(),
			IsEnabled: true,
			Queries: []datadogV2.SecurityMonitoringStandardRuleQuery{
				{
					Aggregation:    datadogV2.SECURITYMONITORINGRULEQUERYAGGREGATION_COUNT.Ptr(),
					DataSource:     datadogV2.SECURITYMONITORINGSTANDARDDATASOURCE_LOGS.Ptr(),
					DistinctFields: []string{},
					GroupByFields: []string{
						"@usr.email",
						"@network.client.ip",
					},
					HasOptionalGroupByFields: datadog.PtrBool(false),
					Name:                     datadog.PtrString(""),
					Query:                    datadog.PtrString("service:app status:error"),
				},
			},
			Cases: []datadogV2.SecurityMonitoringRuleCaseCreate{
				{
					Name:          datadog.PtrString(""),
					Status:        datadogV2.SECURITYMONITORINGRULESEVERITY_INFO,
					Notifications: []string{},
					Condition:     datadog.PtrString("a > 0.995"),
				},
			},
			Message: "An anomaly detection rule",
			Options: datadogV2.SecurityMonitoringRuleOptions{
				DetectionMethod:   datadogV2.SECURITYMONITORINGRULEDETECTIONMETHOD_ANOMALY_DETECTION.Ptr(),
				EvaluationWindow:  datadogV2.SECURITYMONITORINGRULEEVALUATIONWINDOW_FIFTEEN_MINUTES.Ptr(),
				KeepAlive:         datadogV2.SECURITYMONITORINGRULEKEEPALIVE_ONE_HOUR.Ptr(),
				MaxSignalDuration: datadogV2.SECURITYMONITORINGRULEMAXSIGNALDURATION_ONE_DAY.Ptr(),
				AnomalyDetectionOptions: &datadogV2.SecurityMonitoringRuleAnomalyDetectionOptions{
					BucketDuration:         datadogV2.SECURITYMONITORINGRULEANOMALYDETECTIONOPTIONSBUCKETDURATION_FIVE_MINUTES.Ptr(),
					LearningDuration:       datadogV2.SECURITYMONITORINGRULEANOMALYDETECTIONOPTIONSLEARNINGDURATION_ONE_DAY.Ptr(),
					DetectionTolerance:     datadogV2.SECURITYMONITORINGRULEANOMALYDETECTIONOPTIONSDETECTIONTOLERANCE_THREE.Ptr(),
					LearningPeriodBaseline: datadog.PtrInt64(10),
				},
			},
			Tags:    []string{},
			Filters: []datadogV2.SecurityMonitoringFilter{},
		}}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.CreateSecurityMonitoringRule(ctx, body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.CreateSecurityMonitoringRule`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.CreateSecurityMonitoringRule`:\n%s\n", responseContent)
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=go), then save the example to `main.go` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="<DD_SITE>" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"

```java
// Create a cloud_configuration rule returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.CloudConfigurationComplianceRuleOptions;
import com.datadog.api.client.v2.model.CloudConfigurationRegoRule;
import com.datadog.api.client.v2.model.CloudConfigurationRuleCaseCreate;
import com.datadog.api.client.v2.model.CloudConfigurationRuleComplianceSignalOptions;
import com.datadog.api.client.v2.model.CloudConfigurationRuleCreatePayload;
import com.datadog.api.client.v2.model.CloudConfigurationRuleOptions;
import com.datadog.api.client.v2.model.CloudConfigurationRuleType;
import com.datadog.api.client.v2.model.SecurityMonitoringFilter;
import com.datadog.api.client.v2.model.SecurityMonitoringFilterAction;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleCreatePayload;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleResponse;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleSeverity;
import java.util.Arrays;
import java.util.Collections;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    SecurityMonitoringRuleCreatePayload body =
        new SecurityMonitoringRuleCreatePayload(
            new CloudConfigurationRuleCreatePayload()
                .type(CloudConfigurationRuleType.CLOUD_CONFIGURATION)
                .name("Example-Security-Monitoring_cloud")
                .isEnabled(false)
                .cases(
                    Collections.singletonList(
                        new CloudConfigurationRuleCaseCreate()
                            .status(SecurityMonitoringRuleSeverity.INFO)
                            .notifications(Collections.singletonList("channel"))))
                .options(
                    new CloudConfigurationRuleOptions()
                        .complianceRuleOptions(
                            new CloudConfigurationComplianceRuleOptions()
                                .resourceType("gcp_compute_disk")
                                .complexRule(false)
                                .regoRule(
                                    new CloudConfigurationRegoRule()
                                        .policy(
                                            """
package datadog

import data.datadog.output as dd_output

import future.keywords.contains
import future.keywords.if
import future.keywords.in

milliseconds_in_a_day := ((1000 * 60) * 60) * 24

eval(iam_service_account_key) = "skip" if {
	iam_service_account_key.disabled
} else = "pass" if {
	(iam_service_account_key.resource_seen_at / milliseconds_in_a_day) - (iam_service_account_key.valid_after_time / milliseconds_in_a_day) <= 90
} else = "fail"

# This part remains unchanged for all rules
results contains result if {
	some resource in input.resources[input.main_resource_type]
	result := dd_output.format(resource, eval(resource))
}

""")
                                        .resourceTypes(
                                            Collections.singletonList("gcp_compute_disk")))))
                .message("ddd")
                .tags(Collections.singletonList("my:tag"))
                .complianceSignalOptions(
                    new CloudConfigurationRuleComplianceSignalOptions()
                        .userActivationStatus(true)
                        .userGroupByFields(Collections.singletonList("@account_id")))
                .filters(
                    Arrays.asList(
                        new SecurityMonitoringFilter()
                            .action(SecurityMonitoringFilterAction.REQUIRE)
                            .query("resource_id:helo*"),
                        new SecurityMonitoringFilter()
                            .action(SecurityMonitoringFilterAction.SUPPRESS)
                            .query("control:helo*"))));

    try {
      SecurityMonitoringRuleResponse result = apiInstance.createSecurityMonitoringRule(body);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#createSecurityMonitoringRule");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}
```


```java
// Create a detection rule returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityMonitoringReferenceTable;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleCaseCreate;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleCreatePayload;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleEvaluationWindow;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleKeepAlive;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleMaxSignalDuration;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleOptions;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleQueryAggregation;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleResponse;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleSeverity;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleTypeCreate;
import com.datadog.api.client.v2.model.SecurityMonitoringStandardRuleCreatePayload;
import com.datadog.api.client.v2.model.SecurityMonitoringStandardRuleQuery;
import java.util.Collections;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    SecurityMonitoringRuleCreatePayload body =
        new SecurityMonitoringRuleCreatePayload(
            new SecurityMonitoringStandardRuleCreatePayload()
                .name("Example-Security-Monitoring")
                .queries(
                    Collections.singletonList(
                        new SecurityMonitoringStandardRuleQuery()
                            .query("@test:true")
                            .aggregation(SecurityMonitoringRuleQueryAggregation.COUNT)
                            .metric("")))
                .cases(
                    Collections.singletonList(
                        new SecurityMonitoringRuleCaseCreate()
                            .name("")
                            .status(SecurityMonitoringRuleSeverity.INFO)
                            .condition("a > 0")))
                .options(
                    new SecurityMonitoringRuleOptions()
                        .evaluationWindow(SecurityMonitoringRuleEvaluationWindow.FIFTEEN_MINUTES)
                        .keepAlive(SecurityMonitoringRuleKeepAlive.ONE_HOUR)
                        .maxSignalDuration(SecurityMonitoringRuleMaxSignalDuration.ONE_DAY))
                .message("Test rule")
                .isEnabled(true)
                .type(SecurityMonitoringRuleTypeCreate.LOG_DETECTION)
                .referenceTables(
                    Collections.singletonList(
                        new SecurityMonitoringReferenceTable()
                            .tableName("synthetics_test_reference_table_dont_delete")
                            .columnName("value")
                            .logFieldPath("testtag")
                            .checkPresence(true)
                            .ruleQueryName("a"))));

    try {
      SecurityMonitoringRuleResponse result = apiInstance.createSecurityMonitoringRule(body);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#createSecurityMonitoringRule");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}
```


```java
// Create a detection rule with detection method 'anomaly_detection' returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleAnomalyDetectionOptions;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleAnomalyDetectionOptionsBucketDuration;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleAnomalyDetectionOptionsDetectionTolerance;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleCaseCreate;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleCreatePayload;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleDetectionMethod;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleEvaluationWindow;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleKeepAlive;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleMaxSignalDuration;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleOptions;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleQueryAggregation;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleResponse;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleSeverity;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleTypeCreate;
import com.datadog.api.client.v2.model.SecurityMonitoringStandardDataSource;
import com.datadog.api.client.v2.model.SecurityMonitoringStandardRuleCreatePayload;
import com.datadog.api.client.v2.model.SecurityMonitoringStandardRuleQuery;
import java.util.Arrays;
import java.util.Collections;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    SecurityMonitoringRuleCreatePayload body =
        new SecurityMonitoringRuleCreatePayload(
            new SecurityMonitoringStandardRuleCreatePayload()
                .name("Example-Security-Monitoring")
                .type(SecurityMonitoringRuleTypeCreate.LOG_DETECTION)
                .isEnabled(true)
                .queries(
                    Collections.singletonList(
                        new SecurityMonitoringStandardRuleQuery()
                            .aggregation(SecurityMonitoringRuleQueryAggregation.COUNT)
                            .dataSource(SecurityMonitoringStandardDataSource.LOGS)
                            .groupByFields(Arrays.asList("@usr.email", "@network.client.ip"))
                            .hasOptionalGroupByFields(false)
                            .name("")
                            .query("service:app status:error")))
                .cases(
                    Collections.singletonList(
                        new SecurityMonitoringRuleCaseCreate()
                            .name("")
                            .status(SecurityMonitoringRuleSeverity.INFO)
                            .condition("a > 0.995")))
                .message("An anomaly detection rule")
                .options(
                    new SecurityMonitoringRuleOptions()
                        .detectionMethod(SecurityMonitoringRuleDetectionMethod.ANOMALY_DETECTION)
                        .evaluationWindow(SecurityMonitoringRuleEvaluationWindow.FIFTEEN_MINUTES)
                        .keepAlive(SecurityMonitoringRuleKeepAlive.ONE_HOUR)
                        .maxSignalDuration(SecurityMonitoringRuleMaxSignalDuration.ONE_DAY)
                        .anomalyDetectionOptions(
                            new SecurityMonitoringRuleAnomalyDetectionOptions()
                                .bucketDuration(
                                    SecurityMonitoringRuleAnomalyDetectionOptionsBucketDuration
                                        .FIVE_MINUTES)
                                .learningDuration(
                                    SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration
                                        .ONE_DAY)
                                .detectionTolerance(
                                    SecurityMonitoringRuleAnomalyDetectionOptionsDetectionTolerance
                                        .THREE)
                                .learningPeriodBaseline(10L))));

    try {
      SecurityMonitoringRuleResponse result = apiInstance.createSecurityMonitoringRule(body);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#createSecurityMonitoringRule");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=java), then save the example to `Example.java` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="<DD_SITE>" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"

```python
"""
Create a cloud_configuration rule returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.cloud_configuration_compliance_rule_options import (
    CloudConfigurationComplianceRuleOptions,
)
from datadog_api_client.v2.model.cloud_configuration_rego_rule import CloudConfigurationRegoRule
from datadog_api_client.v2.model.cloud_configuration_rule_case_create import CloudConfigurationRuleCaseCreate
from datadog_api_client.v2.model.cloud_configuration_rule_compliance_signal_options import (
    CloudConfigurationRuleComplianceSignalOptions,
)
from datadog_api_client.v2.model.cloud_configuration_rule_create_payload import CloudConfigurationRuleCreatePayload
from datadog_api_client.v2.model.cloud_configuration_rule_options import CloudConfigurationRuleOptions
from datadog_api_client.v2.model.cloud_configuration_rule_type import CloudConfigurationRuleType
from datadog_api_client.v2.model.security_monitoring_filter import SecurityMonitoringFilter
from datadog_api_client.v2.model.security_monitoring_filter_action import SecurityMonitoringFilterAction
from datadog_api_client.v2.model.security_monitoring_rule_severity import SecurityMonitoringRuleSeverity

body = CloudConfigurationRuleCreatePayload(
    type=CloudConfigurationRuleType.CLOUD_CONFIGURATION,
    name="Example-Security-Monitoring_cloud",
    is_enabled=False,
    cases=[
        CloudConfigurationRuleCaseCreate(
            status=SecurityMonitoringRuleSeverity.INFO,
            notifications=[
                "channel",
            ],
        ),
    ],
    options=CloudConfigurationRuleOptions(
        compliance_rule_options=CloudConfigurationComplianceRuleOptions(
            resource_type="gcp_compute_disk",
            complex_rule=False,
            rego_rule=CloudConfigurationRegoRule(
                policy='package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nmilliseconds_in_a_day := ((1000 * 60) * 60) * 24\n\neval(iam_service_account_key) = "skip" if {\n\tiam_service_account_key.disabled\n} else = "pass" if {\n\t(iam_service_account_key.resource_seen_at / milliseconds_in_a_day) - (iam_service_account_key.valid_after_time / milliseconds_in_a_day) <= 90\n} else = "fail"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n',
                resource_types=[
                    "gcp_compute_disk",
                ],
            ),
        ),
    ),
    message="ddd",
    tags=[
        "my:tag",
    ],
    compliance_signal_options=CloudConfigurationRuleComplianceSignalOptions(
        user_activation_status=True,
        user_group_by_fields=[
            "@account_id",
        ],
    ),
    filters=[
        SecurityMonitoringFilter(
            action=SecurityMonitoringFilterAction.REQUIRE,
            query="resource_id:helo*",
        ),
        SecurityMonitoringFilter(
            action=SecurityMonitoringFilterAction.SUPPRESS,
            query="control:helo*",
        ),
    ],
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.create_security_monitoring_rule(body=body)

    print(response)
```


```python
"""
Create a detection rule returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.security_monitoring_reference_table import SecurityMonitoringReferenceTable
from datadog_api_client.v2.model.security_monitoring_rule_case_create import SecurityMonitoringRuleCaseCreate
from datadog_api_client.v2.model.security_monitoring_rule_evaluation_window import (
    SecurityMonitoringRuleEvaluationWindow,
)
from datadog_api_client.v2.model.security_monitoring_rule_keep_alive import SecurityMonitoringRuleKeepAlive
from datadog_api_client.v2.model.security_monitoring_rule_max_signal_duration import (
    SecurityMonitoringRuleMaxSignalDuration,
)
from datadog_api_client.v2.model.security_monitoring_rule_options import SecurityMonitoringRuleOptions
from datadog_api_client.v2.model.security_monitoring_rule_query_aggregation import (
    SecurityMonitoringRuleQueryAggregation,
)
from datadog_api_client.v2.model.security_monitoring_rule_severity import SecurityMonitoringRuleSeverity
from datadog_api_client.v2.model.security_monitoring_rule_type_create import SecurityMonitoringRuleTypeCreate
from datadog_api_client.v2.model.security_monitoring_standard_rule_create_payload import (
    SecurityMonitoringStandardRuleCreatePayload,
)
from datadog_api_client.v2.model.security_monitoring_standard_rule_query import SecurityMonitoringStandardRuleQuery

body = SecurityMonitoringStandardRuleCreatePayload(
    name="Example-Security-Monitoring",
    queries=[
        SecurityMonitoringStandardRuleQuery(
            query="@test:true",
            aggregation=SecurityMonitoringRuleQueryAggregation.COUNT,
            group_by_fields=[],
            distinct_fields=[],
            metric="",
        ),
    ],
    filters=[],
    cases=[
        SecurityMonitoringRuleCaseCreate(
            name="",
            status=SecurityMonitoringRuleSeverity.INFO,
            condition="a > 0",
            notifications=[],
        ),
    ],
    options=SecurityMonitoringRuleOptions(
        evaluation_window=SecurityMonitoringRuleEvaluationWindow.FIFTEEN_MINUTES,
        keep_alive=SecurityMonitoringRuleKeepAlive.ONE_HOUR,
        max_signal_duration=SecurityMonitoringRuleMaxSignalDuration.ONE_DAY,
    ),
    message="Test rule",
    tags=[],
    is_enabled=True,
    type=SecurityMonitoringRuleTypeCreate.LOG_DETECTION,
    reference_tables=[
        SecurityMonitoringReferenceTable(
            table_name="synthetics_test_reference_table_dont_delete",
            column_name="value",
            log_field_path="testtag",
            check_presence=True,
            rule_query_name="a",
        ),
    ],
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.create_security_monitoring_rule(body=body)

    print(response)
```


```python
"""
Create a detection rule with detection method 'anomaly_detection' returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.security_monitoring_rule_anomaly_detection_options import (
    SecurityMonitoringRuleAnomalyDetectionOptions,
)
from datadog_api_client.v2.model.security_monitoring_rule_anomaly_detection_options_bucket_duration import (
    SecurityMonitoringRuleAnomalyDetectionOptionsBucketDuration,
)
from datadog_api_client.v2.model.security_monitoring_rule_anomaly_detection_options_detection_tolerance import (
    SecurityMonitoringRuleAnomalyDetectionOptionsDetectionTolerance,
)
from datadog_api_client.v2.model.security_monitoring_rule_anomaly_detection_options_learning_duration import (
    SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration,
)
from datadog_api_client.v2.model.security_monitoring_rule_case_create import SecurityMonitoringRuleCaseCreate
from datadog_api_client.v2.model.security_monitoring_rule_detection_method import SecurityMonitoringRuleDetectionMethod
from datadog_api_client.v2.model.security_monitoring_rule_evaluation_window import (
    SecurityMonitoringRuleEvaluationWindow,
)
from datadog_api_client.v2.model.security_monitoring_rule_keep_alive import SecurityMonitoringRuleKeepAlive
from datadog_api_client.v2.model.security_monitoring_rule_max_signal_duration import (
    SecurityMonitoringRuleMaxSignalDuration,
)
from datadog_api_client.v2.model.security_monitoring_rule_options import SecurityMonitoringRuleOptions
from datadog_api_client.v2.model.security_monitoring_rule_query_aggregation import (
    SecurityMonitoringRuleQueryAggregation,
)
from datadog_api_client.v2.model.security_monitoring_rule_severity import SecurityMonitoringRuleSeverity
from datadog_api_client.v2.model.security_monitoring_rule_type_create import SecurityMonitoringRuleTypeCreate
from datadog_api_client.v2.model.security_monitoring_standard_data_source import SecurityMonitoringStandardDataSource
from datadog_api_client.v2.model.security_monitoring_standard_rule_create_payload import (
    SecurityMonitoringStandardRuleCreatePayload,
)
from datadog_api_client.v2.model.security_monitoring_standard_rule_query import SecurityMonitoringStandardRuleQuery

body = SecurityMonitoringStandardRuleCreatePayload(
    name="Example-Security-Monitoring",
    type=SecurityMonitoringRuleTypeCreate.LOG_DETECTION,
    is_enabled=True,
    queries=[
        SecurityMonitoringStandardRuleQuery(
            aggregation=SecurityMonitoringRuleQueryAggregation.COUNT,
            data_source=SecurityMonitoringStandardDataSource.LOGS,
            distinct_fields=[],
            group_by_fields=[
                "@usr.email",
                "@network.client.ip",
            ],
            has_optional_group_by_fields=False,
            name="",
            query="service:app status:error",
        ),
    ],
    cases=[
        SecurityMonitoringRuleCaseCreate(
            name="",
            status=SecurityMonitoringRuleSeverity.INFO,
            notifications=[],
            condition="a > 0.995",
        ),
    ],
    message="An anomaly detection rule",
    options=SecurityMonitoringRuleOptions(
        detection_method=SecurityMonitoringRuleDetectionMethod.ANOMALY_DETECTION,
        evaluation_window=SecurityMonitoringRuleEvaluationWindow.FIFTEEN_MINUTES,
        keep_alive=SecurityMonitoringRuleKeepAlive.ONE_HOUR,
        max_signal_duration=SecurityMonitoringRuleMaxSignalDuration.ONE_DAY,
        anomaly_detection_options=SecurityMonitoringRuleAnomalyDetectionOptions(
            bucket_duration=SecurityMonitoringRuleAnomalyDetectionOptionsBucketDuration.FIVE_MINUTES,
            learning_duration=SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration.ONE_DAY,
            detection_tolerance=SecurityMonitoringRuleAnomalyDetectionOptionsDetectionTolerance.THREE,
            learning_period_baseline=10,
        ),
    ),
    tags=[],
    filters=[],
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.create_security_monitoring_rule(body=body)

    print(response)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=python), then save the example to `example.py` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="<DD_SITE>" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"

```ruby
# Create a cloud_configuration rule returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

body = DatadogAPIClient::V2::CloudConfigurationRuleCreatePayload.new({
  type: DatadogAPIClient::V2::CloudConfigurationRuleType::CLOUD_CONFIGURATION,
  name: "Example-Security-Monitoring_cloud",
  is_enabled: false,
  cases: [
    DatadogAPIClient::V2::CloudConfigurationRuleCaseCreate.new({
      status: DatadogAPIClient::V2::SecurityMonitoringRuleSeverity::INFO,
      notifications: [
        "channel",
      ],
    }),
  ],
  options: DatadogAPIClient::V2::CloudConfigurationRuleOptions.new({
    compliance_rule_options: DatadogAPIClient::V2::CloudConfigurationComplianceRuleOptions.new({
      resource_type: "gcp_compute_disk",
      complex_rule: false,
      rego_rule: DatadogAPIClient::V2::CloudConfigurationRegoRule.new({
        # Double-quoted so that \n and \t become real newlines and tabs in the Rego source;
        # a single-quoted Ruby string would send them as literal backslash sequences.
        policy: "package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nmilliseconds_in_a_day := ((1000 * 60) * 60) * 24\n\neval(iam_service_account_key) = \"skip\" if {\n\tiam_service_account_key.disabled\n} else = \"pass\" if {\n\t(iam_service_account_key.resource_seen_at / milliseconds_in_a_day) - (iam_service_account_key.valid_after_time / milliseconds_in_a_day) <= 90\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n",
        resource_types: [
          "gcp_compute_disk",
        ],
      }),
    }),
  }),
  message: "ddd",
  tags: [
    "my:tag",
  ],
  compliance_signal_options: DatadogAPIClient::V2::CloudConfigurationRuleComplianceSignalOptions.new({
    user_activation_status: true,
    user_group_by_fields: [
      "@account_id",
    ],
  }),
  filters: [
    DatadogAPIClient::V2::SecurityMonitoringFilter.new({
      action: DatadogAPIClient::V2::SecurityMonitoringFilterAction::REQUIRE,
      query: "resource_id:helo*",
    }),
    DatadogAPIClient::V2::SecurityMonitoringFilter.new({
      action: DatadogAPIClient::V2::SecurityMonitoringFilterAction::SUPPRESS,
      query: "control:helo*",
    }),
  ],
})
p api_instance.create_security_monitoring_rule(body)
```


```ruby
# Create a detection rule returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

body = DatadogAPIClient::V2::SecurityMonitoringStandardRuleCreatePayload.new({
  name: "Example-Security-Monitoring",
  queries: [
    DatadogAPIClient::V2::SecurityMonitoringStandardRuleQuery.new({
      query: "@test:true",
      aggregation: DatadogAPIClient::V2::SecurityMonitoringRuleQueryAggregation::COUNT,
      group_by_fields: [],
      distinct_fields: [],
      metric: "",
    }),
  ],
  filters: [],
  cases: [
    DatadogAPIClient::V2::SecurityMonitoringRuleCaseCreate.new({
      name: "",
      status: DatadogAPIClient::V2::SecurityMonitoringRuleSeverity::INFO,
      condition: "a > 0",
      notifications: [],
    }),
  ],
  options: DatadogAPIClient::V2::SecurityMonitoringRuleOptions.new({
    evaluation_window: DatadogAPIClient::V2::SecurityMonitoringRuleEvaluationWindow::FIFTEEN_MINUTES,
    keep_alive: DatadogAPIClient::V2::SecurityMonitoringRuleKeepAlive::ONE_HOUR,
    max_signal_duration: DatadogAPIClient::V2::SecurityMonitoringRuleMaxSignalDuration::ONE_DAY,
  }),
  message: "Test rule",
  tags: [],
  is_enabled: true,
  type: DatadogAPIClient::V2::SecurityMonitoringRuleTypeCreate::LOG_DETECTION,
  reference_tables: [
    DatadogAPIClient::V2::SecurityMonitoringReferenceTable.new({
      table_name: "synthetics_test_reference_table_dont_delete",
      column_name: "value",
      log_field_path: "testtag",
      check_presence: true,
      rule_query_name: "a",
    }),
  ],
})
p api_instance.create_security_monitoring_rule(body)
```


```ruby
# Create a detection rule with detection method 'anomaly_detection' returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

body = DatadogAPIClient::V2::SecurityMonitoringStandardRuleCreatePayload.new({
  name: "Example-Security-Monitoring",
  type: DatadogAPIClient::V2::SecurityMonitoringRuleTypeCreate::LOG_DETECTION,
  is_enabled: true,
  queries: [
    DatadogAPIClient::V2::SecurityMonitoringStandardRuleQuery.new({
      aggregation: DatadogAPIClient::V2::SecurityMonitoringRuleQueryAggregation::COUNT,
      data_source: DatadogAPIClient::V2::SecurityMonitoringStandardDataSource::LOGS,
      distinct_fields: [],
      group_by_fields: [
        "@usr.email",
        "@network.client.ip",
      ],
      has_optional_group_by_fields: false,
      name: "",
      query: "service:app status:error",
    }),
  ],
  cases: [
    DatadogAPIClient::V2::SecurityMonitoringRuleCaseCreate.new({
      name: "",
      status: DatadogAPIClient::V2::SecurityMonitoringRuleSeverity::INFO,
      notifications: [],
      condition: "a > 0.995",
    }),
  ],
  message: "An anomaly detection rule",
  options: DatadogAPIClient::V2::SecurityMonitoringRuleOptions.new({
    detection_method: DatadogAPIClient::V2::SecurityMonitoringRuleDetectionMethod::ANOMALY_DETECTION,
    evaluation_window: DatadogAPIClient::V2::SecurityMonitoringRuleEvaluationWindow::FIFTEEN_MINUTES,
    keep_alive: DatadogAPIClient::V2::SecurityMonitoringRuleKeepAlive::ONE_HOUR,
    max_signal_duration: DatadogAPIClient::V2::SecurityMonitoringRuleMaxSignalDuration::ONE_DAY,
    anomaly_detection_options: DatadogAPIClient::V2::SecurityMonitoringRuleAnomalyDetectionOptions.new({
      bucket_duration: DatadogAPIClient::V2::SecurityMonitoringRuleAnomalyDetectionOptionsBucketDuration::FIVE_MINUTES,
      learning_duration: DatadogAPIClient::V2::SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration::ONE_DAY,
      detection_tolerance: DatadogAPIClient::V2::SecurityMonitoringRuleAnomalyDetectionOptionsDetectionTolerance::THREE,
      learning_period_baseline: 10,
    }),
  }),
  tags: [],
  filters: [],
})
p api_instance.create_security_monitoring_rule(body)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=ruby), then save the example to `example.rb` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" ruby "example.rb"

```rust
// Create a cloud_configuration rule returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::CloudConfigurationComplianceRuleOptions;
use datadog_api_client::datadogV2::model::CloudConfigurationRegoRule;
use datadog_api_client::datadogV2::model::CloudConfigurationRuleCaseCreate;
use datadog_api_client::datadogV2::model::CloudConfigurationRuleComplianceSignalOptions;
use datadog_api_client::datadogV2::model::CloudConfigurationRuleCreatePayload;
use datadog_api_client::datadogV2::model::CloudConfigurationRuleOptions;
use datadog_api_client::datadogV2::model::CloudConfigurationRuleType;
use datadog_api_client::datadogV2::model::SecurityMonitoringFilter;
use datadog_api_client::datadogV2::model::SecurityMonitoringFilterAction;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleCreatePayload;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleSeverity;

#[tokio::main]
async fn main() {
    let body =
        SecurityMonitoringRuleCreatePayload::CloudConfigurationRuleCreatePayload(
            Box::new(
                CloudConfigurationRuleCreatePayload::new(
                    vec![
                        CloudConfigurationRuleCaseCreate::new(
                            SecurityMonitoringRuleSeverity::INFO,
                        ).notifications(vec!["channel".to_string()])
                    ],
                    CloudConfigurationRuleComplianceSignalOptions::new()
                        .user_activation_status(Some(true))
                        .user_group_by_fields(Some(vec!["@account_id".to_string()])),
                    false,
                    "ddd".to_string(),
                    "Example-Security-Monitoring_cloud".to_string(),
                    CloudConfigurationRuleOptions::new(
                        CloudConfigurationComplianceRuleOptions::new()
                            .complex_rule(false)
                            .rego_rule(
                                CloudConfigurationRegoRule::new(
                                    r#"package datadog

import data.datadog.output as dd_output

import future.keywords.contains
import future.keywords.if
import future.keywords.in

milliseconds_in_a_day := ((1000 * 60) * 60) * 24

eval(iam_service_account_key) = "skip" if {
	iam_service_account_key.disabled
} else = "pass" if {
	(iam_service_account_key.resource_seen_at / milliseconds_in_a_day) - (iam_service_account_key.valid_after_time / milliseconds_in_a_day) <= 90
} else = "fail"

# This part remains unchanged for all rules
results contains result if {
	some resource in input.resources[input.main_resource_type]
	result := dd_output.format(resource, eval(resource))
}
"#.to_string(),
                                    vec!["gcp_compute_disk".to_string()],
                                ),
                            )
                            .resource_type("gcp_compute_disk".to_string()),
                    ),
                )
                    .filters(
                        vec![
                            SecurityMonitoringFilter::new()
                                .action(SecurityMonitoringFilterAction::REQUIRE)
                                .query("resource_id:helo*".to_string()),
                            SecurityMonitoringFilter::new()
                                .action(SecurityMonitoringFilterAction::SUPPRESS)
                                .query("control:helo*".to_string())
                        ],
                    )
                    .tags(vec!["my:tag".to_string()])
                    .type_(CloudConfigurationRuleType::CLOUD_CONFIGURATION),
            ),
        );
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api.create_security_monitoring_rule(body).await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}
```


```rust
// Create a detection rule returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::SecurityMonitoringReferenceTable;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleCaseCreate;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleCreatePayload;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleEvaluationWindow;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleKeepAlive;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleMaxSignalDuration;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleOptions;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleQueryAggregation;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleSeverity;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleTypeCreate;
use datadog_api_client::datadogV2::model::SecurityMonitoringStandardRuleCreatePayload;
use datadog_api_client::datadogV2::model::SecurityMonitoringStandardRuleQuery;

#[tokio::main]
async fn main() {
    let body =
        SecurityMonitoringRuleCreatePayload::SecurityMonitoringStandardRuleCreatePayload(Box::new(
            SecurityMonitoringStandardRuleCreatePayload::new(
                vec![
                    SecurityMonitoringRuleCaseCreate::new(SecurityMonitoringRuleSeverity::INFO)
                        .condition("a > 0".to_string())
                        .name("".to_string())
                        .notifications(vec![]),
                ],
                true,
                "Test rule".to_string(),
                "Example-Security-Monitoring".to_string(),
                SecurityMonitoringRuleOptions::new()
                    .evaluation_window(SecurityMonitoringRuleEvaluationWindow::FIFTEEN_MINUTES)
                    .keep_alive(SecurityMonitoringRuleKeepAlive::ONE_HOUR)
                    .max_signal_duration(SecurityMonitoringRuleMaxSignalDuration::ONE_DAY),
                vec![SecurityMonitoringStandardRuleQuery::new()
                    .aggregation(SecurityMonitoringRuleQueryAggregation::COUNT)
                    .distinct_fields(vec![])
                    .group_by_fields(vec![])
                    .metric("".to_string())
                    .query("@test:true".to_string())],
            )
            .filters(vec![])
            .reference_tables(vec![SecurityMonitoringReferenceTable::new()
                .check_presence(true)
                .column_name("value".to_string())
                .log_field_path("testtag".to_string())
                .rule_query_name("a".to_string())
                .table_name("synthetics_test_reference_table_dont_delete".to_string())])
            .tags(vec![])
            .type_(SecurityMonitoringRuleTypeCreate::LOG_DETECTION),
        ));
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api.create_security_monitoring_rule(body).await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}
```


```rust
// Create a detection rule with detection method 'anomaly_detection' returns "OK"
// response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleAnomalyDetectionOptions;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleAnomalyDetectionOptionsBucketDuration;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleAnomalyDetectionOptionsDetectionTolerance;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleCaseCreate;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleCreatePayload;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleDetectionMethod;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleEvaluationWindow;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleKeepAlive;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleMaxSignalDuration;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleOptions;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleQueryAggregation;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleSeverity;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleTypeCreate;
use datadog_api_client::datadogV2::model::SecurityMonitoringStandardDataSource;
use datadog_api_client::datadogV2::model::SecurityMonitoringStandardRuleCreatePayload;
use datadog_api_client::datadogV2::model::SecurityMonitoringStandardRuleQuery;

#[tokio::main]
async fn main() {
    let body =
        SecurityMonitoringRuleCreatePayload::SecurityMonitoringStandardRuleCreatePayload(
            Box::new(
                SecurityMonitoringStandardRuleCreatePayload::new(
                    vec![
                        SecurityMonitoringRuleCaseCreate::new(SecurityMonitoringRuleSeverity::INFO)
                            .condition("a > 0.995".to_string())
                            .name("".to_string())
                            .notifications(vec![])
                    ],
                    true,
                    "An anomaly detection rule".to_string(),
                    "Example-Security-Monitoring".to_string(),
                    SecurityMonitoringRuleOptions::new()
                        .anomaly_detection_options(
                            SecurityMonitoringRuleAnomalyDetectionOptions::new()
                                .bucket_duration(
                                    SecurityMonitoringRuleAnomalyDetectionOptionsBucketDuration::FIVE_MINUTES,
                                )
                                .detection_tolerance(
                                    SecurityMonitoringRuleAnomalyDetectionOptionsDetectionTolerance::THREE,
                                )
                                .learning_duration(
                                    SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration::ONE_DAY,
                                )
                                .learning_period_baseline(10),
                        )
                        .detection_method(SecurityMonitoringRuleDetectionMethod::ANOMALY_DETECTION)
                        .evaluation_window(SecurityMonitoringRuleEvaluationWindow::FIFTEEN_MINUTES)
                        .keep_alive(SecurityMonitoringRuleKeepAlive::ONE_HOUR)
                        .max_signal_duration(SecurityMonitoringRuleMaxSignalDuration::ONE_DAY),
                    vec![
                        SecurityMonitoringStandardRuleQuery::new()
                            .aggregation(SecurityMonitoringRuleQueryAggregation::COUNT)
                            .data_source(SecurityMonitoringStandardDataSource::LOGS)
                            .distinct_fields(vec![])
                            .group_by_fields(vec!["@usr.email".to_string(), "@network.client.ip".to_string()])
                            .has_optional_group_by_fields(false)
                            .name("".to_string())
                            .query("service:app status:error".to_string())
                    ],
                )
                    .filters(vec![])
                    .tags(vec![])
                    .type_(SecurityMonitoringRuleTypeCreate::LOG_DETECTION),
            ),
        );
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api.create_security_monitoring_rule(body).await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=rust), then save the example to `src/main.rs` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run

```typescript
/**
 * Create a cloud_configuration rule returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiCreateSecurityMonitoringRuleRequest = {
  body: {
    type: "cloud_configuration",
    name: "Example-Security-Monitoring_cloud",
    isEnabled: false,
    cases: [
      {
        status: "info",
        notifications: ["channel"],
      },
    ],
    options: {
      complianceRuleOptions: {
        resourceType: "gcp_compute_disk",
        complexRule: false,
        regoRule: {
          policy: `package datadog

import data.datadog.output as dd_output

import future.keywords.contains
import future.keywords.if
import future.keywords.in

milliseconds_in_a_day := ((1000 * 60) * 60) * 24

eval(iam_service_account_key) = "skip" if {
	iam_service_account_key.disabled
} else = "pass" if {
	(iam_service_account_key.resource_seen_at / milliseconds_in_a_day) - (iam_service_account_key.valid_after_time / milliseconds_in_a_day) <= 90
} else = "fail"

# This part remains unchanged for all rules
results contains result if {
	some resource in input.resources[input.main_resource_type]
	result := dd_output.format(resource, eval(resource))
}
`,
          resourceTypes: ["gcp_compute_disk"],
        },
      },
    },
    message: "ddd",
    tags: ["my:tag"],
    complianceSignalOptions: {
      userActivationStatus: true,
      userGroupByFields: ["@account_id"],
    },
    filters: [
      {
        action: "require",
        query: "resource_id:helo*",
      },
      {
        action: "suppress",
        query: "control:helo*",
      },
    ],
  },
};

apiInstance
  .createSecurityMonitoringRule(params)
  .then((data: v2.SecurityMonitoringRuleResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));
```


```typescript
/**
 * Create a detection rule returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiCreateSecurityMonitoringRuleRequest = {
  body: {
    name: "Example-Security-Monitoring",
    queries: [
      {
        query: "@test:true",
        aggregation: "count",
        groupByFields: [],
        distinctFields: [],
        metric: "",
      },
    ],
    filters: [],
    cases: [
      {
        name: "",
        status: "info",
        condition: "a > 0",
        notifications: [],
      },
    ],
    options: {
      evaluationWindow: 900,
      keepAlive: 3600,
      maxSignalDuration: 86400,
    },
    message: "Test rule",
    tags: [],
    isEnabled: true,
    type: "log_detection",
    referenceTables: [
      {
        tableName: "synthetics_test_reference_table_dont_delete",
        columnName: "value",
        logFieldPath: "testtag",
        checkPresence: true,
        ruleQueryName: "a",
      },
    ],
  },
};

apiInstance
  .createSecurityMonitoringRule(params)
  .then((data: v2.SecurityMonitoringRuleResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));
```


```typescript
/**
 * Create a detection rule with detection method 'anomaly_detection' returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiCreateSecurityMonitoringRuleRequest = {
  body: {
    name: "Example-Security-Monitoring",
    type: "log_detection",
    isEnabled: true,
    queries: [
      {
        aggregation: "count",
        dataSource: "logs",
        distinctFields: [],
        groupByFields: ["@usr.email", "@network.client.ip"],
        hasOptionalGroupByFields: false,
        name: "",
        query: "service:app status:error",
      },
    ],
    cases: [
      {
        name: "",
        status: "info",
        notifications: [],
        condition: "a > 0.995",
      },
    ],
    message: "An anomaly detection rule",
    options: {
      detectionMethod: "anomaly_detection",
      evaluationWindow: 900,
      keepAlive: 3600,
      maxSignalDuration: 86400,
      anomalyDetectionOptions: {
        bucketDuration: 300,
        learningDuration: 24,
        detectionTolerance: 3,
        learningPeriodBaseline: 10,
      },
    },
    tags: [],
    filters: [],
  },
};

apiInstance
  .createSecurityMonitoringRule(params)
  .then((data: v2.SecurityMonitoringRuleResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=typescript), then save the example to `example.ts` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"

{% /tab %}

## Get a rule's details{% #get-a-rules-details %}

{% tab title="v2" %}

| Datadog site      | API endpoint                                                                 |
| ----------------- | ---------------------------------------------------------------------------- |
| ap1.datadoghq.com | GET https://api.ap1.datadoghq.com/api/v2/security_monitoring/rules/{rule_id} |
| ap2.datadoghq.com | GET https://api.ap2.datadoghq.com/api/v2/security_monitoring/rules/{rule_id} |
| app.datadoghq.eu  | GET https://api.datadoghq.eu/api/v2/security_monitoring/rules/{rule_id}      |
| app.ddog-gov.com  | GET https://api.ddog-gov.com/api/v2/security_monitoring/rules/{rule_id}      |
| app.datadoghq.com | GET https://api.datadoghq.com/api/v2/security_monitoring/rules/{rule_id}     |
| us3.datadoghq.com | GET https://api.us3.datadoghq.com/api/v2/security_monitoring/rules/{rule_id} |
| us5.datadoghq.com | GET https://api.us5.datadoghq.com/api/v2/security_monitoring/rules/{rule_id} |

### Overview

Get a rule's details. This endpoint requires the `security_monitoring_rules_read` permission.

OAuth apps require the `security_monitoring_rules_read` authorization [scope](https://docs.datadoghq.com/api/latest/scopes/#security-monitoring) to access this endpoint.
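
Once a rule has been fetched, its body can be reviewed for settings that quietly reduce coverage: a disabled rule, cases with no notification targets, suppression filters, or compliance signals switched off. The following is an added example, not Datadog's code; `auditRule`, the finding names, and the two sample rules (constructed from the create-rule request bodies shown earlier on this page) are assumptions for illustration.

```typescript
// Added example (not part of the Datadog client): local review of a rule
// object shaped like the bodies on this page. The checks are reviewer
// heuristics chosen for illustration, not API behaviour.

type FilterAction = "require" | "suppress";

interface RuleFilter {
  action?: FilterAction;
  query?: string;
}

interface RuleCase {
  name?: string;
  status: string;
  condition?: string;
  notifications?: string[];
}

interface RuleLike {
  name: string;
  type?: string;
  isEnabled: boolean;
  cases: RuleCase[];
  filters?: RuleFilter[];
  complianceSignalOptions?: {
    defaultActivationStatus?: boolean;
    userActivationStatus?: boolean;
  };
}

interface Finding {
  check: string;
  detail: string;
}

function auditRule(rule: RuleLike): Finding[] {
  const findings: Finding[] = [];

  // A rule that is not enabled is never evaluated.
  if (!rule.isEnabled) {
    findings.push({ check: "disabled", detail: `rule "${rule.name}" is not enabled` });
  }

  // A case without notification targets produces signals nobody is told about.
  rule.cases.forEach((c, i) => {
    if (!c.notifications || c.notifications.length === 0) {
      findings.push({ check: "no-notifications", detail: `case ${i} (${c.status}) has no notification targets` });
    }
  });

  // Suppress filters drop matching events; wildcards widen what is dropped.
  for (const f of rule.filters ?? []) {
    if (f.action !== "suppress") continue;
    const query = (f.query ?? "").trim();
    if (query === "" || query === "*") {
      findings.push({ check: "suppress-all", detail: "suppress filter matches every event" });
    } else if (query.indexOf("*") !== -1) {
      findings.push({ check: "suppress-wildcard", detail: `suppress filter uses a wildcard: ${query}` });
    }
  }

  // For cloud_configuration rules, the user setting overrides the default.
  if (rule.type === "cloud_configuration") {
    const opts = rule.complianceSignalOptions;
    const active = opts?.userActivationStatus ?? opts?.defaultActivationStatus;
    if (active === false) {
      findings.push({ check: "signals-off", detail: "compliance signals are not being sent" });
    }
  }

  return findings;
}

// Constructed samples, reduced from the create-rule bodies on this page.
const samplePostureRule: RuleLike = {
  name: "Example-Security-Monitoring_cloud",
  type: "cloud_configuration",
  isEnabled: false,
  cases: [{ status: "info", notifications: ["channel"] }],
  complianceSignalOptions: { userActivationStatus: true },
  filters: [
    { action: "require", query: "resource_id:helo*" },
    { action: "suppress", query: "control:helo*" },
  ],
};

const sampleLogRule: RuleLike = {
  name: "Example-Security-Monitoring",
  type: "log_detection",
  isEnabled: true,
  cases: [{ name: "", status: "info", condition: "a > 0", notifications: [] }],
  filters: [],
};

const postureFindings: Finding[] = auditRule(samplePostureRule);
const logFindings: Finding[] = auditRule(sampleLogRule);
```

Pass the `data` object returned by `getSecurityMonitoringRule` (or the parsed JSON body of the GET request) to `auditRule` in place of the constructed samples.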



### Arguments

#### Path Parameters

| Name                      | Type   | Description         |
| ------------------------- | ------ | ------------------- |
| rule_id [*required*] | string | The ID of the rule. |

### Response

{% tab title="200" %}
OK
{% tab title="Model" %}
Create a new rule.

| Parent field             | Field                           | Type     | Description                                                                                                                                                                                                                                                                                                                                                                                                      |
| ------------------------ | ------------------------------- | -------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|                          | Option 1                        | object   | Rule.                                                                                                                                                                                                                                                                                                                                                                                                            |
| Option 1                 | calculatedFields                | [object] | Calculated fields. Only allowed for scheduled rules - in other words, when schedulingOptions is also defined.                                                                                                                                                                                                                                                                                                    |
| calculatedFields         | expression [*required*]    | string   | Expression.                                                                                                                                                                                                                                                                                                                                                                                                      |
| calculatedFields         | name [*required*]          | string   | Field name.                                                                                                                                                                                                                                                                                                                                                                                                      |
| Option 1                 | cases                           | [object] | Cases for generating signals.                                                                                                                                                                                                                                                                                                                                                                                    |
| cases                    | actions                         | [object] | Action to perform for each rule case.                                                                                                                                                                                                                                                                                                                                                                            |
| actions                  | options                         | object   | Options for the rule action                                                                                                                                                                                                                                                                                                                                                                                      |
| options                  | duration                        | int64    | Duration of the action in seconds. 0 indicates no expiration.                                                                                                                                                                                                                                                                                                                                                    |
| options                  | flaggedIPType                   | enum     | Used with the case action of type 'flag_ip'. The value specified in this field is applied as a flag to the IP addresses. Allowed enum values: `SUSPICIOUS,FLAGGED`                                                                                                                                                                                                                                               |
| options                  | userBehaviorName                | string   | Used with the case action of type 'user_behavior'. The value specified in this field is applied as a risk tag to all users affected by the rule.                                                                                                                                                                                                                                                                 |
| actions                  | type                            | enum     | The action type. Allowed enum values: `block_ip,block_user,user_behavior,flag_ip`                                                                                                                                                                                                                                                                                                                                |
| cases                    | condition                       | string   | A rule case contains logical operations (`>`,`>=`, `&&`, `||`) to determine if a signal should be generated based on the event counts in the previously defined queries.                                                                                                                                                                                                                                         |
| cases                    | customStatus                    | enum     | Severity of the Security Signal. Allowed enum values: `info,low,medium,high,critical`                                                                                                                                                                                                                                                                                                                            |
| cases                    | name                            | string   | Name of the case.                                                                                                                                                                                                                                                                                                                                                                                                |
| cases                    | notifications                   | [string] | Notification targets for each rule case.                                                                                                                                                                                                                                                                                                                                                                         |
| cases                    | status                          | enum     | Severity of the Security Signal. Allowed enum values: `info,low,medium,high,critical`                                                                                                                                                                                                                                                                                                                            |
| Option 1                 | complianceSignalOptions         | object   | How to generate compliance signals. Useful for cloud_configuration rules only.                                                                                                                                                                                                                                                                                                                                   |
| complianceSignalOptions  | defaultActivationStatus         | boolean  | The default activation status.                                                                                                                                                                                                                                                                                                                                                                                   |
| complianceSignalOptions  | defaultGroupByFields            | [string] | The default group by fields.                                                                                                                                                                                                                                                                                                                                                                                     |
| complianceSignalOptions  | userActivationStatus            | boolean  | Whether signals will be sent.                                                                                                                                                                                                                                                                                                                                                                                    |
| complianceSignalOptions  | userGroupByFields               | [string] | Fields to use to group findings by when sending signals.                                                                                                                                                                                                                                                                                                                                                         |
| Option 1                 | createdAt                       | int64    | When the rule was created, timestamp in milliseconds.                                                                                                                                                                                                                                                                                                                                                            |
| Option 1                 | creationAuthorId                | int64    | User ID of the user who created the rule.                                                                                                                                                                                                                                                                                                                                                                        |
| Option 1                 | customMessage                   | string   | Custom/Overridden message for generated signals (used in case of Default rule update).                                                                                                                                                                                                                                                                                                                           |
| Option 1                 | customName                      | string   | Custom/Overridden name of the rule (used in case of Default rule update).                                                                                                                                                                                                                                                                                                                                        |
| Option 1                 | defaultTags                     | [string] | Default Tags for default rules (included in tags)                                                                                                                                                                                                                                                                                                                                                                |
| Option 1                 | deprecationDate                 | int64    | When the rule will be deprecated, timestamp in milliseconds.                                                                                                                                                                                                                                                                                                                                                     |
| Option 1                 | filters                         | [object] | Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules.                                                                                                                                                                                                                                              |
| filters                  | action                          | enum     | The type of filtering action. Allowed enum values: `require,suppress`                                                                                                                                                                                                                                                                                                                                            |
| filters                  | query                           | string   | Query for selecting logs to apply the filtering action.                                                                                                                                                                                                                                                                                                                                                          |
| Option 1                 | groupSignalsBy                  | [string] | Additional grouping to perform on top of the existing groups in the query section. Must be a subset of the existing groups.                                                                                                                                                                                                                                                                                      |
| Option 1                 | hasExtendedTitle                | boolean  | Whether the notifications include the triggering group-by values in their title.                                                                                                                                                                                                                                                                                                                                 |
| Option 1                 | id                              | string   | The ID of the rule.                                                                                                                                                                                                                                                                                                                                                                                              |
| Option 1                 | isDefault                       | boolean  | Whether the rule is included by default.                                                                                                                                                                                                                                                                                                                                                                         |
| Option 1                 | isDeleted                       | boolean  | Whether the rule has been deleted.                                                                                                                                                                                                                                                                                                                                                                               |
| Option 1                 | isEnabled                       | boolean  | Whether the rule is enabled.                                                                                                                                                                                                                                                                                                                                                                                     |
| Option 1                 | message                         | string   | Message for generated signals.                                                                                                                                                                                                                                                                                                                                                                                   |
| Option 1                 | name                            | string   | The name of the rule.                                                                                                                                                                                                                                                                                                                                                                                            |
| Option 1                 | options                         | object   | Options.                                                                                                                                                                                                                                                                                                                                                                                                         |
| options                  | anomalyDetectionOptions         | object   | Options on anomaly detection method.                                                                                                                                                                                                                                                                                                                                                                             |
| anomalyDetectionOptions  | bucketDuration                  | enum     | Duration in seconds of the time buckets used to aggregate events matched by the rule. Must be greater than or equal to 300. Allowed enum values: `300,600,900,1800,3600,10800`                                                                                                                                                                                                                                   |
| anomalyDetectionOptions  | detectionTolerance              | enum     | An optional parameter that sets how permissive anomaly detection is. Higher values require higher deviations before triggering a signal. Allowed enum values: `1,2,3,4,5`                                                                                                                                                                                                                                        |
| anomalyDetectionOptions  | instantaneousBaseline           | boolean  | When set to true, Datadog uses previous values that fall within the defined learning window to construct the baseline, enabling the system to establish an accurate baseline more rapidly rather than relying solely on gradual learning over time.                                                                                                                                                              |
| anomalyDetectionOptions  | learningDuration                | enum     | Learning duration in hours. Anomaly detection waits for at least this amount of historical data before it starts evaluating. Allowed enum values: `1,6,12,24,48,168,336`                                                                                                                                                                                                                                         |
| anomalyDetectionOptions  | learningPeriodBaseline          | int64    | An optional override baseline to apply while the rule is in the learning period. Must be greater than or equal to 0.                                                                                                                                                                                                                                                                                             |
| options                  | complianceRuleOptions           | object   | Options for cloud_configuration rules. Fields `resourceType` and `regoRule` are mandatory when managing custom `cloud_configuration` rules.                                                                                                                                                                                                                                                                      |
| complianceRuleOptions    | complexRule                     | boolean  | Whether the rule is a complex one. Must be set to true if `regoRule.resourceTypes` contains more than one item. Defaults to false.                                                                                                                                                                                                                                                                               |
| complianceRuleOptions    | regoRule                        | object   | Rule details.                                                                                                                                                                                                                                                                                                                                                                                                    |
| regoRule                 | policy [*required*]        | string   | The policy written in `rego`, see: [https://www.openpolicyagent.org/docs/latest/policy-language/](https://www.openpolicyagent.org/docs/latest/policy-language/)                                                                                                                                                                                                                                                  |
| regoRule                 | resourceTypes [*required*] | [string] | List of resource types that will be evaluated upon. Must have at least one element.                                                                                                                                                                                                                                                                                                                              |
| complianceRuleOptions    | resourceType                    | string   | Main resource type to be checked by the rule. It should be specified again in `regoRule.resourceTypes`.                                                                                                                                                                                                                                                                                                          |
| options                  | decreaseCriticalityBasedOnEnv   | boolean  | If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise. The severity is decreased by one level: `CRITICAL` in production becomes `HIGH` in non-production, `HIGH` becomes `MEDIUM` and so on. `INFO` remains `INFO`. The decrement is applied when the environment tag of the signal starts with `staging`, `test` or `dev`. |
| options                  | detectionMethod                 | enum     | The detection method. Allowed enum values: `threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold,sequence_detection`                                                                                                                                                                                                                                                  |
| options                  | evaluationWindow                | enum     | A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600`                                                                                                                                               |
| options                  | hardcodedEvaluatorType          | enum     | Hardcoded evaluator type. Allowed enum values: `log4shell`                                                                                                                                                                                                                                                                                                                                                       |
| options                  | impossibleTravelOptions         | object   | Options on impossible travel detection method.                                                                                                                                                                                                                                                                                                                                                                   |
| impossibleTravelOptions  | baselineUserLocations           | boolean  | If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.                                                                                                                                                                                                    |
| options                  | keepAlive                       | enum     | Once a signal is generated, the signal will remain "open" if a case is matched at least once within this keep alive window. For third party detection method, this field is not used. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600`                                                                                                                                                         |
| options                  | maxSignalDuration               | enum     | A signal will "close" regardless of the query being matched once the time exceeds the maximum duration. This time is calculated from the first seen timestamp. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600`                                                                                                                                                                                |
| options                  | newValueOptions                 | object   | Options on new value detection method.                                                                                                                                                                                                                                                                                                                                                                           |
| newValueOptions          | forgetAfter                     | enum     | The duration in days after which a learned value is forgotten. Allowed enum values: `1,2,7,14,21,28`                                                                                                                                                                                                                                                                                                             |
| newValueOptions          | instantaneousBaseline           | boolean  | When set to true, Datadog uses previous values that fall within the defined learning window to construct the baseline, enabling the system to establish an accurate baseline more rapidly rather than relying solely on gradual learning over time.                                                                                                                                                              |
| newValueOptions          | learningDuration                | enum     | The duration in days during which values are learned, and after which signals will be generated for values that weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned. Allowed enum values: `0,1,7`                                                                                                                                                       |
| newValueOptions          | learningMethod                  | enum     | The learning method used to determine when signals should be generated for values that weren't learned. Allowed enum values: `duration,threshold`                                                                                                                                                                                                                                                                |
| newValueOptions          | learningThreshold               | enum     | A number of occurrences after which signals will be generated for values that weren't learned. Allowed enum values: `0,1`                                                                                                                                                                                                                                                                                        |
| options                  | sequenceDetectionOptions        | object   | Options on sequence detection method.                                                                                                                                                                                                                                                                                                                                                                            |
| sequenceDetectionOptions | stepTransitions                 | [object] | Transitions defining the allowed order of steps and their evaluation windows.                                                                                                                                                                                                                                                                                                                                    |
| stepTransitions          | child                           | string   | Name of the child step.                                                                                                                                                                                                                                                                                                                                                                                          |
| stepTransitions          | evaluationWindow                | enum     | A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600`                                                                                                                                               |
| stepTransitions          | parent                          | string   | Name of the parent step.                                                                                                                                                                                                                                                                                                                                                                                         |
| sequenceDetectionOptions | steps                           | [object] | Steps that define the conditions to be matched in sequence.                                                                                                                                                                                                                                                                                                                                                      |
| steps                    | condition                       | string   | Condition referencing rule queries (e.g., `a > 0`).                                                                                                                                                                                                                                                                                                                                                              |
| steps                    | evaluationWindow                | enum     | A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600`                                                                                                                                               |
| steps                    | name                            | string   | Unique name identifying the step.                                                                                                                                                                                                                                                                                                                                                                                |
| options                  | thirdPartyRuleOptions           | object   | Options on third party detection method.                                                                                                                                                                                                                                                                                                                                                                         |
| thirdPartyRuleOptions    | defaultNotifications            | [string] | Notification targets for the logs that do not correspond to any of the cases.                                                                                                                                                                                                                                                                                                                                    |
| thirdPartyRuleOptions    | defaultStatus                   | enum     | Severity of the Security Signal. Allowed enum values: `info,low,medium,high,critical`                                                                                                                                                                                                                                                                                                                            |
| thirdPartyRuleOptions    | rootQueries                     | [object] | Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.                                                                                                                                                                                                                                                      |
| rootQueries              | groupByFields                   | [string] | Fields to group by.                                                                                                                                                                                                                                                                                                                                                                                              |
| rootQueries              | query                           | string   | Query to run on logs.                                                                                                                                                                                                                                                                                                                                                                                            |
| thirdPartyRuleOptions    | signalTitleTemplate             | string   | A template for the signal title; if omitted, the title is generated based on the case name.                                                                                                                                                                                                                                                                                                                      |
| Option 1                 | queries                         | [object] | Queries for selecting logs which are part of the rule.                                                                                                                                                                                                                                                                                                                                                           |
| queries                  | aggregation                     | enum     | The aggregation type. Allowed enum values: `count,cardinality,sum,max,new_value,geo_data,event_count,none`                                                                                                                                                                                                                                                                                                       |
| queries                  | customQueryExtension            | string   | Query extension to append to the logs query.                                                                                                                                                                                                                                                                                                                                                                     |
| queries                  | dataSource                      | enum     | Source of events, either logs, audit trail, or Datadog events. `app_sec_spans` is deprecated in favor of `spans`. Allowed enum values: `logs,audit,app_sec_spans,spans,security_runtime,network,events`                                                                                                                                                                                                          |
| queries                  | distinctFields                  | [string] | Field for which the cardinality is measured. Sent as an array.                                                                                                                                                                                                                                                                                                                                                   |
| queries                  | groupByFields                   | [string] | Fields to group by.                                                                                                                                                                                                                                                                                                                                                                                              |
| queries                  | hasOptionalGroupByFields        | boolean  | When false, events without a group-by value are ignored by the rule. When true, events with missing group-by fields are processed with `N/A`, replacing the missing values.                                                                                                                                                                                                                                      |
| queries                  | index                           | string   | **This field is currently unstable and might be removed in a minor version upgrade.** The index to run the query on, if the `dataSource` is `logs`. Only used for scheduled rules - in other words, when the `schedulingOptions` field is present in the rule payload.                                                                                                                                           |
| queries                  | indexes                         | [string] | List of indexes to query when the `dataSource` is `logs`. Only used for scheduled rules, such as when the `schedulingOptions` field is present in the rule payload.                                                                                                                                                                                                                                              |
| queries                  | metric                          | string   | **DEPRECATED**: (Deprecated) The target field to aggregate over when using the sum or max aggregations. `metrics` field should be used instead.                                                                                                                                                                                                                                                                  |
| queries                  | metrics                         | [string] | Group of target fields to aggregate over when using the sum, max, geo data, or new value aggregations. The sum, max, and geo data aggregations only accept one value in this list, whereas the new value aggregation accepts up to five values.                                                                                                                                                                  |
| queries                  | name                            | string   | Name of the query.                                                                                                                                                                                                                                                                                                                                                                                               |
| queries                  | query                           | string   | Query to run on logs.                                                                                                                                                                                                                                                                                                                                                                                            |
| Option 1                 | referenceTables                 | [object] | Reference tables for the rule.                                                                                                                                                                                                                                                                                                                                                                                   |
| referenceTables          | checkPresence                   | boolean  | Whether to include or exclude the matched values.                                                                                                                                                                                                                                                                                                                                                                |
| referenceTables          | columnName                      | string   | The name of the column in the reference table.                                                                                                                                                                                                                                                                                                                                                                   |
| referenceTables          | logFieldPath                    | string   | The field in the log to match against the reference table.                                                                                                                                                                                                                                                                                                                                                       |
| referenceTables          | ruleQueryName                   | string   | The name of the query to apply the reference table to.                                                                                                                                                                                                                                                                                                                                                           |
| referenceTables          | tableName                       | string   | The name of the reference table.                                                                                                                                                                                                                                                                                                                                                                                 |
| Option 1                 | schedulingOptions               | object   | Options for scheduled rules. When this field is present, the rule runs based on the schedule. When absent, it runs real-time on ingested logs.                                                                                                                                                                                                                                                                   |
| schedulingOptions        | rrule                           | string   | Schedule for the rule queries, written in RRULE syntax. See [RFC](https://icalendar.org/iCalendar-RFC-5545/3-8-5-3-recurrence-rule.html) for syntax reference.                                                                                                                                                                                                                                                   |
| schedulingOptions        | start                           | string   | Start date for the schedule, in ISO 8601 format without timezone.                                                                                                                                                                                                                                                                                                                                                |
| schedulingOptions        | timezone                        | string   | Time zone of the start date, in the [tz database](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones) format.                                                                                                                                                                                                                                                                                          |
| Option 1                 | tags                            | [string] | Tags for generated signals.                                                                                                                                                                                                                                                                                                                                                                                      |
| Option 1                 | thirdPartyCases                 | [object] | Cases for generating signals from third-party rules. Only available for third-party rules.                                                                                                                                                                                                                                                                                                                       |
| thirdPartyCases          | customStatus                    | enum     | Severity of the Security Signal. Allowed enum values: `info,low,medium,high,critical`                                                                                                                                                                                                                                                                                                                            |
| thirdPartyCases          | name                            | string   | Name of the case.                                                                                                                                                                                                                                                                                                                                                                                                |
| thirdPartyCases          | notifications                   | [string] | Notification targets for each rule case.                                                                                                                                                                                                                                                                                                                                                                         |
| thirdPartyCases          | query                           | string   | A query to map a third party event to this case.                                                                                                                                                                                                                                                                                                                                                                 |
| thirdPartyCases          | status                          | enum     | Severity of the Security Signal. Allowed enum values: `info,low,medium,high,critical`                                                                                                                                                                                                                                                                                                                            |
| Option 1                 | type                            | enum     | The rule type. Allowed enum values: `log_detection,infrastructure_configuration,workload_security,cloud_configuration,application_security,api_security,workload_activity`                                                                                                                                                                                                                                       |
| Option 1                 | updateAuthorId                  | int64    | User ID of the user who updated the rule.                                                                                                                                                                                                                                                                                                                                                                        |
| Option 1                 | updatedAt                       | int64    | The date the rule was last updated, in milliseconds.                                                                                                                                                                                                                                                                                                                                                             |
| Option 1                 | version                         | int64    | The version of the rule.                                                                                                                                                                                                                                                                                                                                                                                         |
|                          | Option 2                        | object   | Rule.                                                                                                                                                                                                                                                                                                                                                                                                            |
| Option 2                 | cases                           | [object] | Cases for generating signals.                                                                                                                                                                                                                                                                                                                                                                                    |
| cases                    | actions                         | [object] | Action to perform for each rule case.                                                                                                                                                                                                                                                                                                                                                                            |
| actions                  | options                         | object   | Options for the rule action                                                                                                                                                                                                                                                                                                                                                                                      |
| options                  | duration                        | int64    | Duration of the action in seconds. 0 indicates no expiration.                                                                                                                                                                                                                                                                                                                                                    |
| options                  | flaggedIPType                   | enum     | Used with the case action of type 'flag_ip'. The value specified in this field is applied as a flag to the IP addresses. Allowed enum values: `SUSPICIOUS,FLAGGED`                                                                                                                                                                                                                                               |
| options                  | userBehaviorName                | string   | Used with the case action of type 'user_behavior'. The value specified in this field is applied as a risk tag to all users affected by the rule.                                                                                                                                                                                                                                                                 |
| actions                  | type                            | enum     | The action type. Allowed enum values: `block_ip,block_user,user_behavior,flag_ip`                                                                                                                                                                                                                                                                                                                                |
| cases                    | condition                       | string   | A rule case contains logical operations (`>`,`>=`, `&&`, `||`) to determine if a signal should be generated based on the event counts in the previously defined queries.                                                                                                                                                                                                                                         |
| cases                    | customStatus                    | enum     | Severity of the Security Signal. Allowed enum values: `info,low,medium,high,critical`                                                                                                                                                                                                                                                                                                                            |
| cases                    | name                            | string   | Name of the case.                                                                                                                                                                                                                                                                                                                                                                                                |
| cases                    | notifications                   | [string] | Notification targets for each rule case.                                                                                                                                                                                                                                                                                                                                                                         |
| cases                    | status                          | enum     | Severity of the Security Signal. Allowed enum values: `info,low,medium,high,critical`                                                                                                                                                                                                                                                                                                                            |
| Option 2                 | createdAt                       | int64    | When the rule was created, timestamp in milliseconds.                                                                                                                                                                                                                                                                                                                                                            |
| Option 2                 | creationAuthorId                | int64    | User ID of the user who created the rule.                                                                                                                                                                                                                                                                                                                                                                        |
| Option 2                 | customMessage                   | string   | Custom/Overridden message for generated signals (used in case of Default rule update).                                                                                                                                                                                                                                                                                                                           |
| Option 2                 | customName                      | string   | Custom/Overridden name of the rule (used in case of Default rule update).                                                                                                                                                                                                                                                                                                                                        |
| Option 2                 | deprecationDate                 | int64    | When the rule will be deprecated, timestamp in milliseconds.                                                                                                                                                                                                                                                                                                                                                     |
| Option 2                 | filters                         | [object] | Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules.                                                                                                                                                                                                                                              |
| filters                  | action                          | enum     | The type of filtering action. Allowed enum values: `require,suppress`                                                                                                                                                                                                                                                                                                                                            |
| filters                  | query                           | string   | Query for selecting logs to apply the filtering action.                                                                                                                                                                                                                                                                                                                                                          |
| Option 2                 | hasExtendedTitle                | boolean  | Whether the notifications include the triggering group-by values in their title.                                                                                                                                                                                                                                                                                                                                 |
| Option 2                 | id                              | string   | The ID of the rule.                                                                                                                                                                                                                                                                                                                                                                                              |
| Option 2                 | isDefault                       | boolean  | Whether the rule is included by default.                                                                                                                                                                                                                                                                                                                                                                         |
| Option 2                 | isDeleted                       | boolean  | Whether the rule has been deleted.                                                                                                                                                                                                                                                                                                                                                                               |
| Option 2                 | isEnabled                       | boolean  | Whether the rule is enabled.                                                                                                                                                                                                                                                                                                                                                                                     |
| Option 2                 | message                         | string   | Message for generated signals.                                                                                                                                                                                                                                                                                                                                                                                   |
| Option 2                 | name                            | string   | The name of the rule.                                                                                                                                                                                                                                                                                                                                                                                            |
| Option 2                 | options                         | object   | Options.                                                                                                                                                                                                                                                                                                                                                                                                         |
| options                  | anomalyDetectionOptions         | object   | Options on anomaly detection method.                                                                                                                                                                                                                                                                                                                                                                             |
| anomalyDetectionOptions  | bucketDuration                  | enum     | Duration in seconds of the time buckets used to aggregate events matched by the rule. Must be greater than or equal to 300. Allowed enum values: `300,600,900,1800,3600,10800`                                                                                                                                                                                                                                   |
| anomalyDetectionOptions  | detectionTolerance              | enum     | An optional parameter that sets how permissive anomaly detection is. Higher values require higher deviations before triggering a signal. Allowed enum values: `1,2,3,4,5`                                                                                                                                                                                                                                        |
| anomalyDetectionOptions  | instantaneousBaseline           | boolean  | When set to true, Datadog uses previous values that fall within the defined learning window to construct the baseline, enabling the system to establish an accurate baseline more rapidly rather than relying solely on gradual learning over time.                                                                                                                                                              |
| anomalyDetectionOptions  | learningDuration                | enum     | Learning duration in hours. Anomaly detection waits for at least this amount of historical data before it starts evaluating. Allowed enum values: `1,6,12,24,48,168,336`                                                                                                                                                                                                                                         |
| anomalyDetectionOptions  | learningPeriodBaseline          | int64    | An optional override baseline to apply while the rule is in the learning period. Must be greater than or equal to 0.                                                                                                                                                                                                                                                                                             |
| options                  | complianceRuleOptions           | object   | Options for cloud_configuration rules. Fields `resourceType` and `regoRule` are mandatory when managing custom `cloud_configuration` rules.                                                                                                                                                                                                                                                                      |
| complianceRuleOptions    | complexRule                     | boolean  | Whether the rule is a complex one. Must be set to true if `regoRule.resourceTypes` contains more than one item. Defaults to false.                                                                                                                                                                                                                                                                               |
| complianceRuleOptions    | regoRule                        | object   | Rule details.                                                                                                                                                                                                                                                                                                                                                                                                    |
| regoRule                 | policy [*required*]        | string   | The policy written in `rego`, see: [https://www.openpolicyagent.org/docs/latest/policy-language/](https://www.openpolicyagent.org/docs/latest/policy-language/)                                                                                                                                                                                                                                                  |
| regoRule                 | resourceTypes [*required*] | [string] | List of resource types that will be evaluated upon. Must have at least one element.                                                                                                                                                                                                                                                                                                                              |
| complianceRuleOptions    | resourceType                    | string   | Main resource type to be checked by the rule. It should be specified again in `regoRule.resourceTypes`.                                                                                                                                                                                                                                                                                                          |
| options                  | decreaseCriticalityBasedOnEnv   | boolean  | If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise. The severity is decreased by one level: `CRITICAL` in production becomes `HIGH` in non-production, `HIGH` becomes `MEDIUM` and so on. `INFO` remains `INFO`. The decrement is applied when the environment tag of the signal starts with `staging`, `test` or `dev`. |
| options                  | detectionMethod                 | enum     | The detection method. Allowed enum values: `threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold,sequence_detection`                                                                                                                                                                                                                                                  |
| options                  | evaluationWindow                | enum     | A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600`                                                                                                                                               |
| options                  | hardcodedEvaluatorType          | enum     | Hardcoded evaluator type. Allowed enum values: `log4shell`                                                                                                                                                                                                                                                                                                                                                       |
| options                  | impossibleTravelOptions         | object   | Options on impossible travel detection method.                                                                                                                                                                                                                                                                                                                                                                   |
| impossibleTravelOptions  | baselineUserLocations           | boolean  | If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.                                                                                                                                                                                                    |
| options                  | keepAlive                       | enum     | Once a signal is generated, the signal will remain "open" if a case is matched at least once within this keep alive window. For third party detection method, this field is not used. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600`                                                                                                                                                         |
| options                  | maxSignalDuration               | enum     | A signal will "close" regardless of the query being matched once the time exceeds the maximum duration. This time is calculated from the first seen timestamp. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600`                                                                                                                                                                                |
| options                  | newValueOptions                 | object   | Options on new value detection method.                                                                                                                                                                                                                                                                                                                                                                           |
| newValueOptions          | forgetAfter                     | enum     | The duration in days after which a learned value is forgotten. Allowed enum values: `1,2,7,14,21,28`                                                                                                                                                                                                                                                                                                             |
| newValueOptions          | instantaneousBaseline           | boolean  | When set to true, Datadog uses previous values that fall within the defined learning window to construct the baseline, enabling the system to establish an accurate baseline more rapidly rather than relying solely on gradual learning over time.                                                                                                                                                              |
| newValueOptions          | learningDuration                | enum     | The duration in days during which values are learned, and after which signals will be generated for values that weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned. Allowed enum values: `0,1,7`                                                                                                                                                       |
| newValueOptions          | learningMethod                  | enum     | The learning method used to determine when signals should be generated for values that weren't learned. Allowed enum values: `duration,threshold`                                                                                                                                                                                                                                                                |
| newValueOptions          | learningThreshold               | enum     | A number of occurrences after which signals will be generated for values that weren't learned. Allowed enum values: `0,1`                                                                                                                                                                                                                                                                                        |
| options                  | sequenceDetectionOptions        | object   | Options on sequence detection method.                                                                                                                                                                                                                                                                                                                                                                            |
| sequenceDetectionOptions | stepTransitions                 | [object] | Transitions defining the allowed order of steps and their evaluation windows.                                                                                                                                                                                                                                                                                                                                    |
| stepTransitions          | child                           | string   | Name of the child step.                                                                                                                                                                                                                                                                                                                                                                                          |
| stepTransitions          | evaluationWindow                | enum     | A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600`                                                                                                                                               |
| stepTransitions          | parent                          | string   | Name of the parent step.                                                                                                                                                                                                                                                                                                                                                                                         |
| sequenceDetectionOptions | steps                           | [object] | Steps that define the conditions to be matched in sequence.                                                                                                                                                                                                                                                                                                                                                      |
| steps                    | condition                       | string   | Condition referencing rule queries (e.g., `a > 0`).                                                                                                                                                                                                                                                                                                                                                              |
| steps                    | evaluationWindow                | enum     | A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600`                                                                                                                                               |
| steps                    | name                            | string   | Unique name identifying the step.                                                                                                                                                                                                                                                                                                                                                                                |
| options                  | thirdPartyRuleOptions           | object   | Options on third party detection method.                                                                                                                                                                                                                                                                                                                                                                         |
| thirdPartyRuleOptions    | defaultNotifications            | [string] | Notification targets for the logs that do not correspond to any of the cases.                                                                                                                                                                                                                                                                                                                                    |
| thirdPartyRuleOptions    | defaultStatus                   | enum     | Severity of the Security Signal. Allowed enum values: `info,low,medium,high,critical`                                                                                                                                                                                                                                                                                                                            |
| thirdPartyRuleOptions    | rootQueries                     | [object] | Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.                                                                                                                                                                                                                                                      |
| rootQueries              | groupByFields                   | [string] | Fields to group by.                                                                                                                                                                                                                                                                                                                                                                                              |
| rootQueries              | query                           | string   | Query to run on logs.                                                                                                                                                                                                                                                                                                                                                                                            |
| thirdPartyRuleOptions    | signalTitleTemplate             | string   | A template for the signal title; if omitted, the title is generated based on the case name.                                                                                                                                                                                                                                                                                                                      |
| Option 2                 | queries                         | [object] | Queries for selecting logs which are part of the rule.                                                                                                                                                                                                                                                                                                                                                           |
| queries                  | aggregation                     | enum     | The aggregation type. Allowed enum values: `count,cardinality,sum,max,new_value,geo_data,event_count,none`                                                                                                                                                                                                                                                                                                       |
| queries                  | correlatedByFields              | [string] | Fields to correlate by.                                                                                                                                                                                                                                                                                                                                                                                          |
| queries                  | correlatedQueryIndex            | int32    | Index of the rule query used to retrieve the correlated field.                                                                                                                                                                                                                                                                                                                                                   |
| queries                  | defaultRuleId                   | string   | Default Rule ID to match on signals.                                                                                                                                                                                                                                                                                                                                                                             |
| queries                  | distinctFields                  | [string] | Field for which the cardinality is measured. Sent as an array.                                                                                                                                                                                                                                                                                                                                                   |
| queries                  | groupByFields                   | [string] | Fields to group by.                                                                                                                                                                                                                                                                                                                                                                                              |
| queries                  | metrics                         | [string] | Group of target fields to aggregate over.                                                                                                                                                                                                                                                                                                                                                                        |
| queries                  | name                            | string   | Name of the query.                                                                                                                                                                                                                                                                                                                                                                                               |
| queries                  | ruleId                          | string   | Rule ID to match on signals.                                                                                                                                                                                                                                                                                                                                                                                     |
| Option 2                 | tags                            | [string] | Tags for generated signals.                                                                                                                                                                                                                                                                                                                                                                                      |
| Option 2                 | type                            | enum     | The rule type. Allowed enum values: `signal_correlation`                                                                                                                                                                                                                                                                                                                                                         |
| Option 2                 | updateAuthorId                  | int64    | User ID of the user who updated the rule.                                                                                                                                                                                                                                                                                                                                                                        |
| Option 2                 | version                         | int64    | The version of the rule.                                                                                                                                                                                                                                                                                                                                                                                         |

{% /tab %}

{% tab title="Example" %}

```json
{
  "calculatedFields": [
    {
      "expression": "@request_end_timestamp - @request_start_timestamp",
      "name": "response_time"
    }
  ],
  "cases": [
    {
      "actions": [
        {
          "options": {
            "duration": 0,
            "flaggedIPType": "FLAGGED",
            "userBehaviorName": "string"
          },
          "type": "string"
        }
      ],
      "condition": "string",
      "customStatus": "critical",
      "name": "string",
      "notifications": [],
      "status": "critical"
    }
  ],
  "complianceSignalOptions": {
    "defaultActivationStatus": false,
    "defaultGroupByFields": [],
    "userActivationStatus": false,
    "userGroupByFields": []
  },
  "createdAt": "integer",
  "creationAuthorId": "integer",
  "customMessage": "string",
  "customName": "string",
  "defaultTags": [
    "security:attacks"
  ],
  "deprecationDate": "integer",
  "filters": [
    {
      "action": "string",
      "query": "string"
    }
  ],
  "groupSignalsBy": [
    "service"
  ],
  "hasExtendedTitle": false,
  "id": "string",
  "isDefault": false,
  "isDeleted": false,
  "isEnabled": false,
  "message": "string",
  "name": "string",
  "options": {
    "anomalyDetectionOptions": {
      "bucketDuration": 300,
      "detectionTolerance": 5,
      "instantaneousBaseline": false,
      "learningDuration": "integer",
      "learningPeriodBaseline": "integer"
    },
    "complianceRuleOptions": {
      "complexRule": false,
      "regoRule": {
        "policy": "package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(resource) = \"skip\" if {\n  # Logic that evaluates to true if the resource should be skipped\n  true\n} else = \"pass\" {\n  # Logic that evaluates to true if the resource is compliant\n  true\n} else = \"fail\" {\n  # Logic that evaluates to true if the resource is not compliant\n  true\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n  some resource in input.resources[input.main_resource_type]\n  result := dd_output.format(resource, eval(resource))\n}",
        "resourceTypes": [
          "gcp_iam_service_account",
          "gcp_iam_policy"
        ]
      },
      "resourceType": "aws_acm"
    },
    "decreaseCriticalityBasedOnEnv": false,
    "detectionMethod": "string",
    "evaluationWindow": "integer",
    "hardcodedEvaluatorType": "string",
    "impossibleTravelOptions": {
      "baselineUserLocations": true
    },
    "keepAlive": "integer",
    "maxSignalDuration": "integer",
    "newValueOptions": {
      "forgetAfter": "integer",
      "instantaneousBaseline": false,
      "learningDuration": "integer",
      "learningMethod": "string",
      "learningThreshold": "integer"
    },
    "sequenceDetectionOptions": {
      "stepTransitions": [
        {
          "child": "string",
          "evaluationWindow": "integer",
          "parent": "string"
        }
      ],
      "steps": [
        {
          "condition": "string",
          "evaluationWindow": "integer",
          "name": "string"
        }
      ]
    },
    "thirdPartyRuleOptions": {
      "defaultNotifications": [],
      "defaultStatus": "critical",
      "rootQueries": [
        {
          "groupByFields": [],
          "query": "source:cloudtrail"
        }
      ],
      "signalTitleTemplate": "string"
    }
  },
  "queries": [
    {
      "aggregation": "string",
      "customQueryExtension": "a > 3",
      "dataSource": "logs",
      "distinctFields": [],
      "groupByFields": [],
      "hasOptionalGroupByFields": false,
      "index": "string",
      "indexes": [],
      "metric": "string",
      "metrics": [],
      "name": "string",
      "query": "a > 3"
    }
  ],
  "referenceTables": [
    {
      "checkPresence": false,
      "columnName": "string",
      "logFieldPath": "string",
      "ruleQueryName": "string",
      "tableName": "string"
    }
  ],
  "schedulingOptions": {
    "rrule": "FREQ=HOURLY;INTERVAL=1;",
    "start": "2025-07-14T12:00:00",
    "timezone": "America/New_York"
  },
  "tags": [],
  "thirdPartyCases": [
    {
      "customStatus": "critical",
      "name": "string",
      "notifications": [],
      "query": "string",
      "status": "critical"
    }
  ],
  "type": "string",
  "updateAuthorId": "integer",
  "updatedAt": "integer",
  "version": "integer"
}
```
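The constraints stated in the field table (allowed enum values, the `complexRule` / `regoRule.resourceTypes` dependency, step names referenced by `stepTransitions`, and the `decreaseCriticalityBasedOnEnv` downgrade) can be checked client-side before a rule is created or updated. The following is an added example, not Datadog's code and not part of the original page: `validate_rule_options` and `effective_severity` are hypothetical helper names, and the sample `options` object is constructed, with its `complianceRuleOptions` values copied from the example above and the policy shortened.

```python
"""Pre-flight check of a rule's `options` object against the constraints stated
in the field table above. Added example; helper names are hypothetical."""

WINDOWS = {0, 60, 300, 600, 900, 1800, 3600, 7200, 10800, 21600}
OPTION_ENUMS = {
    "detectionMethod": {"threshold", "new_value", "anomaly_detection", "impossible_travel",
                        "hardcoded", "third_party", "anomaly_threshold", "sequence_detection"},
    "evaluationWindow": WINDOWS,
    "keepAlive": WINDOWS,
    "maxSignalDuration": WINDOWS,
    "hardcodedEvaluatorType": {"log4shell"},
}
NEW_VALUE_ENUMS = {
    "forgetAfter": {1, 2, 7, 14, 21, 28},
    "learningDuration": {0, 1, 7},
    "learningMethod": {"duration", "threshold"},
    "learningThreshold": {0, 1},
}
SEVERITIES = ["info", "low", "medium", "high", "critical"]  # lowest to highest
NON_PROD_PREFIXES = ("staging", "test", "dev")


def _check_enums(obj, allowed, path, findings):
    """Append a finding for every present field whose value is outside its enum."""
    for field, values in allowed.items():
        if field not in obj:
            continue
        value = obj[field]
        # bool is rejected explicitly because True == 1 in Python
        if isinstance(value, (bool, list, dict)) or value not in values:
            findings.append(f"{path}{field}: {value!r} is not an allowed value")


def validate_rule_options(options):
    """Return a list of findings; an empty list means no documented constraint is violated."""
    findings = []
    _check_enums(options, OPTION_ENUMS, "options.", findings)
    _check_enums(options.get("newValueOptions", {}), NEW_VALUE_ENUMS,
                 "options.newValueOptions.", findings)

    compliance = options.get("complianceRuleOptions", {})
    rego = compliance.get("regoRule")
    if rego is not None:
        types = rego.get("resourceTypes") or []
        if not rego.get("policy"):
            findings.append("regoRule.policy: required")
        if not types:
            findings.append("regoRule.resourceTypes: must have at least one element")
        if len(types) > 1 and not compliance.get("complexRule", False):
            findings.append("complexRule: must be true when regoRule.resourceTypes has more than one item")
        main = compliance.get("resourceType")
        if main is not None and main not in types:
            findings.append(f"resourceType: {main!r} is not specified again in regoRule.resourceTypes")

    seq = options.get("sequenceDetectionOptions", {})
    steps = seq.get("steps", [])
    names = [step.get("name") for step in steps]
    for dup in sorted({n for n in names if n is not None and names.count(n) > 1}):
        findings.append(f"steps: name {dup!r} is not unique")
    for i, step in enumerate(steps):
        _check_enums(step, {"evaluationWindow": WINDOWS}, f"steps[{i}].", findings)
    for i, transition in enumerate(seq.get("stepTransitions", [])):
        _check_enums(transition, {"evaluationWindow": WINDOWS}, f"stepTransitions[{i}].", findings)
        for end in ("parent", "child"):
            if transition.get(end) not in names:
                findings.append(f"stepTransitions[{i}].{end}: {transition.get(end)!r} is not a defined step")
    return findings


def effective_severity(case_status, env, decrease_criticality_based_on_env):
    """Severity of a signal after the decreaseCriticalityBasedOnEnv downgrade.

    The prefix match on the environment tag is case-sensitive here (an assumption;
    the table only says the tag "starts with" staging, test or dev)."""
    status = case_status.lower()
    if decrease_criticality_based_on_env and env.startswith(NON_PROD_PREFIXES):
        return SEVERITIES[max(SEVERITIES.index(status) - 1, 0)]
    return status


# Constructed sample: several option groups in one object, as in the page's example.
SAMPLE_OPTIONS = {
    "detectionMethod": "sequence_detection",
    "evaluationWindow": 450,  # constructed: not one of the allowed windows
    "keepAlive": 3600,
    "maxSignalDuration": 7200,
    "complianceRuleOptions": {  # values from the page's example, policy shortened
        "complexRule": False,
        "regoRule": {"policy": "package datadog",
                     "resourceTypes": ["gcp_iam_service_account", "gcp_iam_policy"]},
        "resourceType": "aws_acm",
    },
    "sequenceDetectionOptions": {  # constructed steps and transition
        "steps": [{"name": "login", "condition": "a > 0", "evaluationWindow": 300},
                  {"name": "escalate", "condition": "b > 0", "evaluationWindow": 300}],
        "stepTransitions": [{"parent": "login", "child": "escalation", "evaluationWindow": 600}],
    },
}

if __name__ == "__main__":
    for finding in validate_rule_options(SAMPLE_OPTIONS):
        print(finding)
    print(effective_severity("CRITICAL", "staging-eu", True))
```

The `complianceRuleOptions` values shown in the example above trip two of these checks: `complexRule` is `false` although two resource types are listed, and `resourceType` is not repeated in `regoRule.resourceTypes`.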

{% /tab %}

{% /tab %}

{% tab title="404" %}
Not Found
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="429" %}
Too many requests
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

### Code Example

##### Curl

```bash
# Path parameters
export rule_id="CHANGE_ME"
# Curl command
# Replace api.datadoghq.com with the API host of your Datadog site:
# api.ap1.datadoghq.com, api.ap2.datadoghq.com, api.datadoghq.eu,
# api.ddog-gov.com, api.us3.datadoghq.com or api.us5.datadoghq.com
curl -X GET "https://api.datadoghq.com/api/v2/security_monitoring/rules/${rule_id}" \
-H "Accept: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"
```

##### Python

```python
"""
Get a rule's details returns "OK" response
"""

from os import environ
from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi

# there is a valid "security_rule" in the system
SECURITY_RULE_ID = environ["SECURITY_RULE_ID"]

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.get_security_monitoring_rule(
        rule_id=SECURITY_RULE_ID,
    )

    print(response)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=python), then save the example to `example.py` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com` or `ddog-gov.com`):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
```

##### Ruby

```ruby
# Get a rule's details returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

# there is a valid "security_rule" in the system
SECURITY_RULE_ID = ENV["SECURITY_RULE_ID"]
p api_instance.get_security_monitoring_rule(SECURITY_RULE_ID)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=ruby), then save the example to `example.rb` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com` or `ddog-gov.com`):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" ruby "example.rb"
```

##### Go

```go
// Get a rule's details returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	// there is a valid "security_rule" in the system
	SecurityRuleID := os.Getenv("SECURITY_RULE_ID")

	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.GetSecurityMonitoringRule(ctx, SecurityRuleID)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.GetSecurityMonitoringRule`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.GetSecurityMonitoringRule`:\n%s\n", responseContent)
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=go), then save the example to `main.go` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com` or `ddog-gov.com`):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
```

##### Java

```java
// Get a rule's details returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleResponse;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    // there is a valid "security_rule" in the system
    String SECURITY_RULE_ID = System.getenv("SECURITY_RULE_ID");

    try {
      SecurityMonitoringRuleResponse result =
          apiInstance.getSecurityMonitoringRule(SECURITY_RULE_ID);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println("Exception when calling SecurityMonitoringApi#getSecurityMonitoringRule");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=java), then save the example to `Example.java` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com` or `ddog-gov.com`):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"
```

##### Rust

```rust
// Get a rule's details returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;

#[tokio::main]
async fn main() {
    // there is a valid "security_rule" in the system
    let security_rule_id = std::env::var("SECURITY_RULE_ID").unwrap();
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api
        .get_security_monitoring_rule(security_rule_id.clone())
        .await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=rust), then save the example to `src/main.rs` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com` or `ddog-gov.com`):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run
```

##### TypeScript

```typescript
/**
 * Get a rule's details returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

// there is a valid "security_rule" in the system
const SECURITY_RULE_ID = process.env.SECURITY_RULE_ID as string;

const params: v2.SecurityMonitoringApiGetSecurityMonitoringRuleRequest = {
  ruleId: SECURITY_RULE_ID,
};

apiInstance
  .getSecurityMonitoringRule(params)
  .then((data: v2.SecurityMonitoringRuleResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=typescript), then save the example to `example.ts` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"
{% /tab %}

## Update an existing rule{% #update-an-existing-rule %}

{% tab title="v2" %}

| Datadog site      | API endpoint                                                                 |
| ----------------- | ---------------------------------------------------------------------------- |
| ap1.datadoghq.com | PUT https://api.ap1.datadoghq.com/api/v2/security_monitoring/rules/{rule_id} |
| ap2.datadoghq.com | PUT https://api.ap2.datadoghq.com/api/v2/security_monitoring/rules/{rule_id} |
| app.datadoghq.eu  | PUT https://api.datadoghq.eu/api/v2/security_monitoring/rules/{rule_id}      |
| app.ddog-gov.com  | PUT https://api.ddog-gov.com/api/v2/security_monitoring/rules/{rule_id}      |
| app.datadoghq.com | PUT https://api.datadoghq.com/api/v2/security_monitoring/rules/{rule_id}     |
| us3.datadoghq.com | PUT https://api.us3.datadoghq.com/api/v2/security_monitoring/rules/{rule_id} |
| us5.datadoghq.com | PUT https://api.us5.datadoghq.com/api/v2/security_monitoring/rules/{rule_id} |

### Overview

Update an existing rule. When updating `cases`, `queries` or `options`, the whole field must be included. For example, when modifying a query all queries must be included. Default rules can only be updated to be enabled, to change notifications, or to update the tags (default tags cannot be removed). This endpoint requires the `security_monitoring_rules_write` permission.

OAuth apps require the `security_monitoring_rules_write` authorization [scope](https://docs.datadoghq.com/api/latest/scopes/#security-monitoring) to access this endpoint.
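The whole-field rule and the default-rule restrictions above are easy to violate by sending only the part of a rule that changed, which silently drops the remaining queries, cases, or options from a detection. The following is an added example, not part of the Datadog documentation or client libraries: it builds the PUT body from the rule returned by a prior GET and rejects partial or disallowed updates. The helper names, the sample rule, and the use of an `isDefault` response field are assumptions, and the tag check is conservative (it refuses to drop any existing tag on a default rule rather than telling default tags from user-added ones).

```python
"""Build a PUT body for /api/v2/security_monitoring/rules/{rule_id} from the
rule returned by GET, enforcing the constraints stated in the Overview."""
import copy

# Fields the Overview says must be sent whole when they are updated.
WHOLE_FIELDS = ("cases", "queries", "options")
# Top-level fields this example lets through for a default rule.
# Notifications live inside `cases`, so `cases` is allowed but checked below.
DEFAULT_RULE_FIELDS = {"isEnabled", "tags", "cases"}

# Constructed sample of a rule as returned by GET (not real data).
SAMPLE_RULE = {
    "id": "abc-123-xyz",
    "isDefault": False,  # assumed response field marking Datadog-provided rules
    "isEnabled": True,
    "name": "Constructed example rule",
    "tags": ["team:secops", "source:constructed"],
    "queries": [
        {"name": "failed", "query": "@evt.outcome:failure"},
        {"name": "succeeded", "query": "@evt.outcome:success"},
    ],
    "cases": [
        {"name": "burst", "status": "high",
         "condition": "failed > 10 && succeeded > 0",
         "notifications": ["@constructed-oncall"]},
    ],
    "options": {"detectionMethod": "threshold", "evaluationWindow": 300,
                "keepAlive": 3600, "maxSignalDuration": 3600},
}


class UpdateError(ValueError):
    """The requested change would send a partial field or is not permitted."""


def set_query(index, text):
    """Return an edit that rewrites one query and keeps every other query."""
    def apply(queries):
        queries[index]["query"] = text
        return queries
    return apply


def _check_whole(field, old, new):
    # A shorter list, or an options object with missing keys, usually means
    # the caller sent only the part they changed; the rest would be dropped.
    if old is None:
        return
    if type(new) is not type(old):
        raise UpdateError(f"{field}: expected {type(old).__name__}")
    if isinstance(old, list) and len(new) < len(old):
        raise UpdateError(f"{field}: {len(old) - len(new)} existing item(s) missing")
    if isinstance(old, dict) and set(old) - set(new):
        raise UpdateError(f"{field}: missing keys {sorted(set(old) - set(new))}")


def _without_notifications(cases):
    return [{k: v for k, v in c.items() if k != "notifications"} for c in cases]


def _check_default_rule(current, body):
    extra = sorted(set(body) - DEFAULT_RULE_FIELDS)
    if extra:
        raise UpdateError(f"default rule: cannot update {extra}")
    if "cases" in body and _without_notifications(body["cases"]) != \
            _without_notifications(current.get("cases", [])):
        raise UpdateError("default rule: only case notifications may change")
    old_tags = current.get("tags", [])
    dropped = sorted(set(old_tags) - set(body.get("tags", old_tags)))
    if dropped:
        raise UpdateError(f"default rule: tags removed {dropped}")


def build_update_body(current, changes, allow_removal=False):
    """Return the PUT body for `changes` applied to `current`.

    Each value in `changes` is either the complete new value of a top-level
    field or a callable that receives a copy of the current value and returns
    the new one. Pass allow_removal=True to delete queries, cases or option
    keys on purpose.
    """
    body = {}
    for field, change in changes.items():
        old = copy.deepcopy(current.get(field))
        new = change(old) if callable(change) else copy.deepcopy(change)
        if field in WHOLE_FIELDS and not allow_removal:
            _check_whole(field, current.get(field), new)
        body[field] = new
    if current.get("isDefault"):
        _check_default_rule(current, body)
    return body
```

Serialize the returned dictionary as JSON and send it as the body of the PUT request for the same `rule_id` the rule was fetched with.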



### Arguments

#### Path Parameters

| Name                      | Type   | Description         |
| ------------------------- | ------ | ------------------- |
| rule_id [*required*] | string | The ID of the rule. |

### Request

#### Body Data (required)



{% tab title="Model" %}

| Parent field             | Field                           | Type            | Description                                                                                                                                                                                                                                                                                                                                                                                                      |
| ------------------------ | ------------------------------- | --------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|                          | calculatedFields                | [object]        | Calculated fields. Only allowed for scheduled rules - in other words, when schedulingOptions is also defined.                                                                                                                                                                                                                                                                                                    |
| calculatedFields         | expression [*required*]    | string          | Expression.                                                                                                                                                                                                                                                                                                                                                                                                      |
| calculatedFields         | name [*required*]          | string          | Field name.                                                                                                                                                                                                                                                                                                                                                                                                      |
|                          | cases                           | [object]        | Cases for generating signals.                                                                                                                                                                                                                                                                                                                                                                                    |
| cases                    | actions                         | [object]        | Action to perform for each rule case.                                                                                                                                                                                                                                                                                                                                                                            |
| actions                  | options                         | object          | Options for the rule action                                                                                                                                                                                                                                                                                                                                                                                      |
| options                  | duration                        | int64           | Duration of the action in seconds. 0 indicates no expiration.                                                                                                                                                                                                                                                                                                                                                    |
| options                  | flaggedIPType                   | enum            | Used with the case action of type 'flag_ip'. The value specified in this field is applied as a flag to the IP addresses. Allowed enum values: `SUSPICIOUS,FLAGGED`                                                                                                                                                                                                                                               |
| options                  | userBehaviorName                | string          | Used with the case action of type 'user_behavior'. The value specified in this field is applied as a risk tag to all users affected by the rule.                                                                                                                                                                                                                                                                 |
| actions                  | type                            | enum            | The action type. Allowed enum values: `block_ip,block_user,user_behavior,flag_ip`                                                                                                                                                                                                                                                                                                                                |
| cases                    | condition                       | string          | A rule case contains logical operations (`>`,`>=`, `&&`, `||`) to determine if a signal should be generated based on the event counts in the previously defined queries.                                                                                                                                                                                                                                         |
| cases                    | customStatus                    | enum            | Severity of the Security Signal. Allowed enum values: `info,low,medium,high,critical`                                                                                                                                                                                                                                                                                                                            |
| cases                    | name                            | string          | Name of the case.                                                                                                                                                                                                                                                                                                                                                                                                |
| cases                    | notifications                   | [string]        | Notification targets for each rule case.                                                                                                                                                                                                                                                                                                                                                                         |
| cases                    | status                          | enum            | Severity of the Security Signal. Allowed enum values: `info,low,medium,high,critical`                                                                                                                                                                                                                                                                                                                            |
|                          | complianceSignalOptions         | object          | How to generate compliance signals. Useful for cloud_configuration rules only.                                                                                                                                                                                                                                                                                                                                   |
| complianceSignalOptions  | defaultActivationStatus         | boolean         | The default activation status.                                                                                                                                                                                                                                                                                                                                                                                   |
| complianceSignalOptions  | defaultGroupByFields            | [string]        | The default group by fields.                                                                                                                                                                                                                                                                                                                                                                                     |
| complianceSignalOptions  | userActivationStatus            | boolean         | Whether signals will be sent.                                                                                                                                                                                                                                                                                                                                                                                    |
| complianceSignalOptions  | userGroupByFields               | [string]        | Fields to use to group findings by when sending signals.                                                                                                                                                                                                                                                                                                                                                         |
|                          | customMessage                   | string          | Custom/Overridden Message for generated signals (used in case of Default rule update).                                                                                                                                                                                                                                                                                                                           |
|                          | customName                      | string          | Custom/Overridden name (used in case of Default rule update).                                                                                                                                                                                                                                                                                                                                                    |
|                          | filters                         | [object]        | Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules.                                                                                                                                                                                                                                              |
| filters                  | action                          | enum            | The type of filtering action. Allowed enum values: `require,suppress`                                                                                                                                                                                                                                                                                                                                            |
| filters                  | query                           | string          | Query for selecting logs to apply the filtering action.                                                                                                                                                                                                                                                                                                                                                          |
|                          | groupSignalsBy                  | [string]        | Additional grouping to perform on top of the existing groups in the query section. Must be a subset of the existing groups.                                                                                                                                                                                                                                                                                      |
|                          | hasExtendedTitle                | boolean         | Whether the notifications include the triggering group-by values in their title.                                                                                                                                                                                                                                                                                                                                 |
|                          | isEnabled                       | boolean         | Whether the rule is enabled.                                                                                                                                                                                                                                                                                                                                                                                     |
|                          | message                         | string          | Message for generated signals.                                                                                                                                                                                                                                                                                                                                                                                   |
|                          | name                            | string          | Name of the rule.                                                                                                                                                                                                                                                                                                                                                                                                |
|                          | options                         | object          | Options.                                                                                                                                                                                                                                                                                                                                                                                                         |
| options                  | anomalyDetectionOptions         | object          | Options on anomaly detection method.                                                                                                                                                                                                                                                                                                                                                                             |
| anomalyDetectionOptions  | bucketDuration                  | enum            | Duration in seconds of the time buckets used to aggregate events matched by the rule. Must be greater than or equal to 300. Allowed enum values: `300,600,900,1800,3600,10800`                                                                                                                                                                                                                                   |
| anomalyDetectionOptions  | detectionTolerance              | enum            | An optional parameter that sets how permissive anomaly detection is. Higher values require higher deviations before triggering a signal. Allowed enum values: `1,2,3,4,5`                                                                                                                                                                                                                                        |
| anomalyDetectionOptions  | instantaneousBaseline           | boolean         | When set to true, Datadog uses previous values that fall within the defined learning window to construct the baseline, enabling the system to establish an accurate baseline more rapidly rather than relying solely on gradual learning over time.                                                                                                                                                              |
| anomalyDetectionOptions  | learningDuration                | enum            | Learning duration in hours. Anomaly detection waits for at least this amount of historical data before it starts evaluating. Allowed enum values: `1,6,12,24,48,168,336`                                                                                                                                                                                                                                         |
| anomalyDetectionOptions  | learningPeriodBaseline          | int64           | An optional override baseline to apply while the rule is in the learning period. Must be greater than or equal to 0.                                                                                                                                                                                                                                                                                             |
| options                  | complianceRuleOptions           | object          | Options for cloud_configuration rules. Fields `resourceType` and `regoRule` are mandatory when managing custom `cloud_configuration` rules.                                                                                                                                                                                                                                                                      |
| complianceRuleOptions    | complexRule                     | boolean         | Whether the rule is a complex one. Must be set to true if `regoRule.resourceTypes` contains more than one item. Defaults to false.                                                                                                                                                                                                                                                                               |
| complianceRuleOptions    | regoRule                        | object          | Rule details.                                                                                                                                                                                                                                                                                                                                                                                                    |
| regoRule                 | policy [*required*]        | string          | The policy written in `rego`, see: [https://www.openpolicyagent.org/docs/latest/policy-language/](https://www.openpolicyagent.org/docs/latest/policy-language/)                                                                                                                                                                                                                                                  |
| regoRule                 | resourceTypes [*required*] | [string]        | List of resource types that will be evaluated upon. Must have at least one element.                                                                                                                                                                                                                                                                                                                              |
| complianceRuleOptions    | resourceType                    | string          | Main resource type to be checked by the rule. It should be specified again in `regoRule.resourceTypes`.                                                                                                                                                                                                                                                                                                          |
| options                  | decreaseCriticalityBasedOnEnv   | boolean         | If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise. The severity is decreased by one level: `CRITICAL` in production becomes `HIGH` in non-production, `HIGH` becomes `MEDIUM` and so on. `INFO` remains `INFO`. The decrement is applied when the environment tag of the signal starts with `staging`, `test` or `dev`. |
| options                  | detectionMethod                 | enum            | The detection method. Allowed enum values: `threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold,sequence_detection`                                                                                                                                                                                                                                                  |
| options                  | evaluationWindow                | enum            | A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600`                                                                                                                                               |
| options                  | hardcodedEvaluatorType          | enum            | Hardcoded evaluator type. Allowed enum values: `log4shell`                                                                                                                                                                                                                                                                                                                                                       |
| options                  | impossibleTravelOptions         | object          | Options on impossible travel detection method.                                                                                                                                                                                                                                                                                                                                                                   |
| impossibleTravelOptions  | baselineUserLocations           | boolean         | If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.                                                                                                                                                                                                    |
| options                  | keepAlive                       | enum            | Once a signal is generated, the signal will remain "open" if a case is matched at least once within this keep alive window. For third party detection method, this field is not used. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600`                                                                                                                                                         |
| options                  | maxSignalDuration               | enum            | A signal will "close" regardless of the query being matched once the time exceeds the maximum duration. This time is calculated from the first seen timestamp. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600`                                                                                                                                                                                |
| options                  | newValueOptions                 | object          | Options on new value detection method.                                                                                                                                                                                                                                                                                                                                                                           |
| newValueOptions          | forgetAfter                     | enum            | The duration in days after which a learned value is forgotten. Allowed enum values: `1,2,7,14,21,28`                                                                                                                                                                                                                                                                                                             |
| newValueOptions          | instantaneousBaseline           | boolean         | When set to true, Datadog uses previous values that fall within the defined learning window to construct the baseline, enabling the system to establish an accurate baseline more rapidly rather than relying solely on gradual learning over time.                                                                                                                                                              |
| newValueOptions          | learningDuration                | enum            | The duration in days during which values are learned, and after which signals will be generated for values that weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned. Allowed enum values: `0,1,7`                                                                                                                                                       |
| newValueOptions          | learningMethod                  | enum            | The learning method used to determine when signals should be generated for values that weren't learned. Allowed enum values: `duration,threshold`                                                                                                                                                                                                                                                                |
| newValueOptions          | learningThreshold               | enum            | A number of occurrences after which signals will be generated for values that weren't learned. Allowed enum values: `0,1`                                                                                                                                                                                                                                                                                        |
| options                  | sequenceDetectionOptions        | object          | Options on sequence detection method.                                                                                                                                                                                                                                                                                                                                                                            |
| sequenceDetectionOptions | stepTransitions                 | [object]        | Transitions defining the allowed order of steps and their evaluation windows.                                                                                                                                                                                                                                                                                                                                    |
| stepTransitions          | child                           | string          | Name of the child step.                                                                                                                                                                                                                                                                                                                                                                                          |
| stepTransitions          | evaluationWindow                | enum            | A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600`                                                                                                                                               |
| stepTransitions          | parent                          | string          | Name of the parent step.                                                                                                                                                                                                                                                                                                                                                                                         |
| sequenceDetectionOptions | steps                           | [object]        | Steps that define the conditions to be matched in sequence.                                                                                                                                                                                                                                                                                                                                                      |
| steps                    | condition                       | string          | Condition referencing rule queries (e.g., `a > 0`).                                                                                                                                                                                                                                                                                                                                                              |
| steps                    | evaluationWindow                | enum            | A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600`                                                                                                                                               |
| steps                    | name                            | string          | Unique name identifying the step.                                                                                                                                                                                                                                                                                                                                                                                |
| options                  | thirdPartyRuleOptions           | object          | Options on third party detection method.                                                                                                                                                                                                                                                                                                                                                                         |
| thirdPartyRuleOptions    | defaultNotifications            | [string]        | Notification targets for the logs that do not correspond to any of the cases.                                                                                                                                                                                                                                                                                                                                    |
| thirdPartyRuleOptions    | defaultStatus                   | enum            | Severity of the Security Signal. Allowed enum values: `info,low,medium,high,critical`                                                                                                                                                                                                                                                                                                                            |
| thirdPartyRuleOptions    | rootQueries                     | [object]        | Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.                                                                                                                                                                                                                                                      |
| rootQueries              | groupByFields                   | [string]        | Fields to group by.                                                                                                                                                                                                                                                                                                                                                                                              |
| rootQueries              | query                           | string          | Query to run on logs.                                                                                                                                                                                                                                                                                                                                                                                            |
| thirdPartyRuleOptions    | signalTitleTemplate             | string          | A template for the signal title; if omitted, the title is generated based on the case name.                                                                                                                                                                                                                                                                                                                      |
|                          | queries                         | [ <oneOf>] | Queries for selecting logs which are part of the rule.                                                                                                                                                                                                                                                                                                                                                           |
| queries                  | Option 1                        | object          | Query for matching rule.                                                                                                                                                                                                                                                                                                                                                                                         |
| Option 1                 | aggregation                     | enum            | The aggregation type. Allowed enum values: `count,cardinality,sum,max,new_value,geo_data,event_count,none`                                                                                                                                                                                                                                                                                                       |
| Option 1                 | customQueryExtension            | string          | Query extension to append to the logs query.                                                                                                                                                                                                                                                                                                                                                                     |
| Option 1                 | dataSource                      | enum            | Source of events, either logs, audit trail, or Datadog events. `app_sec_spans` is deprecated in favor of `spans`. Allowed enum values: `logs,audit,app_sec_spans,spans,security_runtime,network,events`                                                                                                                                                                                                          |
| Option 1                 | distinctFields                  | [string]        | Field for which the cardinality is measured. Sent as an array.                                                                                                                                                                                                                                                                                                                                                   |
| Option 1                 | groupByFields                   | [string]        | Fields to group by.                                                                                                                                                                                                                                                                                                                                                                                              |
| Option 1                 | hasOptionalGroupByFields        | boolean         | When false, events without a group-by value are ignored by the rule. When true, events with missing group-by fields are processed with `N/A`, replacing the missing values.                                                                                                                                                                                                                                      |
| Option 1                 | index                           | string          | **This field is currently unstable and might be removed in a minor version upgrade.** The index to run the query on, if the `dataSource` is `logs`. Only used for scheduled rules - in other words, when the `schedulingOptions` field is present in the rule payload.                                                                                                                                           |
| Option 1                 | indexes                         | [string]        | List of indexes to query when the `dataSource` is `logs`. Only used for scheduled rules, such as when the `schedulingOptions` field is present in the rule payload.                                                                                                                                                                                                                                              |
| Option 1                 | metric                          | string          | **DEPRECATED**: The target field to aggregate over when using the sum or max aggregations. Use the `metrics` field instead. |
| Option 1                 | metrics                         | [string]        | Group of target fields to aggregate over when using the sum, max, geo data, or new value aggregations. The sum, max, and geo data aggregations only accept one value in this list, whereas the new value aggregation accepts up to five values.                                                                                                                                                                  |
| Option 1                 | name                            | string          | Name of the query.                                                                                                                                                                                                                                                                                                                                                                                               |
| Option 1                 | query                           | string          | Query to run on logs.                                                                                                                                                                                                                                                                                                                                                                                            |
| queries                  | Option 2                        | object          | Query for matching rule on signals.                                                                                                                                                                                                                                                                                                                                                                              |
| Option 2                 | aggregation                     | enum            | The aggregation type. Allowed enum values: `count,cardinality,sum,max,new_value,geo_data,event_count,none`                                                                                                                                                                                                                                                                                                       |
| Option 2                 | correlatedByFields              | [string]        | Fields to group by.                                                                                                                                                                                                                                                                                                                                                                                              |
| Option 2                 | correlatedQueryIndex            | int32           | Index of the rule query used to retrieve the correlated field.                                                                                                                                                                                                                                                                                                                                                   |
| Option 2                 | metrics                         | [string]        | Group of target fields to aggregate over.                                                                                                                                                                                                                                                                                                                                                                        |
| Option 2                 | name                            | string          | Name of the query.                                                                                                                                                                                                                                                                                                                                                                                               |
| Option 2                 | ruleId [*required*]        | string          | Rule ID to match on signals.                                                                                                                                                                                                                                                                                                                                                                                     |
|                          | referenceTables                 | [object]        | Reference tables for the rule.                                                                                                                                                                                                                                                                                                                                                                                   |
| referenceTables          | checkPresence                   | boolean         | Whether to include or exclude the matched values.                                                                                                                                                                                                                                                                                                                                                                |
| referenceTables          | columnName                      | string          | The name of the column in the reference table.                                                                                                                                                                                                                                                                                                                                                                   |
| referenceTables          | logFieldPath                    | string          | The field in the log to match against the reference table.                                                                                                                                                                                                                                                                                                                                                       |
| referenceTables          | ruleQueryName                   | string          | The name of the query to apply the reference table to.                                                                                                                                                                                                                                                                                                                                                           |
| referenceTables          | tableName                       | string          | The name of the reference table.                                                                                                                                                                                                                                                                                                                                                                                 |
|                          | schedulingOptions               | object          | Options for scheduled rules. When this field is present, the rule runs based on the schedule. When absent, it runs real-time on ingested logs.                                                                                                                                                                                                                                                                   |
| schedulingOptions        | rrule                           | string          | Schedule for the rule queries, written in RRULE syntax. See [RFC](https://icalendar.org/iCalendar-RFC-5545/3-8-5-3-recurrence-rule.html) for syntax reference.                                                                                                                                                                                                                                                   |
| schedulingOptions        | start                           | string          | Start date for the schedule, in ISO 8601 format without timezone.                                                                                                                                                                                                                                                                                                                                                |
| schedulingOptions        | timezone                        | string          | Time zone of the start date, in the [tz database](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones) format.                                                                                                                                                                                                                                                                                          |
|                          | tags                            | [string]        | Tags for generated signals.                                                                                                                                                                                                                                                                                                                                                                                      |
|                          | thirdPartyCases                 | [object]        | Cases for generating signals from third-party rules. Only available for third-party rules.                                                                                                                                                                                                                                                                                                                       |
| thirdPartyCases          | customStatus                    | enum            | Severity of the Security Signal. Allowed enum values: `info,low,medium,high,critical`                                                                                                                                                                                                                                                                                                                            |
| thirdPartyCases          | name                            | string          | Name of the case.                                                                                                                                                                                                                                                                                                                                                                                                |
| thirdPartyCases          | notifications                   | [string]        | Notification targets for each rule case.                                                                                                                                                                                                                                                                                                                                                                         |
| thirdPartyCases          | query                           | string          | A query to map a third party event to this case.                                                                                                                                                                                                                                                                                                                                                                 |
| thirdPartyCases          | status                          | enum            | Severity of the Security Signal. Allowed enum values: `info,low,medium,high,critical`                                                                                                                                                                                                                                                                                                                            |
|                          | version                         | int32           | The version of the rule being updated.                                                                                                                                                                                                                                                                                                                                                                           |

{% /tab %}

{% tab title="Example" %}

```json
{
  "name": "Example-Security-Monitoring_cloud_updated",
  "isEnabled": false,
  "cases": [
    {
      "status": "info",
      "notifications": []
    }
  ],
  "options": {
    "complianceRuleOptions": {
      "resourceType": "gcp_compute_disk",
      "regoRule": {
        "policy": "package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nmilliseconds_in_a_day := ((1000 * 60) * 60) * 24\n\neval(iam_service_account_key) = \"skip\" if {\n\tiam_service_account_key.disabled\n} else = \"pass\" if {\n\t(iam_service_account_key.resource_seen_at / milliseconds_in_a_day) - (iam_service_account_key.valid_after_time / milliseconds_in_a_day) <= 90\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n",
        "resourceTypes": [
          "gcp_compute_disk"
        ]
      }
    }
  },
  "message": "ddd",
  "tags": [],
  "complianceSignalOptions": {
    "userActivationStatus": false,
    "userGroupByFields": []
  }
}
```


```json
{
  "name": "Example-Security-Monitoring-Updated",
  "queries": [
    {
      "query": "@test:true",
      "aggregation": "count",
      "groupByFields": [],
      "distinctFields": [],
      "metrics": []
    }
  ],
  "filters": [],
  "cases": [
    {
      "name": "",
      "status": "info",
      "condition": "a > 0",
      "notifications": []
    }
  ],
  "options": {
    "evaluationWindow": 900,
    "keepAlive": 3600,
    "maxSignalDuration": 86400
  },
  "message": "Test rule",
  "tags": [],
  "isEnabled": true
}
```

{% /tab %}

### Response

{% tab title="200" %}
OK
{% tab title="Model" %}
Create a new rule.

| Parent field             | Field                           | Type     | Description                                                                                                                                                                                                                                                                                                                                                                                                      |
| ------------------------ | ------------------------------- | -------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|                          | Option 1                        | object   | Rule.                                                                                                                                                                                                                                                                                                                                                                                                            |
| Option 1                 | calculatedFields                | [object] | Calculated fields. Only allowed for scheduled rules - in other words, when schedulingOptions is also defined.                                                                                                                                                                                                                                                                                                    |
| calculatedFields         | expression [*required*]    | string   | Expression.                                                                                                                                                                                                                                                                                                                                                                                                      |
| calculatedFields         | name [*required*]          | string   | Field name.                                                                                                                                                                                                                                                                                                                                                                                                      |
| Option 1                 | cases                           | [object] | Cases for generating signals.                                                                                                                                                                                                                                                                                                                                                                                    |
| cases                    | actions                         | [object] | Action to perform for each rule case.                                                                                                                                                                                                                                                                                                                                                                            |
| actions                  | options                         | object   | Options for the rule action. |
| options                  | duration                        | int64    | Duration of the action in seconds. 0 indicates no expiration.                                                                                                                                                                                                                                                                                                                                                    |
| options                  | flaggedIPType                   | enum     | Used with the case action of type 'flag_ip'. The value specified in this field is applied as a flag to the IP addresses. Allowed enum values: `SUSPICIOUS,FLAGGED`                                                                                                                                                                                                                                               |
| options                  | userBehaviorName                | string   | Used with the case action of type 'user_behavior'. The value specified in this field is applied as a risk tag to all users affected by the rule.                                                                                                                                                                                                                                                                 |
| actions                  | type                            | enum     | The action type. Allowed enum values: `block_ip,block_user,user_behavior,flag_ip`                                                                                                                                                                                                                                                                                                                                |
| cases                    | condition                       | string   | A rule case contains logical operations (`>`,`>=`, `&&`, `||`) to determine if a signal should be generated based on the event counts in the previously defined queries.                                                                                                                                                                                                                                         |
| cases                    | customStatus                    | enum     | Severity of the Security Signal. Allowed enum values: `info,low,medium,high,critical`                                                                                                                                                                                                                                                                                                                            |
| cases                    | name                            | string   | Name of the case.                                                                                                                                                                                                                                                                                                                                                                                                |
| cases                    | notifications                   | [string] | Notification targets for each rule case.                                                                                                                                                                                                                                                                                                                                                                         |
| cases                    | status                          | enum     | Severity of the Security Signal. Allowed enum values: `info,low,medium,high,critical`                                                                                                                                                                                                                                                                                                                            |
| Option 1                 | complianceSignalOptions         | object   | How to generate compliance signals. Useful for cloud_configuration rules only.                                                                                                                                                                                                                                                                                                                                   |
| complianceSignalOptions  | defaultActivationStatus         | boolean  | The default activation status.                                                                                                                                                                                                                                                                                                                                                                                   |
| complianceSignalOptions  | defaultGroupByFields            | [string] | The default group by fields.                                                                                                                                                                                                                                                                                                                                                                                     |
| complianceSignalOptions  | userActivationStatus            | boolean  | Whether signals will be sent.                                                                                                                                                                                                                                                                                                                                                                                    |
| complianceSignalOptions  | userGroupByFields               | [string] | Fields to use to group findings by when sending signals.                                                                                                                                                                                                                                                                                                                                                         |
| Option 1                 | createdAt                       | int64    | When the rule was created, timestamp in milliseconds.                                                                                                                                                                                                                                                                                                                                                            |
| Option 1                 | creationAuthorId                | int64    | User ID of the user who created the rule.                                                                                                                                                                                                                                                                                                                                                                        |
| Option 1                 | customMessage                   | string   | Custom/Overridden message for generated signals (used in case of Default rule update).                                                                                                                                                                                                                                                                                                                           |
| Option 1                 | customName                      | string   | Custom/Overridden name of the rule (used in case of Default rule update).                                                                                                                                                                                                                                                                                                                                        |
| Option 1                 | defaultTags                     | [string] | Default Tags for default rules (included in tags)                                                                                                                                                                                                                                                                                                                                                                |
| Option 1                 | deprecationDate                 | int64    | When the rule will be deprecated, timestamp in milliseconds.                                                                                                                                                                                                                                                                                                                                                     |
| Option 1                 | filters                         | [object] | Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules.                                                                                                                                                                                                                                              |
| filters                  | action                          | enum     | The type of filtering action. Allowed enum values: `require,suppress`                                                                                                                                                                                                                                                                                                                                            |
| filters                  | query                           | string   | Query for selecting logs to apply the filtering action.                                                                                                                                                                                                                                                                                                                                                          |
| Option 1                 | groupSignalsBy                  | [string] | Additional grouping to perform on top of the existing groups in the query section. Must be a subset of the existing groups.                                                                                                                                                                                                                                                                                      |
| Option 1                 | hasExtendedTitle                | boolean  | Whether the notifications include the triggering group-by values in their title.                                                                                                                                                                                                                                                                                                                                 |
| Option 1                 | id                              | string   | The ID of the rule.                                                                                                                                                                                                                                                                                                                                                                                              |
| Option 1                 | isDefault                       | boolean  | Whether the rule is included by default.                                                                                                                                                                                                                                                                                                                                                                         |
| Option 1                 | isDeleted                       | boolean  | Whether the rule has been deleted.                                                                                                                                                                                                                                                                                                                                                                               |
| Option 1                 | isEnabled                       | boolean  | Whether the rule is enabled.                                                                                                                                                                                                                                                                                                                                                                                     |
| Option 1                 | message                         | string   | Message for generated signals.                                                                                                                                                                                                                                                                                                                                                                                   |
| Option 1                 | name                            | string   | The name of the rule.                                                                                                                                                                                                                                                                                                                                                                                            |
| Option 1                 | options                         | object   | Options.                                                                                                                                                                                                                                                                                                                                                                                                         |
| options                  | anomalyDetectionOptions         | object   | Options on anomaly detection method.                                                                                                                                                                                                                                                                                                                                                                             |
| anomalyDetectionOptions  | bucketDuration                  | enum     | Duration in seconds of the time buckets used to aggregate events matched by the rule. Must be greater than or equal to 300. Allowed enum values: `300,600,900,1800,3600,10800`                                                                                                                                                                                                                                   |
| anomalyDetectionOptions  | detectionTolerance              | enum     | An optional parameter that sets how permissive anomaly detection is. Higher values require higher deviations before triggering a signal. Allowed enum values: `1,2,3,4,5`                                                                                                                                                                                                                                        |
| anomalyDetectionOptions  | instantaneousBaseline           | boolean  | When set to true, Datadog uses previous values that fall within the defined learning window to construct the baseline, enabling the system to establish an accurate baseline more rapidly rather than relying solely on gradual learning over time.                                                                                                                                                              |
| anomalyDetectionOptions  | learningDuration                | enum     | Learning duration in hours. Anomaly detection waits for at least this amount of historical data before it starts evaluating. Allowed enum values: `1,6,12,24,48,168,336`                                                                                                                                                                                                                                         |
| anomalyDetectionOptions  | learningPeriodBaseline          | int64    | An optional override baseline to apply while the rule is in the learning period. Must be greater than or equal to 0.                                                                                                                                                                                                                                                                                             |
| options                  | complianceRuleOptions           | object   | Options for cloud_configuration rules. Fields `resourceType` and `regoRule` are mandatory when managing custom `cloud_configuration` rules.                                                                                                                                                                                                                                                                      |
| complianceRuleOptions    | complexRule                     | boolean  | Whether the rule is a complex one. Must be set to true if `regoRule.resourceTypes` contains more than one item. Defaults to false.                                                                                                                                                                                                                                                                               |
| complianceRuleOptions    | regoRule                        | object   | Rule details.                                                                                                                                                                                                                                                                                                                                                                                                    |
| regoRule                 | policy [*required*]        | string   | The policy written in `rego`, see: [https://www.openpolicyagent.org/docs/latest/policy-language/](https://www.openpolicyagent.org/docs/latest/policy-language/)                                                                                                                                                                                                                                                  |
| regoRule                 | resourceTypes [*required*] | [string] | List of resource types that will be evaluated upon. Must have at least one element.                                                                                                                                                                                                                                                                                                                              |
| complianceRuleOptions    | resourceType                    | string   | Main resource type to be checked by the rule. It should be specified again in `regoRule.resourceTypes`.                                                                                                                                                                                                                                                                                                          |
| options                  | decreaseCriticalityBasedOnEnv   | boolean  | If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise. The severity is decreased by one level: `CRITICAL` in production becomes `HIGH` in non-production, `HIGH` becomes `MEDIUM` and so on. `INFO` remains `INFO`. The decrement is applied when the environment tag of the signal starts with `staging`, `test` or `dev`. |
| options                  | detectionMethod                 | enum     | The detection method. Allowed enum values: `threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold,sequence_detection`                                                                                                                                                                                                                                                  |
| options                  | evaluationWindow                | enum     | A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600`                                                                                                                                               |
| options                  | hardcodedEvaluatorType          | enum     | Hardcoded evaluator type. Allowed enum values: `log4shell`                                                                                                                                                                                                                                                                                                                                                       |
| options                  | impossibleTravelOptions         | object   | Options on impossible travel detection method.                                                                                                                                                                                                                                                                                                                                                                   |
| impossibleTravelOptions  | baselineUserLocations           | boolean  | If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.                                                                                                                                                                                                    |
| options                  | keepAlive                       | enum     | Once a signal is generated, the signal will remain "open" if a case is matched at least once within this keep alive window. For third party detection method, this field is not used. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600`                                                                                                                                                         |
| options                  | maxSignalDuration               | enum     | A signal will "close" regardless of the query being matched once the time exceeds the maximum duration. This time is calculated from the first seen timestamp. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600`                                                                                                                                                                                |
| options                  | newValueOptions                 | object   | Options on new value detection method.                                                                                                                                                                                                                                                                                                                                                                           |
| newValueOptions          | forgetAfter                     | enum     | The duration in days after which a learned value is forgotten. Allowed enum values: `1,2,7,14,21,28`                                                                                                                                                                                                                                                                                                             |
| newValueOptions          | instantaneousBaseline           | boolean  | When set to true, Datadog uses previous values that fall within the defined learning window to construct the baseline, enabling the system to establish an accurate baseline more rapidly rather than relying solely on gradual learning over time.                                                                                                                                                              |
| newValueOptions          | learningDuration                | enum     | The duration in days during which values are learned, and after which signals will be generated for values that weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned. Allowed enum values: `0,1,7`                                                                                                                                                       |
| newValueOptions          | learningMethod                  | enum     | The learning method used to determine when signals should be generated for values that weren't learned. Allowed enum values: `duration,threshold`                                                                                                                                                                                                                                                                |
| newValueOptions          | learningThreshold               | enum     | A number of occurrences after which signals will be generated for values that weren't learned. Allowed enum values: `0,1`                                                                                                                                                                                                                                                                                        |
| options                  | sequenceDetectionOptions        | object   | Options on sequence detection method.                                                                                                                                                                                                                                                                                                                                                                            |
| sequenceDetectionOptions | stepTransitions                 | [object] | Transitions defining the allowed order of steps and their evaluation windows.                                                                                                                                                                                                                                                                                                                                    |
| stepTransitions          | child                           | string   | Name of the child step.                                                                                                                                                                                                                                                                                                                                                                                          |
| stepTransitions          | evaluationWindow                | enum     | A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600`                                                                                                                                               |
| stepTransitions          | parent                          | string   | Name of the parent step.                                                                                                                                                                                                                                                                                                                                                                                         |
| sequenceDetectionOptions | steps                           | [object] | Steps that define the conditions to be matched in sequence.                                                                                                                                                                                                                                                                                                                                                      |
| steps                    | condition                       | string   | Condition referencing rule queries (e.g., `a > 0`).                                                                                                                                                                                                                                                                                                                                                              |
| steps                    | evaluationWindow                | enum     | A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600`                                                                                                                                               |
| steps                    | name                            | string   | Unique name identifying the step.                                                                                                                                                                                                                                                                                                                                                                                |
| options                  | thirdPartyRuleOptions           | object   | Options on third party detection method.                                                                                                                                                                                                                                                                                                                                                                         |
| thirdPartyRuleOptions    | defaultNotifications            | [string] | Notification targets for the logs that do not correspond to any of the cases.                                                                                                                                                                                                                                                                                                                                    |
| thirdPartyRuleOptions    | defaultStatus                   | enum     | Severity of the Security Signal. Allowed enum values: `info,low,medium,high,critical`                                                                                                                                                                                                                                                                                                                            |
| thirdPartyRuleOptions    | rootQueries                     | [object] | Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.                                                                                                                                                                                                                                                      |
| rootQueries              | groupByFields                   | [string] | Fields to group by.                                                                                                                                                                                                                                                                                                                                                                                              |
| rootQueries              | query                           | string   | Query to run on logs.                                                                                                                                                                                                                                                                                                                                                                                            |
| thirdPartyRuleOptions    | signalTitleTemplate             | string   | A template for the signal title; if omitted, the title is generated based on the case name.                                                                                                                                                                                                                                                                                                                      |
| Option 1                 | queries                         | [object] | Queries for selecting logs which are part of the rule.                                                                                                                                                                                                                                                                                                                                                           |
| queries                  | aggregation                     | enum     | The aggregation type. Allowed enum values: `count,cardinality,sum,max,new_value,geo_data,event_count,none`                                                                                                                                                                                                                                                                                                       |
| queries                  | customQueryExtension            | string   | Query extension to append to the logs query.                                                                                                                                                                                                                                                                                                                                                                     |
| queries                  | dataSource                      | enum     | Source of events, either logs, audit trail, or Datadog events. `app_sec_spans` is deprecated in favor of `spans`. Allowed enum values: `logs,audit,app_sec_spans,spans,security_runtime,network,events`                                                                                                                                                                                                          |
| queries                  | distinctFields                  | [string] | Field for which the cardinality is measured. Sent as an array.                                                                                                                                                                                                                                                                                                                                                   |
| queries                  | groupByFields                   | [string] | Fields to group by.                                                                                                                                                                                                                                                                                                                                                                                              |
| queries                  | hasOptionalGroupByFields        | boolean  | When false, events without a group-by value are ignored by the rule. When true, events with missing group-by fields are processed with `N/A`, replacing the missing values.                                                                                                                                                                                                                                      |
| queries                  | index                           | string   | **This field is currently unstable and might be removed in a minor version upgrade.** The index to run the query on, if the `dataSource` is `logs`. Only used for scheduled rules - in other words, when the `schedulingOptions` field is present in the rule payload.                                                                                                                                           |
| queries                  | indexes                         | [string] | List of indexes to query when the `dataSource` is `logs`. Only used for scheduled rules, such as when the `schedulingOptions` field is present in the rule payload.                                                                                                                                                                                                                                              |
| queries                  | metric                          | string   | **DEPRECATED**: (Deprecated) The target field to aggregate over when using the sum or max aggregations. `metrics` field should be used instead.                                                                                                                                                                                                                                                                  |
| queries                  | metrics                         | [string] | Group of target fields to aggregate over when using the sum, max, geo data, or new value aggregations. The sum, max, and geo data aggregations only accept one value in this list, whereas the new value aggregation accepts up to five values.                                                                                                                                                                  |
| queries                  | name                            | string   | Name of the query.                                                                                                                                                                                                                                                                                                                                                                                               |
| queries                  | query                           | string   | Query to run on logs.                                                                                                                                                                                                                                                                                                                                                                                            |
| Option 1                 | referenceTables                 | [object] | Reference tables for the rule.                                                                                                                                                                                                                                                                                                                                                                                   |
| referenceTables          | checkPresence                   | boolean  | Whether to include or exclude the matched values.                                                                                                                                                                                                                                                                                                                                                                |
| referenceTables          | columnName                      | string   | The name of the column in the reference table.                                                                                                                                                                                                                                                                                                                                                                   |
| referenceTables          | logFieldPath                    | string   | The field in the log to match against the reference table.                                                                                                                                                                                                                                                                                                                                                       |
| referenceTables          | ruleQueryName                   | string   | The name of the query to apply the reference table to.                                                                                                                                                                                                                                                                                                                                                           |
| referenceTables          | tableName                       | string   | The name of the reference table.                                                                                                                                                                                                                                                                                                                                                                                 |
| Option 1                 | schedulingOptions               | object   | Options for scheduled rules. When this field is present, the rule runs based on the schedule. When absent, it runs real-time on ingested logs.                                                                                                                                                                                                                                                                   |
| schedulingOptions        | rrule                           | string   | Schedule for the rule queries, written in RRULE syntax. See [RFC](https://icalendar.org/iCalendar-RFC-5545/3-8-5-3-recurrence-rule.html) for syntax reference.                                                                                                                                                                                                                                                   |
| schedulingOptions        | start                           | string   | Start date for the schedule, in ISO 8601 format without timezone.                                                                                                                                                                                                                                                                                                                                                |
| schedulingOptions        | timezone                        | string   | Time zone of the start date, in the [tz database](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones) format.                                                                                                                                                                                                                                                                                          |
| Option 1                 | tags                            | [string] | Tags for generated signals.                                                                                                                                                                                                                                                                                                                                                                                      |
| Option 1                 | thirdPartyCases                 | [object] | Cases for generating signals from third-party rules. Only available for third-party rules.                                                                                                                                                                                                                                                                                                                       |
| thirdPartyCases          | customStatus                    | enum     | Severity of the Security Signal. Allowed enum values: `info,low,medium,high,critical`                                                                                                                                                                                                                                                                                                                            |
| thirdPartyCases          | name                            | string   | Name of the case.                                                                                                                                                                                                                                                                                                                                                                                                |
| thirdPartyCases          | notifications                   | [string] | Notification targets for each rule case.                                                                                                                                                                                                                                                                                                                                                                         |
| thirdPartyCases          | query                           | string   | A query to map a third party event to this case.                                                                                                                                                                                                                                                                                                                                                                 |
| thirdPartyCases          | status                          | enum     | Severity of the Security Signal. Allowed enum values: `info,low,medium,high,critical`                                                                                                                                                                                                                                                                                                                            |
| Option 1                 | type                            | enum     | The rule type. Allowed enum values: `log_detection,infrastructure_configuration,workload_security,cloud_configuration,application_security,api_security,workload_activity`                                                                                                                                                                                                                                       |
| Option 1                 | updateAuthorId                  | int64    | User ID of the user who updated the rule.                                                                                                                                                                                                                                                                                                                                                                        |
| Option 1                 | updatedAt                       | int64    | The date the rule was last updated, in milliseconds.                                                                                                                                                                                                                                                                                                                                                             |
| Option 1                 | version                         | int64    | The version of the rule.                                                                                                                                                                                                                                                                                                                                                                                         |
|                          | Option 2                        | object   | Rule.                                                                                                                                                                                                                                                                                                                                                                                                            |
| Option 2                 | cases                           | [object] | Cases for generating signals.                                                                                                                                                                                                                                                                                                                                                                                    |
| cases                    | actions                         | [object] | Action to perform for each rule case.                                                                                                                                                                                                                                                                                                                                                                            |
| actions                  | options                         | object   | Options for the rule action                                                                                                                                                                                                                                                                                                                                                                                      |
| options                  | duration                        | int64    | Duration of the action in seconds. 0 indicates no expiration.                                                                                                                                                                                                                                                                                                                                                    |
| options                  | flaggedIPType                   | enum     | Used with the case action of type 'flag_ip'. The value specified in this field is applied as a flag to the IP addresses. Allowed enum values: `SUSPICIOUS,FLAGGED`                                                                                                                                                                                                                                               |
| options                  | userBehaviorName                | string   | Used with the case action of type 'user_behavior'. The value specified in this field is applied as a risk tag to all users affected by the rule.                                                                                                                                                                                                                                                                 |
| actions                  | type                            | enum     | The action type. Allowed enum values: `block_ip,block_user,user_behavior,flag_ip`                                                                                                                                                                                                                                                                                                                                |
| cases                    | condition                       | string   | A rule case contains logical operations (`>`,`>=`, `&&`, `||`) to determine if a signal should be generated based on the event counts in the previously defined queries.                                                                                                                                                                                                                                         |
| cases                    | customStatus                    | enum     | Severity of the Security Signal. Allowed enum values: `info,low,medium,high,critical`                                                                                                                                                                                                                                                                                                                            |
| cases                    | name                            | string   | Name of the case.                                                                                                                                                                                                                                                                                                                                                                                                |
| cases                    | notifications                   | [string] | Notification targets for each rule case.                                                                                                                                                                                                                                                                                                                                                                         |
| cases                    | status                          | enum     | Severity of the Security Signal. Allowed enum values: `info,low,medium,high,critical`                                                                                                                                                                                                                                                                                                                            |
| Option 2                 | createdAt                       | int64    | When the rule was created, timestamp in milliseconds.                                                                                                                                                                                                                                                                                                                                                            |
| Option 2                 | creationAuthorId                | int64    | User ID of the user who created the rule.                                                                                                                                                                                                                                                                                                                                                                        |
| Option 2                 | customMessage                   | string   | Custom/Overridden message for generated signals (used in case of Default rule update).                                                                                                                                                                                                                                                                                                                           |
| Option 2                 | customName                      | string   | Custom/Overridden name of the rule (used in case of Default rule update).                                                                                                                                                                                                                                                                                                                                        |
| Option 2                 | deprecationDate                 | int64    | When the rule will be deprecated, timestamp in milliseconds.                                                                                                                                                                                                                                                                                                                                                     |
| Option 2                 | filters                         | [object] | Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules.                                                                                                                                                                                                                                              |
| filters                  | action                          | enum     | The type of filtering action. Allowed enum values: `require,suppress`                                                                                                                                                                                                                                                                                                                                            |
| filters                  | query                           | string   | Query for selecting logs to apply the filtering action.                                                                                                                                                                                                                                                                                                                                                          |
| Option 2                 | hasExtendedTitle                | boolean  | Whether the notifications include the triggering group-by values in their title.                                                                                                                                                                                                                                                                                                                                 |
| Option 2                 | id                              | string   | The ID of the rule.                                                                                                                                                                                                                                                                                                                                                                                              |
| Option 2                 | isDefault                       | boolean  | Whether the rule is included by default.                                                                                                                                                                                                                                                                                                                                                                         |
| Option 2                 | isDeleted                       | boolean  | Whether the rule has been deleted.                                                                                                                                                                                                                                                                                                                                                                               |
| Option 2                 | isEnabled                       | boolean  | Whether the rule is enabled.                                                                                                                                                                                                                                                                                                                                                                                     |
| Option 2                 | message                         | string   | Message for generated signals.                                                                                                                                                                                                                                                                                                                                                                                   |
| Option 2                 | name                            | string   | The name of the rule.                                                                                                                                                                                                                                                                                                                                                                                            |
| Option 2                 | options                         | object   | Options.                                                                                                                                                                                                                                                                                                                                                                                                         |
| options                  | anomalyDetectionOptions         | object   | Options on anomaly detection method.                                                                                                                                                                                                                                                                                                                                                                             |
| anomalyDetectionOptions  | bucketDuration                  | enum     | Duration in seconds of the time buckets used to aggregate events matched by the rule. Must be greater than or equal to 300. Allowed enum values: `300,600,900,1800,3600,10800`                                                                                                                                                                                                                                   |
| anomalyDetectionOptions  | detectionTolerance              | enum     | An optional parameter that sets how permissive anomaly detection is. Higher values require higher deviations before triggering a signal. Allowed enum values: `1,2,3,4,5`                                                                                                                                                                                                                                        |
| anomalyDetectionOptions  | instantaneousBaseline           | boolean  | When set to true, Datadog uses previous values that fall within the defined learning window to construct the baseline, enabling the system to establish an accurate baseline more rapidly rather than relying solely on gradual learning over time.                                                                                                                                                              |
| anomalyDetectionOptions  | learningDuration                | enum     | Learning duration in hours. Anomaly detection waits for at least this amount of historical data before it starts evaluating. Allowed enum values: `1,6,12,24,48,168,336`                                                                                                                                                                                                                                         |
| anomalyDetectionOptions  | learningPeriodBaseline          | int64    | An optional override baseline to apply while the rule is in the learning period. Must be greater than or equal to 0.                                                                                                                                                                                                                                                                                             |
| options                  | complianceRuleOptions           | object   | Options for cloud_configuration rules. Fields `resourceType` and `regoRule` are mandatory when managing custom `cloud_configuration` rules.                                                                                                                                                                                                                                                                      |
| complianceRuleOptions    | complexRule                     | boolean  | Whether the rule is a complex one. Must be set to true if `regoRule.resourceTypes` contains more than one item. Defaults to false.                                                                                                                                                                                                                                                                               |
| complianceRuleOptions    | regoRule                        | object   | Rule details.                                                                                                                                                                                                                                                                                                                                                                                                    |
| regoRule                 | policy [*required*]        | string   | The policy written in `rego`, see: [https://www.openpolicyagent.org/docs/latest/policy-language/](https://www.openpolicyagent.org/docs/latest/policy-language/)                                                                                                                                                                                                                                                  |
| regoRule                 | resourceTypes [*required*] | [string] | List of resource types that will be evaluated upon. Must have at least one element.                                                                                                                                                                                                                                                                                                                              |
| complianceRuleOptions    | resourceType                    | string   | Main resource type to be checked by the rule. It should be specified again in `regoRule.resourceTypes`.                                                                                                                                                                                                                                                                                                          |
| options                  | decreaseCriticalityBasedOnEnv   | boolean  | If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise. The severity is decreased by one level: `CRITICAL` in production becomes `HIGH` in non-production, `HIGH` becomes `MEDIUM` and so on. `INFO` remains `INFO`. The decrement is applied when the environment tag of the signal starts with `staging`, `test` or `dev`. |
| options                  | detectionMethod                 | enum     | The detection method. Allowed enum values: `threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold,sequence_detection`                                                                                                                                                                                                                                                  |
| options                  | evaluationWindow                | enum     | A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600`                                                                                                                                               |
| options                  | hardcodedEvaluatorType          | enum     | Hardcoded evaluator type. Allowed enum values: `log4shell`                                                                                                                                                                                                                                                                                                                                                       |
| options                  | impossibleTravelOptions         | object   | Options on impossible travel detection method.                                                                                                                                                                                                                                                                                                                                                                   |
| impossibleTravelOptions  | baselineUserLocations           | boolean  | If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.                                                                                                                                                                                                    |
| options                  | keepAlive                       | enum     | Once a signal is generated, the signal will remain "open" if a case is matched at least once within this keep alive window. For third party detection method, this field is not used. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600`                                                                                                                                                         |
| options                  | maxSignalDuration               | enum     | A signal will "close" regardless of the query being matched once the time exceeds the maximum duration. This time is calculated from the first seen timestamp. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600`                                                                                                                                                                                |
| options                  | newValueOptions                 | object   | Options on new value detection method.                                                                                                                                                                                                                                                                                                                                                                           |
| newValueOptions          | forgetAfter                     | enum     | The duration in days after which a learned value is forgotten. Allowed enum values: `1,2,7,14,21,28`                                                                                                                                                                                                                                                                                                             |
| newValueOptions          | instantaneousBaseline           | boolean  | When set to true, Datadog uses previous values that fall within the defined learning window to construct the baseline, enabling the system to establish an accurate baseline more rapidly rather than relying solely on gradual learning over time.                                                                                                                                                              |
| newValueOptions          | learningDuration                | enum     | The duration in days during which values are learned, and after which signals will be generated for values that weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned. Allowed enum values: `0,1,7`                                                                                                                                                       |
| newValueOptions          | learningMethod                  | enum     | The learning method used to determine when signals should be generated for values that weren't learned. Allowed enum values: `duration,threshold`                                                                                                                                                                                                                                                                |
| newValueOptions          | learningThreshold               | enum     | A number of occurrences after which signals will be generated for values that weren't learned. Allowed enum values: `0,1`                                                                                                                                                                                                                                                                                        |
| options                  | sequenceDetectionOptions        | object   | Options on sequence detection method.                                                                                                                                                                                                                                                                                                                                                                            |
| sequenceDetectionOptions | stepTransitions                 | [object] | Transitions defining the allowed order of steps and their evaluation windows.                                                                                                                                                                                                                                                                                                                                    |
| stepTransitions          | child                           | string   | Name of the child step.                                                                                                                                                                                                                                                                                                                                                                                          |
| stepTransitions          | evaluationWindow                | enum     | A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600`                                                                                                                                               |
| stepTransitions          | parent                          | string   | Name of the parent step.                                                                                                                                                                                                                                                                                                                                                                                         |
| sequenceDetectionOptions | steps                           | [object] | Steps that define the conditions to be matched in sequence.                                                                                                                                                                                                                                                                                                                                                      |
| steps                    | condition                       | string   | Condition referencing rule queries (e.g., `a > 0`).                                                                                                                                                                                                                                                                                                                                                              |
| steps                    | evaluationWindow                | enum     | A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600`                                                                                                                                               |
| steps                    | name                            | string   | Unique name identifying the step.                                                                                                                                                                                                                                                                                                                                                                                |
| options                  | thirdPartyRuleOptions           | object   | Options on third party detection method.                                                                                                                                                                                                                                                                                                                                                                         |
| thirdPartyRuleOptions    | defaultNotifications            | [string] | Notification targets for the logs that do not correspond to any of the cases.                                                                                                                                                                                                                                                                                                                                    |
| thirdPartyRuleOptions    | defaultStatus                   | enum     | Severity of the Security Signal. Allowed enum values: `info,low,medium,high,critical`                                                                                                                                                                                                                                                                                                                            |
| thirdPartyRuleOptions    | rootQueries                     | [object] | Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.                                                                                                                                                                                                                                                      |
| rootQueries              | groupByFields                   | [string] | Fields to group by.                                                                                                                                                                                                                                                                                                                                                                                              |
| rootQueries              | query                           | string   | Query to run on logs.                                                                                                                                                                                                                                                                                                                                                                                            |
| thirdPartyRuleOptions    | signalTitleTemplate             | string   | A template for the signal title; if omitted, the title is generated based on the case name.                                                                                                                                                                                                                                                                                                                      |
| Option 2                 | queries                         | [object] | Queries for selecting logs which are part of the rule.                                                                                                                                                                                                                                                                                                                                                           |
| queries                  | aggregation                     | enum     | The aggregation type. Allowed enum values: `count,cardinality,sum,max,new_value,geo_data,event_count,none`                                                                                                                                                                                                                                                                                                       |
| queries                  | correlatedByFields              | [string] | Fields to correlate by.                                                                                                                                                                                                                                                                                                                                                                                          |
| queries                  | correlatedQueryIndex            | int32    | Index of the rule query used to retrieve the correlated field.                                                                                                                                                                                                                                                                                                                                                   |
| queries                  | defaultRuleId                   | string   | Default Rule ID to match on signals.                                                                                                                                                                                                                                                                                                                                                                             |
| queries                  | distinctFields                  | [string] | Field for which the cardinality is measured. Sent as an array.                                                                                                                                                                                                                                                                                                                                                   |
| queries                  | groupByFields                   | [string] | Fields to group by.                                                                                                                                                                                                                                                                                                                                                                                              |
| queries                  | metrics                         | [string] | Group of target fields to aggregate over.                                                                                                                                                                                                                                                                                                                                                                        |
| queries                  | name                            | string   | Name of the query.                                                                                                                                                                                                                                                                                                                                                                                               |
| queries                  | ruleId                          | string   | Rule ID to match on signals.                                                                                                                                                                                                                                                                                                                                                                                     |
| Option 2                 | tags                            | [string] | Tags for generated signals.                                                                                                                                                                                                                                                                                                                                                                                      |
| Option 2                 | type                            | enum     | The rule type. Allowed enum values: `signal_correlation`                                                                                                                                                                                                                                                                                                                                                         |
| Option 2                 | updateAuthorId                  | int64    | User ID of the user who updated the rule.                                                                                                                                                                                                                                                                                                                                                                        |
| Option 2                 | version                         | int64    | The version of the rule.                                                                                                                                                                                                                                                                                                                                                                                         |

{% /tab %}

{% tab title="Example" %}

```json
{
  "calculatedFields": [
    {
      "expression": "@request_end_timestamp - @request_start_timestamp",
      "name": "response_time"
    }
  ],
  "cases": [
    {
      "actions": [
        {
          "options": {
            "duration": 0,
            "flaggedIPType": "FLAGGED",
            "userBehaviorName": "string"
          },
          "type": "string"
        }
      ],
      "condition": "string",
      "customStatus": "critical",
      "name": "string",
      "notifications": [],
      "status": "critical"
    }
  ],
  "complianceSignalOptions": {
    "defaultActivationStatus": false,
    "defaultGroupByFields": [],
    "userActivationStatus": false,
    "userGroupByFields": []
  },
  "createdAt": "integer",
  "creationAuthorId": "integer",
  "customMessage": "string",
  "customName": "string",
  "defaultTags": [
    "security:attacks"
  ],
  "deprecationDate": "integer",
  "filters": [
    {
      "action": "string",
      "query": "string"
    }
  ],
  "groupSignalsBy": [
    "service"
  ],
  "hasExtendedTitle": false,
  "id": "string",
  "isDefault": false,
  "isDeleted": false,
  "isEnabled": false,
  "message": "string",
  "name": "string",
  "options": {
    "anomalyDetectionOptions": {
      "bucketDuration": 300,
      "detectionTolerance": 5,
      "instantaneousBaseline": false,
      "learningDuration": "integer",
      "learningPeriodBaseline": "integer"
    },
    "complianceRuleOptions": {
      "complexRule": false,
      "regoRule": {
        "policy": "package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(resource) = \"skip\" if {\n  # Logic that evaluates to true if the resource should be skipped\n  true\n} else = \"pass\" {\n  # Logic that evaluates to true if the resource is compliant\n  true\n} else = \"fail\" {\n  # Logic that evaluates to true if the resource is not compliant\n  true\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n  some resource in input.resources[input.main_resource_type]\n  result := dd_output.format(resource, eval(resource))\n}",
        "resourceTypes": [
          "gcp_iam_service_account",
          "gcp_iam_policy"
        ]
      },
      "resourceType": "aws_acm"
    },
    "decreaseCriticalityBasedOnEnv": false,
    "detectionMethod": "string",
    "evaluationWindow": "integer",
    "hardcodedEvaluatorType": "string",
    "impossibleTravelOptions": {
      "baselineUserLocations": true
    },
    "keepAlive": "integer",
    "maxSignalDuration": "integer",
    "newValueOptions": {
      "forgetAfter": "integer",
      "instantaneousBaseline": false,
      "learningDuration": "integer",
      "learningMethod": "string",
      "learningThreshold": "integer"
    },
    "sequenceDetectionOptions": {
      "stepTransitions": [
        {
          "child": "string",
          "evaluationWindow": "integer",
          "parent": "string"
        }
      ],
      "steps": [
        {
          "condition": "string",
          "evaluationWindow": "integer",
          "name": "string"
        }
      ]
    },
    "thirdPartyRuleOptions": {
      "defaultNotifications": [],
      "defaultStatus": "critical",
      "rootQueries": [
        {
          "groupByFields": [],
          "query": "source:cloudtrail"
        }
      ],
      "signalTitleTemplate": "string"
    }
  },
  "queries": [
    {
      "aggregation": "string",
      "customQueryExtension": "a > 3",
      "dataSource": "logs",
      "distinctFields": [],
      "groupByFields": [],
      "hasOptionalGroupByFields": false,
      "index": "string",
      "indexes": [],
      "metric": "string",
      "metrics": [],
      "name": "string",
      "query": "a > 3"
    }
  ],
  "referenceTables": [
    {
      "checkPresence": false,
      "columnName": "string",
      "logFieldPath": "string",
      "ruleQueryName": "string",
      "tableName": "string"
    }
  ],
  "schedulingOptions": {
    "rrule": "FREQ=HOURLY;INTERVAL=1;",
    "start": "2025-07-14T12:00:00",
    "timezone": "America/New_York"
  },
  "tags": [],
  "thirdPartyCases": [
    {
      "customStatus": "critical",
      "name": "string",
      "notifications": [],
      "query": "string",
      "status": "critical"
    }
  ],
  "type": "string",
  "updateAuthorId": "integer",
  "updatedAt": "integer",
  "version": "integer"
}
```

{% /tab %}

{% /tab %}

{% tab title="400" %}
Bad Request
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="401" %}
Concurrent Modification
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="403" %}
Not Authorized
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="404" %}
Not Found
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="429" %}
Too many requests
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

### Code Example

##### 

```bash
# Path parameters
export rule_id="CHANGE_ME"
# Curl command (api.datadoghq.com shown; use the API host for your Datadog site:
# api.ap1.datadoghq.com, api.ap2.datadoghq.com, api.datadoghq.eu, api.ddog-gov.com,
# api.us3.datadoghq.com, or api.us5.datadoghq.com)
curl -X PUT "https://api.datadoghq.com/api/v2/security_monitoring/rules/${rule_id}" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "name": "Example-Security-Monitoring_cloud_updated",
  "isEnabled": false,
  "cases": [
    {
      "status": "info",
      "notifications": []
    }
  ],
  "options": {
    "complianceRuleOptions": {
      "resourceType": "gcp_compute_disk",
      "regoRule": {
        "policy": "package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nmilliseconds_in_a_day := ((1000 * 60) * 60) * 24\n\neval(iam_service_account_key) = \"skip\" if {\n\tiam_service_account_key.disabled\n} else = \"pass\" if {\n\t(iam_service_account_key.resource_seen_at / milliseconds_in_a_day) - (iam_service_account_key.valid_after_time / milliseconds_in_a_day) <= 90\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n",
        "resourceTypes": [
          "gcp_compute_disk"
        ]
      }
    }
  },
  "message": "ddd",
  "tags": [],
  "complianceSignalOptions": {
    "userActivationStatus": false,
    "userGroupByFields": []
  }
}
EOF
```

##### 

```bash
# Path parameters
export rule_id="CHANGE_ME"
# Curl command (api.datadoghq.com shown; use the API host for your Datadog site:
# api.ap1.datadoghq.com, api.ap2.datadoghq.com, api.datadoghq.eu, api.ddog-gov.com,
# api.us3.datadoghq.com, or api.us5.datadoghq.com)
curl -X PUT "https://api.datadoghq.com/api/v2/security_monitoring/rules/${rule_id}" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "name": "Example-Security-Monitoring-Updated",
  "queries": [
    {
      "query": "@test:true",
      "aggregation": "count",
      "groupByFields": [],
      "distinctFields": [],
      "metrics": []
    }
  ],
  "filters": [],
  "cases": [
    {
      "name": "",
      "status": "info",
      "condition": "a > 0",
      "notifications": []
    }
  ],
  "options": {
    "evaluationWindow": 900,
    "keepAlive": 3600,
    "maxSignalDuration": 86400
  },
  "message": "Test rule",
  "tags": [],
  "isEnabled": true
}
EOF
```

##### 

```go
// Update a cloud configuration rule's details returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	// there is a valid "cloud_configuration_rule" in the system
	CloudConfigurationRuleID := os.Getenv("CLOUD_CONFIGURATION_RULE_ID")

	body := datadogV2.SecurityMonitoringRuleUpdatePayload{
		Name:      datadog.PtrString("Example-Security-Monitoring_cloud_updated"),
		IsEnabled: datadog.PtrBool(false),
		Cases: []datadogV2.SecurityMonitoringRuleCase{
			{
				Status:        datadogV2.SECURITYMONITORINGRULESEVERITY_INFO.Ptr(),
				Notifications: []string{},
			},
		},
		Options: &datadogV2.SecurityMonitoringRuleOptions{
			ComplianceRuleOptions: &datadogV2.CloudConfigurationComplianceRuleOptions{
				ResourceType: datadog.PtrString("gcp_compute_disk"),
				RegoRule: &datadogV2.CloudConfigurationRegoRule{
					Policy: `package datadog

import data.datadog.output as dd_output

import future.keywords.contains
import future.keywords.if
import future.keywords.in

milliseconds_in_a_day := ((1000 * 60) * 60) * 24

eval(iam_service_account_key) = "skip" if {
	iam_service_account_key.disabled
} else = "pass" if {
	(iam_service_account_key.resource_seen_at / milliseconds_in_a_day) - (iam_service_account_key.valid_after_time / milliseconds_in_a_day) <= 90
} else = "fail"

# This part remains unchanged for all rules
results contains result if {
	some resource in input.resources[input.main_resource_type]
	result := dd_output.format(resource, eval(resource))
}
`,
					ResourceTypes: []string{
						"gcp_compute_disk",
					},
				},
			},
		},
		Message: datadog.PtrString("ddd"),
		Tags:    []string{},
		ComplianceSignalOptions: &datadogV2.CloudConfigurationRuleComplianceSignalOptions{
			UserActivationStatus: *datadog.NewNullableBool(datadog.PtrBool(false)),
			UserGroupByFields:    *datadog.NewNullableList(&[]string{}),
		},
	}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.UpdateSecurityMonitoringRule(ctx, CloudConfigurationRuleID, body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.UpdateSecurityMonitoringRule`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.UpdateSecurityMonitoringRule`:\n%s\n", responseContent)
}
```

##### 

```go
// Update an existing rule returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	// there is a valid "security_rule" in the system
	SecurityRuleID := os.Getenv("SECURITY_RULE_ID")

	body := datadogV2.SecurityMonitoringRuleUpdatePayload{
		Name: datadog.PtrString("Example-Security-Monitoring-Updated"),
		Queries: []datadogV2.SecurityMonitoringRuleQuery{
			datadogV2.SecurityMonitoringRuleQuery{
				SecurityMonitoringStandardRuleQuery: &datadogV2.SecurityMonitoringStandardRuleQuery{
					Query:          datadog.PtrString("@test:true"),
					Aggregation:    datadogV2.SECURITYMONITORINGRULEQUERYAGGREGATION_COUNT.Ptr(),
					GroupByFields:  []string{},
					DistinctFields: []string{},
					Metrics:        []string{},
				}},
		},
		Filters: []datadogV2.SecurityMonitoringFilter{},
		Cases: []datadogV2.SecurityMonitoringRuleCase{
			{
				Name:          datadog.PtrString(""),
				Status:        datadogV2.SECURITYMONITORINGRULESEVERITY_INFO.Ptr(),
				Condition:     datadog.PtrString("a > 0"),
				Notifications: []string{},
			},
		},
		Options: &datadogV2.SecurityMonitoringRuleOptions{
			EvaluationWindow:  datadogV2.SECURITYMONITORINGRULEEVALUATIONWINDOW_FIFTEEN_MINUTES.Ptr(),
			KeepAlive:         datadogV2.SECURITYMONITORINGRULEKEEPALIVE_ONE_HOUR.Ptr(),
			MaxSignalDuration: datadogV2.SECURITYMONITORINGRULEMAXSIGNALDURATION_ONE_DAY.Ptr(),
		},
		Message:   datadog.PtrString("Test rule"),
		Tags:      []string{},
		IsEnabled: datadog.PtrBool(true),
	}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.UpdateSecurityMonitoringRule(ctx, SecurityRuleID, body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.UpdateSecurityMonitoringRule`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.UpdateSecurityMonitoringRule`:\n%s\n", responseContent)
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=go), then save the example to `main.go` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"

##### 

```java
// Update a cloud configuration rule's details returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.CloudConfigurationComplianceRuleOptions;
import com.datadog.api.client.v2.model.CloudConfigurationRegoRule;
import com.datadog.api.client.v2.model.CloudConfigurationRuleComplianceSignalOptions;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleCase;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleOptions;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleResponse;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleSeverity;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleUpdatePayload;
import java.util.Collections;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    // there is a valid "cloud_configuration_rule" in the system
    String CLOUD_CONFIGURATION_RULE_ID = System.getenv("CLOUD_CONFIGURATION_RULE_ID");

    SecurityMonitoringRuleUpdatePayload body =
        new SecurityMonitoringRuleUpdatePayload()
            .name("Example-Security-Monitoring_cloud_updated")
            .isEnabled(false)
            .cases(
                Collections.singletonList(
                    new SecurityMonitoringRuleCase().status(SecurityMonitoringRuleSeverity.INFO)))
            .options(
                new SecurityMonitoringRuleOptions()
                    .complianceRuleOptions(
                        new CloudConfigurationComplianceRuleOptions()
                            .resourceType("gcp_compute_disk")
                            .regoRule(
                                new CloudConfigurationRegoRule()
                                    .policy(
                                        """
package datadog

import data.datadog.output as dd_output

import future.keywords.contains
import future.keywords.if
import future.keywords.in

milliseconds_in_a_day := ((1000 * 60) * 60) * 24

eval(iam_service_account_key) = "skip" if {
	iam_service_account_key.disabled
} else = "pass" if {
	(iam_service_account_key.resource_seen_at / milliseconds_in_a_day) - (iam_service_account_key.valid_after_time / milliseconds_in_a_day) <= 90
} else = "fail"

# This part remains unchanged for all rules
results contains result if {
	some resource in input.resources[input.main_resource_type]
	result := dd_output.format(resource, eval(resource))
}

""")
                                    .resourceTypes(Collections.singletonList("gcp_compute_disk")))))
            .message("ddd")
            .complianceSignalOptions(
                new CloudConfigurationRuleComplianceSignalOptions().userActivationStatus(false));

    try {
      SecurityMonitoringRuleResponse result =
          apiInstance.updateSecurityMonitoringRule(CLOUD_CONFIGURATION_RULE_ID, body);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#updateSecurityMonitoringRule");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}
```

##### 

```java
// Update an existing rule returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleCase;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleEvaluationWindow;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleKeepAlive;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleMaxSignalDuration;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleOptions;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleQuery;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleQueryAggregation;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleResponse;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleSeverity;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleUpdatePayload;
import com.datadog.api.client.v2.model.SecurityMonitoringStandardRuleQuery;
import java.util.Collections;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    // there is a valid "security_rule" in the system
    String SECURITY_RULE_ID = System.getenv("SECURITY_RULE_ID");

    SecurityMonitoringRuleUpdatePayload body =
        new SecurityMonitoringRuleUpdatePayload()
            .name("Example-Security-Monitoring-Updated")
            .queries(
                Collections.singletonList(
                    new SecurityMonitoringRuleQuery(
                        new SecurityMonitoringStandardRuleQuery()
                            .query("@test:true")
                            .aggregation(SecurityMonitoringRuleQueryAggregation.COUNT))))
            .cases(
                Collections.singletonList(
                    new SecurityMonitoringRuleCase()
                        .name("")
                        .status(SecurityMonitoringRuleSeverity.INFO)
                        .condition("a > 0")))
            .options(
                new SecurityMonitoringRuleOptions()
                    .evaluationWindow(SecurityMonitoringRuleEvaluationWindow.FIFTEEN_MINUTES)
                    .keepAlive(SecurityMonitoringRuleKeepAlive.ONE_HOUR)
                    .maxSignalDuration(SecurityMonitoringRuleMaxSignalDuration.ONE_DAY))
            .message("Test rule")
            .isEnabled(true);

    try {
      SecurityMonitoringRuleResponse result =
          apiInstance.updateSecurityMonitoringRule(SECURITY_RULE_ID, body);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#updateSecurityMonitoringRule");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=java), then save the example to `Example.java` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"

##### 

```python
"""
Update a cloud configuration rule's details returns "OK" response
"""

from os import environ
from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.cloud_configuration_compliance_rule_options import (
    CloudConfigurationComplianceRuleOptions,
)
from datadog_api_client.v2.model.cloud_configuration_rego_rule import CloudConfigurationRegoRule
from datadog_api_client.v2.model.cloud_configuration_rule_compliance_signal_options import (
    CloudConfigurationRuleComplianceSignalOptions,
)
from datadog_api_client.v2.model.security_monitoring_rule_case import SecurityMonitoringRuleCase
from datadog_api_client.v2.model.security_monitoring_rule_options import SecurityMonitoringRuleOptions
from datadog_api_client.v2.model.security_monitoring_rule_severity import SecurityMonitoringRuleSeverity
from datadog_api_client.v2.model.security_monitoring_rule_update_payload import SecurityMonitoringRuleUpdatePayload

# there is a valid "cloud_configuration_rule" in the system
CLOUD_CONFIGURATION_RULE_ID = environ["CLOUD_CONFIGURATION_RULE_ID"]

body = SecurityMonitoringRuleUpdatePayload(
    name="Example-Security-Monitoring_cloud_updated",
    is_enabled=False,
    cases=[
        SecurityMonitoringRuleCase(
            status=SecurityMonitoringRuleSeverity.INFO,
            notifications=[],
        ),
    ],
    options=SecurityMonitoringRuleOptions(
        compliance_rule_options=CloudConfigurationComplianceRuleOptions(
            resource_type="gcp_compute_disk",
            rego_rule=CloudConfigurationRegoRule(
                policy='package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nmilliseconds_in_a_day := ((1000 * 60) * 60) * 24\n\neval(iam_service_account_key) = "skip" if {\n\tiam_service_account_key.disabled\n} else = "pass" if {\n\t(iam_service_account_key.resource_seen_at / milliseconds_in_a_day) - (iam_service_account_key.valid_after_time / milliseconds_in_a_day) <= 90\n} else = "fail"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n',
                resource_types=[
                    "gcp_compute_disk",
                ],
            ),
        ),
    ),
    message="ddd",
    tags=[],
    compliance_signal_options=CloudConfigurationRuleComplianceSignalOptions(
        user_activation_status=False,
        user_group_by_fields=[],
    ),
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.update_security_monitoring_rule(rule_id=CLOUD_CONFIGURATION_RULE_ID, body=body)

    print(response)
```

##### 

```python
"""
Update an existing rule returns "OK" response
"""

from os import environ
from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.security_monitoring_rule_case import SecurityMonitoringRuleCase
from datadog_api_client.v2.model.security_monitoring_rule_evaluation_window import (
    SecurityMonitoringRuleEvaluationWindow,
)
from datadog_api_client.v2.model.security_monitoring_rule_keep_alive import SecurityMonitoringRuleKeepAlive
from datadog_api_client.v2.model.security_monitoring_rule_max_signal_duration import (
    SecurityMonitoringRuleMaxSignalDuration,
)
from datadog_api_client.v2.model.security_monitoring_rule_options import SecurityMonitoringRuleOptions
from datadog_api_client.v2.model.security_monitoring_rule_query_aggregation import (
    SecurityMonitoringRuleQueryAggregation,
)
from datadog_api_client.v2.model.security_monitoring_rule_severity import SecurityMonitoringRuleSeverity
from datadog_api_client.v2.model.security_monitoring_rule_update_payload import SecurityMonitoringRuleUpdatePayload
from datadog_api_client.v2.model.security_monitoring_standard_rule_query import SecurityMonitoringStandardRuleQuery

# there is a valid "security_rule" in the system
SECURITY_RULE_ID = environ["SECURITY_RULE_ID"]

body = SecurityMonitoringRuleUpdatePayload(
    name="Example-Security-Monitoring-Updated",
    queries=[
        SecurityMonitoringStandardRuleQuery(
            query="@test:true",
            aggregation=SecurityMonitoringRuleQueryAggregation.COUNT,
            group_by_fields=[],
            distinct_fields=[],
            metrics=[],
        ),
    ],
    filters=[],
    cases=[
        SecurityMonitoringRuleCase(
            name="",
            status=SecurityMonitoringRuleSeverity.INFO,
            condition="a > 0",
            notifications=[],
        ),
    ],
    options=SecurityMonitoringRuleOptions(
        evaluation_window=SecurityMonitoringRuleEvaluationWindow.FIFTEEN_MINUTES,
        keep_alive=SecurityMonitoringRuleKeepAlive.ONE_HOUR,
        max_signal_duration=SecurityMonitoringRuleMaxSignalDuration.ONE_DAY,
    ),
    message="Test rule",
    tags=[],
    is_enabled=True,
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.update_security_monitoring_rule(rule_id=SECURITY_RULE_ID, body=body)

    print(response)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=python), then save the example to `example.py` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"

##### 

```ruby
# Update a cloud configuration rule's details returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

# there is a valid "cloud_configuration_rule" in the system
CLOUD_CONFIGURATION_RULE_ID = ENV["CLOUD_CONFIGURATION_RULE_ID"]

body = DatadogAPIClient::V2::SecurityMonitoringRuleUpdatePayload.new({
  name: "Example-Security-Monitoring_cloud_updated",
  is_enabled: false,
  cases: [
    DatadogAPIClient::V2::SecurityMonitoringRuleCase.new({
      status: DatadogAPIClient::V2::SecurityMonitoringRuleSeverity::INFO,
      notifications: [],
    }),
  ],
  options: DatadogAPIClient::V2::SecurityMonitoringRuleOptions.new({
    compliance_rule_options: DatadogAPIClient::V2::CloudConfigurationComplianceRuleOptions.new({
      resource_type: "gcp_compute_disk",
      rego_rule: DatadogAPIClient::V2::CloudConfigurationRegoRule.new({
        # Double-quoted so that \n and \t become real newlines and tabs; a single-quoted Ruby string would keep them literal.
        policy: "package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nmilliseconds_in_a_day := ((1000 * 60) * 60) * 24\n\neval(iam_service_account_key) = \"skip\" if {\n\tiam_service_account_key.disabled\n} else = \"pass\" if {\n\t(iam_service_account_key.resource_seen_at / milliseconds_in_a_day) - (iam_service_account_key.valid_after_time / milliseconds_in_a_day) <= 90\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n",
        resource_types: [
          "gcp_compute_disk",
        ],
      }),
    }),
  }),
  message: "ddd",
  tags: [],
  compliance_signal_options: DatadogAPIClient::V2::CloudConfigurationRuleComplianceSignalOptions.new({
    user_activation_status: false,
    user_group_by_fields: [],
  }),
})
p api_instance.update_security_monitoring_rule(CLOUD_CONFIGURATION_RULE_ID, body)
```

##### 

```ruby
# Update an existing rule returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

# there is a valid "security_rule" in the system
SECURITY_RULE_ID = ENV["SECURITY_RULE_ID"]

body = DatadogAPIClient::V2::SecurityMonitoringRuleUpdatePayload.new({
  name: "Example-Security-Monitoring-Updated",
  queries: [
    DatadogAPIClient::V2::SecurityMonitoringStandardRuleQuery.new({
      query: "@test:true",
      aggregation: DatadogAPIClient::V2::SecurityMonitoringRuleQueryAggregation::COUNT,
      group_by_fields: [],
      distinct_fields: [],
      metrics: [],
    }),
  ],
  filters: [],
  cases: [
    DatadogAPIClient::V2::SecurityMonitoringRuleCase.new({
      name: "",
      status: DatadogAPIClient::V2::SecurityMonitoringRuleSeverity::INFO,
      condition: "a > 0",
      notifications: [],
    }),
  ],
  options: DatadogAPIClient::V2::SecurityMonitoringRuleOptions.new({
    evaluation_window: DatadogAPIClient::V2::SecurityMonitoringRuleEvaluationWindow::FIFTEEN_MINUTES,
    keep_alive: DatadogAPIClient::V2::SecurityMonitoringRuleKeepAlive::ONE_HOUR,
    max_signal_duration: DatadogAPIClient::V2::SecurityMonitoringRuleMaxSignalDuration::ONE_DAY,
  }),
  message: "Test rule",
  tags: [],
  is_enabled: true,
})
p api_instance.update_security_monitoring_rule(SECURITY_RULE_ID, body)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=ruby), then save the example to `example.rb` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" ruby "example.rb"

##### 

```rust
// Update a cloud configuration rule's details returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::CloudConfigurationComplianceRuleOptions;
use datadog_api_client::datadogV2::model::CloudConfigurationRegoRule;
use datadog_api_client::datadogV2::model::CloudConfigurationRuleComplianceSignalOptions;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleCase;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleOptions;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleSeverity;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleUpdatePayload;

#[tokio::main]
async fn main() {
    // there is a valid "cloud_configuration_rule" in the system
    let cloud_configuration_rule_id = std::env::var("CLOUD_CONFIGURATION_RULE_ID").unwrap();
    let body =
        SecurityMonitoringRuleUpdatePayload::new()
            .cases(
                vec![
                    SecurityMonitoringRuleCase::new()
                        .notifications(vec![])
                        .status(SecurityMonitoringRuleSeverity::INFO)
                ],
            )
            .compliance_signal_options(
                CloudConfigurationRuleComplianceSignalOptions::new()
                    .user_activation_status(Some(false))
                    .user_group_by_fields(Some(vec![])),
            )
            .is_enabled(false)
            .message("ddd".to_string())
            .name("Example-Security-Monitoring_cloud_updated".to_string())
            .options(
                SecurityMonitoringRuleOptions
                ::new().compliance_rule_options(
                    CloudConfigurationComplianceRuleOptions::new()
                        .rego_rule(
                            CloudConfigurationRegoRule::new(
                                r#"package datadog

import data.datadog.output as dd_output

import future.keywords.contains
import future.keywords.if
import future.keywords.in

milliseconds_in_a_day := ((1000 * 60) * 60) * 24

eval(iam_service_account_key) = "skip" if {
	iam_service_account_key.disabled
} else = "pass" if {
	(iam_service_account_key.resource_seen_at / milliseconds_in_a_day) - (iam_service_account_key.valid_after_time / milliseconds_in_a_day) <= 90
} else = "fail"

# This part remains unchanged for all rules
results contains result if {
	some resource in input.resources[input.main_resource_type]
	result := dd_output.format(resource, eval(resource))
}
"#.to_string(),
                                vec!["gcp_compute_disk".to_string()],
                            ),
                        )
                        .resource_type("gcp_compute_disk".to_string()),
                ),
            )
            .tags(vec![]);
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api
        .update_security_monitoring_rule(cloud_configuration_rule_id.clone(), body)
        .await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}
```

##### 

```rust
// Update an existing rule returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleCase;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleEvaluationWindow;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleKeepAlive;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleMaxSignalDuration;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleOptions;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleQuery;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleQueryAggregation;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleSeverity;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleUpdatePayload;
use datadog_api_client::datadogV2::model::SecurityMonitoringStandardRuleQuery;

#[tokio::main]
async fn main() {
    // there is a valid "security_rule" in the system
    let security_rule_id = std::env::var("SECURITY_RULE_ID").unwrap();
    let body = SecurityMonitoringRuleUpdatePayload::new()
        .cases(vec![SecurityMonitoringRuleCase::new()
            .condition("a > 0".to_string())
            .name("".to_string())
            .notifications(vec![])
            .status(SecurityMonitoringRuleSeverity::INFO)])
        .filters(vec![])
        .is_enabled(true)
        .message("Test rule".to_string())
        .name("Example-Security-Monitoring-Updated".to_string())
        .options(
            SecurityMonitoringRuleOptions::new()
                .evaluation_window(SecurityMonitoringRuleEvaluationWindow::FIFTEEN_MINUTES)
                .keep_alive(SecurityMonitoringRuleKeepAlive::ONE_HOUR)
                .max_signal_duration(SecurityMonitoringRuleMaxSignalDuration::ONE_DAY),
        )
        .queries(vec![
            SecurityMonitoringRuleQuery::SecurityMonitoringStandardRuleQuery(Box::new(
                SecurityMonitoringStandardRuleQuery::new()
                    .aggregation(SecurityMonitoringRuleQueryAggregation::COUNT)
                    .distinct_fields(vec![])
                    .group_by_fields(vec![])
                    .metrics(vec![])
                    .query("@test:true".to_string()),
            )),
        ])
        .tags(vec![]);
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api
        .update_security_monitoring_rule(security_rule_id.clone(), body)
        .await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=rust) and then save the example to `src/main.rs` and run the following command, with `DD_SITE` set to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run

```typescript
/**
 * Update a cloud configuration rule's details returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

// there is a valid "cloud_configuration_rule" in the system
const CLOUD_CONFIGURATION_RULE_ID = process.env
  .CLOUD_CONFIGURATION_RULE_ID as string;

const params: v2.SecurityMonitoringApiUpdateSecurityMonitoringRuleRequest = {
  body: {
    name: "Example-Security-Monitoring_cloud_updated",
    isEnabled: false,
    cases: [
      {
        status: "info",
        notifications: [],
      },
    ],
    options: {
      complianceRuleOptions: {
        resourceType: "gcp_compute_disk",
        regoRule: {
          policy: `package datadog

import data.datadog.output as dd_output

import future.keywords.contains
import future.keywords.if
import future.keywords.in

milliseconds_in_a_day := ((1000 * 60) * 60) * 24

eval(iam_service_account_key) = "skip" if {
	iam_service_account_key.disabled
} else = "pass" if {
	(iam_service_account_key.resource_seen_at / milliseconds_in_a_day) - (iam_service_account_key.valid_after_time / milliseconds_in_a_day) <= 90
} else = "fail"

# This part remains unchanged for all rules
results contains result if {
	some resource in input.resources[input.main_resource_type]
	result := dd_output.format(resource, eval(resource))
}
`,
          resourceTypes: ["gcp_compute_disk"],
        },
      },
    },
    message: "ddd",
    tags: [],
    complianceSignalOptions: {
      userActivationStatus: false,
      userGroupByFields: [],
    },
  },
  ruleId: CLOUD_CONFIGURATION_RULE_ID,
};

apiInstance
  .updateSecurityMonitoringRule(params)
  .then((data: v2.SecurityMonitoringRuleResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));
```


```typescript
/**
 * Update an existing rule returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

// there is a valid "security_rule" in the system
const SECURITY_RULE_ID = process.env.SECURITY_RULE_ID as string;

const params: v2.SecurityMonitoringApiUpdateSecurityMonitoringRuleRequest = {
  body: {
    name: "Example-Security-Monitoring-Updated",
    queries: [
      {
        query: "@test:true",
        aggregation: "count",
        groupByFields: [],
        distinctFields: [],
        metrics: [],
      },
    ],
    filters: [],
    cases: [
      {
        name: "",
        status: "info",
        condition: "a > 0",
        notifications: [],
      },
    ],
    options: {
      evaluationWindow: 900,
      keepAlive: 3600,
      maxSignalDuration: 86400,
    },
    message: "Test rule",
    tags: [],
    isEnabled: true,
  },
  ruleId: SECURITY_RULE_ID,
};

apiInstance
  .updateSecurityMonitoringRule(params)
  .then((data: v2.SecurityMonitoringRuleResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=typescript) and then save the example to `example.ts` and run the following command, with `DD_SITE` set to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"
{% /tab %}

## Delete an existing rule{% #delete-an-existing-rule %}

{% tab title="v2" %}

| Datadog site      | API endpoint                                                                    |
| ----------------- | ------------------------------------------------------------------------------- |
| ap1.datadoghq.com | DELETE https://api.ap1.datadoghq.com/api/v2/security_monitoring/rules/{rule_id} |
| ap2.datadoghq.com | DELETE https://api.ap2.datadoghq.com/api/v2/security_monitoring/rules/{rule_id} |
| app.datadoghq.eu  | DELETE https://api.datadoghq.eu/api/v2/security_monitoring/rules/{rule_id}      |
| app.ddog-gov.com  | DELETE https://api.ddog-gov.com/api/v2/security_monitoring/rules/{rule_id}      |
| app.datadoghq.com | DELETE https://api.datadoghq.com/api/v2/security_monitoring/rules/{rule_id}     |
| us3.datadoghq.com | DELETE https://api.us3.datadoghq.com/api/v2/security_monitoring/rules/{rule_id} |
| us5.datadoghq.com | DELETE https://api.us5.datadoghq.com/api/v2/security_monitoring/rules/{rule_id} |

### Overview

Delete an existing rule. Default rules cannot be deleted. This endpoint requires the `security_monitoring_rules_write` permission.

OAuth apps require the `security_monitoring_rules_write` authorization [scope](https://docs.datadoghq.com/api/latest/scopes/#security-monitoring) to access this endpoint.



### Arguments

#### Path Parameters

| Name                      | Type   | Description         |
| ------------------------- | ------ | ------------------- |
| rule_id [*required*] | string | The ID of the rule. |

### Response

{% tab title="204" %}
OK
{% /tab %}

{% tab title="403" %}
Not Authorized
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="404" %}
Not Found
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="429" %}
Too many requests
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

### Code Example

```bash
# Path parameters
export rule_id="CHANGE_ME"
# Curl command
# Replace api.datadoghq.com with the API host for your Datadog site (see the endpoint table above).
curl -X DELETE "https://api.datadoghq.com/api/v2/security_monitoring/rules/${rule_id}" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"
```

```python
"""
Delete an existing rule returns "OK" response
"""

from os import environ
from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi

# there is a valid "security_rule" in the system
SECURITY_RULE_ID = environ["SECURITY_RULE_ID"]

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    api_instance.delete_security_monitoring_rule(
        rule_id=SECURITY_RULE_ID,
    )
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=python) and then save the example to `example.py` and run the following command, with `DD_SITE` set to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"

```ruby
# Delete an existing rule returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

# there is a valid "security_rule" in the system
SECURITY_RULE_ID = ENV["SECURITY_RULE_ID"]
api_instance.delete_security_monitoring_rule(SECURITY_RULE_ID)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=ruby) and then save the example to `example.rb` and run the following command, with `DD_SITE` set to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" rb "example.rb"

```go
// Delete an existing rule returns "OK" response

package main

import (
	"context"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	// there is a valid "security_rule" in the system
	SecurityRuleID := os.Getenv("SECURITY_RULE_ID")

	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	r, err := api.DeleteSecurityMonitoringRule(ctx, SecurityRuleID)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.DeleteSecurityMonitoringRule`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=go) and then save the example to `main.go` and run the following command, with `DD_SITE` set to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"

```java
// Delete an existing rule returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    // there is a valid "security_rule" in the system
    String SECURITY_RULE_ID = System.getenv("SECURITY_RULE_ID");

    try {
      apiInstance.deleteSecurityMonitoringRule(SECURITY_RULE_ID);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#deleteSecurityMonitoringRule");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=java) and then save the example to `Example.java` and run the following command, with `DD_SITE` set to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"

```rust
// Delete an existing rule returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;

#[tokio::main]
async fn main() {
    // there is a valid "security_rule" in the system
    let security_rule_id = std::env::var("SECURITY_RULE_ID").unwrap();
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api
        .delete_security_monitoring_rule(security_rule_id.clone())
        .await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=rust) and then save the example to `src/main.rs` and run the following command, with `DD_SITE` set to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run

```typescript
/**
 * Delete an existing rule returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

// there is a valid "security_rule" in the system
const SECURITY_RULE_ID = process.env.SECURITY_RULE_ID as string;

const params: v2.SecurityMonitoringApiDeleteSecurityMonitoringRuleRequest = {
  ruleId: SECURITY_RULE_ID,
};

apiInstance
  .deleteSecurityMonitoringRule(params)
  .then((data: any) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=typescript) and then save the example to `example.ts` and run the following command, with `DD_SITE` set to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"
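
An added example, not taken from Datadog's documentation or client libraries: a standard-library Python wrapper for this DELETE endpoint that picks the API host from the site table above, percent-encodes `rule_id` so it stays a single path segment, and maps the documented 204/403/404/429 responses to an explicit outcome. The function names, the injectable `send` transport, and the exponential backoff on 429 are assumptions made here, not behaviour the page specifies.

```python
"""Delete a security monitoring rule over HTTPS and interpret the documented responses."""
import json
import os
import time
import urllib.error
import urllib.parse
import urllib.request

# Datadog site -> API base URL, copied from the endpoint table for this operation.
API_HOSTS = {
    "ap1.datadoghq.com": "https://api.ap1.datadoghq.com",
    "ap2.datadoghq.com": "https://api.ap2.datadoghq.com",
    "app.datadoghq.eu": "https://api.datadoghq.eu",
    "app.ddog-gov.com": "https://api.ddog-gov.com",
    "app.datadoghq.com": "https://api.datadoghq.com",
    "us3.datadoghq.com": "https://api.us3.datadoghq.com",
    "us5.datadoghq.com": "https://api.us5.datadoghq.com",
}

# Status codes listed in the Response section, mapped to outcome labels (labels are ours).
OUTCOMES = {204: "deleted", 403: "not_authorized", 404: "not_found", 429: "rate_limited"}


def delete_rule_url(site, rule_id):
    """Build the DELETE URL; reject unknown sites instead of guessing a host."""
    if site not in API_HOSTS:
        raise ValueError(f"unknown Datadog site: {site!r}")
    # Encode every reserved character so a rule_id read from a ticket or CSV
    # cannot add path segments and reach a different endpoint.
    segment = urllib.parse.quote(rule_id, safe="")
    return f"{API_HOSTS[site]}/api/v2/security_monitoring/rules/{segment}"


def http_send(method, url, headers):
    """Default transport: return (status, body) for success and error responses alike."""
    request = urllib.request.Request(url, method=method, headers=headers)
    try:
        with urllib.request.urlopen(request, timeout=30) as response:
            return response.status, response.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def parse_errors(body):
    """Extract the `errors` list from an API error response; tolerate empty or odd bodies."""
    try:
        doc = json.loads(body or b"{}")
    except ValueError:
        return []
    errors = doc.get("errors") if isinstance(doc, dict) else None
    return [str(item) for item in errors] if isinstance(errors, list) else []


def delete_rule(site, rule_id, api_key, app_key,
                send=http_send, max_retries=3, sleep=time.sleep):
    """Delete one rule and report what happened instead of silently returning None."""
    url = delete_rule_url(site, rule_id)
    headers = {"DD-API-KEY": api_key, "DD-APPLICATION-KEY": app_key}
    attempt = 0
    while True:
        status, body = send("DELETE", url, headers)
        if status == 429 and attempt < max_retries:
            sleep(2 ** attempt)  # assumed backoff: 1s, 2s, 4s ...
            attempt += 1
            continue
        break
    return {
        "outcome": OUTCOMES.get(status, "unexpected"),
        "status": status,
        "errors": parse_errors(body),
        "attempts": attempt + 1,
    }


if __name__ == "__main__":
    result = delete_rule(
        "app.datadoghq.com",
        os.environ["SECURITY_RULE_ID"],
        os.environ["DD_API_KEY"],
        os.environ["DD_APP_KEY"],
    )
    print(json.dumps(result, indent=2))
```

Logging the returned `outcome` for every call gives an audit trail of detection-rule deletions, including attempts that were refused with 403.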
{% /tab %}

## Test an existing rule{% #test-an-existing-rule %}

{% tab title="v2" %}

| Datadog site      | API endpoint                                                                       |
| ----------------- | ---------------------------------------------------------------------------------- |
| ap1.datadoghq.com | POST https://api.ap1.datadoghq.com/api/v2/security_monitoring/rules/{rule_id}/test |
| ap2.datadoghq.com | POST https://api.ap2.datadoghq.com/api/v2/security_monitoring/rules/{rule_id}/test |
| app.datadoghq.eu  | POST https://api.datadoghq.eu/api/v2/security_monitoring/rules/{rule_id}/test      |
| app.ddog-gov.com  | POST https://api.ddog-gov.com/api/v2/security_monitoring/rules/{rule_id}/test      |
| app.datadoghq.com | POST https://api.datadoghq.com/api/v2/security_monitoring/rules/{rule_id}/test     |
| us3.datadoghq.com | POST https://api.us3.datadoghq.com/api/v2/security_monitoring/rules/{rule_id}/test |
| us5.datadoghq.com | POST https://api.us5.datadoghq.com/api/v2/security_monitoring/rules/{rule_id}/test |

### Overview

Test an existing rule. This endpoint requires the `security_monitoring_rules_write` permission.

OAuth apps require the `security_monitoring_rules_write` authorization [scope](https://docs.datadoghq.com/api/latest/scopes/#security-monitoring) to access this endpoint.



### Arguments

#### Path Parameters

| Name                      | Type   | Description         |
| ------------------------- | ------ | ------------------- |
| rule_id [*required*] | string | The ID of the rule. |

### Request

#### Body Data (required)



{% tab title="Model" %}

| Parent field             | Field                           | Type          | Description                                                                                                                                                                                                                                                                                                                                                                                                      |
| ------------------------ | ------------------------------- | ------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|                          | rule                            |  <oneOf> | Test a rule.                                                                                                                                                                                                                                                                                                                                                                                                     |
| rule                     | Option 1                        | object        | The payload of a rule to test                                                                                                                                                                                                                                                                                                                                                                                    |
| Option 1                 | calculatedFields                | [object]      | Calculated fields. Only allowed for scheduled rules - in other words, when schedulingOptions is also defined.                                                                                                                                                                                                                                                                                                    |
| calculatedFields         | expression [*required*]    | string        | Expression.                                                                                                                                                                                                                                                                                                                                                                                                      |
| calculatedFields         | name [*required*]          | string        | Field name.                                                                                                                                                                                                                                                                                                                                                                                                      |
| Option 1                 | cases [*required*]         | [object]      | Cases for generating signals.                                                                                                                                                                                                                                                                                                                                                                                    |
| cases                    | actions                         | [object]      | Action to perform for each rule case.                                                                                                                                                                                                                                                                                                                                                                            |
| actions                  | options                         | object        | Options for the rule action                                                                                                                                                                                                                                                                                                                                                                                      |
| options                  | duration                        | int64         | Duration of the action in seconds. 0 indicates no expiration.                                                                                                                                                                                                                                                                                                                                                    |
| options                  | flaggedIPType                   | enum          | Used with the case action of type 'flag_ip'. The value specified in this field is applied as a flag to the IP addresses. Allowed enum values: `SUSPICIOUS,FLAGGED`                                                                                                                                                                                                                                               |
| options                  | userBehaviorName                | string        | Used with the case action of type 'user_behavior'. The value specified in this field is applied as a risk tag to all users affected by the rule.                                                                                                                                                                                                                                                                 |
| actions                  | type                            | enum          | The action type. Allowed enum values: `block_ip,block_user,user_behavior,flag_ip`                                                                                                                                                                                                                                                                                                                                |
| cases                    | condition                       | string        | A case contains logical operations (`>`,`>=`, `&&`, `||`) to determine if a signal should be generated based on the event counts in the previously defined queries.                                                                                                                                                                                                                                              |
| cases                    | name                            | string        | Name of the case.                                                                                                                                                                                                                                                                                                                                                                                                |
| cases                    | notifications                   | [string]      | Notification targets.                                                                                                                                                                                                                                                                                                                                                                                            |
| cases                    | status [*required*]        | enum          | Severity of the Security Signal. Allowed enum values: `info,low,medium,high,critical`                                                                                                                                                                                                                                                                                                                            |
| Option 1                 | filters                         | [object]      | Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules.                                                                                                                                                                                                                                              |
| filters                  | action                          | enum          | The type of filtering action. Allowed enum values: `require,suppress`                                                                                                                                                                                                                                                                                                                                            |
| filters                  | query                           | string        | Query for selecting logs to apply the filtering action.                                                                                                                                                                                                                                                                                                                                                          |
| Option 1                 | groupSignalsBy                  | [string]      | Additional grouping to perform on top of the existing groups in the query section. Must be a subset of the existing groups.                                                                                                                                                                                                                                                                                      |
| Option 1                 | hasExtendedTitle                | boolean       | Whether the notifications include the triggering group-by values in their title.                                                                                                                                                                                                                                                                                                                                 |
| Option 1                 | isEnabled [*required*]     | boolean       | Whether the rule is enabled.                                                                                                                                                                                                                                                                                                                                                                                     |
| Option 1                 | message [*required*]       | string        | Message for generated signals.                                                                                                                                                                                                                                                                                                                                                                                   |
| Option 1                 | name [*required*]          | string        | The name of the rule.                                                                                                                                                                                                                                                                                                                                                                                            |
| Option 1                 | options [*required*]       | object        | Options.                                                                                                                                                                                                                                                                                                                                                                                                         |
| options                  | anomalyDetectionOptions         | object        | Options on anomaly detection method.                                                                                                                                                                                                                                                                                                                                                                             |
| anomalyDetectionOptions  | bucketDuration                  | enum          | Duration in seconds of the time buckets used to aggregate events matched by the rule. Must be greater than or equal to 300. Allowed enum values: `300,600,900,1800,3600,10800`                                                                                                                                                                                                                                   |
| anomalyDetectionOptions  | detectionTolerance              | enum          | An optional parameter that sets how permissive anomaly detection is. Higher values require higher deviations before triggering a signal. Allowed enum values: `1,2,3,4,5`                                                                                                                                                                                                                                        |
| anomalyDetectionOptions  | instantaneousBaseline           | boolean       | When set to true, Datadog uses previous values that fall within the defined learning window to construct the baseline, enabling the system to establish an accurate baseline more rapidly rather than relying solely on gradual learning over time.                                                                                                                                                              |
| anomalyDetectionOptions  | learningDuration                | enum          | Learning duration in hours. Anomaly detection waits for at least this amount of historical data before it starts evaluating. Allowed enum values: `1,6,12,24,48,168,336`                                                                                                                                                                                                                                         |
| anomalyDetectionOptions  | learningPeriodBaseline          | int64         | An optional override baseline to apply while the rule is in the learning period. Must be greater than or equal to 0.                                                                                                                                                                                                                                                                                             |
| options                  | complianceRuleOptions           | object        | Options for cloud_configuration rules. Fields `resourceType` and `regoRule` are mandatory when managing custom `cloud_configuration` rules.                                                                                                                                                                                                                                                                      |
| complianceRuleOptions    | complexRule                     | boolean       | Whether the rule is a complex one. Must be set to true if `regoRule.resourceTypes` contains more than one item. Defaults to false.                                                                                                                                                                                                                                                                               |
| complianceRuleOptions    | regoRule                        | object        | Rule details.                                                                                                                                                                                                                                                                                                                                                                                                    |
| regoRule                 | policy [*required*]        | string        | The policy written in `rego`, see: [https://www.openpolicyagent.org/docs/latest/policy-language/](https://www.openpolicyagent.org/docs/latest/policy-language/)                                                                                                                                                                                                                                                  |
| regoRule                 | resourceTypes [*required*] | [string]      | List of resource types that will be evaluated upon. Must have at least one element.                                                                                                                                                                                                                                                                                                                              |
| complianceRuleOptions    | resourceType                    | string        | Main resource type to be checked by the rule. It should be specified again in `regoRule.resourceTypes`.                                                                                                                                                                                                                                                                                                          |
| options                  | decreaseCriticalityBasedOnEnv   | boolean       | If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise. The severity is decreased by one level: `CRITICAL` in production becomes `HIGH` in non-production, `HIGH` becomes `MEDIUM` and so on. `INFO` remains `INFO`. The decrement is applied when the environment tag of the signal starts with `staging`, `test` or `dev`. |
| options                  | detectionMethod                 | enum          | The detection method. Allowed enum values: `threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold,sequence_detection`                                                                                                                                                                                                                                                  |
| options                  | evaluationWindow                | enum          | A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600`                                                                                                                                               |
| options                  | hardcodedEvaluatorType          | enum          | Hardcoded evaluator type. Allowed enum values: `log4shell`                                                                                                                                                                                                                                                                                                                                                       |
| options                  | impossibleTravelOptions         | object        | Options on impossible travel detection method.                                                                                                                                                                                                                                                                                                                                                                   |
| impossibleTravelOptions  | baselineUserLocations           | boolean       | If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.                                                                                                                                                                                                    |
| options                  | keepAlive                       | enum          | Once a signal is generated, the signal will remain "open" if a case is matched at least once within this keep alive window. For third party detection method, this field is not used. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600`                                                                                                                                                         |
| options                  | maxSignalDuration               | enum          | A signal will "close" regardless of the query being matched once the time exceeds the maximum duration. This time is calculated from the first seen timestamp. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600`                                                                                                                                                                                |
| options                  | newValueOptions                 | object        | Options on new value detection method.                                                                                                                                                                                                                                                                                                                                                                           |
| newValueOptions          | forgetAfter                     | enum          | The duration in days after which a learned value is forgotten. Allowed enum values: `1,2,7,14,21,28`                                                                                                                                                                                                                                                                                                             |
| newValueOptions          | instantaneousBaseline           | boolean       | When set to true, Datadog uses previous values that fall within the defined learning window to construct the baseline, enabling the system to establish an accurate baseline more rapidly rather than relying solely on gradual learning over time.                                                                                                                                                              |
| newValueOptions          | learningDuration                | enum          | The duration in days during which values are learned, and after which signals will be generated for values that weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned. Allowed enum values: `0,1,7`                                                                                                                                                       |
| newValueOptions          | learningMethod                  | enum          | The learning method used to determine when signals should be generated for values that weren't learned. Allowed enum values: `duration,threshold`                                                                                                                                                                                                                                                                |
| newValueOptions          | learningThreshold               | enum          | A number of occurrences after which signals will be generated for values that weren't learned. Allowed enum values: `0,1`                                                                                                                                                                                                                                                                                        |
| options                  | sequenceDetectionOptions        | object        | Options on sequence detection method.                                                                                                                                                                                                                                                                                                                                                                            |
| sequenceDetectionOptions | stepTransitions                 | [object]      | Transitions defining the allowed order of steps and their evaluation windows.                                                                                                                                                                                                                                                                                                                                    |
| stepTransitions          | child                           | string        | Name of the child step.                                                                                                                                                                                                                                                                                                                                                                                          |
| stepTransitions          | evaluationWindow                | enum          | A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600`                                                                                                                                               |
| stepTransitions          | parent                          | string        | Name of the parent step.                                                                                                                                                                                                                                                                                                                                                                                         |
| sequenceDetectionOptions | steps                           | [object]      | Steps that define the conditions to be matched in sequence.                                                                                                                                                                                                                                                                                                                                                      |
| steps                    | condition                       | string        | Condition referencing rule queries (e.g., `a > 0`).                                                                                                                                                                                                                                                                                                                                                              |
| steps                    | evaluationWindow                | enum          | A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600`                                                                                                                                               |
| steps                    | name                            | string        | Unique name identifying the step.                                                                                                                                                                                                                                                                                                                                                                                |
| options                  | thirdPartyRuleOptions           | object        | Options on third party detection method.                                                                                                                                                                                                                                                                                                                                                                         |
| thirdPartyRuleOptions    | defaultNotifications            | [string]      | Notification targets for the logs that do not correspond to any of the cases.                                                                                                                                                                                                                                                                                                                                    |
| thirdPartyRuleOptions    | defaultStatus                   | enum          | Severity of the Security Signal. Allowed enum values: `info,low,medium,high,critical`                                                                                                                                                                                                                                                                                                                            |
| thirdPartyRuleOptions    | rootQueries                     | [object]      | Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.                                                                                                                                                                                                                                                      |
| rootQueries              | groupByFields                   | [string]      | Fields to group by.                                                                                                                                                                                                                                                                                                                                                                                              |
| rootQueries              | query                           | string        | Query to run on logs.                                                                                                                                                                                                                                                                                                                                                                                            |
| thirdPartyRuleOptions    | signalTitleTemplate             | string        | A template for the signal title; if omitted, the title is generated based on the case name.                                                                                                                                                                                                                                                                                                                      |
| Option 1                 | queries [*required*]       | [object]      | Queries for selecting logs which are part of the rule.                                                                                                                                                                                                                                                                                                                                                           |
| queries                  | aggregation                     | enum          | The aggregation type. Allowed enum values: `count,cardinality,sum,max,new_value,geo_data,event_count,none`                                                                                                                                                                                                                                                                                                       |
| queries                  | customQueryExtension            | string        | Query extension to append to the logs query.                                                                                                                                                                                                                                                                                                                                                                     |
| queries                  | dataSource                      | enum          | Source of events, either logs, audit trail, or Datadog events. `app_sec_spans` is deprecated in favor of `spans`. Allowed enum values: `logs,audit,app_sec_spans,spans,security_runtime,network,events`                                                                                                                                                                                                          |
| queries                  | distinctFields                  | [string]      | Field for which the cardinality is measured. Sent as an array.                                                                                                                                                                                                                                                                                                                                                   |
| queries                  | groupByFields                   | [string]      | Fields to group by.                                                                                                                                                                                                                                                                                                                                                                                              |
| queries                  | hasOptionalGroupByFields        | boolean       | When false, events without a group-by value are ignored by the rule. When true, events with missing group-by fields are processed with `N/A`, replacing the missing values.                                                                                                                                                                                                                                      |
| queries                  | index                           | string        | **This field is currently unstable and might be removed in a minor version upgrade.** The index to run the query on, if the `dataSource` is `logs`. Only used for scheduled rules - in other words, when the `schedulingOptions` field is present in the rule payload.                                                                                                                                           |
| queries                  | indexes                         | [string]      | List of indexes to query when the `dataSource` is `logs`. Only used for scheduled rules - in other words, when the `schedulingOptions` field is present in the rule payload.                                                                                                                                                                                                                                     |
| queries                  | metric                          | string        | **DEPRECATED**: The target field to aggregate over when using the sum or max aggregations. Use the `metrics` field instead.                                                                                                                                                                                                                                                                                      |
| queries                  | metrics                         | [string]      | Group of target fields to aggregate over when using the sum, max, geo data, or new value aggregations. The sum, max, and geo data aggregations only accept one value in this list, whereas the new value aggregation accepts up to five values.                                                                                                                                                                  |
| queries                  | name                            | string        | Name of the query.                                                                                                                                                                                                                                                                                                                                                                                               |
| queries                  | query                           | string        | Query to run on logs.                                                                                                                                                                                                                                                                                                                                                                                            |
| Option 1                 | referenceTables                 | [object]      | Reference tables for the rule.                                                                                                                                                                                                                                                                                                                                                                                   |
| referenceTables          | checkPresence                   | boolean       | Whether to include or exclude the matched values.                                                                                                                                                                                                                                                                                                                                                                |
| referenceTables          | columnName                      | string        | The name of the column in the reference table.                                                                                                                                                                                                                                                                                                                                                                   |
| referenceTables          | logFieldPath                    | string        | The field in the log to match against the reference table.                                                                                                                                                                                                                                                                                                                                                       |
| referenceTables          | ruleQueryName                   | string        | The name of the query to apply the reference table to.                                                                                                                                                                                                                                                                                                                                                           |
| referenceTables          | tableName                       | string        | The name of the reference table.                                                                                                                                                                                                                                                                                                                                                                                 |
| Option 1                 | schedulingOptions               | object        | Options for scheduled rules. When this field is present, the rule runs based on the schedule. When absent, it runs real-time on ingested logs.                                                                                                                                                                                                                                                                   |
| schedulingOptions        | rrule                           | string        | Schedule for the rule queries, written in RRULE syntax. See [RFC](https://icalendar.org/iCalendar-RFC-5545/3-8-5-3-recurrence-rule.html) for syntax reference.                                                                                                                                                                                                                                                   |
| schedulingOptions        | start                           | string        | Start date for the schedule, in ISO 8601 format without timezone.                                                                                                                                                                                                                                                                                                                                                |
| schedulingOptions        | timezone                        | string        | Time zone of the start date, in the [tz database](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones) format.                                                                                                                                                                                                                                                                                          |
| Option 1                 | tags                            | [string]      | Tags for generated signals.                                                                                                                                                                                                                                                                                                                                                                                      |
| Option 1                 | thirdPartyCases                 | [object]      | Cases for generating signals from third-party rules. Only available for third-party rules.                                                                                                                                                                                                                                                                                                                       |
| thirdPartyCases          | name                            | string        | Name of the case.                                                                                                                                                                                                                                                                                                                                                                                                |
| thirdPartyCases          | notifications                   | [string]      | Notification targets for each case.                                                                                                                                                                                                                                                                                                                                                                              |
| thirdPartyCases          | query                           | string        | A query to map a third party event to this case.                                                                                                                                                                                                                                                                                                                                                                 |
| thirdPartyCases          | status [*required*]        | enum          | Severity of the Security Signal. Allowed enum values: `info,low,medium,high,critical`                                                                                                                                                                                                                                                                                                                            |
| Option 1                 | type                            | enum          | The rule type. Allowed enum values: `log_detection`                                                                                                                                                                                                                                                                                                                                                              |
|                          | ruleQueryPayloads               | [object]      | Data payloads used to test rules query with the expected result.                                                                                                                                                                                                                                                                                                                                                 |
| ruleQueryPayloads        | expectedResult                  | boolean       | Expected result of the test.                                                                                                                                                                                                                                                                                                                                                                                     |
| ruleQueryPayloads        | index                           | int64         | Index of the query under test.                                                                                                                                                                                                                                                                                                                                                                                   |
| ruleQueryPayloads        | payload                         | object        | Payload used to test the rule query.                                                                                                                                                                                                                                                                                                                                                                             |
| payload                  | ddsource                        | string        | Source of the payload.                                                                                                                                                                                                                                                                                                                                                                                           |
| payload                  | ddtags                          | string        | Tags associated with your data.                                                                                                                                                                                                                                                                                                                                                                                  |
| payload                  | hostname                        | string        | The name of the originating host of the log.                                                                                                                                                                                                                                                                                                                                                                     |
| payload                  | message                         | string        | The message of the payload.                                                                                                                                                                                                                                                                                                                                                                                      |
| payload                  | service                         | string        | The name of the application or service generating the data.                                                                                                                                                                                                                                                                                                                                                      |

{% /tab %}

{% tab title="Example" %}

```json
{
  "rule": {
    "calculatedFields": [
      {
        "expression": "@request_end_timestamp - @request_start_timestamp",
        "name": "response_time"
      }
    ],
    "cases": [
      {
        "actions": [
          {
            "options": {
              "duration": 0,
              "flaggedIPType": "FLAGGED",
              "userBehaviorName": "string"
            },
            "type": "string"
          }
        ],
        "condition": "string",
        "name": "string",
        "notifications": [],
        "status": "critical"
      }
    ],
    "filters": [
      {
        "action": "string",
        "query": "string"
      }
    ],
    "groupSignalsBy": [
      "service"
    ],
    "hasExtendedTitle": true,
    "isEnabled": true,
    "message": "",
    "name": "My security monitoring rule.",
    "options": {
      "anomalyDetectionOptions": {
        "bucketDuration": 300,
        "detectionTolerance": 5,
        "instantaneousBaseline": false,
        "learningDuration": "integer",
        "learningPeriodBaseline": "integer"
      },
      "complianceRuleOptions": {
        "complexRule": false,
        "regoRule": {
          "policy": "package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(resource) = \"skip\" if {\n  # Logic that evaluates to true if the resource should be skipped\n  true\n} else = \"pass\" {\n  # Logic that evaluates to true if the resource is compliant\n  true\n} else = \"fail\" {\n  # Logic that evaluates to true if the resource is not compliant\n  true\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n  some resource in input.resources[input.main_resource_type]\n  result := dd_output.format(resource, eval(resource))\n}",
          "resourceTypes": [
            "gcp_iam_service_account",
            "gcp_iam_policy"
          ]
        },
        "resourceType": "aws_acm"
      },
      "decreaseCriticalityBasedOnEnv": false,
      "detectionMethod": "string",
      "evaluationWindow": "integer",
      "hardcodedEvaluatorType": "string",
      "impossibleTravelOptions": {
        "baselineUserLocations": true
      },
      "keepAlive": "integer",
      "maxSignalDuration": "integer",
      "newValueOptions": {
        "forgetAfter": "integer",
        "instantaneousBaseline": false,
        "learningDuration": "integer",
        "learningMethod": "string",
        "learningThreshold": "integer"
      },
      "sequenceDetectionOptions": {
        "stepTransitions": [
          {
            "child": "string",
            "evaluationWindow": "integer",
            "parent": "string"
          }
        ],
        "steps": [
          {
            "condition": "string",
            "evaluationWindow": "integer",
            "name": "string"
          }
        ]
      },
      "thirdPartyRuleOptions": {
        "defaultNotifications": [],
        "defaultStatus": "critical",
        "rootQueries": [
          {
            "groupByFields": [],
            "query": "source:cloudtrail"
          }
        ],
        "signalTitleTemplate": "string"
      }
    },
    "queries": [
      {
        "aggregation": "string",
        "customQueryExtension": "a > 3",
        "dataSource": "logs",
        "distinctFields": [],
        "groupByFields": [],
        "hasOptionalGroupByFields": false,
        "index": "string",
        "indexes": [],
        "metric": "string",
        "metrics": [],
        "name": "string",
        "query": "a > 3"
      }
    ],
    "referenceTables": [
      {
        "checkPresence": false,
        "columnName": "string",
        "logFieldPath": "string",
        "ruleQueryName": "string",
        "tableName": "string"
      }
    ],
    "schedulingOptions": {
      "rrule": "FREQ=HOURLY;INTERVAL=1;",
      "start": "2025-07-14T12:00:00",
      "timezone": "America/New_York"
    },
    "tags": [
      "env:prod",
      "team:security"
    ],
    "thirdPartyCases": [
      {
        "name": "string",
        "notifications": [],
        "query": "string",
        "status": "critical"
      }
    ],
    "type": "string"
  },
  "ruleQueryPayloads": [
    {
      "expectedResult": true,
      "index": 0,
      "payload": {
        "ddsource": "nginx",
        "ddtags": "env:staging,version:5.1",
        "hostname": "i-012345678",
        "message": "2019-11-19T14:37:58,995 INFO [process.name][20081] Hello World",
        "service": "payment"
      }
    }
  ]
}
```

{% /tab %}

### Response

{% tab title="200" %}
OK
{% tab title="Model" %}
Result of the test of the rule queries.

| Field   | Type      | Description                                                                                                                                                             |
| ------- | --------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| results | [boolean] | Assert results are returned in the same order as the rule query payloads. For each payload, it returns True if the result matched the expected result, False otherwise. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "results": []
}
```

{% /tab %}

{% /tab %}

{% tab title="400" %}
Bad Request
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="401" %}
Concurrent Modification
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="403" %}
Not Authorized
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="404" %}
Not Found
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="429" %}
Too many requests
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

### Code Example

```bash
# Path parameters
export rule_id="CHANGE_ME"
# Curl command (api.datadoghq.com shown; use the API host for your Datadog site)
curl -X POST "https://api.datadoghq.com/api/v2/security_monitoring/rules/${rule_id}/test" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "rule": {
    "calculatedFields": [
      {
        "expression": "@request_end_timestamp - @request_start_timestamp",
        "name": "response_time"
      }
    ],
    "cases": [
      {
        "status": "critical"
      }
    ],
    "options": {
      "complianceRuleOptions": {
        "regoRule": {
          "policy": "package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(resource) = \"skip\" if {\n  # Logic that evaluates to true if the resource should be skipped\n  true\n} else = \"pass\" {\n  # Logic that evaluates to true if the resource is compliant\n  true\n} else = \"fail\" {\n  # Logic that evaluates to true if the resource is not compliant\n  true\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n  some resource in input.resources[input.main_resource_type]\n  result := dd_output.format(resource, eval(resource))\n}",
          "resourceTypes": [
            "gcp_iam_service_account",
            "gcp_iam_policy"
          ]
        }
      }
    },
    "thirdPartyCases": [
      {
        "status": "critical"
      }
    ]
  }
}
EOF
```

```python
"""
Test an existing rule returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.security_monitoring_rule_query_payload import SecurityMonitoringRuleQueryPayload
from datadog_api_client.v2.model.security_monitoring_rule_query_payload_data import (
    SecurityMonitoringRuleQueryPayloadData,
)
from datadog_api_client.v2.model.security_monitoring_rule_test_request import SecurityMonitoringRuleTestRequest

body = SecurityMonitoringRuleTestRequest(
    rule_query_payloads=[
        SecurityMonitoringRuleQueryPayload(
            expected_result=True,
            index=0,
            payload=SecurityMonitoringRuleQueryPayloadData(
                ddsource="nginx",
                ddtags="env:staging,version:5.1",
                hostname="i-012345678",
                message="2019-11-19T14:37:58,995 INFO [process.name][20081] Hello World",
                service="payment",
            ),
        ),
    ],
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.test_existing_security_monitoring_rule(rule_id="rule_id", body=body)

    print(response)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=python), then save the example to `example.py` and run the following command, with `DD_SITE` set to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```sh
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
```

```ruby
# Test an existing rule returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

body = DatadogAPIClient::V2::SecurityMonitoringRuleTestRequest.new({
  rule_query_payloads: [
    DatadogAPIClient::V2::SecurityMonitoringRuleQueryPayload.new({
      expected_result: true,
      index: 0,
      payload: DatadogAPIClient::V2::SecurityMonitoringRuleQueryPayloadData.new({
        ddsource: "nginx",
        ddtags: "env:staging,version:5.1",
        hostname: "i-012345678",
        message: "2019-11-19T14:37:58,995 INFO [process.name][20081] Hello World",
        service: "payment",
      }),
    }),
  ],
})
p api_instance.test_existing_security_monitoring_rule("rule_id", body)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=ruby), then save the example to `example.rb` and run the following command, with `DD_SITE` set to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```sh
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" ruby "example.rb"
```

```go
// Test an existing rule returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	body := datadogV2.SecurityMonitoringRuleTestRequest{
		RuleQueryPayloads: []datadogV2.SecurityMonitoringRuleQueryPayload{
			{
				ExpectedResult: datadog.PtrBool(true),
				Index:          datadog.PtrInt64(0),
				Payload: &datadogV2.SecurityMonitoringRuleQueryPayloadData{
					Ddsource: datadog.PtrString("nginx"),
					Ddtags:   datadog.PtrString("env:staging,version:5.1"),
					Hostname: datadog.PtrString("i-012345678"),
					Message:  datadog.PtrString("2019-11-19T14:37:58,995 INFO [process.name][20081] Hello World"),
					Service:  datadog.PtrString("payment"),
				},
			},
		},
	}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.TestExistingSecurityMonitoringRule(ctx, "rule_id", body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.TestExistingSecurityMonitoringRule`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.TestExistingSecurityMonitoringRule`:\n%s\n", responseContent)
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=go), then save the example to `main.go` and run the following command, with `DD_SITE` set to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```sh
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
```

```java
// Test an existing rule returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleQueryPayload;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleQueryPayloadData;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleTestRequest;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleTestResponse;
import java.util.Collections;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    SecurityMonitoringRuleTestRequest body =
        new SecurityMonitoringRuleTestRequest()
            .ruleQueryPayloads(
                Collections.singletonList(
                    new SecurityMonitoringRuleQueryPayload()
                        .expectedResult(true)
                        .index(0L)
                        .payload(
                            new SecurityMonitoringRuleQueryPayloadData()
                                .ddsource("nginx")
                                .ddtags("env:staging,version:5.1")
                                .hostname("i-012345678")
                                .message(
                                    "2019-11-19T14:37:58,995 INFO [process.name][20081] Hello"
                                        + " World")
                                .service("payment"))));

    try {
      SecurityMonitoringRuleTestResponse result =
          apiInstance.testExistingSecurityMonitoringRule("rule_id", body);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#testExistingSecurityMonitoringRule");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=java), then save the example to `Example.java` and run the following command, with `DD_SITE` set to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```sh
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"
```

```rust
// Test an existing rule returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleQueryPayload;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleQueryPayloadData;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleTestRequest;

#[tokio::main]
async fn main() {
    let body = SecurityMonitoringRuleTestRequest::new().rule_query_payloads(vec![
        SecurityMonitoringRuleQueryPayload::new()
            .expected_result(true)
            .index(0)
            .payload(
                SecurityMonitoringRuleQueryPayloadData::new()
                    .ddsource("nginx".to_string())
                    .ddtags("env:staging,version:5.1".to_string())
                    .hostname("i-012345678".to_string())
                    .message(
                        "2019-11-19T14:37:58,995 INFO [process.name][20081] Hello World"
                            .to_string(),
                    )
                    .service("payment".to_string()),
            ),
    ]);
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api
        .test_existing_security_monitoring_rule("rule_id".to_string(), body)
        .await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=rust), then save the example to `src/main.rs` and run the following command, with `DD_SITE` set to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```sh
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run
```

```typescript
/**
 * Test an existing rule returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiTestExistingSecurityMonitoringRuleRequest =
  {
    body: {
      ruleQueryPayloads: [
        {
          expectedResult: true,
          index: 0,
          payload: {
            ddsource: "nginx",
            ddtags: "env:staging,version:5.1",
            hostname: "i-012345678",
            message:
              "2019-11-19T14:37:58,995 INFO [process.name][20081] Hello World",
            service: "payment",
          },
        },
      ],
    },
    ruleId: "rule_id",
  };

apiInstance
  .testExistingSecurityMonitoringRule(params)
  .then((data: v2.SecurityMonitoringRuleTestResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=typescript), then save the example to `example.ts` and run the following command, with `DD_SITE` set to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```sh
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"
```
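
The request and response models above can back a regression check for a detection rule: each `results` entry reports whether a payload behaved as expected, not whether the query matched. The following is an added example, not part of Datadog's documentation or client libraries; `CASES`, the local-only `label` key, the helper names and the sample response are constructed for illustration, and the request body would be sent with any of the clients shown above.

```python
import json

# Constructed test cases for a hypothetical rule. "label" is a local-only key;
# the other keys are the ruleQueryPayloads fields documented on this page.
CASES = [
    {
        "label": "nginx log from payment should match query 0",
        "index": 0,
        "expectedResult": True,
        "payload": {
            "ddsource": "nginx",
            "ddtags": "env:staging,version:5.1",
            "hostname": "i-012345678",
            "message": "2019-11-19T14:37:58,995 INFO [process.name][20081] Hello World",
            "service": "payment",
        },
    },
    {
        "label": "unrelated source should not match query 0",
        "index": 0,
        "expectedResult": False,
        "payload": {"ddsource": "redis", "service": "cache", "message": "PING"},
    },
]


class RuleTestError(Exception):
    """Error body, or a response that cannot be paired with the submitted cases."""


def build_request(cases):
    """Return the JSON-serialisable request body, dropping local-only keys."""
    body = {"ruleQueryPayloads": []}
    for case in cases:
        if not isinstance(case["expectedResult"], bool):
            raise ValueError(f"{case['label']}: expectedResult must be a boolean")
        index = case["index"]
        # bool is a subclass of int in Python, so reject it explicitly.
        if isinstance(index, bool) or not isinstance(index, int) or index < 0:
            raise ValueError(f"{case['label']}: index must be a non-negative integer")
        body["ruleQueryPayloads"].append(
            {key: case[key] for key in ("expectedResult", "index", "payload")}
        )
    return body


def evaluate(cases, response):
    """Pair each boolean in `results` with its case, by position."""
    if response.get("errors"):
        raise RuleTestError("; ".join(response["errors"]))
    results = response.get("results")
    if not isinstance(results, list) or len(results) != len(cases):
        raise RuleTestError("results do not line up with the submitted payloads")
    report = []
    for case, ok in zip(cases, results):
        if not isinstance(ok, bool):
            raise RuleTestError(f"{case['label']}: non-boolean result {ok!r}")
        # results[i] says whether the outcome equalled expectedResult, so the
        # query's actual verdict is recovered from both values.
        matched = case["expectedResult"] if ok else not case["expectedResult"]
        report.append({"label": case["label"], "passed": ok, "query_matched": matched})
    return report


def failures(report):
    """Labels of the cases whose outcome differed from expectedResult."""
    return [row["label"] for row in report if not row["passed"]]


if __name__ == "__main__":
    print(json.dumps(build_request(CASES), indent=2))
    # Constructed response: the first case behaved as expected, the second did not.
    sample_response = {"results": [True, False]}
    for row in evaluate(CASES, sample_response):
        print(row)
```

A `False` for a case with `expectedResult: false` means the query matched a payload it was supposed to ignore, which is the false-positive regression this kind of check is meant to catch before a rule change is deployed.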
{% /tab %}

## Test a rule{% #test-a-rule %}

{% tab title="v2" %}

| Datadog site      | API endpoint                                                             |
| ----------------- | ------------------------------------------------------------------------ |
| ap1.datadoghq.com | POST https://api.ap1.datadoghq.com/api/v2/security_monitoring/rules/test |
| ap2.datadoghq.com | POST https://api.ap2.datadoghq.com/api/v2/security_monitoring/rules/test |
| app.datadoghq.eu  | POST https://api.datadoghq.eu/api/v2/security_monitoring/rules/test      |
| app.ddog-gov.com  | POST https://api.ddog-gov.com/api/v2/security_monitoring/rules/test      |
| app.datadoghq.com | POST https://api.datadoghq.com/api/v2/security_monitoring/rules/test     |
| us3.datadoghq.com | POST https://api.us3.datadoghq.com/api/v2/security_monitoring/rules/test |
| us5.datadoghq.com | POST https://api.us5.datadoghq.com/api/v2/security_monitoring/rules/test |

### Overview

Test a rule. This endpoint requires the `security_monitoring_rules_write` permission.

OAuth apps require the `security_monitoring_rules_write` authorization [scope](https://docs.datadoghq.com/api/latest/scopes/#security-monitoring) to access this endpoint.



### Request

#### Body Data (required)



{% tab title="Model" %}

| Parent field             | Field                           | Type          | Description                                                                                                                                                                                                                                                                                                                                                                                                      |
| ------------------------ | ------------------------------- | ------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|                          | rule                            |  <oneOf> | Test a rule.                                                                                                                                                                                                                                                                                                                                                                                                     |
| rule                     | Option 1                        | object        | The payload of a rule to test                                                                                                                                                                                                                                                                                                                                                                                    |
| Option 1                 | calculatedFields                | [object]      | Calculated fields. Only allowed for scheduled rules - in other words, when schedulingOptions is also defined.                                                                                                                                                                                                                                                                                                    |
| calculatedFields         | expression [*required*]    | string        | Expression.                                                                                                                                                                                                                                                                                                                                                                                                      |
| calculatedFields         | name [*required*]          | string        | Field name.                                                                                                                                                                                                                                                                                                                                                                                                      |
| Option 1                 | cases [*required*]         | [object]      | Cases for generating signals.                                                                                                                                                                                                                                                                                                                                                                                    |
| cases                    | actions                         | [object]      | Action to perform for each rule case.                                                                                                                                                                                                                                                                                                                                                                            |
| actions                  | options                         | object        | Options for the rule action                                                                                                                                                                                                                                                                                                                                                                                      |
| options                  | duration                        | int64         | Duration of the action in seconds. 0 indicates no expiration.                                                                                                                                                                                                                                                                                                                                                    |
| options                  | flaggedIPType                   | enum          | Used with the case action of type 'flag_ip'. The value specified in this field is applied as a flag to the IP addresses. Allowed enum values: `SUSPICIOUS,FLAGGED`                                                                                                                                                                                                                                               |
| options                  | userBehaviorName                | string        | Used with the case action of type 'user_behavior'. The value specified in this field is applied as a risk tag to all users affected by the rule.                                                                                                                                                                                                                                                                 |
| actions                  | type                            | enum          | The action type. Allowed enum values: `block_ip,block_user,user_behavior,flag_ip`                                                                                                                                                                                                                                                                                                                                |
| cases                    | condition                       | string        | A case contains logical operations (`>`,`>=`, `&&`, `||`) to determine if a signal should be generated based on the event counts in the previously defined queries.                                                                                                                                                                                                                                              |
| cases                    | name                            | string        | Name of the case.                                                                                                                                                                                                                                                                                                                                                                                                |
| cases                    | notifications                   | [string]      | Notification targets.                                                                                                                                                                                                                                                                                                                                                                                            |
| cases                    | status [*required*]        | enum          | Severity of the Security Signal. Allowed enum values: `info,low,medium,high,critical`                                                                                                                                                                                                                                                                                                                            |
| Option 1                 | filters                         | [object]      | Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules.                                                                                                                                                                                                                                              |
| filters                  | action                          | enum          | The type of filtering action. Allowed enum values: `require,suppress`                                                                                                                                                                                                                                                                                                                                            |
| filters                  | query                           | string        | Query for selecting logs to apply the filtering action.                                                                                                                                                                                                                                                                                                                                                          |
| Option 1                 | groupSignalsBy                  | [string]      | Additional grouping to perform on top of the existing groups in the query section. Must be a subset of the existing groups.                                                                                                                                                                                                                                                                                      |
| Option 1                 | hasExtendedTitle                | boolean       | Whether the notifications include the triggering group-by values in their title.                                                                                                                                                                                                                                                                                                                                 |
| Option 1                 | isEnabled [*required*]     | boolean       | Whether the rule is enabled.                                                                                                                                                                                                                                                                                                                                                                                     |
| Option 1                 | message [*required*]       | string        | Message for generated signals.                                                                                                                                                                                                                                                                                                                                                                                   |
| Option 1                 | name [*required*]          | string        | The name of the rule.                                                                                                                                                                                                                                                                                                                                                                                            |
| Option 1                 | options [*required*]       | object        | Options.                                                                                                                                                                                                                                                                                                                                                                                                         |
| options                  | anomalyDetectionOptions         | object        | Options on anomaly detection method.                                                                                                                                                                                                                                                                                                                                                                             |
| anomalyDetectionOptions  | bucketDuration                  | enum          | Duration in seconds of the time buckets used to aggregate events matched by the rule. Must be greater than or equal to 300. Allowed enum values: `300,600,900,1800,3600,10800`                                                                                                                                                                                                                                   |
| anomalyDetectionOptions  | detectionTolerance              | enum          | An optional parameter that sets how permissive anomaly detection is. Higher values require higher deviations before triggering a signal. Allowed enum values: `1,2,3,4,5`                                                                                                                                                                                                                                        |
| anomalyDetectionOptions  | instantaneousBaseline           | boolean       | When set to true, Datadog uses previous values that fall within the defined learning window to construct the baseline, enabling the system to establish an accurate baseline more rapidly rather than relying solely on gradual learning over time.                                                                                                                                                              |
| anomalyDetectionOptions  | learningDuration                | enum          | Learning duration in hours. Anomaly detection waits for at least this amount of historical data before it starts evaluating. Allowed enum values: `1,6,12,24,48,168,336`                                                                                                                                                                                                                                         |
| anomalyDetectionOptions  | learningPeriodBaseline          | int64         | An optional override baseline to apply while the rule is in the learning period. Must be greater than or equal to 0.                                                                                                                                                                                                                                                                                             |
| options                  | complianceRuleOptions           | object        | Options for cloud_configuration rules. Fields `resourceType` and `regoRule` are mandatory when managing custom `cloud_configuration` rules.                                                                                                                                                                                                                                                                      |
| complianceRuleOptions    | complexRule                     | boolean       | Whether the rule is a complex one. Must be set to true if `regoRule.resourceTypes` contains more than one item. Defaults to false.                                                                                                                                                                                                                                                                               |
| complianceRuleOptions    | regoRule                        | object        | Rule details.                                                                                                                                                                                                                                                                                                                                                                                                    |
| regoRule                 | policy [*required*]        | string        | The policy written in `rego`, see: [https://www.openpolicyagent.org/docs/latest/policy-language/](https://www.openpolicyagent.org/docs/latest/policy-language/)                                                                                                                                                                                                                                                  |
| regoRule                 | resourceTypes [*required*] | [string]      | List of resource types that will be evaluated upon. Must have at least one element.                                                                                                                                                                                                                                                                                                                              |
| complianceRuleOptions    | resourceType                    | string        | Main resource type to be checked by the rule. It should be specified again in `regoRule.resourceTypes`.                                                                                                                                                                                                                                                                                                          |
| options                  | decreaseCriticalityBasedOnEnv   | boolean       | If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise. The severity is decreased by one level: `CRITICAL` in production becomes `HIGH` in non-production, `HIGH` becomes `MEDIUM` and so on. `INFO` remains `INFO`. The decrement is applied when the environment tag of the signal starts with `staging`, `test` or `dev`. |
| options                  | detectionMethod                 | enum          | The detection method. Allowed enum values: `threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold,sequence_detection`                                                                                                                                                                                                                                                  |
| options                  | evaluationWindow                | enum          | A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600`                                                                                                                                               |
| options                  | hardcodedEvaluatorType          | enum          | Hardcoded evaluator type. Allowed enum values: `log4shell`                                                                                                                                                                                                                                                                                                                                                       |
| options                  | impossibleTravelOptions         | object        | Options on impossible travel detection method.                                                                                                                                                                                                                                                                                                                                                                   |
| impossibleTravelOptions  | baselineUserLocations           | boolean       | If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.                                                                                                                                                                                                    |
| options                  | keepAlive                       | enum          | Once a signal is generated, the signal will remain "open" if a case is matched at least once within this keep alive window. For third party detection method, this field is not used. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600`                                                                                                                                                         |
| options                  | maxSignalDuration               | enum          | A signal will "close" regardless of the query being matched once the time exceeds the maximum duration. This time is calculated from the first seen timestamp. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600`                                                                                                                                                                                |
| options                  | newValueOptions                 | object        | Options on new value detection method.                                                                                                                                                                                                                                                                                                                                                                           |
| newValueOptions          | forgetAfter                     | enum          | The duration in days after which a learned value is forgotten. Allowed enum values: `1,2,7,14,21,28`                                                                                                                                                                                                                                                                                                             |
| newValueOptions          | instantaneousBaseline           | boolean       | When set to true, Datadog uses previous values that fall within the defined learning window to construct the baseline, enabling the system to establish an accurate baseline more rapidly rather than relying solely on gradual learning over time.                                                                                                                                                              |
| newValueOptions          | learningDuration                | enum          | The duration in days during which values are learned, and after which signals will be generated for values that weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned. Allowed enum values: `0,1,7`                                                                                                                                                       |
| newValueOptions          | learningMethod                  | enum          | The learning method used to determine when signals should be generated for values that weren't learned. Allowed enum values: `duration,threshold`                                                                                                                                                                                                                                                                |
| newValueOptions          | learningThreshold               | enum          | A number of occurrences after which signals will be generated for values that weren't learned. Allowed enum values: `0,1`                                                                                                                                                                                                                                                                                        |
| options                  | sequenceDetectionOptions        | object        | Options on sequence detection method.                                                                                                                                                                                                                                                                                                                                                                            |
| sequenceDetectionOptions | stepTransitions                 | [object]      | Transitions defining the allowed order of steps and their evaluation windows.                                                                                                                                                                                                                                                                                                                                    |
| stepTransitions          | child                           | string        | Name of the child step.                                                                                                                                                                                                                                                                                                                                                                                          |
| stepTransitions          | evaluationWindow                | enum          | A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600`                                                                                                                                               |
| stepTransitions          | parent                          | string        | Name of the parent step.                                                                                                                                                                                                                                                                                                                                                                                         |
| sequenceDetectionOptions | steps                           | [object]      | Steps that define the conditions to be matched in sequence.                                                                                                                                                                                                                                                                                                                                                      |
| steps                    | condition                       | string        | Condition referencing rule queries (e.g., `a > 0`).                                                                                                                                                                                                                                                                                                                                                              |
| steps                    | evaluationWindow                | enum          | A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600`                                                                                                                                               |
| steps                    | name                            | string        | Unique name identifying the step.                                                                                                                                                                                                                                                                                                                                                                                |
| options                  | thirdPartyRuleOptions           | object        | Options on third party detection method.                                                                                                                                                                                                                                                                                                                                                                         |
| thirdPartyRuleOptions    | defaultNotifications            | [string]      | Notification targets for the logs that do not correspond to any of the cases.                                                                                                                                                                                                                                                                                                                                    |
| thirdPartyRuleOptions    | defaultStatus                   | enum          | Severity of the Security Signal. Allowed enum values: `info,low,medium,high,critical`                                                                                                                                                                                                                                                                                                                            |
| thirdPartyRuleOptions    | rootQueries                     | [object]      | Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.                                                                                                                                                                                                                                                      |
| rootQueries              | groupByFields                   | [string]      | Fields to group by.                                                                                                                                                                                                                                                                                                                                                                                              |
| rootQueries              | query                           | string        | Query to run on logs.                                                                                                                                                                                                                                                                                                                                                                                            |
| thirdPartyRuleOptions    | signalTitleTemplate             | string        | A template for the signal title; if omitted, the title is generated based on the case name.                                                                                                                                                                                                                                                                                                                      |
| Option 1                 | queries [*required*]       | [object]      | Queries for selecting logs which are part of the rule.                                                                                                                                                                                                                                                                                                                                                           |
| queries                  | aggregation                     | enum          | The aggregation type. Allowed enum values: `count,cardinality,sum,max,new_value,geo_data,event_count,none`                                                                                                                                                                                                                                                                                                       |
| queries                  | customQueryExtension            | string        | Query extension to append to the logs query.                                                                                                                                                                                                                                                                                                                                                                     |
| queries                  | dataSource                      | enum          | Source of events, either logs, audit trail, or Datadog events. `app_sec_spans` is deprecated in favor of `spans`. Allowed enum values: `logs,audit,app_sec_spans,spans,security_runtime,network,events`                                                                                                                                                                                                          |
| queries                  | distinctFields                  | [string]      | Field for which the cardinality is measured. Sent as an array.                                                                                                                                                                                                                                                                                                                                                   |
| queries                  | groupByFields                   | [string]      | Fields to group by.                                                                                                                                                                                                                                                                                                                                                                                              |
| queries                  | hasOptionalGroupByFields        | boolean       | When false, events without a group-by value are ignored by the rule. When true, events with missing group-by fields are processed with `N/A`, replacing the missing values.                                                                                                                                                                                                                                      |
| queries                  | index                           | string        | **This field is currently unstable and might be removed in a minor version upgrade.** The index to run the query on, if the `dataSource` is `logs`. Only used for scheduled rules - in other words, when the `schedulingOptions` field is present in the rule payload.                                                                                                                                           |
| queries                  | indexes                         | [string]      | List of indexes to query when the `dataSource` is `logs`. Only used for scheduled rules, such as when the `schedulingOptions` field is present in the rule payload.                                                                                                                                                                                                                                              |
| queries                  | metric                          | string        | **DEPRECATED**: (Deprecated) The target field to aggregate over when using the sum or max aggregations. `metrics` field should be used instead.                                                                                                                                                                                                                                                                  |
| queries                  | metrics                         | [string]      | Group of target fields to aggregate over when using the sum, max, geo data, or new value aggregations. The sum, max, and geo data aggregations only accept one value in this list, whereas the new value aggregation accepts up to five values.                                                                                                                                                                  |
| queries                  | name                            | string        | Name of the query.                                                                                                                                                                                                                                                                                                                                                                                               |
| queries                  | query                           | string        | Query to run on logs.                                                                                                                                                                                                                                                                                                                                                                                            |
| Option 1                 | referenceTables                 | [object]      | Reference tables for the rule.                                                                                                                                                                                                                                                                                                                                                                                   |
| referenceTables          | checkPresence                   | boolean       | Whether to include or exclude the matched values.                                                                                                                                                                                                                                                                                                                                                                |
| referenceTables          | columnName                      | string        | The name of the column in the reference table.                                                                                                                                                                                                                                                                                                                                                                   |
| referenceTables          | logFieldPath                    | string        | The field in the log to match against the reference table.                                                                                                                                                                                                                                                                                                                                                       |
| referenceTables          | ruleQueryName                   | string        | The name of the query to apply the reference table to.                                                                                                                                                                                                                                                                                                                                                           |
| referenceTables          | tableName                       | string        | The name of the reference table.                                                                                                                                                                                                                                                                                                                                                                                 |
| Option 1                 | schedulingOptions               | object        | Options for scheduled rules. When this field is present, the rule runs based on the schedule. When absent, it runs real-time on ingested logs.                                                                                                                                                                                                                                                                   |
| schedulingOptions        | rrule                           | string        | Schedule for the rule queries, written in RRULE syntax. See [RFC](https://icalendar.org/iCalendar-RFC-5545/3-8-5-3-recurrence-rule.html) for syntax reference.                                                                                                                                                                                                                                                   |
| schedulingOptions        | start                           | string        | Start date for the schedule, in ISO 8601 format without timezone.                                                                                                                                                                                                                                                                                                                                                |
| schedulingOptions        | timezone                        | string        | Time zone of the start date, in the [tz database](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones) format.                                                                                                                                                                                                                                                                                          |
| Option 1                 | tags                            | [string]      | Tags for generated signals.                                                                                                                                                                                                                                                                                                                                                                                      |
| Option 1                 | thirdPartyCases                 | [object]      | Cases for generating signals from third-party rules. Only available for third-party rules.                                                                                                                                                                                                                                                                                                                       |
| thirdPartyCases          | name                            | string        | Name of the case.                                                                                                                                                                                                                                                                                                                                                                                                |
| thirdPartyCases          | notifications                   | [string]      | Notification targets for each case.                                                                                                                                                                                                                                                                                                                                                                              |
| thirdPartyCases          | query                           | string        | A query to map a third party event to this case.                                                                                                                                                                                                                                                                                                                                                                 |
| thirdPartyCases          | status [*required*]        | enum          | Severity of the Security Signal. Allowed enum values: `info,low,medium,high,critical`                                                                                                                                                                                                                                                                                                                            |
| Option 1                 | type                            | enum          | The rule type. Allowed enum values: `log_detection`                                                                                                                                                                                                                                                                                                                                                              |
|                          | ruleQueryPayloads               | [object]      | Data payloads used to test rules query with the expected result.                                                                                                                                                                                                                                                                                                                                                 |
| ruleQueryPayloads        | expectedResult                  | boolean       | Expected result of the test.                                                                                                                                                                                                                                                                                                                                                                                     |
| ruleQueryPayloads        | index                           | int64         | Index of the query under test.                                                                                                                                                                                                                                                                                                                                                                                   |
| ruleQueryPayloads        | payload                         | object        | Payload used to test the rule query.                                                                                                                                                                                                                                                                                                                                                                             |
| payload                  | ddsource                        | string        | Source of the payload.                                                                                                                                                                                                                                                                                                                                                                                           |
| payload                  | ddtags                          | string        | Tags associated with your data.                                                                                                                                                                                                                                                                                                                                                                                  |
| payload                  | hostname                        | string        | The name of the originating host of the log.                                                                                                                                                                                                                                                                                                                                                                     |
| payload                  | message                         | string        | The message of the payload.                                                                                                                                                                                                                                                                                                                                                                                      |
| payload                  | service                         | string        | The name of the application or service generating the data.                                                                                                                                                                                                                                                                                                                                                      |

{% /tab %}

{% tab title="Example" %}

```json
{
  "rule": {
    "cases": [
      {
        "name": "",
        "status": "info",
        "notifications": [],
        "condition": "a > 0"
      }
    ],
    "hasExtendedTitle": true,
    "isEnabled": true,
    "message": "My security monitoring rule message.",
    "name": "My security monitoring rule.",
    "options": {
      "decreaseCriticalityBasedOnEnv": false,
      "detectionMethod": "threshold",
      "evaluationWindow": 0,
      "keepAlive": 0,
      "maxSignalDuration": 0
    },
    "queries": [
      {
        "query": "source:source_here",
        "groupByFields": [
          "@userIdentity.assumed_role"
        ],
        "distinctFields": [],
        "aggregation": "count",
        "name": ""
      }
    ],
    "tags": [
      "env:prod",
      "team:security"
    ],
    "type": "log_detection"
  },
  "ruleQueryPayloads": [
    {
      "expectedResult": true,
      "index": 0,
      "payload": {
        "ddsource": "source_here",
        "ddtags": "env:staging,version:5.1",
        "hostname": "i-012345678",
        "message": "2019-11-19T14:37:58,995 INFO [process.name][20081] Hello World",
        "service": "payment",
        "userIdentity": {
          "assumed_role": "fake assumed_role"
        }
      }
    }
  ]
}
```

{% /tab %}

### Response

{% tab title="200" %}
OK
{% tab title="Model" %}
Result of the test of the rule queries.

| Field   | Type      | Description                                                                                                                                                             |
| ------- | --------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| results | [boolean] | Assert results are returned in the same order as the rule query payloads. For each payload, it returns True if the result matched the expected result, False otherwise. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "results": []
}
```

{% /tab %}

{% /tab %}

{% tab title="400" %}
Bad Request
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="401" %}
Concurrent Modification
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="403" %}
Not Authorized
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="404" %}
Not Found
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="429" %}
Too many requests
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}
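An added example (not Datadog's own code) of using this endpoint as a regression check for a detection rule: it pairs positive and negative sample logs with the rule, then maps the positional `results` array back to each sample. The names `SAMPLES`, `build_test_request`, `interpret_results` and `post_rule_test` are hypothetical, the second sample log is constructed, and the rule body is the request example from this page.

```python
import json
import os
import urllib.request

# Rule under test: the request example from this page.
RULE = {
    "cases": [{"name": "", "status": "info", "notifications": [], "condition": "a > 0"}],
    "hasExtendedTitle": True,
    "isEnabled": True,
    "message": "My security monitoring rule message.",
    "name": "My security monitoring rule.",
    "options": {"decreaseCriticalityBasedOnEnv": False, "detectionMethod": "threshold",
                "evaluationWindow": 0, "keepAlive": 0, "maxSignalDuration": 0},
    "queries": [{"query": "source:source_here", "groupByFields": ["@userIdentity.assumed_role"],
                 "distinctFields": [], "aggregation": "count", "name": ""}],
    "tags": ["env:prod", "team:security"],
    "type": "log_detection",
}

# Each sample: (label, index of the query under test, log payload, should the query match?)
SAMPLES = [
    ("page example: log from the monitored source", 0,
     {"ddsource": "source_here", "ddtags": "env:staging,version:5.1",
      "hostname": "i-012345678", "service": "payment",
      "message": "2019-11-19T14:37:58,995 INFO [process.name][20081] Hello World",
      "userIdentity": {"assumed_role": "fake assumed_role"}}, True),
    # Constructed negative case: a log from a different source must not match.
    ("constructed: log from another source", 0,
     {"ddsource": "other_source", "ddtags": "env:staging", "hostname": "i-012345678",
      "service": "payment", "message": "constructed sample line"}, False),
]


def build_test_request(rule, samples):
    """Build the request body, rejecting samples that point at a query the rule lacks."""
    query_count = len(rule.get("queries", []))
    payloads = []
    for label, index, payload, expected in samples:
        if not 0 <= index < query_count:
            raise ValueError(f"sample {label!r}: index {index} is not a query of this rule")
        payloads.append({"expectedResult": expected, "index": index, "payload": payload})
    return {"rule": rule, "ruleQueryPayloads": payloads}


def interpret_results(samples, response):
    """Map the positional `results` array back to the samples and list the failures.

    results[i] states whether the outcome equalled expectedResult, not whether the
    query matched, so a false entry means the query did the opposite of `expected`.
    """
    results = response.get("results")
    if not isinstance(results, list) or len(results) != len(samples):
        raise ValueError("results does not line up with the submitted payloads")
    failures = []
    for (label, index, _payload, expected), as_expected in zip(samples, results):
        if as_expected is not True:
            failures.append({
                "label": label,
                "index": index,
                "expected": expected,
                "observed": not expected,
                "kind": "missed detection" if expected else "unexpected match",
            })
    return failures


def post_rule_test(body, site="datadoghq.com"):
    """Send the body to the endpoint documented on this page (needs network and keys)."""
    request = urllib.request.Request(
        f"https://api.{site}/api/v2/security_monitoring/rules/test",
        data=json.dumps(body).encode("utf-8"),
        headers={
            "Accept": "application/json",
            "Content-Type": "application/json",
            "DD-API-KEY": os.environ["DD_API_KEY"],
            "DD-APPLICATION-KEY": os.environ["DD_APP_KEY"],
        },
        method="POST",
    )
    with urllib.request.urlopen(request, timeout=30) as response:
        return json.load(response)


if __name__ == "__main__":
    body = build_test_request(RULE, SAMPLES)
    # Constructed response for an offline run; use post_rule_test(body) against a real account.
    constructed_response = {"results": [True, False]}
    for failure in interpret_results(SAMPLES, constructed_response):
        print(f"{failure['kind']}: {failure['label']} (query index {failure['index']})")
```

Run in CI, a non-empty failure list should block the rule change: a missed detection means the query no longer matches a log it is meant to catch, and an unexpected match means it has started matching traffic it was meant to ignore.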

### Code Example

```bash
# Curl command
# Replace api.datadoghq.com with the API host for your Datadog site:
# api.ap1.datadoghq.com, api.ap2.datadoghq.com, api.datadoghq.eu, api.ddog-gov.com,
# api.us3.datadoghq.com, or api.us5.datadoghq.com.
curl -X POST "https://api.datadoghq.com/api/v2/security_monitoring/rules/test" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "rule": {
    "cases": [
      {
        "name": "",
        "status": "info",
        "notifications": [],
        "condition": "a > 0"
      }
    ],
    "hasExtendedTitle": true,
    "isEnabled": true,
    "message": "My security monitoring rule message.",
    "name": "My security monitoring rule.",
    "options": {
      "decreaseCriticalityBasedOnEnv": false,
      "detectionMethod": "threshold",
      "evaluationWindow": 0,
      "keepAlive": 0,
      "maxSignalDuration": 0
    },
    "queries": [
      {
        "query": "source:source_here",
        "groupByFields": [
          "@userIdentity.assumed_role"
        ],
        "distinctFields": [],
        "aggregation": "count",
        "name": ""
      }
    ],
    "tags": [
      "env:prod",
      "team:security"
    ],
    "type": "log_detection"
  },
  "ruleQueryPayloads": [
    {
      "expectedResult": true,
      "index": 0,
      "payload": {
        "ddsource": "source_here",
        "ddtags": "env:staging,version:5.1",
        "hostname": "i-012345678",
        "message": "2019-11-19T14:37:58,995 INFO [process.name][20081] Hello World",
        "service": "payment",
        "userIdentity": {
          "assumed_role": "fake assumed_role"
        }
      }
    }
  ]
}
EOF
```

```go
// Test a rule returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	body := datadogV2.SecurityMonitoringRuleTestRequest{
		Rule: &datadogV2.SecurityMonitoringRuleTestPayload{
			SecurityMonitoringStandardRuleTestPayload: &datadogV2.SecurityMonitoringStandardRuleTestPayload{
				Cases: []datadogV2.SecurityMonitoringRuleCaseCreate{
					{
						Name:          datadog.PtrString(""),
						Status:        datadogV2.SECURITYMONITORINGRULESEVERITY_INFO,
						Notifications: []string{},
						Condition:     datadog.PtrString("a > 0"),
					},
				},
				HasExtendedTitle: datadog.PtrBool(true),
				IsEnabled:        true,
				Message:          "My security monitoring rule message.",
				Name:             "My security monitoring rule.",
				Options: datadogV2.SecurityMonitoringRuleOptions{
					DecreaseCriticalityBasedOnEnv: datadog.PtrBool(false),
					DetectionMethod:               datadogV2.SECURITYMONITORINGRULEDETECTIONMETHOD_THRESHOLD.Ptr(),
					EvaluationWindow:              datadogV2.SECURITYMONITORINGRULEEVALUATIONWINDOW_ZERO_MINUTES.Ptr(),
					KeepAlive:                     datadogV2.SECURITYMONITORINGRULEKEEPALIVE_ZERO_MINUTES.Ptr(),
					MaxSignalDuration:             datadogV2.SECURITYMONITORINGRULEMAXSIGNALDURATION_ZERO_MINUTES.Ptr(),
				},
				Queries: []datadogV2.SecurityMonitoringStandardRuleQuery{
					{
						Query: datadog.PtrString("source:source_here"),
						GroupByFields: []string{
							"@userIdentity.assumed_role",
						},
						DistinctFields: []string{},
						Aggregation:    datadogV2.SECURITYMONITORINGRULEQUERYAGGREGATION_COUNT.Ptr(),
						Name:           datadog.PtrString(""),
					},
				},
				Tags: []string{
					"env:prod",
					"team:security",
				},
				Type: datadogV2.SECURITYMONITORINGRULETYPETEST_LOG_DETECTION.Ptr(),
			}},
		RuleQueryPayloads: []datadogV2.SecurityMonitoringRuleQueryPayload{
			{
				ExpectedResult: datadog.PtrBool(true),
				Index:          datadog.PtrInt64(0),
				Payload: &datadogV2.SecurityMonitoringRuleQueryPayloadData{
					Ddsource: datadog.PtrString("source_here"),
					Ddtags:   datadog.PtrString("env:staging,version:5.1"),
					Hostname: datadog.PtrString("i-012345678"),
					Message:  datadog.PtrString("2019-11-19T14:37:58,995 INFO [process.name][20081] Hello World"),
					Service:  datadog.PtrString("payment"),
				},
			},
		},
	}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.TestSecurityMonitoringRule(ctx, body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.TestSecurityMonitoringRule`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.TestSecurityMonitoringRule`:\n%s\n", responseContent)
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=go), then save the example to `main.go` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
```

```java
// Test a rule returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleCaseCreate;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleDetectionMethod;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleEvaluationWindow;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleKeepAlive;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleMaxSignalDuration;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleOptions;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleQueryAggregation;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleQueryPayload;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleQueryPayloadData;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleSeverity;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleTestPayload;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleTestRequest;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleTestResponse;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleTypeTest;
import com.datadog.api.client.v2.model.SecurityMonitoringStandardRuleQuery;
import com.datadog.api.client.v2.model.SecurityMonitoringStandardRuleTestPayload;
import java.util.Arrays;
import java.util.Collections;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    SecurityMonitoringRuleTestRequest body =
        new SecurityMonitoringRuleTestRequest()
            .rule(
                new SecurityMonitoringRuleTestPayload(
                    new SecurityMonitoringStandardRuleTestPayload()
                        .cases(
                            Collections.singletonList(
                                new SecurityMonitoringRuleCaseCreate()
                                    .name("")
                                    .status(SecurityMonitoringRuleSeverity.INFO)
                                    .condition("a > 0")))
                        .hasExtendedTitle(true)
                        .isEnabled(true)
                        .message("My security monitoring rule message.")
                        .name("My security monitoring rule.")
                        .options(
                            new SecurityMonitoringRuleOptions()
                                .decreaseCriticalityBasedOnEnv(false)
                                .detectionMethod(SecurityMonitoringRuleDetectionMethod.THRESHOLD)
                                .evaluationWindow(
                                    SecurityMonitoringRuleEvaluationWindow.ZERO_MINUTES)
                                .keepAlive(SecurityMonitoringRuleKeepAlive.ZERO_MINUTES)
                                .maxSignalDuration(
                                    SecurityMonitoringRuleMaxSignalDuration.ZERO_MINUTES))
                        .queries(
                            Collections.singletonList(
                                new SecurityMonitoringStandardRuleQuery()
                                    .query("source:source_here")
                                    .groupByFields(
                                        Collections.singletonList("@userIdentity.assumed_role"))
                                    .aggregation(SecurityMonitoringRuleQueryAggregation.COUNT)
                                    .name("")))
                        .tags(Arrays.asList("env:prod", "team:security"))
                        .type(SecurityMonitoringRuleTypeTest.LOG_DETECTION)))
            .ruleQueryPayloads(
                Collections.singletonList(
                    new SecurityMonitoringRuleQueryPayload()
                        .expectedResult(true)
                        .index(0L)
                        .payload(
                            new SecurityMonitoringRuleQueryPayloadData()
                                .ddsource("source_here")
                                .ddtags("env:staging,version:5.1")
                                .hostname("i-012345678")
                                .message(
                                    "2019-11-19T14:37:58,995 INFO [process.name][20081] Hello"
                                        + " World")
                                .service("payment"))));

    try {
      SecurityMonitoringRuleTestResponse result = apiInstance.testSecurityMonitoringRule(body);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println("Exception when calling SecurityMonitoringApi#testSecurityMonitoringRule");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=java), then save the example to `Example.java` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"
```

```python
"""
Test a rule returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.security_monitoring_rule_case_create import SecurityMonitoringRuleCaseCreate
from datadog_api_client.v2.model.security_monitoring_rule_detection_method import SecurityMonitoringRuleDetectionMethod
from datadog_api_client.v2.model.security_monitoring_rule_evaluation_window import (
    SecurityMonitoringRuleEvaluationWindow,
)
from datadog_api_client.v2.model.security_monitoring_rule_keep_alive import SecurityMonitoringRuleKeepAlive
from datadog_api_client.v2.model.security_monitoring_rule_max_signal_duration import (
    SecurityMonitoringRuleMaxSignalDuration,
)
from datadog_api_client.v2.model.security_monitoring_rule_options import SecurityMonitoringRuleOptions
from datadog_api_client.v2.model.security_monitoring_rule_query_aggregation import (
    SecurityMonitoringRuleQueryAggregation,
)
from datadog_api_client.v2.model.security_monitoring_rule_query_payload import SecurityMonitoringRuleQueryPayload
from datadog_api_client.v2.model.security_monitoring_rule_query_payload_data import (
    SecurityMonitoringRuleQueryPayloadData,
)
from datadog_api_client.v2.model.security_monitoring_rule_severity import SecurityMonitoringRuleSeverity
from datadog_api_client.v2.model.security_monitoring_rule_test_request import SecurityMonitoringRuleTestRequest
from datadog_api_client.v2.model.security_monitoring_rule_type_test import SecurityMonitoringRuleTypeTest
from datadog_api_client.v2.model.security_monitoring_standard_rule_query import SecurityMonitoringStandardRuleQuery
from datadog_api_client.v2.model.security_monitoring_standard_rule_test_payload import (
    SecurityMonitoringStandardRuleTestPayload,
)

body = SecurityMonitoringRuleTestRequest(
    rule=SecurityMonitoringStandardRuleTestPayload(
        cases=[
            SecurityMonitoringRuleCaseCreate(
                name="",
                status=SecurityMonitoringRuleSeverity.INFO,
                notifications=[],
                condition="a > 0",
            ),
        ],
        has_extended_title=True,
        is_enabled=True,
        message="My security monitoring rule message.",
        name="My security monitoring rule.",
        options=SecurityMonitoringRuleOptions(
            decrease_criticality_based_on_env=False,
            detection_method=SecurityMonitoringRuleDetectionMethod.THRESHOLD,
            evaluation_window=SecurityMonitoringRuleEvaluationWindow.ZERO_MINUTES,
            keep_alive=SecurityMonitoringRuleKeepAlive.ZERO_MINUTES,
            max_signal_duration=SecurityMonitoringRuleMaxSignalDuration.ZERO_MINUTES,
        ),
        queries=[
            SecurityMonitoringStandardRuleQuery(
                query="source:source_here",
                group_by_fields=[
                    "@userIdentity.assumed_role",
                ],
                distinct_fields=[],
                aggregation=SecurityMonitoringRuleQueryAggregation.COUNT,
                name="",
            ),
        ],
        tags=[
            "env:prod",
            "team:security",
        ],
        type=SecurityMonitoringRuleTypeTest.LOG_DETECTION,
    ),
    rule_query_payloads=[
        SecurityMonitoringRuleQueryPayload(
            expected_result=True,
            index=0,
            payload=SecurityMonitoringRuleQueryPayloadData(
                ddsource="source_here",
                ddtags="env:staging,version:5.1",
                hostname="i-012345678",
                message="2019-11-19T14:37:58,995 INFO [process.name][20081] Hello World",
                service="payment",
                user_identity=dict([("assumed_role", "fake assumed_role")]),
            ),
        ),
    ],
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.test_security_monitoring_rule(body=body)

    print(response)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=python), then save the example to `example.py` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
```

```ruby
# Test a rule returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

body = DatadogAPIClient::V2::SecurityMonitoringRuleTestRequest.new({
  rule: DatadogAPIClient::V2::SecurityMonitoringStandardRuleTestPayload.new({
    cases: [
      DatadogAPIClient::V2::SecurityMonitoringRuleCaseCreate.new({
        name: "",
        status: DatadogAPIClient::V2::SecurityMonitoringRuleSeverity::INFO,
        notifications: [],
        condition: "a > 0",
      }),
    ],
    has_extended_title: true,
    is_enabled: true,
    message: "My security monitoring rule message.",
    name: "My security monitoring rule.",
    options: DatadogAPIClient::V2::SecurityMonitoringRuleOptions.new({
      decrease_criticality_based_on_env: false,
      detection_method: DatadogAPIClient::V2::SecurityMonitoringRuleDetectionMethod::THRESHOLD,
      evaluation_window: DatadogAPIClient::V2::SecurityMonitoringRuleEvaluationWindow::ZERO_MINUTES,
      keep_alive: DatadogAPIClient::V2::SecurityMonitoringRuleKeepAlive::ZERO_MINUTES,
      max_signal_duration: DatadogAPIClient::V2::SecurityMonitoringRuleMaxSignalDuration::ZERO_MINUTES,
    }),
    queries: [
      DatadogAPIClient::V2::SecurityMonitoringStandardRuleQuery.new({
        query: "source:source_here",
        group_by_fields: [
          "@userIdentity.assumed_role",
        ],
        distinct_fields: [],
        aggregation: DatadogAPIClient::V2::SecurityMonitoringRuleQueryAggregation::COUNT,
        name: "",
      }),
    ],
    tags: [
      "env:prod",
      "team:security",
    ],
    type: DatadogAPIClient::V2::SecurityMonitoringRuleTypeTest::LOG_DETECTION,
  }),
  rule_query_payloads: [
    DatadogAPIClient::V2::SecurityMonitoringRuleQueryPayload.new({
      expected_result: true,
      index: 0,
      payload: DatadogAPIClient::V2::SecurityMonitoringRuleQueryPayloadData.new({
        ddsource: "source_here",
        ddtags: "env:staging,version:5.1",
        hostname: "i-012345678",
        message: "2019-11-19T14:37:58,995 INFO [process.name][20081] Hello World",
        service: "payment",
      }),
    }),
  ],
})
p api_instance.test_security_monitoring_rule(body)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=ruby), then save the example to `example.rb` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" ruby "example.rb"

```rust
// Test a rule returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleCaseCreate;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleDetectionMethod;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleEvaluationWindow;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleKeepAlive;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleMaxSignalDuration;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleOptions;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleQueryAggregation;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleQueryPayload;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleQueryPayloadData;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleSeverity;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleTestPayload;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleTestRequest;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleTypeTest;
use datadog_api_client::datadogV2::model::SecurityMonitoringStandardRuleQuery;
use datadog_api_client::datadogV2::model::SecurityMonitoringStandardRuleTestPayload;

#[tokio::main]
async fn main() {
    let body = SecurityMonitoringRuleTestRequest::new()
        .rule(
            SecurityMonitoringRuleTestPayload::SecurityMonitoringStandardRuleTestPayload(Box::new(
                SecurityMonitoringStandardRuleTestPayload::new(
                    vec![SecurityMonitoringRuleCaseCreate::new(
                        SecurityMonitoringRuleSeverity::INFO,
                    )
                    .condition("a > 0".to_string())
                    .name("".to_string())
                    .notifications(vec![])],
                    true,
                    "My security monitoring rule message.".to_string(),
                    "My security monitoring rule.".to_string(),
                    SecurityMonitoringRuleOptions::new()
                        .decrease_criticality_based_on_env(false)
                        .detection_method(SecurityMonitoringRuleDetectionMethod::THRESHOLD)
                        .evaluation_window(SecurityMonitoringRuleEvaluationWindow::ZERO_MINUTES)
                        .keep_alive(SecurityMonitoringRuleKeepAlive::ZERO_MINUTES)
                        .max_signal_duration(SecurityMonitoringRuleMaxSignalDuration::ZERO_MINUTES),
                    vec![SecurityMonitoringStandardRuleQuery::new()
                        .aggregation(SecurityMonitoringRuleQueryAggregation::COUNT)
                        .distinct_fields(vec![])
                        .group_by_fields(vec!["@userIdentity.assumed_role".to_string()])
                        .name("".to_string())
                        .query("source:source_here".to_string())],
                )
                .has_extended_title(true)
                .tags(vec!["env:prod".to_string(), "team:security".to_string()])
                .type_(SecurityMonitoringRuleTypeTest::LOG_DETECTION),
            )),
        )
        .rule_query_payloads(vec![SecurityMonitoringRuleQueryPayload::new()
            .expected_result(true)
            .index(0)
            .payload(
                SecurityMonitoringRuleQueryPayloadData::new()
                    .ddsource("source_here".to_string())
                    .ddtags("env:staging,version:5.1".to_string())
                    .hostname("i-012345678".to_string())
                    .message(
                        "2019-11-19T14:37:58,995 INFO [process.name][20081] Hello World"
                            .to_string(),
                    )
                    .service("payment".to_string()),
            )]);
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api.test_security_monitoring_rule(body).await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=rust), then save the example to `src/main.rs` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run

```typescript
/**
 * Test a rule returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiTestSecurityMonitoringRuleRequest = {
  body: {
    rule: {
      cases: [
        {
          name: "",
          status: "info",
          notifications: [],
          condition: "a > 0",
        },
      ],
      hasExtendedTitle: true,
      isEnabled: true,
      message: "My security monitoring rule message.",
      name: "My security monitoring rule.",
      options: {
        decreaseCriticalityBasedOnEnv: false,
        detectionMethod: "threshold",
        evaluationWindow: 0,
        keepAlive: 0,
        maxSignalDuration: 0,
      },
      queries: [
        {
          query: "source:source_here",
          groupByFields: ["@userIdentity.assumed_role"],
          distinctFields: [],
          aggregation: "count",
          name: "",
        },
      ],
      tags: ["env:prod", "team:security"],
      type: "log_detection",
    },
    ruleQueryPayloads: [
      {
        expectedResult: true,
        index: 0,
        payload: {
          ddsource: "source_here",
          ddtags: "env:staging,version:5.1",
          hostname: "i-012345678",
          message:
            "2019-11-19T14:37:58,995 INFO [process.name][20081] Hello World",
          service: "payment",
        },
      },
    ],
  },
};

apiInstance
  .testSecurityMonitoringRule(params)
  .then((data: v2.SecurityMonitoringRuleTestResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=typescript), then save the example to `example.ts` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"
{% /tab %}

## Validate a detection rule{% #validate-a-detection-rule %}

{% tab title="v2" %}

| Datadog site      | API endpoint                                                                   |
| ----------------- | ------------------------------------------------------------------------------ |
| ap1.datadoghq.com | POST https://api.ap1.datadoghq.com/api/v2/security_monitoring/rules/validation |
| ap2.datadoghq.com | POST https://api.ap2.datadoghq.com/api/v2/security_monitoring/rules/validation |
| app.datadoghq.eu  | POST https://api.datadoghq.eu/api/v2/security_monitoring/rules/validation      |
| app.ddog-gov.com  | POST https://api.ddog-gov.com/api/v2/security_monitoring/rules/validation      |
| app.datadoghq.com | POST https://api.datadoghq.com/api/v2/security_monitoring/rules/validation     |
| us3.datadoghq.com | POST https://api.us3.datadoghq.com/api/v2/security_monitoring/rules/validation |
| us5.datadoghq.com | POST https://api.us5.datadoghq.com/api/v2/security_monitoring/rules/validation |

### Overview

Validate a detection rule. This endpoint requires the `security_monitoring_rules_write` permission.

OAuth apps require the `security_monitoring_rules_write` authorization [scope](https://docs.datadoghq.com/api/latest/scopes/#security-monitoring) to access this endpoint.
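
A local pre-flight check that can run in CI before a rule payload is sent to this endpoint, covering some of the constraints documented in this endpoint's request model, plus the severity a signal ends up with under `decreaseCriticalityBasedOnEnv`. This is an added example, not Datadog client code: `lint_rule`, `effective_severity`, and the broken sample payload are hypothetical, and the endpoint's own validation remains authoritative.

```python
"""Local pre-flight lint for a detection rule payload (added example)."""

# Allowed values copied from the request model of this endpoint.
SEVERITIES = ("info", "low", "medium", "high", "critical")  # ascending order
WINDOWS = (0, 60, 300, 600, 900, 1800, 3600, 7200, 10800, 21600)
DETECTION_METHODS = (
    "threshold", "new_value", "anomaly_detection", "impossible_travel",
    "hardcoded", "third_party", "anomaly_threshold", "sequence_detection",
)
ACTION_TYPES = ("block_ip", "block_user", "user_behavior", "flag_ip")
REQUIRED = ("cases", "isEnabled", "message", "name", "options")
NON_PROD_PREFIXES = ("staging", "test", "dev")


def lint_rule(rule):
    """Return a list of problems found in `rule`; an empty list means none."""
    problems = []
    for field in REQUIRED:
        if field not in rule:
            problems.append(f"missing required field: {field}")
    # calculatedFields is only allowed for scheduled rules.
    if rule.get("calculatedFields") and "schedulingOptions" not in rule:
        problems.append("calculatedFields requires schedulingOptions")
    for i, case in enumerate(rule.get("cases", [])):
        if case.get("status") not in SEVERITIES:
            problems.append(f"cases[{i}].status is not an allowed severity")
        for action in case.get("actions", []):
            if action.get("type") not in ACTION_TYPES:
                problems.append(f"cases[{i}] has an unknown action type")
    options = rule.get("options", {})
    for key in ("evaluationWindow", "keepAlive", "maxSignalDuration"):
        value = options.get(key)
        # type() check rejects booleans, which Python would treat as 0 or 1.
        if key in options and not (type(value) is int and value in WINDOWS):
            problems.append(f"options.{key} is not an allowed value")
    method = options.get("detectionMethod")
    if method is not None and method not in DETECTION_METHODS:
        problems.append("options.detectionMethod is not an allowed value")
    compliance = options.get("complianceRuleOptions")
    if compliance is not None:
        types = compliance.get("regoRule", {}).get("resourceTypes", [])
        if not types:
            problems.append("regoRule.resourceTypes needs at least one element")
        if len(types) > 1 and compliance.get("complexRule") is not True:
            problems.append("complexRule must be true for multiple resourceTypes")
        main_type = compliance.get("resourceType")
        if main_type is not None and main_type not in types:
            problems.append("resourceType is not repeated in regoRule.resourceTypes")
    return problems


def effective_severity(case_status, env, decrease):
    """Severity a signal carries once decreaseCriticalityBasedOnEnv is applied.

    Assumption: `env` is the value of the signal's environment tag.
    Raises ValueError if `case_status` is not an allowed severity.
    """
    level = SEVERITIES.index(case_status.lower())
    if decrease and env.startswith(NON_PROD_PREFIXES):
        level = max(level - 1, 0)  # one level down; info stays info
    return SEVERITIES[level]


# The rule used in the client examples on this page.
GOOD_RULE = {
    "cases": [{"name": "", "status": "info", "notifications": [],
               "condition": "a > 0"}],
    "hasExtendedTitle": True,
    "isEnabled": True,
    "message": "My security monitoring rule message.",
    "name": "My security monitoring rule.",
    "options": {"decreaseCriticalityBasedOnEnv": False,
                "detectionMethod": "threshold", "evaluationWindow": 0,
                "keepAlive": 0, "maxSignalDuration": 0},
    "queries": [{"query": "source:source_here", "aggregation": "count",
                 "groupByFields": ["@userIdentity.assumed_role"],
                 "distinctFields": [], "name": ""}],
    "tags": ["env:prod", "team:security"],
    "type": "log_detection",
}

# Constructed broken payload; the resource type names are made up.
BAD_RULE = {
    "name": "constructed broken rule",
    "isEnabled": True,
    "cases": [{"status": "severe", "actions": [{"type": "quarantine"}]}],
    "calculatedFields": [{"name": "f", "expression": "1"}],
    "options": {
        "evaluationWindow": 120,
        "detectionMethod": "threshold",
        "complianceRuleOptions": {
            "resourceType": "example_bucket",
            "regoRule": {"policy": "package datadog",
                         "resourceTypes": ["example_user", "example_host"]},
        },
    },
}

if __name__ == "__main__":
    for label, rule in (("good", GOOD_RULE), ("bad", BAD_RULE)):
        print(label, lint_rule(rule))
    print(effective_severity("critical", "staging-eu", True))
```

When reviewing rules with `decreaseCriticalityBasedOnEnv` enabled, note that the match is by prefix: any environment value beginning with `dev`, `test`, or `staging` lowers the signal severity by one level.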



### Request

#### Body Data (required)



{% tab title="Model" %}

| Parent field             | Field                                     | Type     | Description                                                                                                                                                                                                                                                                                                                                                                                                      |
| ------------------------ | ----------------------------------------- | -------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|                          | Option 1                                  | object   | The payload of a rule.                                                                                                                                                                                                                                                                                                                                                                                           |
| Option 1                 | calculatedFields                          | [object] | Calculated fields. Only allowed for scheduled rules - in other words, when schedulingOptions is also defined.                                                                                                                                                                                                                                                                                                    |
| calculatedFields         | expression [*required*]              | string   | Expression.                                                                                                                                                                                                                                                                                                                                                                                                      |
| calculatedFields         | name [*required*]                    | string   | Field name.                                                                                                                                                                                                                                                                                                                                                                                                      |
| Option 1                 | cases [*required*]                   | [object] | Cases for generating signals.                                                                                                                                                                                                                                                                                                                                                                                    |
| cases                    | actions                                   | [object] | Action to perform for each rule case.                                                                                                                                                                                                                                                                                                                                                                            |
| actions                  | options                                   | object   | Options for the rule action                                                                                                                                                                                                                                                                                                                                                                                      |
| options                  | duration                                  | int64    | Duration of the action in seconds. 0 indicates no expiration.                                                                                                                                                                                                                                                                                                                                                    |
| options                  | flaggedIPType                             | enum     | Used with the case action of type 'flag_ip'. The value specified in this field is applied as a flag to the IP addresses. Allowed enum values: `SUSPICIOUS,FLAGGED`                                                                                                                                                                                                                                               |
| options                  | userBehaviorName                          | string   | Used with the case action of type 'user_behavior'. The value specified in this field is applied as a risk tag to all users affected by the rule.                                                                                                                                                                                                                                                                 |
| actions                  | type                                      | enum     | The action type. Allowed enum values: `block_ip,block_user,user_behavior,flag_ip`                                                                                                                                                                                                                                                                                                                                |
| cases                    | condition                                 | string   | A case contains logical operations (`>`,`>=`, `&&`, `||`) to determine if a signal should be generated based on the event counts in the previously defined queries.                                                                                                                                                                                                                                              |
| cases                    | name                                      | string   | Name of the case.                                                                                                                                                                                                                                                                                                                                                                                                |
| cases                    | notifications                             | [string] | Notification targets.                                                                                                                                                                                                                                                                                                                                                                                            |
| cases                    | status [*required*]                  | enum     | Severity of the Security Signal. Allowed enum values: `info,low,medium,high,critical`                                                                                                                                                                                                                                                                                                                            |
| Option 1                 | customMessage                             | string   | Custom/Overridden message for generated signals (used in case of Default rule update).                                                                                                                                                                                                                                                                                                                           |
| Option 1                 | customName                                | string   | Custom/Overridden name of the rule (used in case of Default rule update).                                                                                                                                                                                                                                                                                                                                        |
| Option 1                 | filters                                   | [object] | Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules.                                                                                                                                                                                                                                              |
| filters                  | action                                    | enum     | The type of filtering action. Allowed enum values: `require,suppress`                                                                                                                                                                                                                                                                                                                                            |
| filters                  | query                                     | string   | Query for selecting logs to apply the filtering action.                                                                                                                                                                                                                                                                                                                                                          |
| Option 1                 | groupSignalsBy                            | [string] | Additional grouping to perform on top of the existing groups in the query section. Must be a subset of the existing groups.                                                                                                                                                                                                                                                                                      |
| Option 1                 | hasExtendedTitle                          | boolean  | Whether the notifications include the triggering group-by values in their title.                                                                                                                                                                                                                                                                                                                                 |
| Option 1                 | isEnabled [*required*]               | boolean  | Whether the rule is enabled.                                                                                                                                                                                                                                                                                                                                                                                     |
| Option 1                 | message [*required*]                 | string   | Message for generated signals.                                                                                                                                                                                                                                                                                                                                                                                   |
| Option 1                 | name [*required*]                    | string   | The name of the rule.                                                                                                                                                                                                                                                                                                                                                                                            |
| Option 1                 | options [*required*]                 | object   | Options.                                                                                                                                                                                                                                                                                                                                                                                                         |
| options                  | anomalyDetectionOptions                   | object   | Options on anomaly detection method.                                                                                                                                                                                                                                                                                                                                                                             |
| anomalyDetectionOptions  | bucketDuration                            | enum     | Duration in seconds of the time buckets used to aggregate events matched by the rule. Must be greater than or equal to 300. Allowed enum values: `300,600,900,1800,3600,10800`                                                                                                                                                                                                                                   |
| anomalyDetectionOptions  | detectionTolerance                        | enum     | An optional parameter that sets how permissive anomaly detection is. Higher values require higher deviations before triggering a signal. Allowed enum values: `1,2,3,4,5`                                                                                                                                                                                                                                        |
| anomalyDetectionOptions  | instantaneousBaseline                     | boolean  | When set to true, Datadog uses previous values that fall within the defined learning window to construct the baseline, enabling the system to establish an accurate baseline more rapidly rather than relying solely on gradual learning over time.                                                                                                                                                              |
| anomalyDetectionOptions  | learningDuration                          | enum     | Learning duration in hours. Anomaly detection waits for at least this amount of historical data before it starts evaluating. Allowed enum values: `1,6,12,24,48,168,336`                                                                                                                                                                                                                                         |
| anomalyDetectionOptions  | learningPeriodBaseline                    | int64    | An optional override baseline to apply while the rule is in the learning period. Must be greater than or equal to 0.                                                                                                                                                                                                                                                                                             |
| options                  | complianceRuleOptions                     | object   | Options for cloud_configuration rules. Fields `resourceType` and `regoRule` are mandatory when managing custom `cloud_configuration` rules.                                                                                                                                                                                                                                                                      |
| complianceRuleOptions    | complexRule                               | boolean  | Whether the rule is a complex one. Must be set to true if `regoRule.resourceTypes` contains more than one item. Defaults to false.                                                                                                                                                                                                                                                                               |
| complianceRuleOptions    | regoRule                                  | object   | Rule details.                                                                                                                                                                                                                                                                                                                                                                                                    |
| regoRule                 | policy [*required*]                  | string   | The policy written in `rego`, see: [https://www.openpolicyagent.org/docs/latest/policy-language/](https://www.openpolicyagent.org/docs/latest/policy-language/)                                                                                                                                                                                                                                                  |
| regoRule                 | resourceTypes [*required*]           | [string] | List of resource types that will be evaluated upon. Must have at least one element.                                                                                                                                                                                                                                                                                                                              |
| complianceRuleOptions    | resourceType                              | string   | Main resource type to be checked by the rule. It should be specified again in `regoRule.resourceTypes`.                                                                                                                                                                                                                                                                                                          |
| options                  | decreaseCriticalityBasedOnEnv             | boolean  | If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise. The severity is decreased by one level: `CRITICAL` in production becomes `HIGH` in non-production, `HIGH` becomes `MEDIUM` and so on. `INFO` remains `INFO`. The decrement is applied when the environment tag of the signal starts with `staging`, `test` or `dev`. |
| options                  | detectionMethod                           | enum     | The detection method. Allowed enum values: `threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold,sequence_detection`                                                                                                                                                                                                                                                  |
| options                  | evaluationWindow                          | enum     | A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600`                                                                                                                                               |
| options                  | hardcodedEvaluatorType                    | enum     | Hardcoded evaluator type. Allowed enum values: `log4shell`                                                                                                                                                                                                                                                                                                                                                       |
| options                  | impossibleTravelOptions                   | object   | Options on impossible travel detection method.                                                                                                                                                                                                                                                                                                                                                                   |
| impossibleTravelOptions  | baselineUserLocations                     | boolean  | If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.                                                                                                                                                                                                    |
| options                  | keepAlive                                 | enum     | Once a signal is generated, the signal will remain "open" if a case is matched at least once within this keep alive window. For third party detection method, this field is not used. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600`                                                                                                                                                         |
| options                  | maxSignalDuration                         | enum     | A signal will "close" regardless of the query being matched once the time exceeds the maximum duration. This time is calculated from the first seen timestamp. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600`                                                                                                                                                                                |
| options                  | newValueOptions                           | object   | Options on new value detection method.                                                                                                                                                                                                                                                                                                                                                                           |
| newValueOptions          | forgetAfter                               | enum     | The duration in days after which a learned value is forgotten. Allowed enum values: `1,2,7,14,21,28`                                                                                                                                                                                                                                                                                                             |
| newValueOptions          | instantaneousBaseline                     | boolean  | When set to true, Datadog uses previous values that fall within the defined learning window to construct the baseline, enabling the system to establish an accurate baseline more rapidly rather than relying solely on gradual learning over time.                                                                                                                                                              |
| newValueOptions          | learningDuration                          | enum     | The duration in days during which values are learned, and after which signals will be generated for values that weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned. Allowed enum values: `0,1,7`                                                                                                                                                       |
| newValueOptions          | learningMethod                            | enum     | The learning method used to determine when signals should be generated for values that weren't learned. Allowed enum values: `duration,threshold`                                                                                                                                                                                                                                                                |
| newValueOptions          | learningThreshold                         | enum     | A number of occurrences after which signals will be generated for values that weren't learned. Allowed enum values: `0,1`                                                                                                                                                                                                                                                                                        |
| options                  | sequenceDetectionOptions                  | object   | Options on sequence detection method.                                                                                                                                                                                                                                                                                                                                                                            |
| sequenceDetectionOptions | stepTransitions                           | [object] | Transitions defining the allowed order of steps and their evaluation windows.                                                                                                                                                                                                                                                                                                                                    |
| stepTransitions          | child                                     | string   | Name of the child step.                                                                                                                                                                                                                                                                                                                                                                                          |
| stepTransitions          | evaluationWindow                          | enum     | A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600`                                                                                                                                               |
| stepTransitions          | parent                                    | string   | Name of the parent step.                                                                                                                                                                                                                                                                                                                                                                                         |
| sequenceDetectionOptions | steps                                     | [object] | Steps that define the conditions to be matched in sequence.                                                                                                                                                                                                                                                                                                                                                      |
| steps                    | condition                                 | string   | Condition referencing rule queries (e.g., `a > 0`).                                                                                                                                                                                                                                                                                                                                                              |
| steps                    | evaluationWindow                          | enum     | A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600`                                                                                                                                               |
| steps                    | name                                      | string   | Unique name identifying the step.                                                                                                                                                                                                                                                                                                                                                                                |
| options                  | thirdPartyRuleOptions                     | object   | Options on third party detection method.                                                                                                                                                                                                                                                                                                                                                                         |
| thirdPartyRuleOptions    | defaultNotifications                      | [string] | Notification targets for the logs that do not correspond to any of the cases.                                                                                                                                                                                                                                                                                                                                    |
| thirdPartyRuleOptions    | defaultStatus                             | enum     | Severity of the Security Signal. Allowed enum values: `info,low,medium,high,critical`                                                                                                                                                                                                                                                                                                                            |
| thirdPartyRuleOptions    | rootQueries                               | [object] | Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.                                                                                                                                                                                                                                                      |
| rootQueries              | groupByFields                             | [string] | Fields to group by.                                                                                                                                                                                                                                                                                                                                                                                              |
| rootQueries              | query                                     | string   | Query to run on logs.                                                                                                                                                                                                                                                                                                                                                                                            |
| thirdPartyRuleOptions    | signalTitleTemplate                       | string   | A template for the signal title; if omitted, the title is generated based on the case name.                                                                                                                                                                                                                                                                                                                      |
| Option 1                 | queries [*required*]                 | [object] | Queries for selecting logs which are part of the rule.                                                                                                                                                                                                                                                                                                                                                           |
| queries                  | aggregation                               | enum     | The aggregation type. Allowed enum values: `count,cardinality,sum,max,new_value,geo_data,event_count,none`                                                                                                                                                                                                                                                                                                       |
| queries                  | customQueryExtension                      | string   | Query extension to append to the logs query.                                                                                                                                                                                                                                                                                                                                                                     |
| queries                  | dataSource                                | enum     | Source of events, either logs, audit trail, or Datadog events. `app_sec_spans` is deprecated in favor of `spans`. Allowed enum values: `logs,audit,app_sec_spans,spans,security_runtime,network,events`                                                                                                                                                                                                          |
| queries                  | distinctFields                            | [string] | Field for which the cardinality is measured. Sent as an array.                                                                                                                                                                                                                                                                                                                                                   |
| queries                  | groupByFields                             | [string] | Fields to group by.                                                                                                                                                                                                                                                                                                                                                                                              |
| queries                  | hasOptionalGroupByFields                  | boolean  | When false, events without a group-by value are ignored by the rule. When true, events with missing group-by fields are processed with `N/A`, replacing the missing values.                                                                                                                                                                                                                                      |
| queries                  | index                                     | string   | **This field is currently unstable and might be removed in a minor version upgrade.** The index to run the query on, if the `dataSource` is `logs`. Only used for scheduled rules - in other words, when the `schedulingOptions` field is present in the rule payload.                                                                                                                                           |
| queries                  | indexes                                   | [string] | List of indexes to query when the `dataSource` is `logs`. Only used for scheduled rules, such as when the `schedulingOptions` field is present in the rule payload.                                                                                                                                                                                                                                              |
| queries                  | metric                                    | string   | **DEPRECATED**: The target field to aggregate over when using the sum or max aggregations. Use the `metrics` field instead. |
| queries                  | metrics                                   | [string] | Group of target fields to aggregate over when using the sum, max, geo data, or new value aggregations. The sum, max, and geo data aggregations only accept one value in this list, whereas the new value aggregation accepts up to five values.                                                                                                                                                                  |
| queries                  | name                                      | string   | Name of the query.                                                                                                                                                                                                                                                                                                                                                                                               |
| queries                  | query                                     | string   | Query to run on logs.                                                                                                                                                                                                                                                                                                                                                                                            |
| Option 1                 | referenceTables                           | [object] | Reference tables for the rule.                                                                                                                                                                                                                                                                                                                                                                                   |
| referenceTables          | checkPresence                             | boolean  | Whether to include or exclude the matched values.                                                                                                                                                                                                                                                                                                                                                                |
| referenceTables          | columnName                                | string   | The name of the column in the reference table.                                                                                                                                                                                                                                                                                                                                                                   |
| referenceTables          | logFieldPath                              | string   | The field in the log to match against the reference table.                                                                                                                                                                                                                                                                                                                                                       |
| referenceTables          | ruleQueryName                             | string   | The name of the query to apply the reference table to.                                                                                                                                                                                                                                                                                                                                                           |
| referenceTables          | tableName                                 | string   | The name of the reference table.                                                                                                                                                                                                                                                                                                                                                                                 |
| Option 1                 | schedulingOptions                         | object   | Options for scheduled rules. When this field is present, the rule runs based on the schedule. When absent, it runs real-time on ingested logs.                                                                                                                                                                                                                                                                   |
| schedulingOptions        | rrule                                     | string   | Schedule for the rule queries, written in RRULE syntax. See [RFC](https://icalendar.org/iCalendar-RFC-5545/3-8-5-3-recurrence-rule.html) for syntax reference.                                                                                                                                                                                                                                                   |
| schedulingOptions        | start                                     | string   | Start date for the schedule, in ISO 8601 format without timezone.                                                                                                                                                                                                                                                                                                                                                |
| schedulingOptions        | timezone                                  | string   | Time zone of the start date, in the [tz database](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones) format.                                                                                                                                                                                                                                                                                          |
| Option 1                 | tags                                      | [string] | Tags for generated signals.                                                                                                                                                                                                                                                                                                                                                                                      |
| Option 1                 | thirdPartyCases                           | [object] | Cases for generating signals from third-party rules. Only available for third-party rules.                                                                                                                                                                                                                                                                                                                       |
| thirdPartyCases          | name                                      | string   | Name of the case.                                                                                                                                                                                                                                                                                                                                                                                                |
| thirdPartyCases          | notifications                             | [string] | Notification targets for each case.                                                                                                                                                                                                                                                                                                                                                                              |
| thirdPartyCases          | query                                     | string   | A query to map a third party event to this case.                                                                                                                                                                                                                                                                                                                                                                 |
| thirdPartyCases          | status [*required*]                  | enum     | Severity of the Security Signal. Allowed enum values: `info,low,medium,high,critical`                                                                                                                                                                                                                                                                                                                            |
| Option 1                 | type                                      | enum     | The rule type. Allowed enum values: `api_security,application_security,log_detection,workload_activity,workload_security`                                                                                                                                                                                                                                                                                        |
|                          | Option 2                                  | object   | The payload of a signal correlation rule.                                                                                                                                                                                                                                                                                                                                                                        |
| Option 2                 | cases [*required*]                   | [object] | Cases for generating signals.                                                                                                                                                                                                                                                                                                                                                                                    |
| cases                    | actions                                   | [object] | Action to perform for each rule case.                                                                                                                                                                                                                                                                                                                                                                            |
| actions                  | options                                   | object   | Options for the rule action. |
| options                  | duration                                  | int64    | Duration of the action in seconds. 0 indicates no expiration.                                                                                                                                                                                                                                                                                                                                                    |
| options                  | flaggedIPType                             | enum     | Used with the case action of type 'flag_ip'. The value specified in this field is applied as a flag to the IP addresses. Allowed enum values: `SUSPICIOUS,FLAGGED`                                                                                                                                                                                                                                               |
| options                  | userBehaviorName                          | string   | Used with the case action of type 'user_behavior'. The value specified in this field is applied as a risk tag to all users affected by the rule.                                                                                                                                                                                                                                                                 |
| actions                  | type                                      | enum     | The action type. Allowed enum values: `block_ip,block_user,user_behavior,flag_ip`                                                                                                                                                                                                                                                                                                                                |
| cases                    | condition                                 | string   | A case contains logical operations (`>`, `>=`, `&&`, `\|\|`) to determine if a signal should be generated based on the event counts in the previously defined queries. |
| cases                    | name                                      | string   | Name of the case.                                                                                                                                                                                                                                                                                                                                                                                                |
| cases                    | notifications                             | [string] | Notification targets.                                                                                                                                                                                                                                                                                                                                                                                            |
| cases                    | status [*required*]                  | enum     | Severity of the Security Signal. Allowed enum values: `info,low,medium,high,critical`                                                                                                                                                                                                                                                                                                                            |
| Option 2                 | customMessage                             | string   | Custom/Overridden message for generated signals (used in case of Default rule update).                                                                                                                                                                                                                                                                                                                           |
| Option 2                 | customName                                | string   | Custom/Overridden name of the rule (used in case of Default rule update).                                                                                                                                                                                                                                                                                                                                        |
| Option 2                 | filters                                   | [object] | Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules.                                                                                                                                                                                                                                              |
| filters                  | action                                    | enum     | The type of filtering action. Allowed enum values: `require,suppress`                                                                                                                                                                                                                                                                                                                                            |
| filters                  | query                                     | string   | Query for selecting logs to apply the filtering action.                                                                                                                                                                                                                                                                                                                                                          |
| Option 2                 | hasExtendedTitle                          | boolean  | Whether the notifications include the triggering group-by values in their title.                                                                                                                                                                                                                                                                                                                                 |
| Option 2                 | isEnabled [*required*]               | boolean  | Whether the rule is enabled.                                                                                                                                                                                                                                                                                                                                                                                     |
| Option 2                 | message [*required*]                 | string   | Message for generated signals.                                                                                                                                                                                                                                                                                                                                                                                   |
| Option 2                 | name [*required*]                    | string   | The name of the rule.                                                                                                                                                                                                                                                                                                                                                                                            |
| Option 2                 | options [*required*]                 | object   | Options.                                                                                                                                                                                                                                                                                                                                                                                                         |
| options                  | anomalyDetectionOptions                   | object   | Options on anomaly detection method.                                                                                                                                                                                                                                                                                                                                                                             |
| anomalyDetectionOptions  | bucketDuration                            | enum     | Duration in seconds of the time buckets used to aggregate events matched by the rule. Must be greater than or equal to 300. Allowed enum values: `300,600,900,1800,3600,10800`                                                                                                                                                                                                                                   |
| anomalyDetectionOptions  | detectionTolerance                        | enum     | An optional parameter that sets how permissive anomaly detection is. Higher values require higher deviations before triggering a signal. Allowed enum values: `1,2,3,4,5`                                                                                                                                                                                                                                        |
| anomalyDetectionOptions  | instantaneousBaseline                     | boolean  | When set to true, Datadog uses previous values that fall within the defined learning window to construct the baseline, enabling the system to establish an accurate baseline more rapidly rather than relying solely on gradual learning over time.                                                                                                                                                              |
| anomalyDetectionOptions  | learningDuration                          | enum     | Learning duration in hours. Anomaly detection waits for at least this amount of historical data before it starts evaluating. Allowed enum values: `1,6,12,24,48,168,336`                                                                                                                                                                                                                                         |
| anomalyDetectionOptions  | learningPeriodBaseline                    | int64    | An optional override baseline to apply while the rule is in the learning period. Must be greater than or equal to 0.                                                                                                                                                                                                                                                                                             |
| options                  | complianceRuleOptions                     | object   | Options for cloud_configuration rules. Fields `resourceType` and `regoRule` are mandatory when managing custom `cloud_configuration` rules.                                                                                                                                                                                                                                                                      |
| complianceRuleOptions    | complexRule                               | boolean  | Whether the rule is a complex one. Must be set to true if `regoRule.resourceTypes` contains more than one item. Defaults to false.                                                                                                                                                                                                                                                                               |
| complianceRuleOptions    | regoRule                                  | object   | Rule details.                                                                                                                                                                                                                                                                                                                                                                                                    |
| regoRule                 | policy [*required*]                  | string   | The policy written in `rego`, see: [https://www.openpolicyagent.org/docs/latest/policy-language/](https://www.openpolicyagent.org/docs/latest/policy-language/)                                                                                                                                                                                                                                                  |
| regoRule                 | resourceTypes [*required*]           | [string] | List of resource types that will be evaluated upon. Must have at least one element.                                                                                                                                                                                                                                                                                                                              |
| complianceRuleOptions    | resourceType                              | string   | Main resource type to be checked by the rule. It should be specified again in `regoRule.resourceTypes`.                                                                                                                                                                                                                                                                                                          |
| options                  | decreaseCriticalityBasedOnEnv             | boolean  | If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise. The severity is decreased by one level: `CRITICAL` in production becomes `HIGH` in non-production, `HIGH` becomes `MEDIUM` and so on. `INFO` remains `INFO`. The decrement is applied when the environment tag of the signal starts with `staging`, `test` or `dev`. |
| options                  | detectionMethod                           | enum     | The detection method. Allowed enum values: `threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold,sequence_detection`                                                                                                                                                                                                                                                  |
| options                  | evaluationWindow                          | enum     | A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600`                                                                                                                                               |
| options                  | hardcodedEvaluatorType                    | enum     | Hardcoded evaluator type. Allowed enum values: `log4shell`                                                                                                                                                                                                                                                                                                                                                       |
| options                  | impossibleTravelOptions                   | object   | Options on impossible travel detection method.                                                                                                                                                                                                                                                                                                                                                                   |
| impossibleTravelOptions  | baselineUserLocations                     | boolean  | If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.                                                                                                                                                                                                    |
| options                  | keepAlive                                 | enum     | Once a signal is generated, the signal will remain "open" if a case is matched at least once within this keep alive window. For third party detection method, this field is not used. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600`                                                                                                                                                         |
| options                  | maxSignalDuration                         | enum     | A signal will "close" regardless of the query being matched once the time exceeds the maximum duration. This time is calculated from the first seen timestamp. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600`                                                                                                                                                                                |
| options                  | newValueOptions                           | object   | Options on new value detection method.                                                                                                                                                                                                                                                                                                                                                                           |
| newValueOptions          | forgetAfter                               | enum     | The duration in days after which a learned value is forgotten. Allowed enum values: `1,2,7,14,21,28`                                                                                                                                                                                                                                                                                                             |
| newValueOptions          | instantaneousBaseline                     | boolean  | When set to true, Datadog uses previous values that fall within the defined learning window to construct the baseline, enabling the system to establish an accurate baseline more rapidly rather than relying solely on gradual learning over time.                                                                                                                                                              |
| newValueOptions          | learningDuration                          | enum     | The duration in days during which values are learned, and after which signals will be generated for values that weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned. Allowed enum values: `0,1,7`                                                                                                                                                       |
| newValueOptions          | learningMethod                            | enum     | The learning method used to determine when signals should be generated for values that weren't learned. Allowed enum values: `duration,threshold`                                                                                                                                                                                                                                                                |
| newValueOptions          | learningThreshold                         | enum     | A number of occurrences after which signals will be generated for values that weren't learned. Allowed enum values: `0,1`                                                                                                                                                                                                                                                                                        |
| options                  | sequenceDetectionOptions                  | object   | Options on sequence detection method.                                                                                                                                                                                                                                                                                                                                                                            |
| sequenceDetectionOptions | stepTransitions                           | [object] | Transitions defining the allowed order of steps and their evaluation windows.                                                                                                                                                                                                                                                                                                                                    |
| stepTransitions          | child                                     | string   | Name of the child step.                                                                                                                                                                                                                                                                                                                                                                                          |
| stepTransitions          | evaluationWindow                          | enum     | A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600`                                                                                                                                               |
| stepTransitions          | parent                                    | string   | Name of the parent step.                                                                                                                                                                                                                                                                                                                                                                                         |
| sequenceDetectionOptions | steps                                     | [object] | Steps that define the conditions to be matched in sequence.                                                                                                                                                                                                                                                                                                                                                      |
| steps                    | condition                                 | string   | Condition referencing rule queries (e.g., `a > 0`).                                                                                                                                                                                                                                                                                                                                                              |
| steps                    | evaluationWindow                          | enum     | A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600`                                                                                                                                               |
| steps                    | name                                      | string   | Unique name identifying the step.                                                                                                                                                                                                                                                                                                                                                                                |
| options                  | thirdPartyRuleOptions                     | object   | Options on third party detection method.                                                                                                                                                                                                                                                                                                                                                                         |
| thirdPartyRuleOptions    | defaultNotifications                      | [string] | Notification targets for the logs that do not correspond to any of the cases.                                                                                                                                                                                                                                                                                                                                    |
| thirdPartyRuleOptions    | defaultStatus                             | enum     | Severity of the Security Signal. Allowed enum values: `info,low,medium,high,critical`                                                                                                                                                                                                                                                                                                                            |
| thirdPartyRuleOptions    | rootQueries                               | [object] | Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.                                                                                                                                                                                                                                                      |
| rootQueries              | groupByFields                             | [string] | Fields to group by.                                                                                                                                                                                                                                                                                                                                                                                              |
| rootQueries              | query                                     | string   | Query to run on logs.                                                                                                                                                                                                                                                                                                                                                                                            |
| thirdPartyRuleOptions    | signalTitleTemplate                       | string   | A template for the signal title; if omitted, the title is generated based on the case name.                                                                                                                                                                                                                                                                                                                      |
| Option 2                 | queries [*required*]                 | [object] | Queries for selecting signals which are part of the rule.                                                                                                                                                                                                                                                                                                                                                        |
| queries                  | aggregation                               | enum     | The aggregation type. Allowed enum values: `count,cardinality,sum,max,new_value,geo_data,event_count,none`                                                                                                                                                                                                                                                                                                       |
| queries                  | correlatedByFields                        | [string] | Fields to group by.                                                                                                                                                                                                                                                                                                                                                                                              |
| queries                  | correlatedQueryIndex                      | int32    | Index of the rule query used to retrieve the correlated field.                                                                                                                                                                                                                                                                                                                                                   |
| queries                  | metrics                                   | [string] | Group of target fields to aggregate over.                                                                                                                                                                                                                                                                                                                                                                        |
| queries                  | name                                      | string   | Name of the query.                                                                                                                                                                                                                                                                                                                                                                                               |
| queries                  | ruleId [*required*]                  | string   | Rule ID to match on signals.                                                                                                                                                                                                                                                                                                                                                                                     |
| Option 2                 | tags                                      | [string] | Tags for generated signals.                                                                                                                                                                                                                                                                                                                                                                                      |
| Option 2                 | type                                      | enum     | The rule type. Allowed enum values: `signal_correlation`                                                                                                                                                                                                                                                                                                                                                         |
|                          | Option 3                                  | object   | The payload of a cloud configuration rule.                                                                                                                                                                                                                                                                                                                                                                       |
| Option 3                 | cases [*required*]                   | [object] | Description of generated findings and signals (severity and channels to be notified in case of a signal). Must contain exactly one item.                                                                                                                                                                                                                                                                         |
| cases                    | notifications                             | [string] | Notification targets for each rule case.                                                                                                                                                                                                                                                                                                                                                                         |
| cases                    | status [*required*]                  | enum     | Severity of the Security Signal. Allowed enum values: `info,low,medium,high,critical`                                                                                                                                                                                                                                                                                                                            |
| Option 3                 | complianceSignalOptions [*required*] | object   | How to generate compliance signals. Useful for cloud_configuration rules only.                                                                                                                                                                                                                                                                                                                                   |
| complianceSignalOptions  | defaultActivationStatus                   | boolean  | The default activation status.                                                                                                                                                                                                                                                                                                                                                                                   |
| complianceSignalOptions  | defaultGroupByFields                      | [string] | The default group by fields.                                                                                                                                                                                                                                                                                                                                                                                     |
| complianceSignalOptions  | userActivationStatus                      | boolean  | Whether signals will be sent.                                                                                                                                                                                                                                                                                                                                                                                    |
| complianceSignalOptions  | userGroupByFields                         | [string] | Fields to use to group findings by when sending signals.                                                                                                                                                                                                                                                                                                                                                         |
| Option 3                 | customMessage                             | string   | Custom/Overridden message for generated signals (used in case of Default rule update).                                                                                                                                                                                                                                                                                                                           |
| Option 3                 | customName                                | string   | Custom/Overridden name of the rule (used in case of Default rule update).                                                                                                                                                                                                                                                                                                                                        |
| Option 3                 | filters                                   | [object] | Additional queries to filter matched events before they are processed.                                                                                                                                                                                                                                                                                                                                           |
| filters                  | action                                    | enum     | The type of filtering action. Allowed enum values: `require,suppress`                                                                                                                                                                                                                                                                                                                                            |
| filters                  | query                                     | string   | Query for selecting logs to apply the filtering action.                                                                                                                                                                                                                                                                                                                                                          |
| Option 3                 | isEnabled [*required*]               | boolean  | Whether the rule is enabled.                                                                                                                                                                                                                                                                                                                                                                                     |
| Option 3                 | message [*required*]                 | string   | Message in markdown format for generated findings and signals.                                                                                                                                                                                                                                                                                                                                                   |
| Option 3                 | name [*required*]                    | string   | The name of the rule.                                                                                                                                                                                                                                                                                                                                                                                            |
| Option 3                 | options [*required*]                 | object   | Options on cloud configuration rules.                                                                                                                                                                                                                                                                                                                                                                            |
| options                  | complianceRuleOptions [*required*]   | object   | Options for cloud_configuration rules. Fields `resourceType` and `regoRule` are mandatory when managing custom `cloud_configuration` rules.                                                                                                                                                                                                                                                                      |
| complianceRuleOptions    | complexRule                               | boolean  | Whether the rule is a complex one. Must be set to true if `regoRule.resourceTypes` contains more than one item. Defaults to false.                                                                                                                                                                                                                                                                               |
| complianceRuleOptions    | regoRule                                  | object   | Rule details.                                                                                                                                                                                                                                                                                                                                                                                                    |
| regoRule                 | policy [*required*]                  | string   | The policy written in `rego`, see: [https://www.openpolicyagent.org/docs/latest/policy-language/](https://www.openpolicyagent.org/docs/latest/policy-language/)                                                                                                                                                                                                                                                  |
| regoRule                 | resourceTypes [*required*]           | [string] | List of resource types that will be evaluated upon. Must have at least one element.                                                                                                                                                                                                                                                                                                                              |
| complianceRuleOptions    | resourceType                              | string   | Main resource type to be checked by the rule. It should be specified again in `regoRule.resourceTypes`.                                                                                                                                                                                                                                                                                                          |
| Option 3                 | tags                                      | [string] | Tags for generated findings and signals.                                                                                                                                                                                                                                                                                                                                                                         |
| Option 3                 | type                                      | enum     | The rule type. Allowed enum values: `cloud_configuration`                                                                                                                                                                                                                                                                                                                                                        |
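
The constraints this table states for custom `cloud_configuration` rules (enum values, a non-empty `regoRule.resourceTypes`, `complexRule` for multi-resource rules, `resourceType` repeated in `regoRule.resourceTypes`) can be checked locally before a payload is sent to the validation endpoint. The Go lint below is an added example, not Datadog's code or client library; the `rule` struct, `lintCloudConfigRule`, and the sample payload (resource type names and policy text) are assumptions constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// rule models only the cloud_configuration fields this lint inspects.
type rule struct {
	Cases []struct {
		Status string `json:"status"`
	} `json:"cases"`
	Filters []struct {
		Action string `json:"action"`
	} `json:"filters"`
	Options struct {
		ComplianceRuleOptions struct {
			ComplexRule  bool   `json:"complexRule"`
			ResourceType string `json:"resourceType"`
			RegoRule     *struct {
				Policy        string   `json:"policy"`
				ResourceTypes []string `json:"resourceTypes"`
			} `json:"regoRule"`
		} `json:"complianceRuleOptions"`
	} `json:"options"`
}

var severities = map[string]bool{"info": true, "low": true, "medium": true, "high": true, "critical": true}
var filterActions = map[string]bool{"require": true, "suppress": true}

// lintCloudConfigRule returns one finding per documented constraint the payload
// breaks. Assumption: the rule is custom, so resourceType and regoRule are mandatory.
func lintCloudConfigRule(payload []byte) ([]string, error) {
	var r rule
	if err := json.Unmarshal(payload, &r); err != nil {
		return nil, fmt.Errorf("payload is not valid JSON: %w", err)
	}
	var out []string
	add := func(format string, a ...interface{}) { out = append(out, fmt.Sprintf(format, a...)) }
	for i, c := range r.Cases {
		if !severities[c.Status] {
			add("cases[%d].status: %q is not one of info,low,medium,high,critical", i, c.Status)
		}
	}
	for i, f := range r.Filters {
		if f.Action != "" && !filterActions[f.Action] {
			add("filters[%d].action: %q is not one of require,suppress", i, f.Action)
		}
	}
	cro := r.Options.ComplianceRuleOptions
	if cro.ResourceType == "" || cro.RegoRule == nil {
		add("complianceRuleOptions: resourceType and regoRule are mandatory for custom rules")
		return out, nil
	}
	types := cro.RegoRule.ResourceTypes
	if cro.RegoRule.Policy == "" {
		add("regoRule.policy: required")
	}
	if len(types) == 0 {
		add("regoRule.resourceTypes: must have at least one element")
	}
	if len(types) > 1 && !cro.ComplexRule {
		add("complexRule: must be true when regoRule.resourceTypes has more than one item")
	}
	listed := len(types) == 0 // an empty list is already reported above
	for _, t := range types {
		listed = listed || t == cro.ResourceType
	}
	if !listed {
		add("resourceType: %q is not repeated in regoRule.resourceTypes", cro.ResourceType)
	}
	return out, nil
}

// Constructed sample payload (not from the Datadog docs); the resource type
// names and the one-line policy are placeholders.
const badPayload = `{
  "type": "cloud_configuration", "isEnabled": true,
  "name": "Constructed rule", "message": "Constructed message",
  "cases": [{"status": "urgent", "notifications": []}],
  "complianceSignalOptions": {"userActivationStatus": true},
  "filters": [{"action": "drop", "query": "env:dev"}],
  "options": {"complianceRuleOptions": {
    "resourceType": "aws_s3_bucket",
    "regoRule": {"policy": "package datadog", "resourceTypes": ["aws_iam_user", "aws_iam_role"]}}}
}`

func main() {
	findings, err := lintCloudConfigRule([]byte(badPayload))
	fmt.Printf("%d finding(s), err=%v\n", len(findings), err)
	for _, f := range findings {
		fmt.Println("  -", f)
	}
}
```

Setting the case status to `high`, the filter action to `suppress`, and `resourceTypes` to the single value `aws_s3_bucket` clears every finding for the sample payload.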

{% /tab %}

{% tab title="Example" %}

```json
{
  "cases": [
    {
      "name": "",
      "status": "info",
      "notifications": [],
      "condition": "a > 0"
    }
  ],
  "hasExtendedTitle": true,
  "isEnabled": true,
  "message": "My security monitoring rule",
  "name": "My security monitoring rule",
  "options": {
    "evaluationWindow": 1800,
    "keepAlive": 1800,
    "maxSignalDuration": 1800,
    "detectionMethod": "threshold"
  },
  "queries": [
    {
      "query": "source:source_here",
      "groupByFields": [
        "@userIdentity.assumed_role"
      ],
      "distinctFields": [],
      "aggregation": "count",
      "name": ""
    }
  ],
  "tags": [
    "env:prod",
    "team:security"
  ],
  "type": "log_detection"
}
```


```json
{
  "cases": [
    {
      "name": "",
      "status": "info",
      "notifications": []
    }
  ],
  "hasExtendedTitle": true,
  "isEnabled": true,
  "message": "My security monitoring rule",
  "name": "My security monitoring rule",
  "options": {
    "evaluationWindow": 0,
    "keepAlive": 300,
    "maxSignalDuration": 600,
    "detectionMethod": "new_value",
    "newValueOptions": {
      "forgetAfter": 7,
      "instantaneousBaseline": true,
      "learningDuration": 1,
      "learningThreshold": 0,
      "learningMethod": "duration"
    }
  },
  "queries": [
    {
      "query": "source:source_here",
      "groupByFields": [
        "@userIdentity.assumed_role"
      ],
      "distinctFields": [],
      "metric": "name",
      "metrics": [
        "name"
      ],
      "aggregation": "new_value",
      "name": "",
      "dataSource": "logs"
    }
  ],
  "tags": [
    "env:prod",
    "team:security"
  ],
  "type": "log_detection"
}
```


```json
{
  "cases": [
    {
      "name": "",
      "status": "info",
      "notifications": [],
      "condition": "step_b > 0"
    }
  ],
  "hasExtendedTitle": true,
  "isEnabled": true,
  "message": "My security monitoring rule",
  "name": "My security monitoring rule",
  "options": {
    "evaluationWindow": 0,
    "keepAlive": 300,
    "maxSignalDuration": 600,
    "detectionMethod": "sequence_detection",
    "sequenceDetectionOptions": {
      "stepTransitions": [
        {
          "child": "step_b",
          "evaluationWindow": 900,
          "parent": "step_a"
        }
      ],
      "steps": [
        {
          "condition": "a > 0",
          "evaluationWindow": 60,
          "name": "step_a"
        },
        {
          "condition": "b > 0",
          "evaluationWindow": 60,
          "name": "step_b"
        }
      ]
    }
  },
  "queries": [
    {
      "query": "source:source_here",
      "groupByFields": [
        "@userIdentity.assumed_role"
      ],
      "distinctFields": [],
      "aggregation": "count",
      "name": ""
    },
    {
      "query": "source:source_here2",
      "groupByFields": [],
      "distinctFields": [],
      "aggregation": "count",
      "name": ""
    }
  ],
  "tags": [
    "env:prod",
    "team:security"
  ],
  "type": "log_detection"
}
```

{% /tab %}

### Response

{% tab title="204" %}
OK
{% /tab %}

{% tab title="400" %}
Bad Request
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="403" %}
Not Authorized
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="429" %}
Too many requests
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

### Code Example

```bash
# Curl command
# Replace api.datadoghq.com with the API host for your Datadog site:
# api.ap1.datadoghq.com, api.ap2.datadoghq.com, api.datadoghq.eu, api.ddog-gov.com,
# api.datadoghq.com, api.us3.datadoghq.com, or api.us5.datadoghq.com.
curl -X POST "https://api.datadoghq.com/api/v2/security_monitoring/rules/validation" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "cases": [
    {
      "name": "",
      "status": "info",
      "notifications": [],
      "condition": "a > 0"
    }
  ],
  "hasExtendedTitle": true,
  "isEnabled": true,
  "message": "My security monitoring rule",
  "name": "My security monitoring rule",
  "options": {
    "evaluationWindow": 1800,
    "keepAlive": 1800,
    "maxSignalDuration": 1800,
    "detectionMethod": "threshold"
  },
  "queries": [
    {
      "query": "source:source_here",
      "groupByFields": [
        "@userIdentity.assumed_role"
      ],
      "distinctFields": [],
      "aggregation": "count",
      "name": ""
    }
  ],
  "tags": [
    "env:prod",
    "team:security"
  ],
  "type": "log_detection"
}
EOF
```

```bash
# Curl command
# Replace api.datadoghq.com with the API host for your Datadog site:
# api.ap1.datadoghq.com, api.ap2.datadoghq.com, api.datadoghq.eu, api.ddog-gov.com,
# api.datadoghq.com, api.us3.datadoghq.com, or api.us5.datadoghq.com.
curl -X POST "https://api.datadoghq.com/api/v2/security_monitoring/rules/validation" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "cases": [
    {
      "name": "",
      "status": "info",
      "notifications": []
    }
  ],
  "hasExtendedTitle": true,
  "isEnabled": true,
  "message": "My security monitoring rule",
  "name": "My security monitoring rule",
  "options": {
    "evaluationWindow": 0,
    "keepAlive": 300,
    "maxSignalDuration": 600,
    "detectionMethod": "new_value",
    "newValueOptions": {
      "forgetAfter": 7,
      "instantaneousBaseline": true,
      "learningDuration": 1,
      "learningThreshold": 0,
      "learningMethod": "duration"
    }
  },
  "queries": [
    {
      "query": "source:source_here",
      "groupByFields": [
        "@userIdentity.assumed_role"
      ],
      "distinctFields": [],
      "metric": "name",
      "metrics": [
        "name"
      ],
      "aggregation": "new_value",
      "name": "",
      "dataSource": "logs"
    }
  ],
  "tags": [
    "env:prod",
    "team:security"
  ],
  "type": "log_detection"
}
EOF
```

```bash
# Curl command
# Replace api.datadoghq.com with the API host for your Datadog site:
# api.ap1.datadoghq.com, api.ap2.datadoghq.com, api.datadoghq.eu, api.ddog-gov.com,
# api.datadoghq.com, api.us3.datadoghq.com, or api.us5.datadoghq.com.
curl -X POST "https://api.datadoghq.com/api/v2/security_monitoring/rules/validation" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "cases": [
    {
      "name": "",
      "status": "info",
      "notifications": [],
      "condition": "step_b > 0"
    }
  ],
  "hasExtendedTitle": true,
  "isEnabled": true,
  "message": "My security monitoring rule",
  "name": "My security monitoring rule",
  "options": {
    "evaluationWindow": 0,
    "keepAlive": 300,
    "maxSignalDuration": 600,
    "detectionMethod": "sequence_detection",
    "sequenceDetectionOptions": {
      "stepTransitions": [
        {
          "child": "step_b",
          "evaluationWindow": 900,
          "parent": "step_a"
        }
      ],
      "steps": [
        {
          "condition": "a > 0",
          "evaluationWindow": 60,
          "name": "step_a"
        },
        {
          "condition": "b > 0",
          "evaluationWindow": 60,
          "name": "step_b"
        }
      ]
    }
  },
  "queries": [
    {
      "query": "source:source_here",
      "groupByFields": [
        "@userIdentity.assumed_role"
      ],
      "distinctFields": [],
      "aggregation": "count",
      "name": ""
    },
    {
      "query": "source:source_here2",
      "groupByFields": [],
      "distinctFields": [],
      "aggregation": "count",
      "name": ""
    }
  ],
  "tags": [
    "env:prod",
    "team:security"
  ],
  "type": "log_detection"
}
EOF
```

```go
// Validate a detection rule returns "OK" response

package main

import (
	"context"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	body := datadogV2.SecurityMonitoringRuleValidatePayload{
		SecurityMonitoringStandardRulePayload: &datadogV2.SecurityMonitoringStandardRulePayload{
			Cases: []datadogV2.SecurityMonitoringRuleCaseCreate{
				{
					Name:          datadog.PtrString(""),
					Status:        datadogV2.SECURITYMONITORINGRULESEVERITY_INFO,
					Notifications: []string{},
					Condition:     datadog.PtrString("a > 0"),
				},
			},
			HasExtendedTitle: datadog.PtrBool(true),
			IsEnabled:        true,
			Message:          "My security monitoring rule",
			Name:             "My security monitoring rule",
			Options: datadogV2.SecurityMonitoringRuleOptions{
				EvaluationWindow:  datadogV2.SECURITYMONITORINGRULEEVALUATIONWINDOW_THIRTY_MINUTES.Ptr(),
				KeepAlive:         datadogV2.SECURITYMONITORINGRULEKEEPALIVE_THIRTY_MINUTES.Ptr(),
				MaxSignalDuration: datadogV2.SECURITYMONITORINGRULEMAXSIGNALDURATION_THIRTY_MINUTES.Ptr(),
				DetectionMethod:   datadogV2.SECURITYMONITORINGRULEDETECTIONMETHOD_THRESHOLD.Ptr(),
			},
			Queries: []datadogV2.SecurityMonitoringStandardRuleQuery{
				{
					Query: datadog.PtrString("source:source_here"),
					GroupByFields: []string{
						"@userIdentity.assumed_role",
					},
					DistinctFields: []string{},
					Aggregation:    datadogV2.SECURITYMONITORINGRULEQUERYAGGREGATION_COUNT.Ptr(),
					Name:           datadog.PtrString(""),
				},
			},
			Tags: []string{
				"env:prod",
				"team:security",
			},
			Type: datadogV2.SECURITYMONITORINGRULETYPECREATE_LOG_DETECTION.Ptr(),
		}}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	r, err := api.ValidateSecurityMonitoringRule(ctx, body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.ValidateSecurityMonitoringRule`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}
}
```


```go
// Validate a detection rule with detection method 'new_value' with enabled feature 'instantaneousBaseline' returns "OK"
// response

package main

import (
	"context"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	body := datadogV2.SecurityMonitoringRuleValidatePayload{
		SecurityMonitoringStandardRulePayload: &datadogV2.SecurityMonitoringStandardRulePayload{
			Cases: []datadogV2.SecurityMonitoringRuleCaseCreate{
				{
					Name:          datadog.PtrString(""),
					Status:        datadogV2.SECURITYMONITORINGRULESEVERITY_INFO,
					Notifications: []string{},
				},
			},
			HasExtendedTitle: datadog.PtrBool(true),
			IsEnabled:        true,
			Message:          "My security monitoring rule",
			Name:             "My security monitoring rule",
			Options: datadogV2.SecurityMonitoringRuleOptions{
				EvaluationWindow:  datadogV2.SECURITYMONITORINGRULEEVALUATIONWINDOW_ZERO_MINUTES.Ptr(),
				KeepAlive:         datadogV2.SECURITYMONITORINGRULEKEEPALIVE_FIVE_MINUTES.Ptr(),
				MaxSignalDuration: datadogV2.SECURITYMONITORINGRULEMAXSIGNALDURATION_TEN_MINUTES.Ptr(),
				DetectionMethod:   datadogV2.SECURITYMONITORINGRULEDETECTIONMETHOD_NEW_VALUE.Ptr(),
				NewValueOptions: &datadogV2.SecurityMonitoringRuleNewValueOptions{
					ForgetAfter:           datadogV2.SECURITYMONITORINGRULENEWVALUEOPTIONSFORGETAFTER_ONE_WEEK.Ptr(),
					InstantaneousBaseline: datadog.PtrBool(true),
					LearningDuration:      datadogV2.SECURITYMONITORINGRULENEWVALUEOPTIONSLEARNINGDURATION_ONE_DAY.Ptr(),
					LearningThreshold:     datadogV2.SECURITYMONITORINGRULENEWVALUEOPTIONSLEARNINGTHRESHOLD_ZERO_OCCURRENCES.Ptr(),
					LearningMethod:        datadogV2.SECURITYMONITORINGRULENEWVALUEOPTIONSLEARNINGMETHOD_DURATION.Ptr(),
				},
			},
			Queries: []datadogV2.SecurityMonitoringStandardRuleQuery{
				{
					Query: datadog.PtrString("source:source_here"),
					GroupByFields: []string{
						"@userIdentity.assumed_role",
					},
					DistinctFields: []string{},
					Metric:         datadog.PtrString("name"),
					Metrics: []string{
						"name",
					},
					Aggregation: datadogV2.SECURITYMONITORINGRULEQUERYAGGREGATION_NEW_VALUE.Ptr(),
					Name:        datadog.PtrString(""),
					DataSource:  datadogV2.SECURITYMONITORINGSTANDARDDATASOURCE_LOGS.Ptr(),
				},
			},
			Tags: []string{
				"env:prod",
				"team:security",
			},
			Type: datadogV2.SECURITYMONITORINGRULETYPECREATE_LOG_DETECTION.Ptr(),
		}}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	r, err := api.ValidateSecurityMonitoringRule(ctx, body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.ValidateSecurityMonitoringRule`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}
}
```


```go
// Validate a detection rule with detection method 'sequence_detection' returns "OK" response

package main

import (
	"context"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	body := datadogV2.SecurityMonitoringRuleValidatePayload{
		SecurityMonitoringStandardRulePayload: &datadogV2.SecurityMonitoringStandardRulePayload{
			Cases: []datadogV2.SecurityMonitoringRuleCaseCreate{
				{
					Name:          datadog.PtrString(""),
					Status:        datadogV2.SECURITYMONITORINGRULESEVERITY_INFO,
					Notifications: []string{},
					Condition:     datadog.PtrString("step_b > 0"),
				},
			},
			HasExtendedTitle: datadog.PtrBool(true),
			IsEnabled:        true,
			Message:          "My security monitoring rule",
			Name:             "My security monitoring rule",
			Options: datadogV2.SecurityMonitoringRuleOptions{
				EvaluationWindow:  datadogV2.SECURITYMONITORINGRULEEVALUATIONWINDOW_ZERO_MINUTES.Ptr(),
				KeepAlive:         datadogV2.SECURITYMONITORINGRULEKEEPALIVE_FIVE_MINUTES.Ptr(),
				MaxSignalDuration: datadogV2.SECURITYMONITORINGRULEMAXSIGNALDURATION_TEN_MINUTES.Ptr(),
				DetectionMethod:   datadogV2.SECURITYMONITORINGRULEDETECTIONMETHOD_SEQUENCE_DETECTION.Ptr(),
				SequenceDetectionOptions: &datadogV2.SecurityMonitoringRuleSequenceDetectionOptions{
					StepTransitions: []datadogV2.SecurityMonitoringRuleSequenceDetectionStepTransition{
						{
							Child:            datadog.PtrString("step_b"),
							EvaluationWindow: datadogV2.SECURITYMONITORINGRULEEVALUATIONWINDOW_FIFTEEN_MINUTES.Ptr(),
							Parent:           datadog.PtrString("step_a"),
						},
					},
					Steps: []datadogV2.SecurityMonitoringRuleSequenceDetectionStep{
						{
							Condition:        datadog.PtrString("a > 0"),
							EvaluationWindow: datadogV2.SECURITYMONITORINGRULEEVALUATIONWINDOW_ONE_MINUTE.Ptr(),
							Name:             datadog.PtrString("step_a"),
						},
						{
							Condition:        datadog.PtrString("b > 0"),
							EvaluationWindow: datadogV2.SECURITYMONITORINGRULEEVALUATIONWINDOW_ONE_MINUTE.Ptr(),
							Name:             datadog.PtrString("step_b"),
						},
					},
				},
			},
			Queries: []datadogV2.SecurityMonitoringStandardRuleQuery{
				{
					Query: datadog.PtrString("source:source_here"),
					GroupByFields: []string{
						"@userIdentity.assumed_role",
					},
					DistinctFields: []string{},
					Aggregation:    datadogV2.SECURITYMONITORINGRULEQUERYAGGREGATION_COUNT.Ptr(),
					Name:           datadog.PtrString(""),
				},
				{
					Query:          datadog.PtrString("source:source_here2"),
					GroupByFields:  []string{},
					DistinctFields: []string{},
					Aggregation:    datadogV2.SECURITYMONITORINGRULEQUERYAGGREGATION_COUNT.Ptr(),
					Name:           datadog.PtrString(""),
				},
			},
			Tags: []string{
				"env:prod",
				"team:security",
			},
			Type: datadogV2.SECURITYMONITORINGRULETYPECREATE_LOG_DETECTION.Ptr(),
		}}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	r, err := api.ValidateSecurityMonitoringRule(ctx, body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.ValidateSecurityMonitoringRule`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=go), then save the example to `main.go` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
```

```java
// Validate a detection rule returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleCaseCreate;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleDetectionMethod;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleEvaluationWindow;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleKeepAlive;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleMaxSignalDuration;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleOptions;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleQueryAggregation;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleSeverity;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleTypeCreate;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleValidatePayload;
import com.datadog.api.client.v2.model.SecurityMonitoringStandardRulePayload;
import com.datadog.api.client.v2.model.SecurityMonitoringStandardRuleQuery;
import java.util.Arrays;
import java.util.Collections;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    SecurityMonitoringRuleValidatePayload body =
        new SecurityMonitoringRuleValidatePayload(
            new SecurityMonitoringStandardRulePayload()
                .cases(
                    Collections.singletonList(
                        new SecurityMonitoringRuleCaseCreate()
                            .name("")
                            .status(SecurityMonitoringRuleSeverity.INFO)
                            .condition("a > 0")))
                .hasExtendedTitle(true)
                .isEnabled(true)
                .message("My security monitoring rule")
                .name("My security monitoring rule")
                .options(
                    new SecurityMonitoringRuleOptions()
                        .evaluationWindow(SecurityMonitoringRuleEvaluationWindow.THIRTY_MINUTES)
                        .keepAlive(SecurityMonitoringRuleKeepAlive.THIRTY_MINUTES)
                        .maxSignalDuration(SecurityMonitoringRuleMaxSignalDuration.THIRTY_MINUTES)
                        .detectionMethod(SecurityMonitoringRuleDetectionMethod.THRESHOLD))
                .queries(
                    Collections.singletonList(
                        new SecurityMonitoringStandardRuleQuery()
                            .query("source:source_here")
                            .groupByFields(Collections.singletonList("@userIdentity.assumed_role"))
                            .aggregation(SecurityMonitoringRuleQueryAggregation.COUNT)
                            .name("")))
                .tags(Arrays.asList("env:prod", "team:security"))
                .type(SecurityMonitoringRuleTypeCreate.LOG_DETECTION));

    try {
      apiInstance.validateSecurityMonitoringRule(body);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#validateSecurityMonitoringRule");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}
```


```java
// Validate a detection rule with detection method 'new_value' with enabled feature
// 'instantaneousBaseline' returns "OK"
// response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleCaseCreate;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleDetectionMethod;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleEvaluationWindow;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleKeepAlive;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleMaxSignalDuration;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleNewValueOptions;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleNewValueOptionsForgetAfter;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleNewValueOptionsLearningDuration;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleNewValueOptionsLearningMethod;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleNewValueOptionsLearningThreshold;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleOptions;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleQueryAggregation;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleSeverity;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleTypeCreate;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleValidatePayload;
import com.datadog.api.client.v2.model.SecurityMonitoringStandardDataSource;
import com.datadog.api.client.v2.model.SecurityMonitoringStandardRulePayload;
import com.datadog.api.client.v2.model.SecurityMonitoringStandardRuleQuery;
import java.util.Arrays;
import java.util.Collections;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    SecurityMonitoringRuleValidatePayload body =
        new SecurityMonitoringRuleValidatePayload(
            new SecurityMonitoringStandardRulePayload()
                .cases(
                    Collections.singletonList(
                        new SecurityMonitoringRuleCaseCreate()
                            .name("")
                            .status(SecurityMonitoringRuleSeverity.INFO)))
                .hasExtendedTitle(true)
                .isEnabled(true)
                .message("My security monitoring rule")
                .name("My security monitoring rule")
                .options(
                    new SecurityMonitoringRuleOptions()
                        .evaluationWindow(SecurityMonitoringRuleEvaluationWindow.ZERO_MINUTES)
                        .keepAlive(SecurityMonitoringRuleKeepAlive.FIVE_MINUTES)
                        .maxSignalDuration(SecurityMonitoringRuleMaxSignalDuration.TEN_MINUTES)
                        .detectionMethod(SecurityMonitoringRuleDetectionMethod.NEW_VALUE)
                        .newValueOptions(
                            new SecurityMonitoringRuleNewValueOptions()
                                .forgetAfter(
                                    SecurityMonitoringRuleNewValueOptionsForgetAfter.ONE_WEEK)
                                .instantaneousBaseline(true)
                                .learningDuration(
                                    SecurityMonitoringRuleNewValueOptionsLearningDuration.ONE_DAY)
                                .learningThreshold(
                                    SecurityMonitoringRuleNewValueOptionsLearningThreshold
                                        .ZERO_OCCURRENCES)
                                .learningMethod(
                                    SecurityMonitoringRuleNewValueOptionsLearningMethod.DURATION)))
                .queries(
                    Collections.singletonList(
                        new SecurityMonitoringStandardRuleQuery()
                            .query("source:source_here")
                            .groupByFields(Collections.singletonList("@userIdentity.assumed_role"))
                            .metric("name")
                            .metrics(Collections.singletonList("name"))
                            .aggregation(SecurityMonitoringRuleQueryAggregation.NEW_VALUE)
                            .name("")
                            .dataSource(SecurityMonitoringStandardDataSource.LOGS)))
                .tags(Arrays.asList("env:prod", "team:security"))
                .type(SecurityMonitoringRuleTypeCreate.LOG_DETECTION));

    try {
      apiInstance.validateSecurityMonitoringRule(body);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#validateSecurityMonitoringRule");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}
```


```java
// Validate a detection rule with detection method 'sequence_detection' returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleCaseCreate;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleDetectionMethod;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleEvaluationWindow;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleKeepAlive;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleMaxSignalDuration;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleOptions;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleQueryAggregation;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleSequenceDetectionOptions;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleSequenceDetectionStep;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleSequenceDetectionStepTransition;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleSeverity;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleTypeCreate;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleValidatePayload;
import com.datadog.api.client.v2.model.SecurityMonitoringStandardRulePayload;
import com.datadog.api.client.v2.model.SecurityMonitoringStandardRuleQuery;
import java.util.Arrays;
import java.util.Collections;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    SecurityMonitoringRuleValidatePayload body =
        new SecurityMonitoringRuleValidatePayload(
            new SecurityMonitoringStandardRulePayload()
                .cases(
                    Collections.singletonList(
                        new SecurityMonitoringRuleCaseCreate()
                            .name("")
                            .status(SecurityMonitoringRuleSeverity.INFO)
                            .condition("step_b > 0")))
                .hasExtendedTitle(true)
                .isEnabled(true)
                .message("My security monitoring rule")
                .name("My security monitoring rule")
                .options(
                    new SecurityMonitoringRuleOptions()
                        .evaluationWindow(SecurityMonitoringRuleEvaluationWindow.ZERO_MINUTES)
                        .keepAlive(SecurityMonitoringRuleKeepAlive.FIVE_MINUTES)
                        .maxSignalDuration(SecurityMonitoringRuleMaxSignalDuration.TEN_MINUTES)
                        .detectionMethod(SecurityMonitoringRuleDetectionMethod.SEQUENCE_DETECTION)
                        .sequenceDetectionOptions(
                            new SecurityMonitoringRuleSequenceDetectionOptions()
                                .stepTransitions(
                                    Collections.singletonList(
                                        new SecurityMonitoringRuleSequenceDetectionStepTransition()
                                            .child("step_b")
                                            .evaluationWindow(
                                                SecurityMonitoringRuleEvaluationWindow
                                                    .FIFTEEN_MINUTES)
                                            .parent("step_a")))
                                .steps(
                                    Arrays.asList(
                                        new SecurityMonitoringRuleSequenceDetectionStep()
                                            .condition("a > 0")
                                            .evaluationWindow(
                                                SecurityMonitoringRuleEvaluationWindow.ONE_MINUTE)
                                            .name("step_a"),
                                        new SecurityMonitoringRuleSequenceDetectionStep()
                                            .condition("b > 0")
                                            .evaluationWindow(
                                                SecurityMonitoringRuleEvaluationWindow.ONE_MINUTE)
                                            .name("step_b")))))
                .queries(
                    Arrays.asList(
                        new SecurityMonitoringStandardRuleQuery()
                            .query("source:source_here")
                            .groupByFields(Collections.singletonList("@userIdentity.assumed_role"))
                            .aggregation(SecurityMonitoringRuleQueryAggregation.COUNT)
                            .name(""),
                        new SecurityMonitoringStandardRuleQuery()
                            .query("source:source_here2")
                            .aggregation(SecurityMonitoringRuleQueryAggregation.COUNT)
                            .name("")))
                .tags(Arrays.asList("env:prod", "team:security"))
                .type(SecurityMonitoringRuleTypeCreate.LOG_DETECTION));

    try {
      apiInstance.validateSecurityMonitoringRule(body);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#validateSecurityMonitoringRule");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=java), then save the example to `Example.java` and run the following command. Set `DD_SITE` to your Datadog site, one of `datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`:

```sh
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"
```

```python
"""
Validate a detection rule returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.security_monitoring_rule_case_create import SecurityMonitoringRuleCaseCreate
from datadog_api_client.v2.model.security_monitoring_rule_detection_method import SecurityMonitoringRuleDetectionMethod
from datadog_api_client.v2.model.security_monitoring_rule_evaluation_window import (
    SecurityMonitoringRuleEvaluationWindow,
)
from datadog_api_client.v2.model.security_monitoring_rule_keep_alive import SecurityMonitoringRuleKeepAlive
from datadog_api_client.v2.model.security_monitoring_rule_max_signal_duration import (
    SecurityMonitoringRuleMaxSignalDuration,
)
from datadog_api_client.v2.model.security_monitoring_rule_options import SecurityMonitoringRuleOptions
from datadog_api_client.v2.model.security_monitoring_rule_query_aggregation import (
    SecurityMonitoringRuleQueryAggregation,
)
from datadog_api_client.v2.model.security_monitoring_rule_severity import SecurityMonitoringRuleSeverity
from datadog_api_client.v2.model.security_monitoring_rule_type_create import SecurityMonitoringRuleTypeCreate
from datadog_api_client.v2.model.security_monitoring_standard_rule_payload import SecurityMonitoringStandardRulePayload
from datadog_api_client.v2.model.security_monitoring_standard_rule_query import SecurityMonitoringStandardRuleQuery

body = SecurityMonitoringStandardRulePayload(
    cases=[
        SecurityMonitoringRuleCaseCreate(
            name="",
            status=SecurityMonitoringRuleSeverity.INFO,
            notifications=[],
            condition="a > 0",
        ),
    ],
    has_extended_title=True,
    is_enabled=True,
    message="My security monitoring rule",
    name="My security monitoring rule",
    options=SecurityMonitoringRuleOptions(
        evaluation_window=SecurityMonitoringRuleEvaluationWindow.THIRTY_MINUTES,
        keep_alive=SecurityMonitoringRuleKeepAlive.THIRTY_MINUTES,
        max_signal_duration=SecurityMonitoringRuleMaxSignalDuration.THIRTY_MINUTES,
        detection_method=SecurityMonitoringRuleDetectionMethod.THRESHOLD,
    ),
    queries=[
        SecurityMonitoringStandardRuleQuery(
            query="source:source_here",
            group_by_fields=[
                "@userIdentity.assumed_role",
            ],
            distinct_fields=[],
            aggregation=SecurityMonitoringRuleQueryAggregation.COUNT,
            name="",
        ),
    ],
    tags=[
        "env:prod",
        "team:security",
    ],
    type=SecurityMonitoringRuleTypeCreate.LOG_DETECTION,
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    api_instance.validate_security_monitoring_rule(body=body)
```


```python
"""
Validate a detection rule with detection method 'new_value' with enabled feature 'instantaneousBaseline' returns "OK"
response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.security_monitoring_rule_case_create import SecurityMonitoringRuleCaseCreate
from datadog_api_client.v2.model.security_monitoring_rule_detection_method import SecurityMonitoringRuleDetectionMethod
from datadog_api_client.v2.model.security_monitoring_rule_evaluation_window import (
    SecurityMonitoringRuleEvaluationWindow,
)
from datadog_api_client.v2.model.security_monitoring_rule_keep_alive import SecurityMonitoringRuleKeepAlive
from datadog_api_client.v2.model.security_monitoring_rule_max_signal_duration import (
    SecurityMonitoringRuleMaxSignalDuration,
)
from datadog_api_client.v2.model.security_monitoring_rule_new_value_options import SecurityMonitoringRuleNewValueOptions
from datadog_api_client.v2.model.security_monitoring_rule_new_value_options_forget_after import (
    SecurityMonitoringRuleNewValueOptionsForgetAfter,
)
from datadog_api_client.v2.model.security_monitoring_rule_new_value_options_learning_duration import (
    SecurityMonitoringRuleNewValueOptionsLearningDuration,
)
from datadog_api_client.v2.model.security_monitoring_rule_new_value_options_learning_method import (
    SecurityMonitoringRuleNewValueOptionsLearningMethod,
)
from datadog_api_client.v2.model.security_monitoring_rule_new_value_options_learning_threshold import (
    SecurityMonitoringRuleNewValueOptionsLearningThreshold,
)
from datadog_api_client.v2.model.security_monitoring_rule_options import SecurityMonitoringRuleOptions
from datadog_api_client.v2.model.security_monitoring_rule_query_aggregation import (
    SecurityMonitoringRuleQueryAggregation,
)
from datadog_api_client.v2.model.security_monitoring_rule_severity import SecurityMonitoringRuleSeverity
from datadog_api_client.v2.model.security_monitoring_rule_type_create import SecurityMonitoringRuleTypeCreate
from datadog_api_client.v2.model.security_monitoring_standard_data_source import SecurityMonitoringStandardDataSource
from datadog_api_client.v2.model.security_monitoring_standard_rule_payload import SecurityMonitoringStandardRulePayload
from datadog_api_client.v2.model.security_monitoring_standard_rule_query import SecurityMonitoringStandardRuleQuery

body = SecurityMonitoringStandardRulePayload(
    cases=[
        SecurityMonitoringRuleCaseCreate(
            name="",
            status=SecurityMonitoringRuleSeverity.INFO,
            notifications=[],
        ),
    ],
    has_extended_title=True,
    is_enabled=True,
    message="My security monitoring rule",
    name="My security monitoring rule",
    options=SecurityMonitoringRuleOptions(
        evaluation_window=SecurityMonitoringRuleEvaluationWindow.ZERO_MINUTES,
        keep_alive=SecurityMonitoringRuleKeepAlive.FIVE_MINUTES,
        max_signal_duration=SecurityMonitoringRuleMaxSignalDuration.TEN_MINUTES,
        detection_method=SecurityMonitoringRuleDetectionMethod.NEW_VALUE,
        new_value_options=SecurityMonitoringRuleNewValueOptions(
            forget_after=SecurityMonitoringRuleNewValueOptionsForgetAfter.ONE_WEEK,
            instantaneous_baseline=True,
            learning_duration=SecurityMonitoringRuleNewValueOptionsLearningDuration.ONE_DAY,
            learning_threshold=SecurityMonitoringRuleNewValueOptionsLearningThreshold.ZERO_OCCURRENCES,
            learning_method=SecurityMonitoringRuleNewValueOptionsLearningMethod.DURATION,
        ),
    ),
    queries=[
        SecurityMonitoringStandardRuleQuery(
            query="source:source_here",
            group_by_fields=[
                "@userIdentity.assumed_role",
            ],
            distinct_fields=[],
            metric="name",
            metrics=[
                "name",
            ],
            aggregation=SecurityMonitoringRuleQueryAggregation.NEW_VALUE,
            name="",
            data_source=SecurityMonitoringStandardDataSource.LOGS,
        ),
    ],
    tags=[
        "env:prod",
        "team:security",
    ],
    type=SecurityMonitoringRuleTypeCreate.LOG_DETECTION,
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    api_instance.validate_security_monitoring_rule(body=body)
```


```python
"""
Validate a detection rule with detection method 'sequence_detection' returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.security_monitoring_rule_case_create import SecurityMonitoringRuleCaseCreate
from datadog_api_client.v2.model.security_monitoring_rule_detection_method import SecurityMonitoringRuleDetectionMethod
from datadog_api_client.v2.model.security_monitoring_rule_evaluation_window import (
    SecurityMonitoringRuleEvaluationWindow,
)
from datadog_api_client.v2.model.security_monitoring_rule_keep_alive import SecurityMonitoringRuleKeepAlive
from datadog_api_client.v2.model.security_monitoring_rule_max_signal_duration import (
    SecurityMonitoringRuleMaxSignalDuration,
)
from datadog_api_client.v2.model.security_monitoring_rule_options import SecurityMonitoringRuleOptions
from datadog_api_client.v2.model.security_monitoring_rule_query_aggregation import (
    SecurityMonitoringRuleQueryAggregation,
)
from datadog_api_client.v2.model.security_monitoring_rule_sequence_detection_options import (
    SecurityMonitoringRuleSequenceDetectionOptions,
)
from datadog_api_client.v2.model.security_monitoring_rule_sequence_detection_step import (
    SecurityMonitoringRuleSequenceDetectionStep,
)
from datadog_api_client.v2.model.security_monitoring_rule_sequence_detection_step_transition import (
    SecurityMonitoringRuleSequenceDetectionStepTransition,
)
from datadog_api_client.v2.model.security_monitoring_rule_severity import SecurityMonitoringRuleSeverity
from datadog_api_client.v2.model.security_monitoring_rule_type_create import SecurityMonitoringRuleTypeCreate
from datadog_api_client.v2.model.security_monitoring_standard_rule_payload import SecurityMonitoringStandardRulePayload
from datadog_api_client.v2.model.security_monitoring_standard_rule_query import SecurityMonitoringStandardRuleQuery

body = SecurityMonitoringStandardRulePayload(
    cases=[
        SecurityMonitoringRuleCaseCreate(
            name="",
            status=SecurityMonitoringRuleSeverity.INFO,
            notifications=[],
            condition="step_b > 0",
        ),
    ],
    has_extended_title=True,
    is_enabled=True,
    message="My security monitoring rule",
    name="My security monitoring rule",
    options=SecurityMonitoringRuleOptions(
        evaluation_window=SecurityMonitoringRuleEvaluationWindow.ZERO_MINUTES,
        keep_alive=SecurityMonitoringRuleKeepAlive.FIVE_MINUTES,
        max_signal_duration=SecurityMonitoringRuleMaxSignalDuration.TEN_MINUTES,
        detection_method=SecurityMonitoringRuleDetectionMethod.SEQUENCE_DETECTION,
        sequence_detection_options=SecurityMonitoringRuleSequenceDetectionOptions(
            step_transitions=[
                SecurityMonitoringRuleSequenceDetectionStepTransition(
                    child="step_b",
                    evaluation_window=SecurityMonitoringRuleEvaluationWindow.FIFTEEN_MINUTES,
                    parent="step_a",
                ),
            ],
            steps=[
                SecurityMonitoringRuleSequenceDetectionStep(
                    condition="a > 0",
                    evaluation_window=SecurityMonitoringRuleEvaluationWindow.ONE_MINUTE,
                    name="step_a",
                ),
                SecurityMonitoringRuleSequenceDetectionStep(
                    condition="b > 0",
                    evaluation_window=SecurityMonitoringRuleEvaluationWindow.ONE_MINUTE,
                    name="step_b",
                ),
            ],
        ),
    ),
    queries=[
        SecurityMonitoringStandardRuleQuery(
            query="source:source_here",
            group_by_fields=[
                "@userIdentity.assumed_role",
            ],
            distinct_fields=[],
            aggregation=SecurityMonitoringRuleQueryAggregation.COUNT,
            name="",
        ),
        SecurityMonitoringStandardRuleQuery(
            query="source:source_here2",
            group_by_fields=[],
            distinct_fields=[],
            aggregation=SecurityMonitoringRuleQueryAggregation.COUNT,
            name="",
        ),
    ],
    tags=[
        "env:prod",
        "team:security",
    ],
    type=SecurityMonitoringRuleTypeCreate.LOG_DETECTION,
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    api_instance.validate_security_monitoring_rule(body=body)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=python), then save the example to `example.py` and run the following command. Set `DD_SITE` to your Datadog site, one of `datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`:

```sh
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
```
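
A local pre-flight check for the `sequence_detection` payload shape used in the examples above, added here as an illustration; it is not part of the Datadog client or its documentation. The camelCase key names, the function names, and the rule that case conditions name steps are assumptions inferred from those examples, and the validate endpoint remains the authority on whether a rule is accepted.

```python
import re

# Constructed sample: the sequence_detection rule from the examples above as a plain dict.
# ASSUMPTION: camelCase wire names (sequenceDetectionOptions, stepTransitions) mirror
# the client setters shown on this page.
SAMPLE_RULE = {
    "name": "My security monitoring rule",
    "cases": [{"name": "", "status": "info", "condition": "step_b > 0"}],
    "options": {
        "detectionMethod": "sequence_detection",
        "sequenceDetectionOptions": {
            "steps": [
                {"name": "step_a", "condition": "a > 0"},
                {"name": "step_b", "condition": "b > 0"},
            ],
            "stepTransitions": [{"parent": "step_a", "child": "step_b"}],
        },
    },
}

IDENT = re.compile(r"[A-Za-z_]\w*")


def _has_cycle(edges):
    """Depth-first search for a cycle in the parent -> child transition graph."""
    visiting, done = set(), set()

    def visit(node):
        if node in done:
            return False
        if node in visiting:
            return True
        visiting.add(node)
        found = any(visit(nxt) for nxt in edges.get(node, ()))
        visiting.discard(node)
        done.add(node)
        return found

    return any(visit(node) for node in list(edges))


def lint_sequence_rule(rule):
    """Return a list of structural problems; an empty list means none were found."""
    options = rule.get("options") or {}
    if options.get("detectionMethod") != "sequence_detection":
        return ["options.detectionMethod is not sequence_detection"]
    seq = options.get("sequenceDetectionOptions") or {}
    problems = []

    # Step names must be present and unique, since transitions refer to them.
    defined = set()
    for step in seq.get("steps") or []:
        name = step.get("name") or ""
        if not name:
            problems.append("step has no name")
        elif name in defined:
            problems.append(f"duplicate step name: {name}")
        else:
            defined.add(name)

    # Every transition endpoint must be a defined step, and the graph must be acyclic.
    edges, linked = {}, set()
    for transition in seq.get("stepTransitions") or []:
        parent, child = transition.get("parent"), transition.get("child")
        for role, name in (("parent", parent), ("child", child)):
            if name not in defined:
                problems.append(f"transition {role} is not a defined step: {name}")
        edges.setdefault(parent, set()).add(child)
        linked.update((parent, child))
    if _has_cycle(edges):
        problems.append("step transitions contain a cycle")

    # With several steps, one that no transition touches can never join the sequence.
    if len(defined) > 1:
        for name in sorted(defined - linked):
            problems.append(f"step is not linked by any transition: {name}")

    # ASSUMPTION (from the example's "step_b > 0"): case conditions reference step names.
    for idx, case in enumerate(rule.get("cases") or []):
        refs = set(IDENT.findall(case.get("condition") or ""))
        for ref in sorted(refs - defined):
            problems.append(f"case {idx} condition references unknown step: {ref}")
    return problems


if __name__ == "__main__":
    for problem in lint_sequence_rule(SAMPLE_RULE) or ["no structural problems found"]:
        print(problem)
```

Running a check like this in CI before calling the validate endpoint catches a mistyped step name without spending an API call, which matters because a detection rule whose steps cannot chain would otherwise never produce a signal.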

```ruby
# Validate a detection rule returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

body = DatadogAPIClient::V2::SecurityMonitoringStandardRulePayload.new({
  cases: [
    DatadogAPIClient::V2::SecurityMonitoringRuleCaseCreate.new({
      name: "",
      status: DatadogAPIClient::V2::SecurityMonitoringRuleSeverity::INFO,
      notifications: [],
      condition: "a > 0",
    }),
  ],
  has_extended_title: true,
  is_enabled: true,
  message: "My security monitoring rule",
  name: "My security monitoring rule",
  options: DatadogAPIClient::V2::SecurityMonitoringRuleOptions.new({
    evaluation_window: DatadogAPIClient::V2::SecurityMonitoringRuleEvaluationWindow::THIRTY_MINUTES,
    keep_alive: DatadogAPIClient::V2::SecurityMonitoringRuleKeepAlive::THIRTY_MINUTES,
    max_signal_duration: DatadogAPIClient::V2::SecurityMonitoringRuleMaxSignalDuration::THIRTY_MINUTES,
    detection_method: DatadogAPIClient::V2::SecurityMonitoringRuleDetectionMethod::THRESHOLD,
  }),
  queries: [
    DatadogAPIClient::V2::SecurityMonitoringStandardRuleQuery.new({
      query: "source:source_here",
      group_by_fields: [
        "@userIdentity.assumed_role",
      ],
      distinct_fields: [],
      aggregation: DatadogAPIClient::V2::SecurityMonitoringRuleQueryAggregation::COUNT,
      name: "",
    }),
  ],
  tags: [
    "env:prod",
    "team:security",
  ],
  type: DatadogAPIClient::V2::SecurityMonitoringRuleTypeCreate::LOG_DETECTION,
})
api_instance.validate_security_monitoring_rule(body)
```


```ruby
# Validate a detection rule with detection method 'new_value' with enabled feature 'instantaneousBaseline' returns "OK"
# response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

body = DatadogAPIClient::V2::SecurityMonitoringStandardRulePayload.new({
  cases: [
    DatadogAPIClient::V2::SecurityMonitoringRuleCaseCreate.new({
      name: "",
      status: DatadogAPIClient::V2::SecurityMonitoringRuleSeverity::INFO,
      notifications: [],
    }),
  ],
  has_extended_title: true,
  is_enabled: true,
  message: "My security monitoring rule",
  name: "My security monitoring rule",
  options: DatadogAPIClient::V2::SecurityMonitoringRuleOptions.new({
    evaluation_window: DatadogAPIClient::V2::SecurityMonitoringRuleEvaluationWindow::ZERO_MINUTES,
    keep_alive: DatadogAPIClient::V2::SecurityMonitoringRuleKeepAlive::FIVE_MINUTES,
    max_signal_duration: DatadogAPIClient::V2::SecurityMonitoringRuleMaxSignalDuration::TEN_MINUTES,
    detection_method: DatadogAPIClient::V2::SecurityMonitoringRuleDetectionMethod::NEW_VALUE,
    new_value_options: DatadogAPIClient::V2::SecurityMonitoringRuleNewValueOptions.new({
      forget_after: DatadogAPIClient::V2::SecurityMonitoringRuleNewValueOptionsForgetAfter::ONE_WEEK,
      instantaneous_baseline: true,
      learning_duration: DatadogAPIClient::V2::SecurityMonitoringRuleNewValueOptionsLearningDuration::ONE_DAY,
      learning_threshold: DatadogAPIClient::V2::SecurityMonitoringRuleNewValueOptionsLearningThreshold::ZERO_OCCURRENCES,
      learning_method: DatadogAPIClient::V2::SecurityMonitoringRuleNewValueOptionsLearningMethod::DURATION,
    }),
  }),
  queries: [
    DatadogAPIClient::V2::SecurityMonitoringStandardRuleQuery.new({
      query: "source:source_here",
      group_by_fields: [
        "@userIdentity.assumed_role",
      ],
      distinct_fields: [],
      metric: "name",
      metrics: [
        "name",
      ],
      aggregation: DatadogAPIClient::V2::SecurityMonitoringRuleQueryAggregation::NEW_VALUE,
      name: "",
      data_source: DatadogAPIClient::V2::SecurityMonitoringStandardDataSource::LOGS,
    }),
  ],
  tags: [
    "env:prod",
    "team:security",
  ],
  type: DatadogAPIClient::V2::SecurityMonitoringRuleTypeCreate::LOG_DETECTION,
})
api_instance.validate_security_monitoring_rule(body)
```


```ruby
# Validate a detection rule with detection method 'sequence_detection' returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

body = DatadogAPIClient::V2::SecurityMonitoringStandardRulePayload.new({
  cases: [
    DatadogAPIClient::V2::SecurityMonitoringRuleCaseCreate.new({
      name: "",
      status: DatadogAPIClient::V2::SecurityMonitoringRuleSeverity::INFO,
      notifications: [],
      condition: "step_b > 0",
    }),
  ],
  has_extended_title: true,
  is_enabled: true,
  message: "My security monitoring rule",
  name: "My security monitoring rule",
  options: DatadogAPIClient::V2::SecurityMonitoringRuleOptions.new({
    evaluation_window: DatadogAPIClient::V2::SecurityMonitoringRuleEvaluationWindow::ZERO_MINUTES,
    keep_alive: DatadogAPIClient::V2::SecurityMonitoringRuleKeepAlive::FIVE_MINUTES,
    max_signal_duration: DatadogAPIClient::V2::SecurityMonitoringRuleMaxSignalDuration::TEN_MINUTES,
    detection_method: DatadogAPIClient::V2::SecurityMonitoringRuleDetectionMethod::SEQUENCE_DETECTION,
    sequence_detection_options: DatadogAPIClient::V2::SecurityMonitoringRuleSequenceDetectionOptions.new({
      step_transitions: [
        DatadogAPIClient::V2::SecurityMonitoringRuleSequenceDetectionStepTransition.new({
          child: "step_b",
          evaluation_window: DatadogAPIClient::V2::SecurityMonitoringRuleEvaluationWindow::FIFTEEN_MINUTES,
          parent: "step_a",
        }),
      ],
      steps: [
        DatadogAPIClient::V2::SecurityMonitoringRuleSequenceDetectionStep.new({
          condition: "a > 0",
          evaluation_window: DatadogAPIClient::V2::SecurityMonitoringRuleEvaluationWindow::ONE_MINUTE,
          name: "step_a",
        }),
        DatadogAPIClient::V2::SecurityMonitoringRuleSequenceDetectionStep.new({
          condition: "b > 0",
          evaluation_window: DatadogAPIClient::V2::SecurityMonitoringRuleEvaluationWindow::ONE_MINUTE,
          name: "step_b",
        }),
      ],
    }),
  }),
  queries: [
    DatadogAPIClient::V2::SecurityMonitoringStandardRuleQuery.new({
      query: "source:source_here",
      group_by_fields: [
        "@userIdentity.assumed_role",
      ],
      distinct_fields: [],
      aggregation: DatadogAPIClient::V2::SecurityMonitoringRuleQueryAggregation::COUNT,
      name: "",
    }),
    DatadogAPIClient::V2::SecurityMonitoringStandardRuleQuery.new({
      query: "source:source_here2",
      group_by_fields: [],
      distinct_fields: [],
      aggregation: DatadogAPIClient::V2::SecurityMonitoringRuleQueryAggregation::COUNT,
      name: "",
    }),
  ],
  tags: [
    "env:prod",
    "team:security",
  ],
  type: DatadogAPIClient::V2::SecurityMonitoringRuleTypeCreate::LOG_DETECTION,
})
api_instance.validate_security_monitoring_rule(body)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=ruby), then save the example to `example.rb` and run the following command. Set `DD_SITE` to your Datadog site, one of `datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`:

```sh
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" ruby "example.rb"
```

```rust
// Validate a detection rule returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleCaseCreate;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleDetectionMethod;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleEvaluationWindow;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleKeepAlive;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleMaxSignalDuration;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleOptions;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleQueryAggregation;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleSeverity;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleTypeCreate;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleValidatePayload;
use datadog_api_client::datadogV2::model::SecurityMonitoringStandardRulePayload;
use datadog_api_client::datadogV2::model::SecurityMonitoringStandardRuleQuery;

#[tokio::main]
async fn main() {
    let body =
        SecurityMonitoringRuleValidatePayload::SecurityMonitoringStandardRulePayload(Box::new(
            SecurityMonitoringStandardRulePayload::new(
                vec![
                    SecurityMonitoringRuleCaseCreate::new(SecurityMonitoringRuleSeverity::INFO)
                        .condition("a > 0".to_string())
                        .name("".to_string())
                        .notifications(vec![]),
                ],
                true,
                "My security monitoring rule".to_string(),
                "My security monitoring rule".to_string(),
                SecurityMonitoringRuleOptions::new()
                    .detection_method(SecurityMonitoringRuleDetectionMethod::THRESHOLD)
                    .evaluation_window(SecurityMonitoringRuleEvaluationWindow::THIRTY_MINUTES)
                    .keep_alive(SecurityMonitoringRuleKeepAlive::THIRTY_MINUTES)
                    .max_signal_duration(SecurityMonitoringRuleMaxSignalDuration::THIRTY_MINUTES),
                vec![SecurityMonitoringStandardRuleQuery::new()
                    .aggregation(SecurityMonitoringRuleQueryAggregation::COUNT)
                    .distinct_fields(vec![])
                    .group_by_fields(vec!["@userIdentity.assumed_role".to_string()])
                    .name("".to_string())
                    .query("source:source_here".to_string())],
            )
            .has_extended_title(true)
            .tags(vec!["env:prod".to_string(), "team:security".to_string()])
            .type_(SecurityMonitoringRuleTypeCreate::LOG_DETECTION),
        ));
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api.validate_security_monitoring_rule(body).await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}
```


```rust
// Validate a detection rule with detection method 'new_value' with enabled
// feature 'instantaneousBaseline' returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleCaseCreate;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleDetectionMethod;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleEvaluationWindow;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleKeepAlive;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleMaxSignalDuration;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleNewValueOptions;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleNewValueOptionsForgetAfter;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleNewValueOptionsLearningDuration;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleNewValueOptionsLearningMethod;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleNewValueOptionsLearningThreshold;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleOptions;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleQueryAggregation;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleSeverity;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleTypeCreate;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleValidatePayload;
use datadog_api_client::datadogV2::model::SecurityMonitoringStandardDataSource;
use datadog_api_client::datadogV2::model::SecurityMonitoringStandardRulePayload;
use datadog_api_client::datadogV2::model::SecurityMonitoringStandardRuleQuery;

#[tokio::main]
async fn main() {
    let body =
        SecurityMonitoringRuleValidatePayload::SecurityMonitoringStandardRulePayload(
            Box::new(
                SecurityMonitoringStandardRulePayload::new(
                    vec![
                        SecurityMonitoringRuleCaseCreate::new(SecurityMonitoringRuleSeverity::INFO)
                            .name("".to_string())
                            .notifications(vec![])
                    ],
                    true,
                    "My security monitoring rule".to_string(),
                    "My security monitoring rule".to_string(),
                    SecurityMonitoringRuleOptions::new()
                        .detection_method(SecurityMonitoringRuleDetectionMethod::NEW_VALUE)
                        .evaluation_window(SecurityMonitoringRuleEvaluationWindow::ZERO_MINUTES)
                        .keep_alive(SecurityMonitoringRuleKeepAlive::FIVE_MINUTES)
                        .max_signal_duration(SecurityMonitoringRuleMaxSignalDuration::TEN_MINUTES)
                        .new_value_options(
                            SecurityMonitoringRuleNewValueOptions::new()
                                .forget_after(SecurityMonitoringRuleNewValueOptionsForgetAfter::ONE_WEEK)
                                .instantaneous_baseline(true)
                                .learning_duration(SecurityMonitoringRuleNewValueOptionsLearningDuration::ONE_DAY)
                                .learning_method(SecurityMonitoringRuleNewValueOptionsLearningMethod::DURATION)
                                .learning_threshold(
                                    SecurityMonitoringRuleNewValueOptionsLearningThreshold::ZERO_OCCURRENCES,
                                ),
                        ),
                    vec![
                        SecurityMonitoringStandardRuleQuery::new()
                            .aggregation(SecurityMonitoringRuleQueryAggregation::NEW_VALUE)
                            .data_source(SecurityMonitoringStandardDataSource::LOGS)
                            .distinct_fields(vec![])
                            .group_by_fields(vec!["@userIdentity.assumed_role".to_string()])
                            .metric("name".to_string())
                            .metrics(vec!["name".to_string()])
                            .name("".to_string())
                            .query("source:source_here".to_string())
                    ],
                )
                    .has_extended_title(true)
                    .tags(vec!["env:prod".to_string(), "team:security".to_string()])
                    .type_(SecurityMonitoringRuleTypeCreate::LOG_DETECTION),
            ),
        );
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api.validate_security_monitoring_rule(body).await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}
```


```rust
// Validate a detection rule with detection method 'sequence_detection' returns
// "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleCaseCreate;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleDetectionMethod;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleEvaluationWindow;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleKeepAlive;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleMaxSignalDuration;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleOptions;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleQueryAggregation;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleSequenceDetectionOptions;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleSequenceDetectionStep;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleSequenceDetectionStepTransition;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleSeverity;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleTypeCreate;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleValidatePayload;
use datadog_api_client::datadogV2::model::SecurityMonitoringStandardRulePayload;
use datadog_api_client::datadogV2::model::SecurityMonitoringStandardRuleQuery;

#[tokio::main]
async fn main() {
    let body =
        SecurityMonitoringRuleValidatePayload::SecurityMonitoringStandardRulePayload(Box::new(
            SecurityMonitoringStandardRulePayload::new(
                vec![
                    SecurityMonitoringRuleCaseCreate::new(SecurityMonitoringRuleSeverity::INFO)
                        .condition("step_b > 0".to_string())
                        .name("".to_string())
                        .notifications(vec![]),
                ],
                true,
                "My security monitoring rule".to_string(),
                "My security monitoring rule".to_string(),
                SecurityMonitoringRuleOptions::new()
                    .detection_method(SecurityMonitoringRuleDetectionMethod::SEQUENCE_DETECTION)
                    .evaluation_window(SecurityMonitoringRuleEvaluationWindow::ZERO_MINUTES)
                    .keep_alive(SecurityMonitoringRuleKeepAlive::FIVE_MINUTES)
                    .max_signal_duration(SecurityMonitoringRuleMaxSignalDuration::TEN_MINUTES)
                    .sequence_detection_options(
                        SecurityMonitoringRuleSequenceDetectionOptions::new()
                            .step_transitions(vec![
                                SecurityMonitoringRuleSequenceDetectionStepTransition::new()
                                    .child("step_b".to_string())
                                    .evaluation_window(
                                        SecurityMonitoringRuleEvaluationWindow::FIFTEEN_MINUTES,
                                    )
                                    .parent("step_a".to_string()),
                            ])
                            .steps(vec![
                                SecurityMonitoringRuleSequenceDetectionStep::new()
                                    .condition("a > 0".to_string())
                                    .evaluation_window(
                                        SecurityMonitoringRuleEvaluationWindow::ONE_MINUTE,
                                    )
                                    .name("step_a".to_string()),
                                SecurityMonitoringRuleSequenceDetectionStep::new()
                                    .condition("b > 0".to_string())
                                    .evaluation_window(
                                        SecurityMonitoringRuleEvaluationWindow::ONE_MINUTE,
                                    )
                                    .name("step_b".to_string()),
                            ]),
                    ),
                vec![
                    SecurityMonitoringStandardRuleQuery::new()
                        .aggregation(SecurityMonitoringRuleQueryAggregation::COUNT)
                        .distinct_fields(vec![])
                        .group_by_fields(vec!["@userIdentity.assumed_role".to_string()])
                        .name("".to_string())
                        .query("source:source_here".to_string()),
                    SecurityMonitoringStandardRuleQuery::new()
                        .aggregation(SecurityMonitoringRuleQueryAggregation::COUNT)
                        .distinct_fields(vec![])
                        .group_by_fields(vec![])
                        .name("".to_string())
                        .query("source:source_here2".to_string()),
                ],
            )
            .has_extended_title(true)
            .tags(vec!["env:prod".to_string(), "team:security".to_string()])
            .type_(SecurityMonitoringRuleTypeCreate::LOG_DETECTION),
        ));
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api.validate_security_monitoring_rule(body).await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=rust), then save the example to `src/main.rs` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```shell
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run
```

```typescript
/**
 * Validate a detection rule returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiValidateSecurityMonitoringRuleRequest = {
  body: {
    cases: [
      {
        name: "",
        status: "info",
        notifications: [],
        condition: "a > 0",
      },
    ],
    hasExtendedTitle: true,
    isEnabled: true,
    message: "My security monitoring rule",
    name: "My security monitoring rule",
    options: {
      evaluationWindow: 1800,
      keepAlive: 1800,
      maxSignalDuration: 1800,
      detectionMethod: "threshold",
    },
    queries: [
      {
        query: "source:source_here",
        groupByFields: ["@userIdentity.assumed_role"],
        distinctFields: [],
        aggregation: "count",
        name: "",
      },
    ],
    tags: ["env:prod", "team:security"],
    type: "log_detection",
  },
};

apiInstance
  .validateSecurityMonitoringRule(params)
  .then((data: any) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));
```


```typescript
/**
 * Validate a detection rule with detection method 'new_value' with enabled feature 'instantaneousBaseline' returns "OK"
 * response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiValidateSecurityMonitoringRuleRequest = {
  body: {
    cases: [
      {
        name: "",
        status: "info",
        notifications: [],
      },
    ],
    hasExtendedTitle: true,
    isEnabled: true,
    message: "My security monitoring rule",
    name: "My security monitoring rule",
    options: {
      evaluationWindow: 0,
      keepAlive: 300,
      maxSignalDuration: 600,
      detectionMethod: "new_value",
      newValueOptions: {
        forgetAfter: 7,
        instantaneousBaseline: true,
        learningDuration: 1,
        learningThreshold: 0,
        learningMethod: "duration",
      },
    },
    queries: [
      {
        query: "source:source_here",
        groupByFields: ["@userIdentity.assumed_role"],
        distinctFields: [],
        metric: "name",
        metrics: ["name"],
        aggregation: "new_value",
        name: "",
        dataSource: "logs",
      },
    ],
    tags: ["env:prod", "team:security"],
    type: "log_detection",
  },
};

apiInstance
  .validateSecurityMonitoringRule(params)
  .then((data: any) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));
```


```typescript
/**
 * Validate a detection rule with detection method 'sequence_detection' returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiValidateSecurityMonitoringRuleRequest = {
  body: {
    cases: [
      {
        name: "",
        status: "info",
        notifications: [],
        condition: "step_b > 0",
      },
    ],
    hasExtendedTitle: true,
    isEnabled: true,
    message: "My security monitoring rule",
    name: "My security monitoring rule",
    options: {
      evaluationWindow: 0,
      keepAlive: 300,
      maxSignalDuration: 600,
      detectionMethod: "sequence_detection",
      sequenceDetectionOptions: {
        stepTransitions: [
          {
            child: "step_b",
            evaluationWindow: 900,
            parent: "step_a",
          },
        ],
        steps: [
          {
            condition: "a > 0",
            evaluationWindow: 60,
            name: "step_a",
          },
          {
            condition: "b > 0",
            evaluationWindow: 60,
            name: "step_b",
          },
        ],
      },
    },
    queries: [
      {
        query: "source:source_here",
        groupByFields: ["@userIdentity.assumed_role"],
        distinctFields: [],
        aggregation: "count",
        name: "",
      },
      {
        query: "source:source_here2",
        groupByFields: [],
        distinctFields: [],
        aggregation: "count",
        name: "",
      },
    ],
    tags: ["env:prod", "team:security"],
    type: "log_detection",
  },
};

apiInstance
  .validateSecurityMonitoringRule(params)
  .then((data: any) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=typescript), then save the example to `example.ts` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```shell
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"
```
{% /tab %}

## Convert an existing rule from JSON to Terraform{% #convert-an-existing-rule-from-json-to-terraform %}

{% tab title="v2" %}

| Datadog site      | API endpoint                                                                         |
| ----------------- | ------------------------------------------------------------------------------------ |
| ap1.datadoghq.com | GET https://api.ap1.datadoghq.com/api/v2/security_monitoring/rules/{rule_id}/convert |
| ap2.datadoghq.com | GET https://api.ap2.datadoghq.com/api/v2/security_monitoring/rules/{rule_id}/convert |
| app.datadoghq.eu  | GET https://api.datadoghq.eu/api/v2/security_monitoring/rules/{rule_id}/convert      |
| app.ddog-gov.com  | GET https://api.ddog-gov.com/api/v2/security_monitoring/rules/{rule_id}/convert      |
| app.datadoghq.com | GET https://api.datadoghq.com/api/v2/security_monitoring/rules/{rule_id}/convert     |
| us3.datadoghq.com | GET https://api.us3.datadoghq.com/api/v2/security_monitoring/rules/{rule_id}/convert |
| us5.datadoghq.com | GET https://api.us5.datadoghq.com/api/v2/security_monitoring/rules/{rule_id}/convert |

### Overview



Convert an existing rule from JSON to Terraform for Datadog provider resource `datadog_security_monitoring_rule`. You can do so for the following rule types:

- App and API Protection
- Cloud SIEM (log detection and signal correlation)
- Workload Protection

You can convert Cloud Security configuration rules using Terraform's [Datadog Cloud Configuration Rule resource](https://registry.terraform.io/providers/DataDog/datadog/latest/docs/resources/cloud_configuration_rule).
This endpoint requires the `security_monitoring_rules_read` permission.
OAuth apps require the `security_monitoring_rules_read` authorization [scope](https://docs.datadoghq.com/api/latest/scopes/#security-monitoring) to access this endpoint.



### Arguments

#### Path Parameters

| Name                      | Type   | Description         |
| ------------------------- | ------ | ------------------- |
| rule_id [*required*] | string | The ID of the rule. |

### Response

{% tab title="200" %}
OK
{% tab title="Model" %}
Result of the convert rule request containing Terraform content.

| Field            | Type   | Description                                                    |
| ---------------- | ------ | -------------------------------------------------------------- |
| ruleId           | string | The ID of the rule.                                            |
| terraformContent | string | Terraform string as a result of converting the rule from JSON. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "ruleId": "string",
  "terraformContent": "string"
}
```

{% /tab %}

{% /tab %}

{% tab title="400" %}
Bad Request
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="403" %}
Not Authorized
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="404" %}
Not Found
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="429" %}
Too many requests
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

### Code Example

```shell
# Path parameters
export rule_id="CHANGE_ME"
# Curl command
# Replace api.datadoghq.com with the API host for your Datadog site (see the endpoint table above)
curl -X GET "https://api.datadoghq.com/api/v2/security_monitoring/rules/${rule_id}/convert" \
-H "Accept: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"
```

```python
"""
Convert an existing rule from JSON to Terraform returns "OK" response
"""

from os import environ
from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi

# there is a valid "security_rule_hash" in the system
SECURITY_RULE_HASH_ID = environ["SECURITY_RULE_HASH_ID"]

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.convert_existing_security_monitoring_rule(
        rule_id=SECURITY_RULE_HASH_ID,
    )

    print(response)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=python), then save the example to `example.py` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```shell
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
```

```ruby
# Convert an existing rule from JSON to Terraform returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

# there is a valid "security_rule_hash" in the system
SECURITY_RULE_HASH_ID = ENV["SECURITY_RULE_HASH_ID"]
p api_instance.convert_existing_security_monitoring_rule(SECURITY_RULE_HASH_ID)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=ruby), then save the example to `example.rb` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```shell
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" ruby "example.rb"
```

```go
// Convert an existing rule from JSON to Terraform returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	// there is a valid "security_rule_hash" in the system
	SecurityRuleHashID := os.Getenv("SECURITY_RULE_HASH_ID")

	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.ConvertExistingSecurityMonitoringRule(ctx, SecurityRuleHashID)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.ConvertExistingSecurityMonitoringRule`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.ConvertExistingSecurityMonitoringRule`:\n%s\n", responseContent)
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=go), then save the example to `main.go` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```shell
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
```

```java
// Convert an existing rule from JSON to Terraform returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleConvertResponse;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    // there is a valid "security_rule_hash" in the system
    String SECURITY_RULE_HASH_ID = System.getenv("SECURITY_RULE_HASH_ID");

    try {
      SecurityMonitoringRuleConvertResponse result =
          apiInstance.convertExistingSecurityMonitoringRule(SECURITY_RULE_HASH_ID);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#convertExistingSecurityMonitoringRule");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=java), then save the example to `Example.java` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```shell
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"
```

```rust
// Convert an existing rule from JSON to Terraform returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;

#[tokio::main]
async fn main() {
    // there is a valid "security_rule_hash" in the system
    let security_rule_hash_id = std::env::var("SECURITY_RULE_HASH_ID").unwrap();
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api
        .convert_existing_security_monitoring_rule(security_rule_hash_id.clone())
        .await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=rust), then save the example to `src/main.rs` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```shell
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run
```

```typescript
/**
 * Convert an existing rule from JSON to Terraform returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

// there is a valid "security_rule_hash" in the system
const SECURITY_RULE_HASH_ID = process.env.SECURITY_RULE_HASH_ID as string;

const params: v2.SecurityMonitoringApiConvertExistingSecurityMonitoringRuleRequest =
  {
    ruleId: SECURITY_RULE_HASH_ID,
  };

apiInstance
  .convertExistingSecurityMonitoringRule(params)
  .then((data: v2.SecurityMonitoringRuleConvertResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=typescript), then save the example to `example.ts` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```shell
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"
```
{% /tab %}
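
A typical next step after converting an existing rule is to commit the returned `terraformContent` to a detection-as-code repository. The following added example (not from the Datadog documentation or client libraries) handles the documented 200 body and the `errors` body of the 400/403/404/429 responses offline. The rule ID pattern, the file naming, and the sample responses are assumptions constructed for illustration.

```python
"""Added example: store the convert endpoint's response as a .tf file."""
import json
import re
from pathlib import Path

# Assumption: rule IDs are short tokens of letters, digits, '-' and '_'.
# Anything else is rejected so an API-supplied value cannot steer the file path.
SAFE_RULE_ID = re.compile(r"[A-Za-z0-9_-]{1,64}")
# The endpoint overview names this provider resource as the conversion target.
EXPECTED_RESOURCE = "datadog_security_monitoring_rule"


class ConvertError(Exception):
    """Non-200 reply carrying the documented {"errors": [...]} body."""

    def __init__(self, status, errors):
        super().__init__(f"HTTP {status}: {'; '.join(errors)}")
        self.status = status
        self.errors = errors
        self.retryable = status == 429  # rate limited: back off, then retry


def _parse(body):
    """Return the body as a dict, or {} when it is not a JSON object."""
    try:
        parsed = json.loads(body)
    except json.JSONDecodeError:
        return {}
    return parsed if isinstance(parsed, dict) else {}


def save_terraform(status, body, out_dir):
    """Validate a convert response and write <ruleId>.tf under out_dir."""
    payload = _parse(body)
    if status != 200:
        errors = payload.get("errors")
        if not isinstance(errors, list) or not errors:
            errors = ["no error detail in response body"]
        raise ConvertError(status, [str(e) for e in errors])

    rule_id = payload.get("ruleId")
    content = payload.get("terraformContent")
    if not isinstance(rule_id, str) or not SAFE_RULE_ID.fullmatch(rule_id):
        raise ValueError("ruleId is missing or not safe to use as a file name")
    if not isinstance(content, str) or EXPECTED_RESOURCE not in content:
        raise ValueError(f"terraformContent does not declare {EXPECTED_RESOURCE}")

    out_dir = Path(out_dir)
    out_dir.mkdir(parents=True, exist_ok=True)
    target = out_dir / f"{rule_id}.tf"
    # Write to a temporary name first so a crash never leaves a half-written rule.
    tmp = out_dir / f".{rule_id}.tf.tmp"
    tmp.write_text(content, encoding="utf-8")
    tmp.replace(target)
    return target


# Constructed sample responses (not captured from a real account).
SAMPLE_TF = (
    'resource "datadog_security_monitoring_rule" "example" {\n'
    '  name = "My security monitoring rule"\n'
    "}\n"
)
SAMPLE_OK = json.dumps({"ruleId": "abc-123-xyz", "terraformContent": SAMPLE_TF})
SAMPLE_RATE_LIMITED = json.dumps({"errors": ["Too many requests"]})
SAMPLE_BAD_ID = json.dumps({"ruleId": "../outside", "terraformContent": SAMPLE_TF})

if __name__ == "__main__":
    import tempfile

    with tempfile.TemporaryDirectory() as workdir:
        print(save_terraform(200, SAMPLE_OK, workdir))
```

Review the written file with `terraform plan` before applying it; the conversion reflects the rule as stored in Datadog at the time of the call.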

## Convert a rule from JSON to Terraform{% #convert-a-rule-from-json-to-terraform %}

{% tab title="v2" %}

| Datadog site      | API endpoint                                                                |
| ----------------- | --------------------------------------------------------------------------- |
| ap1.datadoghq.com | POST https://api.ap1.datadoghq.com/api/v2/security_monitoring/rules/convert |
| ap2.datadoghq.com | POST https://api.ap2.datadoghq.com/api/v2/security_monitoring/rules/convert |
| app.datadoghq.eu  | POST https://api.datadoghq.eu/api/v2/security_monitoring/rules/convert      |
| app.ddog-gov.com  | POST https://api.ddog-gov.com/api/v2/security_monitoring/rules/convert      |
| app.datadoghq.com | POST https://api.datadoghq.com/api/v2/security_monitoring/rules/convert     |
| us3.datadoghq.com | POST https://api.us3.datadoghq.com/api/v2/security_monitoring/rules/convert |
| us5.datadoghq.com | POST https://api.us5.datadoghq.com/api/v2/security_monitoring/rules/convert |

### Overview



Convert a rule that doesn't (yet) exist from JSON to Terraform for Datadog provider resource `datadog_security_monitoring_rule`. You can do so for the following rule types:

- App and API Protection
- Cloud SIEM (log detection and signal correlation)
- Workload Protection

You can convert Cloud Security configuration rules using Terraform's [Datadog Cloud Configuration Rule resource](https://registry.terraform.io/providers/DataDog/datadog/latest/docs/resources/cloud_configuration_rule).
This endpoint requires the `security_monitoring_rules_write` permission.
OAuth apps require the `security_monitoring_rules_write` authorization [scope](https://docs.datadoghq.com/api/latest/scopes/#security-monitoring) to access this endpoint.



### Request

#### Body Data (required)



{% tab title="Model" %}

| Parent field             | Field                           | Type     | Description                                                                                                                                                                                                                                                                                                                                                                                                      |
| ------------------------ | ------------------------------- | -------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|                          | Option 1                        | object   | The payload of a rule.                                                                                                                                                                                                                                                                                                                                                                                           |
| Option 1                 | calculatedFields                | [object] | Calculated fields. Only allowed for scheduled rules - in other words, when schedulingOptions is also defined.                                                                                                                                                                                                                                                                                                    |
| calculatedFields         | expression [*required*]    | string   | Expression.                                                                                                                                                                                                                                                                                                                                                                                                      |
| calculatedFields         | name [*required*]          | string   | Field name.                                                                                                                                                                                                                                                                                                                                                                                                      |
| Option 1                 | cases [*required*]         | [object] | Cases for generating signals.                                                                                                                                                                                                                                                                                                                                                                                    |
| cases                    | actions                         | [object] | Action to perform for each rule case.                                                                                                                                                                                                                                                                                                                                                                            |
| actions                  | options                         | object   | Options for the rule action                                                                                                                                                                                                                                                                                                                                                                                      |
| options                  | duration                        | int64    | Duration of the action in seconds. 0 indicates no expiration.                                                                                                                                                                                                                                                                                                                                                    |
| options                  | flaggedIPType                   | enum     | Used with the case action of type 'flag_ip'. The value specified in this field is applied as a flag to the IP addresses. Allowed enum values: `SUSPICIOUS,FLAGGED`                                                                                                                                                                                                                                               |
| options                  | userBehaviorName                | string   | Used with the case action of type 'user_behavior'. The value specified in this field is applied as a risk tag to all users affected by the rule.                                                                                                                                                                                                                                                                 |
| actions                  | type                            | enum     | The action type. Allowed enum values: `block_ip,block_user,user_behavior,flag_ip`                                                                                                                                                                                                                                                                                                                                |
| cases                    | condition                       | string   | A case contains logical operations (`>`,`>=`, `&&`, `||`) to determine if a signal should be generated based on the event counts in the previously defined queries.                                                                                                                                                                                                                                              |
| cases                    | name                            | string   | Name of the case.                                                                                                                                                                                                                                                                                                                                                                                                |
| cases                    | notifications                   | [string] | Notification targets.                                                                                                                                                                                                                                                                                                                                                                                            |
| cases                    | status [*required*]        | enum     | Severity of the Security Signal. Allowed enum values: `info,low,medium,high,critical`                                                                                                                                                                                                                                                                                                                            |
| Option 1                 | customMessage                   | string   | Custom/Overridden message for generated signals (used in case of Default rule update).                                                                                                                                                                                                                                                                                                                           |
| Option 1                 | customName                      | string   | Custom/Overridden name of the rule (used in case of Default rule update).                                                                                                                                                                                                                                                                                                                                        |
| Option 1                 | filters                         | [object] | Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules.                                                                                                                                                                                                                                              |
| filters                  | action                          | enum     | The type of filtering action. Allowed enum values: `require,suppress`                                                                                                                                                                                                                                                                                                                                            |
| filters                  | query                           | string   | Query for selecting logs to apply the filtering action.                                                                                                                                                                                                                                                                                                                                                          |
| Option 1                 | groupSignalsBy                  | [string] | Additional grouping to perform on top of the existing groups in the query section. Must be a subset of the existing groups.                                                                                                                                                                                                                                                                                      |
| Option 1                 | hasExtendedTitle                | boolean  | Whether the notifications include the triggering group-by values in their title.                                                                                                                                                                                                                                                                                                                                 |
| Option 1                 | isEnabled [*required*]     | boolean  | Whether the rule is enabled.                                                                                                                                                                                                                                                                                                                                                                                     |
| Option 1                 | message [*required*]       | string   | Message for generated signals.                                                                                                                                                                                                                                                                                                                                                                                   |
| Option 1                 | name [*required*]          | string   | The name of the rule.                                                                                                                                                                                                                                                                                                                                                                                            |
| Option 1                 | options [*required*]       | object   | Options.                                                                                                                                                                                                                                                                                                                                                                                                         |
| options                  | anomalyDetectionOptions         | object   | Options on anomaly detection method.                                                                                                                                                                                                                                                                                                                                                                             |
| anomalyDetectionOptions  | bucketDuration                  | enum     | Duration in seconds of the time buckets used to aggregate events matched by the rule. Must be greater than or equal to 300. Allowed enum values: `300,600,900,1800,3600,10800`                                                                                                                                                                                                                                   |
| anomalyDetectionOptions  | detectionTolerance              | enum     | An optional parameter that sets how permissive anomaly detection is. Higher values require higher deviations before triggering a signal. Allowed enum values: `1,2,3,4,5`                                                                                                                                                                                                                                        |
| anomalyDetectionOptions  | instantaneousBaseline           | boolean  | When set to true, Datadog uses previous values that fall within the defined learning window to construct the baseline, enabling the system to establish an accurate baseline more rapidly rather than relying solely on gradual learning over time.                                                                                                                                                              |
| anomalyDetectionOptions  | learningDuration                | enum     | Learning duration in hours. Anomaly detection waits for at least this amount of historical data before it starts evaluating. Allowed enum values: `1,6,12,24,48,168,336`                                                                                                                                                                                                                                         |
| anomalyDetectionOptions  | learningPeriodBaseline          | int64    | An optional override baseline to apply while the rule is in the learning period. Must be greater than or equal to 0.                                                                                                                                                                                                                                                                                             |
| options                  | complianceRuleOptions           | object   | Options for cloud_configuration rules. Fields `resourceType` and `regoRule` are mandatory when managing custom `cloud_configuration` rules.                                                                                                                                                                                                                                                                      |
| complianceRuleOptions    | complexRule                     | boolean  | Whether the rule is a complex one. Must be set to true if `regoRule.resourceTypes` contains more than one item. Defaults to false.                                                                                                                                                                                                                                                                               |
| complianceRuleOptions    | regoRule                        | object   | Rule details.                                                                                                                                                                                                                                                                                                                                                                                                    |
| regoRule                 | policy [*required*]        | string   | The policy written in `rego`, see: [https://www.openpolicyagent.org/docs/latest/policy-language/](https://www.openpolicyagent.org/docs/latest/policy-language/)                                                                                                                                                                                                                                                  |
| regoRule                 | resourceTypes [*required*] | [string] | List of resource types that will be evaluated upon. Must have at least one element.                                                                                                                                                                                                                                                                                                                              |
| complianceRuleOptions    | resourceType                    | string   | Main resource type to be checked by the rule. It should be specified again in `regoRule.resourceTypes`.                                                                                                                                                                                                                                                                                                          |
| options                  | decreaseCriticalityBasedOnEnv   | boolean  | If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise. The severity is decreased by one level: `CRITICAL` in production becomes `HIGH` in non-production, `HIGH` becomes `MEDIUM` and so on. `INFO` remains `INFO`. The decrement is applied when the environment tag of the signal starts with `staging`, `test` or `dev`. |
| options                  | detectionMethod                 | enum     | The detection method. Allowed enum values: `threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold,sequence_detection`                                                                                                                                                                                                                                                  |
| options                  | evaluationWindow                | enum     | A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600`                                                                                                                                               |
| options                  | hardcodedEvaluatorType          | enum     | Hardcoded evaluator type. Allowed enum values: `log4shell`                                                                                                                                                                                                                                                                                                                                                       |
| options                  | impossibleTravelOptions         | object   | Options on impossible travel detection method.                                                                                                                                                                                                                                                                                                                                                                   |
| impossibleTravelOptions  | baselineUserLocations           | boolean  | If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.                                                                                                                                                                                                    |
| options                  | keepAlive                       | enum     | Once a signal is generated, the signal will remain "open" if a case is matched at least once within this keep alive window. For third party detection method, this field is not used. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600`                                                                                                                                                         |
| options                  | maxSignalDuration               | enum     | A signal will "close" regardless of the query being matched once the time exceeds the maximum duration. This time is calculated from the first seen timestamp. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600`                                                                                                                                                                                |
| options                  | newValueOptions                 | object   | Options on new value detection method.                                                                                                                                                                                                                                                                                                                                                                           |
| newValueOptions          | forgetAfter                     | enum     | The duration in days after which a learned value is forgotten. Allowed enum values: `1,2,7,14,21,28`                                                                                                                                                                                                                                                                                                             |
| newValueOptions          | instantaneousBaseline           | boolean  | When set to true, Datadog uses previous values that fall within the defined learning window to construct the baseline, enabling the system to establish an accurate baseline more rapidly rather than relying solely on gradual learning over time.                                                                                                                                                              |
| newValueOptions          | learningDuration                | enum     | The duration in days during which values are learned, and after which signals will be generated for values that weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned. Allowed enum values: `0,1,7`                                                                                                                                                       |
| newValueOptions          | learningMethod                  | enum     | The learning method used to determine when signals should be generated for values that weren't learned. Allowed enum values: `duration,threshold`                                                                                                                                                                                                                                                                |
| newValueOptions          | learningThreshold               | enum     | A number of occurrences after which signals will be generated for values that weren't learned. Allowed enum values: `0,1`                                                                                                                                                                                                                                                                                        |
| options                  | sequenceDetectionOptions        | object   | Options on sequence detection method.                                                                                                                                                                                                                                                                                                                                                                            |
| sequenceDetectionOptions | stepTransitions                 | [object] | Transitions defining the allowed order of steps and their evaluation windows.                                                                                                                                                                                                                                                                                                                                    |
| stepTransitions          | child                           | string   | Name of the child step.                                                                                                                                                                                                                                                                                                                                                                                          |
| stepTransitions          | evaluationWindow                | enum     | A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600`                                                                                                                                               |
| stepTransitions          | parent                          | string   | Name of the parent step.                                                                                                                                                                                                                                                                                                                                                                                         |
| sequenceDetectionOptions | steps                           | [object] | Steps that define the conditions to be matched in sequence.                                                                                                                                                                                                                                                                                                                                                      |
| steps                    | condition                       | string   | Condition referencing rule queries (e.g., `a > 0`).                                                                                                                                                                                                                                                                                                                                                              |
| steps                    | evaluationWindow                | enum     | A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600`                                                                                                                                               |
| steps                    | name                            | string   | Unique name identifying the step.                                                                                                                                                                                                                                                                                                                                                                                |
| options                  | thirdPartyRuleOptions           | object   | Options on third party detection method.                                                                                                                                                                                                                                                                                                                                                                         |
| thirdPartyRuleOptions    | defaultNotifications            | [string] | Notification targets for the logs that do not correspond to any of the cases.                                                                                                                                                                                                                                                                                                                                    |
| thirdPartyRuleOptions    | defaultStatus                   | enum     | Severity of the Security Signal. Allowed enum values: `info,low,medium,high,critical`                                                                                                                                                                                                                                                                                                                            |
| thirdPartyRuleOptions    | rootQueries                     | [object] | Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.                                                                                                                                                                                                                                                      |
| rootQueries              | groupByFields                   | [string] | Fields to group by.                                                                                                                                                                                                                                                                                                                                                                                              |
| rootQueries              | query                           | string   | Query to run on logs.                                                                                                                                                                                                                                                                                                                                                                                            |
| thirdPartyRuleOptions    | signalTitleTemplate             | string   | A template for the signal title; if omitted, the title is generated based on the case name.                                                                                                                                                                                                                                                                                                                      |
| Option 1                 | queries [*required*]       | [object] | Queries for selecting logs which are part of the rule.                                                                                                                                                                                                                                                                                                                                                           |
| queries                  | aggregation                     | enum     | The aggregation type. Allowed enum values: `count,cardinality,sum,max,new_value,geo_data,event_count,none`                                                                                                                                                                                                                                                                                                       |
| queries                  | customQueryExtension            | string   | Query extension to append to the logs query.                                                                                                                                                                                                                                                                                                                                                                     |
| queries                  | dataSource                      | enum     | Source of events, either logs, audit trail, or Datadog events. `app_sec_spans` is deprecated in favor of `spans`. Allowed enum values: `logs,audit,app_sec_spans,spans,security_runtime,network,events`                                                                                                                                                                                                          |
| queries                  | distinctFields                  | [string] | Field for which the cardinality is measured. Sent as an array.                                                                                                                                                                                                                                                                                                                                                   |
| queries                  | groupByFields                   | [string] | Fields to group by.                                                                                                                                                                                                                                                                                                                                                                                              |
| queries                  | hasOptionalGroupByFields        | boolean  | When false, events without a group-by value are ignored by the rule. When true, events with missing group-by fields are processed with `N/A`, replacing the missing values.                                                                                                                                                                                                                                      |
| queries                  | index                           | string   | **This field is currently unstable and might be removed in a minor version upgrade.** The index to run the query on, if the `dataSource` is `logs`. Only used for scheduled rules - in other words, when the `schedulingOptions` field is present in the rule payload.                                                                                                                                           |
| queries                  | indexes                         | [string] | List of indexes to query when the `dataSource` is `logs`. Only used for scheduled rules, such as when the `schedulingOptions` field is present in the rule payload.                                                                                                                                                                                                                                              |
| queries                  | metric                          | string   | **DEPRECATED**: (Deprecated) The target field to aggregate over when using the sum or max aggregations. `metrics` field should be used instead.                                                                                                                                                                                                                                                                  |
| queries                  | metrics                         | [string] | Group of target fields to aggregate over when using the sum, max, geo data, or new value aggregations. The sum, max, and geo data aggregations only accept one value in this list, whereas the new value aggregation accepts up to five values.                                                                                                                                                                  |
| queries                  | name                            | string   | Name of the query.                                                                                                                                                                                                                                                                                                                                                                                               |
| queries                  | query                           | string   | Query to run on logs.                                                                                                                                                                                                                                                                                                                                                                                            |
| Option 1                 | referenceTables                 | [object] | Reference tables for the rule.                                                                                                                                                                                                                                                                                                                                                                                   |
| referenceTables          | checkPresence                   | boolean  | Whether to include or exclude the matched values.                                                                                                                                                                                                                                                                                                                                                                |
| referenceTables          | columnName                      | string   | The name of the column in the reference table.                                                                                                                                                                                                                                                                                                                                                                   |
| referenceTables          | logFieldPath                    | string   | The field in the log to match against the reference table.                                                                                                                                                                                                                                                                                                                                                       |
| referenceTables          | ruleQueryName                   | string   | The name of the query to apply the reference table to.                                                                                                                                                                                                                                                                                                                                                           |
| referenceTables          | tableName                       | string   | The name of the reference table.                                                                                                                                                                                                                                                                                                                                                                                 |
| Option 1                 | schedulingOptions               | object   | Options for scheduled rules. When this field is present, the rule runs based on the schedule. When absent, it runs real-time on ingested logs.                                                                                                                                                                                                                                                                   |
| schedulingOptions        | rrule                           | string   | Schedule for the rule queries, written in RRULE syntax. See [RFC](https://icalendar.org/iCalendar-RFC-5545/3-8-5-3-recurrence-rule.html) for syntax reference.                                                                                                                                                                                                                                                   |
| schedulingOptions        | start                           | string   | Start date for the schedule, in ISO 8601 format without timezone.                                                                                                                                                                                                                                                                                                                                                |
| schedulingOptions        | timezone                        | string   | Time zone of the start date, in the [tz database](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones) format.                                                                                                                                                                                                                                                                                          |
| Option 1                 | tags                            | [string] | Tags for generated signals.                                                                                                                                                                                                                                                                                                                                                                                      |
| Option 1                 | thirdPartyCases                 | [object] | Cases for generating signals from third-party rules. Only available for third-party rules.                                                                                                                                                                                                                                                                                                                       |
| thirdPartyCases          | name                            | string   | Name of the case.                                                                                                                                                                                                                                                                                                                                                                                                |
| thirdPartyCases          | notifications                   | [string] | Notification targets for each case.                                                                                                                                                                                                                                                                                                                                                                              |
| thirdPartyCases          | query                           | string   | A query to map a third party event to this case.                                                                                                                                                                                                                                                                                                                                                                 |
| thirdPartyCases          | status [*required*]        | enum     | Severity of the Security Signal. Allowed enum values: `info,low,medium,high,critical`                                                                                                                                                                                                                                                                                                                            |
| Option 1                 | type                            | enum     | The rule type. Allowed enum values: `api_security,application_security,log_detection,workload_activity,workload_security`                                                                                                                                                                                                                                                                                        |
|                          | Option 2                        | object   | The payload of a signal correlation rule.                                                                                                                                                                                                                                                                                                                                                                        |
| Option 2                 | cases [*required*]         | [object] | Cases for generating signals.                                                                                                                                                                                                                                                                                                                                                                                    |
| cases                    | actions                         | [object] | Action to perform for each rule case.                                                                                                                                                                                                                                                                                                                                                                            |
| actions                  | options                         | object   | Options for the rule action                                                                                                                                                                                                                                                                                                                                                                                      |
| options                  | duration                        | int64    | Duration of the action in seconds. 0 indicates no expiration.                                                                                                                                                                                                                                                                                                                                                    |
| options                  | flaggedIPType                   | enum     | Used with the case action of type 'flag_ip'. The value specified in this field is applied as a flag to the IP addresses. Allowed enum values: `SUSPICIOUS,FLAGGED`                                                                                                                                                                                                                                               |
| options                  | userBehaviorName                | string   | Used with the case action of type 'user_behavior'. The value specified in this field is applied as a risk tag to all users affected by the rule.                                                                                                                                                                                                                                                                 |
| actions                  | type                            | enum     | The action type. Allowed enum values: `block_ip,block_user,user_behavior,flag_ip`                                                                                                                                                                                                                                                                                                                                |
| cases                    | condition                       | string   | A case contains logical operations (`>`,`>=`, `&&`, `||`) to determine if a signal should be generated based on the event counts in the previously defined queries.                                                                                                                                                                                                                                              |
| cases                    | name                            | string   | Name of the case.                                                                                                                                                                                                                                                                                                                                                                                                |
| cases                    | notifications                   | [string] | Notification targets.                                                                                                                                                                                                                                                                                                                                                                                            |
| cases                    | status [*required*]        | enum     | Severity of the Security Signal. Allowed enum values: `info,low,medium,high,critical`                                                                                                                                                                                                                                                                                                                            |
| Option 2                 | customMessage                   | string   | Custom/Overridden message for generated signals (used in case of Default rule update).                                                                                                                                                                                                                                                                                                                           |
| Option 2                 | customName                      | string   | Custom/Overridden name of the rule (used in case of Default rule update).                                                                                                                                                                                                                                                                                                                                        |
| Option 2                 | filters                         | [object] | Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules.                                                                                                                                                                                                                                              |
| filters                  | action                          | enum     | The type of filtering action. Allowed enum values: `require,suppress`                                                                                                                                                                                                                                                                                                                                            |
| filters                  | query                           | string   | Query for selecting logs to apply the filtering action.                                                                                                                                                                                                                                                                                                                                                          |
| Option 2                 | hasExtendedTitle                | boolean  | Whether the notifications include the triggering group-by values in their title.                                                                                                                                                                                                                                                                                                                                 |
| Option 2                 | isEnabled [*required*]     | boolean  | Whether the rule is enabled.                                                                                                                                                                                                                                                                                                                                                                                     |
| Option 2                 | message [*required*]       | string   | Message for generated signals.                                                                                                                                                                                                                                                                                                                                                                                   |
| Option 2                 | name [*required*]          | string   | The name of the rule.                                                                                                                                                                                                                                                                                                                                                                                            |
| Option 2                 | options [*required*]       | object   | Options.                                                                                                                                                                                                                                                                                                                                                                                                         |
| options                  | anomalyDetectionOptions         | object   | Options on anomaly detection method.                                                                                                                                                                                                                                                                                                                                                                             |
| anomalyDetectionOptions  | bucketDuration                  | enum     | Duration in seconds of the time buckets used to aggregate events matched by the rule. Must be greater than or equal to 300. Allowed enum values: `300,600,900,1800,3600,10800`                                                                                                                                                                                                                                   |
| anomalyDetectionOptions  | detectionTolerance              | enum     | An optional parameter that sets how permissive anomaly detection is. Higher values require higher deviations before triggering a signal. Allowed enum values: `1,2,3,4,5`                                                                                                                                                                                                                                        |
| anomalyDetectionOptions  | instantaneousBaseline           | boolean  | When set to true, Datadog uses previous values that fall within the defined learning window to construct the baseline, enabling the system to establish an accurate baseline more rapidly rather than relying solely on gradual learning over time.                                                                                                                                                              |
| anomalyDetectionOptions  | learningDuration                | enum     | Learning duration in hours. Anomaly detection waits for at least this amount of historical data before it starts evaluating. Allowed enum values: `1,6,12,24,48,168,336`                                                                                                                                                                                                                                         |
| anomalyDetectionOptions  | learningPeriodBaseline          | int64    | An optional override baseline to apply while the rule is in the learning period. Must be greater than or equal to 0.                                                                                                                                                                                                                                                                                             |
| options                  | complianceRuleOptions           | object   | Options for cloud_configuration rules. Fields `resourceType` and `regoRule` are mandatory when managing custom `cloud_configuration` rules.                                                                                                                                                                                                                                                                      |
| complianceRuleOptions    | complexRule                     | boolean  | Whether the rule is a complex one. Must be set to true if `regoRule.resourceTypes` contains more than one item. Defaults to false.                                                                                                                                                                                                                                                                               |
| complianceRuleOptions    | regoRule                        | object   | Rule details.                                                                                                                                                                                                                                                                                                                                                                                                    |
| regoRule                 | policy [*required*]        | string   | The policy written in `rego`, see: [https://www.openpolicyagent.org/docs/latest/policy-language/](https://www.openpolicyagent.org/docs/latest/policy-language/)                                                                                                                                                                                                                                                  |
| regoRule                 | resourceTypes [*required*] | [string] | List of resource types that will be evaluated upon. Must have at least one element.                                                                                                                                                                                                                                                                                                                              |
| complianceRuleOptions    | resourceType                    | string   | Main resource type to be checked by the rule. It should be specified again in `regoRule.resourceTypes`.                                                                                                                                                                                                                                                                                                          |
| options                  | decreaseCriticalityBasedOnEnv   | boolean  | If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise. The severity is decreased by one level: `CRITICAL` in production becomes `HIGH` in non-production, `HIGH` becomes `MEDIUM` and so on. `INFO` remains `INFO`. The decrement is applied when the environment tag of the signal starts with `staging`, `test` or `dev`. |
| options                  | detectionMethod                 | enum     | The detection method. Allowed enum values: `threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold,sequence_detection`                                                                                                                                                                                                                                                  |
| options                  | evaluationWindow                | enum     | A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600`                                                                                                                                               |
| options                  | hardcodedEvaluatorType          | enum     | Hardcoded evaluator type. Allowed enum values: `log4shell`                                                                                                                                                                                                                                                                                                                                                       |
| options                  | impossibleTravelOptions         | object   | Options on impossible travel detection method.                                                                                                                                                                                                                                                                                                                                                                   |
| impossibleTravelOptions  | baselineUserLocations           | boolean  | If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.                                                                                                                                                                                                    |
| options                  | keepAlive                       | enum     | Once a signal is generated, the signal will remain "open" if a case is matched at least once within this keep alive window. For third party detection method, this field is not used. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600`                                                                                                                                                         |
| options                  | maxSignalDuration               | enum     | A signal will "close" regardless of the query being matched once the time exceeds the maximum duration. This time is calculated from the first seen timestamp. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600`                                                                                                                                                                                |
| options                  | newValueOptions                 | object   | Options on new value detection method.                                                                                                                                                                                                                                                                                                                                                                           |
| newValueOptions          | forgetAfter                     | enum     | The duration in days after which a learned value is forgotten. Allowed enum values: `1,2,7,14,21,28`                                                                                                                                                                                                                                                                                                             |
| newValueOptions          | instantaneousBaseline           | boolean  | When set to true, Datadog uses previous values that fall within the defined learning window to construct the baseline, enabling the system to establish an accurate baseline more rapidly rather than relying solely on gradual learning over time.                                                                                                                                                              |
| newValueOptions          | learningDuration                | enum     | The duration in days during which values are learned, and after which signals will be generated for values that weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned. Allowed enum values: `0,1,7`                                                                                                                                                       |
| newValueOptions          | learningMethod                  | enum     | The learning method used to determine when signals should be generated for values that weren't learned. Allowed enum values: `duration,threshold`                                                                                                                                                                                                                                                                |
| newValueOptions          | learningThreshold               | enum     | A number of occurrences after which signals will be generated for values that weren't learned. Allowed enum values: `0,1`                                                                                                                                                                                                                                                                                        |
| options                  | sequenceDetectionOptions        | object   | Options on sequence detection method.                                                                                                                                                                                                                                                                                                                                                                            |
| sequenceDetectionOptions | stepTransitions                 | [object] | Transitions defining the allowed order of steps and their evaluation windows.                                                                                                                                                                                                                                                                                                                                    |
| stepTransitions          | child                           | string   | Name of the child step.                                                                                                                                                                                                                                                                                                                                                                                          |
| stepTransitions          | evaluationWindow                | enum     | A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600`                                                                                                                                               |
| stepTransitions          | parent                          | string   | Name of the parent step.                                                                                                                                                                                                                                                                                                                                                                                         |
| sequenceDetectionOptions | steps                           | [object] | Steps that define the conditions to be matched in sequence.                                                                                                                                                                                                                                                                                                                                                      |
| steps                    | condition                       | string   | Condition referencing rule queries (e.g., `a > 0`).                                                                                                                                                                                                                                                                                                                                                              |
| steps                    | evaluationWindow                | enum     | A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600`                                                                                                                                               |
| steps                    | name                            | string   | Unique name identifying the step.                                                                                                                                                                                                                                                                                                                                                                                |
| options                  | thirdPartyRuleOptions           | object   | Options on third party detection method.                                                                                                                                                                                                                                                                                                                                                                         |
| thirdPartyRuleOptions    | defaultNotifications            | [string] | Notification targets for the logs that do not correspond to any of the cases.                                                                                                                                                                                                                                                                                                                                    |
| thirdPartyRuleOptions    | defaultStatus                   | enum     | Severity of the Security Signal. Allowed enum values: `info,low,medium,high,critical`                                                                                                                                                                                                                                                                                                                            |
| thirdPartyRuleOptions    | rootQueries                     | [object] | Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.                                                                                                                                                                                                                                                      |
| rootQueries              | groupByFields                   | [string] | Fields to group by.                                                                                                                                                                                                                                                                                                                                                                                              |
| rootQueries              | query                           | string   | Query to run on logs.                                                                                                                                                                                                                                                                                                                                                                                            |
| thirdPartyRuleOptions    | signalTitleTemplate             | string   | A template for the signal title; if omitted, the title is generated based on the case name.                                                                                                                                                                                                                                                                                                                      |
| Option 2                 | queries [*required*]       | [object] | Queries for selecting signals which are part of the rule.                                                                                                                                                                                                                                                                                                                                                        |
| queries                  | aggregation                     | enum     | The aggregation type. Allowed enum values: `count,cardinality,sum,max,new_value,geo_data,event_count,none`                                                                                                                                                                                                                                                                                                       |
| queries                  | correlatedByFields              | [string] | Fields to group by.                                                                                                                                                                                                                                                                                                                                                                                              |
| queries                  | correlatedQueryIndex            | int32    | Index of the rule query used to retrieve the correlated field.                                                                                                                                                                                                                                                                                                                                                   |
| queries                  | metrics                         | [string] | Group of target fields to aggregate over.                                                                                                                                                                                                                                                                                                                                                                        |
| queries                  | name                            | string   | Name of the query.                                                                                                                                                                                                                                                                                                                                                                                               |
| queries                  | ruleId [*required*]        | string   | Rule ID to match on signals.                                                                                                                                                                                                                                                                                                                                                                                     |
| Option 2                 | tags                            | [string] | Tags for generated signals.                                                                                                                                                                                                                                                                                                                                                                                      |
| Option 2                 | type                            | enum     | The rule type. Allowed enum values: `signal_correlation`                                                                                                                                                                                                                                                                                                                                                         |

{% /tab %}

{% tab title="Example" %}

```json
{
  "name": "_49768568946de993",
  "queries": [
    {
      "query": "@test:true",
      "aggregation": "count",
      "groupByFields": [],
      "distinctFields": [],
      "metric": ""
    }
  ],
  "filters": [],
  "cases": [
    {
      "name": "",
      "status": "info",
      "condition": "a > 0",
      "notifications": []
    }
  ],
  "options": {
    "evaluationWindow": 900,
    "keepAlive": 3600,
    "maxSignalDuration": 86400
  },
  "message": "Test rule",
  "tags": [],
  "isEnabled": true,
  "type": "log_detection"
}
```

{% /tab %}
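To make the `keepAlive` and `maxSignalDuration` options in the request above concrete, the following added example (not part of the Datadog documentation or client libraries) models how case matches for a single group-by value fold into signals. It is a simplified reading of the two option descriptions: the names `Signal` and `simulate_signals`, the inclusive window boundaries, and the restriction to positive values are assumptions.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass
class Signal:
    first_seen: int        # timestamp (seconds) of the match that opened the signal
    last_match: int        # most recent match folded into this signal
    matches: int = 1       # number of case matches folded into this signal
    closed_at: int = 0     # time at which the signal stops accepting matches
    closed_by: str = ""    # "keepAlive" or "maxSignalDuration"


def _close(sig: Signal, keep_alive: int, max_signal_duration: int) -> Signal:
    # keepAlive is measured from the last match; maxSignalDuration is
    # measured from the first seen timestamp, as the option table describes.
    soft_stop = sig.last_match + keep_alive
    hard_stop = sig.first_seen + max_signal_duration
    sig.closed_at = min(soft_stop, hard_stop)
    sig.closed_by = "maxSignalDuration" if hard_stop < soft_stop else "keepAlive"
    return sig


def simulate_signals(match_times: Iterable[int], keep_alive: int,
                     max_signal_duration: int) -> List[Signal]:
    """Group case-match timestamps (seconds) into signals.

    Assumption: a match joins the open signal when it arrives no later than
    last_match + keep_alive and no later than first_seen + max_signal_duration.
    Otherwise the open signal closes and the match opens a new one.
    """
    if keep_alive <= 0 or max_signal_duration <= 0:
        raise ValueError("this model only covers positive window values")

    signals: List[Signal] = []
    current: Optional[Signal] = None
    for t in sorted(match_times):
        if current is not None:
            still_open = (t <= current.last_match + keep_alive
                          and t <= current.first_seen + max_signal_duration)
            if still_open:
                current.last_match = t
                current.matches += 1
                continue
            signals.append(_close(current, keep_alive, max_signal_duration))
        current = Signal(first_seen=t, last_match=t)
    if current is not None:
        signals.append(_close(current, keep_alive, max_signal_duration))
    return signals


if __name__ == "__main__":
    # Constructed input: one match every 30 minutes for 30 hours, evaluated
    # with the option values from the example request (3600 and 86400).
    steady = simulate_signals(range(0, 108001, 1800), 3600, 86400)
    # Constructed input: a short burst, then a late match after the
    # keep-alive window has lapsed.
    burst = simulate_signals([0, 600, 1200, 9000], 3600, 86400)
    for label, result in (("steady", steady), ("burst", burst)):
        for sig in result:
            print(label, sig)
```

With steady activity the signal never lapses on `keepAlive`, so `maxSignalDuration` is what splits it into a new signal; with bursty activity `keepAlive` decides whether a late match reopens triage as a separate signal.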

### Response

{% tab title="200" %}
OK
{% tab title="Model" %}
Result of the convert rule request containing Terraform content.

| Field            | Type   | Description                                                    |
| ---------------- | ------ | -------------------------------------------------------------- |
| ruleId           | string | The ID of the rule.                                            |
| terraformContent | string | Terraform string as a result of converting the rule from JSON. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "ruleId": "string",
  "terraformContent": "string"
}
```

{% /tab %}

{% /tab %}

{% tab title="400" %}
Bad Request
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="401" %}
Concurrent Modification
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="403" %}
Not Authorized
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="404" %}
Not Found
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="429" %}
Too many requests
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

### Code Example

```bash
# Curl command
# Use the API host for your Datadog site: api.ap1.datadoghq.com, api.ap2.datadoghq.com,
# api.datadoghq.eu, api.ddog-gov.com, api.datadoghq.com, api.us3.datadoghq.com,
# or api.us5.datadoghq.com
curl -X POST "https://api.datadoghq.com/api/v2/security_monitoring/rules/convert" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "name": "_49768568946de993",
  "queries": [
    {
      "query": "@test:true",
      "aggregation": "count",
      "groupByFields": [],
      "distinctFields": [],
      "metric": ""
    }
  ],
  "filters": [],
  "cases": [
    {
      "name": "",
      "status": "info",
      "condition": "a > 0",
      "notifications": []
    }
  ],
  "options": {
    "evaluationWindow": 900,
    "keepAlive": 3600,
    "maxSignalDuration": 86400
  },
  "message": "Test rule",
  "tags": [],
  "isEnabled": true,
  "type": "log_detection"
}
EOF
```

```go
// Convert a rule from JSON to Terraform returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	body := datadogV2.SecurityMonitoringRuleConvertPayload{
		SecurityMonitoringStandardRulePayload: &datadogV2.SecurityMonitoringStandardRulePayload{
			Name: "_49768568946de993",
			Queries: []datadogV2.SecurityMonitoringStandardRuleQuery{
				{
					Query:          datadog.PtrString("@test:true"),
					Aggregation:    datadogV2.SECURITYMONITORINGRULEQUERYAGGREGATION_COUNT.Ptr(),
					GroupByFields:  []string{},
					DistinctFields: []string{},
					Metric:         datadog.PtrString(""),
				},
			},
			Filters: []datadogV2.SecurityMonitoringFilter{},
			Cases: []datadogV2.SecurityMonitoringRuleCaseCreate{
				{
					Name:          datadog.PtrString(""),
					Status:        datadogV2.SECURITYMONITORINGRULESEVERITY_INFO,
					Condition:     datadog.PtrString("a > 0"),
					Notifications: []string{},
				},
			},
			Options: datadogV2.SecurityMonitoringRuleOptions{
				EvaluationWindow:  datadogV2.SECURITYMONITORINGRULEEVALUATIONWINDOW_FIFTEEN_MINUTES.Ptr(),
				KeepAlive:         datadogV2.SECURITYMONITORINGRULEKEEPALIVE_ONE_HOUR.Ptr(),
				MaxSignalDuration: datadogV2.SECURITYMONITORINGRULEMAXSIGNALDURATION_ONE_DAY.Ptr(),
			},
			Message:   "Test rule",
			Tags:      []string{},
			IsEnabled: true,
			Type:      datadogV2.SECURITYMONITORINGRULETYPECREATE_LOG_DETECTION.Ptr(),
		}}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.ConvertSecurityMonitoringRuleFromJSONToTerraform(ctx, body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.ConvertSecurityMonitoringRuleFromJSONToTerraform`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.ConvertSecurityMonitoringRuleFromJSONToTerraform`:\n%s\n", responseContent)
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=go), then save the example to `main.go` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"

```java
// Convert a rule from JSON to Terraform returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleCaseCreate;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleConvertPayload;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleConvertResponse;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleEvaluationWindow;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleKeepAlive;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleMaxSignalDuration;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleOptions;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleQueryAggregation;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleSeverity;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleTypeCreate;
import com.datadog.api.client.v2.model.SecurityMonitoringStandardRulePayload;
import com.datadog.api.client.v2.model.SecurityMonitoringStandardRuleQuery;
import java.util.Collections;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    SecurityMonitoringRuleConvertPayload body =
        new SecurityMonitoringRuleConvertPayload(
            new SecurityMonitoringStandardRulePayload()
                .name("_49768568946de993")
                .queries(
                    Collections.singletonList(
                        new SecurityMonitoringStandardRuleQuery()
                            .query("@test:true")
                            .aggregation(SecurityMonitoringRuleQueryAggregation.COUNT)
                            .metric("")))
                .cases(
                    Collections.singletonList(
                        new SecurityMonitoringRuleCaseCreate()
                            .name("")
                            .status(SecurityMonitoringRuleSeverity.INFO)
                            .condition("a > 0")))
                .options(
                    new SecurityMonitoringRuleOptions()
                        .evaluationWindow(SecurityMonitoringRuleEvaluationWindow.FIFTEEN_MINUTES)
                        .keepAlive(SecurityMonitoringRuleKeepAlive.ONE_HOUR)
                        .maxSignalDuration(SecurityMonitoringRuleMaxSignalDuration.ONE_DAY))
                .message("Test rule")
                .isEnabled(true)
                .type(SecurityMonitoringRuleTypeCreate.LOG_DETECTION));

    try {
      SecurityMonitoringRuleConvertResponse result =
          apiInstance.convertSecurityMonitoringRuleFromJSONToTerraform(body);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling"
              + " SecurityMonitoringApi#convertSecurityMonitoringRuleFromJSONToTerraform");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=java), then save the example to `Example.java` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"

```python
"""
Convert a rule from JSON to Terraform returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.security_monitoring_rule_case_create import SecurityMonitoringRuleCaseCreate
from datadog_api_client.v2.model.security_monitoring_rule_evaluation_window import (
    SecurityMonitoringRuleEvaluationWindow,
)
from datadog_api_client.v2.model.security_monitoring_rule_keep_alive import SecurityMonitoringRuleKeepAlive
from datadog_api_client.v2.model.security_monitoring_rule_max_signal_duration import (
    SecurityMonitoringRuleMaxSignalDuration,
)
from datadog_api_client.v2.model.security_monitoring_rule_options import SecurityMonitoringRuleOptions
from datadog_api_client.v2.model.security_monitoring_rule_query_aggregation import (
    SecurityMonitoringRuleQueryAggregation,
)
from datadog_api_client.v2.model.security_monitoring_rule_severity import SecurityMonitoringRuleSeverity
from datadog_api_client.v2.model.security_monitoring_rule_type_create import SecurityMonitoringRuleTypeCreate
from datadog_api_client.v2.model.security_monitoring_standard_rule_payload import SecurityMonitoringStandardRulePayload
from datadog_api_client.v2.model.security_monitoring_standard_rule_query import SecurityMonitoringStandardRuleQuery

body = SecurityMonitoringStandardRulePayload(
    name="_49768568946de993",
    queries=[
        SecurityMonitoringStandardRuleQuery(
            query="@test:true",
            aggregation=SecurityMonitoringRuleQueryAggregation.COUNT,
            group_by_fields=[],
            distinct_fields=[],
            metric="",
        ),
    ],
    filters=[],
    cases=[
        SecurityMonitoringRuleCaseCreate(
            name="",
            status=SecurityMonitoringRuleSeverity.INFO,
            condition="a > 0",
            notifications=[],
        ),
    ],
    options=SecurityMonitoringRuleOptions(
        evaluation_window=SecurityMonitoringRuleEvaluationWindow.FIFTEEN_MINUTES,
        keep_alive=SecurityMonitoringRuleKeepAlive.ONE_HOUR,
        max_signal_duration=SecurityMonitoringRuleMaxSignalDuration.ONE_DAY,
    ),
    message="Test rule",
    tags=[],
    is_enabled=True,
    type=SecurityMonitoringRuleTypeCreate.LOG_DETECTION,
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.convert_security_monitoring_rule_from_json_to_terraform(body=body)

    print(response)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=python), then save the example to `example.py` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"

```ruby
# Convert a rule from JSON to Terraform returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

body = DatadogAPIClient::V2::SecurityMonitoringStandardRulePayload.new({
  name: "_49768568946de993",
  queries: [
    DatadogAPIClient::V2::SecurityMonitoringStandardRuleQuery.new({
      query: "@test:true",
      aggregation: DatadogAPIClient::V2::SecurityMonitoringRuleQueryAggregation::COUNT,
      group_by_fields: [],
      distinct_fields: [],
      metric: "",
    }),
  ],
  filters: [],
  cases: [
    DatadogAPIClient::V2::SecurityMonitoringRuleCaseCreate.new({
      name: "",
      status: DatadogAPIClient::V2::SecurityMonitoringRuleSeverity::INFO,
      condition: "a > 0",
      notifications: [],
    }),
  ],
  options: DatadogAPIClient::V2::SecurityMonitoringRuleOptions.new({
    evaluation_window: DatadogAPIClient::V2::SecurityMonitoringRuleEvaluationWindow::FIFTEEN_MINUTES,
    keep_alive: DatadogAPIClient::V2::SecurityMonitoringRuleKeepAlive::ONE_HOUR,
    max_signal_duration: DatadogAPIClient::V2::SecurityMonitoringRuleMaxSignalDuration::ONE_DAY,
  }),
  message: "Test rule",
  tags: [],
  is_enabled: true,
  type: DatadogAPIClient::V2::SecurityMonitoringRuleTypeCreate::LOG_DETECTION,
})
p api_instance.convert_security_monitoring_rule_from_json_to_terraform(body)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=ruby), then save the example to `example.rb` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" ruby "example.rb"

```rust
// Convert a rule from JSON to Terraform returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleCaseCreate;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleConvertPayload;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleEvaluationWindow;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleKeepAlive;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleMaxSignalDuration;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleOptions;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleQueryAggregation;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleSeverity;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleTypeCreate;
use datadog_api_client::datadogV2::model::SecurityMonitoringStandardRulePayload;
use datadog_api_client::datadogV2::model::SecurityMonitoringStandardRuleQuery;

#[tokio::main]
async fn main() {
    let body =
        SecurityMonitoringRuleConvertPayload::SecurityMonitoringStandardRulePayload(Box::new(
            SecurityMonitoringStandardRulePayload::new(
                vec![
                    SecurityMonitoringRuleCaseCreate::new(SecurityMonitoringRuleSeverity::INFO)
                        .condition("a > 0".to_string())
                        .name("".to_string())
                        .notifications(vec![]),
                ],
                true,
                "Test rule".to_string(),
                "_49768568946de993".to_string(),
                SecurityMonitoringRuleOptions::new()
                    .evaluation_window(SecurityMonitoringRuleEvaluationWindow::FIFTEEN_MINUTES)
                    .keep_alive(SecurityMonitoringRuleKeepAlive::ONE_HOUR)
                    .max_signal_duration(SecurityMonitoringRuleMaxSignalDuration::ONE_DAY),
                vec![SecurityMonitoringStandardRuleQuery::new()
                    .aggregation(SecurityMonitoringRuleQueryAggregation::COUNT)
                    .distinct_fields(vec![])
                    .group_by_fields(vec![])
                    .metric("".to_string())
                    .query("@test:true".to_string())],
            )
            .filters(vec![])
            .tags(vec![])
            .type_(SecurityMonitoringRuleTypeCreate::LOG_DETECTION),
        ));
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api
        .convert_security_monitoring_rule_from_json_to_terraform(body)
        .await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=rust) and then save the example to `src/main.rs` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run

```typescript
/**
 * Convert a rule from JSON to Terraform returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiConvertSecurityMonitoringRuleFromJSONToTerraformRequest =
  {
    body: {
      name: "_49768568946de993",
      queries: [
        {
          query: "@test:true",
          aggregation: "count",
          groupByFields: [],
          distinctFields: [],
          metric: "",
        },
      ],
      filters: [],
      cases: [
        {
          name: "",
          status: "info",
          condition: "a > 0",
          notifications: [],
        },
      ],
      options: {
        evaluationWindow: 900,
        keepAlive: 3600,
        maxSignalDuration: 86400,
      },
      message: "Test rule",
      tags: [],
      isEnabled: true,
      type: "log_detection",
    },
  };

apiInstance
  .convertSecurityMonitoringRuleFromJSONToTerraform(params)
  .then((data: v2.SecurityMonitoringRuleConvertResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=typescript) and then save the example to `example.ts` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"
{% /tab %}

## Bulk export security monitoring rules{% #bulk-export-security-monitoring-rules %}

{% tab title="v2" %}

| Datadog site      | API endpoint                                                                    |
| ----------------- | ------------------------------------------------------------------------------- |
| ap1.datadoghq.com | POST https://api.ap1.datadoghq.com/api/v2/security_monitoring/rules/bulk_export |
| ap2.datadoghq.com | POST https://api.ap2.datadoghq.com/api/v2/security_monitoring/rules/bulk_export |
| app.datadoghq.eu  | POST https://api.datadoghq.eu/api/v2/security_monitoring/rules/bulk_export      |
| app.ddog-gov.com  | POST https://api.ddog-gov.com/api/v2/security_monitoring/rules/bulk_export      |
| app.datadoghq.com | POST https://api.datadoghq.com/api/v2/security_monitoring/rules/bulk_export     |
| us3.datadoghq.com | POST https://api.us3.datadoghq.com/api/v2/security_monitoring/rules/bulk_export |
| us5.datadoghq.com | POST https://api.us5.datadoghq.com/api/v2/security_monitoring/rules/bulk_export |

### Overview

Export a list of security monitoring rules as a ZIP file containing JSON rule definitions. The endpoint accepts a list of rule IDs and returns a ZIP archive where each rule is saved as a separate JSON file named after the rule. This endpoint requires the `security_monitoring_rules_read` permission.

OAuth apps require the `security_monitoring_rules_read` authorization [scope](https://docs.datadoghq.com/api/latest/scopes/#security-monitoring) to access this endpoint.
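An added example (not from the Datadog documentation or client libraries): because the response is a ZIP archive whose entry names derive from rule names, this code parses it in memory, rejects unsafe entry names and oversized entries, and hashes each rule canonically so two exports can be diffed for drift. The size limits, the function names, and the sample rule contents are assumptions constructed for illustration.

```python
import hashlib
import io
import json
import zipfile
from pathlib import PurePosixPath, PureWindowsPath

MAX_MEMBERS = 1000            # assumed upper bound on files in one export
MAX_MEMBER_BYTES = 1_000_000  # assumed upper bound on one decompressed rule file


class UnsafeExportError(ValueError):
    """The response body is not a well-formed archive of JSON rule files."""


def check_member_name(name: str) -> None:
    """Reject entry names that would escape a target directory if used as paths."""
    posix = PurePosixPath(name.replace("\\", "/"))
    if posix.is_absolute() or ".." in posix.parts or PureWindowsPath(name).drive:
        raise UnsafeExportError(f"unsafe entry name: {name!r}")
    if posix.suffix.lower() != ".json":
        raise UnsafeExportError(f"unexpected entry type: {name!r}")


def load_rule_export(zip_bytes: bytes) -> dict:
    """Parse the export in memory; return {entry name: {"sha256", "rule"}}."""
    try:
        archive = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile as exc:
        # For example, a JSON error body saved as if it were the archive.
        raise UnsafeExportError("response body is not a ZIP archive") from exc
    rules = {}
    with archive:
        entries = [e for e in archive.infolist() if not e.is_dir()]
        if len(entries) > MAX_MEMBERS:
            raise UnsafeExportError("too many entries in archive")
        for entry in entries:
            check_member_name(entry.filename)
            if entry.filename in rules:
                raise UnsafeExportError(f"duplicate entry: {entry.filename!r}")
            try:
                with archive.open(entry) as fh:
                    # Bounded read, so a highly compressed entry cannot exhaust memory.
                    raw = fh.read(MAX_MEMBER_BYTES + 1)
            except zipfile.BadZipFile as exc:
                raise UnsafeExportError(f"corrupt entry: {entry.filename!r}") from exc
            if len(raw) > MAX_MEMBER_BYTES:
                raise UnsafeExportError(f"entry too large: {entry.filename!r}")
            try:
                rule = json.loads(raw)
            except ValueError as exc:  # covers JSON and text-decoding errors
                raise UnsafeExportError(f"{entry.filename!r} is not valid JSON") from exc
            if not isinstance(rule, dict):
                raise UnsafeExportError(f"{entry.filename!r} is not a JSON object")
            # Hash a canonical form so key order and whitespace do not count as drift.
            canonical = json.dumps(rule, sort_keys=True, separators=(",", ":"))
            rules[entry.filename] = {
                "sha256": hashlib.sha256(canonical.encode("utf-8")).hexdigest(),
                "rule": rule,
            }
    return rules


def diff_exports(baseline: dict, current: dict) -> dict:
    """Compare two load_rule_export() results by entry name and canonical hash."""
    shared = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(
            n for n in shared if baseline[n]["sha256"] != current[n]["sha256"]
        ),
    }


def build_sample_export(files: dict) -> bytes:
    """Constructed stand-in for the response body (not real Datadog output)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, rule in files.items():
            zf.writestr(name, json.dumps(rule))
    return buf.getvalue()


if __name__ == "__main__":
    old = load_rule_export(
        build_sample_export({"Test rule.json": {"name": "Test rule", "isEnabled": True}})
    )
    new = load_rule_export(
        build_sample_export({"Test rule.json": {"name": "Test rule", "isEnabled": False}})
    )
    print(diff_exports(old, new))
```

With the Python client, `response.read()` from `bulk_export_security_monitoring_rules` supplies the bytes to pass to `load_rule_export`.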



### Request

#### Body Data (required)



{% tab title="Model" %}

| Parent field | Field                        | Type     | Description                                                                                               |
| ------------ | ---------------------------- | -------- | --------------------------------------------------------------------------------------------------------- |
|              | data [*required*]       | object   | Data for bulk exporting security monitoring rules.                                                        |
| data         | attributes [*required*] | object   | Attributes for bulk exporting security monitoring rules.                                                  |
| attributes   | ruleIds [*required*]    | [string] | List of rule IDs to export. Each rule will be included in the resulting ZIP file as a separate JSON file. |
| data         | id                           | string   | Request ID.                                                                                               |
| data         | type [*required*]       | enum     | The type of the resource. Allowed enum values: `security_monitoring_rules_bulk_export`                    |

{% /tab %}

{% tab title="Example" %}

```json
{
  "data": {
    "attributes": {
      "ruleIds": [
        "string"
      ]
    },
    "type": "security_monitoring_rules_bulk_export"
  }
}
```

{% /tab %}

### Response

{% tab title="200" %}
OK
{% tab title="Model" %}

| Field | Type | Description |
| ----- | ---- | ----------- |

{% /tab %}

{% tab title="Example" %}

```json
{}
```

{% /tab %}

{% /tab %}

{% tab title="400" %}
Bad Request
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="403" %}
Not Authorized
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="404" %}
Not Found
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="429" %}
Too many requests
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

### Code Example

```bash
# Curl command
# Replace api.datadoghq.com with the API host for your Datadog site (see the endpoint table above).
curl -X POST "https://api.datadoghq.com/api/v2/security_monitoring/rules/bulk_export" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "data": {
    "attributes": {
      "ruleIds": [
        "string"
      ]
    },
    "type": "security_monitoring_rules_bulk_export"
  }
}
EOF
```

```go
// Bulk export security monitoring rules returns "OK" response

package main

import (
	"context"
	"fmt"
	"io/ioutil"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	// there is a valid "security_rule" in the system
	SecurityRuleID := os.Getenv("SECURITY_RULE_ID")

	body := datadogV2.SecurityMonitoringRuleBulkExportPayload{
		Data: datadogV2.SecurityMonitoringRuleBulkExportData{
			Attributes: datadogV2.SecurityMonitoringRuleBulkExportAttributes{
				RuleIds: []string{
					SecurityRuleID,
				},
			},
			Type: datadogV2.SECURITYMONITORINGRULEBULKEXPORTDATATYPE_SECURITY_MONITORING_RULES_BULK_EXPORT,
		},
	}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.BulkExportSecurityMonitoringRules(ctx, body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.BulkExportSecurityMonitoringRules`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := ioutil.ReadAll(resp)
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.BulkExportSecurityMonitoringRules`:\n%s\n", responseContent)
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=go) and then save the example to `main.go` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"

```java
// Bulk export security monitoring rules returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleBulkExportAttributes;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleBulkExportData;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleBulkExportDataType;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleBulkExportPayload;
import java.io.File;
import java.util.Collections;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    // there is a valid "security_rule" in the system
    String SECURITY_RULE_ID = System.getenv("SECURITY_RULE_ID");

    SecurityMonitoringRuleBulkExportPayload body =
        new SecurityMonitoringRuleBulkExportPayload()
            .data(
                new SecurityMonitoringRuleBulkExportData()
                    .attributes(
                        new SecurityMonitoringRuleBulkExportAttributes()
                            .ruleIds(Collections.singletonList(SECURITY_RULE_ID)))
                    .type(
                        SecurityMonitoringRuleBulkExportDataType
                            .SECURITY_MONITORING_RULES_BULK_EXPORT));

    try {
      File result = apiInstance.bulkExportSecurityMonitoringRules(body);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#bulkExportSecurityMonitoringRules");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=java) and then save the example to `Example.java` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"

```python
"""
Bulk export security monitoring rules returns "OK" response
"""

from os import environ
from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.security_monitoring_rule_bulk_export_attributes import (
    SecurityMonitoringRuleBulkExportAttributes,
)
from datadog_api_client.v2.model.security_monitoring_rule_bulk_export_data import SecurityMonitoringRuleBulkExportData
from datadog_api_client.v2.model.security_monitoring_rule_bulk_export_data_type import (
    SecurityMonitoringRuleBulkExportDataType,
)
from datadog_api_client.v2.model.security_monitoring_rule_bulk_export_payload import (
    SecurityMonitoringRuleBulkExportPayload,
)

# there is a valid "security_rule" in the system
SECURITY_RULE_ID = environ["SECURITY_RULE_ID"]

body = SecurityMonitoringRuleBulkExportPayload(
    data=SecurityMonitoringRuleBulkExportData(
        attributes=SecurityMonitoringRuleBulkExportAttributes(
            rule_ids=[
                SECURITY_RULE_ID,
            ],
        ),
        type=SecurityMonitoringRuleBulkExportDataType.SECURITY_MONITORING_RULES_BULK_EXPORT,
    ),
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.bulk_export_security_monitoring_rules(body=body)

    print(response.read())
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=python) and then save the example to `example.py` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"

```ruby
# Bulk export security monitoring rules returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

# there is a valid "security_rule" in the system
SECURITY_RULE_ID = ENV["SECURITY_RULE_ID"]

body = DatadogAPIClient::V2::SecurityMonitoringRuleBulkExportPayload.new({
  data: DatadogAPIClient::V2::SecurityMonitoringRuleBulkExportData.new({
    attributes: DatadogAPIClient::V2::SecurityMonitoringRuleBulkExportAttributes.new({
      rule_ids: [
        SECURITY_RULE_ID,
      ],
    }),
    type: DatadogAPIClient::V2::SecurityMonitoringRuleBulkExportDataType::SECURITY_MONITORING_RULES_BULK_EXPORT,
  }),
})
p api_instance.bulk_export_security_monitoring_rules(body)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=ruby) and then save the example to `example.rb` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" ruby "example.rb"

```rust
// Bulk export security monitoring rules returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleBulkExportAttributes;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleBulkExportData;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleBulkExportDataType;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleBulkExportPayload;

#[tokio::main]
async fn main() {
    // there is a valid "security_rule" in the system
    let security_rule_id = std::env::var("SECURITY_RULE_ID").unwrap();
    let body =
        SecurityMonitoringRuleBulkExportPayload::new(SecurityMonitoringRuleBulkExportData::new(
            SecurityMonitoringRuleBulkExportAttributes::new(vec![security_rule_id.clone()]),
            SecurityMonitoringRuleBulkExportDataType::SECURITY_MONITORING_RULES_BULK_EXPORT,
        ));
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api.bulk_export_security_monitoring_rules(body).await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=rust) and then save the example to `src/main.rs` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run

```typescript
/**
 * Bulk export security monitoring rules returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

// there is a valid "security_rule" in the system
const SECURITY_RULE_ID = process.env.SECURITY_RULE_ID as string;

const params: v2.SecurityMonitoringApiBulkExportSecurityMonitoringRulesRequest =
  {
    body: {
      data: {
        attributes: {
          ruleIds: [SECURITY_RULE_ID],
        },
        type: "security_monitoring_rules_bulk_export",
      },
    },
  };

apiInstance
  .bulkExportSecurityMonitoringRules(params)
  .then((data: client.HttpFile) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=typescript) and then save the example to `example.ts` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"
{% /tab %}

## Get a rule's version history{% #get-a-rules-version-history %}

{% tab title="v2" %}
**Note**: This endpoint is in beta and may be subject to changes.

| Datadog site      | API endpoint                                                                                 |
| ----------------- | -------------------------------------------------------------------------------------------- |
| ap1.datadoghq.com | GET https://api.ap1.datadoghq.com/api/v2/security_monitoring/rules/{rule_id}/version_history |
| ap2.datadoghq.com | GET https://api.ap2.datadoghq.com/api/v2/security_monitoring/rules/{rule_id}/version_history |
| app.datadoghq.eu  | GET https://api.datadoghq.eu/api/v2/security_monitoring/rules/{rule_id}/version_history      |
| app.ddog-gov.com  | GET https://api.ddog-gov.com/api/v2/security_monitoring/rules/{rule_id}/version_history      |
| app.datadoghq.com | GET https://api.datadoghq.com/api/v2/security_monitoring/rules/{rule_id}/version_history     |
| us3.datadoghq.com | GET https://api.us3.datadoghq.com/api/v2/security_monitoring/rules/{rule_id}/version_history |
| us5.datadoghq.com | GET https://api.us5.datadoghq.com/api/v2/security_monitoring/rules/{rule_id}/version_history |

### Overview

Get a rule's version history. This endpoint requires the `security_monitoring_rules_read` permission.

### Arguments

#### Path Parameters

| Name                      | Type   | Description         |
| ------------------------- | ------ | ------------------- |
| rule_id [*required*] | string | The ID of the rule. |

#### Query Strings

| Name         | Type    | Description                                              |
| ------------ | ------- | -------------------------------------------------------- |
| page[size]   | integer | Size for a given page. The maximum allowed value is 100. |
| page[number] | integer | Specific page number to return.                          |

### Response

{% tab title="200" %}
OK
{% tab title="Model" %}
Response for getting the rule version history.

| Parent field             | Field                           | Type          | Description                                                                                                                                                                                                                                                                                                                                                                                                      |
| ------------------------ | ------------------------------- | ------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|                          | data                            | object        | Data for the rule version history.                                                                                                                                                                                                                                                                                                                                                                               |
| data                     | attributes                      | object        | Response object containing the version history of a rule.                                                                                                                                                                                                                                                                                                                                                        |
| attributes               | count                           | int32         | The number of rule versions.                                                                                                                                                                                                                                                                                                                                                                                     |
| attributes               | data                            | object        | The `RuleVersionHistory` `data`.                                                                                                                                                                                                                                                                                                                                                                                 |
| additionalProperties     | <any-key>                       | object        | A rule version with a list of updates.                                                                                                                                                                                                                                                                                                                                                                           |
| <any-key>                | changes                         | [object]      | A list of changes.                                                                                                                                                                                                                                                                                                                                                                                               |
| changes                  | change                          | string        | The new value of the field.                                                                                                                                                                                                                                                                                                                                                                                      |
| changes                  | field                           | string        | The field that was changed.                                                                                                                                                                                                                                                                                                                                                                                      |
| changes                  | type                            | enum          | The type of change. Allowed enum values: `create,update,delete`                                                                                                                                                                                                                                                                                                                                                  |
| <any-key>                | rule                            |  <oneOf> | Create a new rule.                                                                                                                                                                                                                                                                                                                                                                                               |
| rule                     | Option 1                        | object        | Rule.                                                                                                                                                                                                                                                                                                                                                                                                            |
| Option 1                 | calculatedFields                | [object]      | Calculated fields. Only allowed for scheduled rules - in other words, when schedulingOptions is also defined.                                                                                                                                                                                                                                                                                                    |
| calculatedFields         | expression [*required*]    | string        | Expression.                                                                                                                                                                                                                                                                                                                                                                                                      |
| calculatedFields         | name [*required*]          | string        | Field name.                                                                                                                                                                                                                                                                                                                                                                                                      |
| Option 1                 | cases                           | [object]      | Cases for generating signals.                                                                                                                                                                                                                                                                                                                                                                                    |
| cases                    | actions                         | [object]      | Action to perform for each rule case.                                                                                                                                                                                                                                                                                                                                                                            |
| actions                  | options                         | object        | Options for the rule action                                                                                                                                                                                                                                                                                                                                                                                      |
| options                  | duration                        | int64         | Duration of the action in seconds. 0 indicates no expiration.                                                                                                                                                                                                                                                                                                                                                    |
| options                  | flaggedIPType                   | enum          | Used with the case action of type 'flag_ip'. The value specified in this field is applied as a flag to the IP addresses. Allowed enum values: `SUSPICIOUS,FLAGGED`                                                                                                                                                                                                                                               |
| options                  | userBehaviorName                | string        | Used with the case action of type 'user_behavior'. The value specified in this field is applied as a risk tag to all users affected by the rule.                                                                                                                                                                                                                                                                 |
| actions                  | type                            | enum          | The action type. Allowed enum values: `block_ip,block_user,user_behavior,flag_ip`                                                                                                                                                                                                                                                                                                                                |
| cases                    | condition                       | string        | A rule case contains logical operations (`>`,`>=`, `&&`, `||`) to determine if a signal should be generated based on the event counts in the previously defined queries.                                                                                                                                                                                                                                         |
| cases                    | customStatus                    | enum          | Severity of the Security Signal. Allowed enum values: `info,low,medium,high,critical`                                                                                                                                                                                                                                                                                                                            |
| cases                    | name                            | string        | Name of the case.                                                                                                                                                                                                                                                                                                                                                                                                |
| cases                    | notifications                   | [string]      | Notification targets for each rule case.                                                                                                                                                                                                                                                                                                                                                                         |
| cases                    | status                          | enum          | Severity of the Security Signal. Allowed enum values: `info,low,medium,high,critical`                                                                                                                                                                                                                                                                                                                            |
| Option 1                 | complianceSignalOptions         | object        | How to generate compliance signals. Useful for cloud_configuration rules only.                                                                                                                                                                                                                                                                                                                                   |
| complianceSignalOptions  | defaultActivationStatus         | boolean       | The default activation status.                                                                                                                                                                                                                                                                                                                                                                                   |
| complianceSignalOptions  | defaultGroupByFields            | [string]      | The default group by fields.                                                                                                                                                                                                                                                                                                                                                                                     |
| complianceSignalOptions  | userActivationStatus            | boolean       | Whether signals will be sent.                                                                                                                                                                                                                                                                                                                                                                                    |
| complianceSignalOptions  | userGroupByFields               | [string]      | Fields to use to group findings by when sending signals.                                                                                                                                                                                                                                                                                                                                                         |
| Option 1                 | createdAt                       | int64         | When the rule was created, timestamp in milliseconds.                                                                                                                                                                                                                                                                                                                                                            |
| Option 1                 | creationAuthorId                | int64         | User ID of the user who created the rule.                                                                                                                                                                                                                                                                                                                                                                        |
| Option 1                 | customMessage                   | string        | Custom/Overridden message for generated signals (used in case of Default rule update).                                                                                                                                                                                                                                                                                                                           |
| Option 1                 | customName                      | string        | Custom/Overridden name of the rule (used in case of Default rule update).                                                                                                                                                                                                                                                                                                                                        |
| Option 1                 | defaultTags                     | [string]      | Default Tags for default rules (included in tags)                                                                                                                                                                                                                                                                                                                                                                |
| Option 1                 | deprecationDate                 | int64         | When the rule will be deprecated, timestamp in milliseconds.                                                                                                                                                                                                                                                                                                                                                     |
| Option 1                 | filters                         | [object]      | Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules.                                                                                                                                                                                                                                              |
| filters                  | action                          | enum          | The type of filtering action. Allowed enum values: `require,suppress`                                                                                                                                                                                                                                                                                                                                            |
| filters                  | query                           | string        | Query for selecting logs to apply the filtering action.                                                                                                                                                                                                                                                                                                                                                          |
| Option 1                 | groupSignalsBy                  | [string]      | Additional grouping to perform on top of the existing groups in the query section. Must be a subset of the existing groups.                                                                                                                                                                                                                                                                                      |
| Option 1                 | hasExtendedTitle                | boolean       | Whether the notifications include the triggering group-by values in their title.                                                                                                                                                                                                                                                                                                                                 |
| Option 1                 | id                              | string        | The ID of the rule.                                                                                                                                                                                                                                                                                                                                                                                              |
| Option 1                 | isDefault                       | boolean       | Whether the rule is included by default.                                                                                                                                                                                                                                                                                                                                                                         |
| Option 1                 | isDeleted                       | boolean       | Whether the rule has been deleted.                                                                                                                                                                                                                                                                                                                                                                               |
| Option 1                 | isEnabled                       | boolean       | Whether the rule is enabled.                                                                                                                                                                                                                                                                                                                                                                                     |
| Option 1                 | message                         | string        | Message for generated signals.                                                                                                                                                                                                                                                                                                                                                                                   |
| Option 1                 | name                            | string        | The name of the rule.                                                                                                                                                                                                                                                                                                                                                                                            |
| Option 1                 | options                         | object        | Options.                                                                                                                                                                                                                                                                                                                                                                                                         |
| options                  | anomalyDetectionOptions         | object        | Options on anomaly detection method.                                                                                                                                                                                                                                                                                                                                                                             |
| anomalyDetectionOptions  | bucketDuration                  | enum          | Duration in seconds of the time buckets used to aggregate events matched by the rule. Must be greater than or equal to 300. Allowed enum values: `300,600,900,1800,3600,10800`                                                                                                                                                                                                                                   |
| anomalyDetectionOptions  | detectionTolerance              | enum          | An optional parameter that sets how permissive anomaly detection is. Higher values require higher deviations before triggering a signal. Allowed enum values: `1,2,3,4,5`                                                                                                                                                                                                                                        |
| anomalyDetectionOptions  | instantaneousBaseline           | boolean       | When set to true, Datadog uses previous values that fall within the defined learning window to construct the baseline, enabling the system to establish an accurate baseline more rapidly rather than relying solely on gradual learning over time.                                                                                                                                                              |
| anomalyDetectionOptions  | learningDuration                | enum          | Learning duration in hours. Anomaly detection waits for at least this amount of historical data before it starts evaluating. Allowed enum values: `1,6,12,24,48,168,336`                                                                                                                                                                                                                                         |
| anomalyDetectionOptions  | learningPeriodBaseline          | int64         | An optional override baseline to apply while the rule is in the learning period. Must be greater than or equal to 0.                                                                                                                                                                                                                                                                                             |
| options                  | complianceRuleOptions           | object        | Options for cloud_configuration rules. Fields `resourceType` and `regoRule` are mandatory when managing custom `cloud_configuration` rules.                                                                                                                                                                                                                                                                      |
| complianceRuleOptions    | complexRule                     | boolean       | Whether the rule is a complex one. Must be set to true if `regoRule.resourceTypes` contains more than one item. Defaults to false.                                                                                                                                                                                                                                                                               |
| complianceRuleOptions    | regoRule                        | object        | Rule details.                                                                                                                                                                                                                                                                                                                                                                                                    |
| regoRule                 | policy [*required*]        | string        | The policy written in `rego`, see: [https://www.openpolicyagent.org/docs/latest/policy-language/](https://www.openpolicyagent.org/docs/latest/policy-language/)                                                                                                                                                                                                                                                  |
| regoRule                 | resourceTypes [*required*] | [string]      | List of resource types that will be evaluated upon. Must have at least one element.                                                                                                                                                                                                                                                                                                                              |
| complianceRuleOptions    | resourceType                    | string        | Main resource type to be checked by the rule. It should be specified again in `regoRule.resourceTypes`.                                                                                                                                                                                                                                                                                                          |
| options                  | decreaseCriticalityBasedOnEnv   | boolean       | If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise. The severity is decreased by one level: `CRITICAL` in production becomes `HIGH` in non-production, `HIGH` becomes `MEDIUM` and so on. `INFO` remains `INFO`. The decrement is applied when the environment tag of the signal starts with `staging`, `test` or `dev`. |
| options                  | detectionMethod                 | enum          | The detection method. Allowed enum values: `threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold,sequence_detection`                                                                                                                                                                                                                                                  |
| options                  | evaluationWindow                | enum          | A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600`                                                                                                                                               |
| options                  | hardcodedEvaluatorType          | enum          | Hardcoded evaluator type. Allowed enum values: `log4shell`                                                                                                                                                                                                                                                                                                                                                       |
| options                  | impossibleTravelOptions         | object        | Options on impossible travel detection method.                                                                                                                                                                                                                                                                                                                                                                   |
| impossibleTravelOptions  | baselineUserLocations           | boolean       | If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.                                                                                                                                                                                                    |
| options                  | keepAlive                       | enum          | Once a signal is generated, the signal will remain "open" if a case is matched at least once within this keep alive window. For third party detection method, this field is not used. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600`                                                                                                                                                         |
| options                  | maxSignalDuration               | enum          | A signal will "close" regardless of the query being matched once the time exceeds the maximum duration. This time is calculated from the first seen timestamp. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600`                                                                                                                                                                                |
| options                  | newValueOptions                 | object        | Options on new value detection method.                                                                                                                                                                                                                                                                                                                                                                           |
| newValueOptions          | forgetAfter                     | enum          | The duration in days after which a learned value is forgotten. Allowed enum values: `1,2,7,14,21,28`                                                                                                                                                                                                                                                                                                             |
| newValueOptions          | instantaneousBaseline           | boolean       | When set to true, Datadog uses previous values that fall within the defined learning window to construct the baseline, enabling the system to establish an accurate baseline more rapidly rather than relying solely on gradual learning over time.                                                                                                                                                              |
| newValueOptions          | learningDuration                | enum          | The duration in days during which values are learned, and after which signals will be generated for values that weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned. Allowed enum values: `0,1,7`                                                                                                                                                       |
| newValueOptions          | learningMethod                  | enum          | The learning method used to determine when signals should be generated for values that weren't learned. Allowed enum values: `duration,threshold`                                                                                                                                                                                                                                                                |
| newValueOptions          | learningThreshold               | enum          | A number of occurrences after which signals will be generated for values that weren't learned. Allowed enum values: `0,1`                                                                                                                                                                                                                                                                                        |
| options                  | sequenceDetectionOptions        | object        | Options on sequence detection method.                                                                                                                                                                                                                                                                                                                                                                            |
| sequenceDetectionOptions | stepTransitions                 | [object]      | Transitions defining the allowed order of steps and their evaluation windows.                                                                                                                                                                                                                                                                                                                                    |
| stepTransitions          | child                           | string        | Name of the child step.                                                                                                                                                                                                                                                                                                                                                                                          |
| stepTransitions          | evaluationWindow                | enum          | A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600`                                                                                                                                               |
| stepTransitions          | parent                          | string        | Name of the parent step.                                                                                                                                                                                                                                                                                                                                                                                         |
| sequenceDetectionOptions | steps                           | [object]      | Steps that define the conditions to be matched in sequence.                                                                                                                                                                                                                                                                                                                                                      |
| steps                    | condition                       | string        | Condition referencing rule queries (e.g., `a > 0`).                                                                                                                                                                                                                                                                                                                                                              |
| steps                    | evaluationWindow                | enum          | A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600`                                                                                                                                               |
| steps                    | name                            | string        | Unique name identifying the step.                                                                                                                                                                                                                                                                                                                                                                                |
| options                  | thirdPartyRuleOptions           | object        | Options on third party detection method.                                                                                                                                                                                                                                                                                                                                                                         |
| thirdPartyRuleOptions    | defaultNotifications            | [string]      | Notification targets for the logs that do not correspond to any of the cases.                                                                                                                                                                                                                                                                                                                                    |
| thirdPartyRuleOptions    | defaultStatus                   | enum          | Severity of the Security Signal. Allowed enum values: `info,low,medium,high,critical`                                                                                                                                                                                                                                                                                                                            |
| thirdPartyRuleOptions    | rootQueries                     | [object]      | Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.                                                                                                                                                                                                                                                      |
| rootQueries              | groupByFields                   | [string]      | Fields to group by.                                                                                                                                                                                                                                                                                                                                                                                              |
| rootQueries              | query                           | string        | Query to run on logs.                                                                                                                                                                                                                                                                                                                                                                                            |
| thirdPartyRuleOptions    | signalTitleTemplate             | string        | A template for the signal title; if omitted, the title is generated based on the case name.                                                                                                                                                                                                                                                                                                                      |
| Option 1                 | queries                         | [object]      | Queries for selecting logs which are part of the rule.                                                                                                                                                                                                                                                                                                                                                           |
| queries                  | aggregation                     | enum          | The aggregation type. Allowed enum values: `count,cardinality,sum,max,new_value,geo_data,event_count,none`                                                                                                                                                                                                                                                                                                       |
| queries                  | customQueryExtension            | string        | Query extension to append to the logs query.                                                                                                                                                                                                                                                                                                                                                                     |
| queries                  | dataSource                      | enum          | Source of events, either logs, audit trail, or Datadog events. `app_sec_spans` is deprecated in favor of `spans`. Allowed enum values: `logs,audit,app_sec_spans,spans,security_runtime,network,events`                                                                                                                                                                                                          |
| queries                  | distinctFields                  | [string]      | Field for which the cardinality is measured. Sent as an array.                                                                                                                                                                                                                                                                                                                                                   |
| queries                  | groupByFields                   | [string]      | Fields to group by.                                                                                                                                                                                                                                                                                                                                                                                              |
| queries                  | hasOptionalGroupByFields        | boolean       | When false, events without a group-by value are ignored by the rule. When true, events with missing group-by fields are processed with `N/A`, replacing the missing values.                                                                                                                                                                                                                                      |
| queries                  | index                           | string        | **This field is currently unstable and might be removed in a minor version upgrade.** The index to run the query on, if the `dataSource` is `logs`. Only used for scheduled rules - in other words, when the `schedulingOptions` field is present in the rule payload.                                                                                                                                           |
| queries                  | indexes                         | [string]      | List of indexes to query when the `dataSource` is `logs`. Only used for scheduled rules, that is, when the `schedulingOptions` field is present in the rule payload.                                                                                                                                                                                                                                             |
| queries                  | metric                          | string        | **DEPRECATED**: The target field to aggregate over when using the sum or max aggregations. Use the `metrics` field instead.                                                                                                                                                                                                                                                                                      |
| queries                  | metrics                         | [string]      | Group of target fields to aggregate over when using the sum, max, geo data, or new value aggregations. The sum, max, and geo data aggregations only accept one value in this list, whereas the new value aggregation accepts up to five values.                                                                                                                                                                  |
| queries                  | name                            | string        | Name of the query.                                                                                                                                                                                                                                                                                                                                                                                               |
| queries                  | query                           | string        | Query to run on logs.                                                                                                                                                                                                                                                                                                                                                                                            |
| Option 1                 | referenceTables                 | [object]      | Reference tables for the rule.                                                                                                                                                                                                                                                                                                                                                                                   |
| referenceTables          | checkPresence                   | boolean       | Whether to include or exclude the matched values.                                                                                                                                                                                                                                                                                                                                                                |
| referenceTables          | columnName                      | string        | The name of the column in the reference table.                                                                                                                                                                                                                                                                                                                                                                   |
| referenceTables          | logFieldPath                    | string        | The field in the log to match against the reference table.                                                                                                                                                                                                                                                                                                                                                       |
| referenceTables          | ruleQueryName                   | string        | The name of the query to apply the reference table to.                                                                                                                                                                                                                                                                                                                                                           |
| referenceTables          | tableName                       | string        | The name of the reference table.                                                                                                                                                                                                                                                                                                                                                                                 |
| Option 1                 | schedulingOptions               | object        | Options for scheduled rules. When this field is present, the rule runs based on the schedule. When absent, it runs real-time on ingested logs.                                                                                                                                                                                                                                                                   |
| schedulingOptions        | rrule                           | string        | Schedule for the rule queries, written in RRULE syntax. See [RFC](https://icalendar.org/iCalendar-RFC-5545/3-8-5-3-recurrence-rule.html) for syntax reference.                                                                                                                                                                                                                                                   |
| schedulingOptions        | start                           | string        | Start date for the schedule, in ISO 8601 format without timezone.                                                                                                                                                                                                                                                                                                                                                |
| schedulingOptions        | timezone                        | string        | Time zone of the start date, in the [tz database](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones) format.                                                                                                                                                                                                                                                                                          |
| Option 1                 | tags                            | [string]      | Tags for generated signals.                                                                                                                                                                                                                                                                                                                                                                                      |
| Option 1                 | thirdPartyCases                 | [object]      | Cases for generating signals from third-party rules. Only available for third-party rules.                                                                                                                                                                                                                                                                                                                       |
| thirdPartyCases          | customStatus                    | enum          | Severity of the Security Signal. Allowed enum values: `info,low,medium,high,critical`                                                                                                                                                                                                                                                                                                                            |
| thirdPartyCases          | name                            | string        | Name of the case.                                                                                                                                                                                                                                                                                                                                                                                                |
| thirdPartyCases          | notifications                   | [string]      | Notification targets for each rule case.                                                                                                                                                                                                                                                                                                                                                                         |
| thirdPartyCases          | query                           | string        | A query to map a third party event to this case.                                                                                                                                                                                                                                                                                                                                                                 |
| thirdPartyCases          | status                          | enum          | Severity of the Security Signal. Allowed enum values: `info,low,medium,high,critical`                                                                                                                                                                                                                                                                                                                            |
| Option 1                 | type                            | enum          | The rule type. Allowed enum values: `log_detection,infrastructure_configuration,workload_security,cloud_configuration,application_security,api_security,workload_activity`                                                                                                                                                                                                                                       |
| Option 1                 | updateAuthorId                  | int64         | User ID of the user who updated the rule.                                                                                                                                                                                                                                                                                                                                                                        |
| Option 1                 | updatedAt                       | int64         | The date the rule was last updated, in milliseconds.                                                                                                                                                                                                                                                                                                                                                             |
| Option 1                 | version                         | int64         | The version of the rule.                                                                                                                                                                                                                                                                                                                                                                                         |
| rule                     | Option 2                        | object        | Rule.                                                                                                                                                                                                                                                                                                                                                                                                            |
| Option 2                 | cases                           | [object]      | Cases for generating signals.                                                                                                                                                                                                                                                                                                                                                                                    |
| cases                    | actions                         | [object]      | Action to perform for each rule case.                                                                                                                                                                                                                                                                                                                                                                            |
| actions                  | options                         | object        | Options for the rule action                                                                                                                                                                                                                                                                                                                                                                                      |
| options                  | duration                        | int64         | Duration of the action in seconds. 0 indicates no expiration.                                                                                                                                                                                                                                                                                                                                                    |
| options                  | flaggedIPType                   | enum          | Used with the case action of type 'flag_ip'. The value specified in this field is applied as a flag to the IP addresses. Allowed enum values: `SUSPICIOUS,FLAGGED`                                                                                                                                                                                                                                               |
| options                  | userBehaviorName                | string        | Used with the case action of type 'user_behavior'. The value specified in this field is applied as a risk tag to all users affected by the rule.                                                                                                                                                                                                                                                                 |
| actions                  | type                            | enum          | The action type. Allowed enum values: `block_ip,block_user,user_behavior,flag_ip`                                                                                                                                                                                                                                                                                                                                |
| cases                    | condition                       | string        | A rule case contains logical operations (`>`,`>=`, `&&`, `||`) to determine if a signal should be generated based on the event counts in the previously defined queries.                                                                                                                                                                                                                                         |
| cases                    | customStatus                    | enum          | Severity of the Security Signal. Allowed enum values: `info,low,medium,high,critical`                                                                                                                                                                                                                                                                                                                            |
| cases                    | name                            | string        | Name of the case.                                                                                                                                                                                                                                                                                                                                                                                                |
| cases                    | notifications                   | [string]      | Notification targets for each rule case.                                                                                                                                                                                                                                                                                                                                                                         |
| cases                    | status                          | enum          | Severity of the Security Signal. Allowed enum values: `info,low,medium,high,critical`                                                                                                                                                                                                                                                                                                                            |
| Option 2                 | createdAt                       | int64         | When the rule was created, timestamp in milliseconds.                                                                                                                                                                                                                                                                                                                                                            |
| Option 2                 | creationAuthorId                | int64         | User ID of the user who created the rule.                                                                                                                                                                                                                                                                                                                                                                        |
| Option 2                 | customMessage                   | string        | Custom/Overridden message for generated signals (used in case of Default rule update).                                                                                                                                                                                                                                                                                                                           |
| Option 2                 | customName                      | string        | Custom/Overridden name of the rule (used in case of Default rule update).                                                                                                                                                                                                                                                                                                                                        |
| Option 2                 | deprecationDate                 | int64         | When the rule will be deprecated, timestamp in milliseconds.                                                                                                                                                                                                                                                                                                                                                     |
| Option 2                 | filters                         | [object]      | Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules.                                                                                                                                                                                                                                              |
| filters                  | action                          | enum          | The type of filtering action. Allowed enum values: `require,suppress`                                                                                                                                                                                                                                                                                                                                            |
| filters                  | query                           | string        | Query for selecting logs to apply the filtering action.                                                                                                                                                                                                                                                                                                                                                          |
| Option 2                 | hasExtendedTitle                | boolean       | Whether the notifications include the triggering group-by values in their title.                                                                                                                                                                                                                                                                                                                                 |
| Option 2                 | id                              | string        | The ID of the rule.                                                                                                                                                                                                                                                                                                                                                                                              |
| Option 2                 | isDefault                       | boolean       | Whether the rule is included by default.                                                                                                                                                                                                                                                                                                                                                                         |
| Option 2                 | isDeleted                       | boolean       | Whether the rule has been deleted.                                                                                                                                                                                                                                                                                                                                                                               |
| Option 2                 | isEnabled                       | boolean       | Whether the rule is enabled.                                                                                                                                                                                                                                                                                                                                                                                     |
| Option 2                 | message                         | string        | Message for generated signals.                                                                                                                                                                                                                                                                                                                                                                                   |
| Option 2                 | name                            | string        | The name of the rule.                                                                                                                                                                                                                                                                                                                                                                                            |
| Option 2                 | options                         | object        | Options.                                                                                                                                                                                                                                                                                                                                                                                                         |
| options                  | anomalyDetectionOptions         | object        | Options on anomaly detection method.                                                                                                                                                                                                                                                                                                                                                                             |
| anomalyDetectionOptions  | bucketDuration                  | enum          | Duration in seconds of the time buckets used to aggregate events matched by the rule. Must be greater than or equal to 300. Allowed enum values: `300,600,900,1800,3600,10800`                                                                                                                                                                                                                                   |
| anomalyDetectionOptions  | detectionTolerance              | enum          | An optional parameter that sets how permissive anomaly detection is. Higher values require higher deviations before triggering a signal. Allowed enum values: `1,2,3,4,5`                                                                                                                                                                                                                                        |
| anomalyDetectionOptions  | instantaneousBaseline           | boolean       | When set to true, Datadog uses previous values that fall within the defined learning window to construct the baseline, enabling the system to establish an accurate baseline more rapidly rather than relying solely on gradual learning over time.                                                                                                                                                              |
| anomalyDetectionOptions  | learningDuration                | enum          | Learning duration in hours. Anomaly detection waits for at least this amount of historical data before it starts evaluating. Allowed enum values: `1,6,12,24,48,168,336`                                                                                                                                                                                                                                         |
| anomalyDetectionOptions  | learningPeriodBaseline          | int64         | An optional override baseline to apply while the rule is in the learning period. Must be greater than or equal to 0.                                                                                                                                                                                                                                                                                             |
| options                  | complianceRuleOptions           | object        | Options for cloud_configuration rules. Fields `resourceType` and `regoRule` are mandatory when managing custom `cloud_configuration` rules.                                                                                                                                                                                                                                                                      |
| complianceRuleOptions    | complexRule                     | boolean       | Whether the rule is a complex one. Must be set to true if `regoRule.resourceTypes` contains more than one item. Defaults to false.                                                                                                                                                                                                                                                                               |
| complianceRuleOptions    | regoRule                        | object        | Rule details.                                                                                                                                                                                                                                                                                                                                                                                                    |
| regoRule                 | policy [*required*]        | string        | The policy written in `rego`, see: [https://www.openpolicyagent.org/docs/latest/policy-language/](https://www.openpolicyagent.org/docs/latest/policy-language/)                                                                                                                                                                                                                                                  |
| regoRule                 | resourceTypes [*required*] | [string]      | List of resource types that will be evaluated upon. Must have at least one element.                                                                                                                                                                                                                                                                                                                              |
| complianceRuleOptions    | resourceType                    | string        | Main resource type to be checked by the rule. It should be specified again in `regoRule.resourceTypes`.                                                                                                                                                                                                                                                                                                          |
| options                  | decreaseCriticalityBasedOnEnv   | boolean       | If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise. The severity is decreased by one level: `CRITICAL` in production becomes `HIGH` in non-production, `HIGH` becomes `MEDIUM` and so on. `INFO` remains `INFO`. The decrement is applied when the environment tag of the signal starts with `staging`, `test` or `dev`. |
| options                  | detectionMethod                 | enum          | The detection method. Allowed enum values: `threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold,sequence_detection`                                                                                                                                                                                                                                                  |
| options                  | evaluationWindow                | enum          | A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600`                                                                                                                                               |
| options                  | hardcodedEvaluatorType          | enum          | Hardcoded evaluator type. Allowed enum values: `log4shell`                                                                                                                                                                                                                                                                                                                                                       |
| options                  | impossibleTravelOptions         | object        | Options on impossible travel detection method.                                                                                                                                                                                                                                                                                                                                                                   |
| impossibleTravelOptions  | baselineUserLocations           | boolean       | If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.                                                                                                                                                                                                    |
| options                  | keepAlive                       | enum          | Once a signal is generated, the signal will remain "open" if a case is matched at least once within this keep alive window. For third party detection method, this field is not used. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600`                                                                                                                                                         |
| options                  | maxSignalDuration               | enum          | A signal will "close" regardless of the query being matched once the time exceeds the maximum duration. This time is calculated from the first seen timestamp. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600`                                                                                                                                                                                |
| options                  | newValueOptions                 | object        | Options on new value detection method.                                                                                                                                                                                                                                                                                                                                                                           |
| newValueOptions          | forgetAfter                     | enum          | The duration in days after which a learned value is forgotten. Allowed enum values: `1,2,7,14,21,28`                                                                                                                                                                                                                                                                                                             |
| newValueOptions          | instantaneousBaseline           | boolean       | When set to true, Datadog uses previous values that fall within the defined learning window to construct the baseline, enabling the system to establish an accurate baseline more rapidly rather than relying solely on gradual learning over time.                                                                                                                                                              |
| newValueOptions          | learningDuration                | enum          | The duration in days during which values are learned, and after which signals will be generated for values that weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned. Allowed enum values: `0,1,7`                                                                                                                                                       |
| newValueOptions          | learningMethod                  | enum          | The learning method used to determine when signals should be generated for values that weren't learned. Allowed enum values: `duration,threshold`                                                                                                                                                                                                                                                                |
| newValueOptions          | learningThreshold               | enum          | A number of occurrences after which signals will be generated for values that weren't learned. Allowed enum values: `0,1`                                                                                                                                                                                                                                                                                        |
| options                  | sequenceDetectionOptions        | object        | Options on sequence detection method.                                                                                                                                                                                                                                                                                                                                                                            |
| sequenceDetectionOptions | stepTransitions                 | [object]      | Transitions defining the allowed order of steps and their evaluation windows.                                                                                                                                                                                                                                                                                                                                    |
| stepTransitions          | child                           | string        | Name of the child step.                                                                                                                                                                                                                                                                                                                                                                                          |
| stepTransitions          | evaluationWindow                | enum          | A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600`                                                                                                                                               |
| stepTransitions          | parent                          | string        | Name of the parent step.                                                                                                                                                                                                                                                                                                                                                                                         |
| sequenceDetectionOptions | steps                           | [object]      | Steps that define the conditions to be matched in sequence.                                                                                                                                                                                                                                                                                                                                                      |
| steps                    | condition                       | string        | Condition referencing rule queries (e.g., `a > 0`).                                                                                                                                                                                                                                                                                                                                                              |
| steps                    | evaluationWindow                | enum          | A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600`                                                                                                                                               |
| steps                    | name                            | string        | Unique name identifying the step.                                                                                                                                                                                                                                                                                                                                                                                |
| options                  | thirdPartyRuleOptions           | object        | Options on third party detection method.                                                                                                                                                                                                                                                                                                                                                                         |
| thirdPartyRuleOptions    | defaultNotifications            | [string]      | Notification targets for the logs that do not correspond to any of the cases.                                                                                                                                                                                                                                                                                                                                    |
| thirdPartyRuleOptions    | defaultStatus                   | enum          | Severity of the Security Signal. Allowed enum values: `info,low,medium,high,critical`                                                                                                                                                                                                                                                                                                                            |
| thirdPartyRuleOptions    | rootQueries                     | [object]      | Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.                                                                                                                                                                                                                                                      |
| rootQueries              | groupByFields                   | [string]      | Fields to group by.                                                                                                                                                                                                                                                                                                                                                                                              |
| rootQueries              | query                           | string        | Query to run on logs.                                                                                                                                                                                                                                                                                                                                                                                            |
| thirdPartyRuleOptions    | signalTitleTemplate             | string        | A template for the signal title; if omitted, the title is generated based on the case name.                                                                                                                                                                                                                                                                                                                      |
| Option 2                 | queries                         | [object]      | Queries for selecting logs which are part of the rule.                                                                                                                                                                                                                                                                                                                                                           |
| queries                  | aggregation                     | enum          | The aggregation type. Allowed enum values: `count,cardinality,sum,max,new_value,geo_data,event_count,none`                                                                                                                                                                                                                                                                                                       |
| queries                  | correlatedByFields              | [string]      | Fields to correlate by.                                                                                                                                                                                                                                                                                                                                                                                          |
| queries                  | correlatedQueryIndex            | int32         | Index of the rule query used to retrieve the correlated field.                                                                                                                                                                                                                                                                                                                                                   |
| queries                  | defaultRuleId                   | string        | Default Rule ID to match on signals.                                                                                                                                                                                                                                                                                                                                                                             |
| queries                  | distinctFields                  | [string]      | Field for which the cardinality is measured. Sent as an array.                                                                                                                                                                                                                                                                                                                                                   |
| queries                  | groupByFields                   | [string]      | Fields to group by.                                                                                                                                                                                                                                                                                                                                                                                              |
| queries                  | metrics                         | [string]      | Group of target fields to aggregate over.                                                                                                                                                                                                                                                                                                                                                                        |
| queries                  | name                            | string        | Name of the query.                                                                                                                                                                                                                                                                                                                                                                                               |
| queries                  | ruleId                          | string        | Rule ID to match on signals.                                                                                                                                                                                                                                                                                                                                                                                     |
| Option 2                 | tags                            | [string]      | Tags for generated signals.                                                                                                                                                                                                                                                                                                                                                                                      |
| Option 2                 | type                            | enum          | The rule type. Allowed enum values: `signal_correlation`                                                                                                                                                                                                                                                                                                                                                         |
| Option 2                 | updateAuthorId                  | int64         | User ID of the user who updated the rule.                                                                                                                                                                                                                                                                                                                                                                        |
| Option 2                 | version                         | int64         | The version of the rule.                                                                                                                                                                                                                                                                                                                                                                                         |
| data                     | id                              | string        | ID of the rule.                                                                                                                                                                                                                                                                                                                                                                                                  |
| data                     | type                            | enum          | Type of data. Allowed enum values: `GetRuleVersionHistoryResponse`                                                                                                                                                                                                                                                                                                                                               |

{% /tab %}

{% tab title="Example" %}

```json
{
  "data": {
    "attributes": {
      "count": "integer",
      "data": {
        "<any-key>": {
          "changes": [
            {
              "change": "cloud_provider:aws",
              "field": "Tags",
              "type": "string"
            }
          ],
          "rule": {
            "calculatedFields": [
              {
                "expression": "@request_end_timestamp - @request_start_timestamp",
                "name": "response_time"
              }
            ],
            "cases": [
              {
                "actions": [
                  {
                    "options": {
                      "duration": 0,
                      "flaggedIPType": "FLAGGED",
                      "userBehaviorName": "string"
                    },
                    "type": "string"
                  }
                ],
                "condition": "string",
                "customStatus": "critical",
                "name": "string",
                "notifications": [],
                "status": "critical"
              }
            ],
            "complianceSignalOptions": {
              "defaultActivationStatus": false,
              "defaultGroupByFields": [],
              "userActivationStatus": false,
              "userGroupByFields": []
            },
            "createdAt": "integer",
            "creationAuthorId": "integer",
            "customMessage": "string",
            "customName": "string",
            "defaultTags": [
              "security:attacks"
            ],
            "deprecationDate": "integer",
            "filters": [
              {
                "action": "string",
                "query": "string"
              }
            ],
            "groupSignalsBy": [
              "service"
            ],
            "hasExtendedTitle": false,
            "id": "string",
            "isDefault": false,
            "isDeleted": false,
            "isEnabled": false,
            "message": "string",
            "name": "string",
            "options": {
              "anomalyDetectionOptions": {
                "bucketDuration": 300,
                "detectionTolerance": 5,
                "instantaneousBaseline": false,
                "learningDuration": "integer",
                "learningPeriodBaseline": "integer"
              },
              "complianceRuleOptions": {
                "complexRule": false,
                "regoRule": {
                  "policy": "package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(resource) = \"skip\" if {\n  # Logic that evaluates to true if the resource should be skipped\n  true\n} else = \"pass\" {\n  # Logic that evaluates to true if the resource is compliant\n  true\n} else = \"fail\" {\n  # Logic that evaluates to true if the resource is not compliant\n  true\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n  some resource in input.resources[input.main_resource_type]\n  result := dd_output.format(resource, eval(resource))\n}",
                  "resourceTypes": [
                    "gcp_iam_service_account",
                    "gcp_iam_policy"
                  ]
                },
                "resourceType": "aws_acm"
              },
              "decreaseCriticalityBasedOnEnv": false,
              "detectionMethod": "string",
              "evaluationWindow": "integer",
              "hardcodedEvaluatorType": "string",
              "impossibleTravelOptions": {
                "baselineUserLocations": true
              },
              "keepAlive": "integer",
              "maxSignalDuration": "integer",
              "newValueOptions": {
                "forgetAfter": "integer",
                "instantaneousBaseline": false,
                "learningDuration": "integer",
                "learningMethod": "string",
                "learningThreshold": "integer"
              },
              "sequenceDetectionOptions": {
                "stepTransitions": [
                  {
                    "child": "string",
                    "evaluationWindow": "integer",
                    "parent": "string"
                  }
                ],
                "steps": [
                  {
                    "condition": "string",
                    "evaluationWindow": "integer",
                    "name": "string"
                  }
                ]
              },
              "thirdPartyRuleOptions": {
                "defaultNotifications": [],
                "defaultStatus": "critical",
                "rootQueries": [
                  {
                    "groupByFields": [],
                    "query": "source:cloudtrail"
                  }
                ],
                "signalTitleTemplate": "string"
              }
            },
            "queries": [
              {
                "aggregation": "string",
                "customQueryExtension": "a > 3",
                "dataSource": "logs",
                "distinctFields": [],
                "groupByFields": [],
                "hasOptionalGroupByFields": false,
                "index": "string",
                "indexes": [],
                "metric": "string",
                "metrics": [],
                "name": "string",
                "query": "a > 3"
              }
            ],
            "referenceTables": [
              {
                "checkPresence": false,
                "columnName": "string",
                "logFieldPath": "string",
                "ruleQueryName": "string",
                "tableName": "string"
              }
            ],
            "schedulingOptions": {
              "rrule": "FREQ=HOURLY;INTERVAL=1;",
              "start": "2025-07-14T12:00:00",
              "timezone": "America/New_York"
            },
            "tags": [],
            "thirdPartyCases": [
              {
                "customStatus": "critical",
                "name": "string",
                "notifications": [],
                "query": "string",
                "status": "critical"
              }
            ],
            "type": "string",
            "updateAuthorId": "integer",
            "updatedAt": "integer",
            "version": "integer"
          }
        }
      }
    },
    "id": "string",
    "type": "string"
  }
}
```

{% /tab %}

{% /tab %}

{% tab title="400" %}
Bad Request
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="403" %}
Not Authorized
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="404" %}
Not Found
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="429" %}
Too many requests
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

### Code Example

```bash
# Path parameters
export rule_id="CHANGE_ME"
# Curl command (replace api.datadoghq.com with the API host for your Datadog site:
# api.ap1.datadoghq.com, api.ap2.datadoghq.com, api.datadoghq.eu, api.ddog-gov.com,
# api.datadoghq.com, api.us3.datadoghq.com, or api.us5.datadoghq.com)
curl -X GET "https://api.datadoghq.com/api/v2/security_monitoring/rules/${rule_id}/version_history" \
-H "Accept: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"
```

```python
"""
Get a rule's version history returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi

configuration = Configuration()
configuration.unstable_operations["get_rule_version_history"] = True
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.get_rule_version_history(
        rule_id="rule_id",
    )

    print(response)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=python), then save the example to `example.py` and run the following command (set `DD_SITE` to your Datadog site):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" python3 "example.py"
```

```ruby
# Get a rule's version history returns "OK" response

require "datadog_api_client"
DatadogAPIClient.configure do |config|
  config.unstable_operations["v2.get_rule_version_history".to_sym] = true
end
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new
p api_instance.get_rule_version_history("rule_id")
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=ruby), then save the example to `example.rb` and run the following command (set `DD_SITE` to your Datadog site):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" ruby "example.rb"
```

```go
// Get a rule's version history returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	configuration.SetUnstableOperationEnabled("v2.GetRuleVersionHistory", true)
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.GetRuleVersionHistory(ctx, "rule_id", *datadogV2.NewGetRuleVersionHistoryOptionalParameters())

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.GetRuleVersionHistory`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.GetRuleVersionHistory`:\n%s\n", responseContent)
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=go), then save the example to `main.go` and run the following command (set `DD_SITE` to your Datadog site):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" go run "main.go"
```

```java
// Get a rule's version history returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.GetRuleVersionHistoryResponse;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    defaultClient.setUnstableOperationEnabled("v2.getRuleVersionHistory", true);
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    try {
      GetRuleVersionHistoryResponse result = apiInstance.getRuleVersionHistory("rule_id");
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println("Exception when calling SecurityMonitoringApi#getRuleVersionHistory");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=java), then save the example to `Example.java` and run the following command (set `DD_SITE` to your Datadog site):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" java "Example.java"
```

```rust
// Get a rule's version history returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::GetRuleVersionHistoryOptionalParams;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;

#[tokio::main]
async fn main() {
    let mut configuration = datadog::Configuration::new();
    configuration.set_unstable_operation_enabled("v2.GetRuleVersionHistory", true);
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api
        .get_rule_version_history(
            "rule_id".to_string(),
            GetRuleVersionHistoryOptionalParams::default(),
        )
        .await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=rust), then save the example to `src/main.rs` and run the following command (set `DD_SITE` to your Datadog site):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" cargo run
```

```typescript
/**
 * Get a rule's version history returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
configuration.unstableOperations["v2.getRuleVersionHistory"] = true;
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiGetRuleVersionHistoryRequest = {
  ruleId: "rule_id",
};

apiInstance
  .getRuleVersionHistory(params)
  .then((data: v2.GetRuleVersionHistoryResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=typescript), then save the example to `example.ts` and run the following command (set `DD_SITE` to your Datadog site):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" tsc "example.ts"
```
{% /tab %}

## Run a threat hunting job{% #run-a-threat-hunting-job %}

{% tab title="v2" %}
**Note**: This endpoint is in beta and may be subject to changes. Please check the documentation regularly for updates.

| Datadog site      | API endpoint                                                       |
| ----------------- | ------------------------------------------------------------------ |
| ap1.datadoghq.com | POST https://api.ap1.datadoghq.com/api/v2/siem-threat-hunting/jobs |
| ap2.datadoghq.com | POST https://api.ap2.datadoghq.com/api/v2/siem-threat-hunting/jobs |
| app.datadoghq.eu  | POST https://api.datadoghq.eu/api/v2/siem-threat-hunting/jobs      |
| app.ddog-gov.com  | POST https://api.ddog-gov.com/api/v2/siem-threat-hunting/jobs      |
| app.datadoghq.com | POST https://api.datadoghq.com/api/v2/siem-threat-hunting/jobs     |
| us3.datadoghq.com | POST https://api.us3.datadoghq.com/api/v2/siem-threat-hunting/jobs |
| us5.datadoghq.com | POST https://api.us5.datadoghq.com/api/v2/siem-threat-hunting/jobs |

### Overview

Run a threat hunting job. This endpoint requires the `security_monitoring_rules_write` permission.

OAuth apps require the `security_monitoring_rules_write` authorization [scope](https://docs.datadoghq.com/api/latest/scopes/#security-monitoring) to access this endpoint.



### Request

#### Body Data (required)
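
The check below is an added example, not part of the Datadog documentation or client libraries: it validates the `data.attributes` object of this request locally against the required fields and allowed enum values listed in the Model table, so a malformed job is caught before it reaches an endpoint that needs `security_monitoring_rules_write`. The function names, the sample values, and the rules that `from` precedes `to`, that a request carries `fromRule` or `jobDefinition`, and that step transitions name defined steps are assumptions.

```python
"""Pre-flight check for a threat hunting job request body (added example)."""

# Allowed values and required fields copied from the Model table on this page.
WINDOWS = {0, 60, 300, 600, 900, 1800, 3600, 7200, 10800, 21600}
STATUSES = {"info", "low", "medium", "high", "critical"}
ACTION_TYPES = {"block_ip", "block_user", "user_behavior", "flag_ip"}
DETECTION_METHODS = {
    "threshold", "new_value", "anomaly_detection", "impossible_travel",
    "hardcoded", "third_party", "anomaly_threshold", "sequence_detection",
}
FROM_RULE_REQUIRED = ("from", "id", "index", "to")
# Required jobDefinition fields covered by this check.
JOB_REQUIRED = ("cases", "from", "index", "message", "name", "queries")

def _missing(obj, required, path):
    return [f"{path}.{key} is required" for key in required if key not in obj]

def _enum(value, allowed, path):
    """Return an error list for a value outside its documented enum."""
    if value is None or value in allowed:
        return []
    return [f"{path}={value!r} is not one of {sorted(allowed)}"]

def _time_range(obj, path):
    # Sanity check (assumption): the analyzed range must start before it ends.
    start, end = obj.get("from"), obj.get("to")
    if isinstance(start, int) and isinstance(end, int) and start >= end:
        return [f"{path}.from must be earlier than {path}.to"]
    return []

def _cases(cases):
    errors = []
    for i, case in enumerate(cases):
        path = f"cases[{i}]"
        errors += _missing(case, ("status",), path)
        errors += _enum(case.get("status"), STATUSES, f"{path}.status")
        for j, action in enumerate(case.get("actions", [])):
            errors += _enum(action.get("type"), ACTION_TYPES, f"{path}.actions[{j}].type")
    return errors

def _sequence(seq):
    errors = []
    names = [step.get("name") for step in seq.get("steps", [])]
    if len(names) != len(set(names)):
        errors.append("sequenceDetectionOptions.steps names must be unique")
    for i, tr in enumerate(seq.get("stepTransitions", [])):
        for end in ("parent", "child"):
            # Assumption: every transition endpoint names a defined step.
            if tr.get(end) not in names:
                errors.append(f"stepTransitions[{i}].{end}={tr.get(end)!r} is not a defined step")
        errors += _enum(tr.get("evaluationWindow"), WINDOWS, f"stepTransitions[{i}].evaluationWindow")
    return errors

def _job_definition(job):
    errors = _missing(job, JOB_REQUIRED, "jobDefinition") + _time_range(job, "jobDefinition")
    errors += _cases(job.get("cases", []))
    # groupSignalsBy must be a subset of the groups already used by the queries.
    groups = {f for q in job.get("queries", []) for f in q.get("groupByFields", [])}
    extra = sorted(set(job.get("groupSignalsBy", [])) - groups)
    if extra:
        errors.append(f"groupSignalsBy {extra} not in query groupByFields")
    opts = job.get("options", {})
    errors += _enum(opts.get("detectionMethod"), DETECTION_METHODS, "options.detectionMethod")
    for key in ("evaluationWindow", "keepAlive", "maxSignalDuration"):
        errors += _enum(opts.get(key), WINDOWS, f"options.{key}")
    errors += _sequence(opts.get("sequenceDetectionOptions", {}))
    return errors

def validate_job_attributes(attrs):
    """Return a list of problems found in data.attributes (empty list = passes)."""
    errors = []
    from_rule, job = attrs.get("fromRule"), attrs.get("jobDefinition")
    if from_rule is None and job is None:
        # Assumption: a request carries a fromRule or a jobDefinition.
        errors.append("attributes needs fromRule or jobDefinition")
    if from_rule is not None:
        errors += _missing(from_rule, FROM_RULE_REQUIRED, "fromRule")
        errors += _time_range(from_rule, "fromRule")
    if job is not None:
        errors += _job_definition(job)
    return errors

# Constructed sample inputs (not real rule IDs, indexes or timestamps).
GOOD = {"fromRule": {"id": "abc-123-xyz", "index": "main",
                     "from": 1730387522611, "to": 1730391122611}}
BAD = {"jobDefinition": {
    "name": "hunt", "message": "m", "index": "main", "from": 200, "to": 100,
    "queries": [{"query": "source:cloudtrail", "groupByFields": ["@usr.id"]}],
    "groupSignalsBy": ["@network.client.ip"],
    "cases": [{"status": "severe", "actions": [{"type": "flag_ip"}]}],
    "options": {"evaluationWindow": 120, "sequenceDetectionOptions": {
        "steps": [{"name": "login"}],
        "stepTransitions": [{"parent": "login", "child": "exfil"}]}},
}}

if __name__ == "__main__":
    for label, attrs in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, validate_job_attributes(attrs))
```

An empty list means the constraints checked here are met, not that the API will accept the job; the endpoint is in beta and its own validation remains authoritative.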



{% tab title="Model" %}

| Parent field             | Field                        | Type     | Description                                                                                                                                                                                                                                                        |
| ------------------------ | ---------------------------- | -------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
|                          | data                         | object   | Data for running a threat hunting job request.                                                                                                                                                                                                                     |
| data                     | attributes                   | object   | Run a threat hunting job request.                                                                                                                                                                                                                                  |
| attributes               | fromRule                     | object   | Definition of a threat hunting job based on a security monitoring rule.                                                                                                                                                                                            |
| fromRule                 | from [*required*]       | int64    | Starting time of data analyzed by the job.                                                                                                                                                                                                                         |
| fromRule                 | id [*required*]         | string   | ID of the detection rule used to create the job.                                                                                                                                                                                                                   |
| fromRule                 | index [*required*]      | string   | Index used to load the data.                                                                                                                                                                                                                                       |
| fromRule                 | notifications                | [string] | Notifications sent when the job is completed.                                                                                                                                                                                                                      |
| fromRule                 | to [*required*]         | int64    | Ending time of data analyzed by the job.                                                                                                                                                                                                                           |
| attributes               | id                           | string   | Request ID.                                                                                                                                                                                                                                                        |
| attributes               | jobDefinition                | object   | Definition of a threat hunting job.                                                                                                                                                                                                                                |
| jobDefinition            | calculatedFields             | [object] | Calculated fields.                                                                                                                                                                                                                                                 |
| calculatedFields         | expression [*required*] | string   | Expression.                                                                                                                                                                                                                                                        |
| calculatedFields         | name [*required*]       | string   | Field name.                                                                                                                                                                                                                                                        |
| jobDefinition            | cases [*required*]      | [object] | Cases used for generating job results.                                                                                                                                                                                                                             |
| cases                    | actions                      | [object] | Action to perform for each rule case.                                                                                                                                                                                                                              |
| actions                  | options                      | object   | Options for the rule action                                                                                                                                                                                                                                        |
| options                  | duration                     | int64    | Duration of the action in seconds. 0 indicates no expiration.                                                                                                                                                                                                      |
| options                  | flaggedIPType                | enum     | Used with the case action of type 'flag_ip'. The value specified in this field is applied as a flag to the IP addresses. Allowed enum values: `SUSPICIOUS,FLAGGED`                                                                                                 |
| options                  | userBehaviorName             | string   | Used with the case action of type 'user_behavior'. The value specified in this field is applied as a risk tag to all users affected by the rule.                                                                                                                   |
| actions                  | type                         | enum     | The action type. Allowed enum values: `block_ip,block_user,user_behavior,flag_ip`                                                                                                                                                                                  |
| cases                    | condition                    | string   | A case contains logical operations (`>`, `>=`, `&&`, `\|\|`) to determine if a signal should be generated based on the event counts in the previously defined queries.                                                                                           |
| cases                    | name                         | string   | Name of the case.                                                                                                                                                                                                                                                  |
| cases                    | notifications                | [string] | Notification targets.                                                                                                                                                                                                                                              |
| cases                    | status [*required*]     | enum     | Severity of the Security Signal. Allowed enum values: `info,low,medium,high,critical`                                                                                                                                                                              |
| jobDefinition            | from [*required*]       | int64    | Starting time of data analyzed by the job.                                                                                                                                                                                                                         |
| jobDefinition            | groupSignalsBy               | [string] | Additional grouping to perform on top of the existing groups in the query section. Must be a subset of the existing groups.                                                                                                                                        |
| jobDefinition            | index [*required*]      | string   | Index used to load the data.                                                                                                                                                                                                                                       |
| jobDefinition            | message [*required*]    | string   | Message for generated results.                                                                                                                                                                                                                                     |
| jobDefinition            | name [*required*]       | string   | Job name.                                                                                                                                                                                                                                                          |
| jobDefinition            | options                      | object   | Job options.                                                                                                                                                                                                                                                       |
| options                  | anomalyDetectionOptions      | object   | Options on anomaly detection method.                                                                                                                                                                                                                               |
| anomalyDetectionOptions  | bucketDuration               | enum     | Duration in seconds of the time buckets used to aggregate events matched by the rule. Must be greater than or equal to 300. Allowed enum values: `300,600,900,1800,3600,10800`                                                                                     |
| anomalyDetectionOptions  | detectionTolerance           | enum     | An optional parameter that sets how permissive anomaly detection is. Higher values require higher deviations before triggering a signal. Allowed enum values: `1,2,3,4,5`                                                                                          |
| anomalyDetectionOptions  | instantaneousBaseline        | boolean  | When set to true, Datadog uses previous values that fall within the defined learning window to construct the baseline, enabling the system to establish an accurate baseline more rapidly rather than relying solely on gradual learning over time.                |
| anomalyDetectionOptions  | learningDuration             | enum     | Learning duration in hours. Anomaly detection waits for at least this amount of historical data before it starts evaluating. Allowed enum values: `1,6,12,24,48,168,336`                                                                                           |
| anomalyDetectionOptions  | learningPeriodBaseline       | int64    | An optional override baseline to apply while the rule is in the learning period. Must be greater than or equal to 0.                                                                                                                                               |
| options                  | detectionMethod              | enum     | The detection method. Allowed enum values: `threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold,sequence_detection`                                                                                                    |
| options                  | evaluationWindow             | enum     | A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600` |
| options                  | impossibleTravelOptions      | object   | Options on impossible travel detection method.                                                                                                                                                                                                                     |
| impossibleTravelOptions  | baselineUserLocations        | boolean  | If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.                                                      |
| options                  | keepAlive                    | enum     | Once a signal is generated, the signal will remain "open" if a case is matched at least once within this keep alive window. For third party detection method, this field is not used. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600`           |
| options                  | maxSignalDuration            | enum     | A signal will "close" regardless of the query being matched once the time exceeds the maximum duration. This time is calculated from the first seen timestamp. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600`                                  |
| options                  | newValueOptions              | object   | Options on new value detection method.                                                                                                                                                                                                                             |
| newValueOptions          | forgetAfter                  | enum     | The duration in days after which a learned value is forgotten. Allowed enum values: `1,2,7,14,21,28`                                                                                                                                                               |
| newValueOptions          | instantaneousBaseline        | boolean  | When set to true, Datadog uses previous values that fall within the defined learning window to construct the baseline, enabling the system to establish an accurate baseline more rapidly rather than relying solely on gradual learning over time.                |
| newValueOptions          | learningDuration             | enum     | The duration in days during which values are learned, and after which signals will be generated for values that weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned. Allowed enum values: `0,1,7`         |
| newValueOptions          | learningMethod               | enum     | The learning method used to determine when signals should be generated for values that weren't learned. Allowed enum values: `duration,threshold`                                                                                                                  |
| newValueOptions          | learningThreshold            | enum     | A number of occurrences after which signals will be generated for values that weren't learned. Allowed enum values: `0,1`                                                                                                                                          |
| options                  | sequenceDetectionOptions     | object   | Options on sequence detection method.                                                                                                                                                                                                                              |
| sequenceDetectionOptions | stepTransitions              | [object] | Transitions defining the allowed order of steps and their evaluation windows.                                                                                                                                                                                      |
| stepTransitions          | child                        | string   | Name of the child step.                                                                                                                                                                                                                                            |
| stepTransitions          | evaluationWindow             | enum     | A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600` |
| stepTransitions          | parent                       | string   | Name of the parent step.                                                                                                                                                                                                                                           |
| sequenceDetectionOptions | steps                        | [object] | Steps that define the conditions to be matched in sequence.                                                                                                                                                                                                        |
| steps                    | condition                    | string   | Condition referencing rule queries (e.g., `a > 0`).                                                                                                                                                                                                                |
| steps                    | evaluationWindow             | enum     | A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600` |
| steps                    | name                         | string   | Unique name identifying the step.                                                                                                                                                                                                                                  |
| options                  | thirdPartyRuleOptions        | object   | Options on third party detection method.                                                                                                                                                                                                                           |
| thirdPartyRuleOptions    | defaultNotifications         | [string] | Notification targets for the logs that do not correspond to any of the cases.                                                                                                                                                                                      |
| thirdPartyRuleOptions    | defaultStatus                | enum     | Severity of the Security Signal. Allowed enum values: `info,low,medium,high,critical`                                                                                                                                                                              |
| thirdPartyRuleOptions    | rootQueries                  | [object] | Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.                                                                                                        |
| rootQueries              | groupByFields                | [string] | Fields to group by.                                                                                                                                                                                                                                                |
| rootQueries              | query                        | string   | Query to run on logs.                                                                                                                                                                                                                                              |
| thirdPartyRuleOptions    | signalTitleTemplate          | string   | A template for the signal title; if omitted, the title is generated based on the case name.                                                                                                                                                                        |
| jobDefinition            | queries [*required*]    | [object] | Queries for selecting logs analyzed by the job.                                                                                                                                                                                                                    |
| queries                  | aggregation                  | enum     | The aggregation type. Allowed enum values: `count,cardinality,sum,max,new_value,geo_data,event_count,none`                                                                                                                                                         |
| queries                  | dataSource                   | enum     | Source of events, either logs, audit trail, or Datadog events. `app_sec_spans` is deprecated in favor of `spans`. Allowed enum values: `logs,audit,app_sec_spans,spans,security_runtime,network,events`                                                            |
| queries                  | distinctFields               | [string] | Field for which the cardinality is measured. Sent as an array.                                                                                                                                                                                                     |
| queries                  | groupByFields                | [string] | Fields to group by.                                                                                                                                                                                                                                                |
| queries                  | hasOptionalGroupByFields     | boolean  | When false, events without a group-by value are ignored by the query. When true, events with missing group-by fields are processed with `N/A`, replacing the missing values.                                                                                       |
| queries                  | metrics                      | [string] | Group of target fields to aggregate over when using the sum, max, geo data, or new value aggregations. The sum, max, and geo data aggregations only accept one value in this list, whereas the new value aggregation accepts up to five values.                    |
| queries                  | name                         | string   | Name of the query.                                                                                                                                                                                                                                                 |
| queries                  | query                        | string   | Query to run on logs.                                                                                                                                                                                                                                              |
| jobDefinition            | referenceTables              | [object] | Reference tables used in the queries.                                                                                                                                                                                                                              |
| referenceTables          | checkPresence                | boolean  | Whether to include or exclude the matched values.                                                                                                                                                                                                                  |
| referenceTables          | columnName                   | string   | The name of the column in the reference table.                                                                                                                                                                                                                     |
| referenceTables          | logFieldPath                 | string   | The field in the log to match against the reference table.                                                                                                                                                                                                         |
| referenceTables          | ruleQueryName                | string   | The name of the query to apply the reference table to.                                                                                                                                                                                                             |
| referenceTables          | tableName                    | string   | The name of the reference table.                                                                                                                                                                                                                                   |
| jobDefinition            | tags                         | [string] | Tags for generated signals.                                                                                                                                                                                                                                        |
| jobDefinition            | thirdPartyCases              | [object] | Cases for generating results from third-party detection method. Only available for third-party detection method.                                                                                                                                                   |
| thirdPartyCases          | name                         | string   | Name of the case.                                                                                                                                                                                                                                                  |
| thirdPartyCases          | notifications                | [string] | Notification targets for each case.                                                                                                                                                                                                                                |
| thirdPartyCases          | query                        | string   | A query to map a third party event to this case.                                                                                                                                                                                                                   |
| thirdPartyCases          | status [*required*]     | enum     | Severity of the Security Signal. Allowed enum values: `info,low,medium,high,critical`                                                                                                                                                                              |
| jobDefinition            | to [*required*]         | int64    | Ending time of data analyzed by the job.                                                                                                                                                                                                                           |
| jobDefinition            | type                         | string   | Job type.                                                                                                                                                                                                                                                          |
| data                     | type                         | enum     | Type of data. Allowed enum values: `historicalDetectionsJobCreate`                                                                                                                                                                                                 |

{% /tab %}

{% tab title="Example" %}

```json
{
  "data": {
    "type": "historicalDetectionsJobCreate",
    "attributes": {
      "jobDefinition": {
        "type": "log_detection",
        "name": "Excessive number of failed attempts.",
        "queries": [
          {
            "query": "source:non_existing_src_weekend",
            "aggregation": "count",
            "groupByFields": [],
            "distinctFields": []
          }
        ],
        "cases": [
          {
            "name": "Condition 1",
            "status": "info",
            "notifications": [],
            "condition": "a > 1"
          }
        ],
        "options": {
          "keepAlive": 3600,
          "maxSignalDuration": 86400,
          "evaluationWindow": 900
        },
        "message": "A large number of failed login attempts.",
        "tags": [],
        "from": 1730387522611,
        "to": 1730387532611,
        "index": "main"
      }
    }
  }
}
```

{% /tab %}
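A client-side pre-flight check for the request body above, as an added example (not Datadog's code and not part of its client libraries). It applies the enum values and metric-count limits from the model table. It also assumes that `from` must precede `to`, that `cases[].status` uses the same severity enum as `thirdPartyCases[].status`, and that `referenceTables[].ruleQueryName` should name one of the job's queries; the names `validate_job_request`, `PAGE_EXAMPLE` and `CONSTRUCTED_BAD` are hypothetical.

```python
# Added example: client-side pre-flight check for a threat hunting job request.
# Enum values and metric limits are copied from the request model on this page.
EVALUATION_WINDOWS = {0, 60, 300, 600, 900, 1800, 3600, 7200, 10800, 21600}
AGGREGATIONS = {"count", "cardinality", "sum", "max", "new_value",
                "geo_data", "event_count", "none"}
DATA_SOURCES = {"logs", "audit", "app_sec_spans", "spans",
                "security_runtime", "network", "events"}
SEVERITIES = {"info", "low", "medium", "high", "critical"}
ONE_METRIC_AGGREGATIONS = {"sum", "max", "geo_data"}  # accept a single metric
NEW_VALUE_MAX_METRICS = 5  # new_value accepts up to five metrics


def _check_query(index, query, errors, warnings):
    where = f"queries[{index}]"
    agg = query.get("aggregation")
    if agg is not None and agg not in AGGREGATIONS:
        errors.append(f"{where}.aggregation: {agg!r} is not allowed")
    source = query.get("dataSource")
    if source is not None and source not in DATA_SOURCES:
        errors.append(f"{where}.dataSource: {source!r} is not allowed")
    elif source == "app_sec_spans":
        warnings.append(f"{where}.dataSource: app_sec_spans is deprecated, use spans")
    metrics = query.get("metrics") or []
    if agg in ONE_METRIC_AGGREGATIONS and len(metrics) > 1:
        errors.append(f"{where}.metrics: {agg} accepts only one value")
    if agg == "new_value" and len(metrics) > NEW_VALUE_MAX_METRICS:
        errors.append(f"{where}.metrics: new_value accepts up to five values")


def validate_job_request(payload):
    """Return (errors, warnings) for a threat hunting job request body."""
    errors, warnings = [], []
    data = payload.get("data") or {}
    if data.get("type") != "historicalDetectionsJobCreate":
        errors.append("data.type: must be historicalDetectionsJobCreate")
    job = (data.get("attributes") or {}).get("jobDefinition")
    if not isinstance(job, dict):
        errors.append("data.attributes.jobDefinition: missing")
        return errors, warnings

    queries = job.get("queries")
    if not isinstance(queries, list) or not queries:
        errors.append("jobDefinition.queries: required")
        queries = []
    for index, query in enumerate(queries):
        _check_query(index, query, errors, warnings)

    start, end = job.get("from"), job.get("to")
    if not isinstance(end, int):
        errors.append("jobDefinition.to: required int64")
    elif isinstance(start, int) and start >= end:
        # Assumption: the start of the analyzed range must precede its end.
        errors.append("jobDefinition.from: must be earlier than jobDefinition.to")

    window = (job.get("options") or {}).get("evaluationWindow")
    if window is not None and window not in EVALUATION_WINDOWS:
        errors.append(f"options.evaluationWindow: {window!r} is not allowed")

    # status is required for thirdPartyCases; cases are assumed to share the enum.
    for kind in ("cases", "thirdPartyCases"):
        for index, case in enumerate(job.get(kind) or []):
            if case.get("status") not in SEVERITIES:
                errors.append(f"{kind}[{index}].status: {case.get('status')!r} is not allowed")

    # Assumption: ruleQueryName should point at one of the job's named queries.
    names = {q.get("name") for q in queries if q.get("name")}
    for index, ref in enumerate(job.get("referenceTables") or []):
        if ref.get("ruleQueryName") not in names:
            warnings.append(f"referenceTables[{index}].ruleQueryName: no query with that name")
    return errors, warnings


# The request example from this page.
PAGE_EXAMPLE = {"data": {"type": "historicalDetectionsJobCreate", "attributes": {"jobDefinition": {
    "type": "log_detection", "name": "Excessive number of failed attempts.",
    "queries": [{"query": "source:non_existing_src_weekend", "aggregation": "count",
                 "groupByFields": [], "distinctFields": []}],
    "cases": [{"name": "Condition 1", "status": "info", "notifications": [],
               "condition": "a > 1"}],
    "options": {"keepAlive": 3600, "maxSignalDuration": 86400, "evaluationWindow": 900},
    "message": "A large number of failed login attempts.", "tags": [],
    "from": 1730387522611, "to": 1730387532611, "index": "main"}}}}

# Constructed payload with deliberate mistakes (not from the page).
CONSTRUCTED_BAD = {"data": {"type": "historicalDetectionsJobCreate", "attributes": {"jobDefinition": {
    "queries": [{"name": "a", "query": "source:example", "aggregation": "sum",
                 "metrics": ["@bytes_in", "@bytes_out"], "dataSource": "app_sec_spans"}],
    "cases": [{"name": "Condition 1", "status": "urgent", "condition": "a > 1"}],
    "options": {"evaluationWindow": 120},
    "referenceTables": [{"tableName": "example_table", "ruleQueryName": "b"}],
    "from": 1730387532611, "to": 1730387522611}}}}

if __name__ == "__main__":
    for label, body in (("page example", PAGE_EXAMPLE), ("constructed", CONSTRUCTED_BAD)):
        errs, warns = validate_job_request(body)
        print(label, "errors:", errs, "warnings:", warns)
```

Running the check before the POST catches payload mistakes locally instead of through a `400` response; the API remains the authority on what it accepts.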

### Response

{% tab title="201" %}
Status created
{% tab title="Model" %}
Run a threat hunting job response.

| Parent field | Field | Type   | Description                                                     |
| ------------ | ----- | ------ | --------------------------------------------------------------- |
|              | data  | object | The definition of `JobCreateResponseData` object.               |
| data         | id    | string | ID of the created job.                                          |
| data         | type  | enum   | Type of payload. Allowed enum values: `historicalDetectionsJob` |

{% /tab %}

{% tab title="Example" %}

```json
{
  "data": {
    "id": "string",
    "type": "string"
  }
}
```

{% /tab %}

{% /tab %}

{% tab title="400" %}
Bad Request
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="401" %}
Concurrent Modification
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="403" %}
Not Authorized
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="404" %}
Not Found
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="429" %}
Too many requests
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

### Code Example

```bash
# Curl command
# Use the API host for your Datadog site: api.ap1.datadoghq.com, api.ap2.datadoghq.com,
# api.datadoghq.eu, api.ddog-gov.com, api.datadoghq.com, api.us3.datadoghq.com,
# or api.us5.datadoghq.com.
curl -X POST "https://api.datadoghq.com/api/v2/siem-threat-hunting/jobs" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "data": {
    "type": "historicalDetectionsJobCreate",
    "attributes": {
      "jobDefinition": {
        "type": "log_detection",
        "name": "Excessive number of failed attempts.",
        "queries": [
          {
            "query": "source:non_existing_src_weekend",
            "aggregation": "count",
            "groupByFields": [],
            "distinctFields": []
          }
        ],
        "cases": [
          {
            "name": "Condition 1",
            "status": "info",
            "notifications": [],
            "condition": "a > 1"
          }
        ],
        "options": {
          "keepAlive": 3600,
          "maxSignalDuration": 86400,
          "evaluationWindow": 900
        },
        "message": "A large number of failed login attempts.",
        "tags": [],
        "from": 1730387522611,
        "to": 1730387532611,
        "index": "main"
      }
    }
  }
}
EOF
```

```go
// Run a threat hunting job returns "Status created" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	body := datadogV2.RunThreatHuntingJobRequest{
		Data: &datadogV2.RunThreatHuntingJobRequestData{
			Type: datadogV2.RUNTHREATHUNTINGJOBREQUESTDATATYPE_HISTORICALDETECTIONSJOBCREATE.Ptr(),
			Attributes: &datadogV2.RunThreatHuntingJobRequestAttributes{
				JobDefinition: &datadogV2.JobDefinition{
					Type: datadog.PtrString("log_detection"),
					Name: "Excessive number of failed attempts.",
					Queries: []datadogV2.ThreatHuntingJobQuery{
						{
							Query:          datadog.PtrString("source:non_existing_src_weekend"),
							Aggregation:    datadogV2.SECURITYMONITORINGRULEQUERYAGGREGATION_COUNT.Ptr(),
							GroupByFields:  []string{},
							DistinctFields: []string{},
						},
					},
					Cases: []datadogV2.SecurityMonitoringRuleCaseCreate{
						{
							Name:          datadog.PtrString("Condition 1"),
							Status:        datadogV2.SECURITYMONITORINGRULESEVERITY_INFO,
							Notifications: []string{},
							Condition:     datadog.PtrString("a > 1"),
						},
					},
					Options: &datadogV2.ThreatHuntingJobOptions{
						KeepAlive:         datadogV2.SECURITYMONITORINGRULEKEEPALIVE_ONE_HOUR.Ptr(),
						MaxSignalDuration: datadogV2.SECURITYMONITORINGRULEMAXSIGNALDURATION_ONE_DAY.Ptr(),
						EvaluationWindow:  datadogV2.SECURITYMONITORINGRULEEVALUATIONWINDOW_FIFTEEN_MINUTES.Ptr(),
					},
					Message: "A large number of failed login attempts.",
					Tags:    []string{},
					From:    1730387522611,
					To:      1730387532611,
					Index:   "main",
				},
			},
		},
	}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	configuration.SetUnstableOperationEnabled("v2.RunThreatHuntingJob", true)
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.RunThreatHuntingJob(ctx, body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.RunThreatHuntingJob`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.RunThreatHuntingJob`:\n%s\n", responseContent)
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=go), then save the example to `main.go` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
```

```java
// Run a threat hunting job returns "Status created" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.JobCreateResponse;
import com.datadog.api.client.v2.model.JobDefinition;
import com.datadog.api.client.v2.model.RunThreatHuntingJobRequest;
import com.datadog.api.client.v2.model.RunThreatHuntingJobRequestAttributes;
import com.datadog.api.client.v2.model.RunThreatHuntingJobRequestData;
import com.datadog.api.client.v2.model.RunThreatHuntingJobRequestDataType;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleCaseCreate;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleEvaluationWindow;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleKeepAlive;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleMaxSignalDuration;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleQueryAggregation;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleSeverity;
import com.datadog.api.client.v2.model.ThreatHuntingJobOptions;
import com.datadog.api.client.v2.model.ThreatHuntingJobQuery;
import java.util.Collections;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    defaultClient.setUnstableOperationEnabled("v2.runThreatHuntingJob", true);
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    RunThreatHuntingJobRequest body =
        new RunThreatHuntingJobRequest()
            .data(
                new RunThreatHuntingJobRequestData()
                    .type(RunThreatHuntingJobRequestDataType.HISTORICALDETECTIONSJOBCREATE)
                    .attributes(
                        new RunThreatHuntingJobRequestAttributes()
                            .jobDefinition(
                                new JobDefinition()
                                    .type("log_detection")
                                    .name("Excessive number of failed attempts.")
                                    .queries(
                                        Collections.singletonList(
                                            new ThreatHuntingJobQuery()
                                                .query("source:non_existing_src_weekend")
                                                .aggregation(
                                                    SecurityMonitoringRuleQueryAggregation.COUNT)))
                                    .cases(
                                        Collections.singletonList(
                                            new SecurityMonitoringRuleCaseCreate()
                                                .name("Condition 1")
                                                .status(SecurityMonitoringRuleSeverity.INFO)
                                                .condition("a > 1")))
                                    .options(
                                        new ThreatHuntingJobOptions()
                                            .keepAlive(SecurityMonitoringRuleKeepAlive.ONE_HOUR)
                                            .maxSignalDuration(
                                                SecurityMonitoringRuleMaxSignalDuration.ONE_DAY)
                                            .evaluationWindow(
                                                SecurityMonitoringRuleEvaluationWindow
                                                    .FIFTEEN_MINUTES))
                                    .message("A large number of failed login attempts.")
                                    .from(1730387522611L)
                                    .to(1730387532611L)
                                    .index("main"))));

    try {
      JobCreateResponse result = apiInstance.runThreatHuntingJob(body);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println("Exception when calling SecurityMonitoringApi#runThreatHuntingJob");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=java), then save the example to `Example.java` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"
```

```python
"""
Run a threat hunting job returns "Status created" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.job_definition import JobDefinition
from datadog_api_client.v2.model.run_threat_hunting_job_request import RunThreatHuntingJobRequest
from datadog_api_client.v2.model.run_threat_hunting_job_request_attributes import RunThreatHuntingJobRequestAttributes
from datadog_api_client.v2.model.run_threat_hunting_job_request_data import RunThreatHuntingJobRequestData
from datadog_api_client.v2.model.run_threat_hunting_job_request_data_type import RunThreatHuntingJobRequestDataType
from datadog_api_client.v2.model.security_monitoring_rule_case_create import SecurityMonitoringRuleCaseCreate
from datadog_api_client.v2.model.security_monitoring_rule_evaluation_window import (
    SecurityMonitoringRuleEvaluationWindow,
)
from datadog_api_client.v2.model.security_monitoring_rule_keep_alive import SecurityMonitoringRuleKeepAlive
from datadog_api_client.v2.model.security_monitoring_rule_max_signal_duration import (
    SecurityMonitoringRuleMaxSignalDuration,
)
from datadog_api_client.v2.model.security_monitoring_rule_query_aggregation import (
    SecurityMonitoringRuleQueryAggregation,
)
from datadog_api_client.v2.model.security_monitoring_rule_severity import SecurityMonitoringRuleSeverity
from datadog_api_client.v2.model.threat_hunting_job_options import ThreatHuntingJobOptions
from datadog_api_client.v2.model.threat_hunting_job_query import ThreatHuntingJobQuery

body = RunThreatHuntingJobRequest(
    data=RunThreatHuntingJobRequestData(
        type=RunThreatHuntingJobRequestDataType.HISTORICALDETECTIONSJOBCREATE,
        attributes=RunThreatHuntingJobRequestAttributes(
            job_definition=JobDefinition(
                type="log_detection",
                name="Excessive number of failed attempts.",
                queries=[
                    ThreatHuntingJobQuery(
                        query="source:non_existing_src_weekend",
                        aggregation=SecurityMonitoringRuleQueryAggregation.COUNT,
                        group_by_fields=[],
                        distinct_fields=[],
                    ),
                ],
                cases=[
                    SecurityMonitoringRuleCaseCreate(
                        name="Condition 1",
                        status=SecurityMonitoringRuleSeverity.INFO,
                        notifications=[],
                        condition="a > 1",
                    ),
                ],
                options=ThreatHuntingJobOptions(
                    keep_alive=SecurityMonitoringRuleKeepAlive.ONE_HOUR,
                    max_signal_duration=SecurityMonitoringRuleMaxSignalDuration.ONE_DAY,
                    evaluation_window=SecurityMonitoringRuleEvaluationWindow.FIFTEEN_MINUTES,
                ),
                message="A large number of failed login attempts.",
                tags=[],
                _from=1730387522611,
                to=1730387532611,
                index="main",
            ),
        ),
    ),
)

configuration = Configuration()
configuration.unstable_operations["run_threat_hunting_job"] = True
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.run_threat_hunting_job(body=body)

    print(response)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=python), then save the example to `example.py` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
```

```ruby
# Run a threat hunting job returns "Status created" response

require "datadog_api_client"
DatadogAPIClient.configure do |config|
  config.unstable_operations["v2.run_threat_hunting_job".to_sym] = true
end
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

body = DatadogAPIClient::V2::RunThreatHuntingJobRequest.new({
  data: DatadogAPIClient::V2::RunThreatHuntingJobRequestData.new({
    type: DatadogAPIClient::V2::RunThreatHuntingJobRequestDataType::HISTORICALDETECTIONSJOBCREATE,
    attributes: DatadogAPIClient::V2::RunThreatHuntingJobRequestAttributes.new({
      job_definition: DatadogAPIClient::V2::JobDefinition.new({
        type: "log_detection",
        name: "Excessive number of failed attempts.",
        queries: [
          DatadogAPIClient::V2::ThreatHuntingJobQuery.new({
            query: "source:non_existing_src_weekend",
            aggregation: DatadogAPIClient::V2::SecurityMonitoringRuleQueryAggregation::COUNT,
            group_by_fields: [],
            distinct_fields: [],
          }),
        ],
        cases: [
          DatadogAPIClient::V2::SecurityMonitoringRuleCaseCreate.new({
            name: "Condition 1",
            status: DatadogAPIClient::V2::SecurityMonitoringRuleSeverity::INFO,
            notifications: [],
            condition: "a > 1",
          }),
        ],
        options: DatadogAPIClient::V2::ThreatHuntingJobOptions.new({
          keep_alive: DatadogAPIClient::V2::SecurityMonitoringRuleKeepAlive::ONE_HOUR,
          max_signal_duration: DatadogAPIClient::V2::SecurityMonitoringRuleMaxSignalDuration::ONE_DAY,
          evaluation_window: DatadogAPIClient::V2::SecurityMonitoringRuleEvaluationWindow::FIFTEEN_MINUTES,
        }),
        message: "A large number of failed login attempts.",
        tags: [],
        from: 1730387522611,
        to: 1730387532611,
        index: "main",
      }),
    }),
  }),
})
p api_instance.run_threat_hunting_job(body)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=ruby), then save the example to `example.rb` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" ruby "example.rb"
```

```rust
// Run a threat hunting job returns "Status created" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::JobDefinition;
use datadog_api_client::datadogV2::model::RunThreatHuntingJobRequest;
use datadog_api_client::datadogV2::model::RunThreatHuntingJobRequestAttributes;
use datadog_api_client::datadogV2::model::RunThreatHuntingJobRequestData;
use datadog_api_client::datadogV2::model::RunThreatHuntingJobRequestDataType;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleCaseCreate;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleEvaluationWindow;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleKeepAlive;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleMaxSignalDuration;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleQueryAggregation;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleSeverity;
use datadog_api_client::datadogV2::model::ThreatHuntingJobOptions;
use datadog_api_client::datadogV2::model::ThreatHuntingJobQuery;

#[tokio::main]
async fn main() {
    let body = RunThreatHuntingJobRequest::new().data(
        RunThreatHuntingJobRequestData::new()
            .attributes(
                RunThreatHuntingJobRequestAttributes::new().job_definition(
                    JobDefinition::new(
                        vec![SecurityMonitoringRuleCaseCreate::new(
                            SecurityMonitoringRuleSeverity::INFO,
                        )
                        .condition("a > 1".to_string())
                        .name("Condition 1".to_string())
                        .notifications(vec![])],
                        1730387522611,
                        "main".to_string(),
                        "A large number of failed login attempts.".to_string(),
                        "Excessive number of failed attempts.".to_string(),
                        vec![ThreatHuntingJobQuery::new()
                            .aggregation(SecurityMonitoringRuleQueryAggregation::COUNT)
                            .distinct_fields(vec![])
                            .group_by_fields(vec![])
                            .query("source:non_existing_src_weekend".to_string())],
                        1730387532611,
                    )
                    .options(
                        ThreatHuntingJobOptions::new()
                            .evaluation_window(
                                SecurityMonitoringRuleEvaluationWindow::FIFTEEN_MINUTES,
                            )
                            .keep_alive(SecurityMonitoringRuleKeepAlive::ONE_HOUR)
                            .max_signal_duration(SecurityMonitoringRuleMaxSignalDuration::ONE_DAY),
                    )
                    .tags(vec![])
                    .type_("log_detection".to_string()),
                ),
            )
            .type_(RunThreatHuntingJobRequestDataType::HISTORICALDETECTIONSJOBCREATE),
    );
    let mut configuration = datadog::Configuration::new();
    configuration.set_unstable_operation_enabled("v2.RunThreatHuntingJob", true);
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api.run_threat_hunting_job(body).await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=rust), then save the example to `src/main.rs` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run
```

```typescript
/**
 * Run a threat hunting job returns "Status created" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
configuration.unstableOperations["v2.runThreatHuntingJob"] = true;
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiRunThreatHuntingJobRequest = {
  body: {
    data: {
      type: "historicalDetectionsJobCreate",
      attributes: {
        jobDefinition: {
          type: "log_detection",
          name: "Excessive number of failed attempts.",
          queries: [
            {
              query: "source:non_existing_src_weekend",
              aggregation: "count",
              groupByFields: [],
              distinctFields: [],
            },
          ],
          cases: [
            {
              name: "Condition 1",
              status: "info",
              notifications: [],
              condition: "a > 1",
            },
          ],
          options: {
            keepAlive: 3600,
            maxSignalDuration: 86400,
            evaluationWindow: 900,
          },
          message: "A large number of failed login attempts.",
          tags: [],
          from: 1730387522611,
          to: 1730387532611,
          index: "main",
        },
      },
    },
  },
};

apiInstance
  .runThreatHuntingJob(params)
  .then((data: v2.JobCreateResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=typescript), then save the example to `example.ts` and run the following command, setting `DD_SITE` to your Datadog site (one of `datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"
{% /tab %}

## List threat hunting jobs{% #list-threat-hunting-jobs %}

{% tab title="v2" %}
**Note**: This endpoint is in beta and may be subject to changes. Please check the documentation regularly for updates.

| Datadog site      | API endpoint                                                      |
| ----------------- | ----------------------------------------------------------------- |
| ap1.datadoghq.com | GET https://api.ap1.datadoghq.com/api/v2/siem-threat-hunting/jobs |
| ap2.datadoghq.com | GET https://api.ap2.datadoghq.com/api/v2/siem-threat-hunting/jobs |
| app.datadoghq.eu  | GET https://api.datadoghq.eu/api/v2/siem-threat-hunting/jobs      |
| app.ddog-gov.com  | GET https://api.ddog-gov.com/api/v2/siem-threat-hunting/jobs      |
| app.datadoghq.com | GET https://api.datadoghq.com/api/v2/siem-threat-hunting/jobs     |
| us3.datadoghq.com | GET https://api.us3.datadoghq.com/api/v2/siem-threat-hunting/jobs |
| us5.datadoghq.com | GET https://api.us5.datadoghq.com/api/v2/siem-threat-hunting/jobs |

### Overview

List threat hunting jobs.

### Arguments

#### Query Strings

| Name          | Type    | Description                                              |
| ------------- | ------- | -------------------------------------------------------- |
| page[size]    | integer | Size for a given page. The maximum allowed value is 100. |
| page[number]  | integer | Specific page number to return.                          |
| sort          | string  | The order of the jobs in results.                        |
| filter[query] | string  | Query used to filter items from the fetched list.        |
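
The paging parameters above, as an added example that is not part of Datadog's documentation or client libraries: standard-library Python that walks `page[number]` at the documented maximum `page[size]` of 100 and tallies jobs by `createdByHandle` and `jobStatus` from the response model. It assumes page numbering starts at 0 and the `DD-API-KEY` / `DD-APPLICATION-KEY` request headers; the function names, `SAMPLE_JOBS` and its status strings are constructed for illustration.

```python
import json
import os
import urllib.parse
import urllib.request
from collections import Counter

MAX_PAGE_SIZE = 100  # documented maximum for page[size]


def build_url(site, page_number, page_size=MAX_PAGE_SIZE, sort=None, filter_query=None):
    """Build the list URL for one page; `site` is a DD_SITE value such as 'datadoghq.com'."""
    if not 1 <= page_size <= MAX_PAGE_SIZE:
        raise ValueError(f"page[size] must be between 1 and {MAX_PAGE_SIZE}")
    params = {"page[size]": page_size, "page[number]": page_number}
    if sort:
        params["sort"] = sort
    if filter_query:
        params["filter[query]"] = filter_query
    # urlencode percent-encodes the brackets and the filter text.
    query = urllib.parse.urlencode(params)
    return f"https://api.{site}/api/v2/siem-threat-hunting/jobs?{query}"


def http_fetch(url):
    """Real transport: GET with the API and application keys taken from the environment."""
    request = urllib.request.Request(url, headers={
        "Accept": "application/json",
        "DD-API-KEY": os.environ["DD_API_KEY"],
        "DD-APPLICATION-KEY": os.environ["DD_APP_KEY"],
    })
    with urllib.request.urlopen(request, timeout=30) as response:
        return json.load(response)


def list_all_jobs(site, fetch=http_fetch, page_size=MAX_PAGE_SIZE, first_page=0,
                  max_pages=1000, **filters):
    """Collect every job; a page shorter than page_size marks the end of the list.

    first_page=0 is an assumption about the numbering; max_pages bounds the loop
    in case the server keeps returning full pages.
    """
    jobs = []
    for page in range(first_page, first_page + max_pages):
        batch = fetch(build_url(site, page, page_size, **filters)).get("data") or []
        jobs.extend(batch)
        if len(batch) < page_size:
            return jobs
    raise RuntimeError(f"no short page after {max_pages} pages; stopping")


def summarize(jobs):
    """Count jobs per (creator handle, job status) to review who ran which jobs."""
    counts = Counter()
    for job in jobs:
        attrs = job.get("attributes") or {}
        key = (attrs.get("createdByHandle", "unknown"), attrs.get("jobStatus", "unknown"))
        counts[key] += 1
    return counts


# Constructed sample records shaped like the response model (not real API output).
SAMPLE_JOBS = [
    {"id": f"job-{i}", "type": "historicalDetectionsJob",
     "attributes": {"createdByHandle": handle, "jobStatus": status}}
    for i, (handle, status) in enumerate([
        ("alice@example.com", "status-a"), ("alice@example.com", "status-a"),
        ("bob@example.com", "status-a"), ("bob@example.com", "status-b"),
        ("alice@example.com", "status-b"),
    ])
]


def make_fake_fetch(all_jobs):
    """Constructed offline stand-in for the API: serves `all_jobs` page by page."""
    def fetch(url):
        query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
        size = int(query["page[size]"][0])
        number = int(query["page[number]"][0])
        return {"data": all_jobs[number * size:(number + 1) * size],
                "meta": {"totalCount": len(all_jobs)}}
    return fetch


if __name__ == "__main__":
    # Live run: needs DD_API_KEY and DD_APP_KEY; DD_SITE defaults to datadoghq.com.
    site = os.environ.get("DD_SITE", "datadoghq.com")
    for (handle, status), n in sorted(summarize(list_all_jobs(site)).items()):
        print(f"{handle}\t{status}\t{n}")
```

When the job count is an exact multiple of the page size, the loop issues one extra request and ends on the empty page.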

### Response

{% tab title="200" %}
OK
{% tab title="Model" %}
List of threat hunting jobs.

| Parent field             | Field                        | Type     | Description                                                                                                                                                                                                                                                        |
| ------------------------ | ---------------------------- | -------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
|                          | data                         | [object] | Array containing the list of threat hunting jobs.                                                                                                                                                                                                                  |
| data                     | attributes                   | object   | Threat hunting job attributes.                                                                                                                                                                                                                                     |
| attributes               | createdAt                    | string   | Time when the job was created.                                                                                                                                                                                                                                     |
| attributes               | createdByHandle              | string   | The handle of the user who created the job.                                                                                                                                                                                                                        |
| attributes               | createdByName                | string   | The name of the user who created the job.                                                                                                                                                                                                                          |
| attributes               | createdFromRuleId            | string   | ID of the rule used to create the job (if it is created from a rule).                                                                                                                                                                                              |
| attributes               | jobDefinition                | object   | Definition of a threat hunting job.                                                                                                                                                                                                                                |
| jobDefinition            | calculatedFields             | [object] | Calculated fields.                                                                                                                                                                                                                                                 |
| calculatedFields         | expression [*required*] | string   | Expression.                                                                                                                                                                                                                                                        |
| calculatedFields         | name [*required*]       | string   | Field name.                                                                                                                                                                                                                                                        |
| jobDefinition            | cases [*required*]      | [object] | Cases used for generating job results.                                                                                                                                                                                                                             |
| cases                    | actions                      | [object] | Action to perform for each rule case.                                                                                                                                                                                                                              |
| actions                  | options                      | object   | Options for the rule action                                                                                                                                                                                                                                        |
| options                  | duration                     | int64    | Duration of the action in seconds. 0 indicates no expiration.                                                                                                                                                                                                      |
| options                  | flaggedIPType                | enum     | Used with the case action of type 'flag_ip'. The value specified in this field is applied as a flag to the IP addresses. Allowed enum values: `SUSPICIOUS,FLAGGED`                                                                                                 |
| options                  | userBehaviorName             | string   | Used with the case action of type 'user_behavior'. The value specified in this field is applied as a risk tag to all users affected by the rule.                                                                                                                   |
| actions                  | type                         | enum     | The action type. Allowed enum values: `block_ip,block_user,user_behavior,flag_ip`                                                                                                                                                                                  |
| cases                    | condition                    | string   | A case contains logical operations (`>`,`>=`, `&&`, `\|\|`) to determine if a signal should be generated based on the event counts in the previously defined queries.                                                                                              |
| cases                    | name                         | string   | Name of the case.                                                                                                                                                                                                                                                  |
| cases                    | notifications                | [string] | Notification targets.                                                                                                                                                                                                                                              |
| cases                    | status [*required*]     | enum     | Severity of the Security Signal. Allowed enum values: `info,low,medium,high,critical`                                                                                                                                                                              |
| jobDefinition            | from [*required*]       | int64    | Starting time of data analyzed by the job.                                                                                                                                                                                                                         |
| jobDefinition            | groupSignalsBy               | [string] | Additional grouping to perform on top of the existing groups in the query section. Must be a subset of the existing groups.                                                                                                                                        |
| jobDefinition            | index [*required*]      | string   | Index used to load the data.                                                                                                                                                                                                                                       |
| jobDefinition            | message [*required*]    | string   | Message for generated results.                                                                                                                                                                                                                                     |
| jobDefinition            | name [*required*]       | string   | Job name.                                                                                                                                                                                                                                                          |
| jobDefinition            | options                      | object   | Job options.                                                                                                                                                                                                                                                       |
| options                  | anomalyDetectionOptions      | object   | Options on anomaly detection method.                                                                                                                                                                                                                               |
| anomalyDetectionOptions  | bucketDuration               | enum     | Duration in seconds of the time buckets used to aggregate events matched by the rule. Must be greater than or equal to 300. Allowed enum values: `300,600,900,1800,3600,10800`                                                                                     |
| anomalyDetectionOptions  | detectionTolerance           | enum     | An optional parameter that sets how permissive anomaly detection is. Higher values require higher deviations before triggering a signal. Allowed enum values: `1,2,3,4,5`                                                                                          |
| anomalyDetectionOptions  | instantaneousBaseline        | boolean  | When set to true, Datadog uses previous values that fall within the defined learning window to construct the baseline, enabling the system to establish an accurate baseline more rapidly rather than relying solely on gradual learning over time.                |
| anomalyDetectionOptions  | learningDuration             | enum     | Learning duration in hours. Anomaly detection waits for at least this amount of historical data before it starts evaluating. Allowed enum values: `1,6,12,24,48,168,336`                                                                                           |
| anomalyDetectionOptions  | learningPeriodBaseline       | int64    | An optional override baseline to apply while the rule is in the learning period. Must be greater than or equal to 0.                                                                                                                                               |
| options                  | detectionMethod              | enum     | The detection method. Allowed enum values: `threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold,sequence_detection`                                                                                                    |
| options                  | evaluationWindow             | enum     | A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600` |
| options                  | impossibleTravelOptions      | object   | Options on impossible travel detection method.                                                                                                                                                                                                                     |
| impossibleTravelOptions  | baselineUserLocations        | boolean  | If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.                                                      |
| options                  | keepAlive                    | enum     | Once a signal is generated, the signal will remain "open" if a case is matched at least once within this keep alive window. For third party detection method, this field is not used. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600`           |
| options                  | maxSignalDuration            | enum     | A signal will "close" regardless of the query being matched once the time exceeds the maximum duration. This time is calculated from the first seen timestamp. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600`                                  |
| options                  | newValueOptions              | object   | Options on new value detection method.                                                                                                                                                                                                                             |
| newValueOptions          | forgetAfter                  | enum     | The duration in days after which a learned value is forgotten. Allowed enum values: `1,2,7,14,21,28`                                                                                                                                                               |
| newValueOptions          | instantaneousBaseline        | boolean  | When set to true, Datadog uses previous values that fall within the defined learning window to construct the baseline, enabling the system to establish an accurate baseline more rapidly rather than relying solely on gradual learning over time.                |
| newValueOptions          | learningDuration             | enum     | The duration in days during which values are learned, and after which signals will be generated for values that weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned. Allowed enum values: `0,1,7`         |
| newValueOptions          | learningMethod               | enum     | The learning method used to determine when signals should be generated for values that weren't learned. Allowed enum values: `duration,threshold`                                                                                                                  |
| newValueOptions          | learningThreshold            | enum     | A number of occurrences after which signals will be generated for values that weren't learned. Allowed enum values: `0,1`                                                                                                                                          |
| options                  | sequenceDetectionOptions     | object   | Options on sequence detection method.                                                                                                                                                                                                                              |
| sequenceDetectionOptions | stepTransitions              | [object] | Transitions defining the allowed order of steps and their evaluation windows.                                                                                                                                                                                      |
| stepTransitions          | child                        | string   | Name of the child step.                                                                                                                                                                                                                                            |
| stepTransitions          | evaluationWindow             | enum     | A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600` |
| stepTransitions          | parent                       | string   | Name of the parent step.                                                                                                                                                                                                                                           |
| sequenceDetectionOptions | steps                        | [object] | Steps that define the conditions to be matched in sequence.                                                                                                                                                                                                        |
| steps                    | condition                    | string   | Condition referencing rule queries (e.g., `a > 0`).                                                                                                                                                                                                                |
| steps                    | evaluationWindow             | enum     | A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600` |
| steps                    | name                         | string   | Unique name identifying the step.                                                                                                                                                                                                                                  |
| options                  | thirdPartyRuleOptions        | object   | Options on third party detection method.                                                                                                                                                                                                                           |
| thirdPartyRuleOptions    | defaultNotifications         | [string] | Notification targets for the logs that do not correspond to any of the cases.                                                                                                                                                                                      |
| thirdPartyRuleOptions    | defaultStatus                | enum     | Severity of the Security Signal. Allowed enum values: `info,low,medium,high,critical`                                                                                                                                                                              |
| thirdPartyRuleOptions    | rootQueries                  | [object] | Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.                                                                                                        |
| rootQueries              | groupByFields                | [string] | Fields to group by.                                                                                                                                                                                                                                                |
| rootQueries              | query                        | string   | Query to run on logs.                                                                                                                                                                                                                                              |
| thirdPartyRuleOptions    | signalTitleTemplate          | string   | A template for the signal title; if omitted, the title is generated based on the case name.                                                                                                                                                                        |
| jobDefinition            | queries [*required*]    | [object] | Queries for selecting logs analyzed by the job.                                                                                                                                                                                                                    |
| queries                  | aggregation                  | enum     | The aggregation type. Allowed enum values: `count,cardinality,sum,max,new_value,geo_data,event_count,none`                                                                                                                                                         |
| queries                  | dataSource                   | enum     | Source of events, either logs, audit trail, or Datadog events. `app_sec_spans` is deprecated in favor of `spans`. Allowed enum values: `logs,audit,app_sec_spans,spans,security_runtime,network,events`                                                            |
| queries                  | distinctFields               | [string] | Field for which the cardinality is measured. Sent as an array.                                                                                                                                                                                                     |
| queries                  | groupByFields                | [string] | Fields to group by.                                                                                                                                                                                                                                                |
| queries                  | hasOptionalGroupByFields     | boolean  | When false, events without a group-by value are ignored by the query. When true, events with missing group-by fields are processed with `N/A`, replacing the missing values.                                                                                       |
| queries                  | metrics                      | [string] | Group of target fields to aggregate over when using the sum, max, geo data, or new value aggregations. The sum, max, and geo data aggregations only accept one value in this list, whereas the new value aggregation accepts up to five values.                    |
| queries                  | name                         | string   | Name of the query.                                                                                                                                                                                                                                                 |
| queries                  | query                        | string   | Query to run on logs.                                                                                                                                                                                                                                              |
| jobDefinition            | referenceTables              | [object] | Reference tables used in the queries.                                                                                                                                                                                                                              |
| referenceTables          | checkPresence                | boolean  | Whether to include or exclude the matched values.                                                                                                                                                                                                                  |
| referenceTables          | columnName                   | string   | The name of the column in the reference table.                                                                                                                                                                                                                     |
| referenceTables          | logFieldPath                 | string   | The field in the log to match against the reference table.                                                                                                                                                                                                         |
| referenceTables          | ruleQueryName                | string   | The name of the query to apply the reference table to.                                                                                                                                                                                                             |
| referenceTables          | tableName                    | string   | The name of the reference table.                                                                                                                                                                                                                                   |
| jobDefinition            | tags                         | [string] | Tags for generated signals.                                                                                                                                                                                                                                        |
| jobDefinition            | thirdPartyCases              | [object] | Cases for generating results from third-party detection method. Only available for third-party detection method.                                                                                                                                                   |
| thirdPartyCases          | name                         | string   | Name of the case.                                                                                                                                                                                                                                                  |
| thirdPartyCases          | notifications                | [string] | Notification targets for each case.                                                                                                                                                                                                                                |
| thirdPartyCases          | query                        | string   | A query to map a third party event to this case.                                                                                                                                                                                                                   |
| thirdPartyCases          | status [*required*]     | enum     | Severity of the Security Signal. Allowed enum values: `info,low,medium,high,critical`                                                                                                                                                                              |
| jobDefinition            | to [*required*]         | int64    | Ending time of data analyzed by the job.                                                                                                                                                                                                                           |
| jobDefinition            | type                         | string   | Job type.                                                                                                                                                                                                                                                          |
| attributes               | jobName                      | string   | Job name.                                                                                                                                                                                                                                                          |
| attributes               | jobStatus                    | string   | Job status.                                                                                                                                                                                                                                                        |
| attributes               | modifiedAt                   | string   | Last modification time of the job.                                                                                                                                                                                                                                 |
| attributes               | signalOutput                 | boolean  | Whether the job outputs signals.                                                                                                                                                                                                                                   |
| data                     | id                           | string   | ID of the job.                                                                                                                                                                                                                                                     |
| data                     | type                         | enum     | Type of payload. Allowed enum values: `historicalDetectionsJob`                                                                                                                                                                                                    |
|                          | meta                         | object   | Metadata about the list of jobs.                                                                                                                                                                                                                                   |
| meta                     | totalCount                   | int32    | Number of jobs in the list.                                                                                                                                                                                                                                        |

{% /tab %}

{% tab title="Example" %}

```json
{
  "data": [
    {
      "attributes": {
        "createdAt": "string",
        "createdByHandle": "string",
        "createdByName": "string",
        "createdFromRuleId": "string",
        "jobDefinition": {
          "calculatedFields": [
            {
              "expression": "@request_end_timestamp - @request_start_timestamp",
              "name": "response_time"
            }
          ],
          "cases": [
            {
              "actions": [
                {
                  "options": {
                    "duration": 0,
                    "flaggedIPType": "FLAGGED",
                    "userBehaviorName": "string"
                  },
                  "type": "string"
                }
              ],
              "condition": "string",
              "name": "string",
              "notifications": [],
              "status": "critical"
            }
          ],
          "from": 1729843470000,
          "groupSignalsBy": [
            "service"
          ],
          "index": "cloud_siem",
          "message": "A large number of failed login attempts.",
          "name": "Excessive number of failed attempts.",
          "options": {
            "anomalyDetectionOptions": {
              "bucketDuration": 300,
              "detectionTolerance": 5,
              "instantaneousBaseline": false,
              "learningDuration": "integer",
              "learningPeriodBaseline": "integer"
            },
            "detectionMethod": "string",
            "evaluationWindow": "integer",
            "impossibleTravelOptions": {
              "baselineUserLocations": true
            },
            "keepAlive": "integer",
            "maxSignalDuration": "integer",
            "newValueOptions": {
              "forgetAfter": "integer",
              "instantaneousBaseline": false,
              "learningDuration": "integer",
              "learningMethod": "string",
              "learningThreshold": "integer"
            },
            "sequenceDetectionOptions": {
              "stepTransitions": [
                {
                  "child": "string",
                  "evaluationWindow": "integer",
                  "parent": "string"
                }
              ],
              "steps": [
                {
                  "condition": "string",
                  "evaluationWindow": "integer",
                  "name": "string"
                }
              ]
            },
            "thirdPartyRuleOptions": {
              "defaultNotifications": [],
              "defaultStatus": "critical",
              "rootQueries": [
                {
                  "groupByFields": [],
                  "query": "source:cloudtrail"
                }
              ],
              "signalTitleTemplate": "string"
            }
          },
          "queries": [
            {
              "aggregation": "string",
              "dataSource": "logs",
              "distinctFields": [],
              "groupByFields": [],
              "hasOptionalGroupByFields": false,
              "metrics": [],
              "name": "string",
              "query": "a > 3"
            }
          ],
          "referenceTables": [
            {
              "checkPresence": false,
              "columnName": "string",
              "logFieldPath": "string",
              "ruleQueryName": "string",
              "tableName": "string"
            }
          ],
          "tags": [],
          "thirdPartyCases": [
            {
              "name": "string",
              "notifications": [],
              "query": "string",
              "status": "critical"
            }
          ],
          "to": 1729847070000,
          "type": "string"
        },
        "jobName": "string",
        "jobStatus": "string",
        "modifiedAt": "string",
        "signalOutput": false
      },
      "id": "string",
      "type": "string"
    }
  ],
  "meta": {
    "totalCount": "integer"
  }
}
```

{% /tab %}

{% /tab %}

{% tab title="400" %}
Bad Request
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="403" %}
Not Authorized
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="429" %}
Too many requests
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

### Code Example

```bash
# Curl command
# Replace api.datadoghq.com with the API host for your Datadog site:
# api.ap1.datadoghq.com, api.ap2.datadoghq.com, api.datadoghq.eu, api.ddog-gov.com,
# api.datadoghq.com, api.us3.datadoghq.com, or api.us5.datadoghq.com
curl -X GET "https://api.datadoghq.com/api/v2/siem-threat-hunting/jobs" \
-H "Accept: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"
```

```python
"""
List threat hunting jobs returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi

configuration = Configuration()
configuration.unstable_operations["list_threat_hunting_jobs"] = True
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.list_threat_hunting_jobs()

    print(response)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=python), then save the example to `example.py` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"

```ruby
# List threat hunting jobs returns "OK" response

require "datadog_api_client"
DatadogAPIClient.configure do |config|
  config.unstable_operations["v2.list_threat_hunting_jobs".to_sym] = true
end
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new
p api_instance.list_threat_hunting_jobs()
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=ruby), then save the example to `example.rb` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" ruby "example.rb"

```go
// List threat hunting jobs returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	configuration.SetUnstableOperationEnabled("v2.ListThreatHuntingJobs", true)
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.ListThreatHuntingJobs(ctx, *datadogV2.NewListThreatHuntingJobsOptionalParameters())

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.ListThreatHuntingJobs`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.ListThreatHuntingJobs`:\n%s\n", responseContent)
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=go), then save the example to `main.go` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"

```java
// List threat hunting jobs returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.ListThreatHuntingJobsResponse;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    defaultClient.setUnstableOperationEnabled("v2.listThreatHuntingJobs", true);
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    try {
      ListThreatHuntingJobsResponse result = apiInstance.listThreatHuntingJobs();
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println("Exception when calling SecurityMonitoringApi#listThreatHuntingJobs");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=java), then save the example to `Example.java` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"

```rust
// List threat hunting jobs returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::ListThreatHuntingJobsOptionalParams;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;

#[tokio::main]
async fn main() {
    let mut configuration = datadog::Configuration::new();
    configuration.set_unstable_operation_enabled("v2.ListThreatHuntingJobs", true);
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api
        .list_threat_hunting_jobs(ListThreatHuntingJobsOptionalParams::default())
        .await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=rust), then save the example to `src/main.rs` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run

```typescript
/**
 * List threat hunting jobs returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
configuration.unstableOperations["v2.listThreatHuntingJobs"] = true;
const apiInstance = new v2.SecurityMonitoringApi(configuration);

apiInstance
  .listThreatHuntingJobs()
  .then((data: v2.ListThreatHuntingJobsResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=typescript), then save the example to `example.ts` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"
{% /tab %}
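An added example, not part of Datadog's documentation or client libraries: a review pass over the JSON returned by the list endpoint above. It checks each job's `from`/`to` range and `cases` against the allowed enum values in the response model and reports `block_ip`/`block_user` actions whose `duration` is 0 (no expiration). The job IDs and the sample response are constructed, and reading `meta.totalCount` as the count across all pages is an assumption.

```python
"""Review a "List threat hunting jobs" response (added example, constructed data)."""

# Allowed values copied from the response model tables on this page.
CASE_STATUSES = {"info", "low", "medium", "high", "critical"}
ACTION_TYPES = {"block_ip", "block_user", "user_behavior", "flag_ip"}
FLAGGED_IP_TYPES = {"SUSPICIOUS", "FLAGGED"}
BLOCKING_ACTIONS = {"block_ip", "block_user"}


def audit_job(job):
    """Return a list of (job_id, check, detail) findings for one job object."""
    findings = []
    job_id = job.get("id", "<missing id>")
    definition = (job.get("attributes") or {}).get("jobDefinition") or {}

    def add(check, detail):
        findings.append((job_id, check, detail))

    # `from` and `to` are the required int64 bounds of the analyzed data.
    start, end = definition.get("from"), definition.get("to")
    if not isinstance(start, int) or not isinstance(end, int):
        add("time_range", "from/to missing or not integers")
    elif start >= end:
        add("time_range", f"from={start} is not before to={end}")

    cases = definition.get("cases") or []
    if not cases:
        add("cases", "required field 'cases' is missing or empty")
    for index, case in enumerate(cases):
        label = case.get("name") or f"cases[{index}]"
        if case.get("status") not in CASE_STATUSES:
            add("case_status", f"{label}: status {case.get('status')!r} not allowed")
        for action in case.get("actions") or []:
            kind = action.get("type")
            options = action.get("options") or {}
            if kind not in ACTION_TYPES:
                add("action_type", f"{label}: type {kind!r} not allowed")
            elif kind in BLOCKING_ACTIONS and options.get("duration") == 0:
                # The model states that a duration of 0 means no expiration.
                add("no_expiry_block", f"{label}: {kind} with duration 0")
            elif (kind == "flag_ip" and "flaggedIPType" in options
                  and options["flaggedIPType"] not in FLAGGED_IP_TYPES):
                add("flagged_ip_type",
                    f"{label}: flaggedIPType {options['flaggedIPType']!r} not allowed")
    return findings


def audit_response(response):
    """Audit every job in a list response and report whether the list is complete."""
    jobs = response.get("data") or []
    findings = [finding for job in jobs for finding in audit_job(job)]
    total = (response.get("meta") or {}).get("totalCount")
    # Assumption: totalCount counts every job, so a larger value means more pages.
    complete = isinstance(total, int) and total <= len(jobs)
    return {"listed": len(jobs), "total_count": total,
            "complete": complete, "findings": findings}


def make_job(job_id, cases, start=1729843470000, end=1729847070000):
    """Build a constructed job object in the shape of the example response."""
    return {
        "id": job_id,
        "type": "historicalDetectionsJob",
        "attributes": {
            "jobName": job_id,
            "signalOutput": False,
            "jobDefinition": {"from": start, "to": end, "cases": cases},
        },
    }


# Constructed sample: one clean job, one non-expiring block, one malformed job.
SAMPLE_RESPONSE = {
    "data": [
        make_job("job-clean", [{"name": "flag", "status": "high", "actions": [
            {"type": "flag_ip",
             "options": {"duration": 3600, "flaggedIPType": "FLAGGED"}}]}]),
        make_job("job-block", [{"name": "block", "status": "critical", "actions": [
            {"type": "block_ip", "options": {"duration": 0}}]}]),
        make_job("job-bad", [{"name": "", "status": "severe", "actions": [
            {"type": "quarantine", "options": {}}]}],
            start=1729847070000, end=1729843470000),
    ],
    "meta": {"totalCount": 5},
}

if __name__ == "__main__":
    report = audit_response(SAMPLE_RESPONSE)
    print(f"listed {report['listed']} of {report['total_count']} jobs, "
          f"complete={report['complete']}")
    for job_id, check, detail in report["findings"]:
        print(f"{job_id}\t{check}\t{detail}")
```

To run it against live data, pass the parsed JSON body of the list call to `audit_response` in place of `SAMPLE_RESPONSE`.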

## Get a job's details{% #get-a-jobs-details %}

{% tab title="v2" %}
**Note**: This endpoint is in beta and may be subject to changes. Please check the documentation regularly for updates.

| Datadog site      | API endpoint                                                               |
| ----------------- | -------------------------------------------------------------------------- |
| ap1.datadoghq.com | GET https://api.ap1.datadoghq.com/api/v2/siem-threat-hunting/jobs/{job_id} |
| ap2.datadoghq.com | GET https://api.ap2.datadoghq.com/api/v2/siem-threat-hunting/jobs/{job_id} |
| app.datadoghq.eu  | GET https://api.datadoghq.eu/api/v2/siem-threat-hunting/jobs/{job_id}      |
| app.ddog-gov.com  | GET https://api.ddog-gov.com/api/v2/siem-threat-hunting/jobs/{job_id}      |
| app.datadoghq.com | GET https://api.datadoghq.com/api/v2/siem-threat-hunting/jobs/{job_id}     |
| us3.datadoghq.com | GET https://api.us3.datadoghq.com/api/v2/siem-threat-hunting/jobs/{job_id} |
| us5.datadoghq.com | GET https://api.us5.datadoghq.com/api/v2/siem-threat-hunting/jobs/{job_id} |

### Overview

Get a job's details. This endpoint requires the `security_monitoring_rules_read` permission.

OAuth apps require the `security_monitoring_rules_read` authorization [scope](https://docs.datadoghq.com/api/latest/scopes/#security-monitoring) to access this endpoint.



### Arguments

#### Path Parameters

| Name                     | Type   | Description        |
| ------------------------ | ------ | ------------------ |
| job_id [*required*] | string | The ID of the job. |

### Response

{% tab title="200" %}
OK
{% tab title="Model" %}
Threat hunting job response.

| Parent field             | Field                        | Type     | Description                                                                                                                                                                                                                                                        |
| ------------------------ | ---------------------------- | -------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
|                          | data                         | object   | Threat hunting job response data.                                                                                                                                                                                                                                  |
| data                     | attributes                   | object   | Threat hunting job attributes.                                                                                                                                                                                                                                     |
| attributes               | createdAt                    | string   | Time when the job was created.                                                                                                                                                                                                                                     |
| attributes               | createdByHandle              | string   | The handle of the user who created the job.                                                                                                                                                                                                                        |
| attributes               | createdByName                | string   | The name of the user who created the job.                                                                                                                                                                                                                          |
| attributes               | createdFromRuleId            | string   | ID of the rule used to create the job (if it is created from a rule).                                                                                                                                                                                              |
| attributes               | jobDefinition                | object   | Definition of a threat hunting job.                                                                                                                                                                                                                                |
| jobDefinition            | calculatedFields             | [object] | Calculated fields.                                                                                                                                                                                                                                                 |
| calculatedFields         | expression [*required*] | string   | Expression.                                                                                                                                                                                                                                                        |
| calculatedFields         | name [*required*]       | string   | Field name.                                                                                                                                                                                                                                                        |
| jobDefinition            | cases [*required*]      | [object] | Cases used for generating job results.                                                                                                                                                                                                                             |
| cases                    | actions                      | [object] | Action to perform for each rule case.                                                                                                                                                                                                                              |
| actions                  | options                      | object   | Options for the rule action                                                                                                                                                                                                                                        |
| options                  | duration                     | int64    | Duration of the action in seconds. 0 indicates no expiration.                                                                                                                                                                                                      |
| options                  | flaggedIPType                | enum     | Used with the case action of type 'flag_ip'. The value specified in this field is applied as a flag to the IP addresses. Allowed enum values: `SUSPICIOUS,FLAGGED`                                                                                                 |
| options                  | userBehaviorName             | string   | Used with the case action of type 'user_behavior'. The value specified in this field is applied as a risk tag to all users affected by the rule.                                                                                                                   |
| actions                  | type                         | enum     | The action type. Allowed enum values: `block_ip,block_user,user_behavior,flag_ip`                                                                                                                                                                                  |
| cases                    | condition                    | string   | A case contains logical operations (`>`,`>=`, `&&`, `||`) to determine if a signal should be generated based on the event counts in the previously defined queries.                                                                                                |
| cases                    | name                         | string   | Name of the case.                                                                                                                                                                                                                                                  |
| cases                    | notifications                | [string] | Notification targets.                                                                                                                                                                                                                                              |
| cases                    | status [*required*]     | enum     | Severity of the Security Signal. Allowed enum values: `info,low,medium,high,critical`                                                                                                                                                                              |
| jobDefinition            | from [*required*]       | int64    | Starting time of data analyzed by the job.                                                                                                                                                                                                                         |
| jobDefinition            | groupSignalsBy               | [string] | Additional grouping to perform on top of the existing groups in the query section. Must be a subset of the existing groups.                                                                                                                                        |
| jobDefinition            | index [*required*]      | string   | Index used to load the data.                                                                                                                                                                                                                                       |
| jobDefinition            | message [*required*]    | string   | Message for generated results.                                                                                                                                                                                                                                     |
| jobDefinition            | name [*required*]       | string   | Job name.                                                                                                                                                                                                                                                          |
| jobDefinition            | options                      | object   | Job options.                                                                                                                                                                                                                                                       |
| options                  | anomalyDetectionOptions      | object   | Options on anomaly detection method.                                                                                                                                                                                                                               |
| anomalyDetectionOptions  | bucketDuration               | enum     | Duration in seconds of the time buckets used to aggregate events matched by the rule. Must be greater than or equal to 300. Allowed enum values: `300,600,900,1800,3600,10800`                                                                                     |
| anomalyDetectionOptions  | detectionTolerance           | enum     | An optional parameter that sets how permissive anomaly detection is. Higher values require higher deviations before triggering a signal. Allowed enum values: `1,2,3,4,5`                                                                                          |
| anomalyDetectionOptions  | instantaneousBaseline        | boolean  | When set to true, Datadog uses previous values that fall within the defined learning window to construct the baseline, enabling the system to establish an accurate baseline more rapidly rather than relying solely on gradual learning over time.                |
| anomalyDetectionOptions  | learningDuration             | enum     | Learning duration in hours. Anomaly detection waits for at least this amount of historical data before it starts evaluating. Allowed enum values: `1,6,12,24,48,168,336`                                                                                           |
| anomalyDetectionOptions  | learningPeriodBaseline       | int64    | An optional override baseline to apply while the rule is in the learning period. Must be greater than or equal to 0.                                                                                                                                               |
| options                  | detectionMethod              | enum     | The detection method. Allowed enum values: `threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold,sequence_detection`                                                                                                    |
| options                  | evaluationWindow             | enum     | A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600` |
| options                  | impossibleTravelOptions      | object   | Options on impossible travel detection method.                                                                                                                                                                                                                     |
| impossibleTravelOptions  | baselineUserLocations        | boolean  | If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.                                                      |
| options                  | keepAlive                    | enum     | Once a signal is generated, the signal will remain "open" if a case is matched at least once within this keep alive window. For third party detection method, this field is not used. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600`           |
| options                  | maxSignalDuration            | enum     | A signal will "close" regardless of the query being matched once the time exceeds the maximum duration. This time is calculated from the first seen timestamp. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600`                                  |
| options                  | newValueOptions              | object   | Options on new value detection method.                                                                                                                                                                                                                             |
| newValueOptions          | forgetAfter                  | enum     | The duration in days after which a learned value is forgotten. Allowed enum values: `1,2,7,14,21,28`                                                                                                                                                               |
| newValueOptions          | instantaneousBaseline        | boolean  | When set to true, Datadog uses previous values that fall within the defined learning window to construct the baseline, enabling the system to establish an accurate baseline more rapidly rather than relying solely on gradual learning over time.                |
| newValueOptions          | learningDuration             | enum     | The duration in days during which values are learned, and after which signals will be generated for values that weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned. Allowed enum values: `0,1,7`         |
| newValueOptions          | learningMethod               | enum     | The learning method used to determine when signals should be generated for values that weren't learned. Allowed enum values: `duration,threshold`                                                                                                                  |
| newValueOptions          | learningThreshold            | enum     | A number of occurrences after which signals will be generated for values that weren't learned. Allowed enum values: `0,1`                                                                                                                                          |
| options                  | sequenceDetectionOptions     | object   | Options on sequence detection method.                                                                                                                                                                                                                              |
| sequenceDetectionOptions | stepTransitions              | [object] | Transitions defining the allowed order of steps and their evaluation windows.                                                                                                                                                                                      |
| stepTransitions          | child                        | string   | Name of the child step.                                                                                                                                                                                                                                            |
| stepTransitions          | evaluationWindow             | enum     | A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600` |
| stepTransitions          | parent                       | string   | Name of the parent step.                                                                                                                                                                                                                                           |
| sequenceDetectionOptions | steps                        | [object] | Steps that define the conditions to be matched in sequence.                                                                                                                                                                                                        |
| steps                    | condition                    | string   | Condition referencing rule queries (e.g., `a > 0`).                                                                                                                                                                                                                |
| steps                    | evaluationWindow             | enum     | A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600` |
| steps                    | name                         | string   | Unique name identifying the step.                                                                                                                                                                                                                                  |
| options                  | thirdPartyRuleOptions        | object   | Options on third party detection method.                                                                                                                                                                                                                           |
| thirdPartyRuleOptions    | defaultNotifications         | [string] | Notification targets for the logs that do not correspond to any of the cases.                                                                                                                                                                                      |
| thirdPartyRuleOptions    | defaultStatus                | enum     | Severity of the Security Signal. Allowed enum values: `info,low,medium,high,critical`                                                                                                                                                                              |
| thirdPartyRuleOptions    | rootQueries                  | [object] | Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.                                                                                                        |
| rootQueries              | groupByFields                | [string] | Fields to group by.                                                                                                                                                                                                                                                |
| rootQueries              | query                        | string   | Query to run on logs.                                                                                                                                                                                                                                              |
| thirdPartyRuleOptions    | signalTitleTemplate          | string   | A template for the signal title; if omitted, the title is generated based on the case name.                                                                                                                                                                        |
| jobDefinition            | queries [*required*]    | [object] | Queries for selecting logs analyzed by the job.                                                                                                                                                                                                                    |
| queries                  | aggregation                  | enum     | The aggregation type. Allowed enum values: `count,cardinality,sum,max,new_value,geo_data,event_count,none`                                                                                                                                                         |
| queries                  | dataSource                   | enum     | Source of events, either logs, audit trail, or Datadog events. `app_sec_spans` is deprecated in favor of `spans`. Allowed enum values: `logs,audit,app_sec_spans,spans,security_runtime,network,events`                                                            |
| queries                  | distinctFields               | [string] | Field for which the cardinality is measured. Sent as an array.                                                                                                                                                                                                     |
| queries                  | groupByFields                | [string] | Fields to group by.                                                                                                                                                                                                                                                |
| queries                  | hasOptionalGroupByFields     | boolean  | When false, events without a group-by value are ignored by the query. When true, events with missing group-by fields are processed with `N/A`, replacing the missing values.                                                                                       |
| queries                  | metrics                      | [string] | Group of target fields to aggregate over when using the sum, max, geo data, or new value aggregations. The sum, max, and geo data aggregations only accept one value in this list, whereas the new value aggregation accepts up to five values.                    |
| queries                  | name                         | string   | Name of the query.                                                                                                                                                                                                                                                 |
| queries                  | query                        | string   | Query to run on logs.                                                                                                                                                                                                                                              |
| jobDefinition            | referenceTables              | [object] | Reference tables used in the queries.                                                                                                                                                                                                                              |
| referenceTables          | checkPresence                | boolean  | Whether to include or exclude the matched values.                                                                                                                                                                                                                  |
| referenceTables          | columnName                   | string   | The name of the column in the reference table.                                                                                                                                                                                                                     |
| referenceTables          | logFieldPath                 | string   | The field in the log to match against the reference table.                                                                                                                                                                                                         |
| referenceTables          | ruleQueryName                | string   | The name of the query to apply the reference table to.                                                                                                                                                                                                             |
| referenceTables          | tableName                    | string   | The name of the reference table.                                                                                                                                                                                                                                   |
| jobDefinition            | tags                         | [string] | Tags for generated signals.                                                                                                                                                                                                                                        |
| jobDefinition            | thirdPartyCases              | [object] | Cases for generating results from third-party detection method. Only available for third-party detection method.                                                                                                                                                   |
| thirdPartyCases          | name                         | string   | Name of the case.                                                                                                                                                                                                                                                  |
| thirdPartyCases          | notifications                | [string] | Notification targets for each case.                                                                                                                                                                                                                                |
| thirdPartyCases          | query                        | string   | A query to map a third party event to this case.                                                                                                                                                                                                                   |
| thirdPartyCases          | status [*required*]     | enum     | Severity of the Security Signal. Allowed enum values: `info,low,medium,high,critical`                                                                                                                                                                              |
| jobDefinition            | to [*required*]         | int64    | Ending time of data analyzed by the job.                                                                                                                                                                                                                           |
| jobDefinition            | type                         | string   | Job type.                                                                                                                                                                                                                                                          |
| attributes               | jobName                      | string   | Job name.                                                                                                                                                                                                                                                          |
| attributes               | jobStatus                    | string   | Job status.                                                                                                                                                                                                                                                        |
| attributes               | modifiedAt                   | string   | Last modification time of the job.                                                                                                                                                                                                                                 |
| attributes               | signalOutput                 | boolean  | Whether the job outputs signals.                                                                                                                                                                                                                                   |
| data                     | id                           | string   | ID of the job.                                                                                                                                                                                                                                                     |
| data                     | type                         | enum     | Type of payload. Allowed enum values: `historicalDetectionsJob`                                                                                                                                                                                                    |

{% /tab %}

{% tab title="Example" %}

```json
{
  "data": {
    "attributes": {
      "createdAt": "string",
      "createdByHandle": "string",
      "createdByName": "string",
      "createdFromRuleId": "string",
      "jobDefinition": {
        "calculatedFields": [
          {
            "expression": "@request_end_timestamp - @request_start_timestamp",
            "name": "response_time"
          }
        ],
        "cases": [
          {
            "actions": [
              {
                "options": {
                  "duration": 0,
                  "flaggedIPType": "FLAGGED",
                  "userBehaviorName": "string"
                },
                "type": "string"
              }
            ],
            "condition": "string",
            "name": "string",
            "notifications": [],
            "status": "critical"
          }
        ],
        "from": 1729843470000,
        "groupSignalsBy": [
          "service"
        ],
        "index": "cloud_siem",
        "message": "A large number of failed login attempts.",
        "name": "Excessive number of failed attempts.",
        "options": {
          "anomalyDetectionOptions": {
            "bucketDuration": 300,
            "detectionTolerance": 5,
            "instantaneousBaseline": false,
            "learningDuration": "integer",
            "learningPeriodBaseline": "integer"
          },
          "detectionMethod": "string",
          "evaluationWindow": "integer",
          "impossibleTravelOptions": {
            "baselineUserLocations": true
          },
          "keepAlive": "integer",
          "maxSignalDuration": "integer",
          "newValueOptions": {
            "forgetAfter": "integer",
            "instantaneousBaseline": false,
            "learningDuration": "integer",
            "learningMethod": "string",
            "learningThreshold": "integer"
          },
          "sequenceDetectionOptions": {
            "stepTransitions": [
              {
                "child": "string",
                "evaluationWindow": "integer",
                "parent": "string"
              }
            ],
            "steps": [
              {
                "condition": "string",
                "evaluationWindow": "integer",
                "name": "string"
              }
            ]
          },
          "thirdPartyRuleOptions": {
            "defaultNotifications": [],
            "defaultStatus": "critical",
            "rootQueries": [
              {
                "groupByFields": [],
                "query": "source:cloudtrail"
              }
            ],
            "signalTitleTemplate": "string"
          }
        },
        "queries": [
          {
            "aggregation": "string",
            "dataSource": "logs",
            "distinctFields": [],
            "groupByFields": [],
            "hasOptionalGroupByFields": false,
            "metrics": [],
            "name": "string",
            "query": "a > 3"
          }
        ],
        "referenceTables": [
          {
            "checkPresence": false,
            "columnName": "string",
            "logFieldPath": "string",
            "ruleQueryName": "string",
            "tableName": "string"
          }
        ],
        "tags": [],
        "thirdPartyCases": [
          {
            "name": "string",
            "notifications": [],
            "query": "string",
            "status": "critical"
          }
        ],
        "to": 1729847070000,
        "type": "string"
      },
      "jobName": "string",
      "jobStatus": "string",
      "modifiedAt": "string",
      "signalOutput": false
    },
    "id": "string",
    "type": "string"
  }
}
```

{% /tab %}

{% /tab %}

{% tab title="400" %}
Bad Request
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="403" %}
Not Authorized
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="404" %}
Not Found
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="429" %}
Too many requests
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

### Code Example

##### Curl

```bash
# Path parameters
export job_id="CHANGE_ME"
# Curl command (replace api.datadoghq.com with the API host for your Datadog site)
curl -X GET "https://api.datadoghq.com/api/v2/siem-threat-hunting/jobs/${job_id}" \
-H "Accept: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"
```

##### Python

```python
"""
Get a job's details returns "OK" response
"""

from os import environ
from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi

# there is a valid "threat_hunting_job" in the system
THREAT_HUNTING_JOB_DATA_ID = environ["THREAT_HUNTING_JOB_DATA_ID"]

configuration = Configuration()
configuration.unstable_operations["get_threat_hunting_job"] = True
configuration.unstable_operations["run_threat_hunting_job"] = True
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.get_threat_hunting_job(
        job_id=THREAT_HUNTING_JOB_DATA_ID,
    )

    print(response)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=python) and then save the example to `example.py` and run the following command, with `DD_SITE` set to your Datadog site:

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"

##### Ruby

```ruby
# Get a job's details returns "OK" response

require "datadog_api_client"
DatadogAPIClient.configure do |config|
  config.unstable_operations["v2.get_threat_hunting_job".to_sym] = true
  config.unstable_operations["v2.run_threat_hunting_job".to_sym] = true
end
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

# there is a valid "threat_hunting_job" in the system
THREAT_HUNTING_JOB_DATA_ID = ENV["THREAT_HUNTING_JOB_DATA_ID"]
p api_instance.get_threat_hunting_job(THREAT_HUNTING_JOB_DATA_ID)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=ruby) and then save the example to `example.rb` and run the following command, with `DD_SITE` set to your Datadog site:

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" ruby "example.rb"

##### Go

```go
// Get a job's details returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	// there is a valid "threat_hunting_job" in the system
	ThreatHuntingJobDataID := os.Getenv("THREAT_HUNTING_JOB_DATA_ID")

	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	configuration.SetUnstableOperationEnabled("v2.GetThreatHuntingJob", true)
	configuration.SetUnstableOperationEnabled("v2.RunThreatHuntingJob", true)
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.GetThreatHuntingJob(ctx, ThreatHuntingJobDataID)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.GetThreatHuntingJob`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.GetThreatHuntingJob`:\n%s\n", responseContent)
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=go) and then save the example to `main.go` and run the following command, with `DD_SITE` set to your Datadog site:

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"

##### Java

```java
// Get a job's details returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.ThreatHuntingJobResponse;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    defaultClient.setUnstableOperationEnabled("v2.getThreatHuntingJob", true);
    defaultClient.setUnstableOperationEnabled("v2.runThreatHuntingJob", true);
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    // there is a valid "threat_hunting_job" in the system
    String THREAT_HUNTING_JOB_DATA_ID = System.getenv("THREAT_HUNTING_JOB_DATA_ID");

    try {
      ThreatHuntingJobResponse result = apiInstance.getThreatHuntingJob(THREAT_HUNTING_JOB_DATA_ID);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println("Exception when calling SecurityMonitoringApi#getThreatHuntingJob");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=java) and then save the example to `Example.java` and run the following command, with `DD_SITE` set to your Datadog site:

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"

##### Rust

```rust
// Get a job's details returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;

#[tokio::main]
async fn main() {
    // there is a valid "threat_hunting_job" in the system
    let threat_hunting_job_data_id = std::env::var("THREAT_HUNTING_JOB_DATA_ID").unwrap();
    let mut configuration = datadog::Configuration::new();
    configuration.set_unstable_operation_enabled("v2.GetThreatHuntingJob", true);
    configuration.set_unstable_operation_enabled("v2.RunThreatHuntingJob", true);
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api
        .get_threat_hunting_job(threat_hunting_job_data_id.clone())
        .await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=rust) and then save the example to `src/main.rs` and run the following command, with `DD_SITE` set to your Datadog site:

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run

##### Typescript

```typescript
/**
 * Get a job's details returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
configuration.unstableOperations["v2.getThreatHuntingJob"] = true;
configuration.unstableOperations["v2.runThreatHuntingJob"] = true;
const apiInstance = new v2.SecurityMonitoringApi(configuration);

// there is a valid "threat_hunting_job" in the system
const THREAT_HUNTING_JOB_DATA_ID = process.env
  .THREAT_HUNTING_JOB_DATA_ID as string;

const params: v2.SecurityMonitoringApiGetThreatHuntingJobRequest = {
  jobId: THREAT_HUNTING_JOB_DATA_ID,
};

apiInstance
  .getThreatHuntingJob(params)
  .then((data: v2.ThreatHuntingJobResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=typescript) and then save the example to `example.ts` and run the following command, with `DD_SITE` set to your Datadog site:

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"

{% /tab %}
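
The enum and cardinality constraints listed in the `jobDefinition` model above can be checked client-side before a definition is reused or submitted. The following Python check is an added example, not part of the Datadog client library; `validate_job_definition`, the constructed sample payload, and the rule that `parent`/`child` must name a defined step are assumptions made for illustration.

```python
"""Check a jobDefinition dict against constraints stated in the model table."""

EVALUATION_WINDOWS = {0, 60, 300, 600, 900, 1800, 3600, 7200, 10800, 21600}
STATUSES = {"info", "low", "medium", "high", "critical"}
AGGREGATIONS = {"count", "cardinality", "sum", "max", "new_value",
                "geo_data", "event_count", "none"}
DATA_SOURCES = {"logs", "audit", "app_sec_spans", "spans",
                "security_runtime", "network", "events"}
NEW_VALUE_ENUMS = {
    "forgetAfter": {1, 2, 7, 14, 21, 28},
    "learningDuration": {0, 1, 7},
    "learningMethod": {"duration", "threshold"},
    "learningThreshold": {0, 1},
}
# Maximum length of `metrics` per aggregation, as stated in the table.
METRIC_LIMITS = {"sum": 1, "max": 1, "geo_data": 1, "new_value": 5}


def check_enum(errors, path, value, allowed):
    """Record an error when a present value is outside its allowed enum."""
    if value is not None and value not in allowed:
        errors.append(f"{path}: {value!r} is not an allowed value")


def validate_job_definition(job):
    """Return a list of constraint violations; an empty list means none found."""
    errors = []
    for field in ("queries", "to"):  # marked [*required*] in the table
        if field not in job:
            errors.append(f"{field}: required field is missing")

    for i, query in enumerate(job.get("queries", [])):
        path = f"queries[{i}]"
        aggregation = query.get("aggregation")
        check_enum(errors, f"{path}.aggregation", aggregation, AGGREGATIONS)
        check_enum(errors, f"{path}.dataSource", query.get("dataSource"), DATA_SOURCES)
        limit = METRIC_LIMITS.get(aggregation)
        if limit is not None and len(query.get("metrics", [])) > limit:
            errors.append(f"{path}.metrics: {aggregation} accepts at most {limit} value(s)")

    for i, case in enumerate(job.get("thirdPartyCases", [])):
        path = f"thirdPartyCases[{i}].status"
        if "status" not in case:
            errors.append(f"{path}: required field is missing")
        check_enum(errors, path, case.get("status"), STATUSES)

    options = job.get("options", {})
    for name, allowed in NEW_VALUE_ENUMS.items():
        value = options.get("newValueOptions", {}).get(name)
        check_enum(errors, f"options.newValueOptions.{name}", value, allowed)
    check_enum(errors, "options.thirdPartyRuleOptions.defaultStatus",
               options.get("thirdPartyRuleOptions", {}).get("defaultStatus"), STATUSES)

    sequence = options.get("sequenceDetectionOptions", {})
    base = "options.sequenceDetectionOptions"
    step_names = set()
    for i, step in enumerate(sequence.get("steps", [])):
        path = f"{base}.steps[{i}]"
        check_enum(errors, f"{path}.evaluationWindow",
                   step.get("evaluationWindow"), EVALUATION_WINDOWS)
        if step.get("name") in step_names:  # step names must be unique
            errors.append(f"{path}.name: {step.get('name')!r} is not unique")
        step_names.add(step.get("name"))
    for i, transition in enumerate(sequence.get("stepTransitions", [])):
        path = f"{base}.stepTransitions[{i}]"
        check_enum(errors, f"{path}.evaluationWindow",
                   transition.get("evaluationWindow"), EVALUATION_WINDOWS)
        for end in ("parent", "child"):
            # Assumption: parent/child must name a step defined in `steps`.
            if transition.get(end) not in step_names:
                errors.append(f"{path}.{end}: {transition.get(end)!r} is not a defined step")
    return errors


# Constructed sample payload with five deliberate violations.
SAMPLE_JOB = {
    "queries": [
        {"name": "a", "dataSource": "logs", "aggregation": "count",
         "query": "source:cloudtrail"},
        {"name": "b", "dataSource": "logs", "aggregation": "sum",
         "metrics": ["@bytes", "@duration"]},
    ],
    "to": 1729847070000,
    "options": {
        "newValueOptions": {"forgetAfter": 30, "learningMethod": "duration"},
        "sequenceDetectionOptions": {
            "steps": [
                {"name": "step_a", "condition": "a > 0", "evaluationWindow": 300},
                {"name": "step_b", "condition": "b > 0", "evaluationWindow": 120},
            ],
            "stepTransitions": [
                {"parent": "step_a", "child": "step_c", "evaluationWindow": 900},
            ],
        },
    },
    "thirdPartyCases": [{"name": "c1", "status": "severe"}],
}

if __name__ == "__main__":
    for problem in validate_job_definition(SAMPLE_JOB):
        print(problem)
```
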

## Delete an existing job{% #delete-an-existing-job %}

{% tab title="v2" %}
**Note**: This endpoint is in beta and may be subject to changes. Please check the documentation regularly for updates.

| Datadog site      | API endpoint                                                                  |
| ----------------- | ----------------------------------------------------------------------------- |
| ap1.datadoghq.com | DELETE https://api.ap1.datadoghq.com/api/v2/siem-threat-hunting/jobs/{job_id} |
| ap2.datadoghq.com | DELETE https://api.ap2.datadoghq.com/api/v2/siem-threat-hunting/jobs/{job_id} |
| app.datadoghq.eu  | DELETE https://api.datadoghq.eu/api/v2/siem-threat-hunting/jobs/{job_id}      |
| app.ddog-gov.com  | DELETE https://api.ddog-gov.com/api/v2/siem-threat-hunting/jobs/{job_id}      |
| app.datadoghq.com | DELETE https://api.datadoghq.com/api/v2/siem-threat-hunting/jobs/{job_id}     |
| us3.datadoghq.com | DELETE https://api.us3.datadoghq.com/api/v2/siem-threat-hunting/jobs/{job_id} |
| us5.datadoghq.com | DELETE https://api.us5.datadoghq.com/api/v2/siem-threat-hunting/jobs/{job_id} |

### Overview

Delete an existing job.

### Arguments

#### Path Parameters

| Name                     | Type   | Description        |
| ------------------------ | ------ | ------------------ |
| job_id [*required*] | string | The ID of the job. |

### Response

{% tab title="204" %}
OK
{% /tab %}

{% tab title="400" %}
Bad Request
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="401" %}
Concurrent Modification
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="403" %}
Not Authorized
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="404" %}
Not Found
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="409" %}
Conflict
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="429" %}
Too many requests
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

### Code Example

##### Curl

```bash
# Path parameters
export job_id="CHANGE_ME"
# Curl command (replace api.datadoghq.com with the API host for your Datadog site)
curl -X DELETE "https://api.datadoghq.com/api/v2/siem-threat-hunting/jobs/${job_id}" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"
```

##### Python

```python
"""
Delete an existing job returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi

configuration = Configuration()
configuration.unstable_operations["delete_threat_hunting_job"] = True
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    api_instance.delete_threat_hunting_job(
        job_id="job_id",
    )
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=python), then save the example to `example.py` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
```

##### Ruby

```ruby
# Delete an existing job returns "OK" response

require "datadog_api_client"
DatadogAPIClient.configure do |config|
  config.unstable_operations["v2.delete_threat_hunting_job".to_sym] = true
end
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new
api_instance.delete_threat_hunting_job("job_id")
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=ruby), then save the example to `example.rb` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" ruby "example.rb"
```

##### Go

```go
// Delete an existing job returns "OK" response

package main

import (
	"context"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	configuration.SetUnstableOperationEnabled("v2.DeleteThreatHuntingJob", true)
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	r, err := api.DeleteThreatHuntingJob(ctx, "job_id")

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.DeleteThreatHuntingJob`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=go), then save the example to `main.go` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
```

##### Java

```java
// Delete an existing job returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    defaultClient.setUnstableOperationEnabled("v2.deleteThreatHuntingJob", true);
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    try {
      apiInstance.deleteThreatHuntingJob("job_id");
    } catch (ApiException e) {
      System.err.println("Exception when calling SecurityMonitoringApi#deleteThreatHuntingJob");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=java), then save the example to `Example.java` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"
```

##### Rust

```rust
// Delete an existing job returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;

#[tokio::main]
async fn main() {
    let mut configuration = datadog::Configuration::new();
    configuration.set_unstable_operation_enabled("v2.DeleteThreatHuntingJob", true);
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api.delete_threat_hunting_job("job_id".to_string()).await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=rust), then save the example to `src/main.rs` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run
```

##### Typescript

```typescript
/**
 * Delete an existing job returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
configuration.unstableOperations["v2.deleteThreatHuntingJob"] = true;
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiDeleteThreatHuntingJobRequest = {
  jobId: "job_id",
};

apiInstance
  .deleteThreatHuntingJob(params)
  .then((data: any) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=typescript), then save the example to `example.ts` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"
```
{% /tab %}

## Cancel a threat hunting job{% #cancel-a-threat-hunting-job %}

{% tab title="v2" %}
**Note**: This endpoint is in beta and may be subject to changes. Please check the documentation regularly for updates.

| Datadog site      | API endpoint                                                                        |
| ----------------- | ----------------------------------------------------------------------------------- |
| ap1.datadoghq.com | PATCH https://api.ap1.datadoghq.com/api/v2/siem-threat-hunting/jobs/{job_id}/cancel |
| ap2.datadoghq.com | PATCH https://api.ap2.datadoghq.com/api/v2/siem-threat-hunting/jobs/{job_id}/cancel |
| app.datadoghq.eu  | PATCH https://api.datadoghq.eu/api/v2/siem-threat-hunting/jobs/{job_id}/cancel      |
| app.ddog-gov.com  | PATCH https://api.ddog-gov.com/api/v2/siem-threat-hunting/jobs/{job_id}/cancel      |
| app.datadoghq.com | PATCH https://api.datadoghq.com/api/v2/siem-threat-hunting/jobs/{job_id}/cancel     |
| us3.datadoghq.com | PATCH https://api.us3.datadoghq.com/api/v2/siem-threat-hunting/jobs/{job_id}/cancel |
| us5.datadoghq.com | PATCH https://api.us5.datadoghq.com/api/v2/siem-threat-hunting/jobs/{job_id}/cancel |

### Overview

Cancel a threat hunting job. This endpoint requires the `security_monitoring_rules_write` permission.

OAuth apps require the `security_monitoring_rules_write` authorization [scope](https://docs.datadoghq.com/api/latest/scopes/#security-monitoring) to access this endpoint.



### Arguments

#### Path Parameters

| Name                     | Type   | Description        |
| ------------------------ | ------ | ------------------ |
| job_id [*required*] | string | The ID of the job. |

### Response

{% tab title="204" %}
OK
{% /tab %}

{% tab title="400" %}
Bad Request
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="401" %}
Concurrent Modification
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="403" %}
Not Authorized
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="404" %}
Not Found
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="409" %}
Conflict
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="429" %}
Too many requests
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}
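The following Python is an added example, not part of Datadog's documentation or client libraries. It builds the cancel URL from the site table above with the job ID percent-encoded as a single path segment, then interprets a response using the status codes and error model listed in the Response section. The function names, the rejection of `.` and `..` as IDs, and treating only 429 as retryable are assumptions of this example.

```python
import json
from urllib.parse import quote

# Datadog site -> API host, copied from the endpoint table above.
API_HOSTS = {
    "ap1.datadoghq.com": "api.ap1.datadoghq.com",
    "ap2.datadoghq.com": "api.ap2.datadoghq.com",
    "app.datadoghq.eu": "api.datadoghq.eu",
    "app.ddog-gov.com": "api.ddog-gov.com",
    "app.datadoghq.com": "api.datadoghq.com",
    "us3.datadoghq.com": "api.us3.datadoghq.com",
    "us5.datadoghq.com": "api.us5.datadoghq.com",
}

# Status descriptions exactly as the Response section above lists them.
STATUS_TEXT = {
    204: "OK",
    400: "Bad Request",
    401: "Concurrent Modification",
    403: "Not Authorized",
    404: "Not Found",
    409: "Conflict",
    429: "Too many requests",
}


def cancel_url(site, job_id):
    """Build the PATCH URL for cancelling a job on the given Datadog site."""
    if site not in API_HOSTS:
        raise ValueError(f"unknown Datadog site: {site!r}")
    if not isinstance(job_id, str) or job_id in ("", ".", ".."):
        raise ValueError("job_id must be a non-empty ID, not a dot segment")
    # safe="" also encodes "/", "?" and "#", so a job ID taken from untrusted
    # input cannot add path segments or a query string to the request.
    segment = quote(job_id, safe="")
    return f"https://{API_HOSTS[site]}/api/v2/siem-threat-hunting/jobs/{segment}/cancel"


def parse_errors(body):
    """Return the `errors` strings from an API error response, or [] if malformed."""
    try:
        doc = json.loads(body)
    except (TypeError, ValueError):
        return []
    errors = doc.get("errors") if isinstance(doc, dict) else None
    if not isinstance(errors, list):
        return []
    return [e for e in errors if isinstance(e, str)]


def interpret_cancel_response(status, body=""):
    """Summarise a cancel response: success, retry hint, description, error list."""
    return {
        "ok": status == 204,
        "retry": status == 429,  # example policy: back off and retry only on 429
        "status_text": STATUS_TEXT.get(status, "undocumented status"),
        "errors": [] if status == 204 else parse_errors(body),
    }


if __name__ == "__main__":
    # Constructed inputs; no request is sent.
    print(cancel_url("app.datadoghq.com", "constructed-job-id"))
    print(interpret_cancel_response(429, '{"errors": ["Bad Request"]}'))
```
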

### Code Example

##### Curl

```bash
# Path parameters
export job_id="CHANGE_ME"
# Curl command. Use the API host for your Datadog site: api.ap1.datadoghq.com, api.ap2.datadoghq.com,
# api.datadoghq.eu, api.ddog-gov.com, api.datadoghq.com, api.us3.datadoghq.com, or api.us5.datadoghq.com
curl -X PATCH "https://api.datadoghq.com/api/v2/siem-threat-hunting/jobs/${job_id}/cancel" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"
```

##### Python

```python
"""
Cancel a threat hunting job returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi

configuration = Configuration()
configuration.unstable_operations["cancel_threat_hunting_job"] = True
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    api_instance.cancel_threat_hunting_job(
        job_id="job_id",
    )
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=python), then save the example to `example.py` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
```

##### Ruby

```ruby
# Cancel a threat hunting job returns "OK" response

require "datadog_api_client"
DatadogAPIClient.configure do |config|
  config.unstable_operations["v2.cancel_threat_hunting_job".to_sym] = true
end
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new
api_instance.cancel_threat_hunting_job("job_id")
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=ruby), then save the example to `example.rb` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" ruby "example.rb"
```

##### Go

```go
// Cancel a threat hunting job returns "OK" response

package main

import (
	"context"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	configuration.SetUnstableOperationEnabled("v2.CancelThreatHuntingJob", true)
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	r, err := api.CancelThreatHuntingJob(ctx, "job_id")

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.CancelThreatHuntingJob`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=go), then save the example to `main.go` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
```

##### Java

```java
// Cancel a threat hunting job returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    defaultClient.setUnstableOperationEnabled("v2.cancelThreatHuntingJob", true);
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    try {
      apiInstance.cancelThreatHuntingJob("job_id");
    } catch (ApiException e) {
      System.err.println("Exception when calling SecurityMonitoringApi#cancelThreatHuntingJob");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=java), then save the example to `Example.java` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"
```

##### Rust

```rust
// Cancel a threat hunting job returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;

#[tokio::main]
async fn main() {
    let mut configuration = datadog::Configuration::new();
    configuration.set_unstable_operation_enabled("v2.CancelThreatHuntingJob", true);
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api.cancel_threat_hunting_job("job_id".to_string()).await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=rust), then save the example to `src/main.rs` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run
```

##### Typescript

```typescript
/**
 * Cancel a threat hunting job returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
configuration.unstableOperations["v2.cancelThreatHuntingJob"] = true;
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiCancelThreatHuntingJobRequest = {
  jobId: "job_id",
};

apiInstance
  .cancelThreatHuntingJob(params)
  .then((data: any) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=typescript), then save the example to `example.ts` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"
```
{% /tab %}

## Convert a job result to a signal{% #convert-a-job-result-to-a-signal %}

{% tab title="v2" %}
**Note**: This endpoint is in beta and may be subject to changes. Please check the documentation regularly for updates.

| Datadog site      | API endpoint                                                                      |
| ----------------- | --------------------------------------------------------------------------------- |
| ap1.datadoghq.com | POST https://api.ap1.datadoghq.com/api/v2/siem-threat-hunting/jobs/signal_convert |
| ap2.datadoghq.com | POST https://api.ap2.datadoghq.com/api/v2/siem-threat-hunting/jobs/signal_convert |
| app.datadoghq.eu  | POST https://api.datadoghq.eu/api/v2/siem-threat-hunting/jobs/signal_convert      |
| app.ddog-gov.com  | POST https://api.ddog-gov.com/api/v2/siem-threat-hunting/jobs/signal_convert      |
| app.datadoghq.com | POST https://api.datadoghq.com/api/v2/siem-threat-hunting/jobs/signal_convert     |
| us3.datadoghq.com | POST https://api.us3.datadoghq.com/api/v2/siem-threat-hunting/jobs/signal_convert |
| us5.datadoghq.com | POST https://api.us5.datadoghq.com/api/v2/siem-threat-hunting/jobs/signal_convert |

### Overview

Convert a job result to a signal. This endpoint requires the `security_monitoring_signals_write` permission.

### Request

#### Body Data (required)



{% tab title="Model" %}

| Parent field | Field                            | Type     | Description                                                                           |
| ------------ | -------------------------------- | -------- | ------------------------------------------------------------------------------------- |
|              | data                             | object   | Data for converting threat hunting job results to signals.                            |
| data         | attributes                       | object   | Attributes for converting threat hunting job results to signals.                      |
| attributes   | id                               | string   | Request ID.                                                                           |
| attributes   | jobResultIds [*required*]   | [string] | Job result IDs.                                                                       |
| attributes   | notifications [*required*]  | [string] | Notifications sent.                                                                   |
| attributes   | signalMessage [*required*]  | string   | Message of generated signals.                                                         |
| attributes   | signalSeverity [*required*] | enum     | Severity of the Security Signal. Allowed enum values: `info,low,medium,high,critical` |
| data         | type                             | enum     | Type of payload. Allowed enum values: `historicalDetectionsJobResultSignalConversion` |

{% /tab %}

{% tab title="Example" %}

```json
{
  "data": {
    "attributes": {
      "id": "string",
      "jobResultIds": [
        ""
      ],
      "notifications": [
        ""
      ],
      "signalMessage": "A large number of failed login attempts.",
      "signalSeverity": "critical"
    },
    "type": "string"
  }
}
```

{% /tab %}
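Added example, not Datadog's code: a client-side check of a `signal_convert` body against the Model table above (required attributes, the `signalSeverity` and `type` enums) before it is sent. Requiring `data` and `attributes` to be present and rejecting empty `jobResultIds` entries are this example's own policy, and the function names and sample values are constructed.

```python
import json

# Enum values and required fields as listed in the Model table above.
ALLOWED_SEVERITIES = ("info", "low", "medium", "high", "critical")
PAYLOAD_TYPE = "historicalDetectionsJobResultSignalConversion"
REQUIRED_ATTRIBUTES = ("jobResultIds", "notifications", "signalMessage", "signalSeverity")

# The Example body shown above, reproduced so it can be checked.
PAGE_EXAMPLE = {
    "data": {
        "attributes": {
            "id": "string",
            "jobResultIds": [""],
            "notifications": [""],
            "signalMessage": "A large number of failed login attempts.",
            "signalSeverity": "critical",
        },
        "type": "string",
    }
}


def _is_string_list(value):
    return isinstance(value, list) and all(isinstance(v, str) for v in value)


def validate_convert_request(payload):
    """Return a list of problems; an empty list means the body matches the model."""
    problems = []
    data = payload.get("data") if isinstance(payload, dict) else None
    if not isinstance(data, dict):
        return ["data: must be an object"]
    if "type" in data and data["type"] != PAYLOAD_TYPE:
        problems.append(f"data.type: must be {PAYLOAD_TYPE!r}, got {data['type']!r}")
    attrs = data.get("attributes")
    if not isinstance(attrs, dict):
        return problems + ["data.attributes: must be an object"]
    for name in REQUIRED_ATTRIBUTES:
        if name not in attrs:
            problems.append(f"data.attributes.{name}: required field is missing")
    if "id" in attrs and not isinstance(attrs["id"], str):
        problems.append("data.attributes.id: must be a string")
    for name in ("jobResultIds", "notifications"):
        if name in attrs and not _is_string_list(attrs[name]):
            problems.append(f"data.attributes.{name}: must be a list of strings")
    ids = attrs.get("jobResultIds")
    # Example policy: a conversion with no real result ID is a caller bug.
    if _is_string_list(ids) and (not ids or any(not i.strip() for i in ids)):
        problems.append("data.attributes.jobResultIds: needs at least one ID and no empty entries")
    if "signalMessage" in attrs and not isinstance(attrs["signalMessage"], str):
        problems.append("data.attributes.signalMessage: must be a string")
    if "signalSeverity" in attrs and attrs["signalSeverity"] not in ALLOWED_SEVERITIES:
        problems.append(
            f"data.attributes.signalSeverity: {attrs['signalSeverity']!r} is not one of "
            + ", ".join(ALLOWED_SEVERITIES)
        )
    return problems


def build_convert_request(job_result_ids, notifications, message, severity):
    """Build the JSON body, refusing to serialise one that fails validation."""
    payload = {
        "data": {
            "type": PAYLOAD_TYPE,
            "attributes": {
                "jobResultIds": list(job_result_ids),
                "notifications": list(notifications),
                "signalMessage": message,
                "signalSeverity": severity,
            },
        }
    }
    problems = validate_convert_request(payload)
    if problems:
        raise ValueError("; ".join(problems))
    return json.dumps(payload)


if __name__ == "__main__":
    # The page's placeholder body is flagged twice: type and the empty result ID.
    for problem in validate_convert_request(PAGE_EXAMPLE):
        print(problem)
```
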

### Response

{% tab title="204" %}
OK
{% /tab %}

{% tab title="400" %}
Bad Request
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="401" %}
Concurrent Modification
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="403" %}
Not Authorized
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="404" %}
Not Found
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="429" %}
Too many requests
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

### Code Example

##### Curl

```bash
# Curl command. Use the API host for your Datadog site: api.ap1.datadoghq.com, api.ap2.datadoghq.com,
# api.datadoghq.eu, api.ddog-gov.com, api.datadoghq.com, api.us3.datadoghq.com, or api.us5.datadoghq.com
curl -X POST "https://api.datadoghq.com/api/v2/siem-threat-hunting/jobs/signal_convert" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "data": {
    "attributes": {
      "jobResultIds": [
        ""
      ],
      "notifications": [
        ""
      ],
      "signalMessage": "A large number of failed login attempts.",
      "signalSeverity": "critical"
    }
  }
}
EOF
```

##### Python

```python
"""
Convert a job result to a signal returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.convert_job_results_to_signals_attributes import ConvertJobResultsToSignalsAttributes
from datadog_api_client.v2.model.convert_job_results_to_signals_data import ConvertJobResultsToSignalsData
from datadog_api_client.v2.model.convert_job_results_to_signals_data_type import ConvertJobResultsToSignalsDataType
from datadog_api_client.v2.model.convert_job_results_to_signals_request import ConvertJobResultsToSignalsRequest
from datadog_api_client.v2.model.security_monitoring_rule_severity import SecurityMonitoringRuleSeverity

body = ConvertJobResultsToSignalsRequest(
    data=ConvertJobResultsToSignalsData(
        attributes=ConvertJobResultsToSignalsAttributes(
            job_result_ids=[
                "",
            ],
            notifications=[
                "",
            ],
            signal_message="A large number of failed login attempts.",
            signal_severity=SecurityMonitoringRuleSeverity.CRITICAL,
        ),
        type=ConvertJobResultsToSignalsDataType.HISTORICALDETECTIONSJOBRESULTSIGNALCONVERSION,
    ),
)

configuration = Configuration()
configuration.unstable_operations["convert_job_result_to_signal"] = True
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    api_instance.convert_job_result_to_signal(body=body)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=python), then save the example to `example.py` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" python3 "example.py"
```

##### Ruby

```ruby
# Convert a job result to a signal returns "OK" response

require "datadog_api_client"
DatadogAPIClient.configure do |config|
  config.unstable_operations["v2.convert_job_result_to_signal".to_sym] = true
end
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

body = DatadogAPIClient::V2::ConvertJobResultsToSignalsRequest.new({
  data: DatadogAPIClient::V2::ConvertJobResultsToSignalsData.new({
    attributes: DatadogAPIClient::V2::ConvertJobResultsToSignalsAttributes.new({
      job_result_ids: [
        "",
      ],
      notifications: [
        "",
      ],
      signal_message: "A large number of failed login attempts.",
      signal_severity: DatadogAPIClient::V2::SecurityMonitoringRuleSeverity::CRITICAL,
    }),
    type: DatadogAPIClient::V2::ConvertJobResultsToSignalsDataType::HISTORICALDETECTIONSJOBRESULTSIGNALCONVERSION,
  }),
})
api_instance.convert_job_result_to_signal(body)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=ruby), then save the example to `example.rb` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" ruby "example.rb"
```

##### Go

```go
// Convert a job result to a signal returns "OK" response

package main

import (
	"context"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	body := datadogV2.ConvertJobResultsToSignalsRequest{
		Data: &datadogV2.ConvertJobResultsToSignalsData{
			Attributes: &datadogV2.ConvertJobResultsToSignalsAttributes{
				JobResultIds: []string{
					"",
				},
				Notifications: []string{
					"",
				},
				SignalMessage:  "A large number of failed login attempts.",
				SignalSeverity: datadogV2.SECURITYMONITORINGRULESEVERITY_CRITICAL,
			},
			Type: datadogV2.CONVERTJOBRESULTSTOSIGNALSDATATYPE_HISTORICALDETECTIONSJOBRESULTSIGNALCONVERSION.Ptr(),
		},
	}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	configuration.SetUnstableOperationEnabled("v2.ConvertJobResultToSignal", true)
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	r, err := api.ConvertJobResultToSignal(ctx, body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.ConvertJobResultToSignal`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=go), then save the example to `main.go` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" go run "main.go"
```

##### Java

```java
// Convert a job result to a signal returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.ConvertJobResultsToSignalsAttributes;
import com.datadog.api.client.v2.model.ConvertJobResultsToSignalsData;
import com.datadog.api.client.v2.model.ConvertJobResultsToSignalsDataType;
import com.datadog.api.client.v2.model.ConvertJobResultsToSignalsRequest;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleSeverity;
import java.util.Collections;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    defaultClient.setUnstableOperationEnabled("v2.convertJobResultToSignal", true);
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    ConvertJobResultsToSignalsRequest body =
        new ConvertJobResultsToSignalsRequest()
            .data(
                new ConvertJobResultsToSignalsData()
                    .attributes(
                        new ConvertJobResultsToSignalsAttributes()
                            .jobResultIds(Collections.singletonList(""))
                            .notifications(Collections.singletonList(""))
                            .signalMessage("A large number of failed login attempts.")
                            .signalSeverity(SecurityMonitoringRuleSeverity.CRITICAL))
                    .type(
                        ConvertJobResultsToSignalsDataType
                            .HISTORICALDETECTIONSJOBRESULTSIGNALCONVERSION));

    try {
      apiInstance.convertJobResultToSignal(body);
    } catch (ApiException e) {
      System.err.println("Exception when calling SecurityMonitoringApi#convertJobResultToSignal");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=java), then save the example to `Example.java` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" java "Example.java"
```

##### Rust

```rust
// Convert a job result to a signal returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::ConvertJobResultsToSignalsAttributes;
use datadog_api_client::datadogV2::model::ConvertJobResultsToSignalsData;
use datadog_api_client::datadogV2::model::ConvertJobResultsToSignalsDataType;
use datadog_api_client::datadogV2::model::ConvertJobResultsToSignalsRequest;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleSeverity;

#[tokio::main]
async fn main() {
    let body = ConvertJobResultsToSignalsRequest::new().data(
        ConvertJobResultsToSignalsData::new()
            .attributes(ConvertJobResultsToSignalsAttributes::new(
                vec!["".to_string()],
                vec!["".to_string()],
                "A large number of failed login attempts.".to_string(),
                SecurityMonitoringRuleSeverity::CRITICAL,
            ))
            .type_(
                ConvertJobResultsToSignalsDataType::HISTORICALDETECTIONSJOBRESULTSIGNALCONVERSION,
            ),
    );
    let mut configuration = datadog::Configuration::new();
    configuration.set_unstable_operation_enabled("v2.ConvertJobResultToSignal", true);
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api.convert_job_result_to_signal(body).await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=rust), then save the example to `src/main.rs` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" cargo run
```

##### Typescript

```typescript
/**
 * Convert a job result to a signal returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
configuration.unstableOperations["v2.convertJobResultToSignal"] = true;
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiConvertJobResultToSignalRequest = {
  body: {
    data: {
      attributes: {
        jobResultIds: [""],
        notifications: [""],
        signalMessage: "A large number of failed login attempts.",
        signalSeverity: "critical",
      },
      type: "historicalDetectionsJobResultSignalConversion",
    },
  },
};

apiInstance
  .convertJobResultToSignal(params)
  .then((data: any) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=typescript) and then save the example to `example.ts` and run the following command, with `DD_SITE` set to your Datadog site (one of `datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, `ddog-gov.com`):

    DD_SITE="<DD_SITE>" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" tsc "example.ts"
{% /tab %}

## Get a job's hist signals{% #get-a-jobs-hist-signals %}

{% tab title="v2" %}
**Note**: This endpoint is in beta and may be subject to changes. Please check the documentation regularly for updates.

| Datadog site      | API endpoint                                                                           |
| ----------------- | -------------------------------------------------------------------------------------- |
| ap1.datadoghq.com | GET https://api.ap1.datadoghq.com/api/v2/siem-threat-hunting/jobs/{job_id}/histsignals |
| ap2.datadoghq.com | GET https://api.ap2.datadoghq.com/api/v2/siem-threat-hunting/jobs/{job_id}/histsignals |
| app.datadoghq.eu  | GET https://api.datadoghq.eu/api/v2/siem-threat-hunting/jobs/{job_id}/histsignals      |
| app.ddog-gov.com  | GET https://api.ddog-gov.com/api/v2/siem-threat-hunting/jobs/{job_id}/histsignals      |
| app.datadoghq.com | GET https://api.datadoghq.com/api/v2/siem-threat-hunting/jobs/{job_id}/histsignals     |
| us3.datadoghq.com | GET https://api.us3.datadoghq.com/api/v2/siem-threat-hunting/jobs/{job_id}/histsignals |
| us5.datadoghq.com | GET https://api.us5.datadoghq.com/api/v2/siem-threat-hunting/jobs/{job_id}/histsignals |

### Overview

Get a job's hist signals. This endpoint requires the `security_monitoring_signals_read` permission.

OAuth apps require the `security_monitoring_signals_read` authorization [scope](https://docs.datadoghq.com/api/latest/scopes/#security-monitoring) to access this endpoint.



### Arguments

#### Path Parameters

| Name                     | Type   | Description        |
| ------------------------ | ------ | ------------------ |
| job_id [*required*] | string | The ID of the job. |

#### Query Strings

| Name          | Type    | Description                                                                               |
| ------------- | ------- | ----------------------------------------------------------------------------------------- |
| filter[query] | string  | The search query for security signals.                                                    |
| filter[from]  | string  | The minimum timestamp for requested security signals.                                     |
| filter[to]    | string  | The maximum timestamp for requested security signals.                                     |
| sort          | enum    | The order of the security signals in results. Allowed enum values: `timestamp, -timestamp` |
| page[cursor]  | string  | A list of results using the cursor provided in the previous query.                        |
| page[limit]   | integer | The maximum number of security signals in the response.                                   |

### Response

{% tab title="200" %}
OK
{% tab title="Model" %}
The response object with all security signals matching the request and pagination information.

| Parent field | Field      | Type      | Description                                                                                                                                 |
| ------------ | ---------- | --------- | ------------------------------------------------------------------------------------------------------------------------------------------- |
|              | data       | [object]  | An array of security signals matching the request.                                                                                          |
| data         | attributes | object    | The object containing all signal attributes and their associated values.                                                                    |
| attributes   | custom     | object    | A JSON object of attributes in the security signal.                                                                                         |
| attributes   | message    | string    | The message in the security signal defined by the rule that generated the signal.                                                           |
| attributes   | tags       | [string]  | An array of tags associated with the security signal.                                                                                       |
| attributes   | timestamp  | date-time | The timestamp of the security signal.                                                                                                       |
| data         | id         | string    | The unique ID of the security signal.                                                                                                       |
| data         | type       | enum      | The type of event. Allowed enum values: `signal`                                                                                            |
|              | links      | object    | Links attributes.                                                                                                                           |
| links        | next       | string    | The link for the next set of results. **Note**: The request can also be made using the POST endpoint.                                       |
|              | meta       | object    | Meta attributes.                                                                                                                            |
| meta         | page       | object    | Paging attributes.                                                                                                                          |
| page         | after      | string    | The cursor used to get the next results, if any. To make the next request, use the same parameters with the addition of the `page[cursor]`. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "data": [
    {
      "attributes": {
        "custom": {
          "workflow": {
            "first_seen": "2020-06-23T14:46:01.000Z",
            "last_seen": "2020-06-23T14:46:49.000Z",
            "rule": {
              "id": "0f5-e0c-805",
              "name": "Brute Force Attack Grouped By User",
              "version": 12
            }
          }
        },
        "message": "Detect Account Take Over (ATO) through brute force attempts",
        "tags": [
          "security:attack",
          "technique:T1110-brute-force"
        ],
        "timestamp": "2019-01-02T09:42:36.320Z"
      },
      "id": "AAAAAWgN8Xwgr1vKDQAAAABBV2dOOFh3ZzZobm1mWXJFYTR0OA",
      "type": "signal"
    }
  ],
  "links": {
    "next": "https://app.datadoghq.com/api/v2/security_monitoring/signals?filter[query]=foo\u0026page[cursor]=eyJzdGFydEF0IjoiQVFBQUFYS2tMS3pPbm40NGV3QUFBQUJCV0V0clRFdDZVbG8zY3pCRmNsbHJiVmxDWlEifQ=="
  },
  "meta": {
    "page": {
      "after": "eyJzdGFydEF0IjoiQVFBQUFYS2tMS3pPbm40NGV3QUFBQUJCV0V0clRFdDZVbG8zY3pCRmNsbHJiVmxDWlEifQ=="
    }
  }
}
```

{% /tab %}

{% /tab %}

{% tab title="400" %}
Bad Request
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="403" %}
Not Authorized
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="404" %}
Not Found
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="429" %}
Too many requests
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

### Code Example

```bash
# Path parameters
export job_id="CHANGE_ME"
# Curl command (replace api.datadoghq.com with the API host for your Datadog site from the endpoint table above)
curl -X GET "https://api.datadoghq.com/api/v2/siem-threat-hunting/jobs/${job_id}/histsignals" \
-H "Accept: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"
```

```python
"""
Get a job's hist signals returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi

configuration = Configuration()
configuration.unstable_operations["get_security_monitoring_histsignals_by_job_id"] = True
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.get_security_monitoring_histsignals_by_job_id(
        job_id="job_id",
    )

    print(response)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=python) and then save the example to `example.py` and run the following command, with `DD_SITE` set to your Datadog site (one of `datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, `ddog-gov.com`):

    DD_SITE="<DD_SITE>" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"

```ruby
# Get a job's hist signals returns "OK" response

require "datadog_api_client"
DatadogAPIClient.configure do |config|
  config.unstable_operations["v2.get_security_monitoring_histsignals_by_job_id".to_sym] = true
end
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new
p api_instance.get_security_monitoring_histsignals_by_job_id("job_id")
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=ruby) and then save the example to `example.rb` and run the following command, with `DD_SITE` set to your Datadog site (one of `datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, `ddog-gov.com`):

    DD_SITE="<DD_SITE>" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" rb "example.rb"

```go
// Get a job's hist signals returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	configuration.SetUnstableOperationEnabled("v2.GetSecurityMonitoringHistsignalsByJobId", true)
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.GetSecurityMonitoringHistsignalsByJobId(ctx, "job_id", *datadogV2.NewGetSecurityMonitoringHistsignalsByJobIdOptionalParameters())

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.GetSecurityMonitoringHistsignalsByJobId`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.GetSecurityMonitoringHistsignalsByJobId`:\n%s\n", responseContent)
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=go) and then save the example to `main.go` and run the following command, with `DD_SITE` set to your Datadog site (one of `datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, `ddog-gov.com`):

    DD_SITE="<DD_SITE>" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"

```java
// Get a job's hist signals returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityMonitoringSignalsListResponse;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    defaultClient.setUnstableOperationEnabled("v2.getSecurityMonitoringHistsignalsByJobId", true);
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    try {
      SecurityMonitoringSignalsListResponse result =
          apiInstance.getSecurityMonitoringHistsignalsByJobId("job_id");
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#getSecurityMonitoringHistsignalsByJobId");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=java) and then save the example to `Example.java` and run the following command, with `DD_SITE` set to your Datadog site (one of `datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, `ddog-gov.com`):

    DD_SITE="<DD_SITE>" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"

```rust
// Get a job's hist signals returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::GetSecurityMonitoringHistsignalsByJobIdOptionalParams;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;

#[tokio::main]
async fn main() {
    let mut configuration = datadog::Configuration::new();
    configuration
        .set_unstable_operation_enabled("v2.GetSecurityMonitoringHistsignalsByJobId", true);
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api
        .get_security_monitoring_histsignals_by_job_id(
            "job_id".to_string(),
            GetSecurityMonitoringHistsignalsByJobIdOptionalParams::default(),
        )
        .await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=rust) and then save the example to `src/main.rs` and run the following command, with `DD_SITE` set to your Datadog site (one of `datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, `ddog-gov.com`):

    DD_SITE="<DD_SITE>" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run

```typescript
/**
 * Get a job's hist signals returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
configuration.unstableOperations["v2.getSecurityMonitoringHistsignalsByJobId"] =
  true;
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiGetSecurityMonitoringHistsignalsByJobIdRequest =
  {
    jobId: "job_id",
  };

apiInstance
  .getSecurityMonitoringHistsignalsByJobId(params)
  .then((data: v2.SecurityMonitoringSignalsListResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=typescript) and then save the example to `example.ts` and run the following command, with `DD_SITE` set to your Datadog site (one of `datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, `ddog-gov.com`):

    DD_SITE="<DD_SITE>" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"
{% /tab %}

## List hist signals{% #list-hist-signals %}

{% tab title="v2" %}
**Note**: This endpoint is in beta and may be subject to changes. Please check the documentation regularly for updates.

| Datadog site      | API endpoint                                                             |
| ----------------- | ------------------------------------------------------------------------ |
| ap1.datadoghq.com | GET https://api.ap1.datadoghq.com/api/v2/siem-threat-hunting/histsignals |
| ap2.datadoghq.com | GET https://api.ap2.datadoghq.com/api/v2/siem-threat-hunting/histsignals |
| app.datadoghq.eu  | GET https://api.datadoghq.eu/api/v2/siem-threat-hunting/histsignals      |
| app.ddog-gov.com  | GET https://api.ddog-gov.com/api/v2/siem-threat-hunting/histsignals      |
| app.datadoghq.com | GET https://api.datadoghq.com/api/v2/siem-threat-hunting/histsignals     |
| us3.datadoghq.com | GET https://api.us3.datadoghq.com/api/v2/siem-threat-hunting/histsignals |
| us5.datadoghq.com | GET https://api.us5.datadoghq.com/api/v2/siem-threat-hunting/histsignals |

### Overview

List hist signals. This endpoint requires the `security_monitoring_signals_read` permission.

OAuth apps require the `security_monitoring_signals_read` authorization [scope](https://docs.datadoghq.com/api/latest/scopes/#security-monitoring) to access this endpoint.



### Arguments

#### Query Strings

| Name          | Type    | Description                                                                               |
| ------------- | ------- | ----------------------------------------------------------------------------------------- |
| filter[query] | string  | The search query for security signals.                                                    |
| filter[from]  | string  | The minimum timestamp for requested security signals.                                     |
| filter[to]    | string  | The maximum timestamp for requested security signals.                                     |
| sort          | enum    | The order of the security signals in results. Allowed enum values: `timestamp, -timestamp` |
| page[cursor]  | string  | A list of results using the cursor provided in the previous query.                        |
| page[limit]   | integer | The maximum number of security signals in the response.                                   |

### Response

{% tab title="200" %}
OK
{% tab title="Model" %}
The response object with all security signals matching the request and pagination information.

| Parent field | Field      | Type      | Description                                                                                                                                 |
| ------------ | ---------- | --------- | ------------------------------------------------------------------------------------------------------------------------------------------- |
|              | data       | [object]  | An array of security signals matching the request.                                                                                          |
| data         | attributes | object    | The object containing all signal attributes and their associated values.                                                                    |
| attributes   | custom     | object    | A JSON object of attributes in the security signal.                                                                                         |
| attributes   | message    | string    | The message in the security signal defined by the rule that generated the signal.                                                           |
| attributes   | tags       | [string]  | An array of tags associated with the security signal.                                                                                       |
| attributes   | timestamp  | date-time | The timestamp of the security signal.                                                                                                       |
| data         | id         | string    | The unique ID of the security signal.                                                                                                       |
| data         | type       | enum      | The type of event. Allowed enum values: `signal`                                                                                            |
|              | links      | object    | Links attributes.                                                                                                                           |
| links        | next       | string    | The link for the next set of results. **Note**: The request can also be made using the POST endpoint.                                       |
|              | meta       | object    | Meta attributes.                                                                                                                            |
| meta         | page       | object    | Paging attributes.                                                                                                                          |
| page         | after      | string    | The cursor used to get the next results, if any. To make the next request, use the same parameters with the addition of the `page[cursor]`. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "data": [
    {
      "attributes": {
        "custom": {
          "workflow": {
            "first_seen": "2020-06-23T14:46:01.000Z",
            "last_seen": "2020-06-23T14:46:49.000Z",
            "rule": {
              "id": "0f5-e0c-805",
              "name": "Brute Force Attack Grouped By User",
              "version": 12
            }
          }
        },
        "message": "Detect Account Take Over (ATO) through brute force attempts",
        "tags": [
          "security:attack",
          "technique:T1110-brute-force"
        ],
        "timestamp": "2019-01-02T09:42:36.320Z"
      },
      "id": "AAAAAWgN8Xwgr1vKDQAAAABBV2dOOFh3ZzZobm1mWXJFYTR0OA",
      "type": "signal"
    }
  ],
  "links": {
    "next": "https://app.datadoghq.com/api/v2/security_monitoring/signals?filter[query]=foo\u0026page[cursor]=eyJzdGFydEF0IjoiQVFBQUFYS2tMS3pPbm40NGV3QUFBQUJCV0V0clRFdDZVbG8zY3pCRmNsbHJiVmxDWlEifQ=="
  },
  "meta": {
    "page": {
      "after": "eyJzdGFydEF0IjoiQVFBQUFYS2tMS3pPbm40NGV3QUFBQUJCV0V0clRFdDZVbG8zY3pCRmNsbHJiVmxDWlEifQ=="
    }
  }
}
```

{% /tab %}

{% /tab %}

{% tab title="400" %}
Bad Request
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="403" %}
Not Authorized
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="404" %}
Not Found
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="429" %}
Too many requests
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

### Code Example

```bash
# Curl command (replace api.datadoghq.com with the API host for your Datadog site from the endpoint table above)
curl -X GET "https://api.datadoghq.com/api/v2/siem-threat-hunting/histsignals" \
-H "Accept: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"
```

```python
"""
List hist signals returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi

configuration = Configuration()
configuration.unstable_operations["list_security_monitoring_histsignals"] = True
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.list_security_monitoring_histsignals()

    print(response)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=python) and then save the example to `example.py` and run the following command, with `DD_SITE` set to your Datadog site (one of `datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, `ddog-gov.com`):

    DD_SITE="<DD_SITE>" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"

```ruby
# List hist signals returns "OK" response

require "datadog_api_client"
DatadogAPIClient.configure do |config|
  config.unstable_operations["v2.list_security_monitoring_histsignals".to_sym] = true
end
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new
p api_instance.list_security_monitoring_histsignals()
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=ruby) and then save the example to `example.rb` and run the following command, with `DD_SITE` set to your Datadog site (one of `datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, `ddog-gov.com`):

    DD_SITE="<DD_SITE>" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" rb "example.rb"

```go
// List hist signals returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	configuration.SetUnstableOperationEnabled("v2.ListSecurityMonitoringHistsignals", true)
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.ListSecurityMonitoringHistsignals(ctx, *datadogV2.NewListSecurityMonitoringHistsignalsOptionalParameters())

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.ListSecurityMonitoringHistsignals`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.ListSecurityMonitoringHistsignals`:\n%s\n", responseContent)
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=go) and then save the example to `main.go` and run the following command, with `DD_SITE` set to your Datadog site (one of `datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, `ddog-gov.com`):

    DD_SITE="<DD_SITE>" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"

```java
// List hist signals returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityMonitoringSignalsListResponse;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    defaultClient.setUnstableOperationEnabled("v2.listSecurityMonitoringHistsignals", true);
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    try {
      SecurityMonitoringSignalsListResponse result =
          apiInstance.listSecurityMonitoringHistsignals();
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#listSecurityMonitoringHistsignals");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=java) and then save the example to `Example.java` and run the following command, with `DD_SITE` set to your Datadog site (one of `datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, `ddog-gov.com`):

    DD_SITE="<DD_SITE>" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"

```rust
// List hist signals returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::ListSecurityMonitoringHistsignalsOptionalParams;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;

#[tokio::main]
async fn main() {
    let mut configuration = datadog::Configuration::new();
    configuration.set_unstable_operation_enabled("v2.ListSecurityMonitoringHistsignals", true);
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api
        .list_security_monitoring_histsignals(
            ListSecurityMonitoringHistsignalsOptionalParams::default(),
        )
        .await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=rust) and then save the example to `src/main.rs` and run the following command, with `DD_SITE` set to your Datadog site (one of `datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, `ddog-gov.com`):

    DD_SITE="<DD_SITE>" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run

```typescript
/**
 * List hist signals returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
configuration.unstableOperations["v2.listSecurityMonitoringHistsignals"] = true;
const apiInstance = new v2.SecurityMonitoringApi(configuration);

apiInstance
  .listSecurityMonitoringHistsignals()
  .then((data: v2.SecurityMonitoringSignalsListResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=typescript) and then save the example to `example.ts` and run the following command, with `DD_SITE` set to your Datadog site (one of `datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, `ddog-gov.com`):

    DD_SITE="<DD_SITE>" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"
{% /tab %}

## Get a hist signal's details{% #get-a-hist-signals-details %}

{% tab title="v2" %}
**Note**: This endpoint is in beta and may be subject to changes. Please check the documentation regularly for updates.

| Datadog site      | API endpoint                                                                             |
| ----------------- | ---------------------------------------------------------------------------------------- |
| ap1.datadoghq.com | GET https://api.ap1.datadoghq.com/api/v2/siem-threat-hunting/histsignals/{histsignal_id} |
| ap2.datadoghq.com | GET https://api.ap2.datadoghq.com/api/v2/siem-threat-hunting/histsignals/{histsignal_id} |
| app.datadoghq.eu  | GET https://api.datadoghq.eu/api/v2/siem-threat-hunting/histsignals/{histsignal_id}      |
| app.ddog-gov.com  | GET https://api.ddog-gov.com/api/v2/siem-threat-hunting/histsignals/{histsignal_id}      |
| app.datadoghq.com | GET https://api.datadoghq.com/api/v2/siem-threat-hunting/histsignals/{histsignal_id}     |
| us3.datadoghq.com | GET https://api.us3.datadoghq.com/api/v2/siem-threat-hunting/histsignals/{histsignal_id} |
| us5.datadoghq.com | GET https://api.us5.datadoghq.com/api/v2/siem-threat-hunting/histsignals/{histsignal_id} |

### Overview

Get a hist signal's details. This endpoint requires the `security_monitoring_signals_read` permission.

OAuth apps require the `security_monitoring_signals_read` authorization [scope](https://docs.datadoghq.com/api/latest/scopes/#security-monitoring) to access this endpoint.



### Arguments

#### Path Parameters

| Name                            | Type   | Description                          |
| ------------------------------- | ------ | ------------------------------------ |
| histsignal_id [*required*] | string | The ID of the threat hunting signal. |

### Response

{% tab title="200" %}
OK
{% tab title="Model" %}
Security Signal response data object.

| Parent field | Field      | Type      | Description                                                                       |
| ------------ | ---------- | --------- | --------------------------------------------------------------------------------- |
|              | data       | object    | Object description of a security signal.                                          |
| data         | attributes | object    | The object containing all signal attributes and their associated values.          |
| attributes   | custom     | object    | A JSON object of attributes in the security signal.                               |
| attributes   | message    | string    | The message in the security signal defined by the rule that generated the signal. |
| attributes   | tags       | [string]  | An array of tags associated with the security signal.                             |
| attributes   | timestamp  | date-time | The timestamp of the security signal.                                             |
| data         | id         | string    | The unique ID of the security signal.                                             |
| data         | type       | enum      | The type of event. Allowed enum values: `signal`                                  |

{% /tab %}

{% tab title="Example" %}

```json
{
  "data": {
    "attributes": {
      "custom": {
        "workflow": {
          "first_seen": "2020-06-23T14:46:01.000Z",
          "last_seen": "2020-06-23T14:46:49.000Z",
          "rule": {
            "id": "0f5-e0c-805",
            "name": "Brute Force Attack Grouped By User",
            "version": 12
          }
        }
      },
      "message": "Detect Account Take Over (ATO) through brute force attempts",
      "tags": [
        "security:attack",
        "technique:T1110-brute-force"
      ],
      "timestamp": "2019-01-02T09:42:36.320Z"
    },
    "id": "AAAAAWgN8Xwgr1vKDQAAAABBV2dOOFh3ZzZobm1mWXJFYTR0OA",
    "type": "signal"
  }
}
```

{% /tab %}

{% /tab %}

{% tab title="400" %}
Bad Request
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="403" %}
Not Authorized
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="404" %}
Not Found
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="429" %}
Too many requests
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

### Code Example

```bash
# Path parameters
export histsignal_id="CHANGE_ME"
# Curl command (replace api.datadoghq.com with the API host for your Datadog site)
curl -X GET "https://api.datadoghq.com/api/v2/siem-threat-hunting/histsignals/${histsignal_id}" \
-H "Accept: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"
```

```python
"""
Get a hist signal's details returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi

configuration = Configuration()
configuration.unstable_operations["get_security_monitoring_histsignal"] = True
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.get_security_monitoring_histsignal(
        histsignal_id="histsignal_id",
    )

    print(response)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=python) and then save the example to `example.py` and run the following command, with `DD_SITE` set to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"

```ruby
# Get a hist signal's details returns "OK" response

require "datadog_api_client"
DatadogAPIClient.configure do |config|
  config.unstable_operations["v2.get_security_monitoring_histsignal".to_sym] = true
end
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new
p api_instance.get_security_monitoring_histsignal("histsignal_id")
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=ruby) and then save the example to `example.rb` and run the following command, with `DD_SITE` set to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" ruby "example.rb"

```go
// Get a hist signal's details returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	configuration.SetUnstableOperationEnabled("v2.GetSecurityMonitoringHistsignal", true)
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.GetSecurityMonitoringHistsignal(ctx, "histsignal_id")

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.GetSecurityMonitoringHistsignal`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.GetSecurityMonitoringHistsignal`:\n%s\n", responseContent)
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=go) and then save the example to `main.go` and run the following command, with `DD_SITE` set to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"

```java
// Get a hist signal's details returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityMonitoringSignalResponse;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    defaultClient.setUnstableOperationEnabled("v2.getSecurityMonitoringHistsignal", true);
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    try {
      SecurityMonitoringSignalResponse result =
          apiInstance.getSecurityMonitoringHistsignal("histsignal_id");
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#getSecurityMonitoringHistsignal");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=java) and then save the example to `Example.java` and run the following command, with `DD_SITE` set to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"

```rust
// Get a hist signal's details returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;

#[tokio::main]
async fn main() {
    let mut configuration = datadog::Configuration::new();
    configuration.set_unstable_operation_enabled("v2.GetSecurityMonitoringHistsignal", true);
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api
        .get_security_monitoring_histsignal("histsignal_id".to_string())
        .await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=rust) and then save the example to `src/main.rs` and run the following command, with `DD_SITE` set to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run

```typescript
/**
 * Get a hist signal's details returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
configuration.unstableOperations["v2.getSecurityMonitoringHistsignal"] = true;
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiGetSecurityMonitoringHistsignalRequest = {
  histsignalId: "histsignal_id",
};

apiInstance
  .getSecurityMonitoringHistsignal(params)
  .then((data: v2.SecurityMonitoringSignalResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=typescript) and then save the example to `example.ts` and run the following command, with `DD_SITE` set to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"
{% /tab %}

## Search hist signals{% #search-hist-signals %}

{% tab title="v2" %}
**Note**: This endpoint is in beta and may be subject to changes. Please check the documentation regularly for updates.

| Datadog site      | API endpoint                                                                    |
| ----------------- | ------------------------------------------------------------------------------- |
| ap1.datadoghq.com | GET https://api.ap1.datadoghq.com/api/v2/siem-threat-hunting/histsignals/search |
| ap2.datadoghq.com | GET https://api.ap2.datadoghq.com/api/v2/siem-threat-hunting/histsignals/search |
| app.datadoghq.eu  | GET https://api.datadoghq.eu/api/v2/siem-threat-hunting/histsignals/search      |
| app.ddog-gov.com  | GET https://api.ddog-gov.com/api/v2/siem-threat-hunting/histsignals/search      |
| app.datadoghq.com | GET https://api.datadoghq.com/api/v2/siem-threat-hunting/histsignals/search     |
| us3.datadoghq.com | GET https://api.us3.datadoghq.com/api/v2/siem-threat-hunting/histsignals/search |
| us5.datadoghq.com | GET https://api.us5.datadoghq.com/api/v2/siem-threat-hunting/histsignals/search |

### Overview

Search hist signals. This endpoint requires the `security_monitoring_signals_read` permission.

OAuth apps require the `security_monitoring_signals_read` authorization [scope](https://docs.datadoghq.com/api/latest/scopes/#security-monitoring) to access this endpoint.



### Request

#### Body Data 



{% tab title="Model" %}

| Parent field | Field  | Type      | Description                                                                                         |
| ------------ | ------ | --------- | --------------------------------------------------------------------------------------------------- |
|              | filter | object    | Search filters for listing security signals.                                                        |
| filter       | from   | date-time | The minimum timestamp for requested security signals.                                               |
| filter       | query  | string    | Search query for listing security signals.                                                          |
| filter       | to     | date-time | The maximum timestamp for requested security signals.                                               |
|              | page   | object    | The paging attributes for listing security signals.                                                 |
| page         | cursor | string    | A list of results using the cursor provided in the previous query.                                  |
| page         | limit  | int32     | The maximum number of security signals in the response.                                             |
|              | sort   | enum      | The sort parameters used for querying security signals. Allowed enum values: `timestamp`, `-timestamp` |

{% /tab %}

{% tab title="Example" %}

```json
{
  "filter": {
    "from": "2019-01-02T09:42:36.320Z",
    "query": "security:attack status:high",
    "to": "2019-01-03T09:42:36.320Z"
  },
  "page": {
    "cursor": "eyJzdGFydEF0IjoiQVFBQUFYS2tMS3pPbm40NGV3QUFBQUJCV0V0clRFdDZVbG8zY3pCRmNsbHJiVmxDWlEifQ==",
    "limit": 25
  },
  "sort": "timestamp"
}
```

{% /tab %}

### Response

{% tab title="200" %}
OK
{% tab title="Model" %}
The response object with all security signals matching the request and pagination information.

| Parent field | Field      | Type      | Description                                                                                                                                 |
| ------------ | ---------- | --------- | ------------------------------------------------------------------------------------------------------------------------------------------- |
|              | data       | [object]  | An array of security signals matching the request.                                                                                          |
| data         | attributes | object    | The object containing all signal attributes and their associated values.                                                                    |
| attributes   | custom     | object    | A JSON object of attributes in the security signal.                                                                                         |
| attributes   | message    | string    | The message in the security signal defined by the rule that generated the signal.                                                           |
| attributes   | tags       | [string]  | An array of tags associated with the security signal.                                                                                       |
| attributes   | timestamp  | date-time | The timestamp of the security signal.                                                                                                       |
| data         | id         | string    | The unique ID of the security signal.                                                                                                       |
| data         | type       | enum      | The type of event. Allowed enum values: `signal`                                                                                            |
|              | links      | object    | Links attributes.                                                                                                                           |
| links        | next       | string    | The link for the next set of results. **Note**: The request can also be made using the POST endpoint.                                       |
|              | meta       | object    | Meta attributes.                                                                                                                            |
| meta         | page       | object    | Paging attributes.                                                                                                                          |
| page         | after      | string    | The cursor used to get the next results, if any. To make the next request, use the same parameters with the addition of the `page[cursor]`. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "data": [
    {
      "attributes": {
        "custom": {
          "workflow": {
            "first_seen": "2020-06-23T14:46:01.000Z",
            "last_seen": "2020-06-23T14:46:49.000Z",
            "rule": {
              "id": "0f5-e0c-805",
              "name": "Brute Force Attack Grouped By User",
              "version": 12
            }
          }
        },
        "message": "Detect Account Take Over (ATO) through brute force attempts",
        "tags": [
          "security:attack",
          "technique:T1110-brute-force"
        ],
        "timestamp": "2019-01-02T09:42:36.320Z"
      },
      "id": "AAAAAWgN8Xwgr1vKDQAAAABBV2dOOFh3ZzZobm1mWXJFYTR0OA",
      "type": "signal"
    }
  ],
  "links": {
    "next": "https://app.datadoghq.com/api/v2/security_monitoring/signals?filter[query]=foo\u0026page[cursor]=eyJzdGFydEF0IjoiQVFBQUFYS2tMS3pPbm40NGV3QUFBQUJCV0V0clRFdDZVbG8zY3pCRmNsbHJiVmxDWlEifQ=="
  },
  "meta": {
    "page": {
      "after": "eyJzdGFydEF0IjoiQVFBQUFYS2tMS3pPbm40NGV3QUFBQUJCV0V0clRFdDZVbG8zY3pCRmNsbHJiVmxDWlEifQ=="
    }
  }
}
```

{% /tab %}

{% /tab %}

{% tab title="400" %}
Bad Request
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="403" %}
Not Authorized
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="404" %}
Not Found
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="429" %}
Too many requests
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}
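The cursor handling described for `meta.page.after` in the 200 response model, as an added example that is not part of the Datadog documentation or client libraries: it repeats the same filter, adds `page.cursor` from the previous response, and stops when no cursor is returned. `send_search` is a hypothetical transport callable (request body in, decoded JSON out), and the pages, cursors, and second rule name are constructed sample data so the block runs offline.

```python
import copy


def search_all_histsignals(send_search, query, time_from, time_to,
                           limit=25, max_pages=100):
    """Collect every matching signal by following meta.page.after.

    send_search is a hypothetical callable supplied by the caller: it takes
    the request body (dict) and returns the decoded JSON response (dict).
    """
    base = {
        "filter": {"from": time_from, "query": query, "to": time_to},
        "page": {"limit": limit},
        "sort": "timestamp",
    }
    signals, seen_cursors, cursor = [], set(), None
    for _ in range(max_pages):
        body = copy.deepcopy(base)  # same parameters on every request
        if cursor is not None:
            body["page"]["cursor"] = cursor  # the only addition per page
        resp = send_search(body)
        if "errors" in resp:  # shape of the 400/403/404/429 error model
            raise RuntimeError("search failed: " + "; ".join(resp["errors"]))
        signals.extend(resp.get("data", []))
        cursor = resp.get("meta", {}).get("page", {}).get("after")
        if not cursor:
            return signals  # no cursor means the result set is exhausted
        if cursor in seen_cursors:
            raise RuntimeError("cursor repeated; aborting to avoid a loop")
        seen_cursors.add(cursor)
    raise RuntimeError("max_pages reached before the result set was exhausted")


def summarize(signals):
    """Count signals per (rule name, technique tag) for triage."""
    counts = {}
    for sig in signals:
        attrs = sig.get("attributes", {})
        rule = (attrs.get("custom", {}).get("workflow", {})
                .get("rule", {}).get("name", "<unknown rule>"))
        techniques = [t.split(":", 1)[1] for t in attrs.get("tags", [])
                      if t.startswith("technique:")] or ["<none>"]
        for tech in techniques:
            counts[(rule, tech)] = counts.get((rule, tech), 0) + 1
    return counts


def constructed_signal(signal_id, rule_name, tags):
    """Build a signal in the documented response shape (constructed data)."""
    return {
        "id": signal_id,
        "type": "signal",
        "attributes": {
            "custom": {"workflow": {"rule": {"name": rule_name}}},
            "message": rule_name,
            "tags": tags,
            "timestamp": "2019-01-02T09:42:36.320Z",
        },
    }


BRUTE = "Brute Force Attack Grouped By User"
BRUTE_TAGS = ["security:attack", "technique:T1110-brute-force"]
OTHER = "Constructed rule without technique tag"

# Constructed pages keyed by the cursor that requests them (None = first page).
CONSTRUCTED_PAGES = {
    None: {
        "data": [constructed_signal("constructed-1", BRUTE, BRUTE_TAGS),
                 constructed_signal("constructed-2", BRUTE, BRUTE_TAGS)],
        "meta": {"page": {"after": "constructed-cursor-1"}},
    },
    "constructed-cursor-1": {
        "data": [constructed_signal("constructed-3", BRUTE, BRUTE_TAGS),
                 constructed_signal("constructed-4", OTHER, ["security:attack"])],
        "meta": {"page": {"after": "constructed-cursor-2"}},
    },
    "constructed-cursor-2": {
        "data": [constructed_signal("constructed-5", BRUTE, BRUTE_TAGS)],
        "meta": {"page": {}},
    },
}


def make_constructed_transport():
    """Return an offline stand-in for the HTTP call plus a log of sent bodies."""
    sent = []

    def send_search(body):
        sent.append(body)
        return CONSTRUCTED_PAGES[body["page"].get("cursor")]

    return send_search, sent


if __name__ == "__main__":
    send, _sent = make_constructed_transport()
    found = search_all_histsignals(send, "security:attack status:high",
                                   "2019-01-02T09:42:36.320Z",
                                   "2019-01-03T09:42:36.320Z", limit=2)
    for key, count in sorted(summarize(found).items()):
        print(count, key)
```

To run it against the real endpoint, replace `send_search` with a function that issues the request through your HTTP client or the official client library.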

### Code Example

```bash
# Curl command (replace api.datadoghq.com with the API host for your Datadog site)
curl -X GET "https://api.datadoghq.com/api/v2/siem-threat-hunting/histsignals/search" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{}
EOF
```

```python
"""
Search hist signals returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.security_monitoring_signal_list_request import SecurityMonitoringSignalListRequest
from datadog_api_client.v2.model.security_monitoring_signal_list_request_filter import (
    SecurityMonitoringSignalListRequestFilter,
)
from datadog_api_client.v2.model.security_monitoring_signal_list_request_page import (
    SecurityMonitoringSignalListRequestPage,
)
from datadog_api_client.v2.model.security_monitoring_signals_sort import SecurityMonitoringSignalsSort
from datetime import datetime
from dateutil.tz import tzutc

body = SecurityMonitoringSignalListRequest(
    filter=SecurityMonitoringSignalListRequestFilter(
        _from=datetime(2019, 1, 2, 9, 42, 36, 320000, tzinfo=tzutc()),
        query="security:attack status:high",
        to=datetime(2019, 1, 3, 9, 42, 36, 320000, tzinfo=tzutc()),
    ),
    page=SecurityMonitoringSignalListRequestPage(
        cursor="eyJzdGFydEF0IjoiQVFBQUFYS2tMS3pPbm40NGV3QUFBQUJCV0V0clRFdDZVbG8zY3pCRmNsbHJiVmxDWlEifQ==",
        limit=25,
    ),
    sort=SecurityMonitoringSignalsSort.TIMESTAMP_ASCENDING,
)

configuration = Configuration()
configuration.unstable_operations["search_security_monitoring_histsignals"] = True
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.search_security_monitoring_histsignals(body=body)

    print(response)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=python) and then save the example to `example.py` and run the following command, with `DD_SITE` set to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"

```ruby
# Search hist signals returns "OK" response

require "datadog_api_client"
DatadogAPIClient.configure do |config|
  config.unstable_operations["v2.search_security_monitoring_histsignals".to_sym] = true
end
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

body = DatadogAPIClient::V2::SecurityMonitoringSignalListRequest.new({
  filter: DatadogAPIClient::V2::SecurityMonitoringSignalListRequestFilter.new({
    from: "2019-01-02T09:42:36.320Z",
    query: "security:attack status:high",
    to: "2019-01-03T09:42:36.320Z",
  }),
  page: DatadogAPIClient::V2::SecurityMonitoringSignalListRequestPage.new({
    cursor: "eyJzdGFydEF0IjoiQVFBQUFYS2tMS3pPbm40NGV3QUFBQUJCV0V0clRFdDZVbG8zY3pCRmNsbHJiVmxDWlEifQ==",
    limit: 25,
  }),
  sort: DatadogAPIClient::V2::SecurityMonitoringSignalsSort::TIMESTAMP_ASCENDING,
})
opts = {
  body: body,
}
p api_instance.search_security_monitoring_histsignals(opts)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=ruby) and then save the example to `example.rb` and run the following command, with `DD_SITE` set to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" ruby "example.rb"

```go
// Search hist signals returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"
	"time"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	body := datadogV2.SecurityMonitoringSignalListRequest{
		Filter: &datadogV2.SecurityMonitoringSignalListRequestFilter{
			From:  datadog.PtrTime(time.Date(2019, 1, 2, 9, 42, 36, 320000000, time.UTC)),
			Query: datadog.PtrString("security:attack status:high"),
			To:    datadog.PtrTime(time.Date(2019, 1, 3, 9, 42, 36, 320000000, time.UTC)),
		},
		Page: &datadogV2.SecurityMonitoringSignalListRequestPage{
			Cursor: datadog.PtrString("eyJzdGFydEF0IjoiQVFBQUFYS2tMS3pPbm40NGV3QUFBQUJCV0V0clRFdDZVbG8zY3pCRmNsbHJiVmxDWlEifQ=="),
			Limit:  datadog.PtrInt32(25),
		},
		Sort: datadogV2.SECURITYMONITORINGSIGNALSSORT_TIMESTAMP_ASCENDING.Ptr(),
	}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	configuration.SetUnstableOperationEnabled("v2.SearchSecurityMonitoringHistsignals", true)
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.SearchSecurityMonitoringHistsignals(ctx, *datadogV2.NewSearchSecurityMonitoringHistsignalsOptionalParameters().WithBody(body))

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.SearchSecurityMonitoringHistsignals`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.SearchSecurityMonitoringHistsignals`:\n%s\n", responseContent)
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=go) and then save the example to `main.go` and run the following command, with `DD_SITE` set to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"

```java
// Search hist signals returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.api.SecurityMonitoringApi.SearchSecurityMonitoringHistsignalsOptionalParameters;
import com.datadog.api.client.v2.model.SecurityMonitoringSignalListRequest;
import com.datadog.api.client.v2.model.SecurityMonitoringSignalListRequestFilter;
import com.datadog.api.client.v2.model.SecurityMonitoringSignalListRequestPage;
import com.datadog.api.client.v2.model.SecurityMonitoringSignalsListResponse;
import com.datadog.api.client.v2.model.SecurityMonitoringSignalsSort;
import java.time.OffsetDateTime;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    defaultClient.setUnstableOperationEnabled("v2.searchSecurityMonitoringHistsignals", true);
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    SecurityMonitoringSignalListRequest body =
        new SecurityMonitoringSignalListRequest()
            .filter(
                new SecurityMonitoringSignalListRequestFilter()
                    .from(OffsetDateTime.parse("2019-01-02T09:42:36.320Z"))
                    .query("security:attack status:high")
                    .to(OffsetDateTime.parse("2019-01-03T09:42:36.320Z")))
            .page(
                new SecurityMonitoringSignalListRequestPage()
                    .cursor(
                        "eyJzdGFydEF0IjoiQVFBQUFYS2tMS3pPbm40NGV3QUFBQUJCV0V0clRFdDZVbG8zY3pCRmNsbHJiVmxDWlEifQ==")
                    .limit(25))
            .sort(SecurityMonitoringSignalsSort.TIMESTAMP_ASCENDING);

    try {
      SecurityMonitoringSignalsListResponse result =
          apiInstance.searchSecurityMonitoringHistsignals(
              new SearchSecurityMonitoringHistsignalsOptionalParameters().body(body));
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#searchSecurityMonitoringHistsignals");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=java) and then save the example to `Example.java` and run the following command, with `DD_SITE` set to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"

```rust
// Search hist signals returns "OK" response
use chrono::{DateTime, Utc};
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SearchSecurityMonitoringHistsignalsOptionalParams;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::SecurityMonitoringSignalListRequest;
use datadog_api_client::datadogV2::model::SecurityMonitoringSignalListRequestFilter;
use datadog_api_client::datadogV2::model::SecurityMonitoringSignalListRequestPage;
use datadog_api_client::datadogV2::model::SecurityMonitoringSignalsSort;

#[tokio::main]
async fn main() {
    let body =
        SecurityMonitoringSignalListRequest::new()
            .filter(
                SecurityMonitoringSignalListRequestFilter::new()
                    .from(
                        DateTime::parse_from_rfc3339("2019-01-02T09:42:36.320000+00:00")
                            .expect("Failed to parse datetime")
                            .with_timezone(&Utc),
                    )
                    .query("security:attack status:high".to_string())
                    .to(
                        DateTime::parse_from_rfc3339("2019-01-03T09:42:36.320000+00:00")
                            .expect("Failed to parse datetime")
                            .with_timezone(&Utc),
                    ),
            )
            .page(
                SecurityMonitoringSignalListRequestPage::new()
                    .cursor(
                        "eyJzdGFydEF0IjoiQVFBQUFYS2tMS3pPbm40NGV3QUFBQUJCV0V0clRFdDZVbG8zY3pCRmNsbHJiVmxDWlEifQ==".to_string(),
                    )
                    .limit(25),
            )
            .sort(SecurityMonitoringSignalsSort::TIMESTAMP_ASCENDING);
    let mut configuration = datadog::Configuration::new();
    configuration.set_unstable_operation_enabled("v2.SearchSecurityMonitoringHistsignals", true);
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api
        .search_security_monitoring_histsignals(
            SearchSecurityMonitoringHistsignalsOptionalParams::default().body(body),
        )
        .await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=rust), then save the example to `src/main.rs` and run the following command:

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run

Set `DD_SITE` to your Datadog site: `datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`.

```typescript
/**
 * Search hist signals returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
configuration.unstableOperations["v2.searchSecurityMonitoringHistsignals"] =
  true;
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiSearchSecurityMonitoringHistsignalsRequest =
  {
    body: {
      filter: {
        // ISO 8601 strings avoid the zero-based month and millisecond overflow of the numeric Date constructor
        from: new Date("2019-01-02T09:42:36.320Z"),
        query: "security:attack status:high",
        to: new Date("2019-01-03T09:42:36.320Z"),
      },
      page: {
        cursor:
          "eyJzdGFydEF0IjoiQVFBQUFYS2tMS3pPbm40NGV3QUFBQUJCV0V0clRFdDZVbG8zY3pCRmNsbHJiVmxDWlEifQ==",
        limit: 25,
      },
      sort: "timestamp",
    },
  };

apiInstance
  .searchSecurityMonitoringHistsignals(params)
  .then((data: v2.SecurityMonitoringSignalsListResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=typescript), then save the example to `example.ts` and run the following command:

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"

Set `DD_SITE` to your Datadog site: `datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`.
{% /tab %}

## Get a list of security signals{% #get-a-list-of-security-signals %}

{% tab title="v2" %}

| Datadog site      | API endpoint                                                                 |
| ----------------- | ---------------------------------------------------------------------------- |
| ap1.datadoghq.com | POST https://api.ap1.datadoghq.com/api/v2/security_monitoring/signals/search |
| ap2.datadoghq.com | POST https://api.ap2.datadoghq.com/api/v2/security_monitoring/signals/search |
| app.datadoghq.eu  | POST https://api.datadoghq.eu/api/v2/security_monitoring/signals/search      |
| app.ddog-gov.com  | POST https://api.ddog-gov.com/api/v2/security_monitoring/signals/search      |
| app.datadoghq.com | POST https://api.datadoghq.com/api/v2/security_monitoring/signals/search     |
| us3.datadoghq.com | POST https://api.us3.datadoghq.com/api/v2/security_monitoring/signals/search |
| us5.datadoghq.com | POST https://api.us5.datadoghq.com/api/v2/security_monitoring/signals/search |

### Overview

Returns security signals that match a search query. Both this endpoint and the GET endpoint can be used interchangeably for listing security signals. This endpoint requires the `security_monitoring_signals_read` permission.

OAuth apps require the `security_monitoring_signals_read` authorization [scope](https://docs.datadoghq.com/api/latest/scopes/#security-monitoring) to access this endpoint.



### Request

#### Body Data 



{% tab title="Model" %}

| Parent field | Field  | Type      | Description                                                                                         |
| ------------ | ------ | --------- | --------------------------------------------------------------------------------------------------- |
|              | filter | object    | Search filters for listing security signals.                                                        |
| filter       | from   | date-time | The minimum timestamp for requested security signals.                                               |
| filter       | query  | string    | Search query for listing security signals.                                                          |
| filter       | to     | date-time | The maximum timestamp for requested security signals.                                               |
|              | page   | object    | The paging attributes for listing security signals.                                                 |
| page         | cursor | string    | A list of results using the cursor provided in the previous query.                                  |
| page         | limit  | int32     | The maximum number of security signals in the response.                                             |
|              | sort   | enum      | The sort parameters used for querying security signals. Allowed enum values: `timestamp,-timestamp` |

{% /tab %}

{% tab title="Example" %}

```json
{
  "filter": {
    "from": "2021-11-11T10:56:11+00:00",
    "query": "security:attack status:high",
    "to": "2021-11-11T11:11:11+00:00"
  },
  "page": {
    "limit": 2
  },
  "sort": "timestamp"
}
```

{% /tab %}

### Response

{% tab title="200" %}
OK
{% tab title="Model" %}
The response object with all security signals matching the request and pagination information.

| Parent field | Field      | Type      | Description                                                                                                                                 |
| ------------ | ---------- | --------- | ------------------------------------------------------------------------------------------------------------------------------------------- |
|              | data       | [object]  | An array of security signals matching the request.                                                                                          |
| data         | attributes | object    | The object containing all signal attributes and their associated values.                                                                    |
| attributes   | custom     | object    | A JSON object of attributes in the security signal.                                                                                         |
| attributes   | message    | string    | The message in the security signal defined by the rule that generated the signal.                                                           |
| attributes   | tags       | [string]  | An array of tags associated with the security signal.                                                                                       |
| attributes   | timestamp  | date-time | The timestamp of the security signal.                                                                                                       |
| data         | id         | string    | The unique ID of the security signal.                                                                                                       |
| data         | type       | enum      | The type of event. Allowed enum values: `signal`                                                                                            |
|              | links      | object    | Links attributes.                                                                                                                           |
| links        | next       | string    | The link for the next set of results. **Note**: The request can also be made using the POST endpoint.                                       |
|              | meta       | object    | Meta attributes.                                                                                                                            |
| meta         | page       | object    | Paging attributes.                                                                                                                          |
| page         | after      | string    | The cursor used to get the next results, if any. To make the next request, use the same parameters with the addition of the `page[cursor]`. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "data": [
    {
      "attributes": {
        "custom": {
          "workflow": {
            "first_seen": "2020-06-23T14:46:01.000Z",
            "last_seen": "2020-06-23T14:46:49.000Z",
            "rule": {
              "id": "0f5-e0c-805",
              "name": "Brute Force Attack Grouped By User",
              "version": 12
            }
          }
        },
        "message": "Detect Account Take Over (ATO) through brute force attempts",
        "tags": [
          "security:attack",
          "technique:T1110-brute-force"
        ],
        "timestamp": "2019-01-02T09:42:36.320Z"
      },
      "id": "AAAAAWgN8Xwgr1vKDQAAAABBV2dOOFh3ZzZobm1mWXJFYTR0OA",
      "type": "signal"
    }
  ],
  "links": {
    "next": "https://app.datadoghq.com/api/v2/security_monitoring/signals?filter[query]=foo\u0026page[cursor]=eyJzdGFydEF0IjoiQVFBQUFYS2tMS3pPbm40NGV3QUFBQUJCV0V0clRFdDZVbG8zY3pCRmNsbHJiVmxDWlEifQ=="
  },
  "meta": {
    "page": {
      "after": "eyJzdGFydEF0IjoiQVFBQUFYS2tMS3pPbm40NGV3QUFBQUJCV0V0clRFdDZVbG8zY3pCRmNsbHJiVmxDWlEifQ=="
    }
  }
}
```

{% /tab %}

{% /tab %}

{% tab title="400" %}
Bad Request
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="403" %}
Not Authorized
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="429" %}
Too many requests
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

### Code Example

```bash
# Curl command (replace api.datadoghq.com with the API host for your Datadog site from the table above)
curl -X POST "https://api.datadoghq.com/api/v2/security_monitoring/signals/search" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "filter": {
    "from": "2021-11-11T10:56:11+00:00",
    "query": "security:attack status:high",
    "to": "2021-11-11T11:11:11+00:00"
  },
  "page": {
    "limit": 2
  },
  "sort": "timestamp"
}
EOF
```

```go
// Get a list of security signals returns "OK" response with pagination

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"
	"time"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	body := datadogV2.SecurityMonitoringSignalListRequest{
		Filter: &datadogV2.SecurityMonitoringSignalListRequestFilter{
			From:  datadog.PtrTime(time.Now().Add(time.Minute * -15)),
			Query: datadog.PtrString("security:attack status:high"),
			To:    datadog.PtrTime(time.Now()),
		},
		Page: &datadogV2.SecurityMonitoringSignalListRequestPage{
			Limit: datadog.PtrInt32(2),
		},
		Sort: datadogV2.SECURITYMONITORINGSIGNALSSORT_TIMESTAMP_ASCENDING.Ptr(),
	}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, _ := api.SearchSecurityMonitoringSignalsWithPagination(ctx, *datadogV2.NewSearchSecurityMonitoringSignalsOptionalParameters().WithBody(body))

	for paginationResult := range resp {
		if paginationResult.Error != nil {
			fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.SearchSecurityMonitoringSignals`: %v\n", paginationResult.Error)
		}
		responseContent, _ := json.MarshalIndent(paginationResult.Item, "", "  ")
		fmt.Fprintf(os.Stdout, "%s\n", responseContent)
	}
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=go), then save the example to `main.go` and run the following command:

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"

Set `DD_SITE` to your Datadog site: `datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`.

```java
// Get a list of security signals returns "OK" response with pagination
import com.datadog.api.client.ApiClient;
import com.datadog.api.client.PaginationIterable;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.api.SecurityMonitoringApi.SearchSecurityMonitoringSignalsOptionalParameters;
import com.datadog.api.client.v2.model.SecurityMonitoringSignal;
import com.datadog.api.client.v2.model.SecurityMonitoringSignalListRequest;
import com.datadog.api.client.v2.model.SecurityMonitoringSignalListRequestFilter;
import com.datadog.api.client.v2.model.SecurityMonitoringSignalListRequestPage;
import com.datadog.api.client.v2.model.SecurityMonitoringSignalsSort;
import java.time.OffsetDateTime;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    SecurityMonitoringSignalListRequest body =
        new SecurityMonitoringSignalListRequest()
            .filter(
                new SecurityMonitoringSignalListRequestFilter()
                    .from(OffsetDateTime.now().plusMinutes(-15))
                    .query("security:attack status:high")
                    .to(OffsetDateTime.now()))
            .page(new SecurityMonitoringSignalListRequestPage().limit(2))
            .sort(SecurityMonitoringSignalsSort.TIMESTAMP_ASCENDING);

    try {
      PaginationIterable<SecurityMonitoringSignal> iterable =
          apiInstance.searchSecurityMonitoringSignalsWithPagination(
              new SearchSecurityMonitoringSignalsOptionalParameters().body(body));

      for (SecurityMonitoringSignal item : iterable) {
        System.out.println(item);
      }
    } catch (RuntimeException e) {
      System.err.println(
          "Exception when calling"
              + " SecurityMonitoringApi#searchSecurityMonitoringSignalsWithPagination");
      System.err.println("Reason: " + e.getMessage());
      e.printStackTrace();
    }
  }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=java), then save the example to `Example.java` and run the following command:

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"

Set `DD_SITE` to your Datadog site: `datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`.

```python
"""
Get a list of security signals returns "OK" response with pagination
"""

from datetime import datetime
from dateutil.relativedelta import relativedelta
from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.security_monitoring_signal_list_request import SecurityMonitoringSignalListRequest
from datadog_api_client.v2.model.security_monitoring_signal_list_request_filter import (
    SecurityMonitoringSignalListRequestFilter,
)
from datadog_api_client.v2.model.security_monitoring_signal_list_request_page import (
    SecurityMonitoringSignalListRequestPage,
)
from datadog_api_client.v2.model.security_monitoring_signals_sort import SecurityMonitoringSignalsSort

body = SecurityMonitoringSignalListRequest(
    filter=SecurityMonitoringSignalListRequestFilter(
        _from=(datetime.now() + relativedelta(minutes=-15)),
        query="security:attack status:high",
        to=datetime.now(),
    ),
    page=SecurityMonitoringSignalListRequestPage(
        limit=2,
    ),
    sort=SecurityMonitoringSignalsSort.TIMESTAMP_ASCENDING,
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    items = api_instance.search_security_monitoring_signals_with_pagination(body=body)
    for item in items:
        print(item)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=python), then save the example to `example.py` and run the following command:

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"

Set `DD_SITE` to your Datadog site: `datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`.

```ruby
# Get a list of security signals returns "OK" response with pagination

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

body = DatadogAPIClient::V2::SecurityMonitoringSignalListRequest.new({
  filter: DatadogAPIClient::V2::SecurityMonitoringSignalListRequestFilter.new({
    from: (Time.now + -15 * 60),
    query: "security:attack status:high",
    to: Time.now,
  }),
  page: DatadogAPIClient::V2::SecurityMonitoringSignalListRequestPage.new({
    limit: 2,
  }),
  sort: DatadogAPIClient::V2::SecurityMonitoringSignalsSort::TIMESTAMP_ASCENDING,
})
opts = {
  body: body,
}
api_instance.search_security_monitoring_signals_with_pagination(opts) { |item| puts item }
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=ruby), then save the example to `example.rb` and run the following command:

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" ruby "example.rb"

Set `DD_SITE` to your Datadog site: `datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`.

```rust
// Get a list of security signals returns "OK" response with pagination
use chrono::{DateTime, Utc};
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SearchSecurityMonitoringSignalsOptionalParams;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::SecurityMonitoringSignalListRequest;
use datadog_api_client::datadogV2::model::SecurityMonitoringSignalListRequestFilter;
use datadog_api_client::datadogV2::model::SecurityMonitoringSignalListRequestPage;
use datadog_api_client::datadogV2::model::SecurityMonitoringSignalsSort;
use futures_util::pin_mut;
use futures_util::stream::StreamExt;

#[tokio::main]
async fn main() {
    let body = SecurityMonitoringSignalListRequest::new()
        .filter(
            SecurityMonitoringSignalListRequestFilter::new()
                .from(
                    DateTime::parse_from_rfc3339("2021-11-11T10:56:11+00:00")
                        .expect("Failed to parse datetime")
                        .with_timezone(&Utc),
                )
                .query("security:attack status:high".to_string())
                .to(DateTime::parse_from_rfc3339("2021-11-11T11:11:11+00:00")
                    .expect("Failed to parse datetime")
                    .with_timezone(&Utc)),
        )
        .page(SecurityMonitoringSignalListRequestPage::new().limit(2))
        .sort(SecurityMonitoringSignalsSort::TIMESTAMP_ASCENDING);
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let response = api.search_security_monitoring_signals_with_pagination(
        SearchSecurityMonitoringSignalsOptionalParams::default().body(body),
    );
    pin_mut!(response);
    while let Some(resp) = response.next().await {
        if let Ok(value) = resp {
            println!("{:#?}", value);
        } else {
            println!("{:#?}", resp.unwrap_err());
        }
    }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=rust), then save the example to `src/main.rs` and run the following command:

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run

Set `DD_SITE` to your Datadog site: `datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`.

```typescript
/**
 * Get a list of security signals returns "OK" response with pagination
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiSearchSecurityMonitoringSignalsRequest = {
  body: {
    filter: {
      from: new Date(new Date().getTime() + -15 * 60 * 1000),
      query: "security:attack status:high",
      to: new Date(),
    },
    page: {
      limit: 2,
    },
    sort: "timestamp",
  },
};

(async () => {
  try {
    for await (const item of apiInstance.searchSecurityMonitoringSignalsWithPagination(
      params
    )) {
      console.log(item);
    }
  } catch (error) {
    console.error(error);
  }
})();
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=typescript), then save the example to `example.ts` and run the following command:

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"

Set `DD_SITE` to your Datadog site: `datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`.
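
The cursor paging that the response model describes (`meta.page.after` fed back as `page.cursor` with the same filter and sort), written out by hand for a signal export job. This is an added example, not Datadog's client code: `iter_signals`, `http_post`, `make_fake_post` and the sample pages are constructed for illustration, and the fake transport lets it run offline.

```python
import copy
import json
import os
import urllib.request

SEARCH_PATH = "/api/v2/security_monitoring/signals/search"


def http_post(body, site="datadoghq.com"):
    """One real search request; `site` is a DD_SITE value, keys come from the environment."""
    req = urllib.request.Request(
        f"https://api.{site}{SEARCH_PATH}",
        data=json.dumps(body).encode(),
        headers={
            "Accept": "application/json",
            "Content-Type": "application/json",
            "DD-API-KEY": os.environ["DD_API_KEY"],
            "DD-APPLICATION-KEY": os.environ["DD_APP_KEY"],
        },
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def iter_signals(body, post=http_post, max_pages=100):
    """Yield each signal once, following meta.page.after until it is absent."""
    request = copy.deepcopy(body)  # never mutate the caller's filter
    seen_ids, seen_cursors = set(), set()
    for _ in range(max_pages):
        page = post(request)
        for signal in page.get("data") or []:
            if signal["id"] not in seen_ids:  # overlapping pages must not double-count
                seen_ids.add(signal["id"])
                yield signal
        cursor = ((page.get("meta") or {}).get("page") or {}).get("after")
        if not cursor:
            return  # last page: no cursor returned
        if cursor in seen_cursors:
            raise RuntimeError("cursor repeated; aborting to avoid an endless loop")
        seen_cursors.add(cursor)
        # Same filter and sort as before, plus page.cursor.
        request.setdefault("page", {})["cursor"] = cursor
    raise RuntimeError(f"stopped after {max_pages} pages; narrow filter.from/filter.to")


def make_fake_post(pages):
    """Constructed stand-in for the API: serves `pages` keyed by the incoming cursor."""
    calls = []

    def post(request):
        calls.append(copy.deepcopy(request))
        return pages[request.get("page", {}).get("cursor")]

    post.calls = calls
    return post


def sig(n):
    """Constructed signal with the fields from the response model."""
    return {"id": f"sig-{n}", "type": "signal",
            "attributes": {"tags": ["security:attack"]}}


# Constructed responses: three pages, with sig-2 repeated across a page boundary.
SAMPLE_PAGES = {
    None: {"data": [sig(1), sig(2)], "meta": {"page": {"after": "c1"}}},
    "c1": {"data": [sig(2), sig(3)], "meta": {"page": {"after": "c2"}}},
    "c2": {"data": [sig(4)], "meta": {}},
}

# Request body from the example on this page.
SAMPLE_BODY = {
    "filter": {
        "from": "2021-11-11T10:56:11+00:00",
        "query": "security:attack status:high",
        "to": "2021-11-11T11:11:11+00:00",
    },
    "page": {"limit": 2},
    "sort": "timestamp",
}


def demo():
    post = make_fake_post(SAMPLE_PAGES)
    ids = [s["id"] for s in iter_signals(SAMPLE_BODY, post=post)]
    return ids, post.calls


if __name__ == "__main__":
    print(demo()[0])
```

Keeping `filter.from` and `filter.to` fixed across pages, as `SAMPLE_BODY` does, keeps the result set stable while the cursor advances.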
{% /tab %}

## Get a quick list of security signals{% #get-a-quick-list-of-security-signals %}

{% tab title="v2" %}

| Datadog site      | API endpoint                                                         |
| ----------------- | -------------------------------------------------------------------- |
| ap1.datadoghq.com | GET https://api.ap1.datadoghq.com/api/v2/security_monitoring/signals |
| ap2.datadoghq.com | GET https://api.ap2.datadoghq.com/api/v2/security_monitoring/signals |
| app.datadoghq.eu  | GET https://api.datadoghq.eu/api/v2/security_monitoring/signals      |
| app.ddog-gov.com  | GET https://api.ddog-gov.com/api/v2/security_monitoring/signals      |
| app.datadoghq.com | GET https://api.datadoghq.com/api/v2/security_monitoring/signals     |
| us3.datadoghq.com | GET https://api.us3.datadoghq.com/api/v2/security_monitoring/signals |
| us5.datadoghq.com | GET https://api.us5.datadoghq.com/api/v2/security_monitoring/signals |

### Overview

The list endpoint returns security signals that match a search query. Both this endpoint and the POST endpoint can be used interchangeably when listing security signals. This endpoint requires the `security_monitoring_signals_read` permission.

OAuth apps require the `security_monitoring_signals_read` authorization [scope](https://docs.datadoghq.com/api/latest/scopes/#security-monitoring) to access this endpoint.



### Arguments

#### Query Strings

| Name          | Type    | Description                                                                               |
| ------------- | ------- | ----------------------------------------------------------------------------------------- |
| filter[query] | string  | The search query for security signals.                                                    |
| filter[from]  | string  | The minimum timestamp for requested security signals.                                     |
| filter[to]    | string  | The maximum timestamp for requested security signals.                                     |
| sort          | enum    | The order of the security signals in results. Allowed enum values: `timestamp, -timestamp` |
| page[cursor]  | string  | A list of results using the cursor provided in the previous query.                        |
| page[limit]   | integer | The maximum number of security signals in the response.                                   |

### Response

{% tab title="200" %}
OK
{% tab title="Model" %}
The response object with all security signals matching the request and pagination information.

| Parent field | Field      | Type      | Description                                                                                                                                 |
| ------------ | ---------- | --------- | ------------------------------------------------------------------------------------------------------------------------------------------- |
|              | data       | [object]  | An array of security signals matching the request.                                                                                          |
| data         | attributes | object    | The object containing all signal attributes and their associated values.                                                                    |
| attributes   | custom     | object    | A JSON object of attributes in the security signal.                                                                                         |
| attributes   | message    | string    | The message in the security signal defined by the rule that generated the signal.                                                           |
| attributes   | tags       | [string]  | An array of tags associated with the security signal.                                                                                       |
| attributes   | timestamp  | date-time | The timestamp of the security signal.                                                                                                       |
| data         | id         | string    | The unique ID of the security signal.                                                                                                       |
| data         | type       | enum      | The type of event. Allowed enum values: `signal`                                                                                            |
|              | links      | object    | Links attributes.                                                                                                                           |
| links        | next       | string    | The link for the next set of results. **Note**: The request can also be made using the POST endpoint.                                       |
|              | meta       | object    | Meta attributes.                                                                                                                            |
| meta         | page       | object    | Paging attributes.                                                                                                                          |
| page         | after      | string    | The cursor used to get the next results, if any. To make the next request, use the same parameters with the addition of the `page[cursor]`. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "data": [
    {
      "attributes": {
        "custom": {
          "workflow": {
            "first_seen": "2020-06-23T14:46:01.000Z",
            "last_seen": "2020-06-23T14:46:49.000Z",
            "rule": {
              "id": "0f5-e0c-805",
              "name": "Brute Force Attack Grouped By User",
              "version": 12
            }
          }
        },
        "message": "Detect Account Take Over (ATO) through brute force attempts",
        "tags": [
          "security:attack",
          "technique:T1110-brute-force"
        ],
        "timestamp": "2019-01-02T09:42:36.320Z"
      },
      "id": "AAAAAWgN8Xwgr1vKDQAAAABBV2dOOFh3ZzZobm1mWXJFYTR0OA",
      "type": "signal"
    }
  ],
  "links": {
    "next": "https://app.datadoghq.com/api/v2/security_monitoring/signals?filter[query]=foo\u0026page[cursor]=eyJzdGFydEF0IjoiQVFBQUFYS2tMS3pPbm40NGV3QUFBQUJCV0V0clRFdDZVbG8zY3pCRmNsbHJiVmxDWlEifQ=="
  },
  "meta": {
    "page": {
      "after": "eyJzdGFydEF0IjoiQVFBQUFYS2tMS3pPbm40NGV3QUFBQUJCV0V0clRFdDZVbG8zY3pCRmNsbHJiVmxDWlEifQ=="
    }
  }
}
```

{% /tab %}

{% /tab %}

{% tab title="400" %}
Bad Request
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="403" %}
Not Authorized
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="429" %}
Too many requests
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

### Code Example

```bash
# Curl command (replace api.datadoghq.com with the API host for your Datadog site from the table above)
curl -X GET "https://api.datadoghq.com/api/v2/security_monitoring/signals" \
-H "Accept: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"
```

```python
"""
Get a quick list of security signals returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.list_security_monitoring_signals()

    print(response)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=python), then save the example to `example.py` and run the following command:

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"

Set `DD_SITE` to your Datadog site: `datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`.

```ruby
# Get a quick list of security signals returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new
p api_instance.list_security_monitoring_signals()
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=ruby), then save the example to `example.rb` and run the following command:

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" ruby "example.rb"

Set `DD_SITE` to your Datadog site: `datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`.

```go
// Get a quick list of security signals returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.ListSecurityMonitoringSignals(ctx, *datadogV2.NewListSecurityMonitoringSignalsOptionalParameters())

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.ListSecurityMonitoringSignals`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.ListSecurityMonitoringSignals`:\n%s\n", responseContent)
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=go), then save the example to `main.go` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"

##### Java

```java
// Get a quick list of security signals returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityMonitoringSignalsListResponse;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    try {
      SecurityMonitoringSignalsListResponse result = apiInstance.listSecurityMonitoringSignals();
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#listSecurityMonitoringSignals");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=java), then save the example to `Example.java` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"

##### Rust

```rust
// Get a quick list of security signals returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::ListSecurityMonitoringSignalsOptionalParams;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;

#[tokio::main]
async fn main() {
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api
        .list_security_monitoring_signals(ListSecurityMonitoringSignalsOptionalParams::default())
        .await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=rust), then save the example to `src/main.rs` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run

##### TypeScript

```typescript
/**
 * Get a quick list of security signals returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

apiInstance
  .listSecurityMonitoringSignals()
  .then((data: v2.SecurityMonitoringSignalsListResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=typescript), then save the example to `example.ts` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"
{% /tab %}

## Get a signal's details{% #get-a-signals-details %}

{% tab title="v2" %}

| Datadog site      | API endpoint                                                                     |
| ----------------- | -------------------------------------------------------------------------------- |
| ap1.datadoghq.com | GET https://api.ap1.datadoghq.com/api/v2/security_monitoring/signals/{signal_id} |
| ap2.datadoghq.com | GET https://api.ap2.datadoghq.com/api/v2/security_monitoring/signals/{signal_id} |
| app.datadoghq.eu  | GET https://api.datadoghq.eu/api/v2/security_monitoring/signals/{signal_id}      |
| app.ddog-gov.com  | GET https://api.ddog-gov.com/api/v2/security_monitoring/signals/{signal_id}      |
| app.datadoghq.com | GET https://api.datadoghq.com/api/v2/security_monitoring/signals/{signal_id}     |
| us3.datadoghq.com | GET https://api.us3.datadoghq.com/api/v2/security_monitoring/signals/{signal_id} |
| us5.datadoghq.com | GET https://api.us5.datadoghq.com/api/v2/security_monitoring/signals/{signal_id} |

### Overview

Get a signal's details. This endpoint requires the `security_monitoring_signals_read` permission.

OAuth apps require the `security_monitoring_signals_read` authorization [scope](https://docs.datadoghq.com/api/latest/scopes/#security-monitoring) to access this endpoint.



### Arguments

#### Path Parameters

| Name                        | Type   | Description           |
| --------------------------- | ------ | --------------------- |
| signal_id [*required*] | string | The ID of the signal. |

### Response

{% tab title="200" %}
OK
{% tab title="Model" %}
Security Signal response data object.

| Parent field | Field      | Type      | Description                                                                       |
| ------------ | ---------- | --------- | --------------------------------------------------------------------------------- |
|              | data       | object    | Object description of a security signal.                                          |
| data         | attributes | object    | The object containing all signal attributes and their associated values.          |
| attributes   | custom     | object    | A JSON object of attributes in the security signal.                               |
| attributes   | message    | string    | The message in the security signal defined by the rule that generated the signal. |
| attributes   | tags       | [string]  | An array of tags associated with the security signal.                             |
| attributes   | timestamp  | date-time | The timestamp of the security signal.                                             |
| data         | id         | string    | The unique ID of the security signal.                                             |
| data         | type       | enum      | The type of event. Allowed enum values: `signal`                                  |

{% /tab %}

{% tab title="Example" %}

```json
{
  "data": {
    "attributes": {
      "custom": {
        "workflow": {
          "first_seen": "2020-06-23T14:46:01.000Z",
          "last_seen": "2020-06-23T14:46:49.000Z",
          "rule": {
            "id": "0f5-e0c-805",
            "name": "Brute Force Attack Grouped By User",
            "version": 12
          }
        }
      },
      "message": "Detect Account Take Over (ATO) through brute force attempts",
      "tags": [
        "security:attack",
        "technique:T1110-brute-force"
      ],
      "timestamp": "2019-01-02T09:42:36.320Z"
    },
    "id": "AAAAAWgN8Xwgr1vKDQAAAABBV2dOOFh3ZzZobm1mWXJFYTR0OA",
    "type": "signal"
  }
}
```

{% /tab %}

{% /tab %}

{% tab title="403" %}
Not Authorized
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="404" %}
Not Found
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="429" %}
Too many requests
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}
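The following is an added example, not part of the Datadog documentation or client libraries: it turns the 200 response body shown above into a flat triage summary and surfaces the `errors` array of the 403/404/429 bodies as an exception. The `custom.workflow` layout and the `technique:` tag format are assumptions taken from the example response (the model only defines `custom` as a free-form object), so every such key is treated as optional; `summarize_signal`, `split_tags` and `SignalApiError` are hypothetical names.

```python
import json
import re
from datetime import datetime

# Constructed input: the 200 "Example" body from this page, embedded so the code runs offline.
SAMPLE_SIGNAL = json.loads("""
{
  "data": {
    "attributes": {
      "custom": {
        "workflow": {
          "first_seen": "2020-06-23T14:46:01.000Z",
          "last_seen": "2020-06-23T14:46:49.000Z",
          "rule": {"id": "0f5-e0c-805", "name": "Brute Force Attack Grouped By User", "version": 12}
        }
      },
      "message": "Detect Account Take Over (ATO) through brute force attempts",
      "tags": ["security:attack", "technique:T1110-brute-force"],
      "timestamp": "2019-01-02T09:42:36.320Z"
    },
    "id": "AAAAAWgN8Xwgr1vKDQAAAABBV2dOOFh3ZzZobm1mWXJFYTR0OA",
    "type": "signal"
  }
}
""")

# Constructed input: the error body shape documented for 403/404/429.
SAMPLE_ERROR = {"errors": ["Bad Request"]}

# Leading MITRE ATT&CK technique ID in a tag value such as "T1110-brute-force".
TECHNIQUE_RE = re.compile(r"^(T\d{4}(?:\.\d{3})?)")


class SignalApiError(Exception):
    """Raised when the body is an API error response ({"errors": [...]})."""


def parse_ts(value):
    """Parse the API's date-time strings (UTC, trailing 'Z') into aware datetimes."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def split_tags(tags):
    """Group 'key:value' tags by key; a tag without ':' maps to an empty value."""
    grouped = {}
    for tag in tags:
        key, _, value = tag.partition(":")
        grouped.setdefault(key, []).append(value)
    return grouped


def summarize_signal(payload):
    """Return a flat triage summary for a 'Get a signal's details' response body."""
    if not isinstance(payload, dict):
        raise ValueError("response body is not a JSON object")
    if "errors" in payload:
        raise SignalApiError("; ".join(str(e) for e in payload["errors"]))

    data = payload.get("data") or {}
    if data.get("type") != "signal":
        raise ValueError("unexpected data.type: %r" % data.get("type"))

    attrs = data.get("attributes") or {}
    # 'custom' is free-form, so never assume workflow/rule are present.
    workflow = (attrs.get("custom") or {}).get("workflow") or {}
    rule = workflow.get("rule") or {}
    tags = split_tags(attrs.get("tags") or [])

    techniques = []
    for value in tags.get("technique", []):
        match = TECHNIQUE_RE.match(value)
        if match:
            techniques.append(match.group(1))

    # How long the rule kept matching, when both bounds are reported.
    first, last = workflow.get("first_seen"), workflow.get("last_seen")
    active = (parse_ts(last) - parse_ts(first)).total_seconds() if first and last else None

    timestamp = attrs.get("timestamp")
    return {
        "signal_id": data.get("id"),
        "timestamp": parse_ts(timestamp) if timestamp else None,
        "message": attrs.get("message"),
        "rule_id": rule.get("id"),
        "rule_name": rule.get("name"),
        "rule_version": rule.get("version"),
        "tags": tags,
        "techniques": techniques,
        "active_seconds": active,
    }


if __name__ == "__main__":
    print(summarize_signal(SAMPLE_SIGNAL))
```
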

### Code Example

##### Curl

```bash
# Path parameters
export signal_id="CHANGE_ME"
# Curl command (replace api.datadoghq.com with the API host for your Datadog site, as listed in the endpoint table above)
curl -X GET "https://api.datadoghq.com/api/v2/security_monitoring/signals/${signal_id}" \
-H "Accept: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"
```

##### Python

```python
"""
Get a signal's details returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.get_security_monitoring_signal(
        signal_id="AQAAAYNqUBVU4-rffwAAAABBWU5xVUJWVUFBQjJBd3ptMDdQUnF3QUE",
    )

    print(response)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=python), then save the example to `example.py` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"

##### Ruby

```ruby
# Get a signal's details returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new
p api_instance.get_security_monitoring_signal("AQAAAYNqUBVU4-rffwAAAABBWU5xVUJWVUFBQjJBd3ptMDdQUnF3QUE")
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=ruby), then save the example to `example.rb` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" ruby "example.rb"

##### Go

```go
// Get a signal's details returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.GetSecurityMonitoringSignal(ctx, "AQAAAYNqUBVU4-rffwAAAABBWU5xVUJWVUFBQjJBd3ptMDdQUnF3QUE")

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.GetSecurityMonitoringSignal`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.GetSecurityMonitoringSignal`:\n%s\n", responseContent)
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=go), then save the example to `main.go` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"

##### Java

```java
// Get a signal's details returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityMonitoringSignalResponse;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    try {
      SecurityMonitoringSignalResponse result =
          apiInstance.getSecurityMonitoringSignal(
              "AQAAAYNqUBVU4-rffwAAAABBWU5xVUJWVUFBQjJBd3ptMDdQUnF3QUE");
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#getSecurityMonitoringSignal");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=java), then save the example to `Example.java` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"

##### Rust

```rust
// Get a signal's details returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;

#[tokio::main]
async fn main() {
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api
        .get_security_monitoring_signal(
            "AQAAAYNqUBVU4-rffwAAAABBWU5xVUJWVUFBQjJBd3ptMDdQUnF3QUE".to_string(),
        )
        .await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=rust), then save the example to `src/main.rs` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run

##### TypeScript

```typescript
/**
 * Get a signal's details returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiGetSecurityMonitoringSignalRequest = {
  signalId: "AQAAAYNqUBVU4-rffwAAAABBWU5xVUJWVUFBQjJBd3ptMDdQUnF3QUE",
};

apiInstance
  .getSecurityMonitoringSignal(params)
  .then((data: v2.SecurityMonitoringSignalResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=typescript), then save the example to `example.ts` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"
{% /tab %}

## Change the related incidents of a security signal{% #change-the-related-incidents-of-a-security-signal %}

{% tab title="v2" %}

| Datadog site      | API endpoint                                                                                 |
| ----------------- | -------------------------------------------------------------------------------------------- |
| ap1.datadoghq.com | PATCH https://api.ap1.datadoghq.com/api/v2/security_monitoring/signals/{signal_id}/incidents |
| ap2.datadoghq.com | PATCH https://api.ap2.datadoghq.com/api/v2/security_monitoring/signals/{signal_id}/incidents |
| app.datadoghq.eu  | PATCH https://api.datadoghq.eu/api/v2/security_monitoring/signals/{signal_id}/incidents      |
| app.ddog-gov.com  | PATCH https://api.ddog-gov.com/api/v2/security_monitoring/signals/{signal_id}/incidents      |
| app.datadoghq.com | PATCH https://api.datadoghq.com/api/v2/security_monitoring/signals/{signal_id}/incidents     |
| us3.datadoghq.com | PATCH https://api.us3.datadoghq.com/api/v2/security_monitoring/signals/{signal_id}/incidents |
| us5.datadoghq.com | PATCH https://api.us5.datadoghq.com/api/v2/security_monitoring/signals/{signal_id}/incidents |

### Overview

Change the related incidents for a security signal. This endpoint requires the `security_monitoring_signals_write` permission.

### Arguments

#### Path Parameters

| Name                        | Type   | Description           |
| --------------------------- | ------ | --------------------- |
| signal_id [*required*] | string | The ID of the signal. |

### Request

#### Body Data (required)

Attributes describing the signal update.

{% tab title="Model" %}

| Parent field | Field                          | Type      | Description                                                                               |
| ------------ | ------------------------------ | --------- | ----------------------------------------------------------------------------------------- |
|              | data [*required*]         | object    | Data containing the patch for changing the related incidents of a signal.                 |
| data         | attributes [*required*]   | object    | Attributes describing the new list of related signals for a security signal.              |
| attributes   | incident_ids [*required*] | [integer] | Array of incidents that are associated with this signal.                                  |
| attributes   | version                        | int64     | Version of the updated signal. If server side version is higher, update will be rejected. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "data": {
    "attributes": {
      "incident_ids": [
        2066
      ]
    }
  }
}
```

{% /tab %}

### Response

{% tab title="200" %}
OK
{% tab title="Model" %}
The response returned after all triage operations, containing the updated signal triage data.

| Parent field         | Field                          | Type      | Description                                                                                                                                                                           |
| -------------------- | ------------------------------ | --------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|                      | data [*required*]         | object    | Data containing the updated triage attributes of the signal.                                                                                                                          |
| data                 | attributes                     | object    | Attributes describing a triage state update operation over a security signal.                                                                                                         |
| attributes           | archive_comment                | string    | Optional comment to display on archived signals.                                                                                                                                      |
| attributes           | archive_comment_timestamp      | int64     | Timestamp of the last edit to the comment.                                                                                                                                            |
| attributes           | archive_comment_user           | object    | Object representing a given user entity.                                                                                                                                              |
| archive_comment_user | handle                         | string    | The handle for this user account.                                                                                                                                                     |
| archive_comment_user | icon                           | string    | Gravatar icon associated to the user.                                                                                                                                                 |
| archive_comment_user | id                             | int64     | Numerical ID assigned by Datadog to this user account.                                                                                                                                |
| archive_comment_user | name                           | string    | The name for this user account.                                                                                                                                                       |
| archive_comment_user | uuid [*required*]         | string    | UUID assigned by Datadog to this user account.                                                                                                                                        |
| attributes           | archive_reason                 | enum      | Reason a signal is archived. Allowed enum values: `none,false_positive,testing_or_maintenance,remediated,investigated_case_opened,true_positive_benign,true_positive_malicious,other` |
| attributes           | assignee [*required*]     | object    | Object representing a given user entity.                                                                                                                                              |
| assignee             | handle                         | string    | The handle for this user account.                                                                                                                                                     |
| assignee             | icon                           | string    | Gravatar icon associated to the user.                                                                                                                                                 |
| assignee             | id                             | int64     | Numerical ID assigned by Datadog to this user account.                                                                                                                                |
| assignee             | name                           | string    | The name for this user account.                                                                                                                                                       |
| assignee             | uuid [*required*]         | string    | UUID assigned by Datadog to this user account.                                                                                                                                        |
| attributes           | incident_ids [*required*] | [integer] | Array of incidents that are associated with this signal.                                                                                                                              |
| attributes           | state [*required*]        | enum      | The new triage state of the signal. Allowed enum values: `open,archived,under_review`                                                                                                 |
| attributes           | state_update_timestamp         | int64     | Timestamp of the last update to the signal state.                                                                                                                                     |
| attributes           | state_update_user              | object    | Object representing a given user entity.                                                                                                                                              |
| state_update_user    | handle                         | string    | The handle for this user account.                                                                                                                                                     |
| state_update_user    | icon                           | string    | Gravatar icon associated to the user.                                                                                                                                                 |
| state_update_user    | id                             | int64     | Numerical ID assigned by Datadog to this user account.                                                                                                                                |
| state_update_user    | name                           | string    | The name for this user account.                                                                                                                                                       |
| state_update_user    | uuid [*required*]         | string    | UUID assigned by Datadog to this user account.                                                                                                                                        |
| data                 | id                             | string    | The unique ID of the security signal.                                                                                                                                                 |
| data                 | type                           | enum      | The type of event. Allowed enum values: `signal_metadata`                                                                                                                             |

{% /tab %}

{% tab title="Example" %}

```json
{
  "data": {
    "attributes": {
      "archive_comment": "string",
      "archive_comment_timestamp": "integer",
      "archive_comment_user": {
        "handle": "string",
        "icon": "/path/to/matching/gravatar/icon",
        "id": "integer",
        "name": "string",
        "uuid": "773b045d-ccf8-4808-bd3b-955ef6a8c940"
      },
      "archive_reason": "string",
      "assignee": {
        "handle": "string",
        "icon": "/path/to/matching/gravatar/icon",
        "id": "integer",
        "name": "string",
        "uuid": "773b045d-ccf8-4808-bd3b-955ef6a8c940"
      },
      "incident_ids": [
        2066
      ],
      "state": "open",
      "state_update_timestamp": "integer",
      "state_update_user": {
        "handle": "string",
        "icon": "/path/to/matching/gravatar/icon",
        "id": "integer",
        "name": "string",
        "uuid": "773b045d-ccf8-4808-bd3b-955ef6a8c940"
      }
    },
    "id": "string",
    "type": "signal_metadata"
  }
}
```

{% /tab %}

{% /tab %}

{% tab title="400" %}
Bad Request
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="403" %}
Not Authorized
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="404" %}
Not Found
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="429" %}
Too many requests
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

### Code Example

##### Curl

```bash
# Path parameters
export signal_id="CHANGE_ME"
# Curl command (replace api.datadoghq.com with the API host for your Datadog site, as listed in the endpoint table above)
curl -X PATCH "https://api.datadoghq.com/api/v2/security_monitoring/signals/${signal_id}/incidents" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "data": {
    "attributes": {
      "incident_ids": [
        2066
      ]
    }
  }
}
EOF
```

##### Go

```go
// Change the related incidents of a security signal returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	body := datadogV2.SecurityMonitoringSignalIncidentsUpdateRequest{
		Data: datadogV2.SecurityMonitoringSignalIncidentsUpdateData{
			Attributes: datadogV2.SecurityMonitoringSignalIncidentsUpdateAttributes{
				IncidentIds: []int64{
					2066,
				},
			},
		},
	}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.EditSecurityMonitoringSignalIncidents(ctx, "AQAAAYG1bl5K4HuUewAAAABBWUcxYmw1S0FBQmt2RmhRN0V4ZUVnQUE", body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.EditSecurityMonitoringSignalIncidents`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.EditSecurityMonitoringSignalIncidents`:\n%s\n", responseContent)
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=go), then save the example to `main.go` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"

##### Java

```java
// Change the related incidents of a security signal returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityMonitoringSignalIncidentsUpdateAttributes;
import com.datadog.api.client.v2.model.SecurityMonitoringSignalIncidentsUpdateData;
import com.datadog.api.client.v2.model.SecurityMonitoringSignalIncidentsUpdateRequest;
import com.datadog.api.client.v2.model.SecurityMonitoringSignalTriageUpdateResponse;
import java.util.Collections;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    SecurityMonitoringSignalIncidentsUpdateRequest body =
        new SecurityMonitoringSignalIncidentsUpdateRequest()
            .data(
                new SecurityMonitoringSignalIncidentsUpdateData()
                    .attributes(
                        new SecurityMonitoringSignalIncidentsUpdateAttributes()
                            .incidentIds(Collections.singletonList(2066L))));

    try {
      SecurityMonitoringSignalTriageUpdateResponse result =
          apiInstance.editSecurityMonitoringSignalIncidents(
              "AQAAAYG1bl5K4HuUewAAAABBWUcxYmw1S0FBQmt2RmhRN0V4ZUVnQUE", body);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#editSecurityMonitoringSignalIncidents");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=java), then save the example to `Example.java` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"

```python
"""
Change the related incidents of a security signal returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.security_monitoring_signal_incident_ids import SecurityMonitoringSignalIncidentIds
from datadog_api_client.v2.model.security_monitoring_signal_incidents_update_attributes import (
    SecurityMonitoringSignalIncidentsUpdateAttributes,
)
from datadog_api_client.v2.model.security_monitoring_signal_incidents_update_data import (
    SecurityMonitoringSignalIncidentsUpdateData,
)
from datadog_api_client.v2.model.security_monitoring_signal_incidents_update_request import (
    SecurityMonitoringSignalIncidentsUpdateRequest,
)

body = SecurityMonitoringSignalIncidentsUpdateRequest(
    data=SecurityMonitoringSignalIncidentsUpdateData(
        attributes=SecurityMonitoringSignalIncidentsUpdateAttributes(
            incident_ids=SecurityMonitoringSignalIncidentIds(
                [
                    2066,
                ]
            ),
        ),
    ),
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.edit_security_monitoring_signal_incidents(
        signal_id="AQAAAYG1bl5K4HuUewAAAABBWUcxYmw1S0FBQmt2RmhRN0V4ZUVnQUE", body=body
    )

    print(response)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=python), then save the example to `example.py` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"

```ruby
# Change the related incidents of a security signal returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

body = DatadogAPIClient::V2::SecurityMonitoringSignalIncidentsUpdateRequest.new({
  data: DatadogAPIClient::V2::SecurityMonitoringSignalIncidentsUpdateData.new({
    attributes: DatadogAPIClient::V2::SecurityMonitoringSignalIncidentsUpdateAttributes.new({
      incident_ids: [
        2066,
      ],
    }),
  }),
})
p api_instance.edit_security_monitoring_signal_incidents("AQAAAYG1bl5K4HuUewAAAABBWUcxYmw1S0FBQmt2RmhRN0V4ZUVnQUE", body)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=ruby), then save the example to `example.rb` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" ruby "example.rb"

```rust
// Change the related incidents of a security signal returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::SecurityMonitoringSignalIncidentsUpdateAttributes;
use datadog_api_client::datadogV2::model::SecurityMonitoringSignalIncidentsUpdateData;
use datadog_api_client::datadogV2::model::SecurityMonitoringSignalIncidentsUpdateRequest;

#[tokio::main]
async fn main() {
    let body = SecurityMonitoringSignalIncidentsUpdateRequest::new(
        SecurityMonitoringSignalIncidentsUpdateData::new(
            SecurityMonitoringSignalIncidentsUpdateAttributes::new(vec![2066]),
        ),
    );
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api
        .edit_security_monitoring_signal_incidents(
            "AQAAAYG1bl5K4HuUewAAAABBWUcxYmw1S0FBQmt2RmhRN0V4ZUVnQUE".to_string(),
            body,
        )
        .await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=rust), then save the example to `src/main.rs` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run

```typescript
/**
 * Change the related incidents of a security signal returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiEditSecurityMonitoringSignalIncidentsRequest =
  {
    body: {
      data: {
        attributes: {
          incidentIds: [2066],
        },
      },
    },
    signalId: "AQAAAYG1bl5K4HuUewAAAABBWUcxYmw1S0FBQmt2RmhRN0V4ZUVnQUE",
  };

apiInstance
  .editSecurityMonitoringSignalIncidents(params)
  .then((data: v2.SecurityMonitoringSignalTriageUpdateResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=typescript), then save the example to `example.ts` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"
{% /tab %}

## Returns a list of Secrets rules{% #returns-a-list-of-secrets-rules %}

{% tab title="v2" %}
**Note**: This endpoint may be subject to changes.

| Datadog site      | API endpoint                                                           |
| ----------------- | ---------------------------------------------------------------------- |
| ap1.datadoghq.com | GET https://api.ap1.datadoghq.com/api/v2/static-analysis/secrets/rules |
| ap2.datadoghq.com | GET https://api.ap2.datadoghq.com/api/v2/static-analysis/secrets/rules |
| app.datadoghq.eu  | GET https://api.datadoghq.eu/api/v2/static-analysis/secrets/rules      |
| app.ddog-gov.com  | GET https://api.ddog-gov.com/api/v2/static-analysis/secrets/rules      |
| app.datadoghq.com | GET https://api.datadoghq.com/api/v2/static-analysis/secrets/rules     |
| us3.datadoghq.com | GET https://api.us3.datadoghq.com/api/v2/static-analysis/secrets/rules |
| us5.datadoghq.com | GET https://api.us5.datadoghq.com/api/v2/static-analysis/secrets/rules |

### Overview

Returns a list of Secrets rules with ID, Pattern, Description, Priority, and SDS ID.

OAuth apps require the `code_analysis_read` authorization [scope](https://docs.datadoghq.com/api/latest/scopes/#security-monitoring) to access this endpoint.



### Response

{% tab title="200" %}
OK
{% tab title="Model" %}
A collection of secret detection rules returned by the list endpoint.

| Parent field             | Field                     | Type     | Description                                                                                                             |
| ------------------------ | ------------------------- | -------- | ----------------------------------------------------------------------------------------------------------------------- |
|                          | data [*required*]    | [object] | The list of secret detection rules.                                                                                     |
| data                     | attributes                | object   | The attributes of a secret detection rule, including its pattern, priority, and validation configuration.               |
| attributes               | default_included_keywords | [string] | A list of keywords that are included by default when scanning for secrets matching this rule.                           |
| attributes               | description               | string   | A detailed explanation of what type of secret this rule detects.                                                        |
| attributes               | license                   | string   | The license under which this secret rule is distributed.                                                                |
| attributes               | match_validation          | object   | Configuration for validating whether a detected secret is active by making an HTTP request and inspecting the response. |
| match_validation         | endpoint                  | string   | The URL endpoint to call when validating a detected secret.                                                             |
| match_validation         | hosts                     | [string] | The list of hostnames to include when performing secret match validation.                                               |
| match_validation         | http_method               | string   | The HTTP method (e.g., GET, POST) to use when making the validation request.                                            |
| match_validation         | invalid_http_status_code  | [object] | The HTTP status code ranges that indicate the detected secret is invalid or inactive.                                   |
| invalid_http_status_code | end                       | int64    | The inclusive upper bound of the HTTP status code range.                                                                |
| invalid_http_status_code | start                     | int64    | The inclusive lower bound of the HTTP status code range.                                                                |
| match_validation         | request_headers           | object   | A map of HTTP header names to values to include in the validation request.                                              |
| additionalProperties     | <any-key>                 | string   |                                                                                                                         |
| match_validation         | timeout_seconds           | int64    | The maximum number of seconds to wait for a response during validation before timing out.                               |
| match_validation         | type                      | string   | The type of match validation to perform (e.g., http).                                                                   |
| match_validation         | valid_http_status_code    | [object] | The HTTP status code ranges that indicate the detected secret is valid and active.                                      |
| valid_http_status_code   | end                       | int64    | The inclusive upper bound of the HTTP status code range.                                                                |
| valid_http_status_code   | start                     | int64    | The inclusive lower bound of the HTTP status code range.                                                                |
| attributes               | name                      | string   | The unique name of the secret detection rule.                                                                           |
| attributes               | pattern                   | string   | The regular expression pattern used to identify potential secrets in source code or configuration.                      |
| attributes               | priority                  | string   | The priority level of this rule, used to rank findings when multiple rules match.                                       |
| attributes               | sds_id                    | string   | The identifier of the corresponding Sensitive Data Scanner rule, if one exists.                                         |
| attributes               | validators                | [string] | A list of validator identifiers used to further confirm a detected secret is genuine.                                   |
| data                     | id                        | string   | The unique identifier of the secret rule resource.                                                                      |
| data                     | type [*required*]    | enum     | Secret rule resource type. Allowed enum values: `secret_rule`                                                           |

{% /tab %}

{% tab title="Example" %}

```json
{
  "data": [
    {
      "attributes": {
        "default_included_keywords": [],
        "description": "string",
        "license": "string",
        "match_validation": {
          "endpoint": "string",
          "hosts": [],
          "http_method": "string",
          "invalid_http_status_code": [
            {
              "end": "integer",
              "start": "integer"
            }
          ],
          "request_headers": {
            "<any-key>": "string"
          },
          "timeout_seconds": "integer",
          "type": "string",
          "valid_http_status_code": [
            {
              "end": "integer",
              "start": "integer"
            }
          ]
        },
        "name": "string",
        "pattern": "string",
        "priority": "string",
        "sds_id": "string",
        "validators": []
      },
      "id": "string",
      "type": "secret_rule"
    }
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="429" %}
Too many requests
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}
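
The `match_validation` fields in the 200 response model above can be checked client-side before relying on a rule's validation results. This is an added example, not part of Datadog's documentation or client libraries: the function names, the sample payload, and the choice to report a status listed as both valid and invalid as `unknown` are assumptions of the example.

```python
"""Audit the match_validation block of secrets rules (added example)."""
import json
from urllib.parse import urlparse

# Constructed sample shaped like the 200 response model above; every value is made up.
SAMPLE_RESPONSE = json.loads("""
{
  "data": [
    {"id": "rule-a", "type": "secret_rule", "attributes": {
      "name": "example-token",
      "match_validation": {
        "type": "http",
        "endpoint": "https://api.example.test/v1/whoami",
        "http_method": "GET",
        "timeout_seconds": 5,
        "valid_http_status_code": [{"start": 200, "end": 299}],
        "invalid_http_status_code": [{"start": 401, "end": 403}]}}},
    {"id": "rule-b", "type": "secret_rule", "attributes": {
      "name": "example-legacy-key",
      "match_validation": {
        "type": "http",
        "endpoint": "http://legacy.example.test/check",
        "http_method": "POST",
        "valid_http_status_code": [{"start": 200, "end": 404}],
        "invalid_http_status_code": [{"start": 401, "end": 403}]}}},
    {"id": "rule-c", "type": "secret_rule", "attributes": {
      "name": "example-unvalidated"}}
  ]
}
""")


def in_ranges(status, ranges):
    """True if status lies in any {start, end} range; both bounds are inclusive."""
    return any(r["start"] <= status <= r["end"] for r in ranges or [])


def classify_status(match_validation, status):
    """Map a validation response status to 'valid', 'invalid' or 'unknown'.

    Assumption of this example: a status listed as both valid and invalid is
    reported as 'unknown' rather than guessed either way.
    """
    if not match_validation:
        return "unknown"
    valid = in_ranges(status, match_validation.get("valid_http_status_code"))
    invalid = in_ranges(status, match_validation.get("invalid_http_status_code"))
    if valid == invalid:
        return "unknown"
    return "valid" if valid else "invalid"


def audit_rule(rule):
    """Return hygiene findings for one rule's match_validation configuration."""
    mv = rule.get("attributes", {}).get("match_validation")
    if not mv:
        return ["no match_validation: detections cannot be confirmed as active"]
    findings = []
    if urlparse(mv.get("endpoint", "")).scheme != "https":
        findings.append("endpoint is not HTTPS: the validation request would travel unencrypted")
    if not mv.get("timeout_seconds"):
        findings.append("timeout_seconds is not set")
    valid = mv.get("valid_http_status_code") or []
    invalid = mv.get("invalid_http_status_code") or []
    for v in valid:
        for i in invalid:
            # Two inclusive ranges overlap when each starts before the other ends.
            if v["start"] <= i["end"] and i["start"] <= v["end"]:
                findings.append(
                    f"valid range {v['start']}-{v['end']} overlaps "
                    f"invalid range {i['start']}-{i['end']}"
                )
    return findings


def audit_response(response):
    """Map each rule id to its findings, keeping only rules that have any."""
    report = {}
    for rule in response.get("data", []):
        findings = audit_rule(rule)
        if findings:
            report[rule.get("id", "<no id>")] = findings
    return report


if __name__ == "__main__":
    for rule_id, findings in audit_response(SAMPLE_RESPONSE).items():
        for finding in findings:
            print(f"{rule_id}: {finding}")
```
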

### Code Example

```bash
# Curl command (replace api.datadoghq.com with the API host for your Datadog site from the table above)
curl -X GET "https://api.datadoghq.com/api/v2/static-analysis/secrets/rules" \
-H "Accept: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"
```

```python
"""
Returns a list of Secrets rules returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi

configuration = Configuration()
configuration.unstable_operations["get_secrets_rules"] = True
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.get_secrets_rules()

    print(response)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=python), then save the example to `example.py` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"

```ruby
# Returns a list of Secrets rules returns "OK" response

require "datadog_api_client"
DatadogAPIClient.configure do |config|
  config.unstable_operations["v2.get_secrets_rules".to_sym] = true
end
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new
p api_instance.get_secrets_rules()
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=ruby), then save the example to `example.rb` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" ruby "example.rb"

```go
// Returns a list of Secrets rules returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	configuration.SetUnstableOperationEnabled("v2.GetSecretsRules", true)
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.GetSecretsRules(ctx)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.GetSecretsRules`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.GetSecretsRules`:\n%s\n", responseContent)
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=go), then save the example to `main.go` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"

```java
// Returns a list of Secrets rules returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecretRuleArray;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    defaultClient.setUnstableOperationEnabled("v2.getSecretsRules", true);
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    try {
      SecretRuleArray result = apiInstance.getSecretsRules();
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println("Exception when calling SecurityMonitoringApi#getSecretsRules");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=java), then save the example to `Example.java` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"

```rust
// Returns a list of Secrets rules returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;

#[tokio::main]
async fn main() {
    let mut configuration = datadog::Configuration::new();
    configuration.set_unstable_operation_enabled("v2.GetSecretsRules", true);
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api.get_secrets_rules().await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=rust), then save the example to `src/main.rs` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run

```typescript
/**
 * Returns a list of Secrets rules returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
configuration.unstableOperations["v2.getSecretsRules"] = true;
const apiInstance = new v2.SecurityMonitoringApi(configuration);

apiInstance
  .getSecretsRules()
  .then((data: v2.SecretRuleArray) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=typescript), then save the example to `example.ts` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"
{% /tab %}

## Ruleset get multiple{% #ruleset-get-multiple %}

{% tab title="v2" %}
**Note**: This endpoint may be subject to changes.

| Datadog site      | API endpoint                                                       |
| ----------------- | ------------------------------------------------------------------ |
| ap1.datadoghq.com | POST https://api.ap1.datadoghq.com/api/v2/static-analysis/rulesets |
| ap2.datadoghq.com | POST https://api.ap2.datadoghq.com/api/v2/static-analysis/rulesets |
| app.datadoghq.eu  | POST https://api.datadoghq.eu/api/v2/static-analysis/rulesets      |
| app.ddog-gov.com  | POST https://api.ddog-gov.com/api/v2/static-analysis/rulesets      |
| app.datadoghq.com | POST https://api.datadoghq.com/api/v2/static-analysis/rulesets     |
| us3.datadoghq.com | POST https://api.us3.datadoghq.com/api/v2/static-analysis/rulesets |
| us5.datadoghq.com | POST https://api.us5.datadoghq.com/api/v2/static-analysis/rulesets |

### Overview

Get rules for multiple rulesets in batch.

OAuth apps require the `code_analysis_read` authorization [scope](https://docs.datadoghq.com/api/latest/scopes/#security-monitoring) to access this endpoint.



### Request

#### Body Data (required)



{% tab title="Model" %}

| Parent field | Field                  | Type     | Description                                                                                                            |
| ------------ | ---------------------- | -------- | ---------------------------------------------------------------------------------------------------------------------- |
|              | data                   | object   | The primary data object in the get-multiple-rulesets request, containing request attributes and resource type.         |
| data         | attributes             | object   | The request attributes for fetching multiple rulesets, specifying which rulesets to retrieve and what data to include. |
| attributes   | include_testing_rules  | boolean  | When true, rules that are available in testing mode are included in the response.                                      |
| attributes   | include_tests          | boolean  | When true, test cases associated with each rule are included in the response.                                          |
| attributes   | rulesets               | [string] | The list of ruleset names to retrieve.                                                                                 |
| data         | id                     | string   | An optional identifier for the get-multiple-rulesets request resource.                                                 |
| data         | type [*required*] | enum     | Get multiple rulesets request resource type. Allowed enum values: `get_multiple_rulesets_request`                      |

{% /tab %}

{% tab title="Example" %}

```json
{
  "data": {
    "attributes": {
      "include_testing_rules": false,
      "include_tests": false,
      "rulesets": []
    },
    "id": "string",
    "type": "get_multiple_rulesets_request"
  }
}
```

{% /tab %}

### Response

{% tab title="200" %}
OK
{% tab title="Model" %}
The response payload for the get-multiple-rulesets endpoint, containing the requested rulesets and their rules.

| Parent field | Field                  | Type      | Description                                                                                                          |
| ------------ | ---------------------- | --------- | -------------------------------------------------------------------------------------------------------------------- |
|              | data                   | object    | The primary data object in the get-multiple-rulesets response, containing the response attributes and resource type. |
| data         | attributes             | object    | The attributes of the get-multiple-rulesets response, containing the list of requested rulesets.                     |
| attributes   | rulesets               | [object]  | The list of rulesets returned in response to the batch request.                                                      |
| rulesets     | data [*required*] | object    | The resource identifier and type for a ruleset.                                                                      |
| data         | id                     | string    | The unique identifier of the ruleset resource.                                                                       |
| data         | type [*required*] | enum      | Rulesets resource type. Allowed enum values: `rulesets`                                                              |
| rulesets     | description            | string    | A detailed description of the ruleset's purpose and the types of issues it targets.                                  |
| rulesets     | name                   | string    | The unique name of the ruleset.                                                                                      |
| rulesets     | rules                  | [object]  | The list of static analysis rules included in this ruleset.                                                          |
| rules        | arguments              | [object]  | The list of configurable arguments accepted by this rule.                                                            |
| arguments    | description            | string    | A human-readable explanation of the argument's purpose and accepted values.                                          |
| arguments    | name                   | string    | The name of the rule argument.                                                                                       |
| rules        | category               | string    | The category classifying the type of issue this rule detects (e.g., security, style, performance).                   |
| rules        | checksum               | string    | A checksum of the rule definition used to detect changes.                                                            |
| rules        | code                   | string    | The rule implementation code used by the static analysis engine.                                                     |
| rules        | created_at             | date-time | The date and time when the rule was created.                                                                         |
| rules        | created_by             | string    | The identifier of the user or system that created the rule.                                                          |
| rules        | cve                    | string    | The CVE identifier associated with the vulnerability this rule detects, if applicable.                               |
| rules        | cwe                    | string    | The CWE identifier associated with the weakness category this rule detects, if applicable.                           |
| rules        | data [*required*] | object    | The resource identifier and type for a static analysis rule.                                                         |
| data         | id                     | string    | The unique identifier of the rule resource.                                                                          |
| data         | type [*required*] | enum      | Rules resource type. Allowed enum values: `rules`                                                                    |
| rules        | description            | string    | A detailed explanation of what the rule detects and why it matters.                                                  |
| rules        | documentation_url      | string    | A URL pointing to additional documentation for this rule.                                                            |
| rules        | entity_checked         | string    | The code entity type (e.g., function, class, variable) that this rule inspects.                                      |
| rules        | is_published           | boolean   | Indicates whether the rule is publicly published and available to all users.                                         |
| rules        | is_testing             | boolean   | Indicates whether the rule is in testing mode and not yet promoted to production.                                    |
| rules        | language               | string    | The programming language this rule applies to.                                                                       |
| rules        | last_updated_at        | date-time | The date and time when the rule was last modified.                                                                   |
| rules        | last_updated_by        | string    | The identifier of the user or system that last updated the rule.                                                     |
| rules        | name                   | string    | The unique name identifying this rule within its ruleset.                                                            |
| rules        | regex                  | string    | A regular expression pattern used by the rule for pattern-based detection.                                           |
| rules        | severity               | string    | The severity level of findings produced by this rule (e.g., ERROR, WARNING, NOTICE).                                 |
| rules        | short_description      | string    | A brief summary of what the rule detects, suitable for display in listings.                                          |
| rules        | should_use_ai_fix      | boolean   | Indicates whether an AI-generated fix suggestion should be offered for findings from this rule.                      |
| rules        | tests                  | [object]  | The list of test cases used to validate the rule's behavior.                                                         |
| tests        | annotation_count       | int64     | The expected number of annotations (findings) the rule should produce when run against the test code.                |
| tests        | code                   | string    | The source code snippet used as input for the rule test.                                                             |
| tests        | filename               | string    | The filename associated with the test code snippet.                                                                  |
| rules        | tree_sitter_query      | string    | The Tree-sitter query expression used by the rule to match code patterns in the AST.                                 |
| rules        | type                   | string    | The rule type indicating the detection mechanism used (e.g., tree_sitter, regex).                                    |
| rulesets     | short_description      | string    | A brief summary of the ruleset, suitable for display in listings.                                                    |
| data         | id                     | string    | The unique identifier of the get-multiple-rulesets response resource.                                                |
| data         | type [*required*] | enum      | Get multiple rulesets response resource type. Allowed enum values: `get_multiple_rulesets_response`                  |

{% /tab %}

{% tab title="Example" %}

```json
{
  "data": {
    "attributes": {
      "rulesets": [
        {
          "data": {
            "id": "string",
            "type": "rulesets"
          },
          "description": "string",
          "name": "string",
          "rules": [
            {
              "arguments": [
                {
                  "description": "string",
                  "name": "string"
                }
              ],
              "category": "string",
              "checksum": "string",
              "code": "string",
              "created_at": "2019-09-19T10:00:00.000Z",
              "created_by": "string",
              "cve": "string",
              "cwe": "string",
              "data": {
                "id": "string",
                "type": "rules"
              },
              "description": "string",
              "documentation_url": "string",
              "entity_checked": "string",
              "is_published": false,
              "is_testing": false,
              "language": "string",
              "last_updated_at": "2019-09-19T10:00:00.000Z",
              "last_updated_by": "string",
              "name": "string",
              "regex": "string",
              "severity": "string",
              "short_description": "string",
              "should_use_ai_fix": false,
              "tests": [
                {
                  "annotation_count": "integer",
                  "code": "string",
                  "filename": "string"
                }
              ],
              "tree_sitter_query": "string",
              "type": "string"
            }
          ],
          "short_description": "string"
        }
      ]
    },
    "id": "string",
    "type": "get_multiple_rulesets_response"
  }
}
```

{% /tab %}

{% /tab %}

{% tab title="429" %}
Too many requests
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

### Code Example

```bash
# Curl command
# Replace api.datadoghq.com with the API host for your Datadog site:
# api.ap1.datadoghq.com, api.ap2.datadoghq.com, api.datadoghq.eu, api.ddog-gov.com,
# api.datadoghq.com, api.us3.datadoghq.com, api.us5.datadoghq.com
curl -X POST "https://api.datadoghq.com/api/v2/static-analysis/rulesets" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "data": {
    "type": "get_multiple_rulesets_request"
  }
}
EOF
```

```python
"""
Ruleset get multiple returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.get_multiple_rulesets_request import GetMultipleRulesetsRequest
from datadog_api_client.v2.model.get_multiple_rulesets_request_data import GetMultipleRulesetsRequestData
from datadog_api_client.v2.model.get_multiple_rulesets_request_data_attributes import (
    GetMultipleRulesetsRequestDataAttributes,
)
from datadog_api_client.v2.model.get_multiple_rulesets_request_data_type import GetMultipleRulesetsRequestDataType

body = GetMultipleRulesetsRequest(
    data=GetMultipleRulesetsRequestData(
        attributes=GetMultipleRulesetsRequestDataAttributes(
            rulesets=[],
        ),
        type=GetMultipleRulesetsRequestDataType.GET_MULTIPLE_RULESETS_REQUEST,
    ),
)

configuration = Configuration()
configuration.unstable_operations["list_multiple_rulesets"] = True
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.list_multiple_rulesets(body=body)

    print(response)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=python), then save the example to `example.py` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
```

```ruby
# Ruleset get multiple returns "OK" response

require "datadog_api_client"
DatadogAPIClient.configure do |config|
  config.unstable_operations["v2.list_multiple_rulesets".to_sym] = true
end
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

body = DatadogAPIClient::V2::GetMultipleRulesetsRequest.new({
  data: DatadogAPIClient::V2::GetMultipleRulesetsRequestData.new({
    attributes: DatadogAPIClient::V2::GetMultipleRulesetsRequestDataAttributes.new({
      rulesets: [],
    }),
    type: DatadogAPIClient::V2::GetMultipleRulesetsRequestDataType::GET_MULTIPLE_RULESETS_REQUEST,
  }),
})
p api_instance.list_multiple_rulesets(body)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=ruby), then save the example to `example.rb` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" ruby "example.rb"
```

```go
// Ruleset get multiple returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	body := datadogV2.GetMultipleRulesetsRequest{
		Data: &datadogV2.GetMultipleRulesetsRequestData{
			Attributes: &datadogV2.GetMultipleRulesetsRequestDataAttributes{
				Rulesets: []string{},
			},
			Type: datadogV2.GETMULTIPLERULESETSREQUESTDATATYPE_GET_MULTIPLE_RULESETS_REQUEST,
		},
	}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	configuration.SetUnstableOperationEnabled("v2.ListMultipleRulesets", true)
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.ListMultipleRulesets(ctx, body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.ListMultipleRulesets`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.ListMultipleRulesets`:\n%s\n", responseContent)
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=go), then save the example to `main.go` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
```

```java
// Ruleset get multiple returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.GetMultipleRulesetsRequest;
import com.datadog.api.client.v2.model.GetMultipleRulesetsRequestData;
import com.datadog.api.client.v2.model.GetMultipleRulesetsRequestDataAttributes;
import com.datadog.api.client.v2.model.GetMultipleRulesetsRequestDataType;
import com.datadog.api.client.v2.model.GetMultipleRulesetsResponse;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    defaultClient.setUnstableOperationEnabled("v2.listMultipleRulesets", true);
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    GetMultipleRulesetsRequest body =
        new GetMultipleRulesetsRequest()
            .data(
                new GetMultipleRulesetsRequestData()
                    .attributes(new GetMultipleRulesetsRequestDataAttributes())
                    .type(GetMultipleRulesetsRequestDataType.GET_MULTIPLE_RULESETS_REQUEST));

    try {
      GetMultipleRulesetsResponse result = apiInstance.listMultipleRulesets(body);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println("Exception when calling SecurityMonitoringApi#listMultipleRulesets");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=java), then save the example to `Example.java` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"
```

```rust
// Ruleset get multiple returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::GetMultipleRulesetsRequest;
use datadog_api_client::datadogV2::model::GetMultipleRulesetsRequestData;
use datadog_api_client::datadogV2::model::GetMultipleRulesetsRequestDataAttributes;
use datadog_api_client::datadogV2::model::GetMultipleRulesetsRequestDataType;

#[tokio::main]
async fn main() {
    let body = GetMultipleRulesetsRequest::new().data(
        GetMultipleRulesetsRequestData::new(
            GetMultipleRulesetsRequestDataType::GET_MULTIPLE_RULESETS_REQUEST,
        )
        .attributes(GetMultipleRulesetsRequestDataAttributes::new().rulesets(vec![])),
    );
    let mut configuration = datadog::Configuration::new();
    configuration.set_unstable_operation_enabled("v2.ListMultipleRulesets", true);
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api.list_multiple_rulesets(body).await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=rust), then save the example to `src/main.rs` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run
```

```typescript
/**
 * Ruleset get multiple returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
configuration.unstableOperations["v2.listMultipleRulesets"] = true;
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiListMultipleRulesetsRequest = {
  body: {
    data: {
      attributes: {
        rulesets: [],
      },
      type: "get_multiple_rulesets_request",
    },
  },
};

apiInstance
  .listMultipleRulesets(params)
  .then((data: v2.GetMultipleRulesetsResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=typescript), then save the example to `example.ts` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"
```
{% /tab %}

## List vulnerabilities{% #list-vulnerabilities %}

**Note**: This endpoint is deprecated. See the [List Security Findings endpoint](https://docs.datadoghq.com/api/latest/security-monitoring/#list-security-findings).

| Datadog site      | API endpoint                                                      |
| ----------------- | ----------------------------------------------------------------- |
| ap1.datadoghq.com | GET https://api.ap1.datadoghq.com/api/v2/security/vulnerabilities |
| ap2.datadoghq.com | GET https://api.ap2.datadoghq.com/api/v2/security/vulnerabilities |
| app.datadoghq.eu  | GET https://api.datadoghq.eu/api/v2/security/vulnerabilities      |
| app.ddog-gov.com  | GET https://api.ddog-gov.com/api/v2/security/vulnerabilities      |
| app.datadoghq.com | GET https://api.datadoghq.com/api/v2/security/vulnerabilities     |
| us3.datadoghq.com | GET https://api.us3.datadoghq.com/api/v2/security/vulnerabilities |
| us5.datadoghq.com | GET https://api.us5.datadoghq.com/api/v2/security/vulnerabilities |

### Overview



Get a list of vulnerabilities.

### Pagination{% #pagination %}

Pagination is enabled by default in both `vulnerabilities` and `assets`. The size of the page varies depending on the endpoint and cannot be modified. To automate the request of the next page, you can use the links section in the response.

This endpoint will return paginated responses. The pages are stored in the links section of the response:

```JSON
{
  "data": [...],
  "meta": {...},
  "links": {
    "self": "https://.../api/v2/security/vulnerabilities",
    "first": "https://.../api/v2/security/vulnerabilities?page[number]=1&page[token]=abc",
    "last": "https://.../api/v2/security/vulnerabilities?page[number]=43&page[token]=abc",
    "next": "https://.../api/v2/security/vulnerabilities?page[number]=2&page[token]=abc"
  }
}
```

- `links.previous` is empty if the first page is requested.
- `links.next` is empty if the last page is requested.

#### Token{% #token %}

Vulnerabilities can be created, updated or deleted at any point in time.

Upon the first request, a token is created to ensure consistency across subsequent paginated requests.

A token is valid only for 24 hours.

#### First request{% #first-request %}

We consider a request to be the first request when there is no `page[token]` parameter.

The response of this first request contains the newly created token in the `links` section.

This token can then be used in the subsequent paginated requests.

*Note: The first request may take longer to complete than subsequent requests.*

#### Subsequent requests{% #subsequent-requests %}

Any request containing valid `page[token]` and `page[number]` parameters will be considered a subsequent request.

If the `token` is invalid, a `404` response will be returned.

If the page `number` is invalid, a `400` response will be returned.

The returned `token` is valid for all requests in the pagination sequence. To send paginated requests in parallel, reuse the same `token` and change only the `page[number]` parameter.

### Filtering{% #filtering %}

The request can include some filter parameters to filter the data to be retrieved. The format of the filter parameters follows the [JSON:API format](https://jsonapi.org/format/#fetching-filtering): `filter[$prop_name]`, where `prop_name` is the property name in the entity being filtered by.

All filters can include multiple values, where data will be filtered with an OR clause: `filter[title]=Title1,Title2` will filter all vulnerabilities where title is equal to `Title1` OR `Title2`.

String filters are case sensitive.

Boolean filters accept `true` or `false` as values.

Number filters must include an operator as a second filter input: `filter[$prop_name][$operator]`. For example, for the vulnerabilities endpoint: `filter[cvss.base.score][lte]=8`.

Available operators are: `eq` (==), `lt` (<), `lte` (<=), `gt` (>) and `gte` (>=).
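
The pagination and filtering rules above, combined into one client loop. This is an added example, not Datadog's client code: `fetch`, `build_filters`, `iter_vulnerabilities`, `make_fake_api` and the `api.example.test` host are assumptions made here, and the in-memory API is constructed sample data so the block runs offline.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

OPERATORS = {"eq", "lt", "lte", "gt", "gte"}  # number operators listed on this page


class TokenInvalid(Exception):
    """404 on a request that carried page[token] (tokens are valid for 24 hours)."""


def build_filters(filters):
    """Map {property: value} to JSON:API filter[...] query parameters."""
    params = {}
    for prop, value in filters.items():
        key = f"filter[{prop}]"
        if isinstance(value, bool):            # test bool first: bool is an int subclass
            params[key] = "true" if value else "false"
        elif isinstance(value, tuple):         # (operator, number)
            op, number = value
            if op not in OPERATORS:
                raise ValueError(f"unknown operator {op!r} for {prop}")
            params[f"{key}[{op}]"] = str(number)
        elif isinstance(value, (int, float)):
            raise ValueError(f"number filter {prop} needs an operator, e.g. ('lte', 8)")
        elif isinstance(value, list):          # several values are combined with OR
            params[key] = ",".join(value)
        else:
            params[key] = value                # string filters are case sensitive
    return params


def iter_vulnerabilities(fetch, base_url, filters=None, max_pages=10_000):
    """Yield every vulnerability by following links.next from the first request.

    fetch(url) is an assumed transport returning (status_code, parsed_json); a real
    one would send the DD-API-KEY and DD-APPLICATION-KEY headers.
    """
    origin = urlsplit(base_url)[:2]            # (scheme, host) of the first request
    query = urlencode(build_filters(filters or {}), safe="[],")
    url = f"{base_url}?{query}" if query else base_url   # first request: no page[token]
    for _ in range(max_pages):
        if urlsplit(url)[:2] != origin:
            # Never send API keys to a host other than the one the caller chose.
            raise RuntimeError(f"refusing to follow cross-origin link: {url}")
        status, body = fetch(url)
        has_token = "page[token]" in parse_qs(urlsplit(url).query)
        if status == 404 and has_token:
            raise TokenInvalid(url)            # caller restarts from the first request
        if status != 200:
            raise RuntimeError(f"HTTP {status} for {url}")  # 400: invalid page number
        yield from body["data"]
        url = body.get("links", {}).get("next")
        if not url:                            # links.next is empty on the last page
            return
    raise RuntimeError("max_pages exceeded")


def make_fake_api(items, page_size=2, token="abc", host="https://api.example.test"):
    """Constructed in-memory stand-in for the endpoint; it does not apply filters."""
    path = host + "/api/v2/security/vulnerabilities"
    calls = []

    def link(number):
        return f"{path}?page[number]={number}&page[token]={token}"

    def fetch(url):
        calls.append(url)
        q = parse_qs(urlsplit(url).query)
        if "page[token]" in q and q["page[token]"] != [token]:
            return 404, {"errors": ["Not Found"]}
        number = int(q.get("page[number]", ["1"])[0])
        last = max(1, -(-len(items) // page_size))        # ceiling division
        if not 1 <= number <= last:
            return 400, {"errors": ["Bad Request"]}
        links = {"self": url, "first": link(1), "last": link(last)}
        if number < last:
            links["next"] = link(number + 1)
        start = (number - 1) * page_size
        page = items[start:start + page_size]
        return 200, {"data": page, "links": links, "meta": {"token": token}}

    return path, fetch, calls


if __name__ == "__main__":
    base, fetch, calls = make_fake_api([{"id": f"vuln-{i}"} for i in range(5)])
    wanted = {"cvss.base.score": ("gte", 7), "status": ["Open", "InProgress"]}
    for vuln in iter_vulnerabilities(fetch, base, wanted):
        print(vuln["id"])
    print(*calls, sep="\n")
```

The origin check matters because the loop reuses credentials for whatever URL the previous response returned in `links.next`.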

### Metadata{% #metadata %}

Following the [JSON:API format](https://jsonapi.org/format/#document-meta), the `meta` member is an object that contains non-standard meta-information.

This endpoint includes the `meta` member in the response. For more details on each of the properties included in this section, check the endpoint's response table.

```JSON
{
  "data": [...],
  "meta": {
    "total": 1500,
    "count": 18732,
    "token": "some_token"
  },
  "links": {...}
}
```

### Extensions{% #extensions %}

Requests may include extensions to modify the behavior of the requested endpoint. Extension parameters follow the [JSON:API format](https://jsonapi.org/extensions/#extensions): `ext:$extension_name`, where `extension_name` is the name of the modifier that is being applied.

Extensions can only include one value: `ext:modifier=value`.

This endpoint requires the `appsec_vm_read` permission.


### Arguments

#### Query Strings

| Name                                             | Type    | Description                                                                                                                                                                                                                                                     |
| ------------------------------------------------ | ------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| page[token]                                      | string  | Its value must come from the `links` section of the response of the first request. Do not manually edit it.                                                                                                                                                     |
| page[number]                                     | integer | The page number to be retrieved. It should be equal to or greater than `1`.                                                                                                                                                                                     |
| filter[type]                                     | enum    | Filter by vulnerability type. Allowed enum values: `AdminConsoleActive, CodeInjection, CommandInjection, ComponentWithKnownVulnerability, DangerousWorkflows, DefaultAppDeployed, DefaultHtmlEscapeInvalid, DirectoryListingLeak, EmailHtmlInjection, EndOfLife` |
| filter[cvss.base.score][`$op`]                   | number  | Filter by vulnerability base (i.e. from the original advisory) severity score.                                                                                                                                                                                  |
| filter[cvss.base.severity]                       | enum    | Filter by vulnerability base severity.Allowed enum values: `Unknown, None, Low, Medium, High, Critical`                                                                                                                                                         |
| filter[cvss.base.vector]                         | string  | Filter by vulnerability base CVSS vector.                                                                                                                                                                                                                       |
| filter[cvss.datadog.score][`$op`]                | number  | Filter by vulnerability Datadog severity score.                                                                                                                                                                                                                 |
| filter[cvss.datadog.severity]                    | enum    | Filter by vulnerability Datadog severity.Allowed enum values: `Unknown, None, Low, Medium, High, Critical`                                                                                                                                                      |
| filter[cvss.datadog.vector]                      | string  | Filter by vulnerability Datadog CVSS vector.                                                                                                                                                                                                                    |
| filter[status]                                   | enum    | Filter by the status of the vulnerability. Allowed enum values: `Open, Muted, Remediated, InProgress, AutoClosed`                                                                                                                                               |
| filter[tool]                                     | enum    | Filter by the tool of the vulnerability. Allowed enum values: `IAST, SCA, Infra, SAST`                                                                                                                                                                          |
| filter[library.name]                             | string  | Filter by library name.                                                                                                                                                                                                                                         |
| filter[library.version]                          | string  | Filter by library version.                                                                                                                                                                                                                                      |
| filter[advisory.id]                              | string  | Filter by advisory ID.                                                                                                                                                                                                                                          |
| filter[risks.exploitation_probability]           | boolean | Filter by exploitation probability.                                                                                                                                                                                                                             |
| filter[risks.poc_exploit_available]              | boolean | Filter by POC exploit availability.                                                                                                                                                                                                                             |
| filter[risks.exploit_available]                  | boolean | Filter by public exploit availability.                                                                                                                                                                                                                          |
| filter[risks.epss.score][`$op`]                  | number  | Filter by vulnerability [EPSS](https://www.first.org/epss/) severity score.                                                                                                                                                                                     |
| filter[risks.epss.severity]                      | enum    | Filter by vulnerability [EPSS](https://www.first.org/epss/) severity. Allowed enum values: `Unknown, None, Low, Medium, High, Critical`                                                                                                                         |
| filter[language]                                 | string  | Filter by language.                                                                                                                                                                                                                                             |
| filter[ecosystem]                                | enum    | Filter by ecosystem.Allowed enum values: `PyPI, Maven, NuGet, Npm, RubyGems, Go, Packagist, Deb, Rpm, Apk`                                                                                                                                                      |
| filter[code_location.location]                   | string  | Filter by vulnerability location.                                                                                                                                                                                                                               |
| filter[code_location.file_path]                  | string  | Filter by vulnerability file path.                                                                                                                                                                                                                              |
| filter[code_location.method]                     | string  | Filter by method.                                                                                                                                                                                                                                               |
| filter[fix_available]                            | boolean | Filter by fix availability.                                                                                                                                                                                                                                     |
| filter[repo_digests]                             | string  | Filter by vulnerability `repo_digest` (when the vulnerability is related to `Image` asset).                                                                                                                                                                     |
| filter[origin]                                   | string  | Filter by origin.                                                                                                                                                                                                                                               |
| filter[running_kernel]                           | boolean | Filter for whether the vulnerability affects a running kernel (for vulnerabilities related to a `Host` asset).                                                                                                                                                  |
| filter[asset.name]                               | string  | Filter by asset name. This field supports the usage of wildcards (*).                                                                                                                                                                                           |
| filter[asset.type]                               | enum    | Filter by asset type.Allowed enum values: `Repository, Service, Host, HostImage, Image`                                                                                                                                                                         |
| filter[asset.version.first]                      | string  | Filter by the first version of the asset this vulnerability has been detected on.                                                                                                                                                                               |
| filter[asset.version.last]                       | string  | Filter by the last version of the asset this vulnerability has been detected on.                                                                                                                                                                                |
| filter[asset.repository_url]                     | string  | Filter by the repository url associated to the asset.                                                                                                                                                                                                           |
| filter[asset.risks.in_production]                | boolean | Filter whether the asset is in production or not.                                                                                                                                                                                                               |
| filter[asset.risks.under_attack]                 | boolean | Filter whether the asset is under attack or not.                                                                                                                                                                                                                |
| filter[asset.risks.is_publicly_accessible]       | boolean | Filter whether the asset is publicly accessible or not.                                                                                                                                                                                                         |
| filter[asset.risks.has_privileged_access]        | boolean | Filter whether the asset is publicly accessible or not.                                                                                                                                                                                                         |
| filter[asset.risks.has_access_to_sensitive_data] | boolean | Filter whether the asset has access to sensitive data or not.                                                                                                                                                                                                   |
| filter[asset.environments]                       | string  | Filter by asset environments.                                                                                                                                                                                                                                   |
| filter[asset.teams]                              | string  | Filter by asset teams.                                                                                                                                                                                                                                          |
| filter[asset.arch]                               | string  | Filter by asset architecture.                                                                                                                                                                                                                                   |
| filter[asset.operating_system.name]              | string  | Filter by asset operating system name.                                                                                                                                                                                                                          |
| filter[asset.operating_system.version]           | string  | Filter by asset operating system version.                                                                                                                                                                                                                       |

### Response

{% tab title="200" %}
OK
{% tab title="Model" %}
The expected response schema when listing vulnerabilities.

| Parent field         | Field                                      | Type     | Description                                                                                                                                                                                                                                       |
| -------------------- | ------------------------------------------ | -------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|                      | data [*required*]                     | [object] | List of vulnerabilities.                                                                                                                                                                                                                          |
| data                 | attributes [*required*]               | object   | The JSON:API attributes of the vulnerability.                                                                                                                                                                                                     |
| attributes           | advisory                                   | object   | Advisory associated with the vulnerability.                                                                                                                                                                                                       |
| advisory             | id [*required*]                       | string   | Vulnerability advisory ID.                                                                                                                                                                                                                        |
| advisory             | last_modification_date                     | string   | Vulnerability advisory last modification date.                                                                                                                                                                                                    |
| advisory             | publish_date                               | string   | Vulnerability advisory publish date.                                                                                                                                                                                                              |
| attributes           | advisory_id                                | string   | Vulnerability advisory ID.                                                                                                                                                                                                                        |
| attributes           | code_location                              | object   | Code vulnerability location.                                                                                                                                                                                                                      |
| code_location        | file_path                                  | string   | Vulnerability location file path.                                                                                                                                                                                                                 |
| code_location        | location [*required*]                 | string   | Vulnerability extracted location.                                                                                                                                                                                                                 |
| code_location        | method                                     | string   | Vulnerability location method.                                                                                                                                                                                                                    |
| attributes           | cve_list [*required*]                 | [string] | Vulnerability CVE list.                                                                                                                                                                                                                           |
| attributes           | cvss [*required*]                     | object   | Vulnerability severities.                                                                                                                                                                                                                         |
| cvss                 | base [*required*]                     | object   | Vulnerability severity.                                                                                                                                                                                                                           |
| base                 | score [*required*]                    | double   | Vulnerability severity score.                                                                                                                                                                                                                     |
| base                 | severity [*required*]                 | enum     | The vulnerability severity. Allowed enum values: `Unknown,None,Low,Medium,High,Critical`                                                                                                                                                          |
| base                 | vector [*required*]                   | string   | Vulnerability CVSS vector.                                                                                                                                                                                                                        |
| cvss                 | datadog [*required*]                  | object   | Vulnerability severity.                                                                                                                                                                                                                           |
| datadog              | score [*required*]                    | double   | Vulnerability severity score.                                                                                                                                                                                                                     |
| datadog              | severity [*required*]                 | enum     | The vulnerability severity. Allowed enum values: `Unknown,None,Low,Medium,High,Critical`                                                                                                                                                          |
| datadog              | vector [*required*]                   | string   | Vulnerability CVSS vector.                                                                                                                                                                                                                        |
| attributes           | dependency_locations                       | object   | Static library vulnerability location.                                                                                                                                                                                                            |
| dependency_locations | block [*required*]                    | object   | Static library vulnerability location.                                                                                                                                                                                                            |
| block                | column_end [*required*]               | int64    | Location column end.                                                                                                                                                                                                                              |
| block                | column_start [*required*]             | int64    | Location column start.                                                                                                                                                                                                                            |
| block                | file_name [*required*]                | string   | Location file name.                                                                                                                                                                                                                               |
| block                | line_end [*required*]                 | int64    | Location line end.                                                                                                                                                                                                                                |
| block                | line_start [*required*]               | int64    | Location line start.                                                                                                                                                                                                                              |
| dependency_locations | name                                       | object   | Static library vulnerability location.                                                                                                                                                                                                            |
| name                 | column_end [*required*]               | int64    | Location column end.                                                                                                                                                                                                                              |
| name                 | column_start [*required*]             | int64    | Location column start.                                                                                                                                                                                                                            |
| name                 | file_name [*required*]                | string   | Location file name.                                                                                                                                                                                                                               |
| name                 | line_end [*required*]                 | int64    | Location line end.                                                                                                                                                                                                                                |
| name                 | line_start [*required*]               | int64    | Location line start.                                                                                                                                                                                                                              |
| dependency_locations | version                                    | object   | Static library vulnerability location.                                                                                                                                                                                                            |
| version              | column_end [*required*]               | int64    | Location column end.                                                                                                                                                                                                                              |
| version              | column_start [*required*]             | int64    | Location column start.                                                                                                                                                                                                                            |
| version              | file_name [*required*]                | string   | Location file name.                                                                                                                                                                                                                               |
| version              | line_end [*required*]                 | int64    | Location line end.                                                                                                                                                                                                                                |
| version              | line_start [*required*]               | int64    | Location line start.                                                                                                                                                                                                                              |
| attributes           | description [*required*]              | string   | Vulnerability description.                                                                                                                                                                                                                        |
| attributes           | ecosystem                                  | enum     | The related vulnerability asset ecosystem. Allowed enum values: `PyPI,Maven,NuGet,Npm,RubyGems,Go,Packagist,Deb,Rpm,Apk`                                                                                                                          |
| attributes           | exposure_time [*required*]            | int64    | Vulnerability exposure time in seconds.                                                                                                                                                                                                           |
| attributes           | first_detection [*required*]          | string   | First detection of the vulnerability in [RFC 3339](https://datatracker.ietf.org/doc/html/rfc3339) format                                                                                                                                          |
| attributes           | fix_available [*required*]            | boolean  | Whether the vulnerability has a remediation or not.                                                                                                                                                                                               |
| attributes           | language [*required*]                 | string   | Vulnerability language.                                                                                                                                                                                                                           |
| attributes           | last_detection [*required*]           | string   | Last detection of the vulnerability in [RFC 3339](https://datatracker.ietf.org/doc/html/rfc3339) format                                                                                                                                           |
| attributes           | library                                    | object   | Vulnerability library.                                                                                                                                                                                                                            |
| library              | additional_names                           | [string] | Related library or package names (such as child packages or affected binary paths).                                                                                                                                                               |
| library              | name [*required*]                     | string   | Vulnerability library name.                                                                                                                                                                                                                       |
| library              | version                                    | string   | Vulnerability library version.                                                                                                                                                                                                                    |
| attributes           | origin [*required*]                   | [string] | Vulnerability origin.                                                                                                                                                                                                                             |
| attributes           | remediations [*required*]             | [object] | List of remediations.                                                                                                                                                                                                                             |
| remediations         | auto_solvable [*required*]            | boolean  | Whether the vulnerability can be resolved when recompiling the package or not.                                                                                                                                                                    |
| remediations         | avoided_advisories [*required*]       | [object] | Avoided advisories.                                                                                                                                                                                                                               |
| avoided_advisories   | base_severity [*required*]            | string   | Advisory base severity.                                                                                                                                                                                                                           |
| avoided_advisories   | id [*required*]                       | string   | Advisory id.                                                                                                                                                                                                                                      |
| avoided_advisories   | severity                                   | string   | Advisory Datadog severity.                                                                                                                                                                                                                        |
| remediations         | fixed_advisories [*required*]         | [object] | Remediation fixed advisories.                                                                                                                                                                                                                     |
| fixed_advisories     | base_severity [*required*]            | string   | Advisory base severity.                                                                                                                                                                                                                           |
| fixed_advisories     | id [*required*]                       | string   | Advisory id.                                                                                                                                                                                                                                      |
| fixed_advisories     | severity                                   | string   | Advisory Datadog severity.                                                                                                                                                                                                                        |
| remediations         | library_name [*required*]             | string   | Library name remediating the vulnerability.                                                                                                                                                                                                       |
| remediations         | library_version [*required*]          | string   | Library version remediating the vulnerability.                                                                                                                                                                                                    |
| remediations         | new_advisories [*required*]           | [object] | New advisories.                                                                                                                                                                                                                                   |
| new_advisories       | base_severity [*required*]            | string   | Advisory base severity.                                                                                                                                                                                                                           |
| new_advisories       | id [*required*]                       | string   | Advisory id.                                                                                                                                                                                                                                      |
| new_advisories       | severity                                   | string   | Advisory Datadog severity.                                                                                                                                                                                                                        |
| remediations         | remaining_advisories [*required*]     | [object] | Remaining advisories.                                                                                                                                                                                                                             |
| remaining_advisories | base_severity [*required*]            | string   | Advisory base severity.                                                                                                                                                                                                                           |
| remaining_advisories | id [*required*]                       | string   | Advisory id.                                                                                                                                                                                                                                      |
| remaining_advisories | severity                                   | string   | Advisory Datadog severity.                                                                                                                                                                                                                        |
| remediations         | type [*required*]                     | string   | Remediation type.                                                                                                                                                                                                                                 |
| attributes           | repo_digests                               | [string] | Vulnerability `repo_digest` list (when the vulnerability is related to `Image` asset).                                                                                                                                                            |
| attributes           | risks [*required*]                    | object   | Vulnerability risks.                                                                                                                                                                                                                              |
| risks                | epss                                       | object   | Vulnerability EPSS severity.                                                                                                                                                                                                                      |
| epss                 | score [*required*]                    | double   | Vulnerability EPSS severity score.                                                                                                                                                                                                                |
| epss                 | severity [*required*]                 | enum     | The vulnerability severity. Allowed enum values: `Unknown,None,Low,Medium,High,Critical`                                                                                                                                                          |
| risks                | exploit_available [*required*]        | boolean  | Vulnerability public exploit availability.                                                                                                                                                                                                        |
| risks                | exploit_sources [*required*]          | [string] | Vulnerability exploit sources.                                                                                                                                                                                                                    |
| risks                | exploitation_probability [*required*] | boolean  | Vulnerability exploitation probability.                                                                                                                                                                                                           |
| risks                | poc_exploit_available [*required*]    | boolean  | Vulnerability POC exploit availability.                                                                                                                                                                                                           |
| attributes           | running_kernel                             | boolean  | True if the vulnerability affects a package in the host's running kernel, false if it affects a non-running kernel, and omitted if it is not kernel-related.                                                                                      |
| attributes           | status [*required*]                   | enum     | The vulnerability status. Allowed enum values: `Open,Muted,Remediated,InProgress,AutoClosed`                                                                                                                                                      |
| attributes           | title [*required*]                    | string   | Vulnerability title.                                                                                                                                                                                                                              |
| attributes           | tool [*required*]                     | enum     | The vulnerability tool. Allowed enum values: `IAST,SCA,Infra,SAST`                                                                                                                                                                                |
| attributes           | type [*required*]                     | enum     | The vulnerability type. Allowed enum values: `AdminConsoleActive,CodeInjection,CommandInjection,ComponentWithKnownVulnerability,DangerousWorkflows,DefaultAppDeployed,DefaultHtmlEscapeInvalid,DirectoryListingLeak,EmailHtmlInjection,EndOfLife` |
| data                 | id [*required*]                       | string   | The unique ID for this vulnerability.                                                                                                                                                                                                             |
| data                 | relationships [*required*]            | object   | Related entities object.                                                                                                                                                                                                                          |
| relationships        | affects [*required*]                  | object   | Relationship type.                                                                                                                                                                                                                                |
| affects              | data [*required*]                     | object   | Asset affected by this vulnerability.                                                                                                                                                                                                             |
| data                 | id [*required*]                       | string   | The unique ID for this related asset.                                                                                                                                                                                                             |
| data                 | type [*required*]                     | enum     | The JSON:API type. Allowed enum values: `assets`                                                                                                                                                                                                  |
| data                 | type [*required*]                     | enum     | The JSON:API type. Allowed enum values: `vulnerabilities`                                                                                                                                                                                         |
|                      | links                                      | object   | The JSON:API links related to pagination.                                                                                                                                                                                                         |
| links                | first [*required*]                    | string   | First page link.                                                                                                                                                                                                                                  |
| links                | last [*required*]                     | string   | Last page link.                                                                                                                                                                                                                                   |
| links                | next                                       | string   | Next page link.                                                                                                                                                                                                                                   |
| links                | previous                                   | string   | Previous page link.                                                                                                                                                                                                                               |
| links                | self [*required*]                     | string   | Request link.                                                                                                                                                                                                                                     |
|                      | meta                                       | object   | The metadata related to this request.                                                                                                                                                                                                             |
| meta                 | count [*required*]                    | int64    | Number of entities included in the response.                                                                                                                                                                                                      |
| meta                 | token [*required*]                    | string   | The token that identifies the request.                                                                                                                                                                                                            |
| meta                 | total [*required*]                    | int64    | Total number of entities across all pages.                                                                                                                                                                                                        |

{% /tab %}

{% tab title="Example" %}

```json
{
  "data": [
    {
      "attributes": {
        "advisory": {
          "id": "TRIVY-CVE-2023-0615",
          "last_modification_date": "2024-09-19T21:23:08.000Z",
          "publish_date": "2024-09-19T21:23:08.000Z"
        },
        "advisory_id": "TRIVY-CVE-2023-0615",
        "code_location": {
          "file_path": "src/Class.java:100",
          "location": "com.example.Class:100",
          "method": "FooBar"
        },
        "cve_list": [
          "CVE-2023-0615"
        ],
        "cvss": {
          "base": {
            "score": 4.5,
            "severity": "Medium",
            "vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
          },
          "datadog": {
            "score": 4.5,
            "severity": "Medium",
            "vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
          }
        },
        "dependency_locations": {
          "block": {
            "column_end": 140,
            "column_start": 5,
            "file_name": "src/go.mod",
            "line_end": 10,
            "line_start": 1
          },
          "name": {
            "column_end": 140,
            "column_start": 5,
            "file_name": "src/go.mod",
            "line_end": 10,
            "line_start": 1
          },
          "version": {
            "column_end": 140,
            "column_start": 5,
            "file_name": "src/go.mod",
            "line_end": 10,
            "line_start": 1
          }
        },
        "description": "LDAP Injection is a security vulnerability that occurs when untrusted user input is improperly handled and directly incorporated into LDAP queries without appropriate sanitization or validation. This vulnerability enables attackers to manipulate LDAP queries and potentially gain unauthorized access, modify data, or extract sensitive information from the directory server. By exploiting the LDAP injection vulnerability, attackers can execute malicious commands, bypass authentication mechanisms, and perform unauthorized actions within the directory service.",
        "ecosystem": "string",
        "exposure_time": 5618604,
        "first_detection": "2024-09-19T21:23:08.000Z",
        "fix_available": false,
        "language": "ubuntu",
        "last_detection": "2024-09-01T21:23:08.000Z",
        "library": {
          "additional_names": [
            "linux-tools-common"
          ],
          "name": "linux-aws-5.15",
          "version": "5.15.0"
        },
        "origin": [
          "agentless-scanner"
        ],
        "remediations": [
          {
            "auto_solvable": false,
            "avoided_advisories": [
              {
                "base_severity": "Critical",
                "id": "GHSA-4wrc-f8pq-fpqp",
                "severity": "Medium"
              }
            ],
            "fixed_advisories": [
              {
                "base_severity": "Critical",
                "id": "GHSA-4wrc-f8pq-fpqp",
                "severity": "Medium"
              }
            ],
            "library_name": "stdlib",
            "library_version": "Upgrade to a version >= 1.20.0",
            "new_advisories": [
              {
                "base_severity": "Critical",
                "id": "GHSA-4wrc-f8pq-fpqp",
                "severity": "Medium"
              }
            ],
            "remaining_advisories": [
              {
                "base_severity": "Critical",
                "id": "GHSA-4wrc-f8pq-fpqp",
                "severity": "Medium"
              }
            ],
            "type": "text"
          }
        ],
        "repo_digests": [
          "sha256:0ae7da091191787229d321e3638e39c319a97d6e20f927d465b519d699215bf7"
        ],
        "risks": {
          "epss": {
            "score": 0.2,
            "severity": "Medium"
          },
          "exploit_available": false,
          "exploit_sources": [
            "NIST"
          ],
          "exploitation_probability": false,
          "poc_exploit_available": false
        },
        "running_kernel": true,
        "status": "Open",
        "title": "LDAP Injection",
        "tool": "SCA",
        "type": "WeakCipher"
      },
      "id": "3ecdfea798f2ce8f6e964805a344945f",
      "relationships": {
        "affects": {
          "data": {
            "id": "Repository|github.com/DataDog/datadog-agent.git",
            "type": "assets"
          }
        }
      },
      "type": "vulnerabilities"
    }
  ],
  "links": {
    "first": "https://api.datadoghq.com/api/v2/security/vulnerabilities?page%5Bnumber%5D=1\u0026page%5Btoken%5D=b82cef018aab81ed1d4bb4xb35xxfc065da7efa685fbcecdbd338f3015e3afabbbfa3a911b4984_721ee28a-zecb-4e45-9960-c42065b574f4",
    "last": "https://api.datadoghq.com/api/v2/security/vulnerabilities?page%5Bnumber%5D=15\u0026page%5Btoken%5D=b82cef018aab81ed1d4bb4xb35xxfc065da7efa685fbcecdbd338f3015e3afabbbfa3a911b4984_721ee28a-zecb-4e45-9960-c42065b574f4",
    "next": "https://api.datadoghq.com/api/v2/security/vulnerabilities?page%5Bnumber%5D=16\u0026page%5Btoken%5D=b82cef018aab81ed1d4bb4xb35xxfc065da7efa685fbcecdbd338f3015e3afabbbfa3a911b4984_721ee28a-zecb-4e45-9960-c42065b574f4",
    "previous": "https://api.datadoghq.com/api/v2/security/vulnerabilities?page%5Bnumber%5D=14\u0026page%5Btoken%5D=b82cef018aab81ed1d4bb4xb35xxfc065da7efa685fbcecdbd338f3015e3afabbbfa3a911b4984_721ee28a-zecb-4e45-9960-c42065b574f4",
    "self": "https://api.datadoghq.com/api/v2/security/vulnerabilities?filter%5Btool%5D=Infra"
  },
  "meta": {
    "count": 150,
    "token": "b82cef018aab81ed1d4bb4xb35xxfc065da7efa685fbcecdbd338f3015e3afabbbfa3a911b4984_721ee28a-zecb-4e45-9960-c42065b574f4",
    "total": 152431
  }
}
```

{% /tab %}

{% /tab %}

{% tab title="400" %}
Bad request: The server cannot process the request due to invalid syntax in the request.
{% tab title="Model" %}
API error response.

| Parent field | Field                    | Type     | Description                                                                     |
| ------------ | ------------------------ | -------- | ------------------------------------------------------------------------------- |
|              | errors [*required*] | [object] | A list of errors.                                                               |
| errors       | detail                   | string   | A human-readable explanation specific to this occurrence of the error.          |
| errors       | meta                     | object   | Non-standard meta-information about the error                                   |
| errors       | source                   | object   | References to the source of the error.                                          |
| source       | header                   | string   | A string indicating the name of a single request header which caused the error. |
| source       | parameter                | string   | A string indicating which URI query parameter caused the error.                 |
| source       | pointer                  | string   | A JSON pointer to the value in the request document that caused the error.      |
| errors       | status                   | string   | Status code of the response.                                                    |
| errors       | title                    | string   | Short human-readable summary of the error.                                      |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    {
      "detail": "Missing required attribute in body",
      "meta": {},
      "source": {
        "header": "Authorization",
        "parameter": "limit",
        "pointer": "/data/attributes/title"
      },
      "status": "400",
      "title": "Bad Request"
    }
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="403" %}
Forbidden: Access denied
{% tab title="Model" %}
API error response.

| Parent field | Field                    | Type     | Description                                                                     |
| ------------ | ------------------------ | -------- | ------------------------------------------------------------------------------- |
|              | errors [*required*] | [object] | A list of errors.                                                               |
| errors       | detail                   | string   | A human-readable explanation specific to this occurrence of the error.          |
| errors       | meta                     | object   | Non-standard meta-information about the error                                   |
| errors       | source                   | object   | References to the source of the error.                                          |
| source       | header                   | string   | A string indicating the name of a single request header which caused the error. |
| source       | parameter                | string   | A string indicating which URI query parameter caused the error.                 |
| source       | pointer                  | string   | A JSON pointer to the value in the request document that caused the error.      |
| errors       | status                   | string   | Status code of the response.                                                    |
| errors       | title                    | string   | Short human-readable summary of the error.                                      |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    {
      "detail": "Missing required attribute in body",
      "meta": {},
      "source": {
        "header": "Authorization",
        "parameter": "limit",
        "pointer": "/data/attributes/title"
      },
      "status": "400",
      "title": "Bad Request"
    }
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="404" %}
Not found: There is no request associated with the provided token.
{% tab title="Model" %}
API error response.

| Parent field | Field                    | Type     | Description                                                                     |
| ------------ | ------------------------ | -------- | ------------------------------------------------------------------------------- |
|              | errors [*required*] | [object] | A list of errors.                                                               |
| errors       | detail                   | string   | A human-readable explanation specific to this occurrence of the error.          |
| errors       | meta                     | object   | Non-standard meta-information about the error                                   |
| errors       | source                   | object   | References to the source of the error.                                          |
| source       | header                   | string   | A string indicating the name of a single request header which caused the error. |
| source       | parameter                | string   | A string indicating which URI query parameter caused the error.                 |
| source       | pointer                  | string   | A JSON pointer to the value in the request document that caused the error.      |
| errors       | status                   | string   | Status code of the response.                                                    |
| errors       | title                    | string   | Short human-readable summary of the error.                                      |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    {
      "detail": "Missing required attribute in body",
      "meta": {},
      "source": {
        "header": "Authorization",
        "parameter": "limit",
        "pointer": "/data/attributes/title"
      },
      "status": "400",
      "title": "Bad Request"
    }
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="429" %}
Too many requests
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

### Code Example

```bash
# Curl command
# Replace api.datadoghq.com with the API host for your Datadog site:
# api.ap1.datadoghq.com, api.ap2.datadoghq.com, api.datadoghq.eu,
# api.ddog-gov.com, api.us3.datadoghq.com, or api.us5.datadoghq.com
curl -X GET "https://api.datadoghq.com/api/v2/security/vulnerabilities" \
-H "Accept: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"
```

```python
"""
List vulnerabilities returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.asset_type import AssetType
from datadog_api_client.v2.model.vulnerability_severity import VulnerabilitySeverity
from datadog_api_client.v2.model.vulnerability_tool import VulnerabilityTool

configuration = Configuration()
configuration.unstable_operations["list_vulnerabilities"] = True
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.list_vulnerabilities(
        filter_cvss_base_severity=VulnerabilitySeverity.HIGH,
        filter_tool=VulnerabilityTool.INFRA,
        filter_asset_type=AssetType.SERVICE,
    )

    print(response)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=python) and then save the example to `example.py` and run the following command, with `DD_SITE` set to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"

```ruby
# List vulnerabilities returns "OK" response

require "datadog_api_client"
DatadogAPIClient.configure do |config|
  config.unstable_operations["v2.list_vulnerabilities".to_sym] = true
end
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new
opts = {
  filter_cvss_base_severity: VulnerabilitySeverity::HIGH,
  filter_asset_type: AssetType::SERVICE,
  filter_tool: VulnerabilityTool::INFRA,
}
p api_instance.list_vulnerabilities(opts)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=ruby) and then save the example to `example.rb` and run the following command, with `DD_SITE` set to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" ruby "example.rb"

```go
// List vulnerabilities returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	configuration.SetUnstableOperationEnabled("v2.ListVulnerabilities", true)
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.ListVulnerabilities(ctx, *datadogV2.NewListVulnerabilitiesOptionalParameters().WithFilterCvssBaseSeverity(datadogV2.VULNERABILITYSEVERITY_HIGH).WithFilterAssetType(datadogV2.ASSETTYPE_SERVICE).WithFilterTool(datadogV2.VULNERABILITYTOOL_INFRA))

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.ListVulnerabilities`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.ListVulnerabilities`:\n%s\n", responseContent)
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=go) and then save the example to `main.go` and run the following command, with `DD_SITE` set to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"

```java
// List vulnerabilities returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.api.SecurityMonitoringApi.ListVulnerabilitiesOptionalParameters;
import com.datadog.api.client.v2.model.AssetType;
import com.datadog.api.client.v2.model.ListVulnerabilitiesResponse;
import com.datadog.api.client.v2.model.VulnerabilitySeverity;
import com.datadog.api.client.v2.model.VulnerabilityTool;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    defaultClient.setUnstableOperationEnabled("v2.listVulnerabilities", true);
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    try {
      ListVulnerabilitiesResponse result =
          apiInstance.listVulnerabilities(
              new ListVulnerabilitiesOptionalParameters()
                  .filterCvssBaseSeverity(VulnerabilitySeverity.HIGH)
                  .filterAssetType(AssetType.SERVICE)
                  .filterTool(VulnerabilityTool.INFRA));
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println("Exception when calling SecurityMonitoringApi#listVulnerabilities");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=java) and then save the example to `Example.java` and run the following command, with `DD_SITE` set to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"

```rust
// List vulnerabilities returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::ListVulnerabilitiesOptionalParams;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::AssetType;
use datadog_api_client::datadogV2::model::VulnerabilitySeverity;
use datadog_api_client::datadogV2::model::VulnerabilityTool;

#[tokio::main]
async fn main() {
    let mut configuration = datadog::Configuration::new();
    configuration.set_unstable_operation_enabled("v2.ListVulnerabilities", true);
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api
        .list_vulnerabilities(
            ListVulnerabilitiesOptionalParams::default()
                .filter_cvss_base_severity(VulnerabilitySeverity::HIGH)
                .filter_asset_type(AssetType::SERVICE)
                .filter_tool(VulnerabilityTool::INFRA),
        )
        .await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=rust) and then save the example to `src/main.rs` and run the following command, with `DD_SITE` set to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run

```typescript
/**
 * List vulnerabilities returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
configuration.unstableOperations["v2.listVulnerabilities"] = true;
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiListVulnerabilitiesRequest = {
  filterCvssBaseSeverity: "High",
  filterTool: "Infra",
  filterAssetType: "Service",
};

apiInstance
  .listVulnerabilities(params)
  .then((data: v2.ListVulnerabilitiesResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=typescript) and then save the example to `example.ts` and run the following command, with `DD_SITE` set to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"

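
The following is an added example, not part of the Datadog client libraries or documentation: it turns a `200` response from the List vulnerabilities endpoint into a ranked worklist using the `status`, `cvss`, `risks`, `fix_available`, `remediations` and `relationships.affects` fields of the response model. The ranking rule (known exploit first, then score, then EPSS), the `triage` function name and the sample findings are assumptions constructed for illustration.

```python
"""Rank open findings from a List vulnerabilities response (added example)."""

# Constructed sample shaped like the 200 response model; these are not real findings.
SAMPLE_RESPONSE = {
    "data": [
        {
            "id": "constructed-0001",
            "type": "vulnerabilities",
            "attributes": {
                "status": "Open",
                "cve_list": ["CVE-0000-0001"],
                "cvss": {"base": {"score": 9.8}, "datadog": {"score": 6.1}},
                "risks": {"epss": {"score": 0.02}, "exploit_available": False},
                "fix_available": True,
                "remediations": [{"library_name": "stdlib",
                                  "library_version": "Upgrade to a version >= 1.20.0"}],
            },
            "relationships": {"affects": {"data": {"id": "Service|constructed-api",
                                                   "type": "assets"}}},
        },
        {   # No Datadog-adjusted score: the base score is used instead.
            "id": "constructed-0002",
            "type": "vulnerabilities",
            "attributes": {
                "status": "Open",
                "cve_list": ["CVE-0000-0002"],
                "cvss": {"base": {"score": 7.5}},
                "risks": {"epss": {"score": 0.6}, "exploit_available": True},
                "fix_available": False,
            },
            "relationships": {"affects": {"data": {"id": "Host|constructed-host",
                                                   "type": "assets"}}},
        },
        {   # Not open, so it is skipped even though its score is the highest.
            "id": "constructed-0003",
            "type": "vulnerabilities",
            "attributes": {"status": "Remediated",
                           "cvss": {"datadog": {"score": 9.9}},
                           "risks": {"exploit_available": True}},
        },
        {   # Sparse record: no cvss, no relationships.
            "id": "constructed-0004",
            "type": "vulnerabilities",
            "attributes": {"status": "Open",
                           "risks": {"epss": {"score": 0.9}, "exploit_available": True},
                           "fix_available": True},
        },
    ]
}


def triage(response):
    """Return open findings, most urgent first, tolerating absent optional fields."""
    rows = []
    for item in response.get("data") or []:
        attrs = item.get("attributes") or {}
        if attrs.get("status") != "Open":
            continue
        cvss = attrs.get("cvss") or {}
        risks = attrs.get("risks") or {}
        # Prefer the Datadog-adjusted score, fall back to the base score.
        scored = cvss.get("datadog") or cvss.get("base") or {}
        affects = ((item.get("relationships") or {}).get("affects") or {}).get("data") or {}
        rows.append({
            "id": item.get("id"),
            "asset": affects.get("id"),
            "cves": list(attrs.get("cve_list") or []),
            "score": float(scored.get("score") or 0.0),
            "epss": float((risks.get("epss") or {}).get("score") or 0.0),
            "exploit_available": bool(risks.get("exploit_available")),
            "fix_available": bool(attrs.get("fix_available")),
            "fixes": [f'{r.get("library_name", "?")}: {r.get("library_version", "?")}'
                      for r in attrs.get("remediations") or []],
        })
    # Assumed local policy: known exploit first, then score, then EPSS.
    rows.sort(key=lambda r: (r["exploit_available"], r["score"], r["epss"]), reverse=True)
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_RESPONSE):
        print(row["id"], row["asset"], row["score"], row["exploit_available"], row["fixes"])
```
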
## List vulnerable assets{% #list-vulnerable-assets %}

{% tab title="v2" %}
**Note**: This endpoint is in private preview. If you are interested in accessing this API, [fill out this form](https://forms.gle/kMYC1sDr6WDUBDsx9).

| Datadog site      | API endpoint                                                        |
| ----------------- | ------------------------------------------------------------------- |
| ap1.datadoghq.com | GET https://api.ap1.datadoghq.com/api/v2/security/vulnerable-assets |
| ap2.datadoghq.com | GET https://api.ap2.datadoghq.com/api/v2/security/vulnerable-assets |
| app.datadoghq.eu  | GET https://api.datadoghq.eu/api/v2/security/vulnerable-assets      |
| app.ddog-gov.com  | GET https://api.ddog-gov.com/api/v2/security/vulnerable-assets      |
| app.datadoghq.com | GET https://api.datadoghq.com/api/v2/security/vulnerable-assets     |
| us3.datadoghq.com | GET https://api.us3.datadoghq.com/api/v2/security/vulnerable-assets |
| us5.datadoghq.com | GET https://api.us5.datadoghq.com/api/v2/security/vulnerable-assets |

### Overview

Get a list of vulnerable assets.

### Pagination{% #pagination %}

Please review the Pagination section for the "List Vulnerabilities" endpoint.

### Filtering{% #filtering %}

Please review the Filtering section for the "List Vulnerabilities" endpoint.

### Metadata{% #metadata %}

Please review the Metadata section for the "List Vulnerabilities" endpoint.

This endpoint requires the `appsec_vm_read` permission.


### Arguments

#### Query Strings

| Name                                       | Type    | Description                                                                                                 |
| ------------------------------------------ | ------- | ----------------------------------------------------------------------------------------------------------- |
| page[token]                                | string  | Its value must come from the `links` section of the response of the first request. Do not manually edit it. |
| page[number]                               | integer | The page number to be retrieved. It should be equal to or greater than `1`.                                 |
| filter[name]                               | string  | Filter by name. This field supports the usage of wildcards (*).                                             |
| filter[type]                               | enum    | Filter by type. Allowed enum values: `Repository, Service, Host, HostImage, Image`                          |
| filter[version.first]                      | string  | Filter by the first version of the asset since it has been vulnerable.                                      |
| filter[version.last]                       | string  | Filter by the last detected version of the asset.                                                           |
| filter[repository_url]                     | string  | Filter by the repository url associated to the asset.                                                       |
| filter[risks.in_production]                | boolean | Filter whether the asset is in production or not.                                                           |
| filter[risks.under_attack]                 | boolean | Filter whether the asset (Service) is under attack or not.                                                  |
| filter[risks.is_publicly_accessible]       | boolean | Filter whether the asset (Host) is publicly accessible or not.                                              |
| filter[risks.has_privileged_access]        | boolean | Filter whether the asset (Host) has privileged access or not.                                               |
| filter[risks.has_access_to_sensitive_data] | boolean | Filter whether the asset (Host) has access to sensitive data or not.                                        |
| filter[environments]                       | string  | Filter by environment.                                                                                      |
| filter[teams]                              | string  | Filter by teams.                                                                                            |
| filter[arch]                               | string  | Filter by architecture.                                                                                     |
| filter[operating_system.name]              | string  | Filter by operating system name.                                                                            |
| filter[operating_system.version]           | string  | Filter by operating system version.                                                                         |
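
The `page[token]` rule above means a client should follow the `links.next` value it was given rather than build page URLs itself. The following added example (not Datadog client code) does that while checking each link before the API keys are sent to it. The names `check_link` and `iter_pages`, the injected `fetch` callable and the sample pages are assumptions constructed for illustration, and the token comparison assumes links carry the same value as `meta.token`, as in the example responses on this page.

```python
"""Follow JSON:API pagination links without letting them redirect the API keys."""
from urllib.parse import parse_qs, urlsplit

BASE = "https://api.datadoghq.com/api/v2/security/vulnerable-assets"
TOKEN = "constructed-token-0001"  # constructed placeholder, not a real page token


class UnsafeLinkError(ValueError):
    """A pagination link points somewhere the first request did not."""


def check_link(link_url, first_url, token):
    """Return link_url unchanged if it stays on the endpoint of first_url."""
    link, first = urlsplit(link_url), urlsplit(first_url)
    if link.scheme != "https":
        raise UnsafeLinkError("not https: " + link_url)
    # hostname ignores any userinfo part, so a "host@other" URL is compared by "other".
    if (link.hostname, link.port) != (first.hostname, first.port):
        raise UnsafeLinkError("different host: " + link_url)
    if link.path != first.path:
        raise UnsafeLinkError("different path: " + link_url)
    query = parse_qs(link.query)  # decodes page%5Btoken%5D to page[token]
    number = query.get("page[number]", [])
    if len(number) != 1 or not (number[0].isascii() and number[0].isdigit()):
        raise UnsafeLinkError("bad page[number]: " + link_url)
    if int(number[0]) < 1:
        raise UnsafeLinkError("page[number] below 1: " + link_url)
    # Assumption from the example responses: links carry the same token as meta.token.
    if query.get("page[token]") != [token]:
        raise UnsafeLinkError("page[token] does not match meta.token: " + link_url)
    return link_url


def iter_pages(fetch, first_url, max_pages=1000):
    """Yield each response document, following links.next verbatim."""
    url, seen = first_url, set()
    for _ in range(max_pages):
        if url in seen:
            raise UnsafeLinkError("pagination loop at " + url)
        seen.add(url)
        page = fetch(url)  # fetch(url) -> parsed JSON document
        yield page
        next_url = (page.get("links") or {}).get("next")
        if not next_url:
            return
        token = (page.get("meta") or {}).get("token")
        url = check_link(next_url, first_url, token)
    raise UnsafeLinkError("more than max_pages pages")


def page_url(number, host="api.datadoghq.com"):
    """Build a constructed page link in the percent-encoded form the API returns."""
    return (f"https://{host}/api/v2/security/vulnerable-assets"
            f"?page%5Bnumber%5D={number}&page%5Btoken%5D={TOKEN}")


FIRST = BASE + "?filter%5Btype%5D=Host"

# Constructed two-page result set.
GOOD_PAGES = {
    FIRST: {"data": [{"id": "Host|constructed-a"}],
            "links": {"next": page_url(2)}, "meta": {"token": TOKEN}},
    page_url(2): {"data": [{"id": "Host|constructed-b"}],
                  "links": {}, "meta": {"token": TOKEN}},
}
# Constructed response whose next link names another host (reserved .invalid TLD).
BAD_PAGES = {
    FIRST: {"data": [{"id": "Host|constructed-a"}],
            "links": {"next": page_url(2, "collector.invalid")}, "meta": {"token": TOKEN}},
}


def collect_ids(pages, first_url=FIRST):
    """Walk constructed pages; pages.__getitem__ stands in for an HTTP GET."""
    return [item["id"]
            for page in iter_pages(pages.__getitem__, first_url)
            for item in page["data"]]


def is_rejected(pages, first_url=FIRST):
    """True when following the links raises UnsafeLinkError."""
    try:
        collect_ids(pages, first_url)
    except UnsafeLinkError:
        return True
    return False


if __name__ == "__main__":
    print(collect_ids(GOOD_PAGES))
    print(is_rejected(BAD_PAGES))
```

In real use, `fetch` would be a function that issues the GET with the `DD-API-KEY` and `DD-APPLICATION-KEY` headers and returns the parsed JSON body.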

### Response

{% tab title="200" %}
OK
{% tab title="Model" %}
The expected response schema when listing vulnerable assets.

| Parent field     | Field                           | Type     | Description                                                                   |
| ---------------- | ------------------------------- | -------- | ----------------------------------------------------------------------------- |
|                  | data [*required*]          | [object] | List of vulnerable assets.                                                    |
| data             | attributes [*required*]    | object   | The JSON:API attributes of the asset.                                         |
| attributes       | arch                            | string   | Asset architecture.                                                           |
| attributes       | environments [*required*]  | [string] | List of environments where the asset is deployed.                             |
| attributes       | name [*required*]          | string   | Asset name.                                                                   |
| attributes       | operating_system                | object   | Asset operating system.                                                       |
| operating_system | description                     | string   | Operating system version.                                                     |
| operating_system | name [*required*]          | string   | Operating system name.                                                        |
| attributes       | risks [*required*]         | object   | Asset risks.                                                                  |
| risks            | has_access_to_sensitive_data    | boolean  | Whether the asset has access to sensitive data or not.                        |
| risks            | has_privileged_access           | boolean  | Whether the asset has privileged access or not.                               |
| risks            | in_production [*required*] | boolean  | Whether the asset is in production or not.                                    |
| risks            | is_publicly_accessible          | boolean  | Whether the asset is publicly accessible or not.                              |
| risks            | under_attack                    | boolean  | Whether the asset is under attack or not.                                     |
| attributes       | teams                           | [string] | List of teams that own the asset.                                             |
| attributes       | type [*required*]          | enum     | The asset type. Allowed enum values: `Repository,Service,Host,HostImage,Image` |
| attributes       | version                         | object   | Asset version.                                                                |
| version          | first                           | string   | Asset first version.                                                          |
| version          | last                            | string   | Asset last version.                                                           |
| data             | id [*required*]            | string   | The unique ID for this asset.                                                 |
| data             | type [*required*]          | enum     | The JSON:API type. Allowed enum values: `assets`                              |
|                  | links                           | object   | The JSON:API links related to pagination.                                     |
| links            | first [*required*]         | string   | First page link.                                                              |
| links            | last [*required*]          | string   | Last page link.                                                               |
| links            | next                            | string   | Next page link.                                                               |
| links            | previous                        | string   | Previous page link.                                                           |
| links            | self [*required*]          | string   | Request link.                                                                 |
|                  | meta                            | object   | The metadata related to this request.                                         |
| meta             | count [*required*]         | int64    | Number of entities included in the response.                                  |
| meta             | token [*required*]         | string   | The token that identifies the request.                                        |
| meta             | total [*required*]         | int64    | Total number of entities across all pages.                                    |

{% /tab %}

{% tab title="Example" %}

```json
{
  "data": [
    {
      "attributes": {
        "arch": "arm64",
        "environments": [
          "staging"
        ],
        "name": "github.com/DataDog/datadog-agent.git",
        "operating_system": {
          "description": "24.04",
          "name": "ubuntu"
        },
        "risks": {
          "has_access_to_sensitive_data": false,
          "has_privileged_access": false,
          "in_production": false,
          "is_publicly_accessible": false,
          "under_attack": false
        },
        "teams": [
          "compute"
        ],
        "type": "Repository",
        "version": {
          "first": "_latest",
          "last": "_latest"
        }
      },
      "id": "Repository|github.com/DataDog/datadog-agent.git",
      "type": "assets"
    }
  ],
  "links": {
    "first": "https://api.datadoghq.com/api/v2/security/vulnerabilities?page%5Bnumber%5D=1\u0026page%5Btoken%5D=b82cef018aab81ed1d4bb4xb35xxfc065da7efa685fbcecdbd338f3015e3afabbbfa3a911b4984_721ee28a-zecb-4e45-9960-c42065b574f4",
    "last": "https://api.datadoghq.com/api/v2/security/vulnerabilities?page%5Bnumber%5D=15\u0026page%5Btoken%5D=b82cef018aab81ed1d4bb4xb35xxfc065da7efa685fbcecdbd338f3015e3afabbbfa3a911b4984_721ee28a-zecb-4e45-9960-c42065b574f4",
    "next": "https://api.datadoghq.com/api/v2/security/vulnerabilities?page%5Bnumber%5D=16\u0026page%5Btoken%5D=b82cef018aab81ed1d4bb4xb35xxfc065da7efa685fbcecdbd338f3015e3afabbbfa3a911b4984_721ee28a-zecb-4e45-9960-c42065b574f4",
    "previous": "https://api.datadoghq.com/api/v2/security/vulnerabilities?page%5Bnumber%5D=14\u0026page%5Btoken%5D=b82cef018aab81ed1d4bb4xb35xxfc065da7efa685fbcecdbd338f3015e3afabbbfa3a911b4984_721ee28a-zecb-4e45-9960-c42065b574f4",
    "self": "https://api.datadoghq.com/api/v2/security/vulnerabilities?filter%5Btool%5D=Infra"
  },
  "meta": {
    "count": 150,
    "token": "b82cef018aab81ed1d4bb4xb35xxfc065da7efa685fbcecdbd338f3015e3afabbbfa3a911b4984_721ee28a-zecb-4e45-9960-c42065b574f4",
    "total": 152431
  }
}
```

{% /tab %}

{% /tab %}

{% tab title="400" %}
Bad request: The server cannot process the request due to invalid syntax in the request.
{% tab title="Model" %}
API error response.

| Parent field | Field                    | Type     | Description                                                                     |
| ------------ | ------------------------ | -------- | ------------------------------------------------------------------------------- |
|              | errors [*required*] | [object] | A list of errors.                                                               |
| errors       | detail                   | string   | A human-readable explanation specific to this occurrence of the error.          |
| errors       | meta                     | object   | Non-standard meta-information about the error                                   |
| errors       | source                   | object   | References to the source of the error.                                          |
| source       | header                   | string   | A string indicating the name of a single request header which caused the error. |
| source       | parameter                | string   | A string indicating which URI query parameter caused the error.                 |
| source       | pointer                  | string   | A JSON pointer to the value in the request document that caused the error.      |
| errors       | status                   | string   | Status code of the response.                                                    |
| errors       | title                    | string   | Short human-readable summary of the error.                                      |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    {
      "detail": "Missing required attribute in body",
      "meta": {},
      "source": {
        "header": "Authorization",
        "parameter": "limit",
        "pointer": "/data/attributes/title"
      },
      "status": "400",
      "title": "Bad Request"
    }
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="403" %}
Forbidden: Access denied
{% tab title="Model" %}
API error response.

| Parent field | Field                    | Type     | Description                                                                     |
| ------------ | ------------------------ | -------- | ------------------------------------------------------------------------------- |
|              | errors [*required*] | [object] | A list of errors.                                                               |
| errors       | detail                   | string   | A human-readable explanation specific to this occurrence of the error.          |
| errors       | meta                     | object   | Non-standard meta-information about the error                                   |
| errors       | source                   | object   | References to the source of the error.                                          |
| source       | header                   | string   | A string indicating the name of a single request header which caused the error. |
| source       | parameter                | string   | A string indicating which URI query parameter caused the error.                 |
| source       | pointer                  | string   | A JSON pointer to the value in the request document that caused the error.      |
| errors       | status                   | string   | Status code of the response.                                                    |
| errors       | title                    | string   | Short human-readable summary of the error.                                      |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    {
      "detail": "Missing required attribute in body",
      "meta": {},
      "source": {
        "header": "Authorization",
        "parameter": "limit",
        "pointer": "/data/attributes/title"
      },
      "status": "400",
      "title": "Bad Request"
    }
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="404" %}
Not found: There is no request associated with the provided token.
{% tab title="Model" %}
API error response.

| Parent field | Field                    | Type     | Description                                                                     |
| ------------ | ------------------------ | -------- | ------------------------------------------------------------------------------- |
|              | errors [*required*] | [object] | A list of errors.                                                               |
| errors       | detail                   | string   | A human-readable explanation specific to this occurrence of the error.          |
| errors       | meta                     | object   | Non-standard meta-information about the error                                   |
| errors       | source                   | object   | References to the source of the error.                                          |
| source       | header                   | string   | A string indicating the name of a single request header which caused the error. |
| source       | parameter                | string   | A string indicating which URI query parameter caused the error.                 |
| source       | pointer                  | string   | A JSON pointer to the value in the request document that caused the error.      |
| errors       | status                   | string   | Status code of the response.                                                    |
| errors       | title                    | string   | Short human-readable summary of the error.                                      |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    {
      "detail": "Missing required attribute in body",
      "meta": {},
      "source": {
        "header": "Authorization",
        "parameter": "limit",
        "pointer": "/data/attributes/title"
      },
      "status": "400",
      "title": "Bad Request"
    }
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="429" %}
Too many requests
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

### Code Example

```bash
# Curl command (api.datadoghq.com shown; use the API host for your Datadog site)
curl -X GET "https://api.datadoghq.com/api/v2/security/vulnerable-assets" \
-H "Accept: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"
```

```python
"""
List vulnerable assets returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.asset_type import AssetType

configuration = Configuration()
configuration.unstable_operations["list_vulnerable_assets"] = True
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.list_vulnerable_assets(
        filter_type=AssetType.HOST,
        filter_repository_url="github.com/datadog/dd-go",
        filter_risks_in_production=True,
    )

    print(response)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=python), then save the example to `example.py` and run the following command:

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
```

```ruby
# List vulnerable assets returns "OK" response

require "datadog_api_client"
DatadogAPIClient.configure do |config|
  config.unstable_operations["v2.list_vulnerable_assets".to_sym] = true
end
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new
opts = {
  filter_type: DatadogAPIClient::V2::AssetType::HOST,
  filter_repository_url: "github.com/datadog/dd-go",
  filter_risks_in_production: true,
}
p api_instance.list_vulnerable_assets(opts)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=ruby), then save the example to `example.rb` and run the following command:

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" ruby "example.rb"
```

```go
// List vulnerable assets returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	configuration.SetUnstableOperationEnabled("v2.ListVulnerableAssets", true)
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.ListVulnerableAssets(ctx, *datadogV2.NewListVulnerableAssetsOptionalParameters().WithFilterType(datadogV2.ASSETTYPE_HOST).WithFilterRepositoryUrl("github.com/datadog/dd-go").WithFilterRisksInProduction(true))

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.ListVulnerableAssets`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.ListVulnerableAssets`:\n%s\n", responseContent)
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=go), then save the example to `main.go` and run the following command:

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
```

```java
// List vulnerable assets returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.api.SecurityMonitoringApi.ListVulnerableAssetsOptionalParameters;
import com.datadog.api.client.v2.model.AssetType;
import com.datadog.api.client.v2.model.ListVulnerableAssetsResponse;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    defaultClient.setUnstableOperationEnabled("v2.listVulnerableAssets", true);
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    try {
      ListVulnerableAssetsResponse result =
          apiInstance.listVulnerableAssets(
              new ListVulnerableAssetsOptionalParameters()
                  .filterType(AssetType.HOST)
                  .filterRepositoryUrl("github.com/datadog/dd-go")
                  .filterRisksInProduction(true));
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println("Exception when calling SecurityMonitoringApi#listVulnerableAssets");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=java), then save the example to `Example.java` and run the following command:

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"
```

```rust
// List vulnerable assets returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::ListVulnerableAssetsOptionalParams;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::AssetType;

#[tokio::main]
async fn main() {
    let mut configuration = datadog::Configuration::new();
    configuration.set_unstable_operation_enabled("v2.ListVulnerableAssets", true);
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api
        .list_vulnerable_assets(
            ListVulnerableAssetsOptionalParams::default()
                .filter_type(AssetType::HOST)
                .filter_repository_url("github.com/datadog/dd-go".to_string())
                .filter_risks_in_production(true),
        )
        .await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=rust), then save the example to `src/main.rs` and run the following command:

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run
```

```typescript
/**
 * List vulnerable assets returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
configuration.unstableOperations["v2.listVulnerableAssets"] = true;
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiListVulnerableAssetsRequest = {
  filterType: "Host",
  filterRepositoryUrl: "github.com/datadog/dd-go",
  filterRisksInProduction: true,
};

apiInstance
  .listVulnerableAssets(params)
  .then((data: v2.ListVulnerableAssetsResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=typescript), then save the example to `example.ts` and run the following command:

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"
```
{% /tab %}
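
The `200` response of this endpoint carries per-asset `risks` flags and JSON:API `links`/`meta` pagination fields. The following is an added example, not part of the Datadog documentation or client libraries, that ranks the returned assets by those flags and extracts the next page's parameters from `links.next` only after checking the link's host. The weights, function names, expected host, and sample document are assumptions constructed for illustration.

```python
import json
from urllib.parse import parse_qs, urlsplit

# Constructed sample in the shape of the 200 response model (not real data).
SAMPLE_PAGE = json.loads("""
{
  "data": [
    {"id": "Repository|github.com/example/payments.git", "type": "assets",
     "attributes": {"name": "github.com/example/payments.git", "type": "Repository",
       "teams": ["payments"],
       "risks": {"has_access_to_sensitive_data": true, "has_privileged_access": false,
                 "in_production": false, "is_publicly_accessible": false,
                 "under_attack": false}}},
    {"id": "Host|web-01.example", "type": "assets",
     "attributes": {"name": "web-01.example", "type": "Host", "teams": ["edge"],
       "risks": {"has_access_to_sensitive_data": false, "has_privileged_access": false,
                 "in_production": true, "is_publicly_accessible": true,
                 "under_attack": true}}},
    {"id": "Host|build-07.example", "type": "assets",
     "attributes": {"name": "build-07.example", "type": "Host", "teams": ["compute"],
       "risks": {"has_access_to_sensitive_data": false, "has_privileged_access": true,
                 "in_production": false, "is_publicly_accessible": false,
                 "under_attack": false}}}
  ],
  "links": {
    "first": "https://api.datadoghq.com/api/v2/security/vulnerable-assets?page%5Bnumber%5D=1&page%5Btoken%5D=constructed-token",
    "last": "https://api.datadoghq.com/api/v2/security/vulnerable-assets?page%5Bnumber%5D=3&page%5Btoken%5D=constructed-token",
    "next": "https://api.datadoghq.com/api/v2/security/vulnerable-assets?page%5Bnumber%5D=2&page%5Btoken%5D=constructed-token",
    "self": "https://api.datadoghq.com/api/v2/security/vulnerable-assets"
  },
  "meta": {"count": 3, "token": "constructed-token", "total": 7}
}
""")

# Hypothetical triage weights; tune them to your own exposure model.
RISK_WEIGHTS = {
    "under_attack": 8,
    "is_publicly_accessible": 4,
    "in_production": 3,
    "has_privileged_access": 2,
    "has_access_to_sensitive_data": 2,
}


def triage(page):
    """Return one row per asset, highest risk score first (ties broken by id)."""
    rows = []
    for asset in page.get("data", []):
        if asset.get("type") != "assets":
            continue  # ignore anything that is not a JSON:API asset object
        attrs = asset.get("attributes", {})
        risks = attrs.get("risks", {})
        # Only an explicit JSON true counts; a missing flag is treated as unknown.
        flags = sorted(f for f in RISK_WEIGHTS if risks.get(f) is True)
        rows.append({
            "id": asset["id"],
            "score": sum(RISK_WEIGHTS[f] for f in flags),
            "flags": flags,
            "teams": attrs.get("teams", []),
        })
    return sorted(rows, key=lambda r: (-r["score"], r["id"]))


def next_page_params(page, expected_host="api.datadoghq.com"):
    """Extract page[number] and page[token] from links.next, or None on the last page.

    The link is parsed rather than requested directly, so the API and application
    keys are never sent to a host other than the one the caller expects.
    """
    nxt = page.get("links", {}).get("next")
    if not nxt:
        return None
    parts = urlsplit(nxt)
    if parts.scheme != "https" or parts.hostname != expected_host:
        raise ValueError(f"unexpected pagination link host: {parts.hostname!r}")
    query = parse_qs(parts.query)
    return {
        "page[number]": int(query["page[number]"][0]),
        "page[token]": query["page[token]"][0],
    }


def remaining(page, fetched_so_far):
    """Number of entities still to fetch, based on meta.total."""
    return max(page["meta"]["total"] - fetched_so_far, 0)


if __name__ == "__main__":
    for row in triage(SAMPLE_PAGE):
        print(row["score"], row["id"], ",".join(row["flags"]))
    print("next:", next_page_params(SAMPLE_PAGE))
    print("remaining:", remaining(SAMPLE_PAGE, SAMPLE_PAGE["meta"]["count"]))
```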

## Get SBOM{% #get-sbom %}

{% tab title="v2" %}

| Datadog site      | API endpoint                                                         |
| ----------------- | -------------------------------------------------------------------- |
| ap1.datadoghq.com | GET https://api.ap1.datadoghq.com/api/v2/security/sboms/{asset_type} |
| ap2.datadoghq.com | GET https://api.ap2.datadoghq.com/api/v2/security/sboms/{asset_type} |
| app.datadoghq.eu  | GET https://api.datadoghq.eu/api/v2/security/sboms/{asset_type}      |
| app.ddog-gov.com  | GET https://api.ddog-gov.com/api/v2/security/sboms/{asset_type}      |
| app.datadoghq.com | GET https://api.datadoghq.com/api/v2/security/sboms/{asset_type}     |
| us3.datadoghq.com | GET https://api.us3.datadoghq.com/api/v2/security/sboms/{asset_type} |
| us5.datadoghq.com | GET https://api.us5.datadoghq.com/api/v2/security/sboms/{asset_type} |

### Overview

Get a single SBOM related to an asset by its type and name. This endpoint requires the `appsec_vm_read` permission.

### Arguments

#### Path Parameters

| Name                         | Type   | Description                                 |
| ---------------------------- | ------ | ------------------------------------------- |
| asset_type [*required*] | string | The type of the asset for the SBOM request. |

#### Query Strings

| Name                                 | Type   | Description                                                                                                                 |
| ------------------------------------ | ------ | --------------------------------------------------------------------------------------------------------------------------- |
| filter[asset_name] [*required*] | string | The name of the asset for the SBOM request.                                                                                 |
| filter[repo_digest]                  | string | The container image `repo_digest` for the SBOM request. When the requested asset type is 'Image', this filter is mandatory. |
| ext:format                           | enum   | The standard of the SBOM. Allowed enum values: `CycloneDX, SPDX`                                                            |

### Response

{% tab title="200" %}
OK
{% tab title="Model" %}
The expected response schema when getting an SBOM.

| Parent field | Field                          | Type     | Description                                                                                                                                                                                        |
| ------------ | ------------------------------ | -------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|              | data [*required*]         | object   | A single SBOM                                                                                                                                                                                      |
| data         | attributes                     | object   | The JSON:API attributes of the SBOM.                                                                                                                                                               |
| attributes   | bomFormat [*required*]    | string   | Specifies the format of the BOM. This helps to identify the file as CycloneDX since BOMs have no filename convention, nor does JSON schema support namespaces. This value MUST be `CycloneDX`.     |
| attributes   | components [*required*]   | [object] | A list of software and hardware components.                                                                                                                                                        |
| components   | bom-ref                        | string   | An optional identifier that can be used to reference the component elsewhere in the BOM.                                                                                                           |
| components   | licenses                       | [object] | The software licenses of the SBOM component.                                                                                                                                                       |
| licenses     | license [*required*]      | object   | The software license of the component of the SBOM.                                                                                                                                                 |
| license      | name [*required*]         | string   | The name of the software license of the component of the SBOM.                                                                                                                                     |
| components   | name [*required*]         | string   | The name of the component. This will often be a shortened, single name of the component.                                                                                                           |
| components   | properties                     | [object] | The custom properties of the component of the SBOM.                                                                                                                                                |
| properties   | name [*required*]         | string   | The name of the custom property of the component of the SBOM.                                                                                                                                      |
| properties   | value [*required*]        | string   | The value of the custom property of the component of the SBOM.                                                                                                                                     |
| components   | purl                           | string   | Specifies the package-url (purl). The purl, if specified, MUST be valid and conform to the [specification](https://github.com/package-url/purl-spec).                                              |
| components   | supplier [*required*]     | object   | The supplier of the component.                                                                                                                                                                     |
| supplier     | name [*required*]         | string   | Identifier of the supplier of the component.                                                                                                                                                       |
| components   | type [*required*]         | enum     | The SBOM component type. Allowed enum values: `application,container,data,device,device-driver,file,firmware,framework,library,machine-learning-model`                                             |
| components   | version [*required*]      | string   | The component version.                                                                                                                                                                             |
| attributes   | dependencies [*required*] | [object] | List of dependencies between components of the SBOM.                                                                                                                                               |
| dependencies | dependsOn                      | [string] | The components that are dependencies of the ref component.                                                                                                                                         |
| dependencies | ref                            | string   | The identifier for the related component.                                                                                                                                                          |
| attributes   | metadata [*required*]     | object   | Provides additional information about a BOM.                                                                                                                                                       |
| metadata     | authors                        | [object] | List of authors of the SBOM.                                                                                                                                                                       |
| authors      | name                           | string   | The identifier of the Author of the SBOM.                                                                                                                                                          |
| metadata     | component                      | object   | The component that the BOM describes.                                                                                                                                                              |
| component    | name                           | string   | The name of the component. This will often be a shortened, single name of the component.                                                                                                           |
| component    | type                           | string   | Specifies the type of the component.                                                                                                                                                               |
| metadata     | timestamp                      | string   | The timestamp of the SBOM creation.                                                                                                                                                                |
| attributes   | serialNumber [*required*] | string   | Every BOM generated has a unique serial number, even if the contents of the BOM have not changed over time. The serial number follows [RFC-4122](https://datatracker.ietf.org/doc/html/rfc4122).   |
| attributes   | specVersion [*required*]  | enum     | The version of the CycloneDX specification a BOM conforms to. Allowed enum values: `1.0,1.1,1.2,1.3,1.4,1.5`                                                                                       |
| attributes   | version [*required*]      | int64    | It increments when a BOM is modified. The default value is 1.                                                                                                                                      |
| data         | id                             | string   | The unique ID for this SBOM (it is equivalent to the `asset_name`, or `asset_name@repo_digest` for an Image).                                                                                      |
| data         | type                           | enum     | The JSON:API type. Allowed enum values: `sboms`                                                                                                                                                    |

{% /tab %}

{% tab title="Example" %}

```json
{
  "data": {
    "attributes": {
      "bomFormat": "CycloneDX",
      "components": [
        {
          "bom-ref": "pkg:golang/google.golang.org/grpc@1.68.1",
          "licenses": [
            {
              "license": {
                "name": "MIT"
              }
            }
          ],
          "name": "google.golang.org/grpc",
          "properties": [
            {
              "name": "license_type",
              "value": "permissive"
            }
          ],
          "purl": "pkg:golang/google.golang.org/grpc@1.68.1",
          "supplier": {
            "name": "https://go.dev"
          },
          "type": "application",
          "version": "1.68.1"
        }
      ],
      "dependencies": [
        {
          "dependsOn": [
            "pkg:golang/google.golang.org/grpc@1.68.1"
          ],
          "ref": "Repository|github.com/datadog/datadog-agent"
        }
      ],
      "metadata": {
        "authors": [
          {
            "name": "Datadog, Inc."
          }
        ],
        "component": {
          "name": "github.com/datadog/datadog-agent",
          "type": "application"
        },
        "timestamp": "2025-07-08T07:24:53Z"
      },
      "serialNumber": "urn:uuid:f7119d2f-1vgh-24b5-91f0-12010db72da7",
      "specVersion": "1.5",
      "version": 1
    },
    "id": "github.com/datadog/datadog-agent",
    "type": "sboms"
  }
}
```

{% /tab %}

{% /tab %}
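
The `components` and `dependencies` arrays in the response model above describe a dependency graph keyed by `bom-ref`. The following is an added example, not part of the Datadog documentation or client libraries, that walks the graph to find the chain that pulls a given component into the asset and lists components whose license needs review. The sample SBOM, the `example.com` packages, the `copyleft` property value, and all function names are assumptions constructed for illustration.

```python
from collections import deque

ROOT = "Repository|github.com/example/app"           # constructed root ref
GRPC = "pkg:golang/google.golang.org/grpc@1.68.1"    # bom-ref taken from the page's sample
CODEC = "pkg:golang/example.com/legacy/codec@0.9.0"  # constructed
FRAMING = "pkg:golang/example.com/net/framing@2.1.0" # constructed
SHIM = "pkg:golang/example.com/internal/shim@0.1.0"  # constructed


def _component(ref, license_name=None, license_type=None):
    """Build one constructed component in the shape of the response model."""
    name, version = ref[len("pkg:golang/"):].rsplit("@", 1)
    comp = {"bom-ref": ref, "purl": ref, "name": name, "version": version,
            "type": "library", "supplier": {"name": "https://go.dev"}}
    if license_name:
        comp["licenses"] = [{"license": {"name": license_name}}]
        comp["properties"] = [{"name": "license_type", "value": license_type}]
    return comp


# Constructed SBOM response (not real data).
SAMPLE_SBOM = {"data": {"id": "github.com/example/app", "type": "sboms", "attributes": {
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "components": [
        _component(GRPC, "MIT", "permissive"),
        _component(CODEC, "GPL-3.0-only", "copyleft"),
        _component(FRAMING, "BSD-3-Clause", "permissive"),
        _component(SHIM),  # no license information at all
    ],
    "dependencies": [
        {"ref": ROOT, "dependsOn": [GRPC, CODEC]},
        {"ref": GRPC, "dependsOn": [FRAMING]},
        {"ref": CODEC, "dependsOn": [FRAMING, SHIM]},
        {"ref": FRAMING, "dependsOn": [GRPC]},  # constructed cycle to exercise the walk
    ],
}}}


def sbom_attributes(doc):
    """Return data.attributes after checking the document is a CycloneDX SBOM."""
    data = doc.get("data", {})
    attrs = data.get("attributes", {})
    if data.get("type") != "sboms" or attrs.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX SBOM response")
    return attrs


def dependency_graph(doc):
    """Map each ref to the list of refs it depends on."""
    graph = {}
    for dep in sbom_attributes(doc).get("dependencies", []):
        if dep.get("ref") is not None:  # ref is optional in the model
            graph.setdefault(dep["ref"], []).extend(dep.get("dependsOn", []))
    return graph


def path_to(doc, target_ref):
    """Shortest chain of refs from a root (a ref nothing depends on) to target_ref."""
    graph = dependency_graph(doc)
    depended_on = {d for deps in graph.values() for d in deps}
    roots = sorted(r for r in graph if r not in depended_on)
    queue = deque([r] for r in roots)
    seen = set(roots)
    while queue:
        path = queue.popleft()
        if path[-1] == target_ref:
            return path
        for nxt in graph.get(path[-1], []):
            if nxt not in seen:  # the visited set keeps cycles from looping forever
                seen.add(nxt)
                queue.append(path + [nxt])
    return None


def license_findings(doc, allowed_types=("permissive",)):
    """List (purl, reason) for components with no license or a non-allowed license_type."""
    findings = []
    for comp in sbom_attributes(doc).get("components", []):
        props = {p["name"]: p["value"] for p in comp.get("properties", [])}
        if not comp.get("licenses"):
            reason = "no license declared"
        elif props.get("license_type") not in allowed_types:
            reason = f"license_type={props.get('license_type')}"
        else:
            continue
        findings.append((comp.get("purl") or comp["name"], reason))
    return findings


if __name__ == "__main__":
    print(" -> ".join(path_to(SAMPLE_SBOM, SHIM)))
    for purl, reason in license_findings(SAMPLE_SBOM):
        print(purl, reason)
```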

{% tab title="400" %}
Bad request: The server cannot process the request due to invalid syntax in the request.
{% tab title="Model" %}
API error response.

| Parent field | Field                    | Type     | Description                                                                     |
| ------------ | ------------------------ | -------- | ------------------------------------------------------------------------------- |
|              | errors [*required*] | [object] | A list of errors.                                                               |
| errors       | detail                   | string   | A human-readable explanation specific to this occurrence of the error.          |
| errors       | meta                     | object   | Non-standard meta-information about the error                                   |
| errors       | source                   | object   | References to the source of the error.                                          |
| source       | header                   | string   | A string indicating the name of a single request header which caused the error. |
| source       | parameter                | string   | A string indicating which URI query parameter caused the error.                 |
| source       | pointer                  | string   | A JSON pointer to the value in the request document that caused the error.      |
| errors       | status                   | string   | Status code of the response.                                                    |
| errors       | title                    | string   | Short human-readable summary of the error.                                      |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    {
      "detail": "Missing required attribute in body",
      "meta": {},
      "source": {
        "header": "Authorization",
        "parameter": "limit",
        "pointer": "/data/attributes/title"
      },
      "status": "400",
      "title": "Bad Request"
    }
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="403" %}
Forbidden: Access denied
{% tab title="Model" %}
API error response.

| Parent field | Field                    | Type     | Description                                                                     |
| ------------ | ------------------------ | -------- | ------------------------------------------------------------------------------- |
|              | errors [*required*] | [object] | A list of errors.                                                               |
| errors       | detail                   | string   | A human-readable explanation specific to this occurrence of the error.          |
| errors       | meta                     | object   | Non-standard meta-information about the error                                   |
| errors       | source                   | object   | References to the source of the error.                                          |
| source       | header                   | string   | A string indicating the name of a single request header which caused the error. |
| source       | parameter                | string   | A string indicating which URI query parameter caused the error.                 |
| source       | pointer                  | string   | A JSON pointer to the value in the request document that caused the error.      |
| errors       | status                   | string   | Status code of the response.                                                    |
| errors       | title                    | string   | Short human-readable summary of the error.                                      |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    {
      "detail": "Missing required attribute in body",
      "meta": {},
      "source": {
        "header": "Authorization",
        "parameter": "limit",
        "pointer": "/data/attributes/title"
      },
      "status": "400",
      "title": "Bad Request"
    }
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="404" %}
Not found: asset not found
{% tab title="Model" %}
API error response.

| Parent field | Field                    | Type     | Description                                                                     |
| ------------ | ------------------------ | -------- | ------------------------------------------------------------------------------- |
|              | errors [*required*] | [object] | A list of errors.                                                               |
| errors       | detail                   | string   | A human-readable explanation specific to this occurrence of the error.          |
| errors       | meta                     | object   | Non-standard meta-information about the error                                   |
| errors       | source                   | object   | References to the source of the error.                                          |
| source       | header                   | string   | A string indicating the name of a single request header which caused the error. |
| source       | parameter                | string   | A string indicating which URI query parameter caused the error.                 |
| source       | pointer                  | string   | A JSON pointer to the value in the request document that caused the error.      |
| errors       | status                   | string   | Status code of the response.                                                    |
| errors       | title                    | string   | Short human-readable summary of the error.                                      |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    {
      "detail": "Missing required attribute in body",
      "meta": {},
      "source": {
        "header": "Authorization",
        "parameter": "limit",
        "pointer": "/data/attributes/title"
      },
      "status": "400",
      "title": "Bad Request"
    }
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="429" %}
Too many requests
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

### Code Example

##### Curl

```bash
# Path parameters
export asset_type="Repository"
# Required query arguments (a shell variable name cannot contain brackets)
export filter_asset_name="github.com/datadog/datadog-agent"
# Curl command. Replace api.datadoghq.com with the API host of your Datadog site:
# api.ap1.datadoghq.com, api.ap2.datadoghq.com, api.datadoghq.eu, api.ddog-gov.com,
# api.datadoghq.com, api.us3.datadoghq.com, or api.us5.datadoghq.com.
# -g turns off curl's URL globbing so the literal [ ] in the query string are sent as-is.
curl -g -X GET "https://api.datadoghq.com/api/v2/security/sboms/${asset_type}?filter[asset_name]=${filter_asset_name}" \
-H "Accept: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"
```

##### Python

```python
"""
Get SBOM returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.asset_type import AssetType

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.get_sbom(
        asset_type=AssetType.REPOSITORY,
        filter_asset_name="github.com/datadog/datadog-agent",
    )

    print(response)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=python), then save the example to `example.py` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"

##### Ruby

```ruby
# Get SBOM returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new
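# The enum is referenced by its full name; a bare AssetType is not defined at top level.
p api_instance.get_sbom(DatadogAPIClient::V2::AssetType::REPOSITORY, "github.com/datadog/datadog-agent")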
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=ruby), then save the example to `example.rb` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" ruby "example.rb"

##### Go

```go
// Get SBOM returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.GetSBOM(ctx, datadogV2.ASSETTYPE_REPOSITORY, "github.com/datadog/datadog-agent", *datadogV2.NewGetSBOMOptionalParameters())

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.GetSBOM`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.GetSBOM`:\n%s\n", responseContent)
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=go), then save the example to `main.go` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"

##### Java

```java
// Get SBOM returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.AssetType;
import com.datadog.api.client.v2.model.GetSBOMResponse;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    try {
      GetSBOMResponse result =
          apiInstance.getSBOM(AssetType.REPOSITORY, "github.com/datadog/datadog-agent");
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println("Exception when calling SecurityMonitoringApi#getSBOM");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=java), then save the example to `Example.java` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"

##### Rust

```rust
// Get SBOM returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::GetSBOMOptionalParams;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::AssetType;

#[tokio::main]
async fn main() {
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api
        .get_sbom(
            AssetType::REPOSITORY,
            "github.com/datadog/datadog-agent".to_string(),
            GetSBOMOptionalParams::default(),
        )
        .await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=rust), then save the example to `src/main.rs` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run

##### TypeScript

```typescript
/**
 * Get SBOM returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiGetSBOMRequest = {
  assetType: "Repository",
  filterAssetName: "github.com/datadog/datadog-agent",
};

apiInstance
  .getSBOM(params)
  .then((data: v2.GetSBOMResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=typescript), then save the example to `example.ts` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"

{% /tab %}

## List assets SBOMs{% #list-assets-sboms %}

{% tab title="v2" %}

| Datadog site      | API endpoint                                            |
| ----------------- | ------------------------------------------------------- |
| ap1.datadoghq.com | GET https://api.ap1.datadoghq.com/api/v2/security/sboms |
| ap2.datadoghq.com | GET https://api.ap2.datadoghq.com/api/v2/security/sboms |
| app.datadoghq.eu  | GET https://api.datadoghq.eu/api/v2/security/sboms      |
| app.ddog-gov.com  | GET https://api.ddog-gov.com/api/v2/security/sboms      |
| app.datadoghq.com | GET https://api.datadoghq.com/api/v2/security/sboms     |
| us3.datadoghq.com | GET https://api.us3.datadoghq.com/api/v2/security/sboms |
| us5.datadoghq.com | GET https://api.us5.datadoghq.com/api/v2/security/sboms |

### Overview



Get a list of assets SBOMs for an organization.

### Pagination{% #pagination %}

Please review the Pagination section for the "List Vulnerabilities" endpoint.

### Filtering{% #filtering %}

Please review the Filtering section for the "List Vulnerabilities" endpoint.

### Metadata{% #metadata %}

Please review the Metadata section for the "List Vulnerabilities" endpoint.

This endpoint requires the `appsec_vm_read` permission.


### Arguments

#### Query Strings

| Name                    | Type    | Description                                                                                                                                                                                                                                      |
| ----------------------- | ------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| page[token]             | string  | Its value must come from the `links` section of the response of the first request. Do not manually edit it.                                                                                                                                      |
| page[number]            | integer | The page number to be retrieved. It should be equal to or greater than 1.                                                                                                                                                                        |
| filter[asset_type]      | enum    | The type of the assets for the SBOM request. Allowed enum values: `Repository, Service, Host, HostImage, Image`                                                                                                                                  |
| filter[asset_name]      | string  | The name of the asset for the SBOM request.                                                                                                                                                                                                      |
| filter[package_name]    | string  | The name of the component that is a dependency of an asset.                                                                                                                                                                                      |
| filter[package_version] | string  | The version of the component that is a dependency of an asset.                                                                                                                                                                                   |
| filter[license_name]    | string  | The software license name of the component that is a dependency of an asset.                                                                                                                                                                     |
| filter[license_type]    | enum    | The software license type of the component that is a dependency of an asset. Allowed enum values: `network_strong_copyleft, non_standard_copyleft, other_non_free, other_non_standard, permissive, public_domain, strong_copyleft, weak_copyleft` |

### Response

{% tab title="200" %}
OK
{% tab title="Model" %}
The expected response schema when listing assets SBOMs.

| Parent field | Field                          | Type     | Description                                                                                                                                                                                        |
| ------------ | ------------------------------ | -------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|              | data [*required*]         | [object] | List of assets SBOMs.                                                                                                                                                                              |
| data         | attributes                     | object   | The JSON:API attributes of the SBOM.                                                                                                                                                               |
| attributes   | bomFormat [*required*]    | string   | Specifies the format of the BOM. This helps to identify the file as CycloneDX since BOMs do not have a filename convention nor does JSON schema support namespaces. This value MUST be `CycloneDX`. |
| attributes   | components [*required*]   | [object] | A list of software and hardware components.                                                                                                                                                        |
| components   | bom-ref                        | string   | An optional identifier that can be used to reference the component elsewhere in the BOM.                                                                                                           |
| components   | licenses                       | [object] | The software licenses of the SBOM component.                                                                                                                                                       |
| licenses     | license [*required*]      | object   | The software license of the component of the SBOM.                                                                                                                                                 |
| license      | name [*required*]         | string   | The name of the software license of the component of the SBOM.                                                                                                                                     |
| components   | name [*required*]         | string   | The name of the component. This will often be a shortened, single name of the component.                                                                                                           |
| components   | properties                     | [object] | The custom properties of the component of the SBOM.                                                                                                                                                |
| properties   | name [*required*]         | string   | The name of the custom property of the component of the SBOM.                                                                                                                                      |
| properties   | value [*required*]        | string   | The value of the custom property of the component of the SBOM.                                                                                                                                     |
| components   | purl                           | string   | Specifies the package-url (purl). The purl, if specified, MUST be valid and conform to the [specification](https://github.com/package-url/purl-spec).                                              |
| components   | supplier [*required*]     | object   | The supplier of the component.                                                                                                                                                                     |
| supplier     | name [*required*]         | string   | Identifier of the supplier of the component.                                                                                                                                                       |
| components   | type [*required*]         | enum     | The SBOM component type. Allowed enum values: `application,container,data,device,device-driver,file,firmware,framework,library,machine-learning-model`                                             |
| components   | version [*required*]      | string   | The component version.                                                                                                                                                                             |
| attributes   | dependencies [*required*] | [object] | List of dependencies between components of the SBOM.                                                                                                                                               |
| dependencies | dependsOn                      | [string] | The components that are dependencies of the ref component.                                                                                                                                         |
| dependencies | ref                            | string   | The identifier for the related component.                                                                                                                                                          |
| attributes   | metadata [*required*]     | object   | Provides additional information about a BOM.                                                                                                                                                       |
| metadata     | authors                        | [object] | List of authors of the SBOM.                                                                                                                                                                       |
| authors      | name                           | string   | The identifier of the Author of the SBOM.                                                                                                                                                          |
| metadata     | component                      | object   | The component that the BOM describes.                                                                                                                                                              |
| component    | name                           | string   | The name of the component. This will often be a shortened, single name of the component.                                                                                                           |
| component    | type                           | string   | Specifies the type of the component.                                                                                                                                                               |
| metadata     | timestamp                      | string   | The timestamp of the SBOM creation.                                                                                                                                                                |
| attributes   | serialNumber [*required*] | string   | Every BOM generated has a unique serial number, even if the contents of the BOM have not changed over time. The serial number follows [RFC-4122](https://datatracker.ietf.org/doc/html/rfc4122).   |
| attributes   | specVersion [*required*]  | enum     | The version of the CycloneDX specification a BOM conforms to. Allowed enum values: `1.0,1.1,1.2,1.3,1.4,1.5`                                                                                       |
| attributes   | version [*required*]      | int64    | It increments when a BOM is modified. The default value is 1.                                                                                                                                      |
| data         | id                             | string   | The unique ID for this SBOM (it is equivalent to the `asset_name`, or to `asset_name@repo_digest` for an Image).                                                                                   |
| data         | type                           | enum     | The JSON:API type. Allowed enum values: `sboms`                                                                                                                                                    |
|              | links                          | object   | The JSON:API links related to pagination.                                                                                                                                                          |
| links        | first [*required*]        | string   | First page link.                                                                                                                                                                                   |
| links        | last [*required*]         | string   | Last page link.                                                                                                                                                                                    |
| links        | next                           | string   | Next page link.                                                                                                                                                                                    |
| links        | previous                       | string   | Previous page link.                                                                                                                                                                                |
| links        | self [*required*]         | string   | Request link.                                                                                                                                                                                      |
|              | meta                           | object   | The metadata related to this request.                                                                                                                                                              |
| meta         | count [*required*]        | int64    | Number of entities included in the response.                                                                                                                                                       |
| meta         | token [*required*]        | string   | The token that identifies the request.                                                                                                                                                             |
| meta         | total [*required*]        | int64    | Total number of entities across all pages.                                                                                                                                                         |

{% /tab %}

{% tab title="Example" %}

```json
{
  "data": [
    {
      "attributes": {
        "bomFormat": "CycloneDX",
        "components": [
          {
            "bom-ref": "pkg:golang/google.golang.org/grpc@1.68.1",
            "licenses": [
              {
                "license": {
                  "name": "MIT"
                }
              }
            ],
            "name": "google.golang.org/grpc",
            "properties": [
              {
                "name": "license_type",
                "value": "permissive"
              }
            ],
            "purl": "pkg:golang/google.golang.org/grpc@1.68.1",
            "supplier": {
              "name": "https://go.dev"
            },
            "type": "application",
            "version": "1.68.1"
          }
        ],
        "dependencies": [
          {
            "dependsOn": [
              "pkg:golang/google.golang.org/grpc@1.68.1"
            ],
            "ref": "Repository|github.com/datadog/datadog-agent"
          }
        ],
        "metadata": {
          "authors": [
            {
              "name": "Datadog, Inc."
            }
          ],
          "component": {
            "name": "github.com/datadog/datadog-agent",
            "type": "application"
          },
          "timestamp": "2025-07-08T07:24:53Z"
        },
        "serialNumber": "urn:uuid:f7119d2f-1vgh-24b5-91f0-12010db72da7",
        "specVersion": "1.5",
        "version": 1
      },
      "id": "github.com/datadog/datadog-agent",
      "type": "sboms"
    }
  ],
  "links": {
    "first": "https://api.datadoghq.com/api/v2/security/vulnerabilities?page%5Bnumber%5D=1\u0026page%5Btoken%5D=b82cef018aab81ed1d4bb4xb35xxfc065da7efa685fbcecdbd338f3015e3afabbbfa3a911b4984_721ee28a-zecb-4e45-9960-c42065b574f4",
    "last": "https://api.datadoghq.com/api/v2/security/vulnerabilities?page%5Bnumber%5D=15\u0026page%5Btoken%5D=b82cef018aab81ed1d4bb4xb35xxfc065da7efa685fbcecdbd338f3015e3afabbbfa3a911b4984_721ee28a-zecb-4e45-9960-c42065b574f4",
    "next": "https://api.datadoghq.com/api/v2/security/vulnerabilities?page%5Bnumber%5D=16\u0026page%5Btoken%5D=b82cef018aab81ed1d4bb4xb35xxfc065da7efa685fbcecdbd338f3015e3afabbbfa3a911b4984_721ee28a-zecb-4e45-9960-c42065b574f4",
    "previous": "https://api.datadoghq.com/api/v2/security/vulnerabilities?page%5Bnumber%5D=14\u0026page%5Btoken%5D=b82cef018aab81ed1d4bb4xb35xxfc065da7efa685fbcecdbd338f3015e3afabbbfa3a911b4984_721ee28a-zecb-4e45-9960-c42065b574f4",
    "self": "https://api.datadoghq.com/api/v2/security/vulnerabilities?filter%5Btool%5D=Infra"
  },
  "meta": {
    "count": 150,
    "token": "b82cef018aab81ed1d4bb4xb35xxfc065da7efa685fbcecdbd338f3015e3afabbbfa3a911b4984_721ee28a-zecb-4e45-9960-c42065b574f4",
    "total": 152431
  }
}
```

{% /tab %}

{% /tab %}
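The following is an added example, not taken from the Datadog documentation or client libraries. It shows one way to consume this 200 response: follow `links.next` without editing `page[token]`, refuse pagination links that point at a different host, list components whose `license_type` property is under review, and report `dependsOn` entries that match no `bom-ref`. The names `API_HOST`, `FLAGGED_TYPES`, `fetch`, `make_sbom`, `fake_fetch` and the sample pages are assumptions constructed for illustration.

```python
from urllib.parse import parse_qs, urlsplit

API_HOST = "api.datadoghq.com"  # assumption: use the API host of your own Datadog site
FLAGGED_TYPES = {"strong_copyleft", "network_strong_copyleft"}  # assumed review policy


def next_page_params(page, api_host=API_HOST):
    """Return the query parameters of links.next, or None on the last page."""
    link = (page.get("links") or {}).get("next")
    if not link:
        return None
    url = urlsplit(link)
    # The link comes from a response body: only follow it to the host that is
    # meant to receive DD-API-KEY / DD-APPLICATION-KEY, and only over TLS.
    if url.scheme != "https" or url.hostname != api_host:
        raise ValueError(f"refusing pagination link to {url.netloc!r}")
    # page[token] is opaque: it is copied as returned, never rebuilt or edited.
    return {name: values[0] for name, values in parse_qs(url.query).items()}


def iter_pages(fetch, params, api_host=API_HOST, max_pages=1000):
    """Yield each page. fetch(params) -> dict is a caller-supplied HTTP GET."""
    for _ in range(max_pages):
        page = fetch(params)
        yield page
        params = next_page_params(page, api_host)
        if params is None:
            return
    raise RuntimeError("pagination did not terminate")


def flagged_components(page, flagged=FLAGGED_TYPES):
    """List (asset id, purl, license names, license_type) for flagged licenses."""
    hits = []
    for sbom in page.get("data", []):
        attrs = sbom.get("attributes", {})
        if attrs.get("bomFormat") != "CycloneDX":  # the schema says MUST be CycloneDX
            raise ValueError(f"unexpected bomFormat for {sbom.get('id')!r}")
        for comp in attrs.get("components", []):
            props = {p["name"]: p["value"] for p in comp.get("properties", [])}
            if props.get("license_type") in flagged:
                names = [entry["license"]["name"] for entry in comp.get("licenses", [])]
                hits.append((sbom.get("id"), comp.get("purl") or comp["name"],
                             names, props["license_type"]))
    return hits


def dangling_dependencies(page):
    """List (asset id, ref) for dependsOn entries with no matching bom-ref."""
    missing = []
    for sbom in page.get("data", []):
        attrs = sbom.get("attributes", {})
        known = {c.get("bom-ref") for c in attrs.get("components", [])}
        for dep in attrs.get("dependencies", []):
            missing += [(sbom.get("id"), ref)
                        for ref in dep.get("dependsOn", []) if ref not in known]
    return missing


def make_sbom(asset, components, depends_on):
    """Build a constructed record with a subset of the response model's fields."""
    return {"id": asset, "type": "sboms", "attributes": {
        "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
        "components": [{"bom-ref": purl, "purl": purl, "type": "library",
                        "name": purl.split("/")[-1].split("@")[0],
                        "version": purl.split("@")[1],
                        "licenses": [{"license": {"name": lic}}],
                        "properties": [{"name": "license_type", "value": ltype}]}
                       for purl, lic, ltype in components],
        "dependencies": [{"ref": f"Repository|{asset}", "dependsOn": depends_on}]}}


# Constructed sample pages (not real API output).
PAGE_1 = {
    "data": [make_sbom("github.com/example/repo", [
        ("pkg:golang/example.com/lib-a@1.0.0", "MIT", "permissive"),
        ("pkg:pypi/example-gpl-lib@2.0.0", "GPL-3.0-only", "strong_copyleft"),
    ], ["pkg:golang/example.com/lib-a@1.0.0", "pkg:pypi/example-gpl-lib@2.0.0"])],
    "links": {"next": "https://api.datadoghq.com/api/v2/security/sboms"
                      "?page%5Bnumber%5D=2&page%5Btoken%5D=constructed-token"},
}
PAGE_2 = {
    "data": [make_sbom("example-service", [
        ("pkg:npm/example-left-pad@1.3.0", "MIT", "permissive"),
    ], ["pkg:npm/example-left-pad@1.3.0", "pkg:npm/example-missing@1.0.0"])],
    "links": {},
}


def fake_fetch(params):
    """Stand-in for the real GET: serves the constructed pages by page[number]."""
    return {"1": PAGE_1, "2": PAGE_2}[params.get("page[number]", "1")]


if __name__ == "__main__":
    for page in iter_pages(fake_fetch, {"filter[asset_type]": "Repository"}):
        print(flagged_components(page), dangling_dependencies(page))
```

In real use, `fetch` would issue the GET with the `DD-API-KEY` and `DD-APPLICATION-KEY` headers and return the decoded JSON body.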

{% tab title="400" %}
Bad request: The server cannot process the request due to invalid syntax in the request.
{% tab title="Model" %}
API error response.

| Parent field | Field                    | Type     | Description                                                                     |
| ------------ | ------------------------ | -------- | ------------------------------------------------------------------------------- |
|              | errors [*required*] | [object] | A list of errors.                                                               |
| errors       | detail                   | string   | A human-readable explanation specific to this occurrence of the error.          |
| errors       | meta                     | object   | Non-standard meta-information about the error                                   |
| errors       | source                   | object   | References to the source of the error.                                          |
| source       | header                   | string   | A string indicating the name of a single request header which caused the error. |
| source       | parameter                | string   | A string indicating which URI query parameter caused the error.                 |
| source       | pointer                  | string   | A JSON pointer to the value in the request document that caused the error.      |
| errors       | status                   | string   | Status code of the response.                                                    |
| errors       | title                    | string   | Short human-readable summary of the error.                                      |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    {
      "detail": "Missing required attribute in body",
      "meta": {},
      "source": {
        "header": "Authorization",
        "parameter": "limit",
        "pointer": "/data/attributes/title"
      },
      "status": "400",
      "title": "Bad Request"
    }
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="403" %}
Forbidden: Access denied
{% tab title="Model" %}
API error response.

| Parent field | Field                    | Type     | Description                                                                     |
| ------------ | ------------------------ | -------- | ------------------------------------------------------------------------------- |
|              | errors [*required*] | [object] | A list of errors.                                                               |
| errors       | detail                   | string   | A human-readable explanation specific to this occurrence of the error.          |
| errors       | meta                     | object   | Non-standard meta-information about the error                                   |
| errors       | source                   | object   | References to the source of the error.                                          |
| source       | header                   | string   | A string indicating the name of a single request header which caused the error. |
| source       | parameter                | string   | A string indicating which URI query parameter caused the error.                 |
| source       | pointer                  | string   | A JSON pointer to the value in the request document that caused the error.      |
| errors       | status                   | string   | Status code of the response.                                                    |
| errors       | title                    | string   | Short human-readable summary of the error.                                      |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    {
      "detail": "Missing required attribute in body",
      "meta": {},
      "source": {
        "header": "Authorization",
        "parameter": "limit",
        "pointer": "/data/attributes/title"
      },
      "status": "400",
      "title": "Bad Request"
    }
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="404" %}
Not found: asset not found
{% tab title="Model" %}
API error response.

| Parent field | Field                    | Type     | Description                                                                     |
| ------------ | ------------------------ | -------- | ------------------------------------------------------------------------------- |
|              | errors [*required*] | [object] | A list of errors.                                                               |
| errors       | detail                   | string   | A human-readable explanation specific to this occurrence of the error.          |
| errors       | meta                     | object   | Non-standard meta-information about the error                                   |
| errors       | source                   | object   | References to the source of the error.                                          |
| source       | header                   | string   | A string indicating the name of a single request header which caused the error. |
| source       | parameter                | string   | A string indicating which URI query parameter caused the error.                 |
| source       | pointer                  | string   | A JSON pointer to the value in the request document that caused the error.      |
| errors       | status                   | string   | Status code of the response.                                                    |
| errors       | title                    | string   | Short human-readable summary of the error.                                      |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    {
      "detail": "Missing required attribute in body",
      "meta": {},
      "source": {
        "header": "Authorization",
        "parameter": "limit",
        "pointer": "/data/attributes/title"
      },
      "status": "400",
      "title": "Bad Request"
    }
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="429" %}
Too many requests
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

### Code Example

##### Curl

```bash
# Curl command
# Replace api.datadoghq.com with the API host for your Datadog site
# (api.ap1.datadoghq.com, api.ap2.datadoghq.com, api.datadoghq.eu,
# api.ddog-gov.com, api.us3.datadoghq.com, or api.us5.datadoghq.com).
curl -X GET "https://api.datadoghq.com/api/v2/security/sboms" \
-H "Accept: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"
```

##### Python

```python
"""
List assets SBOMs returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.asset_type import AssetType

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.list_assets_sbo_ms(
        filter_asset_type=AssetType.SERVICE,
        filter_package_name="pandas",
    )

    print(response)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=python) and then save the example to `example.py` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"

##### Ruby

```ruby
# List assets SBOMs returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new
opts = {
  filter_package_name: "pandas",
  filter_asset_type: DatadogAPIClient::V2::AssetType::SERVICE,
}
p api_instance.list_assets_sbo_ms(opts)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=ruby) and then save the example to `example.rb` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" ruby "example.rb"

##### Go

```go
// List assets SBOMs returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.ListAssetsSBOMs(ctx, *datadogV2.NewListAssetsSBOMsOptionalParameters().WithFilterPackageName("pandas").WithFilterAssetType(datadogV2.ASSETTYPE_SERVICE))

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.ListAssetsSBOMs`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.ListAssetsSBOMs`:\n%s\n", responseContent)
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=go) and then save the example to `main.go` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"

##### Java

```java
// List assets SBOMs returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.api.SecurityMonitoringApi.ListAssetsSBOMsOptionalParameters;
import com.datadog.api.client.v2.model.AssetType;
import com.datadog.api.client.v2.model.ListAssetsSBOMsResponse;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    try {
      ListAssetsSBOMsResponse result =
          apiInstance.listAssetsSBOMs(
              new ListAssetsSBOMsOptionalParameters()
                  .filterPackageName("pandas")
                  .filterAssetType(AssetType.SERVICE));
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println("Exception when calling SecurityMonitoringApi#listAssetsSBOMs");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=java) and then save the example to `Example.java` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"

##### Rust

```rust
// List assets SBOMs returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::ListAssetsSBOMsOptionalParams;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::AssetType;

#[tokio::main]
async fn main() {
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api
        .list_assets_sbo_ms(
            ListAssetsSBOMsOptionalParams::default()
                .filter_package_name("pandas".to_string())
                .filter_asset_type(AssetType::SERVICE),
        )
        .await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=rust) and then save the example to `src/main.rs` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run

##### TypeScript

```typescript
/**
 * List assets SBOMs returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiListAssetsSBOMsRequest = {
  filterAssetType: "Service",
  filterPackageName: "pandas",
};

apiInstance
  .listAssetsSBOMs(params)
  .then((data: v2.ListAssetsSBOMsResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=typescript) and then save the example to `example.ts` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"
{% /tab %}

## List scanned assets metadata{% #list-scanned-assets-metadata %}

{% tab title="v2" %}
**Note**: This endpoint is a private preview. If you are interested in accessing this API, [fill out this form](https://forms.gle/kMYC1sDr6WDUBDsx9).

| Datadog site      | API endpoint                                                              |
| ----------------- | ------------------------------------------------------------------------- |
| ap1.datadoghq.com | GET https://api.ap1.datadoghq.com/api/v2/security/scanned-assets-metadata |
| ap2.datadoghq.com | GET https://api.ap2.datadoghq.com/api/v2/security/scanned-assets-metadata |
| app.datadoghq.eu  | GET https://api.datadoghq.eu/api/v2/security/scanned-assets-metadata      |
| app.ddog-gov.com  | GET https://api.ddog-gov.com/api/v2/security/scanned-assets-metadata      |
| app.datadoghq.com | GET https://api.datadoghq.com/api/v2/security/scanned-assets-metadata     |
| us3.datadoghq.com | GET https://api.us3.datadoghq.com/api/v2/security/scanned-assets-metadata |
| us5.datadoghq.com | GET https://api.us5.datadoghq.com/api/v2/security/scanned-assets-metadata |

### Overview



Get a list of security scanned assets metadata for an organization.

### Pagination{% #pagination %}

See the Pagination section of the "List Vulnerabilities" endpoint.

### Filtering{% #filtering %}

See the Filtering section of the "List Vulnerabilities" endpoint.

### Metadata{% #metadata %}

See the Metadata section of the "List Vulnerabilities" endpoint.

### Related endpoints{% #related-endpoints %}

This endpoint returns additional metadata for cloud resources that is not available from the standard resource endpoints. To access a richer dataset, call this endpoint together with the relevant resource endpoint(s) and merge (join) their results using the resource identifier.

**Hosts**

To enrich host data, join the response from the [Hosts](https://docs.datadoghq.com/api/latest/hosts/) endpoint with the response from the scanned-assets-metadata endpoint on the following key fields:

| ENDPOINT                                                      | JOIN KEY                   | TYPE   |
| ------------------------------------------------------------- | -------------------------- | ------ |
| [/api/v1/hosts](https://docs.datadoghq.com/api/latest/hosts/) | host_list.host_name        | string |
| /api/v2/security/scanned-assets-metadata                      | data.attributes.asset.name | string |

**Host Images**

To enrich host image data, join the response from the [Hosts](https://docs.datadoghq.com/api/latest/hosts/) endpoint with the response from the scanned-assets-metadata endpoint on the following key fields:

| ENDPOINT                                                      | JOIN KEY                                                 | TYPE   |
| ------------------------------------------------------------- | -------------------------------------------------------- | ------ |
| [/api/v1/hosts](https://docs.datadoghq.com/api/latest/hosts/) | host_list.tags_by_source["Amazon Web Services"]["image"] | string |
| /api/v2/security/scanned-assets-metadata                      | data.attributes.asset.name                               | string |

**Container Images**

To enrich container image data, join the response from the [Container Images](https://docs.datadoghq.com/api/latest/container-images/) endpoint with the response from the scanned-assets-metadata endpoint on the following key fields:

| ENDPOINT                                                                            | JOIN KEY                                             | TYPE   |
| ----------------------------------------------------------------------------------- | ---------------------------------------------------- | ------ |
| [/api/v2/container_images](https://docs.datadoghq.com/api/latest/container-images/) | `data.attributes.name`@`data.attributes.repo_digest` | string |
| /api/v2/security/scanned-assets-metadata                                            | data.attributes.asset.name                           | string |

This endpoint requires the `appsec_vm_read` permission.
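
The joins described under Related endpoints, as an added example (not Datadog's own code): it builds the three join keys from constructed sample responses and reports inventory that has no scan record or only a stale one. The function names, the seven-day threshold, and the assumption that `tags_by_source` holds lists of `key:value` tag strings are illustrative.

```python
from datetime import datetime, timedelta, timezone

AWS_SOURCE = "Amazon Web Services"


def scan_record(asset_type, name, last_ts):
    """Build one constructed scanned-assets-metadata record in the documented shape."""
    return {
        "id": f"{asset_type}|{name}",
        "attributes": {
            "asset": {"name": name, "type": asset_type},
            "first_success_timestamp": last_ts,
            "last_success": {"env": "prod", "origin": ["production"], "timestamp": last_ts},
        },
    }


# Constructed sample data: only the fields needed for the join are present.
API_IMAGE = "registry.example.com/shop/api"
WORKER_IMAGE = "registry.example.com/shop/worker"
HOSTS_RESPONSE = {  # shape of GET /api/v1/hosts
    "host_list": [
        {"host_name": "i-0fc7edef1ab26d7ef",
         "tags_by_source": {AWS_SOURCE: ["image:ami-0aaa1111bbbb2222c", "region:us-east-1"]}},
        {"host_name": "i-0123456789abcdef0",
         "tags_by_source": {AWS_SOURCE: ["image:ami-0aaa1111bbbb2222c"]}},
        {"host_name": "onprem-db-01", "tags_by_source": {}},
    ]
}
CONTAINER_IMAGES_RESPONSE = {  # shape of GET /api/v2/container_images
    "data": [
        {"attributes": {"name": API_IMAGE, "repo_digest": "sha256:" + "ab" * 32}},
        {"attributes": {"name": WORKER_IMAGE, "repo_digest": "sha256:" + "cd" * 32}},
    ]
}
SCANNED_RESPONSE = {  # shape of GET /api/v2/security/scanned-assets-metadata
    "data": [
        scan_record("Host", "i-0fc7edef1ab26d7ef", "2025-07-08T07:24:53Z"),
        scan_record("Host", "i-0123456789abcdef0", "2025-06-01T00:00:00Z"),
        scan_record("Host", "i-0deadbeef00000000", "2025-07-09T00:00:00Z"),
        scan_record("HostImage", "ami-0aaa1111bbbb2222c", "2025-07-09T00:00:00Z"),
        scan_record("Image", API_IMAGE + "@sha256:" + "ab" * 32, "2025-07-09T00:00:00Z"),
    ]
}
NOW = datetime(2025, 7, 10, tzinfo=timezone.utc)  # fixed so the result is reproducible


def aws_image(host):
    """Return the value of the host's AWS `image` tag, or None if it has none.

    Assumption: tags_by_source maps a source name to a list of "key:value" strings.
    """
    for tag in host.get("tags_by_source", {}).get(AWS_SOURCE, []):
        key, sep, value = tag.partition(":")
        if key == "image" and sep:
            return value
    return None


def inventory_keys(hosts, images):
    """Map (asset type, join key) to the inventory items that resolve to that key."""
    keys = {}
    for host in hosts["host_list"]:
        # Hosts: host_list.host_name <-> data.attributes.asset.name
        keys.setdefault(("Host", host["host_name"]), []).append(host["host_name"])
        # Host images: the AWS image tag; several hosts can share one image.
        image = aws_image(host)
        if image:
            keys.setdefault(("HostImage", image), []).append(host["host_name"])
    for item in images["data"]:
        # Container images: `name`@`repo_digest`
        attrs = item["attributes"]
        key = f'{attrs["name"]}@{attrs["repo_digest"]}'
        keys.setdefault(("Image", key), []).append(attrs["name"])
    return keys


def coverage_report(hosts, images, scanned, now, max_age=timedelta(days=7)):
    """Join inventory to scan metadata and bucket every asset by scan freshness."""
    scans = {}
    for rec in scanned["data"]:
        asset = rec["attributes"]["asset"]
        scans[(asset["type"], asset["name"])] = rec["attributes"]["last_success"]
    inventory = inventory_keys(hosts, images)
    report = {"fresh": [], "stale": [], "never_scanned": [], "orphan_scans": []}
    for key in sorted(inventory):
        last = scans.get(key)
        if last is None:
            report["never_scanned"].append(key)
            continue
        ts = datetime.fromisoformat(last["timestamp"].replace("Z", "+00:00"))
        report["stale" if now - ts > max_age else "fresh"].append(key)
    # Scan records with no matching inventory item (for example, terminated hosts).
    report["orphan_scans"] = sorted(k for k in scans if k not in inventory)
    return report


if __name__ == "__main__":
    result = coverage_report(HOSTS_RESPONSE, CONTAINER_IMAGES_RESPONSE, SCANNED_RESPONSE, NOW)
    for bucket, assets in result.items():
        print(bucket, assets)
```
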


### Arguments

#### Query Strings

| Name                        | Type    | Description                                                                                                 |
| --------------------------- | ------- | ----------------------------------------------------------------------------------------------------------- |
| page[token]                 | string  | Its value must come from the `links` section of the response of the first request. Do not manually edit it. |
| page[number]                | integer | The page number to be retrieved. It should be equal to or greater than 1.                                   |
| filter[asset.type]          | enum    | The type of the scanned asset. Allowed enum values: `Host, HostImage, Image`                               |
| filter[asset.name]          | string  | The name of the scanned asset.                                                                              |
| filter[last_success.origin] | string  | The origin of the last successful scan.                                                                     |
| filter[last_success.env]    | string  | The environment of the last successful scan.                                                                |

### Response

{% tab title="200" %}
OK
{% tab title="Model" %}
The expected response schema when listing scanned assets metadata.

| Parent field | Field                                     | Type     | Description                                                                |
| ------------ | ----------------------------------------- | -------- | -------------------------------------------------------------------------- |
|              | data [*required*]                    | [object] | List of scanned assets metadata.                                           |
| data         | attributes [*required*]              | object   | The attributes of a scanned asset metadata.                                |
| attributes   | asset [*required*]                   | object   | The asset of a scanned asset metadata.                                     |
| asset        | name [*required*]                    | string   | The name of the asset.                                                     |
| asset        | type [*required*]                    | enum     | The cloud asset type. Allowed enum values: `Host, HostImage, Image`        |
| attributes   | first_success_timestamp [*required*] | string   | The timestamp when the scan of the asset was performed for the first time. |
| attributes   | last_success [*required*]            | object   | Metadata for the last successful scan of an asset.                         |
| last_success | env                                       | string   | The environment of the last successful scan of the asset.                  |
| last_success | origin                                    | [string] | The list of origins of the last successful scan of the asset.              |
| last_success | timestamp [*required*]               | string   | The timestamp of the last successful scan of the asset.                    |
| data         | id [*required*]                      | string   | The ID of the scanned asset metadata.                                      |
|              | links                                     | object   | The JSON:API links related to pagination.                                  |
| links        | first [*required*]                   | string   | First page link.                                                           |
| links        | last [*required*]                    | string   | Last page link.                                                            |
| links        | next                                      | string   | Next page link.                                                            |
| links        | previous                                  | string   | Previous page link.                                                        |
| links        | self [*required*]                    | string   | Request link.                                                              |
|              | meta                                      | object   | The metadata related to this request.                                      |
| meta         | count [*required*]                   | int64    | Number of entities included in the response.                               |
| meta         | token [*required*]                   | string   | The token that identifies the request.                                     |
| meta         | total [*required*]                   | int64    | Total number of entities across all pages.                                 |

{% /tab %}

{% tab title="Example" %}

```json
{
  "data": [
    {
      "attributes": {
        "asset": {
          "name": "i-0fc7edef1ab26d7ef",
          "type": "Host"
        },
        "first_success_timestamp": "2025-07-08T07:24:53Z",
        "last_success": {
          "env": "prod",
          "origin": [
            "production"
          ],
          "timestamp": "2025-07-08T07:24:53Z"
        }
      },
      "id": "Host|i-0fc7edef1ab26d7ef"
    }
  ],
  "links": {
    "first": "https://api.datadoghq.com/api/v2/security/vulnerabilities?page%5Bnumber%5D=1\u0026page%5Btoken%5D=b82cef018aab81ed1d4bb4xb35xxfc065da7efa685fbcecdbd338f3015e3afabbbfa3a911b4984_721ee28a-zecb-4e45-9960-c42065b574f4",
    "last": "https://api.datadoghq.com/api/v2/security/vulnerabilities?page%5Bnumber%5D=15\u0026page%5Btoken%5D=b82cef018aab81ed1d4bb4xb35xxfc065da7efa685fbcecdbd338f3015e3afabbbfa3a911b4984_721ee28a-zecb-4e45-9960-c42065b574f4",
    "next": "https://api.datadoghq.com/api/v2/security/vulnerabilities?page%5Bnumber%5D=16\u0026page%5Btoken%5D=b82cef018aab81ed1d4bb4xb35xxfc065da7efa685fbcecdbd338f3015e3afabbbfa3a911b4984_721ee28a-zecb-4e45-9960-c42065b574f4",
    "previous": "https://api.datadoghq.com/api/v2/security/vulnerabilities?page%5Bnumber%5D=14\u0026page%5Btoken%5D=b82cef018aab81ed1d4bb4xb35xxfc065da7efa685fbcecdbd338f3015e3afabbbfa3a911b4984_721ee28a-zecb-4e45-9960-c42065b574f4",
    "self": "https://api.datadoghq.com/api/v2/security/vulnerabilities?filter%5Btool%5D=Infra"
  },
  "meta": {
    "count": 150,
    "token": "b82cef018aab81ed1d4bb4xb35xxfc065da7efa685fbcecdbd338f3015e3afabbbfa3a911b4984_721ee28a-zecb-4e45-9960-c42065b574f4",
    "total": 152431
  }
}
```

{% /tab %}

{% /tab %}

{% tab title="400" %}
Bad request: The server cannot process the request due to invalid syntax in the request.
{% tab title="Model" %}
API error response.

| Parent field | Field                    | Type     | Description                                                                     |
| ------------ | ------------------------ | -------- | ------------------------------------------------------------------------------- |
|              | errors [*required*] | [object] | A list of errors.                                                               |
| errors       | detail                   | string   | A human-readable explanation specific to this occurrence of the error.          |
| errors       | meta                     | object   | Non-standard meta-information about the error                                   |
| errors       | source                   | object   | References to the source of the error.                                          |
| source       | header                   | string   | A string indicating the name of a single request header which caused the error. |
| source       | parameter                | string   | A string indicating which URI query parameter caused the error.                 |
| source       | pointer                  | string   | A JSON pointer to the value in the request document that caused the error.      |
| errors       | status                   | string   | Status code of the response.                                                    |
| errors       | title                    | string   | Short human-readable summary of the error.                                      |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    {
      "detail": "Missing required attribute in body",
      "meta": {},
      "source": {
        "header": "Authorization",
        "parameter": "limit",
        "pointer": "/data/attributes/title"
      },
      "status": "400",
      "title": "Bad Request"
    }
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="403" %}
Forbidden: Access denied
{% tab title="Model" %}
API error response.

| Parent field | Field                    | Type     | Description                                                                     |
| ------------ | ------------------------ | -------- | ------------------------------------------------------------------------------- |
|              | errors [*required*] | [object] | A list of errors.                                                               |
| errors       | detail                   | string   | A human-readable explanation specific to this occurrence of the error.          |
| errors       | meta                     | object   | Non-standard meta-information about the error                                   |
| errors       | source                   | object   | References to the source of the error.                                          |
| source       | header                   | string   | A string indicating the name of a single request header which caused the error. |
| source       | parameter                | string   | A string indicating which URI query parameter caused the error.                 |
| source       | pointer                  | string   | A JSON pointer to the value in the request document that caused the error.      |
| errors       | status                   | string   | Status code of the response.                                                    |
| errors       | title                    | string   | Short human-readable summary of the error.                                      |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    {
      "detail": "Missing required attribute in body",
      "meta": {},
      "source": {
        "header": "Authorization",
        "parameter": "limit",
        "pointer": "/data/attributes/title"
      },
      "status": "400",
      "title": "Bad Request"
    }
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="404" %}
Not found: asset not found
{% tab title="Model" %}
API error response.

| Parent field | Field                    | Type     | Description                                                                     |
| ------------ | ------------------------ | -------- | ------------------------------------------------------------------------------- |
|              | errors [*required*] | [object] | A list of errors.                                                               |
| errors       | detail                   | string   | A human-readable explanation specific to this occurrence of the error.          |
| errors       | meta                     | object   | Non-standard meta-information about the error                                   |
| errors       | source                   | object   | References to the source of the error.                                          |
| source       | header                   | string   | A string indicating the name of a single request header which caused the error. |
| source       | parameter                | string   | A string indicating which URI query parameter caused the error.                 |
| source       | pointer                  | string   | A JSON pointer to the value in the request document that caused the error.      |
| errors       | status                   | string   | Status code of the response.                                                    |
| errors       | title                    | string   | Short human-readable summary of the error.                                      |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    {
      "detail": "Missing required attribute in body",
      "meta": {},
      "source": {
        "header": "Authorization",
        "parameter": "limit",
        "pointer": "/data/attributes/title"
      },
      "status": "400",
      "title": "Bad Request"
    }
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="429" %}
Too many requests
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

### Code Example

##### Curl

```bash
# Curl command
# Replace api.datadoghq.com with the API host for your Datadog site
# (api.ap1.datadoghq.com, api.ap2.datadoghq.com, api.datadoghq.eu,
# api.ddog-gov.com, api.us3.datadoghq.com, or api.us5.datadoghq.com).
curl -X GET "https://api.datadoghq.com/api/v2/security/scanned-assets-metadata" \
-H "Accept: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"
```

##### Python

```python
"""
List scanned assets metadata returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi

configuration = Configuration()
configuration.unstable_operations["list_scanned_assets_metadata"] = True
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.list_scanned_assets_metadata()

    print(response)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=python) and then save the example to `example.py` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"

##### Ruby

```ruby
# List scanned assets metadata returns "OK" response

require "datadog_api_client"
DatadogAPIClient.configure do |config|
  config.unstable_operations["v2.list_scanned_assets_metadata".to_sym] = true
end
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new
p api_instance.list_scanned_assets_metadata()
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=ruby) and then save the example to `example.rb` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" ruby "example.rb"

##### Go

```go
// List scanned assets metadata returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	configuration.SetUnstableOperationEnabled("v2.ListScannedAssetsMetadata", true)
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.ListScannedAssetsMetadata(ctx, *datadogV2.NewListScannedAssetsMetadataOptionalParameters())

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.ListScannedAssetsMetadata`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.ListScannedAssetsMetadata`:\n%s\n", responseContent)
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=go) and then save the example to `main.go` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"

##### Java

```java
// List scanned assets metadata returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.ScannedAssetsMetadata;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    defaultClient.setUnstableOperationEnabled("v2.listScannedAssetsMetadata", true);
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    try {
      ScannedAssetsMetadata result = apiInstance.listScannedAssetsMetadata();
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println("Exception when calling SecurityMonitoringApi#listScannedAssetsMetadata");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=java) and then save the example to `Example.java` and run the following command, setting `DD_SITE` to your Datadog site (`datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, or `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"

##### Rust

```rust
// List scanned assets metadata returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::ListScannedAssetsMetadataOptionalParams;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;

#[tokio::main]
async fn main() {
    let mut configuration = datadog::Configuration::new();
    configuration.set_unstable_operation_enabled("v2.ListScannedAssetsMetadata", true);
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api
        .list_scanned_assets_metadata(ListScannedAssetsMetadataOptionalParams::default())
        .await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=rust), then save the example to `src/main.rs` and run the following command. Set `DD_SITE` to your Datadog site (one of `datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run

```typescript
/**
 * List scanned assets metadata returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
configuration.unstableOperations["v2.listScannedAssetsMetadata"] = true;
const apiInstance = new v2.SecurityMonitoringApi(configuration);

apiInstance
  .listScannedAssetsMetadata()
  .then((data: v2.ScannedAssetsMetadata) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest/?code-lang=typescript), then save the example to `example.ts` and run the following command. Set `DD_SITE` to your Datadog site (one of `datadoghq.com`, `us3.datadoghq.com`, `us5.datadoghq.com`, `datadoghq.eu`, `ap1.datadoghq.com`, `ap2.datadoghq.com`, `ddog-gov.com`):

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"
{% /tab %}

## Bulk update triage state of security signals{% #bulk-update-triage-state-of-security-signals %}

{% tab title="v2" %}

| Datadog site      | API endpoint                                                                      |
| ----------------- | --------------------------------------------------------------------------------- |
| ap1.datadoghq.com | PATCH https://api.ap1.datadoghq.com/api/v2/security_monitoring/signals/bulk/state |
| ap2.datadoghq.com | PATCH https://api.ap2.datadoghq.com/api/v2/security_monitoring/signals/bulk/state |
| app.datadoghq.eu  | PATCH https://api.datadoghq.eu/api/v2/security_monitoring/signals/bulk/state      |
| app.ddog-gov.com  | PATCH https://api.ddog-gov.com/api/v2/security_monitoring/signals/bulk/state      |
| app.datadoghq.com | PATCH https://api.datadoghq.com/api/v2/security_monitoring/signals/bulk/state     |
| us3.datadoghq.com | PATCH https://api.us3.datadoghq.com/api/v2/security_monitoring/signals/bulk/state |
| us5.datadoghq.com | PATCH https://api.us5.datadoghq.com/api/v2/security_monitoring/signals/bulk/state |

### Overview

Change the triage states of multiple security signals at once. The maximum number of signals that can be updated in a single request is 199. This endpoint requires the `security_monitoring_signals_write` permission.

### Request

#### Body Data (required)

Attributes describing the signal state updates.

{% tab title="Model" %}

| Parent field | Field                        | Type     | Description                                                                                                                                                                           |
| ------------ | ---------------------------- | -------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|              | data [*required*]       | [object] | An array of signal state updates.                                                                                                                                                     |
| data         | attributes [*required*] | object   | Attributes describing the change of state of a security signal.                                                                                                                       |
| attributes   | archive_comment              | string   | Optional comment to display on archived signals.                                                                                                                                      |
| attributes   | archive_reason               | enum     | Reason a signal is archived. Allowed enum values: `none,false_positive,testing_or_maintenance,remediated,investigated_case_opened,true_positive_benign,true_positive_malicious,other` |
| attributes   | state [*required*]      | enum     | The new triage state of the signal. Allowed enum values: `open,archived,under_review`                                                                                                 |
| attributes   | version                      | int64    | Version of the updated signal. If server side version is higher, update will be rejected.                                                                                             |
| data         | id [*required*]         | string   | The unique ID of the security signal.                                                                                                                                                 |
| data         | type                         | enum     | The type of event. Allowed enum values: `signal`                                                                                                                                      |

{% /tab %}

{% tab title="Example" %}

```json
{
  "data": [
    {
      "attributes": {
        "archive_comment": "string",
        "archive_reason": "string",
        "state": "open",
        "version": "integer"
      },
      "id": "AAAAAWgN8Xwgr1vKDQAAAABBV2dOOFh3ZzZobm1mWXJFYTR0OA",
      "type": "signal"
    }
  ]
}
```

{% /tab %}

### Response

{% tab title="200" %}
OK
{% tab title="Model" %}
Response for a bulk triage update of security signals.

| Parent field         | Field                          | Type      | Description                                                                                                                                                                           |
| -------------------- | ------------------------------ | --------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|                      | result [*required*]       | object    | The result payload of a bulk signal triage update.                                                                                                                                    |
| result               | count [*required*]        | int64     | The number of signals updated.                                                                                                                                                        |
| result               | events [*required*]       | [object]  | The list of updated signals.                                                                                                                                                          |
| events               | event [*required*]        | object    | Triage attributes of a security signal returned in a bulk update response.                                                                                                            |
| event                | archive_comment                | string    | Optional comment to display on archived signals.                                                                                                                                      |
| event                | archive_comment_timestamp      | int64     | Timestamp of the last edit to the archive comment.                                                                                                                                    |
| event                | archive_comment_user           | object    | Object representing a given user entity.                                                                                                                                              |
| archive_comment_user | handle                         | string    | The handle for this user account.                                                                                                                                                     |
| archive_comment_user | icon                           | string    | Gravatar icon associated to the user.                                                                                                                                                 |
| archive_comment_user | id                             | int64     | Numerical ID assigned by Datadog to this user account.                                                                                                                                |
| archive_comment_user | name                           | string    | The name for this user account.                                                                                                                                                       |
| archive_comment_user | uuid [*required*]         | string    | UUID assigned by Datadog to this user account.                                                                                                                                        |
| event                | archive_reason                 | enum      | Reason a signal is archived. Allowed enum values: `none,false_positive,testing_or_maintenance,remediated,investigated_case_opened,true_positive_benign,true_positive_malicious,other` |
| event                | assignee [*required*]     | object    | Object representing a given user entity.                                                                                                                                              |
| assignee             | handle                         | string    | The handle for this user account.                                                                                                                                                     |
| assignee             | icon                           | string    | Gravatar icon associated to the user.                                                                                                                                                 |
| assignee             | id                             | int64     | Numerical ID assigned by Datadog to this user account.                                                                                                                                |
| assignee             | name                           | string    | The name for this user account.                                                                                                                                                       |
| assignee             | uuid [*required*]         | string    | UUID assigned by Datadog to this user account.                                                                                                                                        |
| event                | id [*required*]           | string    | The unique ID of the security signal.                                                                                                                                                 |
| event                | incident_ids [*required*] | [integer] | Array of incidents that are associated with this signal.                                                                                                                              |
| event                | state [*required*]        | enum      | The new triage state of the signal. Allowed enum values: `open,archived,under_review`                                                                                                 |
| event                | state_update_timestamp         | int64     | Timestamp of the last state update.                                                                                                                                                   |
| event                | state_update_user              | object    | Object representing a given user entity.                                                                                                                                              |
| state_update_user    | handle                         | string    | The handle for this user account.                                                                                                                                                     |
| state_update_user    | icon                           | string    | Gravatar icon associated to the user.                                                                                                                                                 |
| state_update_user    | id                             | int64     | Numerical ID assigned by Datadog to this user account.                                                                                                                                |
| state_update_user    | name                           | string    | The name for this user account.                                                                                                                                                       |
| state_update_user    | uuid [*required*]         | string    | UUID assigned by Datadog to this user account.                                                                                                                                        |
| events               | id [*required*]           | string    | The unique ID of the security signal.                                                                                                                                                 |
|                      | status [*required*]       | string    | The status of the bulk operation.                                                                                                                                                     |
|                      | type [*required*]         | string    | The type of the response.                                                                                                                                                             |

{% /tab %}

{% tab title="Example" %}

```json
{
  "result": {
    "count": 2,
    "events": [
      {
        "event": {
          "archive_comment": "string",
          "archive_comment_timestamp": "integer",
          "archive_comment_user": {
            "handle": "string",
            "icon": "/path/to/matching/gravatar/icon",
            "id": "integer",
            "name": "string",
            "uuid": "773b045d-ccf8-4808-bd3b-955ef6a8c940"
          },
          "archive_reason": "string",
          "assignee": {
            "handle": "string",
            "icon": "/path/to/matching/gravatar/icon",
            "id": "integer",
            "name": "string",
            "uuid": "773b045d-ccf8-4808-bd3b-955ef6a8c940"
          },
          "id": "AAAAAWgN8Xwgr1vKDQAAAABBV2dOOFh3ZzZobm1mWXJFYTR0OA",
          "incident_ids": [
            2066
          ],
          "state": "open",
          "state_update_timestamp": "integer",
          "state_update_user": {
            "handle": "string",
            "icon": "/path/to/matching/gravatar/icon",
            "id": "integer",
            "name": "string",
            "uuid": "773b045d-ccf8-4808-bd3b-955ef6a8c940"
          }
        },
        "id": "AAAAAWgN8Xwgr1vKDQAAAABBV2dOOFh3ZzZobm1mWXJFYTR0OA"
      }
    ]
  },
  "status": "done",
  "type": "status"
}
```

{% /tab %}

{% /tab %}

{% tab title="400" %}
Bad Request
{% tab title="Model" %}
API error response.

| Parent field | Field                    | Type     | Description                                                                     |
| ------------ | ------------------------ | -------- | ------------------------------------------------------------------------------- |
|              | errors [*required*] | [object] | A list of errors.                                                               |
| errors       | detail                   | string   | A human-readable explanation specific to this occurrence of the error.          |
| errors       | meta                     | object   | Non-standard meta-information about the error                                   |
| errors       | source                   | object   | References to the source of the error.                                          |
| source       | header                   | string   | A string indicating the name of a single request header which caused the error. |
| source       | parameter                | string   | A string indicating which URI query parameter caused the error.                 |
| source       | pointer                  | string   | A JSON pointer to the value in the request document that caused the error.      |
| errors       | status                   | string   | Status code of the response.                                                    |
| errors       | title                    | string   | Short human-readable summary of the error.                                      |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    {
      "detail": "Missing required attribute in body",
      "meta": {},
      "source": {
        "header": "Authorization",
        "parameter": "limit",
        "pointer": "/data/attributes/title"
      },
      "status": "400",
      "title": "Bad Request"
    }
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="403" %}
Forbidden
{% tab title="Model" %}
API error response.

| Parent field | Field                    | Type     | Description                                                                     |
| ------------ | ------------------------ | -------- | ------------------------------------------------------------------------------- |
|              | errors [*required*] | [object] | A list of errors.                                                               |
| errors       | detail                   | string   | A human-readable explanation specific to this occurrence of the error.          |
| errors       | meta                     | object   | Non-standard meta-information about the error                                   |
| errors       | source                   | object   | References to the source of the error.                                          |
| source       | header                   | string   | A string indicating the name of a single request header which caused the error. |
| source       | parameter                | string   | A string indicating which URI query parameter caused the error.                 |
| source       | pointer                  | string   | A JSON pointer to the value in the request document that caused the error.      |
| errors       | status                   | string   | Status code of the response.                                                    |
| errors       | title                    | string   | Short human-readable summary of the error.                                      |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    {
      "detail": "Missing required attribute in body",
      "meta": {},
      "source": {
        "header": "Authorization",
        "parameter": "limit",
        "pointer": "/data/attributes/title"
      },
      "status": "400",
      "title": "Bad Request"
    }
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="429" %}
Too many requests
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

### Code Example

```bash
# Curl command
# Replace api.datadoghq.com with the API host for your Datadog site (see the endpoint table above).
curl -X PATCH "https://api.datadoghq.com/api/v2/security_monitoring/signals/bulk/state" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "data": [
    {
      "attributes": {
        "state": "open"
      },
      "id": "AAAAAWgN8Xwgr1vKDQAAAABBV2dOOFh3ZzZobm1mWXJFYTR0OA"
    }
  ]
}
EOF
```
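The following is an added example, not code from the Datadog documentation or client libraries: it validates triage updates against the enums in the request model, splits them into request bodies that respect the 199-signal limit, and reconciles each response against what was sent. The function names and signal IDs are constructed for illustration, and treating a sent ID that is absent from `result.events` as unconfirmed is an assumption, since this page does not describe how a rejected `version` is reported.

```python
"""Added example: batching for PATCH /api/v2/security_monitoring/signals/bulk/state."""
import json
import urllib.request

# Limit and enum values as listed in the Overview and request model above.
MAX_SIGNALS_PER_REQUEST = 199
ALLOWED_STATES = {"open", "archived", "under_review"}
ALLOWED_ARCHIVE_REASONS = {
    "none", "false_positive", "testing_or_maintenance", "remediated",
    "investigated_case_opened", "true_positive_benign",
    "true_positive_malicious", "other",
}


def build_update(signal_id, state, archive_reason=None, archive_comment=None, version=None):
    """Build one element of the `data` array, rejecting values outside the enums."""
    if not isinstance(signal_id, str) or not signal_id:
        raise ValueError("signal id must be a non-empty string")
    if state not in ALLOWED_STATES:
        raise ValueError(f"state {state!r} is not one of {sorted(ALLOWED_STATES)}")
    attributes = {"state": state}
    if archive_reason is not None:
        if archive_reason not in ALLOWED_ARCHIVE_REASONS:
            raise ValueError(f"archive_reason {archive_reason!r} is not allowed")
        attributes["archive_reason"] = archive_reason
    if archive_comment is not None:
        attributes["archive_comment"] = archive_comment
    if version is not None:
        # The server rejects the update if its own version is higher.
        attributes["version"] = int(version)
    return {"id": signal_id, "type": "signal", "attributes": attributes}


def build_bulk_bodies(updates):
    """Split updates into request bodies of at most 199 signals each."""
    updates = list(updates)
    return [
        {"data": updates[i:i + MAX_SIGNALS_PER_REQUEST]}
        for i in range(0, len(updates), MAX_SIGNALS_PER_REQUEST)
    ]


def send_bulk_state(api_host, api_key, app_key, body):
    """Send one body; api_host is an API host from the endpoint table above."""
    request = urllib.request.Request(
        f"https://{api_host}/api/v2/security_monitoring/signals/bulk/state",
        data=json.dumps(body).encode("utf-8"),
        method="PATCH",
        headers={
            "Accept": "application/json",
            "Content-Type": "application/json",
            "DD-API-KEY": api_key,
            "DD-APPLICATION-KEY": app_key,
        },
    )
    with urllib.request.urlopen(request, timeout=30) as response:
        return json.load(response)


def unconfirmed_ids(body, response):
    """Return sent signal IDs that do not appear in result.events (assumption:
    an ID missing from the response was not updated and needs follow-up)."""
    events = response.get("result", {}).get("events", [])
    confirmed = {event.get("id") for event in events}
    return [update["id"] for update in body["data"] if update["id"] not in confirmed]


if __name__ == "__main__":
    # Constructed signal IDs; real IDs come from the signals list/search endpoints.
    updates = [
        build_update(f"constructed-signal-{n}", "archived",
                     archive_reason="false_positive",
                     archive_comment="Scanner traffic from approved range")
        for n in range(450)
    ]
    bodies = build_bulk_bodies(updates)
    print([len(body["data"]) for body in bodies])
```

Call `send_bulk_state` once per body and pass each response to `unconfirmed_ids`, so that a triage change that did not land is retried or escalated rather than silently lost.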
                
{% /tab %}

## Bulk update triage assignee of security signals{% #bulk-update-triage-assignee-of-security-signals %}

{% tab title="v2" %}

| Datadog site      | API endpoint                                                                         |
| ----------------- | ------------------------------------------------------------------------------------ |
| ap1.datadoghq.com | PATCH https://api.ap1.datadoghq.com/api/v2/security_monitoring/signals/bulk/assignee |
| ap2.datadoghq.com | PATCH https://api.ap2.datadoghq.com/api/v2/security_monitoring/signals/bulk/assignee |
| app.datadoghq.eu  | PATCH https://api.datadoghq.eu/api/v2/security_monitoring/signals/bulk/assignee      |
| app.ddog-gov.com  | PATCH https://api.ddog-gov.com/api/v2/security_monitoring/signals/bulk/assignee      |
| app.datadoghq.com | PATCH https://api.datadoghq.com/api/v2/security_monitoring/signals/bulk/assignee     |
| us3.datadoghq.com | PATCH https://api.us3.datadoghq.com/api/v2/security_monitoring/signals/bulk/assignee |
| us5.datadoghq.com | PATCH https://api.us5.datadoghq.com/api/v2/security_monitoring/signals/bulk/assignee |

### Overview

Change the triage assignees of multiple security signals at once. The maximum number of signals that can be updated in a single request is 199. This endpoint requires the `security_monitoring_signals_write` permission.

### Request

#### Body Data (required)

Attributes describing the signal assignee updates.

{% tab title="Model" %}

| Parent field | Field                        | Type     | Description                                                                               |
| ------------ | ---------------------------- | -------- | ----------------------------------------------------------------------------------------- |
|              | data [*required*]       | [object] | An array of signal assignee updates.                                                      |
| data         | attributes [*required*] | object   | Attributes describing the new assignees for a bulk signal update.                         |
| attributes   | assignee [*required*]   | string   | UUID of the user to assign to the signal. Use an empty string to unassign.                |
| attributes   | version                      | int64    | Version of the updated signal. If server side version is higher, update will be rejected. |
| data         | id [*required*]         | string   | The unique ID of the security signal.                                                     |
| data         | type                         | enum     | The type of event. Allowed enum values: `signal`                                          |

{% /tab %}

{% tab title="Example" %}

```json
{
  "data": [
    {
      "attributes": {
        "assignee": "773b045d-ccf8-4808-bd3b-955ef6a8c940",
        "version": "integer"
      },
      "id": "AAAAAWgN8Xwgr1vKDQAAAABBV2dOOFh3ZzZobm1mWXJFYTR0OA",
      "type": "signal"
    }
  ]
}
```

{% /tab %}

### Response

{% tab title="200" %}
OK
{% tab title="Model" %}
Response for a bulk triage update of security signals.

| Parent field         | Field                          | Type      | Description                                                                                                                                                                           |
| -------------------- | ------------------------------ | --------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|                      | result [*required*]       | object    | The result payload of a bulk signal triage update.                                                                                                                                    |
| result               | count [*required*]        | int64     | The number of signals updated.                                                                                                                                                        |
| result               | events [*required*]       | [object]  | The list of updated signals.                                                                                                                                                          |
| events               | event [*required*]        | object    | Triage attributes of a security signal returned in a bulk update response.                                                                                                            |
| event                | archive_comment                | string    | Optional comment to display on archived signals.                                                                                                                                      |
| event                | archive_comment_timestamp      | int64     | Timestamp of the last edit to the archive comment.                                                                                                                                    |
| event                | archive_comment_user           | object    | Object representing a given user entity.                                                                                                                                              |
| archive_comment_user | handle                         | string    | The handle for this user account.                                                                                                                                                     |
| archive_comment_user | icon                           | string    | Gravatar icon associated to the user.                                                                                                                                                 |
| archive_comment_user | id                             | int64     | Numerical ID assigned by Datadog to this user account.                                                                                                                                |
| archive_comment_user | name                           | string    | The name for this user account.                                                                                                                                                       |
| archive_comment_user | uuid [*required*]         | string    | UUID assigned by Datadog to this user account.                                                                                                                                        |
| event                | archive_reason                 | enum      | Reason a signal is archived. Allowed enum values: `none,false_positive,testing_or_maintenance,remediated,investigated_case_opened,true_positive_benign,true_positive_malicious,other` |
| event                | assignee [*required*]     | object    | Object representing a given user entity.                                                                                                                                              |
| assignee             | handle                         | string    | The handle for this user account.                                                                                                                                                     |
| assignee             | icon                           | string    | Gravatar icon associated to the user.                                                                                                                                                 |
| assignee             | id                             | int64     | Numerical ID assigned by Datadog to this user account.                                                                                                                                |
| assignee             | name                           | string    | The name for this user account.                                                                                                                                                       |
| assignee             | uuid [*required*]         | string    | UUID assigned by Datadog to this user account.                                                                                                                                        |
| event                | id [*required*]           | string    | The unique ID of the security signal.                                                                                                                                                 |
| event                | incident_ids [*required*] | [integer] | Array of incidents that are associated with this signal.                                                                                                                              |
| event                | state [*required*]        | enum      | The new triage state of the signal. Allowed enum values: `open,archived,under_review`                                                                                                 |
| event                | state_update_timestamp         | int64     | Timestamp of the last state update.                                                                                                                                                   |
| event                | state_update_user              | object    | Object representing a given user entity.                                                                                                                                              |
| state_update_user    | handle                         | string    | The handle for this user account.                                                                                                                                                     |
| state_update_user    | icon                           | string    | Gravatar icon associated to the user.                                                                                                                                                 |
| state_update_user    | id                             | int64     | Numerical ID assigned by Datadog to this user account.                                                                                                                                |
| state_update_user    | name                           | string    | The name for this user account.                                                                                                                                                       |
| state_update_user    | uuid [*required*]         | string    | UUID assigned by Datadog to this user account.                                                                                                                                        |
| events               | id [*required*]           | string    | The unique ID of the security signal.                                                                                                                                                 |
|                      | status [*required*]       | string    | The status of the bulk operation.                                                                                                                                                     |
|                      | type [*required*]         | string    | The type of the response.                                                                                                                                                             |

{% /tab %}

{% tab title="Example" %}

```json
{
  "result": {
    "count": 2,
    "events": [
      {
        "event": {
          "archive_comment": "string",
          "archive_comment_timestamp": "integer",
          "archive_comment_user": {
            "handle": "string",
            "icon": "/path/to/matching/gravatar/icon",
            "id": "integer",
            "name": "string",
            "uuid": "773b045d-ccf8-4808-bd3b-955ef6a8c940"
          },
          "archive_reason": "string",
          "assignee": {
            "handle": "string",
            "icon": "/path/to/matching/gravatar/icon",
            "id": "integer",
            "name": "string",
            "uuid": "773b045d-ccf8-4808-bd3b-955ef6a8c940"
          },
          "id": "AAAAAWgN8Xwgr1vKDQAAAABBV2dOOFh3ZzZobm1mWXJFYTR0OA",
          "incident_ids": [
            2066
          ],
          "state": "open",
          "state_update_timestamp": "integer",
          "state_update_user": {
            "handle": "string",
            "icon": "/path/to/matching/gravatar/icon",
            "id": "integer",
            "name": "string",
            "uuid": "773b045d-ccf8-4808-bd3b-955ef6a8c940"
          }
        },
        "id": "AAAAAWgN8Xwgr1vKDQAAAABBV2dOOFh3ZzZobm1mWXJFYTR0OA"
      }
    ]
  },
  "status": "done",
  "type": "status"
}
```

{% /tab %}

{% /tab %}

{% tab title="400" %}
Bad Request
{% tab title="Model" %}
API error response.

| Parent field | Field                    | Type     | Description                                                                     |
| ------------ | ------------------------ | -------- | ------------------------------------------------------------------------------- |
|              | errors [*required*] | [object] | A list of errors.                                                               |
| errors       | detail                   | string   | A human-readable explanation specific to this occurrence of the error.          |
| errors       | meta                     | object   | Non-standard meta-information about the error.                                  |
| errors       | source                   | object   | References to the source of the error.                                          |
| source       | header                   | string   | A string indicating the name of a single request header which caused the error. |
| source       | parameter                | string   | A string indicating which URI query parameter caused the error.                 |
| source       | pointer                  | string   | A JSON pointer to the value in the request document that caused the error.      |
| errors       | status                   | string   | Status code of the response.                                                    |
| errors       | title                    | string   | Short human-readable summary of the error.                                      |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    {
      "detail": "Missing required attribute in body",
      "meta": {},
      "source": {
        "header": "Authorization",
        "parameter": "limit",
        "pointer": "/data/attributes/title"
      },
      "status": "400",
      "title": "Bad Request"
    }
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="403" %}
Forbidden
{% tab title="Model" %}
API error response.

| Parent field | Field                    | Type     | Description                                                                     |
| ------------ | ------------------------ | -------- | ------------------------------------------------------------------------------- |
|              | errors [*required*] | [object] | A list of errors.                                                               |
| errors       | detail                   | string   | A human-readable explanation specific to this occurrence of the error.          |
| errors       | meta                     | object   | Non-standard meta-information about the error.                                  |
| errors       | source                   | object   | References to the source of the error.                                          |
| source       | header                   | string   | A string indicating the name of a single request header which caused the error. |
| source       | parameter                | string   | A string indicating which URI query parameter caused the error.                 |
| source       | pointer                  | string   | A JSON pointer to the value in the request document that caused the error.      |
| errors       | status                   | string   | Status code of the response.                                                    |
| errors       | title                    | string   | Short human-readable summary of the error.                                      |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    {
      "detail": "Missing required attribute in body",
      "meta": {},
      "source": {
        "header": "Authorization",
        "parameter": "limit",
        "pointer": "/data/attributes/title"
      },
      "status": "400",
      "title": "Bad Request"
    }
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="429" %}
Too many requests
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}
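
An added example (not part of Datadog's documentation or client libraries): a response check for the bulk-assignee call that normalizes the two `errors` shapes documented above (objects for 400/403, plain strings for 429) and confirms each requested signal came back with the expected assignee. The function names and sample bodies are constructed, and treating `done` as the only final status is an assumption.

```python
def normalize_errors(body):
    """Flatten both documented `errors` shapes into uniform dicts."""
    rows = []
    for err in body.get("errors", []):
        if isinstance(err, str):        # 429 model: errors is [string]
            rows.append({"status": None, "title": err, "detail": None, "where": None})
        elif isinstance(err, dict):     # 400/403 model: errors is [object]
            src = err.get("source") or {}
            where = src.get("pointer") or src.get("parameter") or src.get("header")
            rows.append({"status": err.get("status"), "title": err.get("title"),
                         "detail": err.get("detail"), "where": where})
    return rows

def check_bulk_assignment(body, requested_ids, expected_assignee):
    """Return findings for a bulk-assignee response; an empty list means clean."""
    findings = []
    if body.get("status") != "done":    # assumption: "done" is the only final status
        findings.append("status=%r" % body.get("status"))
    events = (body.get("result") or {}).get("events") or []
    seen = {}
    for ev in events:                   # map signal ID -> assignee UUID actually returned
        seen[ev.get("id")] = ((ev.get("event") or {}).get("assignee") or {}).get("uuid")
    for sid in requested_ids:
        if sid not in seen:
            findings.append("signal %s missing from response" % sid)
        elif seen[sid] != expected_assignee:
            findings.append("signal %s assigned to %r" % (sid, seen[sid]))
    return findings

# Constructed sample bodies, modelled on the examples on this page.
SIGNAL = "AAAAAWgN8Xwgr1vKDQAAAABBV2dOOFh3ZzZobm1mWXJFYTR0OA"
USER = "773b045d-ccf8-4808-bd3b-955ef6a8c940"
OK_BODY = {
    "result": {"count": 2, "events": [
        {"event": {"assignee": {"uuid": USER}, "state": "open"}, "id": SIGNAL},
    ]},
    "status": "done",
    "type": "status",
}
ERR_OBJECTS = {"errors": [{"detail": "Missing required attribute in body",
                           "source": {"pointer": "/data/attributes/title"},
                           "status": "400", "title": "Bad Request"}]}
ERR_STRINGS = {"errors": ["Bad Request"]}

if __name__ == "__main__":
    print(check_bulk_assignment(OK_BODY, [SIGNAL, "constructed-second-id"], USER))
    print(normalize_errors(ERR_OBJECTS), normalize_errors(ERR_STRINGS))
```
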

### Code Example

```bash
# Curl command (replace api.datadoghq.com with the API host for your Datadog site)
curl -X PATCH "https://api.datadoghq.com/api/v2/security_monitoring/signals/bulk/assignee" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "data": [
    {
      "attributes": {
        "assignee": "773b045d-ccf8-4808-bd3b-955ef6a8c940"
      },
      "id": "AAAAAWgN8Xwgr1vKDQAAAABBV2dOOFh3ZzZobm1mWXJFYTR0OA"
    }
  ]
}
EOF
```

{% /tab %}
