Security Monitoring

Create a security filter

v2 (latest)

POST https://api.datadoghq.eu/api/v2/security_monitoring/configuration/security_filtershttps://api.ddog-gov.com/api/v2/security_monitoring/configuration/security_filtershttps://api.datadoghq.com/api/v2/security_monitoring/configuration/security_filtershttps://api.us3.datadoghq.com/api/v2/security_monitoring/configuration/security_filtershttps://api.us5.datadoghq.com/api/v2/security_monitoring/configuration/security_filters

Overview

Create a security filter.

See the security filter guide for more examples.

Request

Body Data (required)

The definition of the new security filter.

Expand All

Field

Type

Description

data [required]

object

Object for a single security filter.

{
  "data": {
    "attributes": {
      "exclusion_filters": [
        {
          "name": "Exclude staging",
          "query": "source:staging"
        }
      ],
      "filtered_data_type": "logs",
      "is_enabled": true,
      "name": "Custom security filter",
      "query": "service:api"
    },
    "type": "security_filters"
  }
}

Response

Response object which includes a single security filter.

Expand All

Field

Type

Description

data

object

The security filter's properties.

meta

object

Optional metadata associated to the response.

{
  "data": {
    "attributes": {
      "exclusion_filters": [
        {
          "name": "Exclude staging",
          "query": "source:staging"
        }
      ],
      "filtered_data_type": "logs",
      "is_builtin": false,
      "is_enabled": false,
      "name": "Custom security filter",
      "query": "service:api",
      "version": 1
    },
    "id": "3dd-0uc-h1s",
    "type": "security_filters"
  },
  "meta": {
    "warning": "All the security filters are disabled. As a result, no logs are being analyzed."
  }
}

Bad Request

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Not Authorized

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Conflict

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Too many requests

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Code Example

# Curl command
curl -X POST "https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/configuration/security_filters" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "data": {
    "attributes": {
      "exclusion_filters": [
        {
          "name": "Exclude staging",
          "query": "source:staging"
        }
      ],
      "filtered_data_type": "logs",
      "is_enabled": true,
      "name": "Custom security filter",
      "query": "service:api"
    },
    "type": "security_filters"
  }
}
EOF



           

package main

import (
    "context"
    "encoding/json"
    "fmt"
    "os"
    datadog "github.com/DataDog/datadog-api-client-go/api/v2/datadog"
)

func main() {
    ctx := datadog.NewDefaultContext(context.Background())

    body := *datadog.NewSecurityFilterCreateRequest(*datadog.NewSecurityFilterCreateData(*datadog.NewSecurityFilterCreateAttributes([]datadog.SecurityFilterExclusionFilter{*datadog.NewSecurityFilterExclusionFilter("Exclude staging", "source:staging")}, datadog.SecurityFilterFilteredDataType("logs"), true, "Custom security filter", "service:api"), datadog.SecurityFilterType("security_filters"))) // SecurityFilterCreateRequest | The definition of the new security filter.

    configuration := datadog.NewConfiguration()

    apiClient := datadog.NewAPIClient(configuration)
    resp, r, err := apiClient.SecurityMonitoringApi.CreateSecurityFilter(ctx, body)
    if err != nil {
        fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.CreateSecurityFilter`: %v\n", err)
        fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
    }
    // response from `CreateSecurityFilter`: SecurityFilterResponse
    responseContent, _ := json.MarshalIndent(resp, "", "  ")
    fmt.Fprintf(os.Stdout, "Response from SecurityMonitoringApi.CreateSecurityFilter:\n%s\n", responseContent)
}

Instructions

First install the library and its dependencies and then save the example to main.go and run following commands:

              export DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>"
go run "main.go"

import os
from dateutil.parser import parse as dateutil_parser
from datadog_api_client.v2 import ApiClient, ApiException, Configuration
from datadog_api_client.v2.api import security_monitoring_api
from datadog_api_client.v2.models import *
from pprint import pprint
# See configuration.py for a list of all supported configuration parameters.
configuration = Configuration()

# Enter a context with an instance of the API client
with ApiClient(configuration) as api_client:
    # Create an instance of the API class
    api_instance = security_monitoring_api.SecurityMonitoringApi(api_client)
    body = SecurityFilterCreateRequest(
        data=SecurityFilterCreateData(
            attributes=SecurityFilterCreateAttributes(
                exclusion_filters=[
                    SecurityFilterExclusionFilter(
                        name="Exclude staging",
                        query="source:staging",
                    ),
                ],
                filtered_data_type=SecurityFilterFilteredDataType("logs"),
                is_enabled=True,
                name="Custom security filter",
                query="service:api",
            ),
            type=SecurityFilterType("security_filters"),
        ),
    )  # SecurityFilterCreateRequest | The definition of the new security filter.

    # example passing only required values which don't have defaults set
    try:
        # Create a security filter
        api_response = api_instance.create_security_filter(body)
        pprint(api_response)
    except ApiException as e:
        print("Exception when calling SecurityMonitoringApi->create_security_filter: %s\n" % e)

Instructions

First install the library and its dependencies and then save the example to example.py and run following commands:

              export DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>"
python3 "example.py"

require 'datadog_api_client'
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new
body = DatadogAPIClient::V2::SecurityFilterCreateRequest.new({data: DatadogAPIClient::V2::SecurityFilterCreateData.new({attributes: DatadogAPIClient::V2::SecurityFilterCreateAttributes.new({exclusion_filters: [DatadogAPIClient::V2::SecurityFilterExclusionFilter.new({name: 'Exclude staging', query: 'source:staging'})], filtered_data_type: DatadogAPIClient::V2::SecurityFilterFilteredDataType::LOGS, is_enabled: true, name: 'Custom security filter', query: 'service:api'}), type: DatadogAPIClient::V2::SecurityFilterType::SECURITY_FILTERS})}) # SecurityFilterCreateRequest | The definition of the new security filter.

begin
  # Create a security filter
  result = api_instance.create_security_filter(body)
  p result
rescue DatadogAPIClient::V2::APIError => e
  puts "Error when calling SecurityMonitoringAPI->create_security_filter: #{e}"
end

Instructions

First install the library and its dependencies and then save the example to example.rb and run following commands:

              export DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>"
rb "example.rb"

import { v2 } from "@datadog/datadog-api-client";
import * as fs from "fs";

const configuration = v2.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

let params: v2.SecurityMonitoringApiCreateSecurityFilterRequest = {
  // SecurityFilterCreateRequest | The definition of the new security filter.
  body: {
    data: {
      attributes: {
        exclusionFilters: [
          {
            name: "Exclude staging",
            query: "source:staging",
          },
        ],
        filteredDataType: "logs",
        isEnabled: true,
        name: "Custom security filter",
        query: "service:api",
      },
      type: "security_filters",
    },
  },
};

apiInstance
  .createSecurityFilter(params)
  .then((data: any) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

Instructions

First install the library and its dependencies and then save the example to example.ts and run following commands:

              export DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>"
tsc "example.ts"

import java.util.*;
import com.datadog.api.v2.client.ApiClient;
import com.datadog.api.v2.client.ApiException;
import com.datadog.api.v2.client.Configuration;
import com.datadog.api.v2.client.model.*;
import com.datadog.api.v2.client.api.SecurityMonitoringApi;

public class Example {
    public static void main(String[] args) {
        ApiClient defaultClient = Configuration.getDefaultApiClient();

        SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);
        SecurityFilterCreateRequest body = new SecurityFilterCreateRequest(); // SecurityFilterCreateRequest | The definition of the new security filter.
        try {
            SecurityFilterResponse result = apiInstance.createSecurityFilter(body);
            System.out.println(result);
        } catch (ApiException e) {
            System.err.println("Exception when calling SecurityMonitoringApi#createSecurityFilter");
            System.err.println("Status code: " + e.getCode());
            System.err.println("Reason: " + e.getResponseBody());
            System.err.println("Response headers: " + e.getResponseHeaders());
            e.printStackTrace();
        }
    }
}

Instructions

First install the library and its dependencies and then save the example to Example.java and run following commands:

              export DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>"
java "Example.java"

Delete a security filter

v2 (latest)

DELETE https://api.datadoghq.eu/api/v2/security_monitoring/configuration/security_filters/{security_filter_id}https://api.ddog-gov.com/api/v2/security_monitoring/configuration/security_filters/{security_filter_id}https://api.datadoghq.com/api/v2/security_monitoring/configuration/security_filters/{security_filter_id}https://api.us3.datadoghq.com/api/v2/security_monitoring/configuration/security_filters/{security_filter_id}https://api.us5.datadoghq.com/api/v2/security_monitoring/configuration/security_filters/{security_filter_id}

Overview

Delete a specific security filter.

Arguments

Path Parameters

Name

Type

Description

security_filter_id [required]

string

The ID of the security filter.

Response

Not Authorized

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Not Found

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Too many requests

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Code Example

# Path parameters
export security_filter_id="CHANGE_ME"
# Curl command
curl -X DELETE "https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/configuration/security_filters/${security_filter_id}" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"



           

package main

import (
    "context"
    "fmt"
    "os"
    datadog "github.com/DataDog/datadog-api-client-go/api/v2/datadog"
)

func main() {
    ctx := datadog.NewDefaultContext(context.Background())

    securityFilterId := "securityFilterId_example" // string | The ID of the security filter.

    configuration := datadog.NewConfiguration()

    apiClient := datadog.NewAPIClient(configuration)
    r, err := apiClient.SecurityMonitoringApi.DeleteSecurityFilter(ctx, securityFilterId)
    if err != nil {
        fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.DeleteSecurityFilter`: %v\n", err)
        fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
    }
}

Instructions

First install the library and its dependencies and then save the example to main.go and run following commands:

              export DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>"
go run "main.go"

import os
from dateutil.parser import parse as dateutil_parser
from datadog_api_client.v2 import ApiClient, ApiException, Configuration
from datadog_api_client.v2.api import security_monitoring_api
from datadog_api_client.v2.models import *
from pprint import pprint
# See configuration.py for a list of all supported configuration parameters.
configuration = Configuration()

# Enter a context with an instance of the API client
with ApiClient(configuration) as api_client:
    # Create an instance of the API class
    api_instance = security_monitoring_api.SecurityMonitoringApi(api_client)
    security_filter_id = "security_filter_id_example"  # str | The ID of the security filter.

    # example passing only required values which don't have defaults set
    try:
        # Delete a security filter
        api_instance.delete_security_filter(security_filter_id)
    except ApiException as e:
        print("Exception when calling SecurityMonitoringApi->delete_security_filter: %s\n" % e)

Instructions

First install the library and its dependencies and then save the example to example.py and run following commands:

              export DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>"
python3 "example.py"

require 'datadog_api_client'
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new
security_filter_id = 'security_filter_id_example' # String | The ID of the security filter.

begin
  # Delete a security filter
  api_instance.delete_security_filter(security_filter_id)
rescue DatadogAPIClient::V2::APIError => e
  puts "Error when calling SecurityMonitoringAPI->delete_security_filter: #{e}"
end

Instructions

First install the library and its dependencies and then save the example to example.rb and run following commands:

              export DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>"
rb "example.rb"

import { v2 } from "@datadog/datadog-api-client";
import * as fs from "fs";

const configuration = v2.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

let params: v2.SecurityMonitoringApiDeleteSecurityFilterRequest = {
  // string | The ID of the security filter.
  securityFilterId: "security_filter_id_example",
};

apiInstance
  .deleteSecurityFilter(params)
  .then((data: any) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

Instructions

First install the library and its dependencies and then save the example to example.ts and run following commands:

              export DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>"
tsc "example.ts"

import java.util.*;
import com.datadog.api.v2.client.ApiClient;
import com.datadog.api.v2.client.ApiException;
import com.datadog.api.v2.client.Configuration;
import com.datadog.api.v2.client.model.*;
import com.datadog.api.v2.client.api.SecurityMonitoringApi;

public class Example {
    public static void main(String[] args) {
        ApiClient defaultClient = Configuration.getDefaultApiClient();

        SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);
        String securityFilterId = "securityFilterId_example"; // String | The ID of the security filter.
        try {
            apiInstance.deleteSecurityFilter(securityFilterId);
        } catch (ApiException e) {
            System.err.println("Exception when calling SecurityMonitoringApi#deleteSecurityFilter");
            System.err.println("Status code: " + e.getCode());
            System.err.println("Reason: " + e.getResponseBody());
            System.err.println("Response headers: " + e.getResponseHeaders());
            e.printStackTrace();
        }
    }
}

Instructions

First install the library and its dependencies and then save the example to Example.java and run following commands:

              export DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>"
java "Example.java"

Update a security filter

v2 (latest)

PATCH https://api.datadoghq.eu/api/v2/security_monitoring/configuration/security_filters/{security_filter_id}https://api.ddog-gov.com/api/v2/security_monitoring/configuration/security_filters/{security_filter_id}https://api.datadoghq.com/api/v2/security_monitoring/configuration/security_filters/{security_filter_id}https://api.us3.datadoghq.com/api/v2/security_monitoring/configuration/security_filters/{security_filter_id}https://api.us5.datadoghq.com/api/v2/security_monitoring/configuration/security_filters/{security_filter_id}

Overview

Update a specific security filter. Returns the security filter object when the request is successful.

Arguments

Path Parameters

Name

Type

Description

security_filter_id [required]

string

The ID of the security filter.

Request

Body Data (required)

New definition of the security filter.

Expand All

Field

Type

Description

data [required]

object

The new security filter properties.

{
  "data": {
    "attributes": {
      "exclusion_filters": [
        {
          "name": "Exclude staging",
          "query": "source:staging"
        }
      ],
      "filtered_data_type": "logs",
      "is_enabled": true,
      "name": "Custom security filter",
      "query": "service:api",
      "version": 1
    },
    "type": "security_filters"
  }
}

Response

Response object which includes a single security filter.

Expand All

Field

Type

Description

data

object

The security filter's properties.

meta

object

Optional metadata associated to the response.

{
  "data": {
    "attributes": {
      "exclusion_filters": [
        {
          "name": "Exclude staging",
          "query": "source:staging"
        }
      ],
      "filtered_data_type": "logs",
      "is_builtin": false,
      "is_enabled": false,
      "name": "Custom security filter",
      "query": "service:api",
      "version": 1
    },
    "id": "3dd-0uc-h1s",
    "type": "security_filters"
  },
  "meta": {
    "warning": "All the security filters are disabled. As a result, no logs are being analyzed."
  }
}

Bad Request

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Not Authorized

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Not Found

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Concurrent Modification

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Too many requests

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Code Example

# Path parameters
export security_filter_id="CHANGE_ME"
# Curl command
curl -X PATCH "https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/configuration/security_filters/${security_filter_id}" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "data": {
    "attributes": {
      "exclusion_filters": [
        {
          "name": "Exclude staging",
          "query": "source:staging"
        }
      ]
    },
    "type": "security_filters"
  }
}
EOF



           

package main

import (
    "context"
    "encoding/json"
    "fmt"
    "os"
    datadog "github.com/DataDog/datadog-api-client-go/api/v2/datadog"
)

func main() {
    ctx := datadog.NewDefaultContext(context.Background())

    securityFilterId := "securityFilterId_example" // string | The ID of the security filter.
    body := *datadog.NewSecurityFilterUpdateRequest(*datadog.NewSecurityFilterUpdateData(*datadog.NewSecurityFilterUpdateAttributes(), datadog.SecurityFilterType("security_filters"))) // SecurityFilterUpdateRequest | New definition of the security filter.

    configuration := datadog.NewConfiguration()

    apiClient := datadog.NewAPIClient(configuration)
    resp, r, err := apiClient.SecurityMonitoringApi.UpdateSecurityFilter(ctx, securityFilterId, body)
    if err != nil {
        fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.UpdateSecurityFilter`: %v\n", err)
        fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
    }
    // response from `UpdateSecurityFilter`: SecurityFilterResponse
    responseContent, _ := json.MarshalIndent(resp, "", "  ")
    fmt.Fprintf(os.Stdout, "Response from SecurityMonitoringApi.UpdateSecurityFilter:\n%s\n", responseContent)
}

Instructions

First install the library and its dependencies and then save the example to main.go and run following commands:

              export DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>"
go run "main.go"

import os
from dateutil.parser import parse as dateutil_parser
from datadog_api_client.v2 import ApiClient, ApiException, Configuration
from datadog_api_client.v2.api import security_monitoring_api
from datadog_api_client.v2.models import *
from pprint import pprint
# See configuration.py for a list of all supported configuration parameters.
configuration = Configuration()

# Enter a context with an instance of the API client
with ApiClient(configuration) as api_client:
    # Create an instance of the API class
    api_instance = security_monitoring_api.SecurityMonitoringApi(api_client)
    security_filter_id = "security_filter_id_example"  # str | The ID of the security filter.
    body = SecurityFilterUpdateRequest(
        data=SecurityFilterUpdateData(
            attributes=SecurityFilterUpdateAttributes(
                exclusion_filters=[
                    SecurityFilterExclusionFilter(
                        name="Exclude staging",
                        query="source:staging",
                    ),
                ],
                filtered_data_type=SecurityFilterFilteredDataType("logs"),
                is_enabled=True,
                name="Custom security filter",
                query="service:api",
                version=1,
            ),
            type=SecurityFilterType("security_filters"),
        ),
    )  # SecurityFilterUpdateRequest | New definition of the security filter.

    # example passing only required values which don't have defaults set
    try:
        # Update a security filter
        api_response = api_instance.update_security_filter(security_filter_id, body)
        pprint(api_response)
    except ApiException as e:
        print("Exception when calling SecurityMonitoringApi->update_security_filter: %s\n" % e)

Instructions

First install the library and its dependencies and then save the example to example.py and run following commands:

              export DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>"
python3 "example.py"

require 'datadog_api_client'
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new
security_filter_id = 'security_filter_id_example' # String | The ID of the security filter.
body = DatadogAPIClient::V2::SecurityFilterUpdateRequest.new({data: DatadogAPIClient::V2::SecurityFilterUpdateData.new({attributes: DatadogAPIClient::V2::SecurityFilterUpdateAttributes.new, type: DatadogAPIClient::V2::SecurityFilterType::SECURITY_FILTERS})}) # SecurityFilterUpdateRequest | New definition of the security filter.

begin
  # Update a security filter
  result = api_instance.update_security_filter(security_filter_id, body)
  p result
rescue DatadogAPIClient::V2::APIError => e
  puts "Error when calling SecurityMonitoringAPI->update_security_filter: #{e}"
end

Instructions

First install the library and its dependencies and then save the example to example.rb and run following commands:

              export DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>"
rb "example.rb"

import { v2 } from "@datadog/datadog-api-client";
import * as fs from "fs";

const configuration = v2.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

let params: v2.SecurityMonitoringApiUpdateSecurityFilterRequest = {
  // string | The ID of the security filter.
  securityFilterId: "security_filter_id_example",
  // SecurityFilterUpdateRequest | New definition of the security filter.
  body: {
    data: {
      attributes: {
        exclusionFilters: [],
        filteredDataType: "logs",
        isEnabled: true,
        name: "Custom security filter",
        query: "service:api",
        version: 1,
      },
      type: "security_filters",
    },
  },
};

apiInstance
  .updateSecurityFilter(params)
  .then((data: any) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

Instructions

First install the library and its dependencies and then save the example to example.ts and run following commands:

              export DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>"
tsc "example.ts"

import java.util.*;
import com.datadog.api.v2.client.ApiClient;
import com.datadog.api.v2.client.ApiException;
import com.datadog.api.v2.client.Configuration;
import com.datadog.api.v2.client.model.*;
import com.datadog.api.v2.client.api.SecurityMonitoringApi;

public class Example {
    public static void main(String[] args) {
        ApiClient defaultClient = Configuration.getDefaultApiClient();

        SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);
        String securityFilterId = "securityFilterId_example"; // String | The ID of the security filter.
        SecurityFilterUpdateRequest body = new SecurityFilterUpdateRequest(); // SecurityFilterUpdateRequest | New definition of the security filter.
        try {
            SecurityFilterResponse result = apiInstance.updateSecurityFilter(securityFilterId, body);
            System.out.println(result);
        } catch (ApiException e) {
            System.err.println("Exception when calling SecurityMonitoringApi#updateSecurityFilter");
            System.err.println("Status code: " + e.getCode());
            System.err.println("Reason: " + e.getResponseBody());
            System.err.println("Response headers: " + e.getResponseHeaders());
            e.printStackTrace();
        }
    }
}

Instructions

First install the library and its dependencies and then save the example to Example.java and run following commands:

              export DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>"
java "Example.java"

Get a security filter

v2 (latest)

GET https://api.datadoghq.eu/api/v2/security_monitoring/configuration/security_filters/{security_filter_id}https://api.ddog-gov.com/api/v2/security_monitoring/configuration/security_filters/{security_filter_id}https://api.datadoghq.com/api/v2/security_monitoring/configuration/security_filters/{security_filter_id}https://api.us3.datadoghq.com/api/v2/security_monitoring/configuration/security_filters/{security_filter_id}https://api.us5.datadoghq.com/api/v2/security_monitoring/configuration/security_filters/{security_filter_id}

Overview

Get the details of a specific security filter.

See the security filter guide for more examples.

Arguments

Path Parameters

Name

Type

Description

security_filter_id [required]

string

The ID of the security filter.

Response

Response object which includes a single security filter.

Expand All

Field

Type

Description

data

object

The security filter's properties.

meta

object

Optional metadata associated to the response.

{
  "data": {
    "attributes": {
      "exclusion_filters": [
        {
          "name": "Exclude staging",
          "query": "source:staging"
        }
      ],
      "filtered_data_type": "logs",
      "is_builtin": false,
      "is_enabled": false,
      "name": "Custom security filter",
      "query": "service:api",
      "version": 1
    },
    "id": "3dd-0uc-h1s",
    "type": "security_filters"
  },
  "meta": {
    "warning": "All the security filters are disabled. As a result, no logs are being analyzed."
  }
}

Not Authorized

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Not Found

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Too many requests

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Code Example

# Path parameters
export security_filter_id="CHANGE_ME"
# Curl command
curl -X GET "https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/configuration/security_filters/${security_filter_id}" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"



           

package main

import (
    "context"
    "encoding/json"
    "fmt"
    "os"
    datadog "github.com/DataDog/datadog-api-client-go/api/v2/datadog"
)

func main() {
    ctx := datadog.NewDefaultContext(context.Background())

    securityFilterId := "securityFilterId_example" // string | The ID of the security filter.

    configuration := datadog.NewConfiguration()

    apiClient := datadog.NewAPIClient(configuration)
    resp, r, err := apiClient.SecurityMonitoringApi.GetSecurityFilter(ctx, securityFilterId)
    if err != nil {
        fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.GetSecurityFilter`: %v\n", err)
        fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
    }
    // response from `GetSecurityFilter`: SecurityFilterResponse
    responseContent, _ := json.MarshalIndent(resp, "", "  ")
    fmt.Fprintf(os.Stdout, "Response from SecurityMonitoringApi.GetSecurityFilter:\n%s\n", responseContent)
}

Instructions

First install the library and its dependencies and then save the example to main.go and run following commands:

              export DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>"
go run "main.go"

import os
from dateutil.parser import parse as dateutil_parser
from datadog_api_client.v2 import ApiClient, ApiException, Configuration
from datadog_api_client.v2.api import security_monitoring_api
from datadog_api_client.v2.models import *
from pprint import pprint
# See configuration.py for a list of all supported configuration parameters.
configuration = Configuration()

# Enter a context with an instance of the API client
with ApiClient(configuration) as api_client:
    # Create an instance of the API class
    api_instance = security_monitoring_api.SecurityMonitoringApi(api_client)
    security_filter_id = "security_filter_id_example"  # str | The ID of the security filter.

    # example passing only required values which don't have defaults set
    try:
        # Get a security filter
        api_response = api_instance.get_security_filter(security_filter_id)
        pprint(api_response)
    except ApiException as e:
        print("Exception when calling SecurityMonitoringApi->get_security_filter: %s\n" % e)

Instructions

First install the library and its dependencies and then save the example to example.py and run following commands:

              export DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>"
python3 "example.py"

require 'datadog_api_client'
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new
security_filter_id = 'security_filter_id_example' # String | The ID of the security filter.

begin
  # Get a security filter
  result = api_instance.get_security_filter(security_filter_id)
  p result
rescue DatadogAPIClient::V2::APIError => e
  puts "Error when calling SecurityMonitoringAPI->get_security_filter: #{e}"
end

Instructions

First install the library and its dependencies and then save the example to example.rb and run following commands:

              export DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>"
rb "example.rb"

import { v2 } from "@datadog/datadog-api-client";
import * as fs from "fs";

const configuration = v2.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

let params: v2.SecurityMonitoringApiGetSecurityFilterRequest = {
  // string | The ID of the security filter.
  securityFilterId: "security_filter_id_example",
};

apiInstance
  .getSecurityFilter(params)
  .then((data: any) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

Instructions

First install the library and its dependencies and then save the example to example.ts and run following commands:

              export DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>"
tsc "example.ts"

import java.util.*;
import com.datadog.api.v2.client.ApiClient;
import com.datadog.api.v2.client.ApiException;
import com.datadog.api.v2.client.Configuration;
import com.datadog.api.v2.client.model.*;
import com.datadog.api.v2.client.api.SecurityMonitoringApi;

public class Example {
    public static void main(String[] args) {
        ApiClient defaultClient = Configuration.getDefaultApiClient();

        SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);
        String securityFilterId = "securityFilterId_example"; // String | The ID of the security filter.
        try {
            SecurityFilterResponse result = apiInstance.getSecurityFilter(securityFilterId);
            System.out.println(result);
        } catch (ApiException e) {
            System.err.println("Exception when calling SecurityMonitoringApi#getSecurityFilter");
            System.err.println("Status code: " + e.getCode());
            System.err.println("Reason: " + e.getResponseBody());
            System.err.println("Response headers: " + e.getResponseHeaders());
            e.printStackTrace();
        }
    }
}

Instructions

First install the library and its dependencies and then save the example to Example.java and run following commands:

              export DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>"
java "Example.java"

Get all security filters

v2 (latest)

GET https://api.datadoghq.eu/api/v2/security_monitoring/configuration/security_filtershttps://api.ddog-gov.com/api/v2/security_monitoring/configuration/security_filtershttps://api.datadoghq.com/api/v2/security_monitoring/configuration/security_filtershttps://api.us3.datadoghq.com/api/v2/security_monitoring/configuration/security_filtershttps://api.us5.datadoghq.com/api/v2/security_monitoring/configuration/security_filters

Overview

Get the list of configured security filters with their definitions.

Response

All the available security filters objects.

Expand All

Field

Type

Description

data

[object]

A list of security filters objects.

meta

object

Optional metadata associated to the response.

{
  "data": [
    {
      "attributes": {
        "exclusion_filters": [
          {
            "name": "Exclude staging",
            "query": "source:staging"
          }
        ],
        "filtered_data_type": "logs",
        "is_builtin": false,
        "is_enabled": false,
        "name": "Custom security filter",
        "query": "service:api",
        "version": 1
      },
      "id": "3dd-0uc-h1s",
      "type": "security_filters"
    }
  ],
  "meta": {
    "warning": "All the security filters are disabled. As a result, no logs are being analyzed."
  }
}

Not Authorized

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Too many requests

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Code Example

# Curl command
curl -X GET "https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/configuration/security_filters" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"

package main

import (
    "context"
    "encoding/json"
    "fmt"
    "os"
    datadog "github.com/DataDog/datadog-api-client-go/api/v2/datadog"
)

func main() {
    ctx := datadog.NewDefaultContext(context.Background())


    configuration := datadog.NewConfiguration()

    apiClient := datadog.NewAPIClient(configuration)
    resp, r, err := apiClient.SecurityMonitoringApi.ListSecurityFilters(ctx)
    if err != nil {
        fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.ListSecurityFilters`: %v\n", err)
        fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
    }
    // response from `ListSecurityFilters`: SecurityFiltersResponse
    responseContent, _ := json.MarshalIndent(resp, "", "  ")
    fmt.Fprintf(os.Stdout, "Response from SecurityMonitoringApi.ListSecurityFilters:\n%s\n", responseContent)
}

Instructions

First install the library and its dependencies and then save the example to main.go and run following commands:

              export DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>"
go run "main.go"

import os
from dateutil.parser import parse as dateutil_parser
from datadog_api_client.v2 import ApiClient, ApiException, Configuration
from datadog_api_client.v2.api import security_monitoring_api
from datadog_api_client.v2.models import *
from pprint import pprint
# See configuration.py for a list of all supported configuration parameters.
configuration = Configuration()

# Enter a context with an instance of the API client
with ApiClient(configuration) as api_client:
    # Create an instance of the API class
    api_instance = security_monitoring_api.SecurityMonitoringApi(api_client)

    # example, this endpoint has no required or optional parameters
    try:
        # Get all security filters
        api_response = api_instance.list_security_filters()
        pprint(api_response)
    except ApiException as e:
        print("Exception when calling SecurityMonitoringApi->list_security_filters: %s\n" % e)

Instructions

First install the library and its dependencies and then save the example to example.py and run following commands:

              export DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>"
python3 "example.py"

require 'datadog_api_client'
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

begin
  # Get all security filters
  result = api_instance.list_security_filters
  p result
rescue DatadogAPIClient::V2::APIError => e
  puts "Error when calling SecurityMonitoringAPI->list_security_filters: #{e}"
end

Instructions

First install the library and its dependencies and then save the example to example.rb and run following commands:

              export DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>"
rb "example.rb"

import { v2 } from "@datadog/datadog-api-client";
import * as fs from "fs";

const configuration = v2.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

apiInstance
  .listSecurityFilters()
  .then((data: any) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

Instructions

First install the library and its dependencies and then save the example to example.ts and run following commands:

              export DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>"
tsc "example.ts"

import java.util.*;
import com.datadog.api.v2.client.ApiClient;
import com.datadog.api.v2.client.ApiException;
import com.datadog.api.v2.client.Configuration;
import com.datadog.api.v2.client.model.*;
import com.datadog.api.v2.client.api.SecurityMonitoringApi;

public class Example {
    public static void main(String[] args) {
        ApiClient defaultClient = Configuration.getDefaultApiClient();

        SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);
        try {
            SecurityFiltersResponse result = apiInstance.listSecurityFilters();
            System.out.println(result);
        } catch (ApiException e) {
            System.err.println("Exception when calling SecurityMonitoringApi#listSecurityFilters");
            System.err.println("Status code: " + e.getCode());
            System.err.println("Reason: " + e.getResponseBody());
            System.err.println("Response headers: " + e.getResponseHeaders());
            e.printStackTrace();
        }
    }
}

Instructions

First install the library and its dependencies and then save the example to Example.java and run following commands:

              export DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>"
java "Example.java"

List rules

v2 (latest)

GET https://api.datadoghq.eu/api/v2/security_monitoring/ruleshttps://api.ddog-gov.com/api/v2/security_monitoring/ruleshttps://api.datadoghq.com/api/v2/security_monitoring/ruleshttps://api.us3.datadoghq.com/api/v2/security_monitoring/ruleshttps://api.us5.datadoghq.com/api/v2/security_monitoring/rules

Overview

List rules.

Arguments

Query Strings

Name

Type

Description

page[size]

integer

Size for a given page.

page[number]

integer

Specific page number to return.

Response

List of rules.

Expand All

Field

Type

Description

data

[]

Array containing the list of rules.

meta

object

Object describing meta attributes of response.

{
  "data": [
    {
      "cases": [
        {
          "condition": "string",
          "name": "string",
          "notifications": [],
          "status": "critical"
        }
      ],
      "createdAt": "integer",
      "creationAuthorId": "integer",
      "filters": [
        {
          "action": "string",
          "query": "string"
        }
      ],
      "hasExtendedTitle": false,
      "id": "string",
      "isDefault": false,
      "isDeleted": false,
      "isEnabled": false,
      "message": "string",
      "name": "string",
      "options": {
        "detectionMethod": "string",
        "evaluationWindow": "integer",
        "keepAlive": "integer",
        "maxSignalDuration": "integer",
        "newValueOptions": {
          "forgetAfter": "integer",
          "learningDuration": "integer"
        }
      },
      "queries": [
        {
          "agentRule": {
            "agentRuleId": "etc_shadow",
            "expression": "string"
          },
          "aggregation": "string",
          "distinctFields": [],
          "groupByFields": [],
          "metric": "string",
          "name": "string",
          "query": "string"
        }
      ],
      "tags": [],
      "type": "string",
      "updateAuthorId": "integer",
      "version": "integer"
    }
  ],
  "meta": {
    "page": {
      "total_count": "integer",
      "total_filtered_count": "integer"
    }
  }
}

Bad Request

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Code Example

# Curl command
curl -X GET "https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/rules" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"

package main

import (
    "context"
    "encoding/json"
    "fmt"
    "os"
    datadog "github.com/DataDog/datadog-api-client-go/api/v2/datadog"
)

func main() {
    ctx := datadog.NewDefaultContext(context.Background())

    pageSize := int64(10) // int64 | Size for a given page. (optional) (default to 10)
    pageNumber := int64(0) // int64 | Specific page number to return. (optional) (default to 0)
    optionalParams := datadog.ListSecurityMonitoringRulesOptionalParameters{
        PageSize: &pageSize,
        PageNumber: &pageNumber,
    }

    configuration := datadog.NewConfiguration()

    apiClient := datadog.NewAPIClient(configuration)
    resp, r, err := apiClient.SecurityMonitoringApi.ListSecurityMonitoringRules(ctx, optionalParams)
    if err != nil {
        fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.ListSecurityMonitoringRules`: %v\n", err)
        fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
    }
    // response from `ListSecurityMonitoringRules`: SecurityMonitoringListRulesResponse
    responseContent, _ := json.MarshalIndent(resp, "", "  ")
    fmt.Fprintf(os.Stdout, "Response from SecurityMonitoringApi.ListSecurityMonitoringRules:\n%s\n", responseContent)
}

Instructions

First install the library and its dependencies and then save the example to main.go and run following commands:

              export DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>"
go run "main.go"

import os
from dateutil.parser import parse as dateutil_parser
from datadog_api_client.v2 import ApiClient, ApiException, Configuration
from datadog_api_client.v2.api import security_monitoring_api
from datadog_api_client.v2.models import *
from pprint import pprint
# See configuration.py for a list of all supported configuration parameters.
configuration = Configuration()

# Enter a context with an instance of the API client
with ApiClient(configuration) as api_client:
    # Create an instance of the API class
    api_instance = security_monitoring_api.SecurityMonitoringApi(api_client)
    page_size = 10  # int | Size for a given page. (optional) if omitted the server will use the default value of 10
    page_number = 0  # int | Specific page number to return. (optional) if omitted the server will use the default value of 0

    # example passing only required values which don't have defaults set
    # and optional values
    try:
        # List rules
        api_response = api_instance.list_security_monitoring_rules(page_size=page_size, page_number=page_number)
        pprint(api_response)
    except ApiException as e:
        print("Exception when calling SecurityMonitoringApi->list_security_monitoring_rules: %s\n" % e)

Instructions

First install the library and its dependencies and then save the example to example.py and run following commands:

              export DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>"
python3 "example.py"

require 'datadog_api_client'
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new
opts = {
  page_size: 10, # Integer | Size for a given page.
  page_number: 0 # Integer | Specific page number to return.
}

begin
  # List rules
  result = api_instance.list_security_monitoring_rules(opts)
  p result
rescue DatadogAPIClient::V2::APIError => e
  puts "Error when calling SecurityMonitoringAPI->list_security_monitoring_rules: #{e}"
end

Instructions

First install the library and its dependencies and then save the example to example.rb and run following commands:

              export DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>"
rb "example.rb"

import { v2 } from "@datadog/datadog-api-client";
import * as fs from "fs";

const configuration = v2.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

let params: v2.SecurityMonitoringApiListSecurityMonitoringRulesRequest = {
  // number | Size for a given page. (optional)
  pageSize: 10,
  // number | Specific page number to return. (optional)
  pageNumber: 0,
};

apiInstance
  .listSecurityMonitoringRules(params)
  .then((data: any) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

Instructions

First install the library and its dependencies and then save the example to example.ts and run following commands:

              export DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>"
tsc "example.ts"

import java.util.*;
import com.datadog.api.v2.client.ApiClient;
import com.datadog.api.v2.client.ApiException;
import com.datadog.api.v2.client.Configuration;
import com.datadog.api.v2.client.model.*;
import com.datadog.api.v2.client.api.SecurityMonitoringApi;

public class Example {
    public static void main(String[] args) {
        ApiClient defaultClient = Configuration.getDefaultApiClient();

        SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);
        Long pageSize = 10L; // Long | Size for a given page.
        Long pageNumber = 0L; // Long | Specific page number to return.
        try {
            SecurityMonitoringListRulesResponse result = apiInstance.listSecurityMonitoringRules(new SecurityMonitoringApi.ListSecurityMonitoringRulesOptionalParameters()
                .pageSize(pageSize)
                .pageNumber(pageNumber));
            System.out.println(result);
        } catch (ApiException e) {
            System.err.println("Exception when calling SecurityMonitoringApi#listSecurityMonitoringRules");
            System.err.println("Status code: " + e.getCode());
            System.err.println("Reason: " + e.getResponseBody());
            System.err.println("Response headers: " + e.getResponseHeaders());
            e.printStackTrace();
        }
    }
}

Instructions

First install the library and its dependencies and then save the example to Example.java and run following commands:

              export DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>"
java "Example.java"

Create a detection rule

v2 (latest)

POST https://api.datadoghq.eu/api/v2/security_monitoring/ruleshttps://api.ddog-gov.com/api/v2/security_monitoring/ruleshttps://api.datadoghq.com/api/v2/security_monitoring/ruleshttps://api.us3.datadoghq.com/api/v2/security_monitoring/ruleshttps://api.us5.datadoghq.com/api/v2/security_monitoring/rules

Overview

Create a detection rule.

Request

Body Data (required)

Expand All

Field

Type

Description

cases [required]

[object]

Cases for generating signals.

filters

[object]

Additional queries to filter matched events before they are processed.

hasExtendedTitle

boolean

Whether the notifications include the triggering group-by values in their title.

isEnabled [required]

boolean

Whether the rule is enabled.

message [required]

string

Message for generated signals.

name [required]

string

The name of the rule.

options [required]

object

Options on rules.

queries [required]

[object]

Queries for selecting logs which are part of the rule.

tags

[string]

Tags for generated signals.

type

enum

The rule type. Allowed enum values: log_detection,workload_security

{
  "cases": [
    {
      "condition": "string",
      "name": "string",
      "notifications": [],
      "status": "critical"
    }
  ],
  "filters": [
    {
      "action": "string",
      "query": "string"
    }
  ],
  "hasExtendedTitle": true,
  "isEnabled": true,
  "message": "",
  "name": "My security monitoring rule.",
  "options": {
    "detectionMethod": "string",
    "evaluationWindow": "integer",
    "keepAlive": "integer",
    "maxSignalDuration": "integer",
    "newValueOptions": {
      "forgetAfter": "integer",
      "learningDuration": "integer"
    }
  },
  "queries": [
    {
      "agentRule": {
        "agentRuleId": "etc_shadow",
        "expression": "string"
      },
      "aggregation": "string",
      "distinctFields": [],
      "groupByFields": [],
      "metric": "string",
      "name": "string",
      "query": "a > 3"
    }
  ],
  "tags": [
    "env:prod",
    "team:security"
  ],
  "type": "string"
}

Response

Rule.

Expand All

Field

Type

Description

cases

[object]

Cases for generating signals.

createdAt

int64

When the rule was created, timestamp in milliseconds.

creationAuthorId

int64

User ID of the user who created the rule.

filters

[object]

Additional queries to filter matched events before they are processed.

hasExtendedTitle

boolean

Whether the notifications include the triggering group-by values in their title.

string

The ID of the rule.

isDefault

boolean

Whether the rule is included by default.

isDeleted

boolean

Whether the rule has been deleted.

isEnabled

boolean

Whether the rule is enabled.

message

string

Message for generated signals.

name

string

The name of the rule.

options

object

Options on rules.

queries

[object]

Queries for selecting logs which are part of the rule.

tags

[string]

Tags for generated signals.

type

enum

The rule type. Allowed enum values: log_detection,infrastructure_configuration,workload_security,cloud_configuration

updateAuthorId

int64

User ID of the user who updated the rule.

version

int64

The version of the rule.

{
  "cases": [
    {
      "condition": "string",
      "name": "string",
      "notifications": [],
      "status": "critical"
    }
  ],
  "createdAt": "integer",
  "creationAuthorId": "integer",
  "filters": [
    {
      "action": "string",
      "query": "string"
    }
  ],
  "hasExtendedTitle": false,
  "id": "string",
  "isDefault": false,
  "isDeleted": false,
  "isEnabled": false,
  "message": "string",
  "name": "string",
  "options": {
    "detectionMethod": "string",
    "evaluationWindow": "integer",
    "keepAlive": "integer",
    "maxSignalDuration": "integer",
    "newValueOptions": {
      "forgetAfter": "integer",
      "learningDuration": "integer"
    }
  },
  "queries": [
    {
      "agentRule": {
        "agentRuleId": "etc_shadow",
        "expression": "string"
      },
      "aggregation": "string",
      "distinctFields": [],
      "groupByFields": [],
      "metric": "string",
      "name": "string",
      "query": "string"
    }
  ],
  "tags": [],
  "type": "string",
  "updateAuthorId": "integer",
  "version": "integer"
}

Bad Request

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Not Authorized

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Code Example

# Curl command
curl -X POST "https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/rules" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "cases": [
    {
      "status": "critical"
    }
  ],
  "isEnabled": true,
  "message": "",
  "name": "My security monitoring rule.",
  "options": {},
  "queries": [
    {
      "query": "a > 3"
    }
  ]
}
EOF



           

package main

import (
    "context"
    "encoding/json"
    "fmt"
    "os"
    datadog "github.com/DataDog/datadog-api-client-go/api/v2/datadog"
)

func main() {
    ctx := datadog.NewDefaultContext(context.Background())

    body := *datadog.NewSecurityMonitoringRuleCreatePayload([]datadog.SecurityMonitoringRuleCaseCreate{*datadog.NewSecurityMonitoringRuleCaseCreate(datadog.SecurityMonitoringRuleSeverity("info"))}, true, "Message_example", "My security monitoring rule.", *datadog.NewSecurityMonitoringRuleOptions(), []datadog.SecurityMonitoringRuleQueryCreate{*datadog.NewSecurityMonitoringRuleQueryCreate("a > 3")}) // SecurityMonitoringRuleCreatePayload | 

    configuration := datadog.NewConfiguration()

    apiClient := datadog.NewAPIClient(configuration)
    resp, r, err := apiClient.SecurityMonitoringApi.CreateSecurityMonitoringRule(ctx, body)
    if err != nil {
        fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.CreateSecurityMonitoringRule`: %v\n", err)
        fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
    }
    // response from `CreateSecurityMonitoringRule`: SecurityMonitoringRuleResponse
    responseContent, _ := json.MarshalIndent(resp, "", "  ")
    fmt.Fprintf(os.Stdout, "Response from SecurityMonitoringApi.CreateSecurityMonitoringRule:\n%s\n", responseContent)
}

Instructions

First install the library and its dependencies and then save the example to main.go and run following commands:

              export DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>"
go run "main.go"

import os
from dateutil.parser import parse as dateutil_parser
from datadog_api_client.v2 import ApiClient, ApiException, Configuration
from datadog_api_client.v2.api import security_monitoring_api
from datadog_api_client.v2.models import *
from pprint import pprint
# See configuration.py for a list of all supported configuration parameters.
configuration = Configuration()

# Enter a context with an instance of the API client
with ApiClient(configuration) as api_client:
    # Create an instance of the API class
    api_instance = security_monitoring_api.SecurityMonitoringApi(api_client)
    body = SecurityMonitoringRuleCreatePayload(
        cases=[
            SecurityMonitoringRuleCaseCreate(
                condition="condition_example",
                name="name_example",
                notifications=[
                    "notifications_example",
                ],
                status=SecurityMonitoringRuleSeverity("critical"),
            ),
        ],
        filters=[
            SecurityMonitoringFilter(
                action=SecurityMonitoringFilterAction("require"),
                query="query_example",
            ),
        ],
        has_extended_title=True,
        is_enabled=True,
        message="",
        name="My security monitoring rule.",
        options=SecurityMonitoringRuleOptions(
            detection_method=SecurityMonitoringRuleDetectionMethod("threshold"),
            evaluation_window=SecurityMonitoringRuleEvaluationWindow(0),
            keep_alive=SecurityMonitoringRuleKeepAlive(0),
            max_signal_duration=SecurityMonitoringRuleMaxSignalDuration(0),
            new_value_options=SecurityMonitoringRuleNewValueOptions(
                forget_after=SecurityMonitoringRuleNewValueOptionsForgetAfter(1),
                learning_duration=SecurityMonitoringRuleNewValueOptionsLearningDuration(0),
            ),
        ),
        queries=[
            SecurityMonitoringRuleQueryCreate(
                agent_rule=SecurityMonitoringRuntimeAgentRule(
                    agent_rule_id="etc_shadow",
                    expression="expression_example",
                ),
                aggregation=SecurityMonitoringRuleQueryAggregation("count"),
                distinct_fields=[
                    "distinct_fields_example",
                ],
                group_by_fields=[
                    "group_by_fields_example",
                ],
                metric="metric_example",
                name="name_example",
                query="a > 3",
            ),
        ],
        tags=["env:prod","team:security"],
        type=SecurityMonitoringRuleTypeCreate("log_detection"),
    )  # SecurityMonitoringRuleCreatePayload |

    # example passing only required values which don't have defaults set
    try:
        # Create a detection rule
        api_response = api_instance.create_security_monitoring_rule(body)
        pprint(api_response)
    except ApiException as e:
        print("Exception when calling SecurityMonitoringApi->create_security_monitoring_rule: %s\n" % e)

Instructions

First install the library and its dependencies and then save the example to example.py and run following commands:

              export DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>"
python3 "example.py"

require 'datadog_api_client'
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new
body = DatadogAPIClient::V2::SecurityMonitoringRuleCreatePayload.new({cases: [DatadogAPIClient::V2::SecurityMonitoringRuleCaseCreate.new({status: DatadogAPIClient::V2::SecurityMonitoringRuleSeverity::INFO})], is_enabled: true, message: 'message_example', name: 'My security monitoring rule.', options: DatadogAPIClient::V2::SecurityMonitoringRuleOptions.new, queries: [DatadogAPIClient::V2::SecurityMonitoringRuleQueryCreate.new({query: 'a > 3'})]}) # SecurityMonitoringRuleCreatePayload |

begin
  # Create a detection rule
  result = api_instance.create_security_monitoring_rule(body)
  p result
rescue DatadogAPIClient::V2::APIError => e
  puts "Error when calling SecurityMonitoringAPI->create_security_monitoring_rule: #{e}"
end

Instructions

First install the library and its dependencies and then save the example to example.rb and run following commands:

              export DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>"
rb "example.rb"

import { v2 } from "@datadog/datadog-api-client";
import * as fs from "fs";

const configuration = v2.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

let params: v2.SecurityMonitoringApiCreateSecurityMonitoringRuleRequest = {
  // SecurityMonitoringRuleCreatePayload
  body: {
    cases: [],
    filters: [
      {
        action: "require",
        query: "query_example",
      },
    ],
    hasExtendedTitle: true,
    isEnabled: true,
    message: "",
    name: "My security monitoring rule.",
    options: {
      detectionMethod: "threshold",
      evaluationWindow: 0,
      keepAlive: 0,
      maxSignalDuration: 0,
      newValueOptions: {
        forgetAfter: 1,
        learningDuration: 0,
      },
    },
    queries: [],
    tags: ["env:prod", "team:security"],
    type: "log_detection",
  },
};

apiInstance
  .createSecurityMonitoringRule(params)
  .then((data: any) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

Instructions

First install the library and its dependencies and then save the example to example.ts and run following commands:

              export DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>"
tsc "example.ts"

import java.util.*;
import com.datadog.api.v2.client.ApiClient;
import com.datadog.api.v2.client.ApiException;
import com.datadog.api.v2.client.Configuration;
import com.datadog.api.v2.client.model.*;
import com.datadog.api.v2.client.api.SecurityMonitoringApi;

public class Example {
    public static void main(String[] args) {
        ApiClient defaultClient = Configuration.getDefaultApiClient();

        SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);
        SecurityMonitoringRuleCreatePayload body = new SecurityMonitoringRuleCreatePayload(); // SecurityMonitoringRuleCreatePayload |
        try {
            SecurityMonitoringRuleResponse result = apiInstance.createSecurityMonitoringRule(body);
            System.out.println(result);
        } catch (ApiException e) {
            System.err.println("Exception when calling SecurityMonitoringApi#createSecurityMonitoringRule");
            System.err.println("Status code: " + e.getCode());
            System.err.println("Reason: " + e.getResponseBody());
            System.err.println("Response headers: " + e.getResponseHeaders());
            e.printStackTrace();
        }
    }
}

Instructions

First install the library and its dependencies and then save the example to Example.java and run following commands:

              export DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>"
java "Example.java"

Get a rule's details

v2 (latest)

GET https://api.datadoghq.eu/api/v2/security_monitoring/rules/{rule_id}https://api.ddog-gov.com/api/v2/security_monitoring/rules/{rule_id}https://api.datadoghq.com/api/v2/security_monitoring/rules/{rule_id}https://api.us3.datadoghq.com/api/v2/security_monitoring/rules/{rule_id}https://api.us5.datadoghq.com/api/v2/security_monitoring/rules/{rule_id}

Overview

Get a rule’s details.

Arguments

Path Parameters

Name

Type

Description

rule_id [required]

string

The ID of the rule.

Response

Rule.

Expand All

Field

Type

Description

cases

[object]

Cases for generating signals.

createdAt

int64

When the rule was created, timestamp in milliseconds.

creationAuthorId

int64

User ID of the user who created the rule.

filters

[object]

Additional queries to filter matched events before they are processed.

hasExtendedTitle

boolean

Whether the notifications include the triggering group-by values in their title.

string

The ID of the rule.

isDefault

boolean

Whether the rule is included by default.

isDeleted

boolean

Whether the rule has been deleted.

isEnabled

boolean

Whether the rule is enabled.

message

string

Message for generated signals.

name

string

The name of the rule.

options

object

Options on rules.

queries

[object]

Queries for selecting logs which are part of the rule.

tags

[string]

Tags for generated signals.

type

enum

The rule type. Allowed enum values: log_detection,infrastructure_configuration,workload_security,cloud_configuration

updateAuthorId

int64

User ID of the user who updated the rule.

version

int64

The version of the rule.

{
  "cases": [
    {
      "condition": "string",
      "name": "string",
      "notifications": [],
      "status": "critical"
    }
  ],
  "createdAt": "integer",
  "creationAuthorId": "integer",
  "filters": [
    {
      "action": "string",
      "query": "string"
    }
  ],
  "hasExtendedTitle": false,
  "id": "string",
  "isDefault": false,
  "isDeleted": false,
  "isEnabled": false,
  "message": "string",
  "name": "string",
  "options": {
    "detectionMethod": "string",
    "evaluationWindow": "integer",
    "keepAlive": "integer",
    "maxSignalDuration": "integer",
    "newValueOptions": {
      "forgetAfter": "integer",
      "learningDuration": "integer"
    }
  },
  "queries": [
    {
      "agentRule": {
        "agentRuleId": "etc_shadow",
        "expression": "string"
      },
      "aggregation": "string",
      "distinctFields": [],
      "groupByFields": [],
      "metric": "string",
      "name": "string",
      "query": "string"
    }
  ],
  "tags": [],
  "type": "string",
  "updateAuthorId": "integer",
  "version": "integer"
}

Not Found

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Code Example

# Path parameters
export rule_id="CHANGE_ME"
# Curl command
curl -X GET "https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/rules/${rule_id}" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"



           

package main

import (
    "context"
    "encoding/json"
    "fmt"
    "os"
    datadog "github.com/DataDog/datadog-api-client-go/api/v2/datadog"
)

func main() {
    ctx := datadog.NewDefaultContext(context.Background())

    ruleId := "ruleId_example" // string | The ID of the rule.

    configuration := datadog.NewConfiguration()

    apiClient := datadog.NewAPIClient(configuration)
    resp, r, err := apiClient.SecurityMonitoringApi.GetSecurityMonitoringRule(ctx, ruleId)
    if err != nil {
        fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.GetSecurityMonitoringRule`: %v\n", err)
        fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
    }
    // response from `GetSecurityMonitoringRule`: SecurityMonitoringRuleResponse
    responseContent, _ := json.MarshalIndent(resp, "", "  ")
    fmt.Fprintf(os.Stdout, "Response from SecurityMonitoringApi.GetSecurityMonitoringRule:\n%s\n", responseContent)
}

Instructions

First install the library and its dependencies and then save the example to main.go and run following commands:

              export DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>"
go run "main.go"

import os
from dateutil.parser import parse as dateutil_parser
from datadog_api_client.v2 import ApiClient, ApiException, Configuration
from datadog_api_client.v2.api import security_monitoring_api
from datadog_api_client.v2.models import *
from pprint import pprint
# See configuration.py for a list of all supported configuration parameters.
configuration = Configuration()

# Enter a context with an instance of the API client
with ApiClient(configuration) as api_client:
    # Create an instance of the API class
    api_instance = security_monitoring_api.SecurityMonitoringApi(api_client)
    rule_id = "rule_id_example"  # str | The ID of the rule.

    # example passing only required values which don't have defaults set
    try:
        # Get a rule's details
        api_response = api_instance.get_security_monitoring_rule(rule_id)
        pprint(api_response)
    except ApiException as e:
        print("Exception when calling SecurityMonitoringApi->get_security_monitoring_rule: %s\n" % e)

Instructions

First install the library and its dependencies and then save the example to example.py and run following commands:

              export DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>"
python3 "example.py"

require 'datadog_api_client'
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new
rule_id = 'rule_id_example' # String | The ID of the rule.

begin
  # Get a rule's details
  result = api_instance.get_security_monitoring_rule(rule_id)
  p result
rescue DatadogAPIClient::V2::APIError => e
  puts "Error when calling SecurityMonitoringAPI->get_security_monitoring_rule: #{e}"
end

Instructions

First install the library and its dependencies and then save the example to example.rb and run following commands:

              export DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>"
rb "example.rb"

import { v2 } from "@datadog/datadog-api-client";
import * as fs from "fs";

const configuration = v2.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

let params: v2.SecurityMonitoringApiGetSecurityMonitoringRuleRequest = {
  // string | The ID of the rule.
  ruleId: "rule_id_example",
};

apiInstance
  .getSecurityMonitoringRule(params)
  .then((data: any) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

Instructions

First install the library and its dependencies and then save the example to example.ts and run following commands:

              export DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>"
tsc "example.ts"

import java.util.*;
import com.datadog.api.v2.client.ApiClient;
import com.datadog.api.v2.client.ApiException;
import com.datadog.api.v2.client.Configuration;
import com.datadog.api.v2.client.model.*;
import com.datadog.api.v2.client.api.SecurityMonitoringApi;

public class Example {
    public static void main(String[] args) {
        ApiClient defaultClient = Configuration.getDefaultApiClient();

        SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);
        String ruleId = "ruleId_example"; // String | The ID of the rule.
        try {
            SecurityMonitoringRuleResponse result = apiInstance.getSecurityMonitoringRule(ruleId);
            System.out.println(result);
        } catch (ApiException e) {
            System.err.println("Exception when calling SecurityMonitoringApi#getSecurityMonitoringRule");
            System.err.println("Status code: " + e.getCode());
            System.err.println("Reason: " + e.getResponseBody());
            System.err.println("Response headers: " + e.getResponseHeaders());
            e.printStackTrace();
        }
    }
}

Instructions

First install the library and its dependencies and then save the example to Example.java and run following commands:

              export DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>"
java "Example.java"

Update an existing rule

v2 (latest)

PUT https://api.datadoghq.eu/api/v2/security_monitoring/rules/{rule_id}https://api.ddog-gov.com/api/v2/security_monitoring/rules/{rule_id}https://api.datadoghq.com/api/v2/security_monitoring/rules/{rule_id}https://api.us3.datadoghq.com/api/v2/security_monitoring/rules/{rule_id}https://api.us5.datadoghq.com/api/v2/security_monitoring/rules/{rule_id}

Overview

Update an existing rule. When updating cases, queries or options, the whole field must be included. For example, when modifying a query all queries must be included. Default rules can only be updated to be enabled and to change notifications.

Arguments

Path Parameters

Name

Type

Description

rule_id [required]

string

The ID of the rule.

Request

Body Data (required)

Expand All

Field

Type

Description

cases

[object]

Cases for generating signals.

filters

[object]

Additional queries to filter matched events before they are processed.

hasExtendedTitle

boolean

Whether the notifications include the triggering group-by values in their title.

isEnabled

boolean

Whether the rule is enabled.

message

string

Message for generated signals.

name

string

Name of the rule.

options

object

Options on rules.

queries

[object]

Queries for selecting logs which are part of the rule.

tags

[string]

Tags for generated signals.

version

int32

The version of the rule being updated.

{
  "cases": [
    {
      "condition": "string",
      "name": "string",
      "notifications": [],
      "status": "critical"
    }
  ],
  "filters": [
    {
      "action": "string",
      "query": "string"
    }
  ],
  "hasExtendedTitle": true,
  "isEnabled": false,
  "message": "string",
  "name": "string",
  "options": {
    "detectionMethod": "string",
    "evaluationWindow": "integer",
    "keepAlive": "integer",
    "maxSignalDuration": "integer",
    "newValueOptions": {
      "forgetAfter": "integer",
      "learningDuration": "integer"
    }
  },
  "queries": [
    {
      "agentRule": {
        "agentRuleId": "etc_shadow",
        "expression": "string"
      },
      "aggregation": "string",
      "distinctFields": [],
      "groupByFields": [],
      "metric": "string",
      "name": "string",
      "query": "string"
    }
  ],
  "tags": [],
  "version": 1
}

Response

Rule.

Expand All

Field

Type

Description

cases

[object]

Cases for generating signals.

createdAt

int64

When the rule was created, timestamp in milliseconds.

creationAuthorId

int64

User ID of the user who created the rule.

filters

[object]

Additional queries to filter matched events before they are processed.

hasExtendedTitle

boolean

Whether the notifications include the triggering group-by values in their title.

string

The ID of the rule.

isDefault

boolean

Whether the rule is included by default.

isDeleted

boolean

Whether the rule has been deleted.

isEnabled

boolean

Whether the rule is enabled.

message

string

Message for generated signals.

name

string

The name of the rule.

options

object

Options on rules.

queries

[object]

Queries for selecting logs which are part of the rule.

tags

[string]

Tags for generated signals.

type

enum

The rule type. Allowed enum values: log_detection,infrastructure_configuration,workload_security,cloud_configuration

updateAuthorId

int64

User ID of the user who updated the rule.

version

int64

The version of the rule.

{
  "cases": [
    {
      "condition": "string",
      "name": "string",
      "notifications": [],
      "status": "critical"
    }
  ],
  "createdAt": "integer",
  "creationAuthorId": "integer",
  "filters": [
    {
      "action": "string",
      "query": "string"
    }
  ],
  "hasExtendedTitle": false,
  "id": "string",
  "isDefault": false,
  "isDeleted": false,
  "isEnabled": false,
  "message": "string",
  "name": "string",
  "options": {
    "detectionMethod": "string",
    "evaluationWindow": "integer",
    "keepAlive": "integer",
    "maxSignalDuration": "integer",
    "newValueOptions": {
      "forgetAfter": "integer",
      "learningDuration": "integer"
    }
  },
  "queries": [
    {
      "agentRule": {
        "agentRuleId": "etc_shadow",
        "expression": "string"
      },
      "aggregation": "string",
      "distinctFields": [],
      "groupByFields": [],
      "metric": "string",
      "name": "string",
      "query": "string"
    }
  ],
  "tags": [],
  "type": "string",
  "updateAuthorId": "integer",
  "version": "integer"
}

Bad Request

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Concurrent Modification

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Not Authorized

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Not Found

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Code Example

# Path parameters
export rule_id="CHANGE_ME"
# Curl command
curl -X PUT "https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/rules/${rule_id}" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{}
EOF



           

package main

import (
    "context"
    "encoding/json"
    "fmt"
    "os"
    datadog "github.com/DataDog/datadog-api-client-go/api/v2/datadog"
)

func main() {
    ctx := datadog.NewDefaultContext(context.Background())

    ruleId := "ruleId_example" // string | The ID of the rule.
    body := *datadog.NewSecurityMonitoringRuleUpdatePayload() // SecurityMonitoringRuleUpdatePayload | 

    configuration := datadog.NewConfiguration()

    apiClient := datadog.NewAPIClient(configuration)
    resp, r, err := apiClient.SecurityMonitoringApi.UpdateSecurityMonitoringRule(ctx, ruleId, body)
    if err != nil {
        fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.UpdateSecurityMonitoringRule`: %v\n", err)
        fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
    }
    // response from `UpdateSecurityMonitoringRule`: SecurityMonitoringRuleResponse
    responseContent, _ := json.MarshalIndent(resp, "", "  ")
    fmt.Fprintf(os.Stdout, "Response from SecurityMonitoringApi.UpdateSecurityMonitoringRule:\n%s\n", responseContent)
}

Instructions

First install the library and its dependencies and then save the example to main.go and run following commands:

              export DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>"
go run "main.go"

import os
from dateutil.parser import parse as dateutil_parser
from datadog_api_client.v2 import ApiClient, ApiException, Configuration
from datadog_api_client.v2.api import security_monitoring_api
from datadog_api_client.v2.models import *
from pprint import pprint
# See configuration.py for a list of all supported configuration parameters.
configuration = Configuration()

# Enter a context with an instance of the API client
with ApiClient(configuration) as api_client:
    # Create an instance of the API class
    api_instance = security_monitoring_api.SecurityMonitoringApi(api_client)
    rule_id = "rule_id_example"  # str | The ID of the rule.
    body = SecurityMonitoringRuleUpdatePayload(
        cases=[
            SecurityMonitoringRuleCase(
                condition="condition_example",
                name="name_example",
                notifications=[
                    "notifications_example",
                ],
                status=SecurityMonitoringRuleSeverity("critical"),
            ),
        ],
        filters=[
            SecurityMonitoringFilter(
                action=SecurityMonitoringFilterAction("require"),
                query="query_example",
            ),
        ],
        has_extended_title=True,
        is_enabled=True,
        message="message_example",
        name="name_example",
        options=SecurityMonitoringRuleOptions(
            detection_method=SecurityMonitoringRuleDetectionMethod("threshold"),
            evaluation_window=SecurityMonitoringRuleEvaluationWindow(0),
            keep_alive=SecurityMonitoringRuleKeepAlive(0),
            max_signal_duration=SecurityMonitoringRuleMaxSignalDuration(0),
            new_value_options=SecurityMonitoringRuleNewValueOptions(
                forget_after=SecurityMonitoringRuleNewValueOptionsForgetAfter(1),
                learning_duration=SecurityMonitoringRuleNewValueOptionsLearningDuration(0),
            ),
        ),
        queries=[
            SecurityMonitoringRuleQuery(
                agent_rule=SecurityMonitoringRuntimeAgentRule(
                    agent_rule_id="etc_shadow",
                    expression="expression_example",
                ),
                aggregation=SecurityMonitoringRuleQueryAggregation("count"),
                distinct_fields=[
                    "distinct_fields_example",
                ],
                group_by_fields=[
                    "group_by_fields_example",
                ],
                metric="metric_example",
                name="name_example",
                query="query_example",
            ),
        ],
        tags=[
            "tags_example",
        ],
        version=1,
    )  # SecurityMonitoringRuleUpdatePayload |

    # example passing only required values which don't have defaults set
    try:
        # Update an existing rule
        api_response = api_instance.update_security_monitoring_rule(rule_id, body)
        pprint(api_response)
    except ApiException as e:
        print("Exception when calling SecurityMonitoringApi->update_security_monitoring_rule: %s\n" % e)

Instructions

First install the library and its dependencies and then save the example to example.py and run following commands:

              export DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>"
python3 "example.py"

require 'datadog_api_client'
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new
rule_id = 'rule_id_example' # String | The ID of the rule.
body = DatadogAPIClient::V2::SecurityMonitoringRuleUpdatePayload.new # SecurityMonitoringRuleUpdatePayload |

begin
  # Update an existing rule
  result = api_instance.update_security_monitoring_rule(rule_id, body)
  p result
rescue DatadogAPIClient::V2::APIError => e
  puts "Error when calling SecurityMonitoringAPI->update_security_monitoring_rule: #{e}"
end

Instructions

First install the library and its dependencies and then save the example to example.rb and run following commands:

              export DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>"
rb "example.rb"

import { v2 } from "@datadog/datadog-api-client";
import * as fs from "fs";

const configuration = v2.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

let params: v2.SecurityMonitoringApiUpdateSecurityMonitoringRuleRequest = {
  // string | The ID of the rule.
  ruleId: "rule_id_example",
  // SecurityMonitoringRuleUpdatePayload
  body: {
    cases: [
      {
        condition: "condition_example",
        name: "name_example",
        notifications: ["notifications_example"],
        status: "critical",
      },
    ],
    filters: [
      {
        action: "require",
        query: "query_example",
      },
    ],
    hasExtendedTitle: true,
    isEnabled: true,
    message: "message_example",
    name: "name_example",
    options: {
      detectionMethod: "threshold",
      evaluationWindow: 0,
      keepAlive: 0,
      maxSignalDuration: 0,
      newValueOptions: {
        forgetAfter: 1,
        learningDuration: 0,
      },
    },
    queries: [
      {
        agentRule: {
          agentRuleId: "etc_shadow",
          expression: "expression_example",
        },
        aggregation: "count",
        distinctFields: ["distinctFields_example"],
        groupByFields: ["groupByFields_example"],
        metric: "metric_example",
        name: "name_example",
        query: "query_example",
      },
    ],
    tags: ["tags_example"],
    version: 1,
  },
};

apiInstance
  .updateSecurityMonitoringRule(params)
  .then((data: any) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

Instructions

First install the library and its dependencies and then save the example to example.ts and run following commands:

              export DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>"
tsc "example.ts"

import java.util.*;
import com.datadog.api.v2.client.ApiClient;
import com.datadog.api.v2.client.ApiException;
import com.datadog.api.v2.client.Configuration;
import com.datadog.api.v2.client.model.*;
import com.datadog.api.v2.client.api.SecurityMonitoringApi;

public class Example {
    public static void main(String[] args) {
        ApiClient defaultClient = Configuration.getDefaultApiClient();

        SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);
        String ruleId = "ruleId_example"; // String | The ID of the rule.
        SecurityMonitoringRuleUpdatePayload body = new SecurityMonitoringRuleUpdatePayload(); // SecurityMonitoringRuleUpdatePayload |
        try {
            SecurityMonitoringRuleResponse result = apiInstance.updateSecurityMonitoringRule(ruleId, body);
            System.out.println(result);
        } catch (ApiException e) {
            System.err.println("Exception when calling SecurityMonitoringApi#updateSecurityMonitoringRule");
            System.err.println("Status code: " + e.getCode());
            System.err.println("Reason: " + e.getResponseBody());
            System.err.println("Response headers: " + e.getResponseHeaders());
            e.printStackTrace();
        }
    }
}

Instructions

First install the library and its dependencies and then save the example to Example.java and run following commands:

              export DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>"
java "Example.java"

Delete an existing rule

v2 (latest)

DELETE https://api.datadoghq.eu/api/v2/security_monitoring/rules/{rule_id}https://api.ddog-gov.com/api/v2/security_monitoring/rules/{rule_id}https://api.datadoghq.com/api/v2/security_monitoring/rules/{rule_id}https://api.us3.datadoghq.com/api/v2/security_monitoring/rules/{rule_id}https://api.us5.datadoghq.com/api/v2/security_monitoring/rules/{rule_id}

Overview

Delete an existing rule. Default rules cannot be deleted.

Arguments

Path Parameters

Name

Type

Description

rule_id [required]

string

The ID of the rule.

Response

Not Authorized

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Not Found

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Code Example

# Path parameters
export rule_id="CHANGE_ME"
# Curl command
curl -X DELETE "https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/rules/${rule_id}" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"



           

package main

import (
    "context"
    "fmt"
    "os"
    datadog "github.com/DataDog/datadog-api-client-go/api/v2/datadog"
)

func main() {
    ctx := datadog.NewDefaultContext(context.Background())

    ruleId := "ruleId_example" // string | The ID of the rule.

    configuration := datadog.NewConfiguration()

    apiClient := datadog.NewAPIClient(configuration)
    r, err := apiClient.SecurityMonitoringApi.DeleteSecurityMonitoringRule(ctx, ruleId)
    if err != nil {
        fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.DeleteSecurityMonitoringRule`: %v\n", err)
        fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
    }
}

Instructions

First install the library and its dependencies and then save the example to main.go and run following commands:

              export DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>"
go run "main.go"

import os
from dateutil.parser import parse as dateutil_parser
from datadog_api_client.v2 import ApiClient, ApiException, Configuration
from datadog_api_client.v2.api import security_monitoring_api
from datadog_api_client.v2.models import *
from pprint import pprint
# See configuration.py for a list of all supported configuration parameters.
configuration = Configuration()

# Enter a context with an instance of the API client
with ApiClient(configuration) as api_client:
    # Create an instance of the API class
    api_instance = security_monitoring_api.SecurityMonitoringApi(api_client)
    rule_id = "rule_id_example"  # str | The ID of the rule.

    # example passing only required values which don't have defaults set
    try:
        # Delete an existing rule
        api_instance.delete_security_monitoring_rule(rule_id)
    except ApiException as e:
        print("Exception when calling SecurityMonitoringApi->delete_security_monitoring_rule: %s\n" % e)

Instructions

First install the library and its dependencies and then save the example to example.py and run following commands:

              export DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>"
python3 "example.py"

require 'datadog_api_client'
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new
rule_id = 'rule_id_example' # String | The ID of the rule.

begin
  # Delete an existing rule
  api_instance.delete_security_monitoring_rule(rule_id)
rescue DatadogAPIClient::V2::APIError => e
  puts "Error when calling SecurityMonitoringAPI->delete_security_monitoring_rule: #{e}"
end

Instructions

First install the library and its dependencies and then save the example to example.rb and run following commands:

              export DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>"
rb "example.rb"

import { v2 } from "@datadog/datadog-api-client";
import * as fs from "fs";

const configuration = v2.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

let params: v2.SecurityMonitoringApiDeleteSecurityMonitoringRuleRequest = {
  // string | The ID of the rule.
  ruleId: "rule_id_example",
};

apiInstance
  .deleteSecurityMonitoringRule(params)
  .then((data: any) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

Instructions

First install the library and its dependencies and then save the example to example.ts and run following commands:

              export DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>"
tsc "example.ts"

import java.util.*;
import com.datadog.api.v2.client.ApiClient;
import com.datadog.api.v2.client.ApiException;
import com.datadog.api.v2.client.Configuration;
import com.datadog.api.v2.client.model.*;
import com.datadog.api.v2.client.api.SecurityMonitoringApi;

public class Example {
    public static void main(String[] args) {
        ApiClient defaultClient = Configuration.getDefaultApiClient();

        SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);
        String ruleId = "ruleId_example"; // String | The ID of the rule.
        try {
            apiInstance.deleteSecurityMonitoringRule(ruleId);
        } catch (ApiException e) {
            System.err.println("Exception when calling SecurityMonitoringApi#deleteSecurityMonitoringRule");
            System.err.println("Status code: " + e.getCode());
            System.err.println("Reason: " + e.getResponseBody());
            System.err.println("Response headers: " + e.getResponseHeaders());
            e.printStackTrace();
        }
    }
}

Instructions

First install the library and its dependencies and then save the example to Example.java and run following commands:

              export DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>"
java "Example.java"

Get a list of security signals

v2 (latest)

Note: This endpoint is in public beta. If you have any feedback, contact Datadog support.

POST https://api.datadoghq.eu/api/v2/security_monitoring/signals/searchhttps://api.ddog-gov.com/api/v2/security_monitoring/signals/searchhttps://api.datadoghq.com/api/v2/security_monitoring/signals/searchhttps://api.us3.datadoghq.com/api/v2/security_monitoring/signals/searchhttps://api.us5.datadoghq.com/api/v2/security_monitoring/signals/search

Overview

Returns security signals that match a search query. Both this endpoint and the GET endpoint can be used interchangeably for listing security signals.

Request

Body Data

Expand All

Field

Type

Description

filter

object

Search filters for listing security signals.

page

object

The paging attributes for listing security signals.

sort

enum

The sort parameters used for querying security signals. Allowed enum values: timestamp,-timestamp

{
  "filter": {
    "from": "2019-01-02T09:42:36.320Z",
    "query": "security:attack status:high",
    "to": "2019-01-03T09:42:36.320Z"
  },
  "page": {
    "cursor": "eyJzdGFydEF0IjoiQVFBQUFYS2tMS3pPbm40NGV3QUFBQUJCV0V0clRFdDZVbG8zY3pCRmNsbHJiVmxDWlEifQ==",
    "limit": 25
  },
  "sort": "string"
}

Response

The response object with all security signals matching the request and pagination information.

Expand All

Field

Type

Description

data

[object]

An array of security signals matching the request.

links

object

Links attributes.

meta

object

Meta attributes.

{
  "data": [
    {
      "attributes": {
        "attributes": {
          "workflow": {
            "first_seen": "2020-06-23T14:46:01.000Z",
            "last_seen": "2020-06-23T14:46:49.000Z",
            "rule": {
              "id": "0f5-e0c-805",
              "name": "Brute Force Attack Grouped By User ",
              "version": 12
            }
          }
        },
        "message": "Detect Account Take Over (ATO) through brute force attempts",
        "tags": [
          "security:attack",
          "technique:T1110-brute-force"
        ],
        "timestamp": "2019-01-02T09:42:36.320Z"
      },
      "id": "AAAAAWgN8Xwgr1vKDQAAAABBV2dOOFh3ZzZobm1mWXJFYTR0OA",
      "type": "signal"
    }
  ],
  "links": {
    "next": "https://app.datadoghq.com/api/v2/security_monitoring/signals?filter[query]=foo\u0026page[cursor]=eyJzdGFydEF0IjoiQVFBQUFYS2tMS3pPbm40NGV3QUFBQUJCV0V0clRFdDZVbG8zY3pCRmNsbHJiVmxDWlEifQ=="
  },
  "meta": {
    "page": {
      "after": "eyJzdGFydEF0IjoiQVFBQUFYS2tMS3pPbm40NGV3QUFBQUJCV0V0clRFdDZVbG8zY3pCRmNsbHJiVmxDWlEifQ=="
    }
  }
}

Bad Request

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Not Authorized

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Code Example

# Curl command
curl -X POST "https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/signals/search" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{}
EOF



           

package main

import (
    "context"
    "encoding/json"
    "fmt"
    "os"
    datadog "github.com/DataDog/datadog-api-client-go/api/v2/datadog"
)

func main() {
    ctx := datadog.NewDefaultContext(context.Background())

    body := *datadog.NewSecurityMonitoringSignalListRequest() // SecurityMonitoringSignalListRequest |  (optional)
    optionalParams := datadog.SearchSecurityMonitoringSignalsOptionalParameters{
        Body: &body,
    }

    configuration := datadog.NewConfiguration()
    configuration.SetUnstableOperationEnabled("SearchSecurityMonitoringSignals", true)

    apiClient := datadog.NewAPIClient(configuration)
    resp, r, err := apiClient.SecurityMonitoringApi.SearchSecurityMonitoringSignals(ctx, optionalParams)
    if err != nil {
        fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.SearchSecurityMonitoringSignals`: %v\n", err)
        fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
    }
    // response from `SearchSecurityMonitoringSignals`: SecurityMonitoringSignalsListResponse
    responseContent, _ := json.MarshalIndent(resp, "", "  ")
    fmt.Fprintf(os.Stdout, "Response from SecurityMonitoringApi.SearchSecurityMonitoringSignals:\n%s\n", responseContent)
}

Instructions

First install the library and its dependencies and then save the example to main.go and run following commands:

              export DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>"
go run "main.go"

import os
from dateutil.parser import parse as dateutil_parser
from datadog_api_client.v2 import ApiClient, ApiException, Configuration
from datadog_api_client.v2.api import security_monitoring_api
from datadog_api_client.v2.models import *
from pprint import pprint
# See configuration.py for a list of all supported configuration parameters.
configuration = Configuration()
configuration.unstable_operations["search_security_monitoring_signals"] = True

# Enter a context with an instance of the API client
with ApiClient(configuration) as api_client:
    # Create an instance of the API class
    api_instance = security_monitoring_api.SecurityMonitoringApi(api_client)
    body = SecurityMonitoringSignalListRequest(
        filter=SecurityMonitoringSignalListRequestFilter(
            _from=dateutil_parser('2019-01-02T09:42:36.32Z'),
            query="security:attack status:high",
            to=dateutil_parser('2019-01-03T09:42:36.32Z'),
        ),
        page=SecurityMonitoringSignalListRequestPage(
            cursor="eyJzdGFydEF0IjoiQVFBQUFYS2tMS3pPbm40NGV3QUFBQUJCV0V0clRFdDZVbG8zY3pCRmNsbHJiVmxDWlEifQ==",
            limit=25,
        ),
        sort=SecurityMonitoringSignalsSort("timestamp"),
    )  # SecurityMonitoringSignalListRequest |  (optional)

    # example passing only required values which don't have defaults set
    # and optional values
    try:
        # Get a list of security signals
        api_response = api_instance.search_security_monitoring_signals(body=body)
        pprint(api_response)
    except ApiException as e:
        print("Exception when calling SecurityMonitoringApi->search_security_monitoring_signals: %s\n" % e)

Instructions

First install the library and its dependencies and then save the example to example.py and run following commands:

              export DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>"
python3 "example.py"

require 'datadog_api_client'

DatadogAPIClient::V2.configure do |config|
  config.unstable_operations[:search_security_monitoring_signals] = true
end

api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new
opts = {
  body: DatadogAPIClient::V2::SecurityMonitoringSignalListRequest.new # SecurityMonitoringSignalListRequest |
}

begin
  # Get a list of security signals
  result = api_instance.search_security_monitoring_signals(opts)
  p result
rescue DatadogAPIClient::V2::APIError => e
  puts "Error when calling SecurityMonitoringAPI->search_security_monitoring_signals: #{e}"
end

Instructions

First install the library and its dependencies and then save the example to example.rb and run following commands:

              export DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>"
rb "example.rb"

import { v2 } from "@datadog/datadog-api-client";
import * as fs from "fs";

const configuration = v2.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

let params: v2.SecurityMonitoringApiSearchSecurityMonitoringSignalsRequest = {
  // SecurityMonitoringSignalListRequest (optional)
  body: {
    filter: {
      from: new Date("2019-01-02T09:42:36.32Z"),
      query: "security:attack status:high",
      to: new Date("2019-01-03T09:42:36.32Z"),
    },
    page: {
      cursor:
        "eyJzdGFydEF0IjoiQVFBQUFYS2tMS3pPbm40NGV3QUFBQUJCV0V0clRFdDZVbG8zY3pCRmNsbHJiVmxDWlEifQ==",
      limit: 25,
    },
    sort: "timestamp",
  },
};

apiInstance
  .searchSecurityMonitoringSignals(params)
  .then((data: any) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

Instructions

First install the library and its dependencies and then save the example to example.ts and run following commands:

              export DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>"
tsc "example.ts"

import java.util.*;
import com.datadog.api.v2.client.ApiClient;
import com.datadog.api.v2.client.ApiException;
import com.datadog.api.v2.client.Configuration;
import com.datadog.api.v2.client.model.*;
import com.datadog.api.v2.client.api.SecurityMonitoringApi;

public class Example {
    public static void main(String[] args) {
        ApiClient defaultClient = Configuration.getDefaultApiClient();

        SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);
        SecurityMonitoringSignalListRequest body = new SecurityMonitoringSignalListRequest(); // SecurityMonitoringSignalListRequest |
        try {
            SecurityMonitoringSignalsListResponse result = apiInstance.searchSecurityMonitoringSignals(new SecurityMonitoringApi.SearchSecurityMonitoringSignalsOptionalParameters()
                .body(body));
            System.out.println(result);
        } catch (ApiException e) {
            System.err.println("Exception when calling SecurityMonitoringApi#searchSecurityMonitoringSignals");
            System.err.println("Status code: " + e.getCode());
            System.err.println("Reason: " + e.getResponseBody());
            System.err.println("Response headers: " + e.getResponseHeaders());
            e.printStackTrace();
        }
    }
}

Instructions

First install the library and its dependencies and then save the example to Example.java and run following commands:

              export DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>"
java "Example.java"

Get a quick list of security signals

v2 (latest)

Note: This endpoint is in public beta. If you have any feedback, contact Datadog support.

GET https://api.datadoghq.eu/api/v2/security_monitoring/signalshttps://api.ddog-gov.com/api/v2/security_monitoring/signalshttps://api.datadoghq.com/api/v2/security_monitoring/signalshttps://api.us3.datadoghq.com/api/v2/security_monitoring/signalshttps://api.us5.datadoghq.com/api/v2/security_monitoring/signals

Overview

The list endpoint returns security signals that match a search query. Both this endpoint and the POST endpoint can be used interchangeably when listing security signals.

Arguments

Query Strings

Name

Type

Description

filter[query]

string

The search query for security signals.

filter[from]

string

The minimum timestamp for requested security signals.

filter[to]

string

The maximum timestamp for requested security signals.

sort

string

The order of the security signals in results.

page[cursor]

string

A list of results using the cursor provided in the previous query.

page[limit]

integer

The maximum number of security signals in the response.

Response

The response object with all security signals matching the request and pagination information.

Expand All

Field

Type

Description

data

[object]

An array of security signals matching the request.

links

object

Links attributes.

meta

object

Meta attributes.

{
  "data": [
    {
      "attributes": {
        "attributes": {
          "workflow": {
            "first_seen": "2020-06-23T14:46:01.000Z",
            "last_seen": "2020-06-23T14:46:49.000Z",
            "rule": {
              "id": "0f5-e0c-805",
              "name": "Brute Force Attack Grouped By User ",
              "version": 12
            }
          }
        },
        "message": "Detect Account Take Over (ATO) through brute force attempts",
        "tags": [
          "security:attack",
          "technique:T1110-brute-force"
        ],
        "timestamp": "2019-01-02T09:42:36.320Z"
      },
      "id": "AAAAAWgN8Xwgr1vKDQAAAABBV2dOOFh3ZzZobm1mWXJFYTR0OA",
      "type": "signal"
    }
  ],
  "links": {
    "next": "https://app.datadoghq.com/api/v2/security_monitoring/signals?filter[query]=foo\u0026page[cursor]=eyJzdGFydEF0IjoiQVFBQUFYS2tMS3pPbm40NGV3QUFBQUJCV0V0clRFdDZVbG8zY3pCRmNsbHJiVmxDWlEifQ=="
  },
  "meta": {
    "page": {
      "after": "eyJzdGFydEF0IjoiQVFBQUFYS2tMS3pPbm40NGV3QUFBQUJCV0V0clRFdDZVbG8zY3pCRmNsbHJiVmxDWlEifQ=="
    }
  }
}

Bad Request

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Not Authorized

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Code Example

# Curl command
curl -X GET "https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/signals" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"

package main

import (
    "context"
    "encoding/json"
    "fmt"
    "os"
    "time"
    datadog "github.com/DataDog/datadog-api-client-go/api/v2/datadog"
)

func main() {
    ctx := datadog.NewDefaultContext(context.Background())

    filterQuery := "security:attack status:high" // string | The search query for security signals. (optional)
    filterFrom := time.Now() // time.Time | The minimum timestamp for requested security signals. (optional)
    filterTo := time.Now() // time.Time | The maximum timestamp for requested security signals. (optional)
    sort := datadog.SecurityMonitoringSignalsSort("timestamp") // SecurityMonitoringSignalsSort | The order of the security signals in results. (optional)
    pageCursor := "eyJzdGFydEF0IjoiQVFBQUFYS2tMS3pPbm40NGV3QUFBQUJCV0V0clRFdDZVbG8zY3pCRmNsbHJiVmxDWlEifQ==" // string | A list of results using the cursor provided in the previous query. (optional)
    pageLimit := int32(25) // int32 | The maximum number of security signals in the response. (optional) (default to 10)
    optionalParams := datadog.ListSecurityMonitoringSignalsOptionalParameters{
        FilterQuery: &filterQuery,
        FilterFrom: &filterFrom,
        FilterTo: &filterTo,
        Sort: &sort,
        PageCursor: &pageCursor,
        PageLimit: &pageLimit,
    }

    configuration := datadog.NewConfiguration()
    configuration.SetUnstableOperationEnabled("ListSecurityMonitoringSignals", true)

    apiClient := datadog.NewAPIClient(configuration)
    resp, r, err := apiClient.SecurityMonitoringApi.ListSecurityMonitoringSignals(ctx, optionalParams)
    if err != nil {
        fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.ListSecurityMonitoringSignals`: %v\n", err)
        fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
    }
    // response from `ListSecurityMonitoringSignals`: SecurityMonitoringSignalsListResponse
    responseContent, _ := json.MarshalIndent(resp, "", "  ")
    fmt.Fprintf(os.Stdout, "Response from SecurityMonitoringApi.ListSecurityMonitoringSignals:\n%s\n", responseContent)
}

Instructions

First install the library and its dependencies and then save the example to main.go and run following commands:

              export DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>"
go run "main.go"

import os
from dateutil.parser import parse as dateutil_parser
from datadog_api_client.v2 import ApiClient, ApiException, Configuration
from datadog_api_client.v2.api import security_monitoring_api
from datadog_api_client.v2.models import *
from pprint import pprint
# See configuration.py for a list of all supported configuration parameters.
configuration = Configuration()
configuration.unstable_operations["list_security_monitoring_signals"] = True

# Enter a context with an instance of the API client
with ApiClient(configuration) as api_client:
    # Create an instance of the API class
    api_instance = security_monitoring_api.SecurityMonitoringApi(api_client)
    filter_query = "security:attack status:high"  # str | The search query for security signals. (optional)
    filter_from = dateutil_parser('2019-01-02T09:42:36.320Z')  # datetime | The minimum timestamp for requested security signals. (optional)
    filter_to = dateutil_parser('2019-01-03T09:42:36.320Z')  # datetime | The maximum timestamp for requested security signals. (optional)
    sort = SecurityMonitoringSignalsSort("timestamp")  # SecurityMonitoringSignalsSort | The order of the security signals in results. (optional)
    page_cursor = "eyJzdGFydEF0IjoiQVFBQUFYS2tMS3pPbm40NGV3QUFBQUJCV0V0clRFdDZVbG8zY3pCRmNsbHJiVmxDWlEifQ=="  # str | A list of results using the cursor provided in the previous query. (optional)
    page_limit = 25  # int | The maximum number of security signals in the response. (optional) if omitted the server will use the default value of 10

    # example passing only required values which don't have defaults set
    # and optional values
    try:
        # Get a quick list of security signals
        api_response = api_instance.list_security_monitoring_signals(filter_query=filter_query, filter_from=filter_from, filter_to=filter_to, sort=sort, page_cursor=page_cursor, page_limit=page_limit)
        pprint(api_response)
    except ApiException as e:
        print("Exception when calling SecurityMonitoringApi->list_security_monitoring_signals: %s\n" % e)

Instructions

First install the library and its dependencies and then save the example to example.py and run following commands:

              export DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>"
python3 "example.py"

require 'datadog_api_client'

DatadogAPIClient::V2.configure do |config|
  config.unstable_operations[:list_security_monitoring_signals] = true
end

api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new
opts = {
  filter_query: 'security:attack status:high', # String | The search query for security signals.
  filter_from: Time.parse('2019-01-02T09:42:36.320Z'), # Time | The minimum timestamp for requested security signals.
  filter_to: Time.parse('2019-01-03T09:42:36.320Z'), # Time | The maximum timestamp for requested security signals.
  sort: DatadogAPIClient::V2::SecurityMonitoringSignalsSort::TIMESTAMP_ASCENDING, # SecurityMonitoringSignalsSort | The order of the security signals in results.
  page_cursor: 'eyJzdGFydEF0IjoiQVFBQUFYS2tMS3pPbm40NGV3QUFBQUJCV0V0clRFdDZVbG8zY3pCRmNsbHJiVmxDWlEifQ==', # String | A list of results using the cursor provided in the previous query.
  page_limit: 25 # Integer | The maximum number of security signals in the response.
}

begin
  # Get a quick list of security signals
  result = api_instance.list_security_monitoring_signals(opts)
  p result
rescue DatadogAPIClient::V2::APIError => e
  puts "Error when calling SecurityMonitoringAPI->list_security_monitoring_signals: #{e}"
end

Instructions

First install the library and its dependencies and then save the example to example.rb and run following commands:

              export DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>"
rb "example.rb"

import { v2 } from "@datadog/datadog-api-client";
import * as fs from "fs";

const configuration = v2.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

let params: v2.SecurityMonitoringApiListSecurityMonitoringSignalsRequest = {
  // string | The search query for security signals. (optional)
  filterQuery: "security:attack status:high",
  // Date | The minimum timestamp for requested security signals. (optional)
  filterFrom: new Date("2019-01-02T09:42:36.320Z"),
  // Date | The maximum timestamp for requested security signals. (optional)
  filterTo: new Date("2019-01-03T09:42:36.320Z"),
  // SecurityMonitoringSignalsSort | The order of the security signals in results. (optional)
  sort: "timestamp",
  // string | A list of results using the cursor provided in the previous query. (optional)
  pageCursor:
    "eyJzdGFydEF0IjoiQVFBQUFYS2tMS3pPbm40NGV3QUFBQUJCV0V0clRFdDZVbG8zY3pCRmNsbHJiVmxDWlEifQ==",
  // number | The maximum number of security signals in the response. (optional)
  pageLimit: 25,
};

apiInstance
  .listSecurityMonitoringSignals(params)
  .then((data: any) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

Instructions

First install the library and its dependencies and then save the example to example.ts and run following commands:

              export DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>"
tsc "example.ts"

import java.time.OffsetDateTime;
import java.util.*;
import com.datadog.api.v2.client.ApiClient;
import com.datadog.api.v2.client.ApiException;
import com.datadog.api.v2.client.Configuration;
import com.datadog.api.v2.client.model.*;
import com.datadog.api.v2.client.api.SecurityMonitoringApi;

public class Example {
    public static void main(String[] args) {
        ApiClient defaultClient = Configuration.getDefaultApiClient();

        SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);
        String filterQuery = "security:attack status:high"; // String | The search query for security signals.
        OffsetDateTime filterFrom = OffsetDateTime.parse("2019-01-02T09:42:36.320Z"); // OffsetDateTime | The minimum timestamp for requested security signals.
        OffsetDateTime filterTo = OffsetDateTime.parse("2019-01-03T09:42:36.320Z"); // OffsetDateTime | The maximum timestamp for requested security signals.
        SecurityMonitoringSignalsSort sort = SecurityMonitoringSignalsSort.fromValue("timestamp"); // SecurityMonitoringSignalsSort | The order of the security signals in results.
        String pageCursor = "eyJzdGFydEF0IjoiQVFBQUFYS2tMS3pPbm40NGV3QUFBQUJCV0V0clRFdDZVbG8zY3pCRmNsbHJiVmxDWlEifQ=="; // String | A list of results using the cursor provided in the previous query.
        Integer pageLimit = 10; // Integer | The maximum number of security signals in the response.
        try {
            SecurityMonitoringSignalsListResponse result = apiInstance.listSecurityMonitoringSignals(new SecurityMonitoringApi.ListSecurityMonitoringSignalsOptionalParameters()
                .filterQuery(filterQuery)
                .filterFrom(filterFrom)
                .filterTo(filterTo)
                .sort(sort)
                .pageCursor(pageCursor)
                .pageLimit(pageLimit));
            System.out.println(result);
        } catch (ApiException e) {
            System.err.println("Exception when calling SecurityMonitoringApi#listSecurityMonitoringSignals");
            System.err.println("Status code: " + e.getCode());
            System.err.println("Reason: " + e.getResponseBody());
            System.err.println("Response headers: " + e.getResponseHeaders());
            e.printStackTrace();
        }
    }
}

Instructions

First install the library and its dependencies and then save the example to Example.java and run following commands:

              export DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>"
java "Example.java"