Language

English Français 日本語

Site

Site help
US US3 US5 EU US1-FED

Security Monitoring

Detection rules for generating signals and listing of generated signals.

Create a security filter

POST https://api.datadoghq.eu/api/v2/security_monitoring/configuration/security_filtershttps://api.ddog-gov.com/api/v2/security_monitoring/configuration/security_filtershttps://api.datadoghq.com/api/v2/security_monitoring/configuration/security_filtershttps://api.us3.datadoghq.com/api/v2/security_monitoring/configuration/security_filtershttps://api.us5.datadoghq.com/api/v2/security_monitoring/configuration/security_filters

Overview

Create a security filter.

See the security filter guide for more examples.

This endpoint requires the security_monitoring_filters_write authorization scope.

Request

Body Data (required)

The definition of the new security filter.

Expand All

Field

Type

Description

data [required]

object

Object for a single security filter.

attributes [required]

object

Object containing the attributes of the security filter to be created.

exclusion_filters [required]

[object]

Exclusion filters to exclude some logs from the security filter.

name [required]

string

Exclusion filter name.

query [required]

string

Exclusion filter query. Logs that match this query are excluded from the security filter.

filtered_data_type [required]

enum

The filtered data type. Allowed enum values: logs

is_enabled [required]

boolean

Whether the security filter is enabled.

name [required]

string

The name of the security filter.

query [required]

string

The query of the security filter.

type [required]

enum

The type of the resource. The value should always be security_filters. Allowed enum values: security_filters

{
  "data": {
    "attributes": {
      "exclusion_filters": [
        {
          "name": "Exclude staging",
          "query": "source:staging"
        }
      ],
      "filtered_data_type": "logs",
      "is_enabled": true,
      "name": "Example-Create_a_security_filter_returns_OK_response",
      "query": "service:ExampleCreateasecurityfilterreturnsOKresponse"
    },
    "type": "security_filters"
  }
}

Response

OK

Response object which includes a single security filter.

Expand All

Field

Type

Description

data

object

The security filter's properties.

attributes

object

The object describing a security filter.

exclusion_filters

[object]

The list of exclusion filters applied in this security filter.

name

string

The exclusion filter name.

query

string

The exclusion filter query.

filtered_data_type

enum

The filtered data type. Allowed enum values: logs

is_builtin

boolean

Whether the security filter is the built-in filter.

is_enabled

boolean

Whether the security filter is enabled.

name

string

The security filter name.

query

string

The security filter query. Logs accepted by this query will be accepted by this filter.

version

int32

The version of the security filter.

id

string

The ID of the security filter.

type

enum

The type of the resource. The value should always be security_filters. Allowed enum values: security_filters

meta

object

Optional metadata associated to the response.

warning

string

A warning message.

{
  "data": {
    "attributes": {
      "exclusion_filters": [
        {
          "name": "Exclude staging",
          "query": "source:staging"
        }
      ],
      "filtered_data_type": "logs",
      "is_builtin": false,
      "is_enabled": false,
      "name": "Custom security filter",
      "query": "service:api",
      "version": 1
    },
    "id": "3dd-0uc-h1s",
    "type": "security_filters"
  },
  "meta": {
    "warning": "All the security filters are disabled. As a result, no logs are being analyzed."
  }
}

Bad Request

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Not Authorized

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Conflict

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Too many requests

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Code Example


# Curl command
curl -X POST "https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/configuration/security_filters" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "data": {
    "attributes": {
      "exclusion_filters": [
        {
          "name": "Exclude staging",
          "query": "source:staging"
        }
      ],
      "filtered_data_type": "logs",
      "is_enabled": true,
      "name": "Custom security filter",
      "query": "service:api"
    },
    "type": "security_filters"
  }
}
EOF



           
"""
Create a security filter returns "OK" response
"""

from datadog_api_client.v2 import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.security_filter_create_attributes import SecurityFilterCreateAttributes
from datadog_api_client.v2.model.security_filter_create_data import SecurityFilterCreateData
from datadog_api_client.v2.model.security_filter_create_request import SecurityFilterCreateRequest
from datadog_api_client.v2.model.security_filter_exclusion_filter import SecurityFilterExclusionFilter
from datadog_api_client.v2.model.security_filter_filtered_data_type import SecurityFilterFilteredDataType
from datadog_api_client.v2.model.security_filter_type import SecurityFilterType

body = SecurityFilterCreateRequest(
    data=SecurityFilterCreateData(
        attributes=SecurityFilterCreateAttributes(
            exclusion_filters=[
                SecurityFilterExclusionFilter(
                    name="Exclude staging",
                    query="source:staging",
                ),
            ],
            filtered_data_type=SecurityFilterFilteredDataType("logs"),
            is_enabled=True,
            name="Example-Create_a_security_filter_returns_OK_response",
            query="service:ExampleCreateasecurityfilterreturnsOKresponse",
        ),
        type=SecurityFilterType("security_filters"),
    ),
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.create_security_filter(body=body)

    print(response)

Instructions

First install the library and its dependencies and then save the example to example.py and run following commands:

              
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
# Create a security filter returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

body = DatadogAPIClient::V2::SecurityFilterCreateRequest.new({
  data: DatadogAPIClient::V2::SecurityFilterCreateData.new({
    attributes: DatadogAPIClient::V2::SecurityFilterCreateAttributes.new({
      exclusion_filters: [
        DatadogAPIClient::V2::SecurityFilterExclusionFilter.new({
          name: "Exclude staging",
          query: "source:staging",
        }),
      ],
      filtered_data_type: DatadogAPIClient::V2::SecurityFilterFilteredDataType::LOGS,
      is_enabled: true,
      name: "Example-Create_a_security_filter_returns_OK_response",
      query: "service:ExampleCreateasecurityfilterreturnsOKresponse",
    }),
    type: DatadogAPIClient::V2::SecurityFilterType::SECURITY_FILTERS,
  }),
})
p api_instance.create_security_filter(body)

Instructions

First install the library and its dependencies and then save the example to example.rb and run following commands:

              
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" rb "example.rb"
/**
 * Create a security filter returns "OK" response
 */

import { v2 } from "@datadog/datadog-api-client";

const configuration = v2.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiCreateSecurityFilterRequest = {
  body: {
    data: {
      attributes: {
        exclusionFilters: [
          {
            name: "Exclude staging",
            query: "source:staging",
          },
        ],
        filteredDataType: "logs",
        isEnabled: true,
        name: "Example-Create_a_security_filter_returns_OK_response",
        query: "service:ExampleCreateasecurityfilterreturnsOKresponse",
      },
      type: "security_filters",
    },
  },
};

apiInstance
  .createSecurityFilter(params)
  .then((data: v2.SecurityFilterResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

Instructions

First install the library and its dependencies and then save the example to example.ts and run following commands:

              
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"
// Create a security filter returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	datadog "github.com/DataDog/datadog-api-client-go/api/v2/datadog"
)

func main() {
	body := datadog.SecurityFilterCreateRequest{
		Data: datadog.SecurityFilterCreateData{
			Attributes: datadog.SecurityFilterCreateAttributes{
				ExclusionFilters: []datadog.SecurityFilterExclusionFilter{
					{
						Name:  "Exclude staging",
						Query: "source:staging",
					},
				},
				FilteredDataType: datadog.SECURITYFILTERFILTEREDDATATYPE_LOGS,
				IsEnabled:        true,
				Name:             "Example-Create_a_security_filter_returns_OK_response",
				Query:            "service:ExampleCreateasecurityfilterreturnsOKresponse",
			},
			Type: datadog.SECURITYFILTERTYPE_SECURITY_FILTERS,
		},
	}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	resp, r, err := apiClient.SecurityMonitoringApi.CreateSecurityFilter(ctx, body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.CreateSecurityFilter`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.CreateSecurityFilter`:\n%s\n", responseContent)
}

Instructions

First install the library and its dependencies and then save the example to main.go and run following commands:

              
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
// Create a security filter returns "OK" response

import com.datadog.api.v2.client.ApiClient;
import com.datadog.api.v2.client.ApiException;
import com.datadog.api.v2.client.Configuration;
import com.datadog.api.v2.client.api.SecurityMonitoringApi;
import com.datadog.api.v2.client.model.SecurityFilterCreateAttributes;
import com.datadog.api.v2.client.model.SecurityFilterCreateData;
import com.datadog.api.v2.client.model.SecurityFilterCreateRequest;
import com.datadog.api.v2.client.model.SecurityFilterExclusionFilter;
import com.datadog.api.v2.client.model.SecurityFilterFilteredDataType;
import com.datadog.api.v2.client.model.SecurityFilterResponse;
import com.datadog.api.v2.client.model.SecurityFilterType;
import java.util.Collections;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = Configuration.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    SecurityFilterCreateRequest body =
        new SecurityFilterCreateRequest()
            .data(
                new SecurityFilterCreateData()
                    .attributes(
                        new SecurityFilterCreateAttributes()
                            .exclusionFilters(
                                Collections.singletonList(
                                    new SecurityFilterExclusionFilter()
                                        .name("Exclude staging")
                                        .query("source:staging")))
                            .filteredDataType(SecurityFilterFilteredDataType.LOGS)
                            .isEnabled(true)
                            .name("Example-Create_a_security_filter_returns_OK_response")
                            .query("service:ExampleCreateasecurityfilterreturnsOKresponse"))
                    .type(SecurityFilterType.SECURITY_FILTERS));

    try {
      SecurityFilterResponse result = apiInstance.createSecurityFilter(body);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println("Exception when calling SecurityMonitoringApi#createSecurityFilter");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

Instructions

First install the library and its dependencies and then save the example to Example.java and run following commands:

              
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"

Delete a security filter

DELETE https://api.datadoghq.eu/api/v2/security_monitoring/configuration/security_filters/{security_filter_id}https://api.ddog-gov.com/api/v2/security_monitoring/configuration/security_filters/{security_filter_id}https://api.datadoghq.com/api/v2/security_monitoring/configuration/security_filters/{security_filter_id}https://api.us3.datadoghq.com/api/v2/security_monitoring/configuration/security_filters/{security_filter_id}https://api.us5.datadoghq.com/api/v2/security_monitoring/configuration/security_filters/{security_filter_id}

Overview

Delete a specific security filter. This endpoint requires the security_monitoring_filters_write authorization scope.

Arguments

Path Parameters

Name

Type

Description

security_filter_id [required]

string

The ID of the security filter.

Response

OK

Not Authorized

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Not Found

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Too many requests

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Code Example


# Path parameters
export security_filter_id="CHANGE_ME"
# Curl command
curl -X DELETE "https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/configuration/security_filters/${security_filter_id}" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"



           
"""
Delete a security filter returns "OK" response
"""

from datadog_api_client.v2 import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    api_instance.delete_security_filter(
        security_filter_id="security_filter_id",
    )

Instructions

First install the library and its dependencies and then save the example to example.py and run following commands:

              
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
# Delete a security filter returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new
api_instance.delete_security_filter("security_filter_id")

Instructions

First install the library and its dependencies and then save the example to example.rb and run following commands:

              
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" rb "example.rb"
/**
 * Delete a security filter returns "OK" response
 */

import { v2 } from "@datadog/datadog-api-client";

const configuration = v2.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiDeleteSecurityFilterRequest = {
  securityFilterId: "security_filter_id",
};

apiInstance
  .deleteSecurityFilter(params)
  .then((data: any) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

Instructions

First install the library and its dependencies and then save the example to example.ts and run following commands:

              
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"
// Delete a security filter returns "OK" response

package main

import (
	"context"
	"fmt"
	"os"

	datadog "github.com/DataDog/datadog-api-client-go/api/v2/datadog"
)

func main() {
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	r, err := apiClient.SecurityMonitoringApi.DeleteSecurityFilter(ctx, "security_filter_id")

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.DeleteSecurityFilter`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}
}

Instructions

First install the library and its dependencies and then save the example to main.go and run following commands:

              
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
// Delete a security filter returns "OK" response

import com.datadog.api.v2.client.ApiClient;
import com.datadog.api.v2.client.ApiException;
import com.datadog.api.v2.client.Configuration;
import com.datadog.api.v2.client.api.SecurityMonitoringApi;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = Configuration.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    try {
      apiInstance.deleteSecurityFilter("security_filter_id");
    } catch (ApiException e) {
      System.err.println("Exception when calling SecurityMonitoringApi#deleteSecurityFilter");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

Instructions

First install the library and its dependencies and then save the example to Example.java and run following commands:

              
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"

Update a security filter

PATCH https://api.datadoghq.eu/api/v2/security_monitoring/configuration/security_filters/{security_filter_id}https://api.ddog-gov.com/api/v2/security_monitoring/configuration/security_filters/{security_filter_id}https://api.datadoghq.com/api/v2/security_monitoring/configuration/security_filters/{security_filter_id}https://api.us3.datadoghq.com/api/v2/security_monitoring/configuration/security_filters/{security_filter_id}https://api.us5.datadoghq.com/api/v2/security_monitoring/configuration/security_filters/{security_filter_id}

Overview

Update a specific security filter. Returns the security filter object when the request is successful. This endpoint requires the security_monitoring_filters_write authorization scope.

Arguments

Path Parameters

Name

Type

Description

security_filter_id [required]

string

The ID of the security filter.

Request

Body Data (required)

New definition of the security filter.

Expand All

Field

Type

Description

data [required]

object

The new security filter properties.

attributes [required]

object

The security filters properties to be updated.

exclusion_filters

[object]

Exclusion filters to exclude some logs from the security filter.

name [required]

string

Exclusion filter name.

query [required]

string

Exclusion filter query. Logs that match this query are excluded from the security filter.

filtered_data_type

enum

The filtered data type. Allowed enum values: logs

is_enabled

boolean

Whether the security filter is enabled.

name

string

The name of the security filter.

query

string

The query of the security filter.

version

int32

The version of the security filter to update.

type [required]

enum

The type of the resource. The value should always be security_filters. Allowed enum values: security_filters

{
  "data": {
    "attributes": {
      "exclusion_filters": [],
      "filtered_data_type": "logs",
      "is_enabled": true,
      "name": "Example-Update_a_security_filter_returns_OK_response",
      "query": "service:ExampleUpdateasecurityfilterreturnsOKresponse",
      "version": 1
    },
    "type": "security_filters"
  }
}

Response

OK

Response object which includes a single security filter.

Expand All

Field

Type

Description

data

object

The security filter's properties.

attributes

object

The object describing a security filter.

exclusion_filters

[object]

The list of exclusion filters applied in this security filter.

name

string

The exclusion filter name.

query

string

The exclusion filter query.

filtered_data_type

enum

The filtered data type. Allowed enum values: logs

is_builtin

boolean

Whether the security filter is the built-in filter.

is_enabled

boolean

Whether the security filter is enabled.

name

string

The security filter name.

query

string

The security filter query. Logs accepted by this query will be accepted by this filter.

version

int32

The version of the security filter.

id

string

The ID of the security filter.

type

enum

The type of the resource. The value should always be security_filters. Allowed enum values: security_filters

meta

object

Optional metadata associated to the response.

warning

string

A warning message.

{
  "data": {
    "attributes": {
      "exclusion_filters": [
        {
          "name": "Exclude staging",
          "query": "source:staging"
        }
      ],
      "filtered_data_type": "logs",
      "is_builtin": false,
      "is_enabled": false,
      "name": "Custom security filter",
      "query": "service:api",
      "version": 1
    },
    "id": "3dd-0uc-h1s",
    "type": "security_filters"
  },
  "meta": {
    "warning": "All the security filters are disabled. As a result, no logs are being analyzed."
  }
}

Bad Request

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Not Authorized

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Not Found

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Concurrent Modification

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Too many requests

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Code Example


# Path parameters
export security_filter_id="CHANGE_ME"
# Curl command
curl -X PATCH "https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/configuration/security_filters/${security_filter_id}" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "data": {
    "attributes": {
      "exclusion_filters": [
        {
          "name": "Exclude staging",
          "query": "source:staging"
        }
      ]
    },
    "type": "security_filters"
  }
}
EOF



           
"""
Update a security filter returns "OK" response
"""

from os import environ
from datadog_api_client.v2 import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.security_filter_filtered_data_type import SecurityFilterFilteredDataType
from datadog_api_client.v2.model.security_filter_type import SecurityFilterType
from datadog_api_client.v2.model.security_filter_update_attributes import SecurityFilterUpdateAttributes
from datadog_api_client.v2.model.security_filter_update_data import SecurityFilterUpdateData
from datadog_api_client.v2.model.security_filter_update_request import SecurityFilterUpdateRequest

# there is a valid "security_filter" in the system
SECURITY_FILTER_DATA_ID = environ["SECURITY_FILTER_DATA_ID"]

body = SecurityFilterUpdateRequest(
    data=SecurityFilterUpdateData(
        attributes=SecurityFilterUpdateAttributes(
            exclusion_filters=[],
            filtered_data_type=SecurityFilterFilteredDataType("logs"),
            is_enabled=True,
            name="Example-Update_a_security_filter_returns_OK_response",
            query="service:ExampleUpdateasecurityfilterreturnsOKresponse",
            version=1,
        ),
        type=SecurityFilterType("security_filters"),
    ),
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.update_security_filter(security_filter_id=SECURITY_FILTER_DATA_ID, body=body)

    print(response)

Instructions

First install the library and its dependencies and then save the example to example.py and run following commands:

              
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
# Update a security filter returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

# there is a valid "security_filter" in the system
SECURITY_FILTER_DATA_ID = ENV["SECURITY_FILTER_DATA_ID"]

body = DatadogAPIClient::V2::SecurityFilterUpdateRequest.new({
  data: DatadogAPIClient::V2::SecurityFilterUpdateData.new({
    attributes: DatadogAPIClient::V2::SecurityFilterUpdateAttributes.new({
      exclusion_filters: [],
      filtered_data_type: DatadogAPIClient::V2::SecurityFilterFilteredDataType::LOGS,
      is_enabled: true,
      name: "Example-Update_a_security_filter_returns_OK_response",
      query: "service:ExampleUpdateasecurityfilterreturnsOKresponse",
      version: 1,
    }),
    type: DatadogAPIClient::V2::SecurityFilterType::SECURITY_FILTERS,
  }),
})
p api_instance.update_security_filter(SECURITY_FILTER_DATA_ID, body)

Instructions

First install the library and its dependencies and then save the example to example.rb and run following commands:

              
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" rb "example.rb"
/**
 * Update a security filter returns "OK" response
 */

import { v2 } from "@datadog/datadog-api-client";

const configuration = v2.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

// there is a valid "security_filter" in the system
const SECURITY_FILTER_DATA_ID = process.env.SECURITY_FILTER_DATA_ID as string;

const params: v2.SecurityMonitoringApiUpdateSecurityFilterRequest = {
  body: {
    data: {
      attributes: {
        exclusionFilters: [],
        filteredDataType: "logs",
        isEnabled: true,
        name: "Example-Update_a_security_filter_returns_OK_response",
        query: "service:ExampleUpdateasecurityfilterreturnsOKresponse",
        version: 1,
      },
      type: "security_filters",
    },
  },
  securityFilterId: SECURITY_FILTER_DATA_ID,
};

apiInstance
  .updateSecurityFilter(params)
  .then((data: v2.SecurityFilterResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

Instructions

First install the library and its dependencies and then save the example to example.ts and run following commands:

              
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"
// Update a security filter returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	datadog "github.com/DataDog/datadog-api-client-go/api/v2/datadog"
)

func main() {
	// there is a valid "security_filter" in the system
	SecurityFilterDataID := os.Getenv("SECURITY_FILTER_DATA_ID")

	body := datadog.SecurityFilterUpdateRequest{
		Data: datadog.SecurityFilterUpdateData{
			Attributes: datadog.SecurityFilterUpdateAttributes{
				ExclusionFilters: []datadog.SecurityFilterExclusionFilter{},
				FilteredDataType: datadog.SECURITYFILTERFILTEREDDATATYPE_LOGS.Ptr(),
				IsEnabled:        datadog.PtrBool(true),
				Name:             datadog.PtrString("Example-Update_a_security_filter_returns_OK_response"),
				Query:            datadog.PtrString("service:ExampleUpdateasecurityfilterreturnsOKresponse"),
				Version:          datadog.PtrInt32(1),
			},
			Type: datadog.SECURITYFILTERTYPE_SECURITY_FILTERS,
		},
	}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	resp, r, err := apiClient.SecurityMonitoringApi.UpdateSecurityFilter(ctx, SecurityFilterDataID, body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.UpdateSecurityFilter`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.UpdateSecurityFilter`:\n%s\n", responseContent)
}

Instructions

First install the library and its dependencies and then save the example to main.go and run following commands:

              
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
// Update a security filter returns "OK" response

import com.datadog.api.v2.client.ApiClient;
import com.datadog.api.v2.client.ApiException;
import com.datadog.api.v2.client.Configuration;
import com.datadog.api.v2.client.api.SecurityMonitoringApi;
import com.datadog.api.v2.client.model.SecurityFilterFilteredDataType;
import com.datadog.api.v2.client.model.SecurityFilterResponse;
import com.datadog.api.v2.client.model.SecurityFilterType;
import com.datadog.api.v2.client.model.SecurityFilterUpdateAttributes;
import com.datadog.api.v2.client.model.SecurityFilterUpdateData;
import com.datadog.api.v2.client.model.SecurityFilterUpdateRequest;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = Configuration.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    // there is a valid "security_filter" in the system
    String SECURITY_FILTER_DATA_ID = System.getenv("SECURITY_FILTER_DATA_ID");

    SecurityFilterUpdateRequest body =
        new SecurityFilterUpdateRequest()
            .data(
                new SecurityFilterUpdateData()
                    .attributes(
                        new SecurityFilterUpdateAttributes()
                            .filteredDataType(SecurityFilterFilteredDataType.LOGS)
                            .isEnabled(true)
                            .name("Example-Update_a_security_filter_returns_OK_response")
                            .query("service:ExampleUpdateasecurityfilterreturnsOKresponse")
                            .version(1))
                    .type(SecurityFilterType.SECURITY_FILTERS));

    try {
      SecurityFilterResponse result =
          apiInstance.updateSecurityFilter(SECURITY_FILTER_DATA_ID, body);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println("Exception when calling SecurityMonitoringApi#updateSecurityFilter");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

Instructions

First install the library and its dependencies and then save the example to Example.java and run following commands:

              
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"

Get a security filter

GET https://api.datadoghq.eu/api/v2/security_monitoring/configuration/security_filters/{security_filter_id}https://api.ddog-gov.com/api/v2/security_monitoring/configuration/security_filters/{security_filter_id}https://api.datadoghq.com/api/v2/security_monitoring/configuration/security_filters/{security_filter_id}https://api.us3.datadoghq.com/api/v2/security_monitoring/configuration/security_filters/{security_filter_id}https://api.us5.datadoghq.com/api/v2/security_monitoring/configuration/security_filters/{security_filter_id}

Overview

Get the details of a specific security filter.

See the security filter guide for more examples.

This endpoint requires the security_monitoring_filters_read authorization scope.

Arguments

Path Parameters

Name

Type

Description

security_filter_id [required]

string

The ID of the security filter.

Response

OK

Response object which includes a single security filter.

Expand All

Field

Type

Description

data

object

The security filter's properties.

attributes

object

The object describing a security filter.

exclusion_filters

[object]

The list of exclusion filters applied in this security filter.

name

string

The exclusion filter name.

query

string

The exclusion filter query.

filtered_data_type

enum

The filtered data type. Allowed enum values: logs

is_builtin

boolean

Whether the security filter is the built-in filter.

is_enabled

boolean

Whether the security filter is enabled.

name

string

The security filter name.

query

string

The security filter query. Logs accepted by this query will be accepted by this filter.

version

int32

The version of the security filter.

id

string

The ID of the security filter.

type

enum

The type of the resource. The value should always be security_filters. Allowed enum values: security_filters

meta

object

Optional metadata associated to the response.

warning

string

A warning message.

{
  "data": {
    "attributes": {
      "exclusion_filters": [
        {
          "name": "Exclude staging",
          "query": "source:staging"
        }
      ],
      "filtered_data_type": "logs",
      "is_builtin": false,
      "is_enabled": false,
      "name": "Custom security filter",
      "query": "service:api",
      "version": 1
    },
    "id": "3dd-0uc-h1s",
    "type": "security_filters"
  },
  "meta": {
    "warning": "All the security filters are disabled. As a result, no logs are being analyzed."
  }
}

Not Authorized

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Not Found

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Too many requests

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Code Example


# Path parameters
export security_filter_id="CHANGE_ME"
# Curl command
curl -X GET "https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/configuration/security_filters/${security_filter_id}" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"



           
"""
Get a security filter returns "OK" response
"""

from os import environ
from datadog_api_client.v2 import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi

# there is a valid "security_filter" in the system
SECURITY_FILTER_DATA_ID = environ["SECURITY_FILTER_DATA_ID"]

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.get_security_filter(
        security_filter_id=SECURITY_FILTER_DATA_ID,
    )

    print(response)

Instructions

First install the library and its dependencies and then save the example to example.py and run following commands:

              
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
# Get a security filter returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

# there is a valid "security_filter" in the system
SECURITY_FILTER_DATA_ID = ENV["SECURITY_FILTER_DATA_ID"]
p api_instance.get_security_filter(SECURITY_FILTER_DATA_ID)

Instructions

First install the library and its dependencies and then save the example to example.rb and run following commands:

              
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" rb "example.rb"
/**
 * Get a security filter returns "OK" response
 */

import { v2 } from "@datadog/datadog-api-client";

const configuration = v2.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

// there is a valid "security_filter" in the system
const SECURITY_FILTER_DATA_ID = process.env.SECURITY_FILTER_DATA_ID as string;

const params: v2.SecurityMonitoringApiGetSecurityFilterRequest = {
  securityFilterId: SECURITY_FILTER_DATA_ID,
};

apiInstance
  .getSecurityFilter(params)
  .then((data: v2.SecurityFilterResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

Instructions

First install the library and its dependencies and then save the example to example.ts and run following commands:

              
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"
// Get a security filter returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	datadog "github.com/DataDog/datadog-api-client-go/api/v2/datadog"
)

func main() {
	// there is a valid "security_filter" in the system
	SecurityFilterDataID := os.Getenv("SECURITY_FILTER_DATA_ID")

	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	resp, r, err := apiClient.SecurityMonitoringApi.GetSecurityFilter(ctx, SecurityFilterDataID)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.GetSecurityFilter`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.GetSecurityFilter`:\n%s\n", responseContent)
}

Instructions

First install the library and its dependencies and then save the example to main.go and run following commands:

              
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
// Get a security filter returns "OK" response

import com.datadog.api.v2.client.ApiClient;
import com.datadog.api.v2.client.ApiException;
import com.datadog.api.v2.client.Configuration;
import com.datadog.api.v2.client.api.SecurityMonitoringApi;
import com.datadog.api.v2.client.model.SecurityFilterResponse;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = Configuration.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    // there is a valid "security_filter" in the system
    String SECURITY_FILTER_DATA_ID = System.getenv("SECURITY_FILTER_DATA_ID");

    try {
      SecurityFilterResponse result = apiInstance.getSecurityFilter(SECURITY_FILTER_DATA_ID);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println("Exception when calling SecurityMonitoringApi#getSecurityFilter");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

Instructions

First install the library and its dependencies and then save the example to Example.java and run following commands:

              
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"

Get all security filters

GET https://api.datadoghq.eu/api/v2/security_monitoring/configuration/security_filtershttps://api.ddog-gov.com/api/v2/security_monitoring/configuration/security_filtershttps://api.datadoghq.com/api/v2/security_monitoring/configuration/security_filtershttps://api.us3.datadoghq.com/api/v2/security_monitoring/configuration/security_filtershttps://api.us5.datadoghq.com/api/v2/security_monitoring/configuration/security_filters

Overview

Get the list of configured security filters with their definitions. This endpoint requires the security_monitoring_filters_read authorization scope.

Response

OK

All the available security filters objects.

Expand All

Field

Type

Description

data

[object]

A list of security filters objects.

attributes

object

The object describing a security filter.

exclusion_filters

[object]

The list of exclusion filters applied in this security filter.

name

string

The exclusion filter name.

query

string

The exclusion filter query.

filtered_data_type

enum

The filtered data type. Allowed enum values: logs

is_builtin

boolean

Whether the security filter is the built-in filter.

is_enabled

boolean

Whether the security filter is enabled.

name

string

The security filter name.

query

string

The security filter query. Logs accepted by this query will be accepted by this filter.

version

int32

The version of the security filter.

id

string

The ID of the security filter.

type

enum

The type of the resource. The value should always be security_filters. Allowed enum values: security_filters

meta

object

Optional metadata associated to the response.

warning

string

A warning message.

{
  "data": [
    {
      "attributes": {
        "exclusion_filters": [
          {
            "name": "Exclude staging",
            "query": "source:staging"
          }
        ],
        "filtered_data_type": "logs",
        "is_builtin": false,
        "is_enabled": false,
        "name": "Custom security filter",
        "query": "service:api",
        "version": 1
      },
      "id": "3dd-0uc-h1s",
      "type": "security_filters"
    }
  ],
  "meta": {
    "warning": "All the security filters are disabled. As a result, no logs are being analyzed."
  }
}

Not Authorized

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Too many requests

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Code Example


# Curl command
curl -X GET "https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/configuration/security_filters" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"



           
"""
Get all security filters returns "OK" response
"""

from datadog_api_client.v2 import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.list_security_filters()

    print(response)

Instructions

First install the library and its dependencies and then save the example to example.py and run following commands:

              
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
# Get all security filters returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new
p api_instance.list_security_filters()

Instructions

First install the library and its dependencies and then save the example to example.rb and run following commands:

              
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" rb "example.rb"
/**
 * Get all security filters returns "OK" response
 */

import { v2 } from "@datadog/datadog-api-client";

const configuration = v2.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

apiInstance
  .listSecurityFilters()
  .then((data: v2.SecurityFiltersResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

Instructions

First install the library and its dependencies and then save the example to example.ts and run following commands:

              
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"
// Get all security filters returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	datadog "github.com/DataDog/datadog-api-client-go/api/v2/datadog"
)

func main() {
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	resp, r, err := apiClient.SecurityMonitoringApi.ListSecurityFilters(ctx)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.ListSecurityFilters`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.ListSecurityFilters`:\n%s\n", responseContent)
}

Instructions

First install the library and its dependencies and then save the example to main.go and run following commands:

              
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
// Get all security filters returns "OK" response

import com.datadog.api.v2.client.ApiClient;
import com.datadog.api.v2.client.ApiException;
import com.datadog.api.v2.client.Configuration;
import com.datadog.api.v2.client.api.SecurityMonitoringApi;
import com.datadog.api.v2.client.model.SecurityFiltersResponse;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = Configuration.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    try {
      SecurityFiltersResponse result = apiInstance.listSecurityFilters();
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println("Exception when calling SecurityMonitoringApi#listSecurityFilters");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

Instructions

First install the library and its dependencies and then save the example to Example.java and run following commands:

              
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"

List rules

GET https://api.datadoghq.eu/api/v2/security_monitoring/ruleshttps://api.ddog-gov.com/api/v2/security_monitoring/ruleshttps://api.datadoghq.com/api/v2/security_monitoring/ruleshttps://api.us3.datadoghq.com/api/v2/security_monitoring/ruleshttps://api.us5.datadoghq.com/api/v2/security_monitoring/rules

Overview

List rules. This endpoint requires the security_monitoring_rules_read authorization scope.

Arguments

Query Strings

Name

Type

Description

page[size]

integer

Size for a given page.

page[number]

integer

Specific page number to return.

Response

OK

List of rules.

Expand All

Field

Type

Description

data

[]

Array containing the list of rules.

cases

[object]

Cases for generating signals.

condition

string

A rule case contains logical operations (>,>=, &&, ||) to determine if a signal should be generated based on the event counts in the previously defined queries.

name

string

Name of the case.

notifications

[string]

Notification targets for each rule case.

status

enum

Severity of the Security Signal. Allowed enum values: info,low,medium,high,critical

createdAt

int64

When the rule was created, timestamp in milliseconds.

creationAuthorId

int64

User ID of the user who created the rule.

filters

[object]

Additional queries to filter matched events before they are processed.

action

enum

The type of filtering action. Allowed enum values: require,suppress

query

string

Query for selecting logs to apply the filtering action.

hasExtendedTitle

boolean

Whether the notifications include the triggering group-by values in their title.

id

string

The ID of the rule.

isDefault

boolean

Whether the rule is included by default.

isDeleted

boolean

Whether the rule has been deleted.

isEnabled

boolean

Whether the rule is enabled.

message

string

Message for generated signals.

name

string

The name of the rule.

options

object

Options on rules.

detectionMethod

enum

The detection method. Allowed enum values: threshold,new_value,anomaly_detection,impossible_travel,hardcoded

evaluationWindow

enum

A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. Allowed enum values: 0,60,300,600,900,1800,3600,7200

hardcodedEvaluatorType

enum

Hardcoded evaluator type. Allowed enum values: log4shell

impossibleTravelOptions

object

Options on impossible travel rules.

baselineUserLocations

boolean

If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.

keepAlive

enum

Once a signal is generated, the signal will remain “open” if a case is matched at least once within this keep alive window. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600

maxSignalDuration

enum

A signal will “close” regardless of the query being matched once the time exceeds the maximum duration. This time is calculated from the first seen timestamp. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400

newValueOptions

object

Options on new value rules.

forgetAfter

enum

The duration in days after which a learned value is forgotten. Allowed enum values: 1,2,7,14,21,28

learningDuration

enum

The duration in days during which values are learned, and after which signals will be generated for values that weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned. Allowed enum values: 0,1,7

queries

[object]

Queries for selecting logs which are part of the rule.

aggregation

enum

The aggregation type. Allowed enum values: count,cardinality,sum,max,new_value,geo_data

distinctFields

[string]

Field for which the cardinality is measured. Sent as an array.

groupByFields

[string]

Fields to group by.

metric

string

The target field to aggregate over when using the sum or max aggregations.

name

string

Name of the query.

query

string

Query to run on logs.

tags

[string]

Tags for generated signals.

type

enum

The rule type. Allowed enum values: log_detection,infrastructure_configuration,workload_security,cloud_configuration

updateAuthorId

int64

User ID of the user who updated the rule.

version

int64

The version of the rule.

meta

object

Object describing meta attributes of response.

page

object

Pagination object.

total_count

int64

Total count.

total_filtered_count

int64

Total count of elements matched by the filter.

{
  "data": [
    {
      "cases": [
        {
          "condition": "string",
          "name": "string",
          "notifications": [],
          "status": "critical"
        }
      ],
      "createdAt": "integer",
      "creationAuthorId": "integer",
      "filters": [
        {
          "action": "string",
          "query": "string"
        }
      ],
      "hasExtendedTitle": false,
      "id": "string",
      "isDefault": false,
      "isDeleted": false,
      "isEnabled": false,
      "message": "string",
      "name": "string",
      "options": {
        "detectionMethod": "string",
        "evaluationWindow": "integer",
        "hardcodedEvaluatorType": "string",
        "impossibleTravelOptions": {
          "baselineUserLocations": true
        },
        "keepAlive": "integer",
        "maxSignalDuration": "integer",
        "newValueOptions": {
          "forgetAfter": "integer",
          "learningDuration": "integer"
        }
      },
      "queries": [
        {
          "aggregation": "string",
          "distinctFields": [],
          "groupByFields": [],
          "metric": "string",
          "name": "string",
          "query": "string"
        }
      ],
      "tags": [],
      "type": "string",
      "updateAuthorId": "integer",
      "version": "integer"
    }
  ],
  "meta": {
    "page": {
      "total_count": "integer",
      "total_filtered_count": "integer"
    }
  }
}

Bad Request

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Too many requests

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Code Example


# Curl command
curl -X GET "https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/rules" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"



           
"""
List rules returns "OK" response
"""

from datadog_api_client.v2 import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.list_security_monitoring_rules()

    print(response)

Instructions

First install the library and its dependencies and then save the example to example.py and run following commands:

              
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
# List rules returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new
p api_instance.list_security_monitoring_rules()

Instructions

First install the library and its dependencies and then save the example to example.rb and run following commands:

              
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" rb "example.rb"
/**
 * List rules returns "OK" response
 */

import { v2 } from "@datadog/datadog-api-client";

const configuration = v2.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

apiInstance
  .listSecurityMonitoringRules()
  .then((data: v2.SecurityMonitoringListRulesResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

Instructions

First install the library and its dependencies and then save the example to example.ts and run following commands:

              
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"
// List rules returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	datadog "github.com/DataDog/datadog-api-client-go/api/v2/datadog"
)

func main() {
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	resp, r, err := apiClient.SecurityMonitoringApi.ListSecurityMonitoringRules(ctx, *datadog.NewListSecurityMonitoringRulesOptionalParameters())

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.ListSecurityMonitoringRules`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.ListSecurityMonitoringRules`:\n%s\n", responseContent)
}

Instructions

First install the library and its dependencies and then save the example to main.go and run following commands:

              
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
// List rules returns "OK" response

import com.datadog.api.v2.client.ApiClient;
import com.datadog.api.v2.client.ApiException;
import com.datadog.api.v2.client.Configuration;
import com.datadog.api.v2.client.api.SecurityMonitoringApi;
import com.datadog.api.v2.client.model.SecurityMonitoringListRulesResponse;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = Configuration.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    try {
      SecurityMonitoringListRulesResponse result = apiInstance.listSecurityMonitoringRules();
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#listSecurityMonitoringRules");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

Instructions

First install the library and its dependencies and then save the example to Example.java and run following commands:

              
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"

Create a detection rule

POST https://api.datadoghq.eu/api/v2/security_monitoring/ruleshttps://api.ddog-gov.com/api/v2/security_monitoring/ruleshttps://api.datadoghq.com/api/v2/security_monitoring/ruleshttps://api.us3.datadoghq.com/api/v2/security_monitoring/ruleshttps://api.us5.datadoghq.com/api/v2/security_monitoring/rules

Overview

Create a detection rule. This endpoint requires the security_monitoring_rules_write authorization scope.

Request

Body Data (required)

Expand All

Field

Type

Description

cases [required]

[object]

Cases for generating signals.

condition

string

A rule case contains logical operations (>,>=, &&, ||) to determine if a signal should be generated based on the event counts in the previously defined queries.

name

string

Name of the case.

notifications

[string]

Notification targets for each rule case.

status [required]

enum

Severity of the Security Signal. Allowed enum values: info,low,medium,high,critical

filters

[object]

Additional queries to filter matched events before they are processed.

action

enum

The type of filtering action. Allowed enum values: require,suppress

query

string

Query for selecting logs to apply the filtering action.

hasExtendedTitle

boolean

Whether the notifications include the triggering group-by values in their title.

isEnabled [required]

boolean

Whether the rule is enabled.

message [required]

string

Message for generated signals.

name [required]

string

The name of the rule.

options [required]

object

Options on rules.

detectionMethod

enum

The detection method. Allowed enum values: threshold,new_value,anomaly_detection,impossible_travel,hardcoded

evaluationWindow

enum

A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. Allowed enum values: 0,60,300,600,900,1800,3600,7200

hardcodedEvaluatorType

enum

Hardcoded evaluator type. Allowed enum values: log4shell

impossibleTravelOptions

object

Options on impossible travel rules.

baselineUserLocations

boolean

If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.

keepAlive

enum

Once a signal is generated, the signal will remain “open” if a case is matched at least once within this keep alive window. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600

maxSignalDuration

enum

A signal will “close” regardless of the query being matched once the time exceeds the maximum duration. This time is calculated from the first seen timestamp. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400

newValueOptions

object

Options on new value rules.

forgetAfter

enum

The duration in days after which a learned value is forgotten. Allowed enum values: 1,2,7,14,21,28

learningDuration

enum

The duration in days during which values are learned, and after which signals will be generated for values that weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned. Allowed enum values: 0,1,7

queries [required]

[object]

Queries for selecting logs which are part of the rule.

aggregation

enum

The aggregation type. Allowed enum values: count,cardinality,sum,max,new_value,geo_data

distinctFields

[string]

Field for which the cardinality is measured. Sent as an array.

groupByFields

[string]

Fields to group by.

metric

string

The target field to aggregate over when using the sum or max aggregations.

name

string

Name of the query.

query [required]

string

Query to run on logs.

tags

[string]

Tags for generated signals.

type

enum

The rule type. Allowed enum values: log_detection,workload_security

{
  "name": "Example-Create_a_detection_rule_returns_OK_response",
  "queries": [
    {
      "query": "@test:true",
      "aggregation": "count",
      "groupByFields": [],
      "distinctFields": [],
      "metric": ""
    }
  ],
  "filters": [],
  "cases": [
    {
      "name": "",
      "status": "info",
      "condition": "a > 0",
      "notifications": []
    }
  ],
  "options": {
    "evaluationWindow": 900,
    "keepAlive": 3600,
    "maxSignalDuration": 86400
  },
  "message": "Test rule",
  "tags": [],
  "isEnabled": true
}

Response

OK

Rule.

Expand All

Field

Type

Description

cases

[object]

Cases for generating signals.

condition

string

A rule case contains logical operations (>,>=, &&, ||) to determine if a signal should be generated based on the event counts in the previously defined queries.

name

string

Name of the case.

notifications

[string]

Notification targets for each rule case.

status

enum

Severity of the Security Signal. Allowed enum values: info,low,medium,high,critical

createdAt

int64

When the rule was created, timestamp in milliseconds.

creationAuthorId

int64

User ID of the user who created the rule.

filters

[object]

Additional queries to filter matched events before they are processed.

action

enum

The type of filtering action. Allowed enum values: require,suppress

query

string

Query for selecting logs to apply the filtering action.

hasExtendedTitle

boolean

Whether the notifications include the triggering group-by values in their title.

id

string

The ID of the rule.

isDefault

boolean

Whether the rule is included by default.

isDeleted

boolean

Whether the rule has been deleted.

isEnabled

boolean

Whether the rule is enabled.

message

string

Message for generated signals.

name

string

The name of the rule.

options

object

Options on rules.

detectionMethod

enum

The detection method. Allowed enum values: threshold,new_value,anomaly_detection,impossible_travel,hardcoded

evaluationWindow

enum

A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. Allowed enum values: 0,60,300,600,900,1800,3600,7200

hardcodedEvaluatorType

enum

Hardcoded evaluator type. Allowed enum values: log4shell

impossibleTravelOptions

object

Options on impossible travel rules.

baselineUserLocations

boolean

If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.

keepAlive

enum

Once a signal is generated, the signal will remain “open” if a case is matched at least once within this keep alive window. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600

maxSignalDuration

enum

A signal will “close” regardless of the query being matched once the time exceeds the maximum duration. This time is calculated from the first seen timestamp. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400

newValueOptions

object

Options on new value rules.

forgetAfter

enum

The duration in days after which a learned value is forgotten. Allowed enum values: 1,2,7,14,21,28

learningDuration

enum

The duration in days during which values are learned, and after which signals will be generated for values that weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned. Allowed enum values: 0,1,7

queries

[object]

Queries for selecting logs which are part of the rule.

aggregation

enum

The aggregation type. Allowed enum values: count,cardinality,sum,max,new_value,geo_data

distinctFields

[string]

Field for which the cardinality is measured. Sent as an array.

groupByFields

[string]

Fields to group by.

metric

string

The target field to aggregate over when using the sum or max aggregations.

name

string

Name of the query.

query

string

Query to run on logs.

tags

[string]

Tags for generated signals.

type

enum

The rule type. Allowed enum values: log_detection,infrastructure_configuration,workload_security,cloud_configuration

updateAuthorId

int64

User ID of the user who updated the rule.

version

int64

The version of the rule.

{
  "cases": [
    {
      "condition": "string",
      "name": "string",
      "notifications": [],
      "status": "critical"
    }
  ],
  "createdAt": "integer",
  "creationAuthorId": "integer",
  "filters": [
    {
      "action": "string",
      "query": "string"
    }
  ],
  "hasExtendedTitle": false,
  "id": "string",
  "isDefault": false,
  "isDeleted": false,
  "isEnabled": false,
  "message": "string",
  "name": "string",
  "options": {
    "detectionMethod": "string",
    "evaluationWindow": "integer",
    "hardcodedEvaluatorType": "string",
    "impossibleTravelOptions": {
      "baselineUserLocations": true
    },
    "keepAlive": "integer",
    "maxSignalDuration": "integer",
    "newValueOptions": {
      "forgetAfter": "integer",
      "learningDuration": "integer"
    }
  },
  "queries": [
    {
      "aggregation": "string",
      "distinctFields": [],
      "groupByFields": [],
      "metric": "string",
      "name": "string",
      "query": "string"
    }
  ],
  "tags": [],
  "type": "string",
  "updateAuthorId": "integer",
  "version": "integer"
}

Bad Request

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Not Authorized

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Too many requests

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Code Example


# Curl command
curl -X POST "https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/rules" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "cases": [
    {
      "status": "critical"
    }
  ],
  "isEnabled": true,
  "message": "",
  "name": "My security monitoring rule.",
  "options": {},
  "queries": [
    {
      "query": "a > 3"
    }
  ]
}
EOF



           
"""
Create a detection rule returns "OK" response
"""

from datadog_api_client.v2 import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.security_monitoring_rule_case_create import SecurityMonitoringRuleCaseCreate
from datadog_api_client.v2.model.security_monitoring_rule_create_payload import SecurityMonitoringRuleCreatePayload
from datadog_api_client.v2.model.security_monitoring_rule_evaluation_window import (
    SecurityMonitoringRuleEvaluationWindow,
)
from datadog_api_client.v2.model.security_monitoring_rule_keep_alive import SecurityMonitoringRuleKeepAlive
from datadog_api_client.v2.model.security_monitoring_rule_max_signal_duration import (
    SecurityMonitoringRuleMaxSignalDuration,
)
from datadog_api_client.v2.model.security_monitoring_rule_options import SecurityMonitoringRuleOptions
from datadog_api_client.v2.model.security_monitoring_rule_query_aggregation import (
    SecurityMonitoringRuleQueryAggregation,
)
from datadog_api_client.v2.model.security_monitoring_rule_query_create import SecurityMonitoringRuleQueryCreate
from datadog_api_client.v2.model.security_monitoring_rule_severity import SecurityMonitoringRuleSeverity

body = SecurityMonitoringRuleCreatePayload(
    name="Example-Create_a_detection_rule_returns_OK_response",
    queries=[
        SecurityMonitoringRuleQueryCreate(
            query="@test:true",
            aggregation=SecurityMonitoringRuleQueryAggregation("count"),
            group_by_fields=[],
            distinct_fields=[],
            metric="",
        ),
    ],
    filters=[],
    cases=[
        SecurityMonitoringRuleCaseCreate(
            name="",
            status=SecurityMonitoringRuleSeverity("info"),
            condition="a > 0",
            notifications=[],
        ),
    ],
    options=SecurityMonitoringRuleOptions(
        evaluation_window=SecurityMonitoringRuleEvaluationWindow(900),
        keep_alive=SecurityMonitoringRuleKeepAlive(3600),
        max_signal_duration=SecurityMonitoringRuleMaxSignalDuration(86400),
    ),
    message="Test rule",
    tags=[],
    is_enabled=True,
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.create_security_monitoring_rule(body=body)

    print(response)

Instructions

First install the library and its dependencies and then save the example to example.py and run following commands:

              
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
# Create a detection rule returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

body = DatadogAPIClient::V2::SecurityMonitoringRuleCreatePayload.new({
  name: "Example-Create_a_detection_rule_returns_OK_response",
  queries: [
    DatadogAPIClient::V2::SecurityMonitoringRuleQueryCreate.new({
      query: "@test:true",
      aggregation: DatadogAPIClient::V2::SecurityMonitoringRuleQueryAggregation::COUNT,
      group_by_fields: [],
      distinct_fields: [],
      metric: "",
    }),
  ],
  filters: [],
  cases: [
    DatadogAPIClient::V2::SecurityMonitoringRuleCaseCreate.new({
      name: "",
      status: DatadogAPIClient::V2::SecurityMonitoringRuleSeverity::INFO,
      condition: "a > 0",
      notifications: [],
    }),
  ],
  options: DatadogAPIClient::V2::SecurityMonitoringRuleOptions.new({
    evaluation_window: DatadogAPIClient::V2::SecurityMonitoringRuleEvaluationWindow::FIFTEEN_MINUTES,
    keep_alive: DatadogAPIClient::V2::SecurityMonitoringRuleKeepAlive::ONE_HOUR,
    max_signal_duration: DatadogAPIClient::V2::SecurityMonitoringRuleMaxSignalDuration::ONE_DAY,
  }),
  message: "Test rule",
  tags: [],
  is_enabled: true,
})
p api_instance.create_security_monitoring_rule(body)

Instructions

First install the library and its dependencies and then save the example to example.rb and run following commands:

              
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" rb "example.rb"
/**
 * Create a detection rule returns "OK" response
 */

import { v2 } from "@datadog/datadog-api-client";

const configuration = v2.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiCreateSecurityMonitoringRuleRequest = {
  body: {
    name: "Example-Create_a_detection_rule_returns_OK_response",
    queries: [
      {
        query: "@test:true",
        aggregation: "count",
        groupByFields: [],
        distinctFields: [],
        metric: "",
      },
    ],
    filters: [],
    cases: [
      {
        name: "",
        status: "info",
        condition: "a > 0",
        notifications: [],
      },
    ],
    options: {
      evaluationWindow: 900,
      keepAlive: 3600,
      maxSignalDuration: 86400,
    },
    message: "Test rule",
    tags: [],
    isEnabled: true,
  },
};

apiInstance
  .createSecurityMonitoringRule(params)
  .then((data: v2.SecurityMonitoringRuleResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

Instructions

First install the library and its dependencies and then save the example to example.ts and run following commands:

              
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"
// Create a detection rule returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	datadog "github.com/DataDog/datadog-api-client-go/api/v2/datadog"
)

func main() {
	body := datadog.SecurityMonitoringRuleCreatePayload{
		Name: "Example-Create_a_detection_rule_returns_OK_response",
		Queries: []datadog.SecurityMonitoringRuleQueryCreate{
			{
				Query:          "@test:true",
				Aggregation:    datadog.SECURITYMONITORINGRULEQUERYAGGREGATION_COUNT.Ptr(),
				GroupByFields:  []string{},
				DistinctFields: []string{},
				Metric:         datadog.PtrString(""),
			},
		},
		Filters: []datadog.SecurityMonitoringFilter{},
		Cases: []datadog.SecurityMonitoringRuleCaseCreate{
			{
				Name:          datadog.PtrString(""),
				Status:        datadog.SECURITYMONITORINGRULESEVERITY_INFO,
				Condition:     datadog.PtrString("a > 0"),
				Notifications: []string{},
			},
		},
		Options: datadog.SecurityMonitoringRuleOptions{
			EvaluationWindow:  datadog.SECURITYMONITORINGRULEEVALUATIONWINDOW_FIFTEEN_MINUTES.Ptr(),
			KeepAlive:         datadog.SECURITYMONITORINGRULEKEEPALIVE_ONE_HOUR.Ptr(),
			MaxSignalDuration: datadog.SECURITYMONITORINGRULEMAXSIGNALDURATION_ONE_DAY.Ptr(),
		},
		Message:   "Test rule",
		Tags:      []string{},
		IsEnabled: true,
	}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	resp, r, err := apiClient.SecurityMonitoringApi.CreateSecurityMonitoringRule(ctx, body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.CreateSecurityMonitoringRule`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.CreateSecurityMonitoringRule`:\n%s\n", responseContent)
}

Instructions

First install the library and its dependencies and then save the example to main.go and run following commands:

              
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
// Create a detection rule returns "OK" response

import com.datadog.api.v2.client.ApiClient;
import com.datadog.api.v2.client.ApiException;
import com.datadog.api.v2.client.Configuration;
import com.datadog.api.v2.client.api.SecurityMonitoringApi;
import com.datadog.api.v2.client.model.SecurityMonitoringRuleCaseCreate;
import com.datadog.api.v2.client.model.SecurityMonitoringRuleCreatePayload;
import com.datadog.api.v2.client.model.SecurityMonitoringRuleEvaluationWindow;
import com.datadog.api.v2.client.model.SecurityMonitoringRuleKeepAlive;
import com.datadog.api.v2.client.model.SecurityMonitoringRuleMaxSignalDuration;
import com.datadog.api.v2.client.model.SecurityMonitoringRuleOptions;
import com.datadog.api.v2.client.model.SecurityMonitoringRuleQueryAggregation;
import com.datadog.api.v2.client.model.SecurityMonitoringRuleQueryCreate;
import com.datadog.api.v2.client.model.SecurityMonitoringRuleResponse;
import com.datadog.api.v2.client.model.SecurityMonitoringRuleSeverity;
import java.util.Collections;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = Configuration.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    SecurityMonitoringRuleCreatePayload body =
        new SecurityMonitoringRuleCreatePayload()
            .name("Example-Create_a_detection_rule_returns_OK_response")
            .queries(
                Collections.singletonList(
                    new SecurityMonitoringRuleQueryCreate()
                        .query("@test:true")
                        .aggregation(SecurityMonitoringRuleQueryAggregation.COUNT)
                        .metric("")))
            .cases(
                Collections.singletonList(
                    new SecurityMonitoringRuleCaseCreate()
                        .name("")
                        .status(SecurityMonitoringRuleSeverity.INFO)
                        .condition("a > 0")))
            .options(
                new SecurityMonitoringRuleOptions()
                    .evaluationWindow(SecurityMonitoringRuleEvaluationWindow.FIFTEEN_MINUTES)
                    .keepAlive(SecurityMonitoringRuleKeepAlive.ONE_HOUR)
                    .maxSignalDuration(SecurityMonitoringRuleMaxSignalDuration.ONE_DAY))
            .message("Test rule")
            .isEnabled(true);

    try {
      SecurityMonitoringRuleResponse result = apiInstance.createSecurityMonitoringRule(body);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#createSecurityMonitoringRule");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

Instructions

First install the library and its dependencies and then save the example to Example.java and run following commands:

              
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"

Get a rule's details

GET https://api.datadoghq.eu/api/v2/security_monitoring/rules/{rule_id}https://api.ddog-gov.com/api/v2/security_monitoring/rules/{rule_id}https://api.datadoghq.com/api/v2/security_monitoring/rules/{rule_id}https://api.us3.datadoghq.com/api/v2/security_monitoring/rules/{rule_id}https://api.us5.datadoghq.com/api/v2/security_monitoring/rules/{rule_id}

Overview

Get a rule’s details. This endpoint requires the security_monitoring_rules_read authorization scope.

Arguments

Path Parameters

Name

Type

Description

rule_id [required]

string

The ID of the rule.

Response

OK

Rule.

Expand All

Field

Type

Description

cases

[object]

Cases for generating signals.

condition

string

A rule case contains logical operations (>,>=, &&, ||) to determine if a signal should be generated based on the event counts in the previously defined queries.

name

string

Name of the case.

notifications

[string]

Notification targets for each rule case.

status

enum

Severity of the Security Signal. Allowed enum values: info,low,medium,high,critical

createdAt

int64

When the rule was created, timestamp in milliseconds.

creationAuthorId

int64

User ID of the user who created the rule.

filters

[object]

Additional queries to filter matched events before they are processed.

action

enum

The type of filtering action. Allowed enum values: require,suppress

query

string

Query for selecting logs to apply the filtering action.

hasExtendedTitle

boolean

Whether the notifications include the triggering group-by values in their title.

id

string

The ID of the rule.

isDefault

boolean

Whether the rule is included by default.

isDeleted

boolean

Whether the rule has been deleted.

isEnabled

boolean

Whether the rule is enabled.

message

string

Message for generated signals.

name

string

The name of the rule.

options

object

Options on rules.

detectionMethod

enum

The detection method. Allowed enum values: threshold,new_value,anomaly_detection,impossible_travel,hardcoded

evaluationWindow

enum

A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. Allowed enum values: 0,60,300,600,900,1800,3600,7200

hardcodedEvaluatorType

enum

Hardcoded evaluator type. Allowed enum values: log4shell

impossibleTravelOptions

object

Options on impossible travel rules.

baselineUserLocations

boolean

If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.

keepAlive

enum

Once a signal is generated, the signal will remain “open” if a case is matched at least once within this keep alive window. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600

maxSignalDuration

enum

A signal will “close” regardless of the query being matched once the time exceeds the maximum duration. This time is calculated from the first seen timestamp. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400

newValueOptions

object

Options on new value rules.

forgetAfter

enum

The duration in days after which a learned value is forgotten. Allowed enum values: 1,2,7,14,21,28

learningDuration

enum

The duration in days during which values are learned, and after which signals will be generated for values that weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned. Allowed enum values: 0,1,7

queries

[object]

Queries for selecting logs which are part of the rule.

aggregation

enum

The aggregation type. Allowed enum values: count,cardinality,sum,max,new_value,geo_data

distinctFields

[string]

Field for which the cardinality is measured. Sent as an array.

groupByFields

[string]

Fields to group by.

metric

string

The target field to aggregate over when using the sum or max aggregations.

name

string

Name of the query.

query

string

Query to run on logs.

tags

[string]

Tags for generated signals.

type

enum

The rule type. Allowed enum values: log_detection,infrastructure_configuration,workload_security,cloud_configuration

updateAuthorId

int64

User ID of the user who updated the rule.

version

int64

The version of the rule.

{
  "cases": [
    {
      "condition": "string",
      "name": "string",
      "notifications": [],
      "status": "critical"
    }
  ],
  "createdAt": "integer",
  "creationAuthorId": "integer",
  "filters": [
    {
      "action": "string",
      "query": "string"
    }
  ],
  "hasExtendedTitle": false,
  "id": "string",
  "isDefault": false,
  "isDeleted": false,
  "isEnabled": false,
  "message": "string",
  "name": "string",
  "options": {
    "detectionMethod": "string",
    "evaluationWindow": "integer",
    "hardcodedEvaluatorType": "string",
    "impossibleTravelOptions": {
      "baselineUserLocations": true
    },
    "keepAlive": "integer",
    "maxSignalDuration": "integer",
    "newValueOptions": {
      "forgetAfter": "integer",
      "learningDuration": "integer"
    }
  },
  "queries": [
    {
      "aggregation": "string",
      "distinctFields": [],
      "groupByFields": [],
      "metric": "string",
      "name": "string",
      "query": "string"
    }
  ],
  "tags": [],
  "type": "string",
  "updateAuthorId": "integer",
  "version": "integer"
}

Not Found

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Too many requests

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Code Example


# Path parameters
export rule_id="CHANGE_ME"
# Curl command
curl -X GET "https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/rules/${rule_id}" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"



           
"""
Get a rule's details returns "OK" response
"""

from datadog_api_client.v2 import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.get_security_monitoring_rule(
        rule_id="rule_id",
    )

    print(response)

Instructions

First install the library and its dependencies and then save the example to example.py and run following commands:

              
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
# Get a rule's details returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new
p api_instance.get_security_monitoring_rule("rule_id")

Instructions

First install the library and its dependencies and then save the example to example.rb and run following commands:

              
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" rb "example.rb"
/**
 * Get a rule's details returns "OK" response
 */

import { v2 } from "@datadog/datadog-api-client";

const configuration = v2.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiGetSecurityMonitoringRuleRequest = {
  ruleId: "rule_id",
};

apiInstance
  .getSecurityMonitoringRule(params)
  .then((data: v2.SecurityMonitoringRuleResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

Instructions

First install the library and its dependencies and then save the example to example.ts and run following commands:

              
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"
// Get a rule's details returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	datadog "github.com/DataDog/datadog-api-client-go/api/v2/datadog"
)

func main() {
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	resp, r, err := apiClient.SecurityMonitoringApi.GetSecurityMonitoringRule(ctx, "rule_id")

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.GetSecurityMonitoringRule`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.GetSecurityMonitoringRule`:\n%s\n", responseContent)
}

Instructions

First install the library and its dependencies and then save the example to main.go and run following commands:

              
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
// Get a rule's details returns "OK" response

import com.datadog.api.v2.client.ApiClient;
import com.datadog.api.v2.client.ApiException;
import com.datadog.api.v2.client.Configuration;
import com.datadog.api.v2.client.api.SecurityMonitoringApi;
import com.datadog.api.v2.client.model.SecurityMonitoringRuleResponse;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = Configuration.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    try {
      SecurityMonitoringRuleResponse result = apiInstance.getSecurityMonitoringRule("rule_id");
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println("Exception when calling SecurityMonitoringApi#getSecurityMonitoringRule");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

Instructions

First install the library and its dependencies and then save the example to Example.java and run following commands:

              
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"

Update an existing rule

PUT https://api.datadoghq.eu/api/v2/security_monitoring/rules/{rule_id}https://api.ddog-gov.com/api/v2/security_monitoring/rules/{rule_id}https://api.datadoghq.com/api/v2/security_monitoring/rules/{rule_id}https://api.us3.datadoghq.com/api/v2/security_monitoring/rules/{rule_id}https://api.us5.datadoghq.com/api/v2/security_monitoring/rules/{rule_id}

Overview

Update an existing rule. When updating cases, queries or options, the whole field must be included. For example, when modifying a query all queries must be included. Default rules can only be updated to be enabled and to change notifications. This endpoint requires the security_monitoring_rules_write authorization scope.

Arguments

Path Parameters

Name

Type

Description

rule_id [required]

string

The ID of the rule.

Request

Body Data (required)

Expand All

Field

Type

Description

cases

[object]

Cases for generating signals.

condition

string

A rule case contains logical operations (>,>=, &&, ||) to determine if a signal should be generated based on the event counts in the previously defined queries.

name

string

Name of the case.

notifications

[string]

Notification targets for each rule case.

status

enum

Severity of the Security Signal. Allowed enum values: info,low,medium,high,critical

filters

[object]

Additional queries to filter matched events before they are processed.

action

enum

The type of filtering action. Allowed enum values: require,suppress

query

string

Query for selecting logs to apply the filtering action.

hasExtendedTitle

boolean

Whether the notifications include the triggering group-by values in their title.

isEnabled

boolean

Whether the rule is enabled.

message

string

Message for generated signals.

name

string

Name of the rule.

options

object

Options on rules.

detectionMethod

enum

The detection method. Allowed enum values: threshold,new_value,anomaly_detection,impossible_travel,hardcoded

evaluationWindow

enum

A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. Allowed enum values: 0,60,300,600,900,1800,3600,7200

hardcodedEvaluatorType

enum

Hardcoded evaluator type. Allowed enum values: log4shell

impossibleTravelOptions

object

Options on impossible travel rules.

baselineUserLocations

boolean

If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.

keepAlive

enum

Once a signal is generated, the signal will remain “open” if a case is matched at least once within this keep alive window. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600

maxSignalDuration

enum

A signal will “close” regardless of the query being matched once the time exceeds the maximum duration. This time is calculated from the first seen timestamp. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400

newValueOptions

object

Options on new value rules.

forgetAfter

enum

The duration in days after which a learned value is forgotten. Allowed enum values: 1,2,7,14,21,28

learningDuration

enum

The duration in days during which values are learned, and after which signals will be generated for values that weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned. Allowed enum values: 0,1,7

queries

[object]

Queries for selecting logs which are part of the rule.

aggregation

enum

The aggregation type. Allowed enum values: count,cardinality,sum,max,new_value,geo_data

distinctFields

[string]

Field for which the cardinality is measured. Sent as an array.

groupByFields

[string]

Fields to group by.

metric

string

The target field to aggregate over when using the sum or max aggregations.

name

string

Name of the query.

query

string

Query to run on logs.

tags

[string]

Tags for generated signals.

version

int32

The version of the rule being updated.

{
  "cases": [
    {
      "condition": "string",
      "name": "string",
      "notifications": [],
      "status": "critical"
    }
  ],
  "filters": [
    {
      "action": "string",
      "query": "string"
    }
  ],
  "hasExtendedTitle": true,
  "isEnabled": false,
  "message": "string",
  "name": "string",
  "options": {
    "detectionMethod": "string",
    "evaluationWindow": "integer",
    "hardcodedEvaluatorType": "string",
    "impossibleTravelOptions": {
      "baselineUserLocations": true
    },
    "keepAlive": "integer",
    "maxSignalDuration": "integer",
    "newValueOptions": {
      "forgetAfter": "integer",
      "learningDuration": "integer"
    }
  },
  "queries": [
    {
      "aggregation": "string",
      "distinctFields": [],
      "groupByFields": [],
      "metric": "string",
      "name": "string",
      "query": "string"
    }
  ],
  "tags": [],
  "version": 1
}

Response

OK

Rule.

Expand All

Field

Type

Description

cases

[object]

Cases for generating signals.

condition

string

A rule case contains logical operations (>,>=, &&, ||) to determine if a signal should be generated based on the event counts in the previously defined queries.

name

string

Name of the case.

notifications

[string]

Notification targets for each rule case.

status

enum

Severity of the Security Signal. Allowed enum values: info,low,medium,high,critical

createdAt

int64

When the rule was created, timestamp in milliseconds.

creationAuthorId

int64

User ID of the user who created the rule.

filters

[object]

Additional queries to filter matched events before they are processed.

action

enum

The type of filtering action. Allowed enum values: require,suppress

query

string

Query for selecting logs to apply the filtering action.

hasExtendedTitle

boolean

Whether the notifications include the triggering group-by values in their title.

id

string

The ID of the rule.

isDefault

boolean

Whether the rule is included by default.

isDeleted

boolean

Whether the rule has been deleted.

isEnabled

boolean

Whether the rule is enabled.

message

string

Message for generated signals.

name

string

The name of the rule.

options

object

Options on rules.

detectionMethod

enum

The detection method. Allowed enum values: threshold,new_value,anomaly_detection,impossible_travel,hardcoded

evaluationWindow

enum

A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. Allowed enum values: 0,60,300,600,900,1800,3600,7200

hardcodedEvaluatorType

enum

Hardcoded evaluator type. Allowed enum values: log4shell

impossibleTravelOptions

object

Options on impossible travel rules.

baselineUserLocations

boolean

If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.

keepAlive

enum

Once a signal is generated, the signal will remain “open” if a case is matched at least once within this keep alive window. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600

maxSignalDuration

enum

A signal will “close” regardless of the query being matched once the time exceeds the maximum duration. This time is calculated from the first seen timestamp. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400

newValueOptions

object

Options on new value rules.

forgetAfter

enum

The duration in days after which a learned value is forgotten. Allowed enum values: 1,2,7,14,21,28

learningDuration

enum

The duration in days during which values are learned, and after which signals will be generated for values that weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned. Allowed enum values: 0,1,7

queries

[object]

Queries for selecting logs which are part of the rule.

aggregation

enum

The aggregation type. Allowed enum values: count,cardinality,sum,max,new_value,geo_data

distinctFields

[string]

Field for which the cardinality is measured. Sent as an array.

groupByFields

[string]

Fields to group by.

metric

string

The target field to aggregate over when using the sum or max aggregations.

name

string

Name of the query.

query

string

Query to run on logs.

tags

[string]

Tags for generated signals.

type

enum

The rule type. Allowed enum values: log_detection,infrastructure_configuration,workload_security,cloud_configuration

updateAuthorId

int64

User ID of the user who updated the rule.

version

int64

The version of the rule.

{
  "cases": [
    {
      "condition": "string",
      "name": "string",
      "notifications": [],
      "status": "critical"
    }
  ],
  "createdAt": "integer",
  "creationAuthorId": "integer",
  "filters": [
    {
      "action": "string",
      "query": "string"
    }
  ],
  "hasExtendedTitle": false,
  "id": "string",
  "isDefault": false,
  "isDeleted": false,
  "isEnabled": false,
  "message": "string",
  "name": "string",
  "options": {
    "detectionMethod": "string",
    "evaluationWindow": "integer",
    "hardcodedEvaluatorType": "string",
    "impossibleTravelOptions": {
      "baselineUserLocations": true
    },
    "keepAlive": "integer",
    "maxSignalDuration": "integer",
    "newValueOptions": {
      "forgetAfter": "integer",
      "learningDuration": "integer"
    }
  },
  "queries": [
    {
      "aggregation": "string",
      "distinctFields": [],
      "groupByFields": [],
      "metric": "string",
      "name": "string",
      "query": "string"
    }
  ],
  "tags": [],
  "type": "string",
  "updateAuthorId": "integer",
  "version": "integer"
}

Bad Request

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Concurrent Modification

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Not Authorized

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Not Found

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Too many requests

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Code Example


# Path parameters
export rule_id="CHANGE_ME"
# Curl command
curl -X PUT "https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/rules/${rule_id}" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{}
EOF



           
"""
Update an existing rule returns "OK" response
"""

from datadog_api_client.v2 import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.security_monitoring_filter import SecurityMonitoringFilter
from datadog_api_client.v2.model.security_monitoring_filter_action import SecurityMonitoringFilterAction
from datadog_api_client.v2.model.security_monitoring_rule_case import SecurityMonitoringRuleCase
from datadog_api_client.v2.model.security_monitoring_rule_detection_method import SecurityMonitoringRuleDetectionMethod
from datadog_api_client.v2.model.security_monitoring_rule_evaluation_window import (
    SecurityMonitoringRuleEvaluationWindow,
)
from datadog_api_client.v2.model.security_monitoring_rule_hardcoded_evaluator_type import (
    SecurityMonitoringRuleHardcodedEvaluatorType,
)
from datadog_api_client.v2.model.security_monitoring_rule_impossible_travel_options import (
    SecurityMonitoringRuleImpossibleTravelOptions,
)
from datadog_api_client.v2.model.security_monitoring_rule_keep_alive import SecurityMonitoringRuleKeepAlive
from datadog_api_client.v2.model.security_monitoring_rule_max_signal_duration import (
    SecurityMonitoringRuleMaxSignalDuration,
)
from datadog_api_client.v2.model.security_monitoring_rule_new_value_options import SecurityMonitoringRuleNewValueOptions
from datadog_api_client.v2.model.security_monitoring_rule_new_value_options_forget_after import (
    SecurityMonitoringRuleNewValueOptionsForgetAfter,
)
from datadog_api_client.v2.model.security_monitoring_rule_new_value_options_learning_duration import (
    SecurityMonitoringRuleNewValueOptionsLearningDuration,
)
from datadog_api_client.v2.model.security_monitoring_rule_options import SecurityMonitoringRuleOptions
from datadog_api_client.v2.model.security_monitoring_rule_query import SecurityMonitoringRuleQuery
from datadog_api_client.v2.model.security_monitoring_rule_query_aggregation import (
    SecurityMonitoringRuleQueryAggregation,
)
from datadog_api_client.v2.model.security_monitoring_rule_severity import SecurityMonitoringRuleSeverity
from datadog_api_client.v2.model.security_monitoring_rule_update_payload import SecurityMonitoringRuleUpdatePayload

body = SecurityMonitoringRuleUpdatePayload(
    cases=[
        SecurityMonitoringRuleCase(
            notifications=[],
            status=SecurityMonitoringRuleSeverity("critical"),
        ),
    ],
    filters=[
        SecurityMonitoringFilter(
            action=SecurityMonitoringFilterAction("require"),
        ),
    ],
    has_extended_title=True,
    options=SecurityMonitoringRuleOptions(
        detection_method=SecurityMonitoringRuleDetectionMethod("threshold"),
        evaluation_window=SecurityMonitoringRuleEvaluationWindow(0),
        hardcoded_evaluator_type=SecurityMonitoringRuleHardcodedEvaluatorType("log4shell"),
        impossible_travel_options=SecurityMonitoringRuleImpossibleTravelOptions(
            baseline_user_locations=True,
        ),
        keep_alive=SecurityMonitoringRuleKeepAlive(0),
        max_signal_duration=SecurityMonitoringRuleMaxSignalDuration(0),
        new_value_options=SecurityMonitoringRuleNewValueOptions(
            forget_after=SecurityMonitoringRuleNewValueOptionsForgetAfter(1),
            learning_duration=SecurityMonitoringRuleNewValueOptionsLearningDuration(0),
        ),
    ),
    queries=[
        SecurityMonitoringRuleQuery(
            aggregation=SecurityMonitoringRuleQueryAggregation("count"),
            distinct_fields=[],
            group_by_fields=[],
        ),
    ],
    tags=[],
    version=1,
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.update_security_monitoring_rule(rule_id="rule_id", body=body)

    print(response)

Instructions

First install the library and its dependencies and then save the example to example.py and run following commands:

              
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
# Update an existing rule returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

body = DatadogAPIClient::V2::SecurityMonitoringRuleUpdatePayload.new({
  cases: [
    DatadogAPIClient::V2::SecurityMonitoringRuleCase.new({
      notifications: [],
      status: DatadogAPIClient::V2::SecurityMonitoringRuleSeverity::CRITICAL,
    }),
  ],
  filters: [
    DatadogAPIClient::V2::SecurityMonitoringFilter.new({
      action: DatadogAPIClient::V2::SecurityMonitoringFilterAction::REQUIRE,
    }),
  ],
  has_extended_title: true,
  options: DatadogAPIClient::V2::SecurityMonitoringRuleOptions.new({
    detection_method: DatadogAPIClient::V2::SecurityMonitoringRuleDetectionMethod::THRESHOLD,
    evaluation_window: DatadogAPIClient::V2::SecurityMonitoringRuleEvaluationWindow::ZERO_MINUTES,
    hardcoded_evaluator_type: DatadogAPIClient::V2::SecurityMonitoringRuleHardcodedEvaluatorType::LOG4SHELL,
    impossible_travel_options: DatadogAPIClient::V2::SecurityMonitoringRuleImpossibleTravelOptions.new({
      baseline_user_locations: true,
    }),
    keep_alive: DatadogAPIClient::V2::SecurityMonitoringRuleKeepAlive::ZERO_MINUTES,
    max_signal_duration: DatadogAPIClient::V2::SecurityMonitoringRuleMaxSignalDuration::ZERO_MINUTES,
    new_value_options: DatadogAPIClient::V2::SecurityMonitoringRuleNewValueOptions.new({
      forget_after: DatadogAPIClient::V2::SecurityMonitoringRuleNewValueOptionsForgetAfter::ONE_DAY,
      learning_duration: DatadogAPIClient::V2::SecurityMonitoringRuleNewValueOptionsLearningDuration::ZERO_DAYS,
    }),
  }),
  queries: [
    DatadogAPIClient::V2::SecurityMonitoringRuleQuery.new({
      aggregation: DatadogAPIClient::V2::SecurityMonitoringRuleQueryAggregation::COUNT,
      distinct_fields: [],
      group_by_fields: [],
    }),
  ],
  tags: [],
  version: 1,
})
p api_instance.update_security_monitoring_rule("rule_id", body)

Instructions

First install the library and its dependencies and then save the example to example.rb and run following commands:

              
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" rb "example.rb"
/**
 * Update an existing rule returns "OK" response
 */

import { v2 } from "@datadog/datadog-api-client";

const configuration = v2.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiUpdateSecurityMonitoringRuleRequest = {
  body: {
    cases: [
      {
        notifications: [],
        status: "critical",
      },
    ],
    filters: [
      {
        action: "require",
      },
    ],
    hasExtendedTitle: true,
    options: {
      detectionMethod: "threshold",
      evaluationWindow: 0,
      hardcodedEvaluatorType: "log4shell",
      impossibleTravelOptions: {
        baselineUserLocations: true,
      },
      keepAlive: 0,
      maxSignalDuration: 0,
      newValueOptions: {
        forgetAfter: 1,
        learningDuration: 0,
      },
    },
    queries: [
      {
        aggregation: "count",
        distinctFields: [],
        groupByFields: [],
      },
    ],
    tags: [],
    version: 1,
  },
  ruleId: "rule_id",
};

apiInstance
  .updateSecurityMonitoringRule(params)
  .then((data: v2.SecurityMonitoringRuleResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

Instructions

First install the library and its dependencies and then save the example to example.ts and run following commands:

              
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"
// Update an existing rule returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	datadog "github.com/DataDog/datadog-api-client-go/api/v2/datadog"
)

func main() {
	body := datadog.SecurityMonitoringRuleUpdatePayload{
		Cases: []datadog.SecurityMonitoringRuleCase{
			{
				Notifications: []string{},
				Status:        datadog.SECURITYMONITORINGRULESEVERITY_CRITICAL.Ptr(),
			},
		},
		Filters: []datadog.SecurityMonitoringFilter{
			{
				Action: datadog.SECURITYMONITORINGFILTERACTION_REQUIRE.Ptr(),
			},
		},
		HasExtendedTitle: datadog.PtrBool(true),
		Options: &datadog.SecurityMonitoringRuleOptions{
			DetectionMethod:        datadog.SECURITYMONITORINGRULEDETECTIONMETHOD_THRESHOLD.Ptr(),
			EvaluationWindow:       datadog.SECURITYMONITORINGRULEEVALUATIONWINDOW_ZERO_MINUTES.Ptr(),
			HardcodedEvaluatorType: datadog.SECURITYMONITORINGRULEHARDCODEDEVALUATORTYPE_LOG4SHELL.Ptr(),
			ImpossibleTravelOptions: &datadog.SecurityMonitoringRuleImpossibleTravelOptions{
				BaselineUserLocations: datadog.PtrBool(true),
			},
			KeepAlive:         datadog.SECURITYMONITORINGRULEKEEPALIVE_ZERO_MINUTES.Ptr(),
			MaxSignalDuration: datadog.SECURITYMONITORINGRULEMAXSIGNALDURATION_ZERO_MINUTES.Ptr(),
			NewValueOptions: &datadog.SecurityMonitoringRuleNewValueOptions{
				ForgetAfter:      datadog.SECURITYMONITORINGRULENEWVALUEOPTIONSFORGETAFTER_ONE_DAY.Ptr(),
				LearningDuration: datadog.SECURITYMONITORINGRULENEWVALUEOPTIONSLEARNINGDURATION_ZERO_DAYS.Ptr(),
			},
		},
		Queries: []datadog.SecurityMonitoringRuleQuery{
			{
				Aggregation:    datadog.SECURITYMONITORINGRULEQUERYAGGREGATION_COUNT.Ptr(),
				DistinctFields: []string{},
				GroupByFields:  []string{},
			},
		},
		Tags:    []string{},
		Version: datadog.PtrInt32(1),
	}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	resp, r, err := apiClient.SecurityMonitoringApi.UpdateSecurityMonitoringRule(ctx, "rule_id", body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.UpdateSecurityMonitoringRule`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.UpdateSecurityMonitoringRule`:\n%s\n", responseContent)
}

Instructions

First install the library and its dependencies and then save the example to main.go and run following commands:

              
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
// Update an existing rule returns "OK" response

import com.datadog.api.v2.client.ApiClient;
import com.datadog.api.v2.client.ApiException;
import com.datadog.api.v2.client.Configuration;
import com.datadog.api.v2.client.api.SecurityMonitoringApi;
import com.datadog.api.v2.client.model.SecurityMonitoringFilter;
import com.datadog.api.v2.client.model.SecurityMonitoringFilterAction;
import com.datadog.api.v2.client.model.SecurityMonitoringRuleCase;
import com.datadog.api.v2.client.model.SecurityMonitoringRuleDetectionMethod;
import com.datadog.api.v2.client.model.SecurityMonitoringRuleEvaluationWindow;
import com.datadog.api.v2.client.model.SecurityMonitoringRuleHardcodedEvaluatorType;
import com.datadog.api.v2.client.model.SecurityMonitoringRuleImpossibleTravelOptions;
import com.datadog.api.v2.client.model.SecurityMonitoringRuleKeepAlive;
import com.datadog.api.v2.client.model.SecurityMonitoringRuleMaxSignalDuration;
import com.datadog.api.v2.client.model.SecurityMonitoringRuleNewValueOptions;
import com.datadog.api.v2.client.model.SecurityMonitoringRuleNewValueOptionsForgetAfter;
import com.datadog.api.v2.client.model.SecurityMonitoringRuleNewValueOptionsLearningDuration;
import com.datadog.api.v2.client.model.SecurityMonitoringRuleOptions;
import com.datadog.api.v2.client.model.SecurityMonitoringRuleQuery;
import com.datadog.api.v2.client.model.SecurityMonitoringRuleQueryAggregation;
import com.datadog.api.v2.client.model.SecurityMonitoringRuleResponse;
import com.datadog.api.v2.client.model.SecurityMonitoringRuleSeverity;
import com.datadog.api.v2.client.model.SecurityMonitoringRuleUpdatePayload;
import java.util.Collections;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = Configuration.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    SecurityMonitoringRuleUpdatePayload body =
        new SecurityMonitoringRuleUpdatePayload()
            .cases(
                Collections.singletonList(
                    new SecurityMonitoringRuleCase()
                        .status(SecurityMonitoringRuleSeverity.CRITICAL)))
            .filters(
                Collections.singletonList(
                    new SecurityMonitoringFilter().action(SecurityMonitoringFilterAction.REQUIRE)))
            .hasExtendedTitle(true)
            .options(
                new SecurityMonitoringRuleOptions()
                    .detectionMethod(SecurityMonitoringRuleDetectionMethod.THRESHOLD)
                    .evaluationWindow(SecurityMonitoringRuleEvaluationWindow.ZERO_MINUTES)
                    .hardcodedEvaluatorType(SecurityMonitoringRuleHardcodedEvaluatorType.LOG4SHELL)
                    .impossibleTravelOptions(
                        new SecurityMonitoringRuleImpossibleTravelOptions()
                            .baselineUserLocations(true))
                    .keepAlive(SecurityMonitoringRuleKeepAlive.ZERO_MINUTES)
                    .maxSignalDuration(SecurityMonitoringRuleMaxSignalDuration.ZERO_MINUTES)
                    .newValueOptions(
                        new SecurityMonitoringRuleNewValueOptions()
                            .forgetAfter(SecurityMonitoringRuleNewValueOptionsForgetAfter.ONE_DAY)
                            .learningDuration(
                                SecurityMonitoringRuleNewValueOptionsLearningDuration.ZERO_DAYS)))
            .queries(
                Collections.singletonList(
                    new SecurityMonitoringRuleQuery()
                        .aggregation(SecurityMonitoringRuleQueryAggregation.COUNT)))
            .version(1);

    try {
      SecurityMonitoringRuleResponse result =
          apiInstance.updateSecurityMonitoringRule("rule_id", body);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#updateSecurityMonitoringRule");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

Instructions

First install the library and its dependencies and then save the example to Example.java and run following commands:

              
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"

Delete an existing rule

DELETE https://api.datadoghq.eu/api/v2/security_monitoring/rules/{rule_id}https://api.ddog-gov.com/api/v2/security_monitoring/rules/{rule_id}https://api.datadoghq.com/api/v2/security_monitoring/rules/{rule_id}https://api.us3.datadoghq.com/api/v2/security_monitoring/rules/{rule_id}https://api.us5.datadoghq.com/api/v2/security_monitoring/rules/{rule_id}

Overview

Delete an existing rule. Default rules cannot be deleted. This endpoint requires the security_monitoring_rules_write authorization scope.

Arguments

Path Parameters

Name

Type

Description

rule_id [required]

string

The ID of the rule.

Response

OK

Not Authorized

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Not Found

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Too many requests

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Code Example


# Path parameters
export rule_id="CHANGE_ME"
# Curl command
curl -X DELETE "https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/rules/${rule_id}" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"



           
"""
Delete an existing rule returns "OK" response
"""

from os import environ
from datadog_api_client.v2 import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi

# there is a valid "security_rule" in the system
SECURITY_RULE_ID = environ["SECURITY_RULE_ID"]

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    api_instance.delete_security_monitoring_rule(
        rule_id=SECURITY_RULE_ID,
    )

Instructions

First install the library and its dependencies and then save the example to example.py and run following commands:

              
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
# Delete an existing rule returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

# there is a valid "security_rule" in the system
SECURITY_RULE_ID = ENV["SECURITY_RULE_ID"]
api_instance.delete_security_monitoring_rule(SECURITY_RULE_ID)

Instructions

First install the library and its dependencies and then save the example to example.rb and run following commands:

              
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" rb "example.rb"
/**
 * Delete an existing rule returns "OK" response
 */

import { v2 } from "@datadog/datadog-api-client";

const configuration = v2.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

// there is a valid "security_rule" in the system
const SECURITY_RULE_ID = process.env.SECURITY_RULE_ID as string;

const params: v2.SecurityMonitoringApiDeleteSecurityMonitoringRuleRequest = {
  ruleId: SECURITY_RULE_ID,
};

apiInstance
  .deleteSecurityMonitoringRule(params)
  .then((data: any) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

Instructions

First install the library and its dependencies and then save the example to example.ts and run following commands:

              
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"
// Delete an existing rule returns "OK" response

package main

import (
	"context"
	"fmt"
	"os"

	datadog "github.com/DataDog/datadog-api-client-go/api/v2/datadog"
)

func main() {
	// there is a valid "security_rule" in the system
	SecurityRuleID := os.Getenv("SECURITY_RULE_ID")

	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	r, err := apiClient.SecurityMonitoringApi.DeleteSecurityMonitoringRule(ctx, SecurityRuleID)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.DeleteSecurityMonitoringRule`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}
}

Instructions

First install the library and its dependencies and then save the example to main.go and run following commands:

              
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
// Delete an existing rule returns "OK" response

import com.datadog.api.v2.client.ApiClient;
import com.datadog.api.v2.client.ApiException;
import com.datadog.api.v2.client.Configuration;
import com.datadog.api.v2.client.api.SecurityMonitoringApi;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = Configuration.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    // there is a valid "security_rule" in the system
    String SECURITY_RULE_ID = System.getenv("SECURITY_RULE_ID");

    try {
      apiInstance.deleteSecurityMonitoringRule(SECURITY_RULE_ID);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#deleteSecurityMonitoringRule");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

Instructions

First install the library and its dependencies and then save the example to Example.java and run following commands:

              
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"

Get a list of security signals

Note: This endpoint is in public beta. If you have any feedback, contact Datadog support.

POST https://api.datadoghq.eu/api/v2/security_monitoring/signals/searchhttps://api.ddog-gov.com/api/v2/security_monitoring/signals/searchhttps://api.datadoghq.com/api/v2/security_monitoring/signals/searchhttps://api.us3.datadoghq.com/api/v2/security_monitoring/signals/searchhttps://api.us5.datadoghq.com/api/v2/security_monitoring/signals/search

Overview

Returns security signals that match a search query. Both this endpoint and the GET endpoint can be used interchangeably for listing security signals. This endpoint requires the security_monitoring_signals_read authorization scope.

Request

Body Data

Expand All

Field

Type

Description

filter

object

Search filters for listing security signals.

from

date-time

The minimum timestamp for requested security signals.

query

string

Search query for listing security signals.

to

date-time

The maximum timestamp for requested security signals.

page

object

The paging attributes for listing security signals.

cursor

string

A list of results using the cursor provided in the previous query.

limit

int32

The maximum number of security signals in the response.

sort

enum

The sort parameters used for querying security signals. Allowed enum values: timestamp,-timestamp

{
  "filter": {
    "from": "2019-01-02T09:42:36.320Z",
    "query": "security:attack status:high",
    "to": "2019-01-03T09:42:36.320Z"
  },
  "page": {
    "cursor": "eyJzdGFydEF0IjoiQVFBQUFYS2tMS3pPbm40NGV3QUFBQUJCV0V0clRFdDZVbG8zY3pCRmNsbHJiVmxDWlEifQ==",
    "limit": 25
  },
  "sort": "string"
}

Response

OK

The response object with all security signals matching the request and pagination information.

Expand All

Field

Type

Description

data

[object]

An array of security signals matching the request.

attributes

object

The object containing all signal attributes and their associated values.

attributes

object

A JSON object of attributes in the security signal.

message

string

The message in the security signal defined by the rule that generated the signal.

tags

[string]

An array of tags associated with the security signal.

timestamp

date-time

The timestamp of the security signal.

id

string

The unique ID of the security signal.

type

enum

The type of event. Allowed enum values: signal

links

object

Links attributes.

next

string

The link for the next set of results. Note: The request can also be made using the POST endpoint.

meta

object

Meta attributes.

page

object

Paging attributes.

after

string

The cursor used to get the next results, if any. To make the next request, use the same parameters with the addition of the page[cursor].

{
  "data": [
    {
      "attributes": {
        "attributes": {
          "workflow": {
            "first_seen": "2020-06-23T14:46:01.000Z",
            "last_seen": "2020-06-23T14:46:49.000Z",
            "rule": {
              "id": "0f5-e0c-805",
              "name": "Brute Force Attack Grouped By User ",
              "version": 12
            }
          }
        },
        "message": "Detect Account Take Over (ATO) through brute force attempts",
        "tags": [
          "security:attack",
          "technique:T1110-brute-force"
        ],
        "timestamp": "2019-01-02T09:42:36.320Z"
      },
      "id": "AAAAAWgN8Xwgr1vKDQAAAABBV2dOOFh3ZzZobm1mWXJFYTR0OA",
      "type": "signal"
    }
  ],
  "links": {
    "next": "https://app.datadoghq.com/api/v2/security_monitoring/signals?filter[query]=foo\u0026page[cursor]=eyJzdGFydEF0IjoiQVFBQUFYS2tMS3pPbm40NGV3QUFBQUJCV0V0clRFdDZVbG8zY3pCRmNsbHJiVmxDWlEifQ=="
  },
  "meta": {
    "page": {
      "after": "eyJzdGFydEF0IjoiQVFBQUFYS2tMS3pPbm40NGV3QUFBQUJCV0V0clRFdDZVbG8zY3pCRmNsbHJiVmxDWlEifQ=="
    }
  }
}

Bad Request

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Not Authorized

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Too many requests

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Code Example


# Curl command
curl -X POST "https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/signals/search" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{}
EOF



           
"""
Get a list of security signals returns "OK" response
"""

from datadog_api_client.v2 import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.security_monitoring_signal_list_request import SecurityMonitoringSignalListRequest
from datadog_api_client.v2.model.security_monitoring_signal_list_request_filter import (
    SecurityMonitoringSignalListRequestFilter,
)
from datadog_api_client.v2.model.security_monitoring_signal_list_request_page import (
    SecurityMonitoringSignalListRequestPage,
)
from datadog_api_client.v2.model.security_monitoring_signals_sort import SecurityMonitoringSignalsSort
from datetime import datetime
from dateutil.tz import tzutc

body = SecurityMonitoringSignalListRequest(
    filter=SecurityMonitoringSignalListRequestFilter(
        _from=datetime(2019, 1, 2, 9, 42, 36, 320000, tzinfo=tzutc()),
        query="security:attack status:high",
        to=datetime(2019, 1, 3, 9, 42, 36, 320000, tzinfo=tzutc()),
    ),
    page=SecurityMonitoringSignalListRequestPage(
        cursor="eyJzdGFydEF0IjoiQVFBQUFYS2tMS3pPbm40NGV3QUFBQUJCV0V0clRFdDZVbG8zY3pCRmNsbHJiVmxDWlEifQ==",
        limit=25,
    ),
    sort=SecurityMonitoringSignalsSort("timestamp"),
)

configuration = Configuration()
configuration.unstable_operations["search_security_monitoring_signals"] = True
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.search_security_monitoring_signals(body=body)

    print(response)

Instructions

First install the library and its dependencies and then save the example to example.py and run following commands:

              
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
# Get a list of security signals returns "OK" response

require "datadog_api_client"
DatadogAPIClient::V2.configure do |config|
  config.unstable_operations[:search_security_monitoring_signals] = true
end
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

body = DatadogAPIClient::V2::SecurityMonitoringSignalListRequest.new({
  filter: DatadogAPIClient::V2::SecurityMonitoringSignalListRequestFilter.new({
    from: "2019-01-02T09:42:36.320Z",
    query: "security:attack status:high",
    to: "2019-01-03T09:42:36.320Z",
  }),
  page: DatadogAPIClient::V2::SecurityMonitoringSignalListRequestPage.new({
    cursor: "eyJzdGFydEF0IjoiQVFBQUFYS2tMS3pPbm40NGV3QUFBQUJCV0V0clRFdDZVbG8zY3pCRmNsbHJiVmxDWlEifQ==",
    limit: 25,
  }),
  sort: DatadogAPIClient::V2::SecurityMonitoringSignalsSort::TIMESTAMP_ASCENDING,
})
opts = {
  body: body,
}
p api_instance.search_security_monitoring_signals(opts)

Instructions

First install the library and its dependencies and then save the example to example.rb and run following commands:

              
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" rb "example.rb"
/**
 * Get a list of security signals returns "OK" response
 */

import { v2 } from "@datadog/datadog-api-client";

const configuration = v2.createConfiguration();
configuration.unstableOperations["searchSecurityMonitoringSignals"] = true;
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiSearchSecurityMonitoringSignalsRequest = {
  body: {
    filter: {
      from: new Date(2019, 1, 2, 9, 42, 36, 320000),
      query: "security:attack status:high",
      to: new Date(2019, 1, 3, 9, 42, 36, 320000),
    },
    page: {
      cursor:
        "eyJzdGFydEF0IjoiQVFBQUFYS2tMS3pPbm40NGV3QUFBQUJCV0V0clRFdDZVbG8zY3pCRmNsbHJiVmxDWlEifQ==",
      limit: 25,
    },
    sort: "timestamp",
  },
};

apiInstance
  .searchSecurityMonitoringSignals(params)
  .then((data: v2.SecurityMonitoringSignalsListResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

Instructions

First install the library and its dependencies and then save the example to example.ts and run following commands:

              
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"
// Get a list of security signals returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"
	"time"

	datadog "github.com/DataDog/datadog-api-client-go/api/v2/datadog"
)

func main() {
	body := datadog.SecurityMonitoringSignalListRequest{
		Filter: &datadog.SecurityMonitoringSignalListRequestFilter{
			From:  datadog.PtrTime(time.Date(2019, 1, 2, 9, 42, 36, 320000, time.UTC)),
			Query: datadog.PtrString("security:attack status:high"),
			To:    datadog.PtrTime(time.Date(2019, 1, 3, 9, 42, 36, 320000, time.UTC)),
		},
		Page: &datadog.SecurityMonitoringSignalListRequestPage{
			Cursor: datadog.PtrString("eyJzdGFydEF0IjoiQVFBQUFYS2tMS3pPbm40NGV3QUFBQUJCV0V0clRFdDZVbG8zY3pCRmNsbHJiVmxDWlEifQ=="),
			Limit:  datadog.PtrInt32(25),
		},
		Sort: datadog.SECURITYMONITORINGSIGNALSSORT_TIMESTAMP_ASCENDING.Ptr(),
	}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	configuration.SetUnstableOperationEnabled("SearchSecurityMonitoringSignals", true)
	apiClient := datadog.NewAPIClient(configuration)
	resp, r, err := apiClient.SecurityMonitoringApi.SearchSecurityMonitoringSignals(ctx, *datadog.NewSearchSecurityMonitoringSignalsOptionalParameters().WithBody(body))

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.SearchSecurityMonitoringSignals`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.SearchSecurityMonitoringSignals`:\n%s\n", responseContent)
}

Instructions

First install the library and its dependencies and then save the example to main.go and run following commands:

              
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
// Get a list of security signals returns "OK" response

import com.datadog.api.v2.client.ApiClient;
import com.datadog.api.v2.client.ApiException;
import com.datadog.api.v2.client.Configuration;
import com.datadog.api.v2.client.api.SecurityMonitoringApi;
import com.datadog.api.v2.client.api.SecurityMonitoringApi.SearchSecurityMonitoringSignalsOptionalParameters;
import com.datadog.api.v2.client.model.SecurityMonitoringSignalListRequest;
import com.datadog.api.v2.client.model.SecurityMonitoringSignalListRequestFilter;
import com.datadog.api.v2.client.model.SecurityMonitoringSignalListRequestPage;
import com.datadog.api.v2.client.model.SecurityMonitoringSignalsListResponse;
import com.datadog.api.v2.client.model.SecurityMonitoringSignalsSort;
import java.time.OffsetDateTime;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = Configuration.getDefaultApiClient();
    defaultClient.setUnstableOperationEnabled("searchSecurityMonitoringSignals", true);
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    SecurityMonitoringSignalListRequest body =
        new SecurityMonitoringSignalListRequest()
            .filter(
                new SecurityMonitoringSignalListRequestFilter()
                    .from(OffsetDateTime.parse("2019-01-02T09:42:36.320Z"))
                    .query("security:attack status:high")
                    .to(OffsetDateTime.parse("2019-01-03T09:42:36.320Z")))
            .page(
                new SecurityMonitoringSignalListRequestPage()
                    .cursor(
                        "eyJzdGFydEF0IjoiQVFBQUFYS2tMS3pPbm40NGV3QUFBQUJCV0V0clRFdDZVbG8zY3pCRmNsbHJiVmxDWlEifQ==")
                    .limit(25))
            .sort(SecurityMonitoringSignalsSort.TIMESTAMP_ASCENDING);

    try {
      SecurityMonitoringSignalsListResponse result =
          apiInstance.searchSecurityMonitoringSignals(
              new SearchSecurityMonitoringSignalsOptionalParameters().body(body));
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#searchSecurityMonitoringSignals");