Language

English Français 日本語 한국어 Español

Datadog Site

Site help
US1 US3 US5 EU AP1 AP2 US1-FED

Security Monitoring

Create and manage your security rules, signals, filters, and more. See the Datadog Security page for more information.

Create a suppression rule

POST https://api.ap1.datadoghq.com/api/v2/security_monitoring/configuration/suppressionshttps://api.ap2.datadoghq.com/api/v2/security_monitoring/configuration/suppressionshttps://api.datadoghq.eu/api/v2/security_monitoring/configuration/suppressionshttps://api.ddog-gov.com/api/v2/security_monitoring/configuration/suppressionshttps://api.datadoghq.com/api/v2/security_monitoring/configuration/suppressionshttps://api.us3.datadoghq.com/api/v2/security_monitoring/configuration/suppressionshttps://api.us5.datadoghq.com/api/v2/security_monitoring/configuration/suppressions

Overview

Create a new suppression rule.

OAuth apps require the security_monitoring_suppressions_write authorization scope to access this endpoint.

Request

Body Data (required)

The definition of the new suppression rule.

Expand All

Field

Type

Description

data [required]

object

Object for a single suppression rule.

attributes [required]

object

Object containing the attributes of the suppression rule to be created.

data_exclusion_query

string

An exclusion query on the input data of the security rules, which could be logs, Agent events, or other types of data based on the security rule. Events matching this query are ignored by any detection rules referenced in the suppression rule.

description

string

A description for the suppression rule.

enabled [required]

boolean

Whether the suppression rule is enabled.

expiration_date

int64

A Unix millisecond timestamp giving an expiration date for the suppression rule. After this date, it won't suppress signals anymore.

name [required]

string

The name of the suppression rule.

rule_query [required]

string

The rule query of the suppression rule, with the same syntax as the search bar for detection rules.

start_date

int64

A Unix millisecond timestamp giving the start date for the suppression rule. After this date, it starts suppressing signals.

suppression_query

string

The suppression query of the suppression rule. If a signal matches this query, it is suppressed and is not triggered. It uses the same syntax as the queries to search signals in the Signals Explorer.

type [required]

enum

The type of the resource. The value should always be suppressions. Allowed enum values: suppressions

default: suppressions

{
  "data": {
    "attributes": {
      "description": "This rule suppresses low-severity signals in staging environments.",
      "enabled": true,
      "start_date": 1637493071000,
      "expiration_date": 1638443471000,
      "name": "Example-Security-Monitoring",
      "rule_query": "type:log_detection source:cloudtrail",
      "suppression_query": "env:staging status:low"
    },
    "type": "suppressions"
  }
}
{
  "data": {
    "attributes": {
      "description": "This rule suppresses low-severity signals in staging environments.",
      "enabled": true,
      "start_date": 1637493071000,
      "expiration_date": 1638443471000,
      "name": "Example-Security-Monitoring",
      "rule_query": "type:log_detection source:cloudtrail",
      "data_exclusion_query": "account_id:12345"
    },
    "type": "suppressions"
  }
}

Response

OK

Response object containing a single suppression rule.

Expand All

Field

Type

Description

data

object

The suppression rule's properties.

attributes

object

The attributes of the suppression rule.

creation_date

int64

A Unix millisecond timestamp given the creation date of the suppression rule.

creator

object

A user.

handle

string

The handle of the user.

name

string

The name of the user.

data_exclusion_query

string

An exclusion query on the input data of the security rules, which could be logs, Agent events, or other types of data based on the security rule. Events matching this query are ignored by any detection rules referenced in the suppression rule.

description

string

A description for the suppression rule.

editable

boolean

Whether the suppression rule is editable.

enabled

boolean

Whether the suppression rule is enabled.

expiration_date

int64

A Unix millisecond timestamp giving an expiration date for the suppression rule. After this date, it won't suppress signals anymore.

name

string

The name of the suppression rule.

rule_query

string

The rule query of the suppression rule, with the same syntax as the search bar for detection rules.

start_date

int64

A Unix millisecond timestamp giving the start date for the suppression rule. After this date, it starts suppressing signals.

suppression_query

string

The suppression query of the suppression rule. If a signal matches this query, it is suppressed and not triggered. Same syntax as the queries to search signals in the signal explorer.

update_date

int64

A Unix millisecond timestamp given the update date of the suppression rule.

updater

object

A user.

handle

string

The handle of the user.

name

string

The name of the user.

version

int32

The version of the suppression rule; it starts at 1, and is incremented at each update.

id

string

The ID of the suppression rule.

type

enum

The type of the resource. The value should always be suppressions. Allowed enum values: suppressions

default: suppressions

{
  "data": {
    "attributes": {
      "creation_date": "integer",
      "creator": {
        "handle": "john.doe@datadoghq.com",
        "name": "John Doe"
      },
      "data_exclusion_query": "source:cloudtrail account_id:12345",
      "description": "This rule suppresses low-severity signals in staging environments.",
      "editable": true,
      "enabled": true,
      "expiration_date": 1703187336000,
      "name": "Custom suppression",
      "rule_query": "type:log_detection source:cloudtrail",
      "start_date": 1703187336000,
      "suppression_query": "env:staging status:low",
      "update_date": "integer",
      "updater": {
        "handle": "john.doe@datadoghq.com",
        "name": "John Doe"
      },
      "version": 42
    },
    "id": "3dd-0uc-h1s",
    "type": "suppressions"
  }
}

Bad Request

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Not Authorized

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Conflict

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Too many requests

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Code Example

                          # Curl command
curl -X POST "https://api.ap1.datadoghq.com"https://api.ap2.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/configuration/suppressions" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "data": {
    "attributes": {
      "description": "This rule suppresses low-severity signals in staging environments.",
      "enabled": true,
      "start_date": 1637493071000,
      "expiration_date": 1638443471000,
      "name": "Example-Security-Monitoring",
      "rule_query": "type:log_detection source:cloudtrail",
      "suppression_query": "env:staging status:low"
    },
    "type": "suppressions"
  }
}
EOF

                        
                          # Curl command
curl -X POST "https://api.ap1.datadoghq.com"https://api.ap2.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/configuration/suppressions" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "data": {
    "attributes": {
      "description": "This rule suppresses low-severity signals in staging environments.",
      "enabled": true,
      "start_date": 1637493071000,
      "expiration_date": 1638443471000,
      "name": "Example-Security-Monitoring",
      "rule_query": "type:log_detection source:cloudtrail",
      "data_exclusion_query": "account_id:12345"
    },
    "type": "suppressions"
  }
}
EOF

                        
// Create a suppression rule returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	body := datadogV2.SecurityMonitoringSuppressionCreateRequest{
		Data: datadogV2.SecurityMonitoringSuppressionCreateData{
			Attributes: datadogV2.SecurityMonitoringSuppressionCreateAttributes{
				Description:      datadog.PtrString("This rule suppresses low-severity signals in staging environments."),
				Enabled:          true,
				StartDate:        datadog.PtrInt64(1637493071000),
				ExpirationDate:   datadog.PtrInt64(1638443471000),
				Name:             "Example-Security-Monitoring",
				RuleQuery:        "type:log_detection source:cloudtrail",
				SuppressionQuery: datadog.PtrString("env:staging status:low"),
			},
			Type: datadogV2.SECURITYMONITORINGSUPPRESSIONTYPE_SUPPRESSIONS,
		},
	}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.CreateSecurityMonitoringSuppression(ctx, body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.CreateSecurityMonitoringSuppression`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.CreateSecurityMonitoringSuppression`:\n%s\n", responseContent)
}

// Create a suppression rule with an exclusion query returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	body := datadogV2.SecurityMonitoringSuppressionCreateRequest{
		Data: datadogV2.SecurityMonitoringSuppressionCreateData{
			Attributes: datadogV2.SecurityMonitoringSuppressionCreateAttributes{
				Description:        datadog.PtrString("This rule suppresses low-severity signals in staging environments."),
				Enabled:            true,
				StartDate:          datadog.PtrInt64(1637493071000),
				ExpirationDate:     datadog.PtrInt64(1638443471000),
				Name:               "Example-Security-Monitoring",
				RuleQuery:          "type:log_detection source:cloudtrail",
				DataExclusionQuery: datadog.PtrString("account_id:12345"),
			},
			Type: datadogV2.SECURITYMONITORINGSUPPRESSIONTYPE_SUPPRESSIONS,
		},
	}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.CreateSecurityMonitoringSuppression(ctx, body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.CreateSecurityMonitoringSuppression`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.CreateSecurityMonitoringSuppression`:\n%s\n", responseContent)
}

Instructions

First install the library and its dependencies and then save the example to main.go and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
// Create a suppression rule returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityMonitoringSuppressionCreateAttributes;
import com.datadog.api.client.v2.model.SecurityMonitoringSuppressionCreateData;
import com.datadog.api.client.v2.model.SecurityMonitoringSuppressionCreateRequest;
import com.datadog.api.client.v2.model.SecurityMonitoringSuppressionResponse;
import com.datadog.api.client.v2.model.SecurityMonitoringSuppressionType;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    SecurityMonitoringSuppressionCreateRequest body =
        new SecurityMonitoringSuppressionCreateRequest()
            .data(
                new SecurityMonitoringSuppressionCreateData()
                    .attributes(
                        new SecurityMonitoringSuppressionCreateAttributes()
                            .description(
                                "This rule suppresses low-severity signals in staging"
                                    + " environments.")
                            .enabled(true)
                            .startDate(1637493071000L)
                            .expirationDate(1638443471000L)
                            .name("Example-Security-Monitoring")
                            .ruleQuery("type:log_detection source:cloudtrail")
                            .suppressionQuery("env:staging status:low"))
                    .type(SecurityMonitoringSuppressionType.SUPPRESSIONS));

    try {
      SecurityMonitoringSuppressionResponse result =
          apiInstance.createSecurityMonitoringSuppression(body);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#createSecurityMonitoringSuppression");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

// Create a suppression rule with an exclusion query returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityMonitoringSuppressionCreateAttributes;
import com.datadog.api.client.v2.model.SecurityMonitoringSuppressionCreateData;
import com.datadog.api.client.v2.model.SecurityMonitoringSuppressionCreateRequest;
import com.datadog.api.client.v2.model.SecurityMonitoringSuppressionResponse;
import com.datadog.api.client.v2.model.SecurityMonitoringSuppressionType;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    SecurityMonitoringSuppressionCreateRequest body =
        new SecurityMonitoringSuppressionCreateRequest()
            .data(
                new SecurityMonitoringSuppressionCreateData()
                    .attributes(
                        new SecurityMonitoringSuppressionCreateAttributes()
                            .description(
                                "This rule suppresses low-severity signals in staging"
                                    + " environments.")
                            .enabled(true)
                            .startDate(1637493071000L)
                            .expirationDate(1638443471000L)
                            .name("Example-Security-Monitoring")
                            .ruleQuery("type:log_detection source:cloudtrail")
                            .dataExclusionQuery("account_id:12345"))
                    .type(SecurityMonitoringSuppressionType.SUPPRESSIONS));

    try {
      SecurityMonitoringSuppressionResponse result =
          apiInstance.createSecurityMonitoringSuppression(body);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#createSecurityMonitoringSuppression");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

Instructions

First install the library and its dependencies and then save the example to Example.java and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"
"""
Create a suppression rule returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.security_monitoring_suppression_create_attributes import (
    SecurityMonitoringSuppressionCreateAttributes,
)
from datadog_api_client.v2.model.security_monitoring_suppression_create_data import (
    SecurityMonitoringSuppressionCreateData,
)
from datadog_api_client.v2.model.security_monitoring_suppression_create_request import (
    SecurityMonitoringSuppressionCreateRequest,
)
from datadog_api_client.v2.model.security_monitoring_suppression_type import SecurityMonitoringSuppressionType

body = SecurityMonitoringSuppressionCreateRequest(
    data=SecurityMonitoringSuppressionCreateData(
        attributes=SecurityMonitoringSuppressionCreateAttributes(
            description="This rule suppresses low-severity signals in staging environments.",
            enabled=True,
            start_date=1637493071000,
            expiration_date=1638443471000,
            name="Example-Security-Monitoring",
            rule_query="type:log_detection source:cloudtrail",
            suppression_query="env:staging status:low",
        ),
        type=SecurityMonitoringSuppressionType.SUPPRESSIONS,
    ),
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.create_security_monitoring_suppression(body=body)

    print(response)

"""
Create a suppression rule with an exclusion query returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.security_monitoring_suppression_create_attributes import (
    SecurityMonitoringSuppressionCreateAttributes,
)
from datadog_api_client.v2.model.security_monitoring_suppression_create_data import (
    SecurityMonitoringSuppressionCreateData,
)
from datadog_api_client.v2.model.security_monitoring_suppression_create_request import (
    SecurityMonitoringSuppressionCreateRequest,
)
from datadog_api_client.v2.model.security_monitoring_suppression_type import SecurityMonitoringSuppressionType

body = SecurityMonitoringSuppressionCreateRequest(
    data=SecurityMonitoringSuppressionCreateData(
        attributes=SecurityMonitoringSuppressionCreateAttributes(
            description="This rule suppresses low-severity signals in staging environments.",
            enabled=True,
            start_date=1637493071000,
            expiration_date=1638443471000,
            name="Example-Security-Monitoring",
            rule_query="type:log_detection source:cloudtrail",
            data_exclusion_query="account_id:12345",
        ),
        type=SecurityMonitoringSuppressionType.SUPPRESSIONS,
    ),
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.create_security_monitoring_suppression(body=body)

    print(response)

Instructions

First install the library and its dependencies and then save the example to example.py and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
# Create a suppression rule returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

body = DatadogAPIClient::V2::SecurityMonitoringSuppressionCreateRequest.new({
  data: DatadogAPIClient::V2::SecurityMonitoringSuppressionCreateData.new({
    attributes: DatadogAPIClient::V2::SecurityMonitoringSuppressionCreateAttributes.new({
      description: "This rule suppresses low-severity signals in staging environments.",
      enabled: true,
      start_date: 1637493071000,
      expiration_date: 1638443471000,
      name: "Example-Security-Monitoring",
      rule_query: "type:log_detection source:cloudtrail",
      suppression_query: "env:staging status:low",
    }),
    type: DatadogAPIClient::V2::SecurityMonitoringSuppressionType::SUPPRESSIONS,
  }),
})
p api_instance.create_security_monitoring_suppression(body)

# Create a suppression rule with an exclusion query returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

body = DatadogAPIClient::V2::SecurityMonitoringSuppressionCreateRequest.new({
  data: DatadogAPIClient::V2::SecurityMonitoringSuppressionCreateData.new({
    attributes: DatadogAPIClient::V2::SecurityMonitoringSuppressionCreateAttributes.new({
      description: "This rule suppresses low-severity signals in staging environments.",
      enabled: true,
      start_date: 1637493071000,
      expiration_date: 1638443471000,
      name: "Example-Security-Monitoring",
      rule_query: "type:log_detection source:cloudtrail",
      data_exclusion_query: "account_id:12345",
    }),
    type: DatadogAPIClient::V2::SecurityMonitoringSuppressionType::SUPPRESSIONS,
  }),
})
p api_instance.create_security_monitoring_suppression(body)

Instructions

First install the library and its dependencies and then save the example to example.rb and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" rb "example.rb"
// Create a suppression rule returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::SecurityMonitoringSuppressionCreateAttributes;
use datadog_api_client::datadogV2::model::SecurityMonitoringSuppressionCreateData;
use datadog_api_client::datadogV2::model::SecurityMonitoringSuppressionCreateRequest;
use datadog_api_client::datadogV2::model::SecurityMonitoringSuppressionType;

#[tokio::main]
async fn main() {
    let body = SecurityMonitoringSuppressionCreateRequest::new(
        SecurityMonitoringSuppressionCreateData::new(
            SecurityMonitoringSuppressionCreateAttributes::new(
                true,
                "Example-Security-Monitoring".to_string(),
                "type:log_detection source:cloudtrail".to_string(),
            )
            .description(
                "This rule suppresses low-severity signals in staging environments.".to_string(),
            )
            .expiration_date(1638443471000)
            .start_date(1637493071000)
            .suppression_query("env:staging status:low".to_string()),
            SecurityMonitoringSuppressionType::SUPPRESSIONS,
        ),
    );
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api.create_security_monitoring_suppression(body).await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}

// Create a suppression rule with an exclusion query returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::SecurityMonitoringSuppressionCreateAttributes;
use datadog_api_client::datadogV2::model::SecurityMonitoringSuppressionCreateData;
use datadog_api_client::datadogV2::model::SecurityMonitoringSuppressionCreateRequest;
use datadog_api_client::datadogV2::model::SecurityMonitoringSuppressionType;

#[tokio::main]
async fn main() {
    let body = SecurityMonitoringSuppressionCreateRequest::new(
        SecurityMonitoringSuppressionCreateData::new(
            SecurityMonitoringSuppressionCreateAttributes::new(
                true,
                "Example-Security-Monitoring".to_string(),
                "type:log_detection source:cloudtrail".to_string(),
            )
            .data_exclusion_query("account_id:12345".to_string())
            .description(
                "This rule suppresses low-severity signals in staging environments.".to_string(),
            )
            .expiration_date(1638443471000)
            .start_date(1637493071000),
            SecurityMonitoringSuppressionType::SUPPRESSIONS,
        ),
    );
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api.create_security_monitoring_suppression(body).await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}

Instructions

First install the library and its dependencies and then save the example to src/main.rs and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run
/**
 * Create a suppression rule returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiCreateSecurityMonitoringSuppressionRequest =
  {
    body: {
      data: {
        attributes: {
          description:
            "This rule suppresses low-severity signals in staging environments.",
          enabled: true,
          startDate: 1637493071000,
          expirationDate: 1638443471000,
          name: "Example-Security-Monitoring",
          ruleQuery: "type:log_detection source:cloudtrail",
          suppressionQuery: "env:staging status:low",
        },
        type: "suppressions",
      },
    },
  };

apiInstance
  .createSecurityMonitoringSuppression(params)
  .then((data: v2.SecurityMonitoringSuppressionResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

/**
 * Create a suppression rule with an exclusion query returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiCreateSecurityMonitoringSuppressionRequest =
  {
    body: {
      data: {
        attributes: {
          description:
            "This rule suppresses low-severity signals in staging environments.",
          enabled: true,
          startDate: 1637493071000,
          expirationDate: 1638443471000,
          name: "Example-Security-Monitoring",
          ruleQuery: "type:log_detection source:cloudtrail",
          dataExclusionQuery: "account_id:12345",
        },
        type: "suppressions",
      },
    },
  };

apiInstance
  .createSecurityMonitoringSuppression(params)
  .then((data: v2.SecurityMonitoringSuppressionResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

Instructions

First install the library and its dependencies and then save the example to example.ts and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"

Delete a suppression rule

DELETE https://api.ap1.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/{suppression_id}https://api.ap2.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/{suppression_id}https://api.datadoghq.eu/api/v2/security_monitoring/configuration/suppressions/{suppression_id}https://api.ddog-gov.com/api/v2/security_monitoring/configuration/suppressions/{suppression_id}https://api.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/{suppression_id}https://api.us3.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/{suppression_id}https://api.us5.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/{suppression_id}

Overview

Delete a specific suppression rule.

OAuth apps require the security_monitoring_suppressions_write authorization scope to access this endpoint.

Arguments

Path Parameters

Name

Type

Description

suppression_id [required]

string

The ID of the suppression rule

Response

OK

Not Authorized

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Not Found

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Too many requests

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Code Example

                  # Path parameters
export suppression_id="CHANGE_ME"
# Curl command
curl -X DELETE "https://api.ap1.datadoghq.com"https://api.ap2.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/${suppression_id}" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"

                
"""
Delete a suppression rule returns "OK" response
"""

from os import environ
from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi

# there is a valid "suppression" in the system
SUPPRESSION_DATA_ID = environ["SUPPRESSION_DATA_ID"]

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    api_instance.delete_security_monitoring_suppression(
        suppression_id=SUPPRESSION_DATA_ID,
    )

Instructions

First install the library and its dependencies and then save the example to example.py and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
# Delete a suppression rule returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

# there is a valid "suppression" in the system
SUPPRESSION_DATA_ID = ENV["SUPPRESSION_DATA_ID"]
api_instance.delete_security_monitoring_suppression(SUPPRESSION_DATA_ID)

Instructions

First install the library and its dependencies and then save the example to example.rb and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" rb "example.rb"
// Delete a suppression rule returns "OK" response

package main

import (
	"context"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	// there is a valid "suppression" in the system
	SuppressionDataID := os.Getenv("SUPPRESSION_DATA_ID")

	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	r, err := api.DeleteSecurityMonitoringSuppression(ctx, SuppressionDataID)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.DeleteSecurityMonitoringSuppression`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}
}

Instructions

First install the library and its dependencies and then save the example to main.go and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
// Delete a suppression rule returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    // there is a valid "suppression" in the system
    String SUPPRESSION_DATA_ID = System.getenv("SUPPRESSION_DATA_ID");

    try {
      apiInstance.deleteSecurityMonitoringSuppression(SUPPRESSION_DATA_ID);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#deleteSecurityMonitoringSuppression");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

Instructions

First install the library and its dependencies and then save the example to Example.java and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"
// Delete a suppression rule returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;

#[tokio::main]
async fn main() {
    // there is a valid "suppression" in the system
    let suppression_data_id = std::env::var("SUPPRESSION_DATA_ID").unwrap();
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api
        .delete_security_monitoring_suppression(suppression_data_id.clone())
        .await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}

Instructions

First install the library and its dependencies and then save the example to src/main.rs and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run
/**
 * Delete a suppression rule returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

// there is a valid "suppression" in the system
const SUPPRESSION_DATA_ID = process.env.SUPPRESSION_DATA_ID as string;

const params: v2.SecurityMonitoringApiDeleteSecurityMonitoringSuppressionRequest =
  {
    suppressionId: SUPPRESSION_DATA_ID,
  };

apiInstance
  .deleteSecurityMonitoringSuppression(params)
  .then((data: any) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

Instructions

First install the library and its dependencies and then save the example to example.ts and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"

Get a suppression rule

GET https://api.ap1.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/{suppression_id}https://api.ap2.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/{suppression_id}https://api.datadoghq.eu/api/v2/security_monitoring/configuration/suppressions/{suppression_id}https://api.ddog-gov.com/api/v2/security_monitoring/configuration/suppressions/{suppression_id}https://api.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/{suppression_id}https://api.us3.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/{suppression_id}https://api.us5.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/{suppression_id}

Overview

Get the details of a specific suppression rule.

OAuth apps require the security_monitoring_suppressions_read authorization scope to access this endpoint.

Arguments

Path Parameters

Name

Type

Description

suppression_id [required]

string

The ID of the suppression rule

Response

OK

Response object containing a single suppression rule.

Expand All

Field

Type

Description

data

object

The suppression rule's properties.

attributes

object

The attributes of the suppression rule.

creation_date

int64

A Unix millisecond timestamp given the creation date of the suppression rule.

creator

object

A user.

handle

string

The handle of the user.

name

string

The name of the user.

data_exclusion_query

string

An exclusion query on the input data of the security rules, which could be logs, Agent events, or other types of data based on the security rule. Events matching this query are ignored by any detection rules referenced in the suppression rule.

description

string

A description for the suppression rule.

editable

boolean

Whether the suppression rule is editable.

enabled

boolean

Whether the suppression rule is enabled.

expiration_date

int64

A Unix millisecond timestamp giving an expiration date for the suppression rule. After this date, it won't suppress signals anymore.

name

string

The name of the suppression rule.

rule_query

string

The rule query of the suppression rule, with the same syntax as the search bar for detection rules.

start_date

int64

A Unix millisecond timestamp giving the start date for the suppression rule. After this date, it starts suppressing signals.

suppression_query

string

The suppression query of the suppression rule. If a signal matches this query, it is suppressed and not triggered. Same syntax as the queries to search signals in the signal explorer.

update_date

int64

A Unix millisecond timestamp given the update date of the suppression rule.

updater

object

A user.

handle

string

The handle of the user.

name

string

The name of the user.

version

int32

The version of the suppression rule; it starts at 1, and is incremented at each update.

id

string

The ID of the suppression rule.

type

enum

The type of the resource. The value should always be suppressions. Allowed enum values: suppressions

default: suppressions

{
  "data": {
    "attributes": {
      "creation_date": "integer",
      "creator": {
        "handle": "john.doe@datadoghq.com",
        "name": "John Doe"
      },
      "data_exclusion_query": "source:cloudtrail account_id:12345",
      "description": "This rule suppresses low-severity signals in staging environments.",
      "editable": true,
      "enabled": true,
      "expiration_date": 1703187336000,
      "name": "Custom suppression",
      "rule_query": "type:log_detection source:cloudtrail",
      "start_date": 1703187336000,
      "suppression_query": "env:staging status:low",
      "update_date": "integer",
      "updater": {
        "handle": "john.doe@datadoghq.com",
        "name": "John Doe"
      },
      "version": 42
    },
    "id": "3dd-0uc-h1s",
    "type": "suppressions"
  }
}

Not Authorized

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Not Found

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Too many requests

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Code Example

                  # Path parameters
export suppression_id="CHANGE_ME"
# Curl command
curl -X GET "https://api.ap1.datadoghq.com"https://api.ap2.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/${suppression_id}" \
-H "Accept: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"

                
"""
Get a suppression rule returns "OK" response
"""

from os import environ
from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi

# there is a valid "suppression" in the system
SUPPRESSION_DATA_ID = environ["SUPPRESSION_DATA_ID"]

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.get_security_monitoring_suppression(
        suppression_id=SUPPRESSION_DATA_ID,
    )

    print(response)

Instructions

First install the library and its dependencies and then save the example to example.py and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
# Get a suppression rule returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

# there is a valid "suppression" in the system
SUPPRESSION_DATA_ID = ENV["SUPPRESSION_DATA_ID"]
p api_instance.get_security_monitoring_suppression(SUPPRESSION_DATA_ID)

Instructions

First install the library and its dependencies and then save the example to example.rb and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" rb "example.rb"
// Get a suppression rule returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	// there is a valid "suppression" in the system
	SuppressionDataID := os.Getenv("SUPPRESSION_DATA_ID")

	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.GetSecurityMonitoringSuppression(ctx, SuppressionDataID)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.GetSecurityMonitoringSuppression`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.GetSecurityMonitoringSuppression`:\n%s\n", responseContent)
}

Instructions

First install the library and its dependencies and then save the example to main.go and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
// Get a suppression rule returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityMonitoringSuppressionResponse;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    // there is a valid "suppression" in the system
    String SUPPRESSION_DATA_ID = System.getenv("SUPPRESSION_DATA_ID");

    try {
      SecurityMonitoringSuppressionResponse result =
          apiInstance.getSecurityMonitoringSuppression(SUPPRESSION_DATA_ID);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#getSecurityMonitoringSuppression");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

Instructions

First install the library and its dependencies and then save the example to Example.java and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"
// Get a suppression rule returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;

#[tokio::main]
async fn main() {
    // there is a valid "suppression" in the system
    let suppression_data_id = std::env::var("SUPPRESSION_DATA_ID").unwrap();
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api
        .get_security_monitoring_suppression(suppression_data_id.clone())
        .await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}

Instructions

First install the library and its dependencies and then save the example to src/main.rs and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run
/**
 * Get a suppression rule returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

// there is a valid "suppression" in the system
const SUPPRESSION_DATA_ID = process.env.SUPPRESSION_DATA_ID as string;

const params: v2.SecurityMonitoringApiGetSecurityMonitoringSuppressionRequest =
  {
    suppressionId: SUPPRESSION_DATA_ID,
  };

apiInstance
  .getSecurityMonitoringSuppression(params)
  .then((data: v2.SecurityMonitoringSuppressionResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

Instructions

First install the library and its dependencies and then save the example to example.ts and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"

Get all suppression rules

GET https://api.ap1.datadoghq.com/api/v2/security_monitoring/configuration/suppressionshttps://api.ap2.datadoghq.com/api/v2/security_monitoring/configuration/suppressionshttps://api.datadoghq.eu/api/v2/security_monitoring/configuration/suppressionshttps://api.ddog-gov.com/api/v2/security_monitoring/configuration/suppressionshttps://api.datadoghq.com/api/v2/security_monitoring/configuration/suppressionshttps://api.us3.datadoghq.com/api/v2/security_monitoring/configuration/suppressionshttps://api.us5.datadoghq.com/api/v2/security_monitoring/configuration/suppressions

Overview

Get the list of all suppression rules.

OAuth apps require the security_monitoring_suppressions_read authorization scope to access this endpoint.

Arguments

Query Strings

Name

Type

Description

query

string

Query string.

Response

OK

Response object containing the available suppression rules.

Expand All

Field

Type

Description

data

[object]

A list of suppressions objects.

attributes

object

The attributes of the suppression rule.

creation_date

int64

A Unix millisecond timestamp given the creation date of the suppression rule.

creator

object

A user.

handle

string

The handle of the user.

name

string

The name of the user.

data_exclusion_query

string

An exclusion query on the input data of the security rules, which could be logs, Agent events, or other types of data based on the security rule. Events matching this query are ignored by any detection rules referenced in the suppression rule.

description

string

A description for the suppression rule.

editable

boolean

Whether the suppression rule is editable.

enabled

boolean

Whether the suppression rule is enabled.

expiration_date

int64

A Unix millisecond timestamp giving an expiration date for the suppression rule. After this date, it won't suppress signals anymore.

name

string

The name of the suppression rule.

rule_query

string

The rule query of the suppression rule, with the same syntax as the search bar for detection rules.

start_date

int64

A Unix millisecond timestamp giving the start date for the suppression rule. After this date, it starts suppressing signals.

suppression_query

string

The suppression query of the suppression rule. If a signal matches this query, it is suppressed and not triggered. Same syntax as the queries to search signals in the signal explorer.

update_date

int64

A Unix millisecond timestamp given the update date of the suppression rule.

updater

object

A user.

handle

string

The handle of the user.

name

string

The name of the user.

version

int32

The version of the suppression rule; it starts at 1, and is incremented at each update.

id

string

The ID of the suppression rule.

type

enum

The type of the resource. The value should always be suppressions. Allowed enum values: suppressions

default: suppressions

{
  "data": [
    {
      "attributes": {
        "creation_date": "integer",
        "creator": {
          "handle": "john.doe@datadoghq.com",
          "name": "John Doe"
        },
        "data_exclusion_query": "source:cloudtrail account_id:12345",
        "description": "This rule suppresses low-severity signals in staging environments.",
        "editable": true,
        "enabled": true,
        "expiration_date": 1703187336000,
        "name": "Custom suppression",
        "rule_query": "type:log_detection source:cloudtrail",
        "start_date": 1703187336000,
        "suppression_query": "env:staging status:low",
        "update_date": "integer",
        "updater": {
          "handle": "john.doe@datadoghq.com",
          "name": "John Doe"
        },
        "version": 42
      },
      "id": "3dd-0uc-h1s",
      "type": "suppressions"
    }
  ]
}

Not Authorized

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Too many requests

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Code Example

                  # Curl command
curl -X GET "https://api.ap1.datadoghq.com"https://api.ap2.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/configuration/suppressions" \
-H "Accept: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"

                
"""
Get all suppression rules returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.list_security_monitoring_suppressions()

    print(response)

Instructions

First install the library and its dependencies and then save the example to example.py and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
# Get all suppression rules returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new
p api_instance.list_security_monitoring_suppressions()

Instructions

First install the library and its dependencies and then save the example to example.rb and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" rb "example.rb"
// Get all suppression rules returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.ListSecurityMonitoringSuppressions(ctx, *datadogV2.NewListSecurityMonitoringSuppressionsOptionalParameters())

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.ListSecurityMonitoringSuppressions`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.ListSecurityMonitoringSuppressions`:\n%s\n", responseContent)
}

Instructions

First install the library and its dependencies and then save the example to main.go and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
// Get all suppression rules returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityMonitoringSuppressionsResponse;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    try {
      SecurityMonitoringSuppressionsResponse result =
          apiInstance.listSecurityMonitoringSuppressions();
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#listSecurityMonitoringSuppressions");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

Instructions

First install the library and its dependencies and then save the example to Example.java and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"
// Get all suppression rules returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::ListSecurityMonitoringSuppressionsOptionalParams;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;

#[tokio::main]
async fn main() {
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api
        .list_security_monitoring_suppressions(
            ListSecurityMonitoringSuppressionsOptionalParams::default(),
        )
        .await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}

Instructions

First install the library and its dependencies and then save the example to src/main.rs and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run
/**
 * Get all suppression rules returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

apiInstance
  .listSecurityMonitoringSuppressions()
  .then((data: v2.SecurityMonitoringSuppressionsResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

Instructions

First install the library and its dependencies and then save the example to example.ts and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"

Get suppressions affecting a specific rule

GET https://api.ap1.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/rules/{rule_id}https://api.ap2.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/rules/{rule_id}https://api.datadoghq.eu/api/v2/security_monitoring/configuration/suppressions/rules/{rule_id}https://api.ddog-gov.com/api/v2/security_monitoring/configuration/suppressions/rules/{rule_id}https://api.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/rules/{rule_id}https://api.us3.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/rules/{rule_id}https://api.us5.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/rules/{rule_id}

Overview

Get the list of suppressions that affect a specific existing rule by its ID.

OAuth apps require the security_monitoring_suppressions_read authorization scope to access this endpoint.

Arguments

Path Parameters

Name

Type

Description

rule_id [required]

string

The ID of the rule.

Response

OK

Response object containing the available suppression rules.

Expand All

Field

Type

Description

data

[object]

A list of suppressions objects.

attributes

object

The attributes of the suppression rule.

creation_date

int64

A Unix millisecond timestamp given the creation date of the suppression rule.

creator

object

A user.

handle

string

The handle of the user.

name

string

The name of the user.

data_exclusion_query

string

An exclusion query on the input data of the security rules, which could be logs, Agent events, or other types of data based on the security rule. Events matching this query are ignored by any detection rules referenced in the suppression rule.

description

string

A description for the suppression rule.

editable

boolean

Whether the suppression rule is editable.

enabled

boolean

Whether the suppression rule is enabled.

expiration_date

int64

A Unix millisecond timestamp giving an expiration date for the suppression rule. After this date, it won't suppress signals anymore.

name

string

The name of the suppression rule.

rule_query

string

The rule query of the suppression rule, with the same syntax as the search bar for detection rules.

start_date

int64

A Unix millisecond timestamp giving the start date for the suppression rule. After this date, it starts suppressing signals.

suppression_query

string

The suppression query of the suppression rule. If a signal matches this query, it is suppressed and not triggered. Same syntax as the queries to search signals in the signal explorer.

update_date

int64

A Unix millisecond timestamp given the update date of the suppression rule.

updater

object

A user.

handle

string

The handle of the user.

name

string

The name of the user.

version

int32

The version of the suppression rule; it starts at 1, and is incremented at each update.

id

string

The ID of the suppression rule.

type

enum

The type of the resource. The value should always be suppressions. Allowed enum values: suppressions

default: suppressions

{
  "data": [
    {
      "attributes": {
        "creation_date": "integer",
        "creator": {
          "handle": "john.doe@datadoghq.com",
          "name": "John Doe"
        },
        "data_exclusion_query": "source:cloudtrail account_id:12345",
        "description": "This rule suppresses low-severity signals in staging environments.",
        "editable": true,
        "enabled": true,
        "expiration_date": 1703187336000,
        "name": "Custom suppression",
        "rule_query": "type:log_detection source:cloudtrail",
        "start_date": 1703187336000,
        "suppression_query": "env:staging status:low",
        "update_date": "integer",
        "updater": {
          "handle": "john.doe@datadoghq.com",
          "name": "John Doe"
        },
        "version": 42
      },
      "id": "3dd-0uc-h1s",
      "type": "suppressions"
    }
  ]
}

Not Authorized

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Not Found

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Too many requests

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Code Example

                  # Path parameters
export rule_id="CHANGE_ME"
# Curl command
curl -X GET "https://api.ap1.datadoghq.com"https://api.ap2.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/rules/${rule_id}" \
-H "Accept: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"

                
"""
Get suppressions affecting a specific rule returns "OK" response
"""

from os import environ
from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi

# there is a valid "security_rule" in the system
SECURITY_RULE_ID = environ["SECURITY_RULE_ID"]

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.get_suppressions_affecting_rule(
        rule_id=SECURITY_RULE_ID,
    )

    print(response)

Instructions

First install the library and its dependencies and then save the example to example.py and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
# Get suppressions affecting a specific rule returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

# there is a valid "security_rule" in the system
SECURITY_RULE_ID = ENV["SECURITY_RULE_ID"]
p api_instance.get_suppressions_affecting_rule(SECURITY_RULE_ID)

Instructions

First install the library and its dependencies and then save the example to example.rb and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" rb "example.rb"
// Get suppressions affecting a specific rule returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	// there is a valid "security_rule" in the system
	SecurityRuleID := os.Getenv("SECURITY_RULE_ID")

	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.GetSuppressionsAffectingRule(ctx, SecurityRuleID)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.GetSuppressionsAffectingRule`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.GetSuppressionsAffectingRule`:\n%s\n", responseContent)
}

Instructions

First install the library and its dependencies and then save the example to main.go and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
// Get suppressions affecting a specific rule returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityMonitoringSuppressionsResponse;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    // there is a valid "security_rule" in the system
    String SECURITY_RULE_ID = System.getenv("SECURITY_RULE_ID");

    try {
      SecurityMonitoringSuppressionsResponse result =
          apiInstance.getSuppressionsAffectingRule(SECURITY_RULE_ID);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#getSuppressionsAffectingRule");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

Instructions

First install the library and its dependencies and then save the example to Example.java and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"
// Get suppressions affecting a specific rule returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;

#[tokio::main]
async fn main() {
    // there is a valid "security_rule" in the system
    let security_rule_id = std::env::var("SECURITY_RULE_ID").unwrap();
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api
        .get_suppressions_affecting_rule(security_rule_id.clone())
        .await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}

Instructions

First install the library and its dependencies and then save the example to src/main.rs and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run
/**
 * Get suppressions affecting a specific rule returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

// there is a valid "security_rule" in the system
const SECURITY_RULE_ID = process.env.SECURITY_RULE_ID as string;

const params: v2.SecurityMonitoringApiGetSuppressionsAffectingRuleRequest = {
  ruleId: SECURITY_RULE_ID,
};

apiInstance
  .getSuppressionsAffectingRule(params)
  .then((data: v2.SecurityMonitoringSuppressionsResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

Instructions

First install the library and its dependencies and then save the example to example.ts and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"

Get suppressions affecting future rule

POST https://api.ap1.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/ruleshttps://api.ap2.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/ruleshttps://api.datadoghq.eu/api/v2/security_monitoring/configuration/suppressions/ruleshttps://api.ddog-gov.com/api/v2/security_monitoring/configuration/suppressions/ruleshttps://api.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/ruleshttps://api.us3.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/ruleshttps://api.us5.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/rules

Overview

Get the list of suppressions that would affect a rule.

OAuth apps require the security_monitoring_suppressions_read authorization scope to access this endpoint.

Request

Body Data (required)

Expand All

Field

Type

Description

Option 1

object

Create a new rule.

calculatedFields

[object]

Calculated fields. Only allowed for scheduled rules - in other words, when schedulingOptions is also defined.

expression [required]

string

Expression.

name [required]

string

Field name.

cases [required]

[object]

Cases for generating signals.

actions

[object]

Action to perform for each rule case.

options

object

Options for the rule action

duration

int64

Duration of the action in seconds. 0 indicates no expiration.

flaggedIPType

enum

Used with the case action of type 'flag_ip'. The value specified in this field is applied as a flag to the IP addresses. Allowed enum values: SUSPICIOUS,FLAGGED

userBehaviorName

string

Used with the case action of type 'user_behavior'. The value specified in this field is applied as a risk tag to all users affected by the rule.

type

enum

The action type. Allowed enum values: block_ip,block_user,user_behavior,flag_ip

condition

string

A case contains logical operations (>,>=, &&, ||) to determine if a signal should be generated based on the event counts in the previously defined queries.

name

string

Name of the case.

notifications

[string]

Notification targets.

status [required]

enum

Severity of the Security Signal. Allowed enum values: info,low,medium,high,critical

filters

[object]

Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules.

action

enum

The type of filtering action. Allowed enum values: require,suppress

query

string

Query for selecting logs to apply the filtering action.

groupSignalsBy

[string]

Additional grouping to perform on top of the existing groups in the query section. Must be a subset of the existing groups.

hasExtendedTitle

boolean

Whether the notifications include the triggering group-by values in their title.

isEnabled [required]

boolean

Whether the rule is enabled.

message [required]

string

Message for generated signals.

name [required]

string

The name of the rule.

options [required]

object

Options.

complianceRuleOptions

object

Options for cloud_configuration rules. Fields resourceType and regoRule are mandatory when managing custom cloud_configuration rules.

complexRule

boolean

Whether the rule is a complex one. Must be set to true if regoRule.resourceTypes contains more than one item. Defaults to false.

regoRule

object

Rule details.

policy [required]

string

The policy written in rego, see: https://www.openpolicyagent.org/docs/latest/policy-language/

resourceTypes [required]

[string]

List of resource types that will be evaluated upon. Must have at least one element.

resourceType

string

Main resource type to be checked by the rule. It should be specified again in regoRule.resourceTypes.

decreaseCriticalityBasedOnEnv

boolean

If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise. The severity is decreased by one level: CRITICAL in production becomes HIGH in non-production, HIGH becomes MEDIUM and so on. INFO remains INFO. The decrement is applied when the environment tag of the signal starts with staging, test or dev.

detectionMethod

enum

The detection method. Allowed enum values: threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold,sequence_detection

evaluationWindow

enum

A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400

hardcodedEvaluatorType

enum

Hardcoded evaluator type. Allowed enum values: log4shell

impossibleTravelOptions

object

Options on impossible travel detection method.

baselineUserLocations

boolean

If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.

keepAlive

enum

Once a signal is generated, the signal will remain "open" if a case is matched at least once within this keep alive window. For third party detection method, this field is not used. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400

maxSignalDuration

enum

A signal will "close" regardless of the query being matched once the time exceeds the maximum duration. This time is calculated from the first seen timestamp. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400

newValueOptions

object

Options on new value detection method.

forgetAfter

enum

The duration in days after which a learned value is forgotten. Allowed enum values: 1,2,7,14,21,28

learningDuration

enum

The duration in days during which values are learned, and after which signals will be generated for values that weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned. Allowed enum values: 0,1,7

learningMethod

enum

The learning method used to determine when signals should be generated for values that weren't learned. Allowed enum values: duration,threshold

default: duration

learningThreshold

enum

A number of occurrences after which signals will be generated for values that weren't learned. Allowed enum values: 0,1

sequenceDetectionOptions

object

Options on sequence detection method.

stepTransitions

[object]

Transitions defining the allowed order of steps and their evaluation windows.

child

string

Name of the child step.

evaluationWindow

enum

A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400

parent

string

Name of the parent step.

steps

[object]

Steps that define the conditions to be matched in sequence.

condition

string

Condition referencing rule queries (e.g., a > 0).

evaluationWindow

enum

A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400

name

string

Unique name identifying the step.

thirdPartyRuleOptions

object

Options on third party detection method.

defaultNotifications

[string]

Notification targets for the logs that do not correspond to any of the cases.

defaultStatus

enum

Severity of the Security Signal. Allowed enum values: info,low,medium,high,critical

rootQueries

[object]

Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.

groupByFields

[string]

Fields to group by.

query

string

Query to run on logs.

signalTitleTemplate

string

A template for the signal title; if omitted, the title is generated based on the case name.

queries [required]

[object]

Queries for selecting logs which are part of the rule.

aggregation

enum

The aggregation type. Allowed enum values: count,cardinality,sum,max,new_value,geo_data,event_count,none

customQueryExtension

string

Query extension to append to the logs query.

dataSource

enum

Source of events, either logs, audit trail, or Datadog events. Allowed enum values: logs,audit,app_sec_spans,spans,security_runtime,network,events

default: logs

distinctFields

[string]

Field for which the cardinality is measured. Sent as an array.

groupByFields

[string]

Fields to group by.

hasOptionalGroupByFields

boolean

When false, events without a group-by value are ignored by the rule. When true, events with missing group-by fields are processed with N/A, replacing the missing values.

index

string

This field is currently unstable and might be removed in a minor version upgrade. The index to run the query on, if the dataSource is logs. Only used for scheduled rules - in other words, when the schedulingOptions field is present in the rule payload.

indexes

[string]

List of indexes to query when the dataSource is logs. Only used for scheduled rules, such as when the schedulingOptions field is present in the rule payload.

metric

string

DEPRECATED: (Deprecated) The target field to aggregate over when using the sum or max aggregations. metrics field should be used instead.

metrics

[string]

Group of target fields to aggregate over when using the sum, max, geo data, or new value aggregations. The sum, max, and geo data aggregations only accept one value in this list, whereas the new value aggregation accepts up to five values.

name

string

Name of the query.

query

string

Query to run on logs.

referenceTables

[object]

Reference tables for the rule.

checkPresence

boolean

Whether to include or exclude the matched values.

columnName

string

The name of the column in the reference table.

logFieldPath

string

The field in the log to match against the reference table.

ruleQueryName

string

The name of the query to apply the reference table to.

tableName

string

The name of the reference table.

schedulingOptions

object

Options for scheduled rules. When this field is present, the rule runs based on the schedule. When absent, it runs real-time on ingested logs.

rrule

string

Schedule for the rule queries, written in RRULE syntax. See RFC for syntax reference.

start

string

Start date for the schedule, in ISO 8601 format without timezone.

timezone

string

Time zone of the start date, in the tz database format.

tags

[string]

Tags for generated signals.

thirdPartyCases

[object]

Cases for generating signals from third-party rules. Only available for third-party rules.

name

string

Name of the case.

notifications

[string]

Notification targets for each case.

query

string

A query to map a third party event to this case.

status [required]

enum

Severity of the Security Signal. Allowed enum values: info,low,medium,high,critical

type

enum

The rule type. Allowed enum values: api_security,application_security,log_detection,workload_security

Option 2

object

Create a new signal correlation rule.

cases [required]

[object]

Cases for generating signals.

actions

[object]

Action to perform for each rule case.

options

object

Options for the rule action

duration

int64

Duration of the action in seconds. 0 indicates no expiration.

flaggedIPType

enum

Used with the case action of type 'flag_ip'. The value specified in this field is applied as a flag to the IP addresses. Allowed enum values: SUSPICIOUS,FLAGGED

userBehaviorName

string

Used with the case action of type 'user_behavior'. The value specified in this field is applied as a risk tag to all users affected by the rule.

type

enum

The action type. Allowed enum values: block_ip,block_user,user_behavior,flag_ip

condition

string

A case contains logical operations (>,>=, &&, ||) to determine if a signal should be generated based on the event counts in the previously defined queries.

name

string

Name of the case.

notifications

[string]

Notification targets.

status [required]

enum

Severity of the Security Signal. Allowed enum values: info,low,medium,high,critical

filters

[object]

Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules.

action

enum

The type of filtering action. Allowed enum values: require,suppress

query

string

Query for selecting logs to apply the filtering action.

hasExtendedTitle

boolean

Whether the notifications include the triggering group-by values in their title.

isEnabled [required]

boolean

Whether the rule is enabled.

message [required]

string

Message for generated signals.

name [required]

string

The name of the rule.

options [required]

object

Options.

complianceRuleOptions

object

Options for cloud_configuration rules. Fields resourceType and regoRule are mandatory when managing custom cloud_configuration rules.

complexRule

boolean

Whether the rule is a complex one. Must be set to true if regoRule.resourceTypes contains more than one item. Defaults to false.

regoRule

object

Rule details.

policy [required]

string

The policy written in rego, see: https://www.openpolicyagent.org/docs/latest/policy-language/

resourceTypes [required]

[string]

List of resource types that will be evaluated upon. Must have at least one element.

resourceType

string

Main resource type to be checked by the rule. It should be specified again in regoRule.resourceTypes.

decreaseCriticalityBasedOnEnv

boolean

If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise. The severity is decreased by one level: CRITICAL in production becomes HIGH in non-production, HIGH becomes MEDIUM and so on. INFO remains INFO. The decrement is applied when the environment tag of the signal starts with staging, test or dev.

detectionMethod

enum

The detection method. Allowed enum values: threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold,sequence_detection

evaluationWindow

enum

A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400

hardcodedEvaluatorType

enum

Hardcoded evaluator type. Allowed enum values: log4shell

impossibleTravelOptions

object

Options on impossible travel detection method.

baselineUserLocations

boolean

If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.

keepAlive

enum

Once a signal is generated, the signal will remain "open" if a case is matched at least once within this keep alive window. For third party detection method, this field is not used. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400

maxSignalDuration

enum

A signal will "close" regardless of the query being matched once the time exceeds the maximum duration. This time is calculated from the first seen timestamp. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400

newValueOptions

object

Options on new value detection method.

forgetAfter

enum

The duration in days after which a learned value is forgotten. Allowed enum values: 1,2,7,14,21,28

learningDuration

enum

The duration in days during which values are learned, and after which signals will be generated for values that weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned. Allowed enum values: 0,1,7

learningMethod

enum

The learning method used to determine when signals should be generated for values that weren't learned. Allowed enum values: duration,threshold

default: duration

learningThreshold

enum

A number of occurrences after which signals will be generated for values that weren't learned. Allowed enum values: 0,1

sequenceDetectionOptions

object

Options on sequence detection method.

stepTransitions

[object]

Transitions defining the allowed order of steps and their evaluation windows.

child

string

Name of the child step.

evaluationWindow

enum

A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400

parent

string

Name of the parent step.

steps

[object]

Steps that define the conditions to be matched in sequence.

condition

string

Condition referencing rule queries (e.g., a > 0).

evaluationWindow

enum

A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400

name

string

Unique name identifying the step.

thirdPartyRuleOptions

object

Options on third party detection method.

defaultNotifications

[string]

Notification targets for the logs that do not correspond to any of the cases.

defaultStatus

enum

Severity of the Security Signal. Allowed enum values: info,low,medium,high,critical

rootQueries

[object]

Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.

groupByFields

[string]

Fields to group by.

query

string

Query to run on logs.

signalTitleTemplate

string

A template for the signal title; if omitted, the title is generated based on the case name.

queries [required]

[object]

Queries for selecting signals which are part of the rule.

aggregation

enum

The aggregation type. Allowed enum values: count,cardinality,sum,max,new_value,geo_data,event_count,none

correlatedByFields

[string]

Fields to group by.

correlatedQueryIndex

int32

Index of the rule query used to retrieve the correlated field.

metrics

[string]

Group of target fields to aggregate over.

name

string

Name of the query.

ruleId [required]

string

Rule ID to match on signals.

tags

[string]

Tags for generated signals.

type

enum

The rule type. Allowed enum values: signal_correlation

Option 3

object

Create a new cloud configuration rule.

cases [required]

[object]

Description of generated findings and signals (severity and channels to be notified in case of a signal). Must contain exactly one item.

notifications

[string]

Notification targets for each rule case.

status [required]

enum

Severity of the Security Signal. Allowed enum values: info,low,medium,high,critical

complianceSignalOptions [required]

object

How to generate compliance signals. Useful for cloud_configuration rules only.

defaultActivationStatus

boolean

The default activation status.

defaultGroupByFields

[string]

The default group by fields.

userActivationStatus

boolean

Whether signals will be sent.

userGroupByFields

[string]

Fields to use to group findings by when sending signals.

filters

[object]

Additional queries to filter matched events before they are processed.

action

enum

The type of filtering action. Allowed enum values: require,suppress

query

string

Query for selecting logs to apply the filtering action.

isEnabled [required]

boolean

Whether the rule is enabled.

message [required]

string

Message in markdown format for generated findings and signals.

name [required]

string

The name of the rule.

options [required]

object

Options on cloud configuration rules.

complianceRuleOptions [required]

object

Options for cloud_configuration rules. Fields resourceType and regoRule are mandatory when managing custom cloud_configuration rules.

complexRule

boolean

Whether the rule is a complex one. Must be set to true if regoRule.resourceTypes contains more than one item. Defaults to false.

regoRule

object

Rule details.

policy [required]

string

The policy written in rego, see: https://www.openpolicyagent.org/docs/latest/policy-language/

resourceTypes [required]

[string]

List of resource types that will be evaluated upon. Must have at least one element.

resourceType

string

Main resource type to be checked by the rule. It should be specified again in regoRule.resourceTypes.

tags

[string]

Tags for generated findings and signals.

type

enum

The rule type. Allowed enum values: cloud_configuration

{
  "name": "Example-Security-Monitoring",
  "queries": [
    {
      "query": "@test:true",
      "aggregation": "count",
      "groupByFields": [],
      "distinctFields": [],
      "metrics": []
    }
  ],
  "filters": [],
  "cases": [
    {
      "name": "",
      "status": "info",
      "condition": "a > 0",
      "notifications": []
    }
  ],
  "options": {
    "evaluationWindow": 900,
    "keepAlive": 3600,
    "maxSignalDuration": 86400
  },
  "message": "Test rule",
  "tags": [],
  "isEnabled": true,
  "type": "log_detection"
}

Response

OK

Response object containing the available suppression rules.

Expand All

Field

Type

Description

data

[object]

A list of suppressions objects.

attributes

object

The attributes of the suppression rule.

creation_date

int64

A Unix millisecond timestamp given the creation date of the suppression rule.

creator

object

A user.

handle

string

The handle of the user.

name

string

The name of the user.

data_exclusion_query

string

An exclusion query on the input data of the security rules, which could be logs, Agent events, or other types of data based on the security rule. Events matching this query are ignored by any detection rules referenced in the suppression rule.

description

string

A description for the suppression rule.

editable

boolean

Whether the suppression rule is editable.

enabled

boolean

Whether the suppression rule is enabled.

expiration_date

int64

A Unix millisecond timestamp giving an expiration date for the suppression rule. After this date, it won't suppress signals anymore.

name

string

The name of the suppression rule.

rule_query

string

The rule query of the suppression rule, with the same syntax as the search bar for detection rules.

start_date

int64

A Unix millisecond timestamp giving the start date for the suppression rule. After this date, it starts suppressing signals.

suppression_query

string

The suppression query of the suppression rule. If a signal matches this query, it is suppressed and not triggered. Same syntax as the queries to search signals in the signal explorer.

update_date

int64

A Unix millisecond timestamp given the update date of the suppression rule.

updater

object

A user.

handle

string

The handle of the user.

name

string

The name of the user.

version

int32

The version of the suppression rule; it starts at 1, and is incremented at each update.

id

string

The ID of the suppression rule.

type

enum

The type of the resource. The value should always be suppressions. Allowed enum values: suppressions

default: suppressions

{
  "data": [
    {
      "attributes": {
        "creation_date": "integer",
        "creator": {
          "handle": "john.doe@datadoghq.com",
          "name": "John Doe"
        },
        "data_exclusion_query": "source:cloudtrail account_id:12345",
        "description": "This rule suppresses low-severity signals in staging environments.",
        "editable": true,
        "enabled": true,
        "expiration_date": 1703187336000,
        "name": "Custom suppression",
        "rule_query": "type:log_detection source:cloudtrail",
        "start_date": 1703187336000,
        "suppression_query": "env:staging status:low",
        "update_date": "integer",
        "updater": {
          "handle": "john.doe@datadoghq.com",
          "name": "John Doe"
        },
        "version": 42
      },
      "id": "3dd-0uc-h1s",
      "type": "suppressions"
    }
  ]
}

Bad Request

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Not Authorized

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Too many requests

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Code Example

                          # Curl command
curl -X POST "https://api.ap1.datadoghq.com"https://api.ap2.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/rules" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "name": "Example-Security-Monitoring",
  "queries": [
    {
      "query": "@test:true",
      "aggregation": "count",
      "groupByFields": [],
      "distinctFields": [],
      "metrics": []
    }
  ],
  "filters": [],
  "cases": [
    {
      "name": "",
      "status": "info",
      "condition": "a > 0",
      "notifications": []
    }
  ],
  "options": {
    "evaluationWindow": 900,
    "keepAlive": 3600,
    "maxSignalDuration": 86400
  },
  "message": "Test rule",
  "tags": [],
  "isEnabled": true,
  "type": "log_detection"
}
EOF

                        
// Get suppressions affecting future rule returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	body := datadogV2.SecurityMonitoringRuleCreatePayload{
		SecurityMonitoringStandardRuleCreatePayload: &datadogV2.SecurityMonitoringStandardRuleCreatePayload{
			Name: "Example-Security-Monitoring",
			Queries: []datadogV2.SecurityMonitoringStandardRuleQuery{
				{
					Query:          datadog.PtrString("@test:true"),
					Aggregation:    datadogV2.SECURITYMONITORINGRULEQUERYAGGREGATION_COUNT.Ptr(),
					GroupByFields:  []string{},
					DistinctFields: []string{},
					Metrics:        []string{},
				},
			},
			Filters: []datadogV2.SecurityMonitoringFilter{},
			Cases: []datadogV2.SecurityMonitoringRuleCaseCreate{
				{
					Name:          datadog.PtrString(""),
					Status:        datadogV2.SECURITYMONITORINGRULESEVERITY_INFO,
					Condition:     datadog.PtrString("a > 0"),
					Notifications: []string{},
				},
			},
			Options: datadogV2.SecurityMonitoringRuleOptions{
				EvaluationWindow:  datadogV2.SECURITYMONITORINGRULEEVALUATIONWINDOW_FIFTEEN_MINUTES.Ptr(),
				KeepAlive:         datadogV2.SECURITYMONITORINGRULEKEEPALIVE_ONE_HOUR.Ptr(),
				MaxSignalDuration: datadogV2.SECURITYMONITORINGRULEMAXSIGNALDURATION_ONE_DAY.Ptr(),
			},
			Message:   "Test rule",
			Tags:      []string{},
			IsEnabled: true,
			Type:      datadogV2.SECURITYMONITORINGRULETYPECREATE_LOG_DETECTION.Ptr(),
		}}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.GetSuppressionsAffectingFutureRule(ctx, body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.GetSuppressionsAffectingFutureRule`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.GetSuppressionsAffectingFutureRule`:\n%s\n", responseContent)
}

Instructions

First install the library and its dependencies and then save the example to main.go and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
// Get suppressions affecting future rule returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleCaseCreate;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleCreatePayload;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleEvaluationWindow;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleKeepAlive;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleMaxSignalDuration;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleOptions;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleQueryAggregation;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleSeverity;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleTypeCreate;
import com.datadog.api.client.v2.model.SecurityMonitoringStandardRuleCreatePayload;
import com.datadog.api.client.v2.model.SecurityMonitoringStandardRuleQuery;
import com.datadog.api.client.v2.model.SecurityMonitoringSuppressionsResponse;
import java.util.Collections;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    SecurityMonitoringRuleCreatePayload body =
        new SecurityMonitoringRuleCreatePayload(
            new SecurityMonitoringStandardRuleCreatePayload()
                .name("Example-Security-Monitoring")
                .queries(
                    Collections.singletonList(
                        new SecurityMonitoringStandardRuleQuery()
                            .query("@test:true")
                            .aggregation(SecurityMonitoringRuleQueryAggregation.COUNT)))
                .cases(
                    Collections.singletonList(
                        new SecurityMonitoringRuleCaseCreate()
                            .name("")
                            .status(SecurityMonitoringRuleSeverity.INFO)
                            .condition("a > 0")))
                .options(
                    new SecurityMonitoringRuleOptions()
                        .evaluationWindow(SecurityMonitoringRuleEvaluationWindow.FIFTEEN_MINUTES)
                        .keepAlive(SecurityMonitoringRuleKeepAlive.ONE_HOUR)
                        .maxSignalDuration(SecurityMonitoringRuleMaxSignalDuration.ONE_DAY))
                .message("Test rule")
                .isEnabled(true)
                .type(SecurityMonitoringRuleTypeCreate.LOG_DETECTION));

    try {
      SecurityMonitoringSuppressionsResponse result =
          apiInstance.getSuppressionsAffectingFutureRule(body);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#getSuppressionsAffectingFutureRule");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

Instructions

First install the library and its dependencies and then save the example to Example.java and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"
"""
Get suppressions affecting future rule returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.security_monitoring_rule_case_create import SecurityMonitoringRuleCaseCreate
from datadog_api_client.v2.model.security_monitoring_rule_evaluation_window import (
    SecurityMonitoringRuleEvaluationWindow,
)
from datadog_api_client.v2.model.security_monitoring_rule_keep_alive import SecurityMonitoringRuleKeepAlive
from datadog_api_client.v2.model.security_monitoring_rule_max_signal_duration import (
    SecurityMonitoringRuleMaxSignalDuration,
)
from datadog_api_client.v2.model.security_monitoring_rule_options import SecurityMonitoringRuleOptions
from datadog_api_client.v2.model.security_monitoring_rule_query_aggregation import (
    SecurityMonitoringRuleQueryAggregation,
)
from datadog_api_client.v2.model.security_monitoring_rule_severity import SecurityMonitoringRuleSeverity
from datadog_api_client.v2.model.security_monitoring_rule_type_create import SecurityMonitoringRuleTypeCreate
from datadog_api_client.v2.model.security_monitoring_standard_rule_create_payload import (
    SecurityMonitoringStandardRuleCreatePayload,
)
from datadog_api_client.v2.model.security_monitoring_standard_rule_query import SecurityMonitoringStandardRuleQuery

body = SecurityMonitoringStandardRuleCreatePayload(
    name="Example-Security-Monitoring",
    queries=[
        SecurityMonitoringStandardRuleQuery(
            query="@test:true",
            aggregation=SecurityMonitoringRuleQueryAggregation.COUNT,
            group_by_fields=[],
            distinct_fields=[],
            metrics=[],
        ),
    ],
    filters=[],
    cases=[
        SecurityMonitoringRuleCaseCreate(
            name="",
            status=SecurityMonitoringRuleSeverity.INFO,
            condition="a > 0",
            notifications=[],
        ),
    ],
    options=SecurityMonitoringRuleOptions(
        evaluation_window=SecurityMonitoringRuleEvaluationWindow.FIFTEEN_MINUTES,
        keep_alive=SecurityMonitoringRuleKeepAlive.ONE_HOUR,
        max_signal_duration=SecurityMonitoringRuleMaxSignalDuration.ONE_DAY,
    ),
    message="Test rule",
    tags=[],
    is_enabled=True,
    type=SecurityMonitoringRuleTypeCreate.LOG_DETECTION,
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.get_suppressions_affecting_future_rule(body=body)

    print(response)

Instructions

First install the library and its dependencies and then save the example to example.py and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
# Get suppressions affecting future rule returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

body = DatadogAPIClient::V2::SecurityMonitoringStandardRuleCreatePayload.new({
  name: "Example-Security-Monitoring",
  queries: [
    DatadogAPIClient::V2::SecurityMonitoringStandardRuleQuery.new({
      query: "@test:true",
      aggregation: DatadogAPIClient::V2::SecurityMonitoringRuleQueryAggregation::COUNT,
      group_by_fields: [],
      distinct_fields: [],
      metrics: [],
    }),
  ],
  filters: [],
  cases: [
    DatadogAPIClient::V2::SecurityMonitoringRuleCaseCreate.new({
      name: "",
      status: DatadogAPIClient::V2::SecurityMonitoringRuleSeverity::INFO,
      condition: "a > 0",
      notifications: [],
    }),
  ],
  options: DatadogAPIClient::V2::SecurityMonitoringRuleOptions.new({
    evaluation_window: DatadogAPIClient::V2::SecurityMonitoringRuleEvaluationWindow::FIFTEEN_MINUTES,
    keep_alive: DatadogAPIClient::V2::SecurityMonitoringRuleKeepAlive::ONE_HOUR,
    max_signal_duration: DatadogAPIClient::V2::SecurityMonitoringRuleMaxSignalDuration::ONE_DAY,
  }),
  message: "Test rule",
  tags: [],
  is_enabled: true,
  type: DatadogAPIClient::V2::SecurityMonitoringRuleTypeCreate::LOG_DETECTION,
})
p api_instance.get_suppressions_affecting_future_rule(body)

Instructions

First install the library and its dependencies and then save the example to example.rb and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" rb "example.rb"
// Get suppressions affecting future rule returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleCaseCreate;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleCreatePayload;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleEvaluationWindow;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleKeepAlive;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleMaxSignalDuration;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleOptions;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleQueryAggregation;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleSeverity;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleTypeCreate;
use datadog_api_client::datadogV2::model::SecurityMonitoringStandardRuleCreatePayload;
use datadog_api_client::datadogV2::model::SecurityMonitoringStandardRuleQuery;

#[tokio::main]
async fn main() {
    let body =
        SecurityMonitoringRuleCreatePayload::SecurityMonitoringStandardRuleCreatePayload(Box::new(
            SecurityMonitoringStandardRuleCreatePayload::new(
                vec![
                    SecurityMonitoringRuleCaseCreate::new(SecurityMonitoringRuleSeverity::INFO)
                        .condition("a > 0".to_string())
                        .name("".to_string())
                        .notifications(vec![]),
                ],
                true,
                "Test rule".to_string(),
                "Example-Security-Monitoring".to_string(),
                SecurityMonitoringRuleOptions::new()
                    .evaluation_window(SecurityMonitoringRuleEvaluationWindow::FIFTEEN_MINUTES)
                    .keep_alive(SecurityMonitoringRuleKeepAlive::ONE_HOUR)
                    .max_signal_duration(SecurityMonitoringRuleMaxSignalDuration::ONE_DAY),
                vec![SecurityMonitoringStandardRuleQuery::new()
                    .aggregation(SecurityMonitoringRuleQueryAggregation::COUNT)
                    .distinct_fields(vec![])
                    .group_by_fields(vec![])
                    .metrics(vec![])
                    .query("@test:true".to_string())],
            )
            .filters(vec![])
            .tags(vec![])
            .type_(SecurityMonitoringRuleTypeCreate::LOG_DETECTION),
        ));
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api.get_suppressions_affecting_future_rule(body).await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}

Instructions

First install the library and its dependencies and then save the example to src/main.rs and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run
/**
 * Get suppressions affecting future rule returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiGetSuppressionsAffectingFutureRuleRequest =
  {
    body: {
      name: "Example-Security-Monitoring",
      queries: [
        {
          query: "@test:true",
          aggregation: "count",
          groupByFields: [],
          distinctFields: [],
          metrics: [],
        },
      ],
      filters: [],
      cases: [
        {
          name: "",
          status: "info",
          condition: "a > 0",
          notifications: [],
        },
      ],
      options: {
        evaluationWindow: 900,
        keepAlive: 3600,
        maxSignalDuration: 86400,
      },
      message: "Test rule",
      tags: [],
      isEnabled: true,
      type: "log_detection",
    },
  };

apiInstance
  .getSuppressionsAffectingFutureRule(params)
  .then((data: v2.SecurityMonitoringSuppressionsResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

Instructions

First install the library and its dependencies and then save the example to example.ts and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"

Update a suppression rule

PATCH https://api.ap1.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/{suppression_id}https://api.ap2.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/{suppression_id}https://api.datadoghq.eu/api/v2/security_monitoring/configuration/suppressions/{suppression_id}https://api.ddog-gov.com/api/v2/security_monitoring/configuration/suppressions/{suppression_id}https://api.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/{suppression_id}https://api.us3.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/{suppression_id}https://api.us5.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/{suppression_id}

Overview

Update a specific suppression rule.

OAuth apps require the security_monitoring_suppressions_write authorization scope to access this endpoint.

Arguments

Path Parameters

Name

Type

Description

suppression_id [required]

string

The ID of the suppression rule

Request

Body Data (required)

New definition of the suppression rule. Supports partial updates.

Expand All

Field

Type

Description

data [required]

object

The new suppression properties; partial updates are supported.

attributes [required]

object

The suppression rule properties to be updated.

data_exclusion_query

string

An exclusion query on the input data of the security rules, which could be logs, Agent events, or other types of data based on the security rule. Events matching this query are ignored by any detection rules referenced in the suppression rule.

description

string

A description for the suppression rule.

enabled

boolean

Whether the suppression rule is enabled.

expiration_date

int64

A Unix millisecond timestamp giving an expiration date for the suppression rule. After this date, it won't suppress signals anymore. If unset, the expiration date of the suppression rule is left untouched. If set to null, the expiration date is removed.

name

string

The name of the suppression rule.

rule_query

string

The rule query of the suppression rule, with the same syntax as the search bar for detection rules.

start_date

int64

A Unix millisecond timestamp giving the start date for the suppression rule. After this date, it starts suppressing signals. If unset, the start date of the suppression rule is left untouched. If set to null, the start date is removed.

suppression_query

string

The suppression query of the suppression rule. If a signal matches this query, it is suppressed and not triggered. Same syntax as the queries to search signals in the signal explorer.

version

int32

The current version of the suppression. This is optional, but it can help prevent concurrent modifications.

type [required]

enum

The type of the resource. The value should always be suppressions. Allowed enum values: suppressions

default: suppressions

{
  "data": {
    "attributes": {
      "suppression_query": "env:staging status:low"
    },
    "type": "suppressions"
  }
}

Response

OK

Response object containing a single suppression rule.

Expand All

Field

Type

Description

data

object

The suppression rule's properties.

attributes

object

The attributes of the suppression rule.

creation_date

int64

A Unix millisecond timestamp given the creation date of the suppression rule.

creator

object

A user.

handle

string

The handle of the user.

name

string

The name of the user.

data_exclusion_query

string

An exclusion query on the input data of the security rules, which could be logs, Agent events, or other types of data based on the security rule. Events matching this query are ignored by any detection rules referenced in the suppression rule.

description

string

A description for the suppression rule.

editable

boolean

Whether the suppression rule is editable.

enabled

boolean

Whether the suppression rule is enabled.

expiration_date

int64

A Unix millisecond timestamp giving an expiration date for the suppression rule. After this date, it won't suppress signals anymore.

name

string

The name of the suppression rule.

rule_query

string

The rule query of the suppression rule, with the same syntax as the search bar for detection rules.

start_date

int64

A Unix millisecond timestamp giving the start date for the suppression rule. After this date, it starts suppressing signals.

suppression_query

string

The suppression query of the suppression rule. If a signal matches this query, it is suppressed and not triggered. Same syntax as the queries to search signals in the signal explorer.

update_date

int64

A Unix millisecond timestamp given the update date of the suppression rule.

updater

object

A user.

handle

string

The handle of the user.

name

string

The name of the user.

version

int32

The version of the suppression rule; it starts at 1, and is incremented at each update.

id

string

The ID of the suppression rule.

type

enum

The type of the resource. The value should always be suppressions. Allowed enum values: suppressions

default: suppressions

{
  "data": {
    "attributes": {
      "creation_date": "integer",
      "creator": {
        "handle": "john.doe@datadoghq.com",
        "name": "John Doe"
      },
      "data_exclusion_query": "source:cloudtrail account_id:12345",
      "description": "This rule suppresses low-severity signals in staging environments.",
      "editable": true,
      "enabled": true,
      "expiration_date": 1703187336000,
      "name": "Custom suppression",
      "rule_query": "type:log_detection source:cloudtrail",
      "start_date": 1703187336000,
      "suppression_query": "env:staging status:low",
      "update_date": "integer",
      "updater": {
        "handle": "john.doe@datadoghq.com",
        "name": "John Doe"
      },
      "version": 42
    },
    "id": "3dd-0uc-h1s",
    "type": "suppressions"
  }
}

Bad Request

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Not Authorized

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Not Found

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Concurrent Modification

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Too many requests

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Code Example

                          # Path parameters
export suppression_id="CHANGE_ME"
# Curl command
curl -X PATCH "https://api.ap1.datadoghq.com"https://api.ap2.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/${suppression_id}" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "data": {
    "attributes": {
      "suppression_query": "env:staging status:low"
    },
    "type": "suppressions"
  }
}
EOF

                        
// Update a suppression rule returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	// there is a valid "suppression" in the system
	SuppressionDataID := os.Getenv("SUPPRESSION_DATA_ID")

	body := datadogV2.SecurityMonitoringSuppressionUpdateRequest{
		Data: datadogV2.SecurityMonitoringSuppressionUpdateData{
			Attributes: datadogV2.SecurityMonitoringSuppressionUpdateAttributes{
				SuppressionQuery: datadog.PtrString("env:staging status:low"),
			},
			Type: datadogV2.SECURITYMONITORINGSUPPRESSIONTYPE_SUPPRESSIONS,
		},
	}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.UpdateSecurityMonitoringSuppression(ctx, SuppressionDataID, body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.UpdateSecurityMonitoringSuppression`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.UpdateSecurityMonitoringSuppression`:\n%s\n", responseContent)
}

Instructions

First install the library and its dependencies and then save the example to main.go and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
// Update a suppression rule returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityMonitoringSuppressionResponse;
import com.datadog.api.client.v2.model.SecurityMonitoringSuppressionType;
import com.datadog.api.client.v2.model.SecurityMonitoringSuppressionUpdateAttributes;
import com.datadog.api.client.v2.model.SecurityMonitoringSuppressionUpdateData;
import com.datadog.api.client.v2.model.SecurityMonitoringSuppressionUpdateRequest;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    // there is a valid "suppression" in the system
    String SUPPRESSION_DATA_ID = System.getenv("SUPPRESSION_DATA_ID");

    SecurityMonitoringSuppressionUpdateRequest body =
        new SecurityMonitoringSuppressionUpdateRequest()
            .data(
                new SecurityMonitoringSuppressionUpdateData()
                    .attributes(
                        new SecurityMonitoringSuppressionUpdateAttributes()
                            .suppressionQuery("env:staging status:low"))
                    .type(SecurityMonitoringSuppressionType.SUPPRESSIONS));

    try {
      SecurityMonitoringSuppressionResponse result =
          apiInstance.updateSecurityMonitoringSuppression(SUPPRESSION_DATA_ID, body);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#updateSecurityMonitoringSuppression");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

Instructions

First install the library and its dependencies and then save the example to Example.java and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"
"""
Update a suppression rule returns "OK" response
"""

from os import environ
from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.security_monitoring_suppression_type import SecurityMonitoringSuppressionType
from datadog_api_client.v2.model.security_monitoring_suppression_update_attributes import (
    SecurityMonitoringSuppressionUpdateAttributes,
)
from datadog_api_client.v2.model.security_monitoring_suppression_update_data import (
    SecurityMonitoringSuppressionUpdateData,
)
from datadog_api_client.v2.model.security_monitoring_suppression_update_request import (
    SecurityMonitoringSuppressionUpdateRequest,
)

# there is a valid "suppression" in the system
SUPPRESSION_DATA_ID = environ["SUPPRESSION_DATA_ID"]

body = SecurityMonitoringSuppressionUpdateRequest(
    data=SecurityMonitoringSuppressionUpdateData(
        attributes=SecurityMonitoringSuppressionUpdateAttributes(
            suppression_query="env:staging status:low",
        ),
        type=SecurityMonitoringSuppressionType.SUPPRESSIONS,
    ),
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.update_security_monitoring_suppression(suppression_id=SUPPRESSION_DATA_ID, body=body)

    print(response)

Instructions

First install the library and its dependencies and then save the example to example.py and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
# Update a suppression rule returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

# there is a valid "suppression" in the system
SUPPRESSION_DATA_ID = ENV["SUPPRESSION_DATA_ID"]

body = DatadogAPIClient::V2::SecurityMonitoringSuppressionUpdateRequest.new({
  data: DatadogAPIClient::V2::SecurityMonitoringSuppressionUpdateData.new({
    attributes: DatadogAPIClient::V2::SecurityMonitoringSuppressionUpdateAttributes.new({
      suppression_query: "env:staging status:low",
    }),
    type: DatadogAPIClient::V2::SecurityMonitoringSuppressionType::SUPPRESSIONS,
  }),
})
p api_instance.update_security_monitoring_suppression(SUPPRESSION_DATA_ID, body)

Instructions

First install the library and its dependencies and then save the example to example.rb and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" rb "example.rb"
// Update a suppression rule returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::SecurityMonitoringSuppressionType;
use datadog_api_client::datadogV2::model::SecurityMonitoringSuppressionUpdateAttributes;
use datadog_api_client::datadogV2::model::SecurityMonitoringSuppressionUpdateData;
use datadog_api_client::datadogV2::model::SecurityMonitoringSuppressionUpdateRequest;

#[tokio::main]
async fn main() {
    // there is a valid "suppression" in the system
    let suppression_data_id = std::env::var("SUPPRESSION_DATA_ID").unwrap();
    let body = SecurityMonitoringSuppressionUpdateRequest::new(
        SecurityMonitoringSuppressionUpdateData::new(
            SecurityMonitoringSuppressionUpdateAttributes::new()
                .suppression_query("env:staging status:low".to_string()),
            SecurityMonitoringSuppressionType::SUPPRESSIONS,
        ),
    );
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api
        .update_security_monitoring_suppression(suppression_data_id.clone(), body)
        .await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}

Instructions

First install the library and its dependencies and then save the example to src/main.rs and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run
/**
 * Update a suppression rule returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

// there is a valid "suppression" in the system
const SUPPRESSION_DATA_ID = process.env.SUPPRESSION_DATA_ID as string;

const params: v2.SecurityMonitoringApiUpdateSecurityMonitoringSuppressionRequest =
  {
    body: {
      data: {
        attributes: {
          suppressionQuery: "env:staging status:low",
        },
        type: "suppressions",
      },
    },
    suppressionId: SUPPRESSION_DATA_ID,
  };

apiInstance
  .updateSecurityMonitoringSuppression(params)
  .then((data: v2.SecurityMonitoringSuppressionResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

Instructions

First install the library and its dependencies and then save the example to example.ts and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"

Validate a suppression rule

POST https://api.ap1.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/validationhttps://api.ap2.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/validationhttps://api.datadoghq.eu/api/v2/security_monitoring/configuration/suppressions/validationhttps://api.ddog-gov.com/api/v2/security_monitoring/configuration/suppressions/validationhttps://api.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/validationhttps://api.us3.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/validationhttps://api.us5.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/validation

Overview

Validate a suppression rule. This endpoint requires the security_monitoring_suppressions_write permission.

OAuth apps require the security_monitoring_suppressions_write authorization scope to access this endpoint.

Request

Body Data (required)

Expand All

Field

Type

Description

data [required]

object

Object for a single suppression rule.

attributes [required]

object

Object containing the attributes of the suppression rule to be created.

data_exclusion_query

string

An exclusion query on the input data of the security rules, which could be logs, Agent events, or other types of data based on the security rule. Events matching this query are ignored by any detection rules referenced in the suppression rule.

description

string

A description for the suppression rule.

enabled [required]

boolean

Whether the suppression rule is enabled.

expiration_date

int64

A Unix millisecond timestamp giving an expiration date for the suppression rule. After this date, it won't suppress signals anymore.

name [required]

string

The name of the suppression rule.

rule_query [required]

string

The rule query of the suppression rule, with the same syntax as the search bar for detection rules.

start_date

int64

A Unix millisecond timestamp giving the start date for the suppression rule. After this date, it starts suppressing signals.

suppression_query

string

The suppression query of the suppression rule. If a signal matches this query, it is suppressed and is not triggered. It uses the same syntax as the queries to search signals in the Signals Explorer.

type [required]

enum

The type of the resource. The value should always be suppressions. Allowed enum values: suppressions

default: suppressions

{
  "data": {
    "attributes": {
      "data_exclusion_query": "source:cloudtrail account_id:12345",
      "description": "This rule suppresses low-severity signals in staging environments.",
      "enabled": true,
      "name": "Custom suppression",
      "rule_query": "type:log_detection source:cloudtrail"
    },
    "type": "suppressions"
  }
}

Response

OK

Bad Request

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Not Authorized

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Too many requests

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Code Example

                          # Curl command
curl -X POST "https://api.ap1.datadoghq.com"https://api.ap2.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/validation" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "data": {
    "attributes": {
      "data_exclusion_query": "source:cloudtrail account_id:12345",
      "description": "This rule suppresses low-severity signals in staging environments.",
      "enabled": true,
      "name": "Custom suppression",
      "rule_query": "type:log_detection source:cloudtrail"
    },
    "type": "suppressions"
  }
}
EOF

                        
// Validate a suppression rule returns "OK" response

package main

import (
	"context"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	body := datadogV2.SecurityMonitoringSuppressionCreateRequest{
		Data: datadogV2.SecurityMonitoringSuppressionCreateData{
			Attributes: datadogV2.SecurityMonitoringSuppressionCreateAttributes{
				DataExclusionQuery: datadog.PtrString("source:cloudtrail account_id:12345"),
				Description:        datadog.PtrString("This rule suppresses low-severity signals in staging environments."),
				Enabled:            true,
				Name:               "Custom suppression",
				RuleQuery:          "type:log_detection source:cloudtrail",
			},
			Type: datadogV2.SECURITYMONITORINGSUPPRESSIONTYPE_SUPPRESSIONS,
		},
	}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	r, err := api.ValidateSecurityMonitoringSuppression(ctx, body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.ValidateSecurityMonitoringSuppression`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}
}

Instructions

First install the library and its dependencies and then save the example to main.go and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
// Validate a suppression rule returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityMonitoringSuppressionCreateAttributes;
import com.datadog.api.client.v2.model.SecurityMonitoringSuppressionCreateData;
import com.datadog.api.client.v2.model.SecurityMonitoringSuppressionCreateRequest;
import com.datadog.api.client.v2.model.SecurityMonitoringSuppressionType;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    SecurityMonitoringSuppressionCreateRequest body =
        new SecurityMonitoringSuppressionCreateRequest()
            .data(
                new SecurityMonitoringSuppressionCreateData()
                    .attributes(
                        new SecurityMonitoringSuppressionCreateAttributes()
                            .dataExclusionQuery("source:cloudtrail account_id:12345")
                            .description(
                                "This rule suppresses low-severity signals in staging"
                                    + " environments.")
                            .enabled(true)
                            .name("Custom suppression")
                            .ruleQuery("type:log_detection source:cloudtrail"))
                    .type(SecurityMonitoringSuppressionType.SUPPRESSIONS));

    try {
      apiInstance.validateSecurityMonitoringSuppression(body);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#validateSecurityMonitoringSuppression");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

Instructions

First install the library and its dependencies and then save the example to Example.java and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"
"""
Validate a suppression rule returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.security_monitoring_suppression_create_attributes import (
    SecurityMonitoringSuppressionCreateAttributes,
)
from datadog_api_client.v2.model.security_monitoring_suppression_create_data import (
    SecurityMonitoringSuppressionCreateData,
)
from datadog_api_client.v2.model.security_monitoring_suppression_create_request import (
    SecurityMonitoringSuppressionCreateRequest,
)
from datadog_api_client.v2.model.security_monitoring_suppression_type import SecurityMonitoringSuppressionType

body = SecurityMonitoringSuppressionCreateRequest(
    data=SecurityMonitoringSuppressionCreateData(
        attributes=SecurityMonitoringSuppressionCreateAttributes(
            data_exclusion_query="source:cloudtrail account_id:12345",
            description="This rule suppresses low-severity signals in staging environments.",
            enabled=True,
            name="Custom suppression",
            rule_query="type:log_detection source:cloudtrail",
        ),
        type=SecurityMonitoringSuppressionType.SUPPRESSIONS,
    ),
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    api_instance.validate_security_monitoring_suppression(body=body)

Instructions

First install the library and its dependencies and then save the example to example.py and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
# Validate a suppression rule returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

body = DatadogAPIClient::V2::SecurityMonitoringSuppressionCreateRequest.new({
  data: DatadogAPIClient::V2::SecurityMonitoringSuppressionCreateData.new({
    attributes: DatadogAPIClient::V2::SecurityMonitoringSuppressionCreateAttributes.new({
      data_exclusion_query: "source:cloudtrail account_id:12345",
      description: "This rule suppresses low-severity signals in staging environments.",
      enabled: true,
      name: "Custom suppression",
      rule_query: "type:log_detection source:cloudtrail",
    }),
    type: DatadogAPIClient::V2::SecurityMonitoringSuppressionType::SUPPRESSIONS,
  }),
})
api_instance.validate_security_monitoring_suppression(body)

Instructions

First install the library and its dependencies and then save the example to example.rb and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" rb "example.rb"
// Validate a suppression rule returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::SecurityMonitoringSuppressionCreateAttributes;
use datadog_api_client::datadogV2::model::SecurityMonitoringSuppressionCreateData;
use datadog_api_client::datadogV2::model::SecurityMonitoringSuppressionCreateRequest;
use datadog_api_client::datadogV2::model::SecurityMonitoringSuppressionType;

#[tokio::main]
async fn main() {
    let body = SecurityMonitoringSuppressionCreateRequest::new(
        SecurityMonitoringSuppressionCreateData::new(
            SecurityMonitoringSuppressionCreateAttributes::new(
                true,
                "Custom suppression".to_string(),
                "type:log_detection source:cloudtrail".to_string(),
            )
            .data_exclusion_query("source:cloudtrail account_id:12345".to_string())
            .description(
                "This rule suppresses low-severity signals in staging environments.".to_string(),
            ),
            SecurityMonitoringSuppressionType::SUPPRESSIONS,
        ),
    );
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api.validate_security_monitoring_suppression(body).await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}

Instructions

First install the library and its dependencies and then save the example to src/main.rs and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run
/**
 * Validate a suppression rule returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiValidateSecurityMonitoringSuppressionRequest =
  {
    body: {
      data: {
        attributes: {
          dataExclusionQuery: "source:cloudtrail account_id:12345",
          description:
            "This rule suppresses low-severity signals in staging environments.",
          enabled: true,
          name: "Custom suppression",
          ruleQuery: "type:log_detection source:cloudtrail",
        },
        type: "suppressions",
      },
    },
  };

apiInstance
  .validateSecurityMonitoringSuppression(params)
  .then((data: any) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

Instructions

First install the library and its dependencies and then save the example to example.ts and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"

List findings

Note: This endpoint is in public beta. If you have any feedback, contact Datadog support.

GET https://api.ap1.datadoghq.com/api/v2/posture_management/findingshttps://api.ap2.datadoghq.com/api/v2/posture_management/findingshttps://api.datadoghq.eu/api/v2/posture_management/findingshttps://api.ddog-gov.com/api/v2/posture_management/findingshttps://api.datadoghq.com/api/v2/posture_management/findingshttps://api.us3.datadoghq.com/api/v2/posture_management/findingshttps://api.us5.datadoghq.com/api/v2/posture_management/findings

Overview

Get a list of findings. These include both misconfigurations and identity risks.

Note: To filter and return only identity risks, add the following query parameter: ?filter[tags]=dd_rule_type:ciem

Filtering

Filters can be applied by appending query parameters to the URL.

  • Using a single filter: ?filter[attribute_key]=attribute_value
  • Chaining filters: ?filter[attribute_key]=attribute_value&filter[attribute_key]=attribute_value...
  • Filtering on tags: ?filter[tags]=tag_key:tag_value&filter[tags]=tag_key_2:tag_value_2

Here, attribute_key can be any of the filter keys described further below.

Query parameters of type integer support comparison operators (>, >=, <, <=). This is particularly useful when filtering by evaluation_changed_at or resource_discovery_timestamp. For example: ?filter[evaluation_changed_at]=>20123123121.

You can also use the negation operator on strings. For example, use filter[resource_type]=-aws* to filter for any non-AWS resources.

The operator must come after the equal sign. For example, to filter with the >= operator, add the operator after the equal sign: filter[evaluation_changed_at]=>=1678809373257.

Query parameters must be only among the documented ones and with values of correct types. Duplicated query parameters (e.g. filter[status]=low&filter[status]=info) are not allowed.

Additional extension fields

Additional extension fields are available for some findings.

The data is available when you include the query parameter ?detailed_findings=true in the request.

The following fields are available for findings:

  • external_id: The resource external ID related to the finding.
  • description: The description and remediation steps for the finding.
  • datadog_link: The Datadog relative link for the finding.
  • ip_addresses: The list of private IP addresses for the resource related to the finding.

Response

The response includes an array of finding objects, pagination metadata, and a count of items that match the query.

Each finding object contains the following:

  • The finding ID that can be used in a GetFinding request to retrieve the full finding details.
  • Core attributes, including status, evaluation, high-level resource details, muted state, and rule details.
  • evaluation_changed_at and resource_discovery_date time stamps.
  • An array of associated tags.

OAuth apps require the security_monitoring_findings_read authorization scope to access this endpoint.

Arguments

Query Strings

Name

Type

Description

page[limit]

integer

Limit the number of findings returned. Must be <= 1000.

snapshot_timestamp

integer

Return findings for a given snapshot of time (Unix ms).

page[cursor]

string

Return the next page of findings pointed to by the cursor.

filter[tags]

string

Return findings that have these associated tags (repeatable).

filter[evaluation_changed_at]

string

Return findings that have changed from pass to fail or vice versa on a specified date (Unix ms) or date range (using comparison operators).

filter[muted]

boolean

Set to true to return findings that are muted. Set to false to return unmuted findings.

filter[rule_id]

string

Return findings for the specified rule ID.

filter[rule_name]

string

Return findings for the specified rule.

filter[resource_type]

string

Return only findings for the specified resource type.

filter[@resource_id]

string

Return only findings for the specified resource id.

filter[discovery_timestamp]

string

Return findings that were found on a specified date (Unix ms) or date range (using comparison operators).

filter[evaluation]

enum

Return only pass or fail findings.
Allowed enum values: pass, fail

filter[status]

enum

Return only findings with the specified status.
Allowed enum values: critical, high, medium, low, info

filter[vulnerability_type]

array

Return findings that match the selected vulnerability types (repeatable).

detailed_findings

boolean

Return additional fields for some findings.

Response

OK

The expected response schema when listing findings.

Expand All

Field

Type

Description

data [required]

[object]

Array of findings.

attributes

object

The JSON:API attributes of the finding.

datadog_link

string

The Datadog relative link for this finding.

description

string

The description and remediation steps for this finding.

evaluation

enum

The evaluation of the finding. Allowed enum values: pass,fail

evaluation_changed_at

int64

The date on which the evaluation for this finding changed (Unix ms).

external_id

string

The cloud-based ID for the resource related to the finding.

mute

object

Information about the mute status of this finding.

description

string

Additional information about the reason why this finding is muted or unmuted.

expiration_date

int64

The expiration date of the mute or unmute action (Unix ms).

muted

boolean

Whether this finding is muted or unmuted.

reason

enum

The reason why this finding is muted or unmuted. Allowed enum values: PENDING_FIX,FALSE_POSITIVE,ACCEPTED_RISK,NO_PENDING_FIX,HUMAN_ERROR,NO_LONGER_ACCEPTED_RISK,OTHER

start_date

int64

The start of the mute period.

uuid

string

The ID of the user who muted or unmuted this finding.

resource

string

The resource name of this finding.

resource_discovery_date

int64

The date on which the resource was discovered (Unix ms).

resource_type

string

The resource type of this finding.

rule

object

The rule that triggered this finding.

id

string

The ID of the rule that triggered this finding.

name

string

The name of the rule that triggered this finding.

status

enum

The status of the finding. Allowed enum values: critical,high,medium,low,info

tags

[string]

The tags associated with this finding.

vulnerability_type

enum

The vulnerability type of the finding. Allowed enum values: misconfiguration,attack_path,identity_risk,api_security

id

string

The unique ID for this finding.

type

enum

The JSON:API type for findings. Allowed enum values: finding

default: finding

meta [required]

object

Metadata for pagination.

page

object

Pagination and findings count information.

cursor

string

The cursor used to paginate requests.

total_filtered_count

int64

The total count of findings after the filter has been applied.

snapshot_timestamp

int64

The point in time corresponding to the listed findings.

{
  "data": [
    {
      "attributes": {
        "datadog_link": "/security/compliance?panels=cpfinding%7Cevent%7CruleId%3Adef-000-u5t%7CresourceId%3Ae8c9ab7c52ebd7bf2fdb4db641082d7d%7CtabId%3Aoverview",
        "description": "## Remediation\n\n1. In the console, go to **Storage Account**.\n2. For each Storage Account, navigate to **Data Protection**.\n3. Select **Set soft delete enabled** and enter the number of days to retain soft deleted data.",
        "evaluation": "pass",
        "evaluation_changed_at": 1678721573794,
        "external_id": "arn:aws:s3:::my-example-bucket",
        "mute": {
          "description": "To be resolved later",
          "expiration_date": 1778721573794,
          "muted": true,
          "reason": "ACCEPTED_RISK",
          "start_date": 1678721573794,
          "uuid": "e51c9744-d158-11ec-ad23-da7ad0900002"
        },
        "resource": "my_resource_name",
        "resource_discovery_date": 1678721573794,
        "resource_type": "azure_storage_account",
        "rule": {
          "id": "dv2-jzf-41i",
          "name": "Soft delete is enabled for Azure Storage"
        },
        "status": "critical",
        "tags": [
          "cloud_provider:aws",
          "myTag:myValue"
        ],
        "vulnerability_type": "misconfiguration"
      },
      "id": "ZGVmLTAwcC1pZXJ-aS0wZjhjNjMyZDNmMzRlZTgzNw==",
      "type": "finding"
    }
  ],
  "meta": {
    "page": {
      "cursor": "eyJhZnRlciI6IkFRQUFBWWJiaEJXQS1OY1dqUUFBQUFCQldXSmlhRUpYUVVGQlJFSktkbTlDTUdaWFRVbDNRVUUiLCJ2YWx1ZXMiOlsiY3JpdGljYWwiXX0=",
      "total_filtered_count": 213
    },
    "snapshot_timestamp": 1678721573794
  }
}

Bad Request: The server cannot process the request due to invalid syntax in the request.

API error response.

Expand All

Field

Type

Description

errors [required]

[object]

A list of errors.

detail

string

A human-readable explanation specific to this occurrence of the error.

meta

object

Non-standard meta-information about the error

source

object

References to the source of the error.

header

string

A string indicating the name of a single request header which caused the error.

parameter

string

A string indicating which URI query parameter caused the error.

pointer

string

A JSON pointer to the value in the request document that caused the error.

status

string

Status code of the response.

title

string

Short human-readable summary of the error.

{
  "errors": [
    {
      "detail": "Missing required attribute in body",
      "meta": {},
      "source": {
        "header": "Authorization",
        "parameter": "limit",
        "pointer": "/data/attributes/title"
      },
      "status": "400",
      "title": "Bad Request"
    }
  ]
}

Forbidden: Access denied

API error response.

Expand All

Field

Type

Description

errors [required]

[object]

A list of errors.

detail

string

A human-readable explanation specific to this occurrence of the error.

meta

object

Non-standard meta-information about the error

source

object

References to the source of the error.

header

string

A string indicating the name of a single request header which caused the error.

parameter

string

A string indicating which URI query parameter caused the error.

pointer

string

A JSON pointer to the value in the request document that caused the error.

status

string

Status code of the response.

title

string

Short human-readable summary of the error.

{
  "errors": [
    {
      "detail": "Missing required attribute in body",
      "meta": {},
      "source": {
        "header": "Authorization",
        "parameter": "limit",
        "pointer": "/data/attributes/title"
      },
      "status": "400",
      "title": "Bad Request"
    }
  ]
}

Not Found: The requested finding cannot be found.

API error response.

Expand All

Field

Type

Description

errors [required]

[object]

A list of errors.

detail

string

A human-readable explanation specific to this occurrence of the error.

meta

object

Non-standard meta-information about the error

source

object

References to the source of the error.

header

string

A string indicating the name of a single request header which caused the error.

parameter

string

A string indicating which URI query parameter caused the error.

pointer

string

A JSON pointer to the value in the request document that caused the error.

status

string

Status code of the response.

title

string

Short human-readable summary of the error.

{
  "errors": [
    {
      "detail": "Missing required attribute in body",
      "meta": {},
      "source": {
        "header": "Authorization",
        "parameter": "limit",
        "pointer": "/data/attributes/title"
      },
      "status": "400",
      "title": "Bad Request"
    }
  ]
}

Too many requests: The rate limit set by the API has been exceeded.

API error response.

Expand All

Field

Type

Description

errors [required]

[object]

A list of errors.

detail

string

A human-readable explanation specific to this occurrence of the error.

meta

object

Non-standard meta-information about the error

source

object

References to the source of the error.

header

string

A string indicating the name of a single request header which caused the error.

parameter

string

A string indicating which URI query parameter caused the error.

pointer

string

A JSON pointer to the value in the request document that caused the error.

status

string

Status code of the response.

title

string

Short human-readable summary of the error.

{
  "errors": [
    {
      "detail": "Missing required attribute in body",
      "meta": {},
      "source": {
        "header": "Authorization",
        "parameter": "limit",
        "pointer": "/data/attributes/title"
      },
      "status": "400",
      "title": "Bad Request"
    }
  ]
}

Code Example

                  # Curl command
curl -X GET "https://api.ap1.datadoghq.com"https://api.ap2.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/posture_management/findings" \
-H "Accept: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"

                
"""
List findings returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi

configuration = Configuration()
configuration.unstable_operations["list_findings"] = True
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.list_findings()

    print(response)

Instructions

First install the library and its dependencies and then save the example to example.py and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
# List findings returns "OK" response

require "datadog_api_client"
DatadogAPIClient.configure do |config|
  config.unstable_operations["v2.list_findings".to_sym] = true
end
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new
p api_instance.list_findings()

Instructions

First install the library and its dependencies and then save the example to example.rb and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" rb "example.rb"
// List findings returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	configuration.SetUnstableOperationEnabled("v2.ListFindings", true)
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.ListFindings(ctx, *datadogV2.NewListFindingsOptionalParameters())

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.ListFindings`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.ListFindings`:\n%s\n", responseContent)
}

Instructions

First install the library and its dependencies and then save the example to main.go and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
// List findings returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.ListFindingsResponse;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    defaultClient.setUnstableOperationEnabled("v2.listFindings", true);
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    try {
      ListFindingsResponse result = apiInstance.listFindings();
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println("Exception when calling SecurityMonitoringApi#listFindings");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

Instructions

First install the library and its dependencies and then save the example to Example.java and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"
// List findings returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::ListFindingsOptionalParams;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;

#[tokio::main]
async fn main() {
    let mut configuration = datadog::Configuration::new();
    configuration.set_unstable_operation_enabled("v2.ListFindings", true);
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api
        .list_findings(ListFindingsOptionalParams::default())
        .await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}

Instructions

First install the library and its dependencies and then save the example to src/main.rs and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run
/**
 * List findings returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
configuration.unstableOperations["v2.listFindings"] = true;
const apiInstance = new v2.SecurityMonitoringApi(configuration);

apiInstance
  .listFindings()
  .then((data: v2.ListFindingsResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

Instructions

First install the library and its dependencies and then save the example to example.ts and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"

Get a finding

Note: This endpoint is in public beta. If you have any feedback, contact Datadog support.

GET https://api.ap1.datadoghq.com/api/v2/posture_management/findings/{finding_id}https://api.ap2.datadoghq.com/api/v2/posture_management/findings/{finding_id}https://api.datadoghq.eu/api/v2/posture_management/findings/{finding_id}https://api.ddog-gov.com/api/v2/posture_management/findings/{finding_id}https://api.datadoghq.com/api/v2/posture_management/findings/{finding_id}https://api.us3.datadoghq.com/api/v2/posture_management/findings/{finding_id}https://api.us5.datadoghq.com/api/v2/posture_management/findings/{finding_id}

Overview

Returns a single finding with message and resource configuration.

OAuth apps require the security_monitoring_findings_read authorization scope to access this endpoint.

Arguments

Path Parameters

Name

Type

Description

finding_id [required]

string

The ID of the finding.

Query Strings

Name

Type

Description

snapshot_timestamp

integer

Return the finding for a given snapshot of time (Unix ms).

Response

OK

The expected response schema when getting a finding.

Expand All

Field

Type

Description

data [required]

object

A single finding with with message and resource configuration.

attributes

object

The JSON:API attributes of the detailed finding.

evaluation

enum

The evaluation of the finding. Allowed enum values: pass,fail

evaluation_changed_at

int64

The date on which the evaluation for this finding changed (Unix ms).

message

string

The remediation message for this finding.

mute

object

Information about the mute status of this finding.

description

string

Additional information about the reason why this finding is muted or unmuted.

expiration_date

int64

The expiration date of the mute or unmute action (Unix ms).

muted

boolean

Whether this finding is muted or unmuted.

reason

enum

The reason why this finding is muted or unmuted. Allowed enum values: PENDING_FIX,FALSE_POSITIVE,ACCEPTED_RISK,NO_PENDING_FIX,HUMAN_ERROR,NO_LONGER_ACCEPTED_RISK,OTHER

start_date

int64

The start of the mute period.

uuid

string

The ID of the user who muted or unmuted this finding.

resource

string

The resource name of this finding.

resource_configuration

object

The resource configuration for this finding.

resource_discovery_date

int64

The date on which the resource was discovered (Unix ms).

resource_type

string

The resource type of this finding.

rule

object

The rule that triggered this finding.

id

string

The ID of the rule that triggered this finding.

name

string

The name of the rule that triggered this finding.

status

enum

The status of the finding. Allowed enum values: critical,high,medium,low,info

tags

[string]

The tags associated with this finding.

id

string

The unique ID for this finding.

type

enum

The JSON:API type for findings that have the message and resource configuration. Allowed enum values: detailed_finding

default: detailed_finding

{
  "data": {
    "attributes": {
      "evaluation": "pass",
      "evaluation_changed_at": 1678721573794,
      "message": "## Remediation\n\n### From the console\n\n1. Go to Storage Account\n2. For each Storage Account, navigate to Data Protection\n3. Select Set soft delete enabled and enter the number of days to retain soft deleted data.",
      "mute": {
        "description": "To be resolved later",
        "expiration_date": 1778721573794,
        "muted": true,
        "reason": "ACCEPTED_RISK",
        "start_date": 1678721573794,
        "uuid": "e51c9744-d158-11ec-ad23-da7ad0900002"
      },
      "resource": "my_resource_name",
      "resource_configuration": {},
      "resource_discovery_date": 1678721573794,
      "resource_type": "azure_storage_account",
      "rule": {
        "id": "dv2-jzf-41i",
        "name": "Soft delete is enabled for Azure Storage"
      },
      "status": "critical",
      "tags": [
        "cloud_provider:aws",
        "myTag:myValue"
      ]
    },
    "id": "ZGVmLTAwcC1pZXJ-aS0wZjhjNjMyZDNmMzRlZTgzNw==",
    "type": "detailed_finding"
  }
}

Bad Request: The server cannot process the request due to invalid syntax in the request.

API error response.

Expand All

Field

Type

Description

errors [required]

[object]

A list of errors.

detail

string

A human-readable explanation specific to this occurrence of the error.

meta

object

Non-standard meta-information about the error

source

object

References to the source of the error.

header

string

A string indicating the name of a single request header which caused the error.

parameter

string

A string indicating which URI query parameter caused the error.

pointer

string

A JSON pointer to the value in the request document that caused the error.

status

string

Status code of the response.

title

string

Short human-readable summary of the error.

{
  "errors": [
    {
      "detail": "Missing required attribute in body",
      "meta": {},
      "source": {
        "header": "Authorization",
        "parameter": "limit",
        "pointer": "/data/attributes/title"
      },
      "status": "400",
      "title": "Bad Request"
    }
  ]
}

Forbidden: Access denied

API error response.

Expand All

Field

Type

Description

errors [required]

[object]

A list of errors.

detail

string

A human-readable explanation specific to this occurrence of the error.

meta

object

Non-standard meta-information about the error

source

object

References to the source of the error.

header

string

A string indicating the name of a single request header which caused the error.

parameter

string

A string indicating which URI query parameter caused the error.

pointer

string

A JSON pointer to the value in the request document that caused the error.

status

string

Status code of the response.

title

string

Short human-readable summary of the error.

{
  "errors": [
    {
      "detail": "Missing required attribute in body",
      "meta": {},
      "source": {
        "header": "Authorization",
        "parameter": "limit",
        "pointer": "/data/attributes/title"
      },
      "status": "400",
      "title": "Bad Request"
    }
  ]
}

Not Found: The requested finding cannot be found.

API error response.

Expand All

Field

Type

Description

errors [required]

[object]

A list of errors.

detail

string

A human-readable explanation specific to this occurrence of the error.

meta

object

Non-standard meta-information about the error

source

object

References to the source of the error.

header

string

A string indicating the name of a single request header which caused the error.

parameter

string

A string indicating which URI query parameter caused the error.

pointer

string

A JSON pointer to the value in the request document that caused the error.

status

string

Status code of the response.

title

string

Short human-readable summary of the error.

{
  "errors": [
    {
      "detail": "Missing required attribute in body",
      "meta": {},
      "source": {
        "header": "Authorization",
        "parameter": "limit",
        "pointer": "/data/attributes/title"
      },
      "status": "400",
      "title": "Bad Request"
    }
  ]
}

Too many requests: The rate limit set by the API has been exceeded.

API error response.

Expand All

Field

Type

Description

errors [required]

[object]

A list of errors.

detail

string

A human-readable explanation specific to this occurrence of the error.

meta

object

Non-standard meta-information about the error

source

object

References to the source of the error.

header

string

A string indicating the name of a single request header which caused the error.

parameter

string

A string indicating which URI query parameter caused the error.

pointer

string

A JSON pointer to the value in the request document that caused the error.

status

string

Status code of the response.

title

string

Short human-readable summary of the error.

{
  "errors": [
    {
      "detail": "Missing required attribute in body",
      "meta": {},
      "source": {
        "header": "Authorization",
        "parameter": "limit",
        "pointer": "/data/attributes/title"
      },
      "status": "400",
      "title": "Bad Request"
    }
  ]
}

Code Example

                  # Path parameters
export finding_id="CHANGE_ME"
# Curl command
curl -X GET "https://api.ap1.datadoghq.com"https://api.ap2.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/posture_management/findings/${finding_id}" \
-H "Accept: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"

                
"""
Get a finding returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi

configuration = Configuration()
configuration.unstable_operations["get_finding"] = True
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.get_finding(
        finding_id="AgAAAYd59gjghzF52gAAAAAAAAAYAAAAAEFZZDU5Z2pnQUFCRTRvV1lFeEo4SlFBQQAAACQAAAAAMDE4NzdhMDEtMDRiYS00NTZlLWFmMzMtNTIxNmNkNjVlNDMz",
    )

    print(response)

Instructions

First install the library and its dependencies and then save the example to example.py and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
# Get a finding returns "OK" response

require "datadog_api_client"
DatadogAPIClient.configure do |config|
  config.unstable_operations["v2.get_finding".to_sym] = true
end
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new
p api_instance.get_finding("AgAAAYd59gjghzF52gAAAAAAAAAYAAAAAEFZZDU5Z2pnQUFCRTRvV1lFeEo4SlFBQQAAACQAAAAAMDE4NzdhMDEtMDRiYS00NTZlLWFmMzMtNTIxNmNkNjVlNDMz")

Instructions

First install the library and its dependencies and then save the example to example.rb and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" rb "example.rb"
// Get a finding returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	configuration.SetUnstableOperationEnabled("v2.GetFinding", true)
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.GetFinding(ctx, "AgAAAYd59gjghzF52gAAAAAAAAAYAAAAAEFZZDU5Z2pnQUFCRTRvV1lFeEo4SlFBQQAAACQAAAAAMDE4NzdhMDEtMDRiYS00NTZlLWFmMzMtNTIxNmNkNjVlNDMz", *datadogV2.NewGetFindingOptionalParameters())

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.GetFinding`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.GetFinding`:\n%s\n", responseContent)
}

Instructions

First install the library and its dependencies and then save the example to main.go and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
// Get a finding returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.GetFindingResponse;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    defaultClient.setUnstableOperationEnabled("v2.getFinding", true);
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    try {
      GetFindingResponse result =
          apiInstance.getFinding(
              "AgAAAYd59gjghzF52gAAAAAAAAAYAAAAAEFZZDU5Z2pnQUFCRTRvV1lFeEo4SlFBQQAAACQAAAAAMDE4NzdhMDEtMDRiYS00NTZlLWFmMzMtNTIxNmNkNjVlNDMz");
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println("Exception when calling SecurityMonitoringApi#getFinding");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

Instructions

First install the library and its dependencies and then save the example to Example.java and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"
// Get a finding returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::GetFindingOptionalParams;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;

#[tokio::main]
async fn main() {
    let mut configuration = datadog::Configuration::new();
    configuration.set_unstable_operation_enabled("v2.GetFinding", true);
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp =
        api
            .get_finding(
                "AgAAAYd59gjghzF52gAAAAAAAAAYAAAAAEFZZDU5Z2pnQUFCRTRvV1lFeEo4SlFBQQAAACQAAAAAMDE4NzdhMDEtMDRiYS00NTZlLWFmMzMtNTIxNmNkNjVlNDMz".to_string(),
                GetFindingOptionalParams::default(),
            )
            .await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}

Instructions

First install the library and its dependencies and then save the example to src/main.rs and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run
/**
 * Get a finding returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
configuration.unstableOperations["v2.getFinding"] = true;
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiGetFindingRequest = {
  findingId:
    "AgAAAYd59gjghzF52gAAAAAAAAAYAAAAAEFZZDU5Z2pnQUFCRTRvV1lFeEo4SlFBQQAAACQAAAAAMDE4NzdhMDEtMDRiYS00NTZlLWFmMzMtNTIxNmNkNjVlNDMz",
};

apiInstance
  .getFinding(params)
  .then((data: v2.GetFindingResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

Instructions

First install the library and its dependencies and then save the example to example.ts and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"

Mute or unmute a batch of findings

Note: This endpoint is in public beta. If you have any feedback, contact Datadog support.

PATCH https://api.ap1.datadoghq.com/api/v2/posture_management/findingshttps://api.ap2.datadoghq.com/api/v2/posture_management/findingshttps://api.datadoghq.eu/api/v2/posture_management/findingshttps://api.ddog-gov.com/api/v2/posture_management/findingshttps://api.datadoghq.com/api/v2/posture_management/findingshttps://api.us3.datadoghq.com/api/v2/posture_management/findingshttps://api.us5.datadoghq.com/api/v2/posture_management/findings

Overview

Mute or unmute findings.

Request

Body Data (required)

Attributes

All findings are updated with the same attributes. The request body must include at least two attributes: muted and reason. The allowed reasons depend on whether the finding is being muted or unmuted:

  • To mute a finding: PENDING_FIX, FALSE_POSITIVE, ACCEPTED_RISK, OTHER.
  • To unmute a finding : NO_PENDING_FIX, HUMAN_ERROR, NO_LONGER_ACCEPTED_RISK, OTHER.

Meta

The request body must include a list of the finding IDs to be updated.

Expand All

Field

Type

Description

data [required]

object

Data object containing the new bulk mute properties of the finding.

attributes [required]

object

The mute properties to be updated.

mute [required]

object

Object containing the new mute properties of the findings.

description

string

Additional information about the reason why those findings are muted or unmuted. This field has a maximum limit of 280 characters.

expiration_date

int64

The expiration date of the mute or unmute action (Unix ms). It must be set to a value greater than the current timestamp. If this field is not provided, the finding will be muted or unmuted indefinitely, which is equivalent to setting the expiration date to 9999999999999.

muted [required]

boolean

Whether those findings should be muted or unmuted.

reason [required]

enum

The reason why this finding is muted or unmuted. Allowed enum values: PENDING_FIX,FALSE_POSITIVE,ACCEPTED_RISK,NO_PENDING_FIX,HUMAN_ERROR,NO_LONGER_ACCEPTED_RISK,OTHER

id [required]

string

UUID to identify the request

meta [required]

object

Meta object containing the findings to be updated.

findings

[object]

Array of findings.

finding_id

string

The unique ID for this finding.

type [required]

enum

The JSON:API type for findings. Allowed enum values: finding

default: finding

{
  "data": {
    "attributes": {
      "mute": {
        "expiration_date": 1778721573794,
        "muted": true,
        "reason": "ACCEPTED_RISK"
      }
    },
    "id": "dbe5f567-192b-4404-b908-29b70e1c9f76",
    "meta": {
      "findings": [
        {
          "finding_id": "ZGVmLTAwcC1pZXJ-aS0wZjhjNjMyZDNmMzRlZTgzNw=="
        }
      ]
    },
    "type": "finding"
  }
}

Response

OK

The expected response schema.

Expand All

Field

Type

Description

data [required]

object

Data object containing the ID of the request that was updated.

id

string

UUID used to identify the request

type

enum

The JSON:API type for findings. Allowed enum values: finding

default: finding

{
  "data": {
    "id": "93bfeb70-af47-424d-908a-948d3f08e37f",
    "type": "finding"
  }
}

Bad Request: The server cannot process the request due to invalid syntax in the request.

API error response.

Expand All

Field

Type

Description

errors [required]

[object]

A list of errors.

detail

string

A human-readable explanation specific to this occurrence of the error.

meta

object

Non-standard meta-information about the error

source

object

References to the source of the error.

header

string

A string indicating the name of a single request header which caused the error.

parameter

string

A string indicating which URI query parameter caused the error.

pointer

string

A JSON pointer to the value in the request document that caused the error.

status

string

Status code of the response.

title

string

Short human-readable summary of the error.

{
  "errors": [
    {
      "detail": "Missing required attribute in body",
      "meta": {},
      "source": {
        "header": "Authorization",
        "parameter": "limit",
        "pointer": "/data/attributes/title"
      },
      "status": "400",
      "title": "Bad Request"
    }
  ]
}

Forbidden: Access denied

API error response.

Expand All

Field

Type

Description

errors [required]

[object]

A list of errors.

detail

string

A human-readable explanation specific to this occurrence of the error.

meta

object

Non-standard meta-information about the error

source

object

References to the source of the error.

header

string

A string indicating the name of a single request header which caused the error.

parameter

string

A string indicating which URI query parameter caused the error.

pointer

string

A JSON pointer to the value in the request document that caused the error.

status

string

Status code of the response.

title

string

Short human-readable summary of the error.

{
  "errors": [
    {
      "detail": "Missing required attribute in body",
      "meta": {},
      "source": {
        "header": "Authorization",
        "parameter": "limit",
        "pointer": "/data/attributes/title"
      },
      "status": "400",
      "title": "Bad Request"
    }
  ]
}

Not Found: The requested finding cannot be found.

API error response.

Expand All

Field

Type

Description

errors [required]

[object]

A list of errors.

detail

string

A human-readable explanation specific to this occurrence of the error.

meta

object

Non-standard meta-information about the error

source

object

References to the source of the error.

header

string

A string indicating the name of a single request header which caused the error.

parameter

string

A string indicating which URI query parameter caused the error.

pointer

string

A JSON pointer to the value in the request document that caused the error.

status

string

Status code of the response.

title

string

Short human-readable summary of the error.

{
  "errors": [
    {
      "detail": "Missing required attribute in body",
      "meta": {},
      "source": {
        "header": "Authorization",
        "parameter": "limit",
        "pointer": "/data/attributes/title"
      },
      "status": "400",
      "title": "Bad Request"
    }
  ]
}

Invalid Request: The server understands the request syntax but cannot process it due to invalid data.

API error response.

Expand All

Field

Type

Description

errors [required]

[object]

A list of errors.

detail

string

A human-readable explanation specific to this occurrence of the error.

meta

object

Non-standard meta-information about the error

source

object

References to the source of the error.

header

string

A string indicating the name of a single request header which caused the error.

parameter

string

A string indicating which URI query parameter caused the error.

pointer

string

A JSON pointer to the value in the request document that caused the error.

status

string

Status code of the response.

title

string

Short human-readable summary of the error.

{
  "errors": [
    {
      "detail": "Missing required attribute in body",
      "meta": {},
      "source": {
        "header": "Authorization",
        "parameter": "limit",
        "pointer": "/data/attributes/title"
      },
      "status": "400",
      "title": "Bad Request"
    }
  ]
}

Too many requests: The rate limit set by the API has been exceeded.

API error response.

Expand All

Field

Type

Description

errors [required]

[object]

A list of errors.

detail

string

A human-readable explanation specific to this occurrence of the error.

meta

object

Non-standard meta-information about the error

source

object

References to the source of the error.

header

string

A string indicating the name of a single request header which caused the error.

parameter

string

A string indicating which URI query parameter caused the error.

pointer

string

A JSON pointer to the value in the request document that caused the error.

status

string

Status code of the response.

title

string

Short human-readable summary of the error.

{
  "errors": [
    {
      "detail": "Missing required attribute in body",
      "meta": {},
      "source": {
        "header": "Authorization",
        "parameter": "limit",
        "pointer": "/data/attributes/title"
      },
      "status": "400",
      "title": "Bad Request"
    }
  ]
}

Code Example

                          # Curl command
curl -X PATCH "https://api.ap1.datadoghq.com"https://api.ap2.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/posture_management/findings" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "data": {
    "attributes": {
      "mute": {
        "expiration_date": 1778721573794,
        "muted": true,
        "reason": "ACCEPTED_RISK"
      }
    },
    "id": "dbe5f567-192b-4404-b908-29b70e1c9f76",
    "meta": {
      "findings": [
        {
          "finding_id": "ZGVmLTAwcC1pZXJ-aS0wZjhjNjMyZDNmMzRlZTgzNw=="
        }
      ]
    },
    "type": "finding"
  }
}
EOF

                        
// Mute or unmute a batch of findings returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	body := datadogV2.BulkMuteFindingsRequest{
		Data: datadogV2.BulkMuteFindingsRequestData{
			Attributes: datadogV2.BulkMuteFindingsRequestAttributes{
				Mute: datadogV2.BulkMuteFindingsRequestProperties{
					ExpirationDate: datadog.PtrInt64(1778721573794),
					Muted:          true,
					Reason:         datadogV2.FINDINGMUTEREASON_ACCEPTED_RISK,
				},
			},
			Id: "dbe5f567-192b-4404-b908-29b70e1c9f76",
			Meta: datadogV2.BulkMuteFindingsRequestMeta{
				Findings: []datadogV2.BulkMuteFindingsRequestMetaFindings{
					{
						FindingId: datadog.PtrString("ZGVmLTAwcC1pZXJ-aS0wZjhjNjMyZDNmMzRlZTgzNw=="),
					},
				},
			},
			Type: datadogV2.FINDINGTYPE_FINDING,
		},
	}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	configuration.SetUnstableOperationEnabled("v2.MuteFindings", true)
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.MuteFindings(ctx, body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.MuteFindings`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.MuteFindings`:\n%s\n", responseContent)
}

Instructions

First install the library and its dependencies and then save the example to main.go and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
// Mute or unmute a batch of findings returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.BulkMuteFindingsRequest;
import com.datadog.api.client.v2.model.BulkMuteFindingsRequestAttributes;
import com.datadog.api.client.v2.model.BulkMuteFindingsRequestData;
import com.datadog.api.client.v2.model.BulkMuteFindingsRequestMeta;
import com.datadog.api.client.v2.model.BulkMuteFindingsRequestMetaFindings;
import com.datadog.api.client.v2.model.BulkMuteFindingsRequestProperties;
import com.datadog.api.client.v2.model.BulkMuteFindingsResponse;
import com.datadog.api.client.v2.model.FindingMuteReason;
import com.datadog.api.client.v2.model.FindingType;
import java.util.Collections;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    defaultClient.setUnstableOperationEnabled("v2.muteFindings", true);
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    BulkMuteFindingsRequest body =
        new BulkMuteFindingsRequest()
            .data(
                new BulkMuteFindingsRequestData()
                    .attributes(
                        new BulkMuteFindingsRequestAttributes()
                            .mute(
                                new BulkMuteFindingsRequestProperties()
                                    .expirationDate(1778721573794L)
                                    .muted(true)
                                    .reason(FindingMuteReason.ACCEPTED_RISK)))
                    .id("dbe5f567-192b-4404-b908-29b70e1c9f76")
                    .meta(
                        new BulkMuteFindingsRequestMeta()
                            .findings(
                                Collections.singletonList(
                                    new BulkMuteFindingsRequestMetaFindings()
                                        .findingId(
                                            "ZGVmLTAwcC1pZXJ-aS0wZjhjNjMyZDNmMzRlZTgzNw=="))))
                    .type(FindingType.FINDING));

    try {
      BulkMuteFindingsResponse result = apiInstance.muteFindings(body);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println("Exception when calling SecurityMonitoringApi#muteFindings");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

Instructions

First install the library and its dependencies and then save the example to Example.java and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"
"""
Mute or unmute a batch of findings returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.bulk_mute_findings_request import BulkMuteFindingsRequest
from datadog_api_client.v2.model.bulk_mute_findings_request_attributes import BulkMuteFindingsRequestAttributes
from datadog_api_client.v2.model.bulk_mute_findings_request_data import BulkMuteFindingsRequestData
from datadog_api_client.v2.model.bulk_mute_findings_request_meta import BulkMuteFindingsRequestMeta
from datadog_api_client.v2.model.bulk_mute_findings_request_meta_findings import BulkMuteFindingsRequestMetaFindings
from datadog_api_client.v2.model.bulk_mute_findings_request_properties import BulkMuteFindingsRequestProperties
from datadog_api_client.v2.model.finding_mute_reason import FindingMuteReason
from datadog_api_client.v2.model.finding_type import FindingType

body = BulkMuteFindingsRequest(
    data=BulkMuteFindingsRequestData(
        attributes=BulkMuteFindingsRequestAttributes(
            mute=BulkMuteFindingsRequestProperties(
                expiration_date=1778721573794,
                muted=True,
                reason=FindingMuteReason.ACCEPTED_RISK,
            ),
        ),
        id="dbe5f567-192b-4404-b908-29b70e1c9f76",
        meta=BulkMuteFindingsRequestMeta(
            findings=[
                BulkMuteFindingsRequestMetaFindings(
                    finding_id="ZGVmLTAwcC1pZXJ-aS0wZjhjNjMyZDNmMzRlZTgzNw==",
                ),
            ],
        ),
        type=FindingType.FINDING,
    ),
)

configuration = Configuration()
configuration.unstable_operations["mute_findings"] = True
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.mute_findings(body=body)

    print(response)

Instructions

First install the library and its dependencies and then save the example to example.py and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
# Mute or unmute a batch of findings returns "OK" response

require "datadog_api_client"
DatadogAPIClient.configure do |config|
  config.unstable_operations["v2.mute_findings".to_sym] = true
end
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

body = DatadogAPIClient::V2::BulkMuteFindingsRequest.new({
  data: DatadogAPIClient::V2::BulkMuteFindingsRequestData.new({
    attributes: DatadogAPIClient::V2::BulkMuteFindingsRequestAttributes.new({
      mute: DatadogAPIClient::V2::BulkMuteFindingsRequestProperties.new({
        expiration_date: 1778721573794,
        muted: true,
        reason: DatadogAPIClient::V2::FindingMuteReason::ACCEPTED_RISK,
      }),
    }),
    id: "dbe5f567-192b-4404-b908-29b70e1c9f76",
    meta: DatadogAPIClient::V2::BulkMuteFindingsRequestMeta.new({
      findings: [
        DatadogAPIClient::V2::BulkMuteFindingsRequestMetaFindings.new({
          finding_id: "ZGVmLTAwcC1pZXJ-aS0wZjhjNjMyZDNmMzRlZTgzNw==",
        }),
      ],
    }),
    type: DatadogAPIClient::V2::FindingType::FINDING,
  }),
})
p api_instance.mute_findings(body)

Instructions

First install the library and its dependencies and then save the example to example.rb and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" rb "example.rb"
// Mute or unmute a batch of findings returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::BulkMuteFindingsRequest;
use datadog_api_client::datadogV2::model::BulkMuteFindingsRequestAttributes;
use datadog_api_client::datadogV2::model::BulkMuteFindingsRequestData;
use datadog_api_client::datadogV2::model::BulkMuteFindingsRequestMeta;
use datadog_api_client::datadogV2::model::BulkMuteFindingsRequestMetaFindings;
use datadog_api_client::datadogV2::model::BulkMuteFindingsRequestProperties;
use datadog_api_client::datadogV2::model::FindingMuteReason;
use datadog_api_client::datadogV2::model::FindingType;

#[tokio::main]
async fn main() {
    let body = BulkMuteFindingsRequest::new(BulkMuteFindingsRequestData::new(
        BulkMuteFindingsRequestAttributes::new(
            BulkMuteFindingsRequestProperties::new(true, FindingMuteReason::ACCEPTED_RISK)
                .expiration_date(1778721573794),
        ),
        "dbe5f567-192b-4404-b908-29b70e1c9f76".to_string(),
        BulkMuteFindingsRequestMeta::new()
            .findings(vec![BulkMuteFindingsRequestMetaFindings::new().finding_id(
                "ZGVmLTAwcC1pZXJ-aS0wZjhjNjMyZDNmMzRlZTgzNw==".to_string(),
            )]),
        FindingType::FINDING,
    ));
    let mut configuration = datadog::Configuration::new();
    configuration.set_unstable_operation_enabled("v2.MuteFindings", true);
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api.mute_findings(body).await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}

Instructions

First install the library and its dependencies and then save the example to src/main.rs and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run
/**
 * Mute or unmute a batch of findings returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
configuration.unstableOperations["v2.muteFindings"] = true;
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiMuteFindingsRequest = {
  body: {
    data: {
      attributes: {
        mute: {
          expirationDate: 1778721573794,
          muted: true,
          reason: "ACCEPTED_RISK",
        },
      },
      id: "dbe5f567-192b-4404-b908-29b70e1c9f76",
      meta: {
        findings: [
          {
            findingId: "ZGVmLTAwcC1pZXJ-aS0wZjhjNjMyZDNmMzRlZTgzNw==",
          },
        ],
      },
      type: "finding",
    },
  },
};

apiInstance
  .muteFindings(params)
  .then((data: v2.BulkMuteFindingsResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

Instructions

First install the library and its dependencies and then save the example to example.ts and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"

Add a security signal to an incident

PATCH https://api.ap1.datadoghq.com/api/v1/security_analytics/signals/{signal_id}/add_to_incidenthttps://api.ap2.datadoghq.com/api/v1/security_analytics/signals/{signal_id}/add_to_incidenthttps://api.datadoghq.eu/api/v1/security_analytics/signals/{signal_id}/add_to_incidenthttps://api.ddog-gov.com/api/v1/security_analytics/signals/{signal_id}/add_to_incidenthttps://api.datadoghq.com/api/v1/security_analytics/signals/{signal_id}/add_to_incidenthttps://api.us3.datadoghq.com/api/v1/security_analytics/signals/{signal_id}/add_to_incidenthttps://api.us5.datadoghq.com/api/v1/security_analytics/signals/{signal_id}/add_to_incident

Overview

Add a security signal to an incident. This makes it possible to search for signals by incident within the signal explorer and to view the signals on the incident timeline. This endpoint requires the security_monitoring_signals_write permission.

Arguments

Path Parameters

Name

Type

Description

signal_id [required]

string

The ID of the signal.

Request

Body Data (required)

Attributes describing the signal update.

Expand All

Field

Type

Description

add_to_signal_timeline

boolean

Whether to post the signal on the incident timeline.

incident_id [required]

int64

Public ID attribute of the incident to which the signal will be added.

version

int64

Version of the updated signal. If server side version is higher, update will be rejected.

{
  "incident_id": 2609
}

Response

OK

Updated signal data following a successfully performed update.

Expand All

Field

Type

Description

status

string

Status of the response.

{
  "status": "string"
}

Bad Request

Error response object.

Expand All

Field

Type

Description

errors [required]

[string]

Array of errors returned by the API.

{
  "errors": [
    "Bad Request"
  ]
}

Forbidden

Error response object.

Expand All

Field

Type

Description

errors [required]

[string]

Array of errors returned by the API.

{
  "errors": [
    "Bad Request"
  ]
}

Not Found

Error response object.

Expand All

Field

Type

Description

errors [required]

[string]

Array of errors returned by the API.

{
  "errors": [
    "Bad Request"
  ]
}

Too many requests

Error response object.

Expand All

Field

Type

Description

errors [required]

[string]

Array of errors returned by the API.

{
  "errors": [
    "Bad Request"
  ]
}

Code Example

                          # Path parameters
export signal_id="CHANGE_ME"
# Curl command
curl -X PATCH "https://api.ap1.datadoghq.com"https://api.ap2.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v1/security_analytics/signals/${signal_id}/add_to_incident" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "incident_id": 2609
}
EOF

                        
// Add a security signal to an incident returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV1"
)

func main() {
	body := datadogV1.AddSignalToIncidentRequest{
		IncidentId: 2609,
	}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV1.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.AddSecurityMonitoringSignalToIncident(ctx, "AQAAAYDiB_Ol8PbzFAAAAABBWURpQl9PbEFBQU0yeXhGTG9ZV2JnQUE", body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.AddSecurityMonitoringSignalToIncident`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.AddSecurityMonitoringSignalToIncident`:\n%s\n", responseContent)
}

Instructions

First install the library and its dependencies and then save the example to main.go and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" go run "main.go"
// Add a security signal to an incident returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v1.api.SecurityMonitoringApi;
import com.datadog.api.client.v1.model.AddSignalToIncidentRequest;
import com.datadog.api.client.v1.model.SuccessfulSignalUpdateResponse;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    AddSignalToIncidentRequest body = new AddSignalToIncidentRequest().incidentId(2609L);

    try {
      SuccessfulSignalUpdateResponse result =
          apiInstance.addSecurityMonitoringSignalToIncident(
              "AQAAAYDiB_Ol8PbzFAAAAABBWURpQl9PbEFBQU0yeXhGTG9ZV2JnQUE", body);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#addSecurityMonitoringSignalToIncident");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

Instructions

First install the library and its dependencies and then save the example to Example.java and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" java "Example.java"
"""
Add a security signal to an incident returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v1.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v1.model.add_signal_to_incident_request import AddSignalToIncidentRequest

body = AddSignalToIncidentRequest(
    incident_id=2609,
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.add_security_monitoring_signal_to_incident(
        signal_id="AQAAAYDiB_Ol8PbzFAAAAABBWURpQl9PbEFBQU0yeXhGTG9ZV2JnQUE", body=body
    )

    print(response)

Instructions

First install the library and its dependencies and then save the example to example.py and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" python3 "example.py"
# Add a security signal to an incident returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V1::SecurityMonitoringAPI.new

body = DatadogAPIClient::V1::AddSignalToIncidentRequest.new({
  incident_id: 2609,
})
p api_instance.add_security_monitoring_signal_to_incident("AQAAAYDiB_Ol8PbzFAAAAABBWURpQl9PbEFBQU0yeXhGTG9ZV2JnQUE", body)

Instructions

First install the library and its dependencies and then save the example to example.rb and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" rb "example.rb"
// Add a security signal to an incident returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV1::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV1::model::AddSignalToIncidentRequest;

#[tokio::main]
async fn main() {
    let body = AddSignalToIncidentRequest::new(2609);
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api
        .add_security_monitoring_signal_to_incident(
            "AQAAAYDiB_Ol8PbzFAAAAABBWURpQl9PbEFBQU0yeXhGTG9ZV2JnQUE".to_string(),
            body,
        )
        .await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}

Instructions

First install the library and its dependencies and then save the example to src/main.rs and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" cargo run
/**
 * Add a security signal to an incident returns "OK" response
 */

import { client, v1 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v1.SecurityMonitoringApi(configuration);

const params: v1.SecurityMonitoringApiAddSecurityMonitoringSignalToIncidentRequest =
  {
    body: {
      incidentId: 2609,
    },
    signalId: "AQAAAYDiB_Ol8PbzFAAAAABBWURpQl9PbEFBQU0yeXhGTG9ZV2JnQUE",
  };

apiInstance
  .addSecurityMonitoringSignalToIncident(params)
  .then((data: v1.SuccessfulSignalUpdateResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

Instructions

First install the library and its dependencies and then save the example to example.ts and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" tsc "example.ts"

Change the triage state of a security signal

PATCH https://api.ap1.datadoghq.com/api/v1/security_analytics/signals/{signal_id}/statehttps://api.ap2.datadoghq.com/api/v1/security_analytics/signals/{signal_id}/statehttps://api.datadoghq.eu/api/v1/security_analytics/signals/{signal_id}/statehttps://api.ddog-gov.com/api/v1/security_analytics/signals/{signal_id}/statehttps://api.datadoghq.com/api/v1/security_analytics/signals/{signal_id}/statehttps://api.us3.datadoghq.com/api/v1/security_analytics/signals/{signal_id}/statehttps://api.us5.datadoghq.com/api/v1/security_analytics/signals/{signal_id}/state

Overview

This endpoint is deprecated - Change the triage state of a security signal. This endpoint requires the security_monitoring_signals_write permission.

Arguments

Path Parameters

Name

Type

Description

signal_id [required]

string

The ID of the signal.

Request

Body Data (required)

Attributes describing the signal update.

Expand All

Field

Type

Description

archiveComment

string

Optional comment to explain why a signal is being archived.

archiveReason

enum

Reason why a signal has been archived. Allowed enum values: none,false_positive,testing_or_maintenance,investigated_case_opened,true_positive_benign,true_positive_malicious,other

state [required]

enum

The new triage state of the signal. Allowed enum values: open,archived,under_review

version

int64

Version of the updated signal. If server side version is higher, update will be rejected.

{
  "archiveReason": "none",
  "state": "open"
}

Response

OK

Updated signal data following a successfully performed update.

Expand All

Field

Type

Description

status

string

Status of the response.

{
  "status": "string"
}

Bad Request

Error response object.

Expand All

Field

Type

Description

errors [required]

[string]

Array of errors returned by the API.

{
  "errors": [
    "Bad Request"
  ]
}

Forbidden

Error response object.

Expand All

Field

Type

Description

errors [required]

[string]

Array of errors returned by the API.

{
  "errors": [
    "Bad Request"
  ]
}

Not Found

Error response object.

Expand All

Field

Type

Description

errors [required]

[string]

Array of errors returned by the API.

{
  "errors": [
    "Bad Request"
  ]
}

Too many requests

Error response object.

Expand All

Field

Type

Description

errors [required]

[string]

Array of errors returned by the API.

{
  "errors": [
    "Bad Request"
  ]
}

Code Example

                          # Path parameters
export signal_id="CHANGE_ME"
# Curl command
curl -X PATCH "https://api.ap1.datadoghq.com"https://api.ap2.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v1/security_analytics/signals/${signal_id}/state" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "archiveReason": "none",
  "state": "open"
}
EOF

                        
// Change the triage state of a security signal returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV1"
)

func main() {
	body := datadogV1.SignalStateUpdateRequest{
		ArchiveReason: datadogV1.SIGNALARCHIVEREASON_NONE.Ptr(),
		State:         datadogV1.SIGNALTRIAGESTATE_OPEN,
	}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV1.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.EditSecurityMonitoringSignalState(ctx, "AQAAAYDiB_Ol8PbzFAAAAABBWURpQl9PbEFBQU0yeXhGTG9ZV2JnQUE", body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.EditSecurityMonitoringSignalState`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.EditSecurityMonitoringSignalState`:\n%s\n", responseContent)
}

Instructions

First install the library and its dependencies and then save the example to main.go and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" go run "main.go"
// Change the triage state of a security signal returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v1.api.SecurityMonitoringApi;
import com.datadog.api.client.v1.model.SignalArchiveReason;
import com.datadog.api.client.v1.model.SignalStateUpdateRequest;
import com.datadog.api.client.v1.model.SignalTriageState;
import com.datadog.api.client.v1.model.SuccessfulSignalUpdateResponse;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    SignalStateUpdateRequest body =
        new SignalStateUpdateRequest()
            .archiveReason(SignalArchiveReason.NONE)
            .state(SignalTriageState.OPEN);

    try {
      SuccessfulSignalUpdateResponse result =
          apiInstance.editSecurityMonitoringSignalState(
              "AQAAAYDiB_Ol8PbzFAAAAABBWURpQl9PbEFBQU0yeXhGTG9ZV2JnQUE", body);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#editSecurityMonitoringSignalState");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

Instructions

First install the library and its dependencies and then save the example to Example.java and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" java "Example.java"
"""
Change the triage state of a security signal returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v1.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v1.model.signal_archive_reason import SignalArchiveReason
from datadog_api_client.v1.model.signal_state_update_request import SignalStateUpdateRequest
from datadog_api_client.v1.model.signal_triage_state import SignalTriageState

body = SignalStateUpdateRequest(
    archive_reason=SignalArchiveReason.NONE,
    state=SignalTriageState.OPEN,
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.edit_security_monitoring_signal_state(
        signal_id="AQAAAYDiB_Ol8PbzFAAAAABBWURpQl9PbEFBQU0yeXhGTG9ZV2JnQUE", body=body
    )

    print(response)

Instructions

First install the library and its dependencies and then save the example to example.py and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" python3 "example.py"
# Change the triage state of a security signal returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V1::SecurityMonitoringAPI.new

body = DatadogAPIClient::V1::SignalStateUpdateRequest.new({
  archive_reason: DatadogAPIClient::V1::SignalArchiveReason::NONE,
  state: DatadogAPIClient::V1::SignalTriageState::OPEN,
})
p api_instance.edit_security_monitoring_signal_state("AQAAAYDiB_Ol8PbzFAAAAABBWURpQl9PbEFBQU0yeXhGTG9ZV2JnQUE", body)

Instructions

First install the library and its dependencies and then save the example to example.rb and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" rb "example.rb"
// Change the triage state of a security signal returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV1::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV1::model::SignalArchiveReason;
use datadog_api_client::datadogV1::model::SignalStateUpdateRequest;
use datadog_api_client::datadogV1::model::SignalTriageState;

#[tokio::main]
async fn main() {
    let body = SignalStateUpdateRequest::new(SignalTriageState::OPEN)
        .archive_reason(SignalArchiveReason::NONE);
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api
        .edit_security_monitoring_signal_state(
            "AQAAAYDiB_Ol8PbzFAAAAABBWURpQl9PbEFBQU0yeXhGTG9ZV2JnQUE".to_string(),
            body,
        )
        .await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}

Instructions

First install the library and its dependencies and then save the example to src/main.rs and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" cargo run
/**
 * Change the triage state of a security signal returns "OK" response
 */

import { client, v1 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v1.SecurityMonitoringApi(configuration);

const params: v1.SecurityMonitoringApiEditSecurityMonitoringSignalStateRequest =
  {
    body: {
      archiveReason: "none",
      state: "open",
    },
    signalId: "AQAAAYDiB_Ol8PbzFAAAAABBWURpQl9PbEFBQU0yeXhGTG9ZV2JnQUE",
  };

apiInstance
  .editSecurityMonitoringSignalState(params)
  .then((data: v1.SuccessfulSignalUpdateResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

Instructions

First install the library and its dependencies and then save the example to example.ts and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" tsc "example.ts"

PATCH https://api.ap1.datadoghq.com/api/v2/security_monitoring/signals/{signal_id}/statehttps://api.ap2.datadoghq.com/api/v2/security_monitoring/signals/{signal_id}/statehttps://api.datadoghq.eu/api/v2/security_monitoring/signals/{signal_id}/statehttps://api.ddog-gov.com/api/v2/security_monitoring/signals/{signal_id}/statehttps://api.datadoghq.com/api/v2/security_monitoring/signals/{signal_id}/statehttps://api.us3.datadoghq.com/api/v2/security_monitoring/signals/{signal_id}/statehttps://api.us5.datadoghq.com/api/v2/security_monitoring/signals/{signal_id}/state

Overview

Change the triage state of a security signal. This endpoint requires the security_monitoring_signals_write permission.

Arguments

Path Parameters

Name

Type

Description

signal_id [required]

string

The ID of the signal.

Request

Body Data (required)

Attributes describing the signal update.

Expand All

Field

Type

Description

data [required]

object

Data containing the patch for changing the state of a signal.

attributes [required]

object

Attributes describing the change of state of a security signal.

archive_comment

string

Optional comment to display on archived signals.

archive_reason

enum

Reason a signal is archived. Allowed enum values: none,false_positive,testing_or_maintenance,investigated_case_opened,true_positive_benign,true_positive_malicious,other

state [required]

enum

The new triage state of the signal. Allowed enum values: open,archived,under_review

version

int64

Version of the updated signal. If server side version is higher, update will be rejected.

id

The unique ID of the security signal.

type

enum

The type of event. Allowed enum values: signal_metadata

default: signal_metadata

{
  "data": {
    "attributes": {
      "archive_reason": "none",
      "state": "open"
    }
  }
}

Response

OK

The response returned after all triage operations, containing the updated signal triage data.

Expand All

Field

Type

Description

data [required]

object

Data containing the updated triage attributes of the signal.

attributes

object

Attributes describing a triage state update operation over a security signal.

archive_comment

string

Optional comment to display on archived signals.

archive_comment_timestamp

int64

Timestamp of the last edit to the comment.

archive_comment_user

object

Object representing a given user entity.

handle

string

The handle for this user account.

icon

string

Gravatar icon associated to the user.

id

int64

Numerical ID assigned by Datadog to this user account.

name

string

The name for this user account.

uuid [required]

string

UUID assigned by Datadog to this user account.

archive_reason

enum

Reason a signal is archived. Allowed enum values: none,false_positive,testing_or_maintenance,investigated_case_opened,true_positive_benign,true_positive_malicious,other

assignee [required]

object

Object representing a given user entity.

handle

string

The handle for this user account.

icon

string

Gravatar icon associated to the user.

id

int64

Numerical ID assigned by Datadog to this user account.

name

string

The name for this user account.

uuid [required]

string

UUID assigned by Datadog to this user account.

incident_ids [required]

[integer]

Array of incidents that are associated with this signal.

state [required]

enum

The new triage state of the signal. Allowed enum values: open,archived,under_review

state_update_timestamp

int64

Timestamp of the last update to the signal state.

state_update_user

object

Object representing a given user entity.

handle

string

The handle for this user account.

icon

string

Gravatar icon associated to the user.

id

int64

Numerical ID assigned by Datadog to this user account.

name

string

The name for this user account.

uuid [required]

string

UUID assigned by Datadog to this user account.

id

string

The unique ID of the security signal.

type

enum

The type of event. Allowed enum values: signal_metadata

default: signal_metadata

{
  "data": {
    "attributes": {
      "archive_comment": "string",
      "archive_comment_timestamp": "integer",
      "archive_comment_user": {
        "handle": "string",
        "icon": "/path/to/matching/gravatar/icon",
        "id": "integer",
        "name": "string",
        "uuid": "773b045d-ccf8-4808-bd3b-955ef6a8c940"
      },
      "archive_reason": "string",
      "assignee": {
        "handle": "string",
        "icon": "/path/to/matching/gravatar/icon",
        "id": "integer",
        "name": "string",
        "uuid": "773b045d-ccf8-4808-bd3b-955ef6a8c940"
      },
      "incident_ids": [
        2066
      ],
      "state": "open",
      "state_update_timestamp": "integer",
      "state_update_user": {
        "handle": "string",
        "icon": "/path/to/matching/gravatar/icon",
        "id": "integer",
        "name": "string",
        "uuid": "773b045d-ccf8-4808-bd3b-955ef6a8c940"
      }
    },
    "id": "string",
    "type": "signal_metadata"
  }
}

Bad Request

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Forbidden

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Not Found

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Too many requests

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Code Example

                          # Path parameters
export signal_id="CHANGE_ME"
# Curl command
curl -X PATCH "https://api.ap1.datadoghq.com"https://api.ap2.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/signals/${signal_id}/state" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "data": {
    "attributes": {
      "archive_reason": "none",
      "state": "open"
    }
  }
}
EOF

                        
// Change the triage state of a security signal returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	body := datadogV2.SecurityMonitoringSignalStateUpdateRequest{
		Data: datadogV2.SecurityMonitoringSignalStateUpdateData{
			Attributes: datadogV2.SecurityMonitoringSignalStateUpdateAttributes{
				ArchiveReason: datadogV2.SECURITYMONITORINGSIGNALARCHIVEREASON_NONE.Ptr(),
				State:         datadogV2.SECURITYMONITORINGSIGNALSTATE_OPEN,
			},
		},
	}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.EditSecurityMonitoringSignalState(ctx, "AQAAAYG1bl5K4HuUewAAAABBWUcxYmw1S0FBQmt2RmhRN0V4ZUVnQUE", body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.EditSecurityMonitoringSignalState`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.EditSecurityMonitoringSignalState`:\n%s\n", responseContent)
}

Instructions

First install the library and its dependencies and then save the example to main.go and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" go run "main.go"
// Change the triage state of a security signal returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityMonitoringSignalArchiveReason;
import com.datadog.api.client.v2.model.SecurityMonitoringSignalState;
import com.datadog.api.client.v2.model.SecurityMonitoringSignalStateUpdateAttributes;
import com.datadog.api.client.v2.model.SecurityMonitoringSignalStateUpdateData;
import com.datadog.api.client.v2.model.SecurityMonitoringSignalStateUpdateRequest;
import com.datadog.api.client.v2.model.SecurityMonitoringSignalTriageUpdateResponse;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    SecurityMonitoringSignalStateUpdateRequest body =
        new SecurityMonitoringSignalStateUpdateRequest()
            .data(
                new SecurityMonitoringSignalStateUpdateData()
                    .attributes(
                        new SecurityMonitoringSignalStateUpdateAttributes()
                            .archiveReason(SecurityMonitoringSignalArchiveReason.NONE)
                            .state(SecurityMonitoringSignalState.OPEN)));

    try {
      SecurityMonitoringSignalTriageUpdateResponse result =
          apiInstance.editSecurityMonitoringSignalState(
              "AQAAAYG1bl5K4HuUewAAAABBWUcxYmw1S0FBQmt2RmhRN0V4ZUVnQUE", body);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#editSecurityMonitoringSignalState");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

Instructions

First install the library and its dependencies and then save the example to Example.java and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" java "Example.java"
"""
Change the triage state of a security signal returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.security_monitoring_signal_archive_reason import SecurityMonitoringSignalArchiveReason
from datadog_api_client.v2.model.security_monitoring_signal_state import SecurityMonitoringSignalState
from datadog_api_client.v2.model.security_monitoring_signal_state_update_attributes import (
    SecurityMonitoringSignalStateUpdateAttributes,
)
from datadog_api_client.v2.model.security_monitoring_signal_state_update_data import (
    SecurityMonitoringSignalStateUpdateData,
)
from datadog_api_client.v2.model.security_monitoring_signal_state_update_request import (
    SecurityMonitoringSignalStateUpdateRequest,
)

body = SecurityMonitoringSignalStateUpdateRequest(
    data=SecurityMonitoringSignalStateUpdateData(
        attributes=SecurityMonitoringSignalStateUpdateAttributes(
            archive_reason=SecurityMonitoringSignalArchiveReason.NONE,
            state=SecurityMonitoringSignalState.OPEN,
        ),
    ),
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.edit_security_monitoring_signal_state(
        signal_id="AQAAAYG1bl5K4HuUewAAAABBWUcxYmw1S0FBQmt2RmhRN0V4ZUVnQUE", body=body
    )

    print(response)

Instructions

First install the library and its dependencies and then save the example to example.py and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" python3 "example.py"
# Change the triage state of a security signal returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

body = DatadogAPIClient::V2::SecurityMonitoringSignalStateUpdateRequest.new({
  data: DatadogAPIClient::V2::SecurityMonitoringSignalStateUpdateData.new({
    attributes: DatadogAPIClient::V2::SecurityMonitoringSignalStateUpdateAttributes.new({
      archive_reason: DatadogAPIClient::V2::SecurityMonitoringSignalArchiveReason::NONE,
      state: DatadogAPIClient::V2::SecurityMonitoringSignalState::OPEN,
    }),
  }),
})
p api_instance.edit_security_monitoring_signal_state("AQAAAYG1bl5K4HuUewAAAABBWUcxYmw1S0FBQmt2RmhRN0V4ZUVnQUE", body)

Instructions

First install the library and its dependencies and then save the example to example.rb and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" rb "example.rb"
// Change the triage state of a security signal returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::SecurityMonitoringSignalArchiveReason;
use datadog_api_client::datadogV2::model::SecurityMonitoringSignalState;
use datadog_api_client::datadogV2::model::SecurityMonitoringSignalStateUpdateAttributes;
use datadog_api_client::datadogV2::model::SecurityMonitoringSignalStateUpdateData;
use datadog_api_client::datadogV2::model::SecurityMonitoringSignalStateUpdateRequest;

#[tokio::main]
async fn main() {
    let body = SecurityMonitoringSignalStateUpdateRequest::new(
        SecurityMonitoringSignalStateUpdateData::new(
            SecurityMonitoringSignalStateUpdateAttributes::new(SecurityMonitoringSignalState::OPEN)
                .archive_reason(SecurityMonitoringSignalArchiveReason::NONE),
        ),
    );
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api
        .edit_security_monitoring_signal_state(
            "AQAAAYG1bl5K4HuUewAAAABBWUcxYmw1S0FBQmt2RmhRN0V4ZUVnQUE".to_string(),
            body,
        )
        .await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}

Instructions

First install the library and its dependencies and then save the example to src/main.rs and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" cargo run
/**
 * Change the triage state of a security signal returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiEditSecurityMonitoringSignalStateRequest =
  {
    body: {
      data: {
        attributes: {
          archiveReason: "none",
          state: "open",
        },
      },
    },
    signalId: "AQAAAYG1bl5K4HuUewAAAABBWUcxYmw1S0FBQmt2RmhRN0V4ZUVnQUE",
  };

apiInstance
  .editSecurityMonitoringSignalState(params)
  .then((data: v2.SecurityMonitoringSignalTriageUpdateResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

Instructions

First install the library and its dependencies and then save the example to example.ts and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" tsc "example.ts"

Create a custom framework

POST https://api.ap1.datadoghq.com/api/v2/cloud_security_management/custom_frameworkshttps://api.ap2.datadoghq.com/api/v2/cloud_security_management/custom_frameworkshttps://api.datadoghq.eu/api/v2/cloud_security_management/custom_frameworkshttps://api.ddog-gov.com/api/v2/cloud_security_management/custom_frameworkshttps://api.datadoghq.com/api/v2/cloud_security_management/custom_frameworkshttps://api.us3.datadoghq.com/api/v2/cloud_security_management/custom_frameworkshttps://api.us5.datadoghq.com/api/v2/cloud_security_management/custom_frameworks

Overview

Create a custom framework. This endpoint requires all of the following permissions:

  • security_monitoring_rules_read
  • security_monitoring_rules_write

    • OAuth apps require the security_monitoring_rules_read, security_monitoring_rules_write authorization scope to access this endpoint.

    Request

    Body Data (required)

    Expand All

    Field

    Type

    Description

    data [required]

    object

    Contains type and attributes for custom frameworks.

    attributes [required]

    object

    Framework Data Attributes.

    description

    string

    Framework Description

    handle [required]

    string

    Framework Handle

    icon_url

    string

    Framework Icon URL

    name [required]

    string

    Framework Name

    requirements [required]

    [object]

    Framework Requirements

    controls [required]

    [object]

    Requirement Controls.

    name [required]

    string

    Control Name.

    rules_id [required]

    [string]

    Rule IDs.

    name [required]

    string

    Requirement Name.

    version [required]

    string

    Framework Version

    type [required]

    enum

    The type of the resource. The value must be custom_framework. Allowed enum values: custom_framework

    default: custom_framework

    {
  "data": {
    "type": "custom_framework",
    "attributes": {
      "name": "name",
      "handle": "create-framework-new",
      "version": "10",
      "icon_url": "test-url",
      "requirements": [
        {
          "name": "requirement",
          "controls": [
            {
              "name": "control",
              "rules_id": [
                "def-000-be9"
              ]
            }
          ]
        }
      ]
    }
  }
}

    Response

    OK

    Response object to create a custom framework.

    Expand All

    Field

    Type

    Description

    data [required]

    object

    Contains type and attributes for custom frameworks.

    attributes [required]

    object

    Framework Handle and Version.

    handle

    string

    Framework Handle

    version

    string

    Framework Version

    id [required]

    string

    The ID of the custom framework.

    type [required]

    enum

    The type of the resource. The value must be custom_framework. Allowed enum values: custom_framework

    default: custom_framework

    {
  "data": {
    "attributes": {
      "handle": "sec2",
      "version": "2"
    },
    "id": "handle-version",
    "type": "custom_framework"
  }
}

    Bad Request

    API error response.

    Expand All

    Field

    Type

    Description

    errors [required]

    [string]

    A list of errors.

    {
  "errors": [
    "Bad Request"
  ]
}

    Conflict

    API error response.

    Expand All

    Field

    Type

    Description

    errors [required]

    [string]

    A list of errors.

    {
  "errors": [
    "Bad Request"
  ]
}

    Too many requests

    API error response.

    Expand All

    Field

    Type

    Description

    errors [required]

    [string]

    A list of errors.

    {
  "errors": [
    "Bad Request"
  ]
}

    Bad Request

    API error response.

    Expand All

    Field

    Type

    Description

    errors [required]

    [string]

    A list of errors.

    {
  "errors": [
    "Bad Request"
  ]
}

    Code Example

                              # Curl command
    curl -X POST "https://api.ap1.datadoghq.com"https://api.ap2.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/cloud_security_management/custom_frameworks" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "data": {
    "type": "custom_framework",
    "attributes": {
      "name": "name",
      "handle": "create-framework-new",
      "version": "10",
      "icon_url": "test-url",
      "requirements": [
        {
          "name": "requirement",
          "controls": [
            {
              "name": "control",
              "rules_id": [
                "def-000-be9"
              ]
            }
          ]
        }
      ]
    }
  }
}
EOF
    
                        
    // Create a custom framework returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	body := datadogV2.CreateCustomFrameworkRequest{
		Data: datadogV2.CustomFrameworkData{
			Type: datadogV2.CUSTOMFRAMEWORKTYPE_CUSTOM_FRAMEWORK,
			Attributes: datadogV2.CustomFrameworkDataAttributes{
				Name:    "name",
				Handle:  "create-framework-new",
				Version: "10",
				IconUrl: datadog.PtrString("test-url"),
				Requirements: []datadogV2.CustomFrameworkRequirement{
					{
						Name: "requirement",
						Controls: []datadogV2.CustomFrameworkControl{
							{
								Name: "control",
								RulesId: []string{
									"def-000-be9",
								},
							},
						},
					},
				},
			},
		},
	}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.CreateCustomFramework(ctx, body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.CreateCustomFramework`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.CreateCustomFramework`:\n%s\n", responseContent)
}

    Instructions

    First install the library and its dependencies and then save the example to main.go and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
    // Create a custom framework returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.CreateCustomFrameworkRequest;
import com.datadog.api.client.v2.model.CreateCustomFrameworkResponse;
import com.datadog.api.client.v2.model.CustomFrameworkControl;
import com.datadog.api.client.v2.model.CustomFrameworkData;
import com.datadog.api.client.v2.model.CustomFrameworkDataAttributes;
import com.datadog.api.client.v2.model.CustomFrameworkRequirement;
import com.datadog.api.client.v2.model.CustomFrameworkType;
import java.util.Collections;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    CreateCustomFrameworkRequest body =
        new CreateCustomFrameworkRequest()
            .data(
                new CustomFrameworkData()
                    .type(CustomFrameworkType.CUSTOM_FRAMEWORK)
                    .attributes(
                        new CustomFrameworkDataAttributes()
                            .name("name")
                            .handle("create-framework-new")
                            .version("10")
                            .iconUrl("test-url")
                            .requirements(
                                Collections.singletonList(
                                    new CustomFrameworkRequirement()
                                        .name("requirement")
                                        .controls(
                                            Collections.singletonList(
                                                new CustomFrameworkControl()
                                                    .name("control")
                                                    .rulesId(
                                                        Collections.singletonList(
                                                            "def-000-be9"))))))));

    try {
      CreateCustomFrameworkResponse result = apiInstance.createCustomFramework(body);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println("Exception when calling SecurityMonitoringApi#createCustomFramework");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

    Instructions

    First install the library and its dependencies and then save the example to Example.java and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"
    """
Create a custom framework returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.create_custom_framework_request import CreateCustomFrameworkRequest
from datadog_api_client.v2.model.custom_framework_control import CustomFrameworkControl
from datadog_api_client.v2.model.custom_framework_data import CustomFrameworkData
from datadog_api_client.v2.model.custom_framework_data_attributes import CustomFrameworkDataAttributes
from datadog_api_client.v2.model.custom_framework_requirement import CustomFrameworkRequirement
from datadog_api_client.v2.model.custom_framework_type import CustomFrameworkType

body = CreateCustomFrameworkRequest(
    data=CustomFrameworkData(
        type=CustomFrameworkType.CUSTOM_FRAMEWORK,
        attributes=CustomFrameworkDataAttributes(
            name="name",
            handle="create-framework-new",
            version="10",
            icon_url="test-url",
            requirements=[
                CustomFrameworkRequirement(
                    name="requirement",
                    controls=[
                        CustomFrameworkControl(
                            name="control",
                            rules_id=[
                                "def-000-be9",
                            ],
                        ),
                    ],
                ),
            ],
        ),
    ),
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.create_custom_framework(body=body)

    print(response)

    Instructions

    First install the library and its dependencies and then save the example to example.py and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
    # Create a custom framework returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

body = DatadogAPIClient::V2::CreateCustomFrameworkRequest.new({
  data: DatadogAPIClient::V2::CustomFrameworkData.new({
    type: DatadogAPIClient::V2::CustomFrameworkType::CUSTOM_FRAMEWORK,
    attributes: DatadogAPIClient::V2::CustomFrameworkDataAttributes.new({
      name: "name",
      handle: "create-framework-new",
      version: "10",
      icon_url: "test-url",
      requirements: [
        DatadogAPIClient::V2::CustomFrameworkRequirement.new({
          name: "requirement",
          controls: [
            DatadogAPIClient::V2::CustomFrameworkControl.new({
              name: "control",
              rules_id: [
                "def-000-be9",
              ],
            }),
          ],
        }),
      ],
    }),
  }),
})
p api_instance.create_custom_framework(body)

    Instructions

    First install the library and its dependencies and then save the example to example.rb and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" rb "example.rb"
    // Create a custom framework returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::CreateCustomFrameworkRequest;
use datadog_api_client::datadogV2::model::CustomFrameworkControl;
use datadog_api_client::datadogV2::model::CustomFrameworkData;
use datadog_api_client::datadogV2::model::CustomFrameworkDataAttributes;
use datadog_api_client::datadogV2::model::CustomFrameworkRequirement;
use datadog_api_client::datadogV2::model::CustomFrameworkType;

#[tokio::main]
async fn main() {
    let body = CreateCustomFrameworkRequest::new(CustomFrameworkData::new(
        CustomFrameworkDataAttributes::new(
            "create-framework-new".to_string(),
            "name".to_string(),
            vec![CustomFrameworkRequirement::new(
                vec![CustomFrameworkControl::new(
                    "control".to_string(),
                    vec!["def-000-be9".to_string()],
                )],
                "requirement".to_string(),
            )],
            "10".to_string(),
        )
        .icon_url("test-url".to_string()),
        CustomFrameworkType::CUSTOM_FRAMEWORK,
    ));
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api.create_custom_framework(body).await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}

    Instructions

    First install the library and its dependencies and then save the example to src/main.rs and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run
    /**
 * Create a custom framework returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiCreateCustomFrameworkRequest = {
  body: {
    data: {
      type: "custom_framework",
      attributes: {
        name: "name",
        handle: "create-framework-new",
        version: "10",
        iconUrl: "test-url",
        requirements: [
          {
            name: "requirement",
            controls: [
              {
                name: "control",
                rulesId: ["def-000-be9"],
              },
            ],
          },
        ],
      },
    },
  },
};

apiInstance
  .createCustomFramework(params)
  .then((data: v2.CreateCustomFrameworkResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

    Instructions

    First install the library and its dependencies and then save the example to example.ts and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"

    Create a detection rule

    POST https://api.ap1.datadoghq.com/api/v2/security_monitoring/ruleshttps://api.ap2.datadoghq.com/api/v2/security_monitoring/ruleshttps://api.datadoghq.eu/api/v2/security_monitoring/ruleshttps://api.ddog-gov.com/api/v2/security_monitoring/ruleshttps://api.datadoghq.com/api/v2/security_monitoring/ruleshttps://api.us3.datadoghq.com/api/v2/security_monitoring/ruleshttps://api.us5.datadoghq.com/api/v2/security_monitoring/rules

    Overview

    Create a detection rule. This endpoint requires the security_monitoring_rules_write permission.

    OAuth apps require the security_monitoring_rules_write authorization scope to access this endpoint.

    Request

    Body Data (required)

    Expand All

    Field

    Type

    Description

    Option 1

    object

    Create a new rule.

    calculatedFields

    [object]

    Calculated fields. Only allowed for scheduled rules - in other words, when schedulingOptions is also defined.

    expression [required]

    string

    Expression.

    name [required]

    string

    Field name.

    cases [required]

    [object]

    Cases for generating signals.

    actions

    [object]

    Action to perform for each rule case.

    options

    object

    Options for the rule action

    duration

    int64

    Duration of the action in seconds. 0 indicates no expiration.

    flaggedIPType

    enum

    Used with the case action of type 'flag_ip'. The value specified in this field is applied as a flag to the IP addresses. Allowed enum values: SUSPICIOUS,FLAGGED

    userBehaviorName

    string

    Used with the case action of type 'user_behavior'. The value specified in this field is applied as a risk tag to all users affected by the rule.

    type

    enum

    The action type. Allowed enum values: block_ip,block_user,user_behavior,flag_ip

    condition

    string

    A case contains logical operations (>,>=, &&, ||) to determine if a signal should be generated based on the event counts in the previously defined queries.

    name

    string

    Name of the case.

    notifications

    [string]

    Notification targets.

    status [required]

    enum

    Severity of the Security Signal. Allowed enum values: info,low,medium,high,critical

    filters

    [object]

    Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules.

    action

    enum

    The type of filtering action. Allowed enum values: require,suppress

    query

    string

    Query for selecting logs to apply the filtering action.

    groupSignalsBy

    [string]

    Additional grouping to perform on top of the existing groups in the query section. Must be a subset of the existing groups.

    hasExtendedTitle

    boolean

    Whether the notifications include the triggering group-by values in their title.

    isEnabled [required]

    boolean

    Whether the rule is enabled.

    message [required]

    string

    Message for generated signals.

    name [required]

    string

    The name of the rule.

    options [required]

    object

    Options.

    complianceRuleOptions

    object

    Options for cloud_configuration rules. Fields resourceType and regoRule are mandatory when managing custom cloud_configuration rules.

    complexRule

    boolean

    Whether the rule is a complex one. Must be set to true if regoRule.resourceTypes contains more than one item. Defaults to false.

    regoRule

    object

    Rule details.

    policy [required]

    string

    The policy written in rego, see: https://www.openpolicyagent.org/docs/latest/policy-language/

    resourceTypes [required]

    [string]

    List of resource types that will be evaluated upon. Must have at least one element.

    resourceType

    string

    Main resource type to be checked by the rule. It should be specified again in regoRule.resourceTypes.

    decreaseCriticalityBasedOnEnv

    boolean

    If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise. The severity is decreased by one level: CRITICAL in production becomes HIGH in non-production, HIGH becomes MEDIUM and so on. INFO remains INFO. The decrement is applied when the environment tag of the signal starts with staging, test or dev.

    detectionMethod

    enum

    The detection method. Allowed enum values: threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold,sequence_detection

    evaluationWindow

    enum

    A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400

    hardcodedEvaluatorType

    enum

    Hardcoded evaluator type. Allowed enum values: log4shell

    impossibleTravelOptions

    object

    Options on impossible travel detection method.

    baselineUserLocations

    boolean

    If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.

    keepAlive

    enum

    Once a signal is generated, the signal will remain "open" if a case is matched at least once within this keep alive window. For third party detection method, this field is not used. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400

    maxSignalDuration

    enum

    A signal will "close" regardless of the query being matched once the time exceeds the maximum duration. This time is calculated from the first seen timestamp. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400

    newValueOptions

    object

    Options on new value detection method.

    forgetAfter

    enum

    The duration in days after which a learned value is forgotten. Allowed enum values: 1,2,7,14,21,28

    learningDuration

    enum

    The duration in days during which values are learned, and after which signals will be generated for values that weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned. Allowed enum values: 0,1,7

    learningMethod

    enum

    The learning method used to determine when signals should be generated for values that weren't learned. Allowed enum values: duration,threshold

    default: duration

    learningThreshold

    enum

    A number of occurrences after which signals will be generated for values that weren't learned. Allowed enum values: 0,1

    sequenceDetectionOptions

    object

    Options on sequence detection method.

    stepTransitions

    [object]

    Transitions defining the allowed order of steps and their evaluation windows.

    child

    string

    Name of the child step.

    evaluationWindow

    enum

    A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400

    parent

    string

    Name of the parent step.

    steps

    [object]

    Steps that define the conditions to be matched in sequence.

    condition

    string

    Condition referencing rule queries (e.g., a > 0).

    evaluationWindow

    enum

    A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400

    name

    string

    Unique name identifying the step.

    thirdPartyRuleOptions

    object

    Options on third party detection method.

    defaultNotifications

    [string]

    Notification targets for the logs that do not correspond to any of the cases.

    defaultStatus

    enum

    Severity of the Security Signal. Allowed enum values: info,low,medium,high,critical

    rootQueries

    [object]

    Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.

    groupByFields

    [string]

    Fields to group by.

    query

    string

    Query to run on logs.

    signalTitleTemplate

    string

    A template for the signal title; if omitted, the title is generated based on the case name.

    queries [required]

    [object]

    Queries for selecting logs which are part of the rule.

    aggregation

    enum

    The aggregation type. Allowed enum values: count,cardinality,sum,max,new_value,geo_data,event_count,none

    customQueryExtension

    string

    Query extension to append to the logs query.

    dataSource

    enum

    Source of events, either logs, audit trail, or Datadog events. Allowed enum values: logs,audit,app_sec_spans,spans,security_runtime,network,events

    default: logs

    distinctFields

    [string]

    Field for which the cardinality is measured. Sent as an array.

    groupByFields

    [string]

    Fields to group by.

    hasOptionalGroupByFields

    boolean

    When false, events without a group-by value are ignored by the rule. When true, events with missing group-by fields are processed with N/A, replacing the missing values.

    index

    string

    This field is currently unstable and might be removed in a minor version upgrade. The index to run the query on, if the dataSource is logs. Only used for scheduled rules - in other words, when the schedulingOptions field is present in the rule payload.

    indexes

    [string]

    List of indexes to query when the dataSource is logs. Only used for scheduled rules, such as when the schedulingOptions field is present in the rule payload.

    metric

    string

    DEPRECATED: (Deprecated) The target field to aggregate over when using the sum or max aggregations. metrics field should be used instead.

    metrics

    [string]

    Group of target fields to aggregate over when using the sum, max, geo data, or new value aggregations. The sum, max, and geo data aggregations only accept one value in this list, whereas the new value aggregation accepts up to five values.

    name

    string

    Name of the query.

    query

    string

    Query to run on logs.

    referenceTables

    [object]

    Reference tables for the rule.

    checkPresence

    boolean

    Whether to include or exclude the matched values.

    columnName

    string

    The name of the column in the reference table.

    logFieldPath

    string

    The field in the log to match against the reference table.

    ruleQueryName

    string

    The name of the query to apply the reference table to.

    tableName

    string

    The name of the reference table.

    schedulingOptions

    object

    Options for scheduled rules. When this field is present, the rule runs based on the schedule. When absent, it runs real-time on ingested logs.

    rrule

    string

    Schedule for the rule queries, written in RRULE syntax. See RFC for syntax reference.

    start

    string

    Start date for the schedule, in ISO 8601 format without timezone.

    timezone

    string

    Time zone of the start date, in the tz database format.

    tags

    [string]

    Tags for generated signals.

    thirdPartyCases

    [object]

    Cases for generating signals from third-party rules. Only available for third-party rules.

    name

    string

    Name of the case.

    notifications

    [string]

    Notification targets for each case.

    query

    string

    A query to map a third party event to this case.

    status [required]

    enum

    Severity of the Security Signal. Allowed enum values: info,low,medium,high,critical

    type

    enum

    The rule type. Allowed enum values: api_security,application_security,log_detection,workload_security

    Option 2

    object

    Create a new signal correlation rule.

    cases [required]

    [object]

    Cases for generating signals.

    actions

    [object]

    Action to perform for each rule case.

    options

    object

    Options for the rule action

    duration

    int64

    Duration of the action in seconds. 0 indicates no expiration.

    flaggedIPType

    enum

    Used with the case action of type 'flag_ip'. The value specified in this field is applied as a flag to the IP addresses. Allowed enum values: SUSPICIOUS,FLAGGED

    userBehaviorName

    string

    Used with the case action of type 'user_behavior'. The value specified in this field is applied as a risk tag to all users affected by the rule.

    type

    enum

    The action type. Allowed enum values: block_ip,block_user,user_behavior,flag_ip

    condition

    string

    A case contains logical operations (>,>=, &&, ||) to determine if a signal should be generated based on the event counts in the previously defined queries.

    name

    string

    Name of the case.

    notifications

    [string]

    Notification targets.

    status [required]

    enum

    Severity of the Security Signal. Allowed enum values: info,low,medium,high,critical

    filters

    [object]

    Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules.

    action

    enum

    The type of filtering action. Allowed enum values: require,suppress

    query

    string

    Query for selecting logs to apply the filtering action.

    hasExtendedTitle

    boolean

    Whether the notifications include the triggering group-by values in their title.

    isEnabled [required]

    boolean

    Whether the rule is enabled.

    message [required]

    string

    Message for generated signals.

    name [required]

    string

    The name of the rule.

    options [required]

    object

    Options.

    complianceRuleOptions

    object

    Options for cloud_configuration rules. Fields resourceType and regoRule are mandatory when managing custom cloud_configuration rules.

    complexRule

    boolean

    Whether the rule is a complex one. Must be set to true if regoRule.resourceTypes contains more than one item. Defaults to false.

    regoRule

    object

    Rule details.

    policy [required]

    string

    The policy written in rego, see: https://www.openpolicyagent.org/docs/latest/policy-language/

    resourceTypes [required]

    [string]

    List of resource types that will be evaluated upon. Must have at least one element.

    resourceType

    string

    Main resource type to be checked by the rule. It should be specified again in regoRule.resourceTypes.

    decreaseCriticalityBasedOnEnv

    boolean

    If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise. The severity is decreased by one level: CRITICAL in production becomes HIGH in non-production, HIGH becomes MEDIUM and so on. INFO remains INFO. The decrement is applied when the environment tag of the signal starts with staging, test or dev.

    detectionMethod

    enum

    The detection method. Allowed enum values: threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold,sequence_detection

    evaluationWindow

    enum

    A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400

    hardcodedEvaluatorType

    enum

    Hardcoded evaluator type. Allowed enum values: log4shell

    impossibleTravelOptions

    object

    Options on impossible travel detection method.

    baselineUserLocations

    boolean

    If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.

    keepAlive

    enum

    Once a signal is generated, the signal will remain "open" if a case is matched at least once within this keep alive window. For third party detection method, this field is not used. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400

    maxSignalDuration

    enum

    A signal will "close" regardless of the query being matched once the time exceeds the maximum duration. This time is calculated from the first seen timestamp. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400

    newValueOptions

    object

    Options on new value detection method.

    forgetAfter

    enum

    The duration in days after which a learned value is forgotten. Allowed enum values: 1,2,7,14,21,28

    learningDuration

    enum

    The duration in days during which values are learned, and after which signals will be generated for values that weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned. Allowed enum values: 0,1,7

    learningMethod

    enum

    The learning method used to determine when signals should be generated for values that weren't learned. Allowed enum values: duration,threshold

    default: duration

    learningThreshold

    enum

    A number of occurrences after which signals will be generated for values that weren't learned. Allowed enum values: 0,1

    sequenceDetectionOptions

    object

    Options on sequence detection method.

    stepTransitions

    [object]

    Transitions defining the allowed order of steps and their evaluation windows.

    child

    string

    Name of the child step.

    evaluationWindow

    enum

    A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400

    parent

    string

    Name of the parent step.

    steps

    [object]

    Steps that define the conditions to be matched in sequence.

    condition

    string

    Condition referencing rule queries (e.g., a > 0).

    evaluationWindow

    enum

    A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400

    name

    string

    Unique name identifying the step.

    thirdPartyRuleOptions

    object

    Options on third party detection method.

    defaultNotifications

    [string]

    Notification targets for the logs that do not correspond to any of the cases.

    defaultStatus

    enum

    Severity of the Security Signal. Allowed enum values: info,low,medium,high,critical

    rootQueries

    [object]

    Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.

    groupByFields

    [string]

    Fields to group by.

    query

    string

    Query to run on logs.

    signalTitleTemplate

    string

    A template for the signal title; if omitted, the title is generated based on the case name.

    queries [required]

    [object]

    Queries for selecting signals which are part of the rule.

    aggregation

    enum

    The aggregation type. Allowed enum values: count,cardinality,sum,max,new_value,geo_data,event_count,none

    correlatedByFields

    [string]

    Fields to group by.

    correlatedQueryIndex

    int32

    Index of the rule query used to retrieve the correlated field.

    metrics

    [string]

    Group of target fields to aggregate over.

    name

    string

    Name of the query.

    ruleId [required]

    string

    Rule ID to match on signals.

    tags

    [string]

    Tags for generated signals.

    type

    enum

    The rule type. Allowed enum values: signal_correlation

    Option 3

    object

    Create a new cloud configuration rule.

    cases [required]

    [object]

    Description of generated findings and signals (severity and channels to be notified in case of a signal). Must contain exactly one item.

    notifications

    [string]

    Notification targets for each rule case.

    status [required]

    enum

    Severity of the Security Signal. Allowed enum values: info,low,medium,high,critical

    complianceSignalOptions [required]

    object

    How to generate compliance signals. Useful for cloud_configuration rules only.

    defaultActivationStatus

    boolean

    The default activation status.

    defaultGroupByFields

    [string]

    The default group by fields.

    userActivationStatus

    boolean

    Whether signals will be sent.

    userGroupByFields

    [string]

    Fields to use to group findings by when sending signals.

    filters

    [object]

    Additional queries to filter matched events before they are processed.

    action

    enum

    The type of filtering action. Allowed enum values: require,suppress

    query

    string

    Query for selecting logs to apply the filtering action.

    isEnabled [required]

    boolean

    Whether the rule is enabled.

    message [required]

    string

    Message in markdown format for generated findings and signals.

    name [required]

    string

    The name of the rule.

    options [required]

    object

    Options on cloud configuration rules.

    complianceRuleOptions [required]

    object

    Options for cloud_configuration rules. Fields resourceType and regoRule are mandatory when managing custom cloud_configuration rules.

    complexRule

    boolean

    Whether the rule is a complex one. Must be set to true if regoRule.resourceTypes contains more than one item. Defaults to false.

    regoRule

    object

    Rule details.

    policy [required]

    string

    The policy written in rego, see: https://www.openpolicyagent.org/docs/latest/policy-language/

    resourceTypes [required]

    [string]

    List of resource types that will be evaluated upon. Must have at least one element.

    resourceType

    string

    Main resource type to be checked by the rule. It should be specified again in regoRule.resourceTypes.

    tags

    [string]

    Tags for generated findings and signals.

    type

    enum

    The rule type. Allowed enum values: cloud_configuration

    {
  "type": "cloud_configuration",
  "name": "Example-Security-Monitoring_cloud",
  "isEnabled": false,
  "cases": [
    {
      "status": "info",
      "notifications": [
        "channel"
      ]
    }
  ],
  "options": {
    "complianceRuleOptions": {
      "resourceType": "gcp_compute_disk",
      "complexRule": false,
      "regoRule": {
        "policy": "package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nmilliseconds_in_a_day := ((1000 * 60) * 60) * 24\n\neval(iam_service_account_key) = \"skip\" if {\n\tiam_service_account_key.disabled\n} else = \"pass\" if {\n\t(iam_service_account_key.resource_seen_at / milliseconds_in_a_day) - (iam_service_account_key.valid_after_time / milliseconds_in_a_day) <= 90\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n",
        "resourceTypes": [
          "gcp_compute_disk"
        ]
      }
    }
  },
  "message": "ddd",
  "tags": [
    "my:tag"
  ],
  "complianceSignalOptions": {
    "userActivationStatus": true,
    "userGroupByFields": [
      "@account_id"
    ]
  },
  "filters": [
    {
      "action": "require",
      "query": "resource_id:helo*"
    },
    {
      "action": "suppress",
      "query": "control:helo*"
    }
  ]
}
    {
  "name": "Example-Security-Monitoring",
  "queries": [
    {
      "query": "@test:true",
      "aggregation": "count",
      "groupByFields": [],
      "distinctFields": [],
      "metric": ""
    }
  ],
  "filters": [],
  "cases": [
    {
      "name": "",
      "status": "info",
      "condition": "a > 0",
      "notifications": []
    }
  ],
  "options": {
    "evaluationWindow": 900,
    "keepAlive": 3600,
    "maxSignalDuration": 86400
  },
  "message": "Test rule",
  "tags": [],
  "isEnabled": true,
  "type": "log_detection",
  "referenceTables": [
    {
      "tableName": "synthetics_test_reference_table_dont_delete",
      "columnName": "value",
      "logFieldPath": "testtag",
      "checkPresence": true,
      "ruleQueryName": "a"
    }
  ]
}
    {
  "name": "Example-Security-Monitoring",
  "type": "log_detection",
  "isEnabled": true,
  "queries": [
    {
      "aggregation": "count",
      "dataSource": "logs",
      "distinctFields": [],
      "groupByFields": [],
      "hasOptionalGroupByFields": false,
      "name": "",
      "query": "service:logs-rule-reducer source:paul test2"
    },
    {
      "aggregation": "count",
      "dataSource": "logs",
      "distinctFields": [],
      "groupByFields": [],
      "hasOptionalGroupByFields": false,
      "name": "",
      "query": "service:logs-rule-reducer source:paul test1"
    }
  ],
  "cases": [
    {
      "name": "",
      "status": "info",
      "notifications": [],
      "condition": "step_b > 0"
    }
  ],
  "message": "Logs and signals asdf",
  "options": {
    "detectionMethod": "sequence_detection",
    "evaluationWindow": 0,
    "keepAlive": 300,
    "maxSignalDuration": 600,
    "sequenceDetectionOptions": {
      "stepTransitions": [
        {
          "child": "step_b",
          "evaluationWindow": 900,
          "parent": "step_a"
        }
      ],
      "steps": [
        {
          "condition": "a > 0",
          "evaluationWindow": 60,
          "name": "step_a"
        },
        {
          "condition": "b > 0",
          "evaluationWindow": 60,
          "name": "step_b"
        }
      ]
    }
  },
  "tags": []
}

    Response

    OK

    Create a new rule.

    Expand All

    Field

    Type

    Description

    Option 1

    object

    Rule.

    calculatedFields

    [object]

    Calculated fields. Only allowed for scheduled rules - in other words, when schedulingOptions is also defined.

    expression [required]

    string

    Expression.

    name [required]

    string

    Field name.

    cases

    [object]

    Cases for generating signals.

    actions

    [object]

    Action to perform for each rule case.

    options

    object

    Options for the rule action

    duration

    int64

    Duration of the action in seconds. 0 indicates no expiration.

    flaggedIPType

    enum

    Used with the case action of type 'flag_ip'. The value specified in this field is applied as a flag to the IP addresses. Allowed enum values: SUSPICIOUS,FLAGGED

    userBehaviorName

    string

    Used with the case action of type 'user_behavior'. The value specified in this field is applied as a risk tag to all users affected by the rule.

    type

    enum

    The action type. Allowed enum values: block_ip,block_user,user_behavior,flag_ip

    condition

    string

    A rule case contains logical operations (>,>=, &&, ||) to determine if a signal should be generated based on the event counts in the previously defined queries.

    customStatus

    enum

    Severity of the Security Signal. Allowed enum values: info,low,medium,high,critical

    name

    string

    Name of the case.

    notifications

    [string]

    Notification targets for each rule case.

    status

    enum

    Severity of the Security Signal. Allowed enum values: info,low,medium,high,critical

    complianceSignalOptions

    object

    How to generate compliance signals. Useful for cloud_configuration rules only.

    defaultActivationStatus

    boolean

    The default activation status.

    defaultGroupByFields

    [string]

    The default group by fields.

    userActivationStatus

    boolean

    Whether signals will be sent.

    userGroupByFields

    [string]

    Fields to use to group findings by when sending signals.

    createdAt

    int64

    When the rule was created, timestamp in milliseconds.

    creationAuthorId

    int64

    User ID of the user who created the rule.

    customMessage

    string

    Custom/Overridden message for generated signals (used in case of Default rule update).

    customName

    string

    Custom/Overridden name of the rule (used in case of Default rule update).

    defaultTags

    [string]

    Default Tags for default rules (included in tags)

    deprecationDate

    int64

    When the rule will be deprecated, timestamp in milliseconds.

    filters

    [object]

    Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules.

    action

    enum

    The type of filtering action. Allowed enum values: require,suppress

    query

    string

    Query for selecting logs to apply the filtering action.

    groupSignalsBy

    [string]

    Additional grouping to perform on top of the existing groups in the query section. Must be a subset of the existing groups.

    hasExtendedTitle

    boolean

    Whether the notifications include the triggering group-by values in their title.

    id

    string

    The ID of the rule.

    isDefault

    boolean

    Whether the rule is included by default.

    isDeleted

    boolean

    Whether the rule has been deleted.

    isEnabled

    boolean

    Whether the rule is enabled.

    message

    string

    Message for generated signals.

    name

    string

    The name of the rule.

    options

    object

    Options.

    complianceRuleOptions

    object

    Options for cloud_configuration rules. Fields resourceType and regoRule are mandatory when managing custom cloud_configuration rules.

    complexRule

    boolean

    Whether the rule is a complex one. Must be set to true if regoRule.resourceTypes contains more than one item. Defaults to false.

    regoRule

    object

    Rule details.

    policy [required]

    string

    The policy written in rego, see: https://www.openpolicyagent.org/docs/latest/policy-language/

    resourceTypes [required]

    [string]

    List of resource types that will be evaluated upon. Must have at least one element.

    resourceType

    string

    Main resource type to be checked by the rule. It should be specified again in regoRule.resourceTypes.

    decreaseCriticalityBasedOnEnv

    boolean

    If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise. The severity is decreased by one level: CRITICAL in production becomes HIGH in non-production, HIGH becomes MEDIUM and so on. INFO remains INFO. The decrement is applied when the environment tag of the signal starts with staging, test or dev.

    detectionMethod

    enum

    The detection method. Allowed enum values: threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold,sequence_detection

    evaluationWindow

    enum

    A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400

    hardcodedEvaluatorType

    enum

    Hardcoded evaluator type. Allowed enum values: log4shell

    impossibleTravelOptions

    object

    Options on impossible travel detection method.

    baselineUserLocations

    boolean

    If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.

    keepAlive

    enum

    Once a signal is generated, the signal will remain "open" if a case is matched at least once within this keep alive window. For third party detection method, this field is not used. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400

    maxSignalDuration

    enum

    A signal will "close" regardless of the query being matched once the time exceeds the maximum duration. This time is calculated from the first seen timestamp. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400

    newValueOptions

    object

    Options on new value detection method.

    forgetAfter

    enum

    The duration in days after which a learned value is forgotten. Allowed enum values: 1,2,7,14,21,28

    learningDuration

    enum

    The duration in days during which values are learned, and after which signals will be generated for values that weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned. Allowed enum values: 0,1,7

    learningMethod

    enum

    The learning method used to determine when signals should be generated for values that weren't learned. Allowed enum values: duration,threshold

    default: duration

    learningThreshold

    enum

    A number of occurrences after which signals will be generated for values that weren't learned. Allowed enum values: 0,1

    sequenceDetectionOptions

    object

    Options on sequence detection method.

    stepTransitions

    [object]

    Transitions defining the allowed order of steps and their evaluation windows.

    child

    string

    Name of the child step.

    evaluationWindow

    enum

    A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400

    parent

    string

    Name of the parent step.

    steps

    [object]

    Steps that define the conditions to be matched in sequence.

    condition

    string

    Condition referencing rule queries (e.g., a > 0).

    evaluationWindow

    enum

    A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400

    name

    string

    Unique name identifying the step.

    thirdPartyRuleOptions

    object

    Options on third party detection method.

    defaultNotifications

    [string]

    Notification targets for the logs that do not correspond to any of the cases.

    defaultStatus

    enum

    Severity of the Security Signal. Allowed enum values: info,low,medium,high,critical

    rootQueries

    [object]

    Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.

    groupByFields

    [string]

    Fields to group by.

    query

    string

    Query to run on logs.

    signalTitleTemplate

    string

    A template for the signal title; if omitted, the title is generated based on the case name.

    queries

    [object]

    Queries for selecting logs which are part of the rule.

    aggregation

    enum

    The aggregation type. Allowed enum values: count,cardinality,sum,max,new_value,geo_data,event_count,none

    customQueryExtension

    string

    Query extension to append to the logs query.

    dataSource

    enum

    Source of events, either logs, audit trail, or Datadog events. Allowed enum values: logs,audit,app_sec_spans,spans,security_runtime,network,events

    default: logs

    distinctFields

    [string]

    Field for which the cardinality is measured. Sent as an array.

    groupByFields

    [string]

    Fields to group by.

    hasOptionalGroupByFields

    boolean

    When false, events without a group-by value are ignored by the rule. When true, events with missing group-by fields are processed with N/A, replacing the missing values.

    index

    string

    This field is currently unstable and might be removed in a minor version upgrade. The index to run the query on, if the dataSource is logs. Only used for scheduled rules - in other words, when the schedulingOptions field is present in the rule payload.

    indexes

    [string]

    List of indexes to query when the dataSource is logs. Only used for scheduled rules, such as when the schedulingOptions field is present in the rule payload.

    metric

    string

    DEPRECATED: (Deprecated) The target field to aggregate over when using the sum or max aggregations. metrics field should be used instead.

    metrics

    [string]

    Group of target fields to aggregate over when using the sum, max, geo data, or new value aggregations. The sum, max, and geo data aggregations only accept one value in this list, whereas the new value aggregation accepts up to five values.

    name

    string

    Name of the query.

    query

    string

    Query to run on logs.

    referenceTables

    [object]

    Reference tables for the rule.

    checkPresence

    boolean

    Whether to include or exclude the matched values.

    columnName

    string

    The name of the column in the reference table.

    logFieldPath

    string

    The field in the log to match against the reference table.

    ruleQueryName

    string

    The name of the query to apply the reference table to.

    tableName

    string

    The name of the reference table.

    schedulingOptions

    object

    Options for scheduled rules. When this field is present, the rule runs based on the schedule. When absent, it runs real-time on ingested logs.

    rrule

    string

    Schedule for the rule queries, written in RRULE syntax. See RFC for syntax reference.

    start

    string

    Start date for the schedule, in ISO 8601 format without timezone.

    timezone

    string

    Time zone of the start date, in the tz database format.

    tags

    [string]

    Tags for generated signals.

    thirdPartyCases

    [object]

    Cases for generating signals from third-party rules. Only available for third-party rules.

    customStatus

    enum

    Severity of the Security Signal. Allowed enum values: info,low,medium,high,critical

    name

    string

    Name of the case.

    notifications

    [string]

    Notification targets for each rule case.

    query

    string

    A query to map a third party event to this case.

    status

    enum

    Severity of the Security Signal. Allowed enum values: info,low,medium,high,critical

    type

    enum

    The rule type. Allowed enum values: log_detection,infrastructure_configuration,workload_security,cloud_configuration,application_security,api_security

    updateAuthorId

    int64

    User ID of the user who updated the rule.

    updatedAt

    int64

    The date the rule was last updated, in milliseconds.

    version

    int64

    The version of the rule.

    Option 2

    object

    Rule.

    cases

    [object]

    Cases for generating signals.

    actions

    [object]

    Action to perform for each rule case.

    options

    object

    Options for the rule action

    duration

    int64

    Duration of the action in seconds. 0 indicates no expiration.

    flaggedIPType

    enum

    Used with the case action of type 'flag_ip'. The value specified in this field is applied as a flag to the IP addresses. Allowed enum values: SUSPICIOUS,FLAGGED

    userBehaviorName

    string

    Used with the case action of type 'user_behavior'. The value specified in this field is applied as a risk tag to all users affected by the rule.

    type

    enum

    The action type. Allowed enum values: block_ip,block_user,user_behavior,flag_ip

    condition

    string

    A rule case contains logical operations (>,>=, &&, ||) to determine if a signal should be generated based on the event counts in the previously defined queries.

    customStatus

    enum

    Severity of the Security Signal. Allowed enum values: info,low,medium,high,critical

    name

    string

    Name of the case.

    notifications

    [string]

    Notification targets for each rule case.

    status

    enum

    Severity of the Security Signal. Allowed enum values: info,low,medium,high,critical

    createdAt

    int64

    When the rule was created, timestamp in milliseconds.

    creationAuthorId

    int64

    User ID of the user who created the rule.

    customMessage

    string

    Custom/Overridden message for generated signals (used in case of Default rule update).

    customName

    string

    Custom/Overridden name of the rule (used in case of Default rule update).

    deprecationDate

    int64

    When the rule will be deprecated, timestamp in milliseconds.

    filters

    [object]

    Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules.

    action

    enum

    The type of filtering action. Allowed enum values: require,suppress

    query

    string

    Query for selecting logs to apply the filtering action.

    hasExtendedTitle

    boolean

    Whether the notifications include the triggering group-by values in their title.

    id

    string

    The ID of the rule.

    isDefault

    boolean

    Whether the rule is included by default.

    isDeleted

    boolean

    Whether the rule has been deleted.

    isEnabled

    boolean

    Whether the rule is enabled.

    message

    string

    Message for generated signals.

    name

    string

    The name of the rule.

    options

    object

    Options.

    complianceRuleOptions

    object

    Options for cloud_configuration rules. Fields resourceType and regoRule are mandatory when managing custom cloud_configuration rules.

    complexRule

    boolean

    Whether the rule is a complex one. Must be set to true if regoRule.resourceTypes contains more than one item. Defaults to false.

    regoRule

    object

    Rule details.

    policy [required]

    string

    The policy written in rego, see: https://www.openpolicyagent.org/docs/latest/policy-language/

    resourceTypes [required]

    [string]

    List of resource types that will be evaluated upon. Must have at least one element.

    resourceType

    string

    Main resource type to be checked by the rule. It should be specified again in regoRule.resourceTypes.

    decreaseCriticalityBasedOnEnv

    boolean

    If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise. The severity is decreased by one level: CRITICAL in production becomes HIGH in non-production, HIGH becomes MEDIUM and so on. INFO remains INFO. The decrement is applied when the environment tag of the signal starts with staging, test or dev.

    detectionMethod

    enum

    The detection method. Allowed enum values: threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold,sequence_detection

    evaluationWindow

    enum

    A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400

    hardcodedEvaluatorType

    enum

    Hardcoded evaluator type. Allowed enum values: log4shell

    impossibleTravelOptions

    object

    Options on impossible travel detection method.

    baselineUserLocations

    boolean

    If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.

    keepAlive

    enum

    Once a signal is generated, the signal will remain "open" if a case is matched at least once within this keep alive window. For third party detection method, this field is not used. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400

    maxSignalDuration

    enum

    A signal will "close" regardless of the query being matched once the time exceeds the maximum duration. This time is calculated from the first seen timestamp. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400

    newValueOptions

    object

    Options on new value detection method.

    forgetAfter

    enum

    The duration in days after which a learned value is forgotten. Allowed enum values: 1,2,7,14,21,28

    learningDuration

    enum

    The duration in days during which values are learned, and after which signals will be generated for values that weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned. Allowed enum values: 0,1,7

    learningMethod

    enum

    The learning method used to determine when signals should be generated for values that weren't learned. Allowed enum values: duration,threshold

    default: duration

    learningThreshold

    enum

    A number of occurrences after which signals will be generated for values that weren't learned. Allowed enum values: 0,1

    sequenceDetectionOptions

    object

    Options on sequence detection method.

    stepTransitions

    [object]

    Transitions defining the allowed order of steps and their evaluation windows.

    child

    string

    Name of the child step.

    evaluationWindow

    enum

    A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400

    parent

    string

    Name of the parent step.

    steps

    [object]

    Steps that define the conditions to be matched in sequence.

    condition

    string

    Condition referencing rule queries (e.g., a > 0).

    evaluationWindow

    enum

    A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400

    name

    string

    Unique name identifying the step.

    thirdPartyRuleOptions

    object

    Options on third party detection method.

    defaultNotifications

    [string]

    Notification targets for the logs that do not correspond to any of the cases.

    defaultStatus

    enum

    Severity of the Security Signal. Allowed enum values: info,low,medium,high,critical

    rootQueries

    [object]

    Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.

    groupByFields

    [string]

    Fields to group by.

    query

    string

    Query to run on logs.

    signalTitleTemplate

    string

    A template for the signal title; if omitted, the title is generated based on the case name.

    queries

    [object]

    Queries for selecting logs which are part of the rule.

    aggregation

    enum

    The aggregation type. Allowed enum values: count,cardinality,sum,max,new_value,geo_data,event_count,none

    correlatedByFields

    [string]

    Fields to correlate by.

    correlatedQueryIndex

    int32

    Index of the rule query used to retrieve the correlated field.

    defaultRuleId

    string

    Default Rule ID to match on signals.

    distinctFields

    [string]

    Field for which the cardinality is measured. Sent as an array.

    groupByFields

    [string]

    Fields to group by.

    metrics

    [string]

    Group of target fields to aggregate over.

    name

    string

    Name of the query.

    ruleId

    string

    Rule ID to match on signals.

    tags

    [string]

    Tags for generated signals.

    type

    enum

    The rule type. Allowed enum values: signal_correlation

    updateAuthorId

    int64

    User ID of the user who updated the rule.

    version

    int64

    The version of the rule.

    {
  "calculatedFields": [
    {
      "expression": "@request_end_timestamp - @request_start_timestamp",
      "name": "response_time"
    }
  ],
  "cases": [
    {
      "actions": [
        {
          "options": {
            "duration": 0,
            "flaggedIPType": "FLAGGED",
            "userBehaviorName": "string"
          },
          "type": "string"
        }
      ],
      "condition": "string",
      "customStatus": "critical",
      "name": "string",
      "notifications": [],
      "status": "critical"
    }
  ],
  "complianceSignalOptions": {
    "defaultActivationStatus": false,
    "defaultGroupByFields": [],
    "userActivationStatus": false,
    "userGroupByFields": []
  },
  "createdAt": "integer",
  "creationAuthorId": "integer",
  "customMessage": "string",
  "customName": "string",
  "defaultTags": [
    "security:attacks"
  ],
  "deprecationDate": "integer",
  "filters": [
    {
      "action": "string",
      "query": "string"
    }
  ],
  "groupSignalsBy": [
    "service"
  ],
  "hasExtendedTitle": false,
  "id": "string",
  "isDefault": false,
  "isDeleted": false,
  "isEnabled": false,
  "message": "string",
  "name": "string",
  "options": {
    "complianceRuleOptions": {
      "complexRule": false,
      "regoRule": {
        "policy": "package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(resource) = \"skip\" if {\n  # Logic that evaluates to true if the resource should be skipped\n  true\n} else = \"pass\" {\n  # Logic that evaluates to true if the resource is compliant\n  true\n} else = \"fail\" {\n  # Logic that evaluates to true if the resource is not compliant\n  true\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n  some resource in input.resources[input.main_resource_type]\n  result := dd_output.format(resource, eval(resource))\n}",
        "resourceTypes": [
          "gcp_iam_service_account",
          "gcp_iam_policy"
        ]
      },
      "resourceType": "aws_acm"
    },
    "decreaseCriticalityBasedOnEnv": false,
    "detectionMethod": "string",
    "evaluationWindow": "integer",
    "hardcodedEvaluatorType": "string",
    "impossibleTravelOptions": {
      "baselineUserLocations": true
    },
    "keepAlive": "integer",
    "maxSignalDuration": "integer",
    "newValueOptions": {
      "forgetAfter": "integer",
      "learningDuration": "integer",
      "learningMethod": "string",
      "learningThreshold": "integer"
    },
    "sequenceDetectionOptions": {
      "stepTransitions": [
        {
          "child": "string",
          "evaluationWindow": "integer",
          "parent": "string"
        }
      ],
      "steps": [
        {
          "condition": "string",
          "evaluationWindow": "integer",
          "name": "string"
        }
      ]
    },
    "thirdPartyRuleOptions": {
      "defaultNotifications": [],
      "defaultStatus": "critical",
      "rootQueries": [
        {
          "groupByFields": [],
          "query": "source:cloudtrail"
        }
      ],
      "signalTitleTemplate": "string"
    }
  },
  "queries": [
    {
      "aggregation": "string",
      "customQueryExtension": "a > 3",
      "dataSource": "logs",
      "distinctFields": [],
      "groupByFields": [],
      "hasOptionalGroupByFields": false,
      "index": "string",
      "indexes": [],
      "metric": "string",
      "metrics": [],
      "name": "string",
      "query": "a > 3"
    }
  ],
  "referenceTables": [
    {
      "checkPresence": false,
      "columnName": "string",
      "logFieldPath": "string",
      "ruleQueryName": "string",
      "tableName": "string"
    }
  ],
  "schedulingOptions": {
    "rrule": "FREQ=HOURLY;INTERVAL=1;",
    "start": "2025-07-14T12:00:00",
    "timezone": "America/New_York"
  },
  "tags": [],
  "thirdPartyCases": [
    {
      "customStatus": "critical",
      "name": "string",
      "notifications": [],
      "query": "string",
      "status": "critical"
    }
  ],
  "type": "string",
  "updateAuthorId": "integer",
  "updatedAt": "integer",
  "version": "integer"
}

    Bad Request

    API error response.

    Expand All

    Field

    Type

    Description

    errors [required]

    [string]

    A list of errors.

    {
  "errors": [
    "Bad Request"
  ]
}

    Not Authorized

    API error response.

    Expand All

    Field

    Type

    Description

    errors [required]

    [string]

    A list of errors.

    {
  "errors": [
    "Bad Request"
  ]
}

    Too many requests

    API error response.

    Expand All

    Field

    Type

    Description

    errors [required]

    [string]

    A list of errors.

    {
  "errors": [
    "Bad Request"
  ]
}

    Code Example

                              # Curl command
    curl -X POST "https://api.ap1.datadoghq.com"https://api.ap2.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/rules" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "type": "cloud_configuration",
  "name": "Example-Security-Monitoring_cloud",
  "isEnabled": false,
  "cases": [
    {
      "status": "info",
      "notifications": [
        "channel"
      ]
    }
  ],
  "options": {
    "complianceRuleOptions": {
      "resourceType": "gcp_compute_disk",
      "complexRule": false,
      "regoRule": {
        "policy": "package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nmilliseconds_in_a_day := ((1000 * 60) * 60) * 24\n\neval(iam_service_account_key) = \"skip\" if {\n\tiam_service_account_key.disabled\n} else = \"pass\" if {\n\t(iam_service_account_key.resource_seen_at / milliseconds_in_a_day) - (iam_service_account_key.valid_after_time / milliseconds_in_a_day) <= 90\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n",
        "resourceTypes": [
          "gcp_compute_disk"
        ]
      }
    }
  },
  "message": "ddd",
  "tags": [
    "my:tag"
  ],
  "complianceSignalOptions": {
    "userActivationStatus": true,
    "userGroupByFields": [
      "@account_id"
    ]
  },
  "filters": [
    {
      "action": "require",
      "query": "resource_id:helo*"
    },
    {
      "action": "suppress",
      "query": "control:helo*"
    }
  ]
}
EOF
    
                        
                              # Curl command
    curl -X POST "https://api.ap1.datadoghq.com"https://api.ap2.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/rules" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "name": "Example-Security-Monitoring",
  "queries": [
    {
      "query": "@test:true",
      "aggregation": "count",
      "groupByFields": [],
      "distinctFields": [],
      "metric": ""
    }
  ],
  "filters": [],
  "cases": [
    {
      "name": "",
      "status": "info",
      "condition": "a > 0",
      "notifications": []
    }
  ],
  "options": {
    "evaluationWindow": 900,
    "keepAlive": 3600,
    "maxSignalDuration": 86400
  },
  "message": "Test rule",
  "tags": [],
  "isEnabled": true,
  "type": "log_detection",
  "referenceTables": [
    {
      "tableName": "synthetics_test_reference_table_dont_delete",
      "columnName": "value",
      "logFieldPath": "testtag",
      "checkPresence": true,
      "ruleQueryName": "a"
    }
  ]
}
EOF
    
                        
                              # Curl command
    curl -X POST "https://api.ap1.datadoghq.com"https://api.ap2.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/rules" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "name": "Example-Security-Monitoring",
  "type": "log_detection",
  "isEnabled": true,
  "queries": [
    {
      "aggregation": "count",
      "dataSource": "logs",
      "distinctFields": [],
      "groupByFields": [],
      "hasOptionalGroupByFields": false,
      "name": "",
      "query": "service:logs-rule-reducer source:paul test2"
    },
    {
      "aggregation": "count",
      "dataSource": "logs",
      "distinctFields": [],
      "groupByFields": [],
      "hasOptionalGroupByFields": false,
      "name": "",
      "query": "service:logs-rule-reducer source:paul test1"
    }
  ],
  "cases": [
    {
      "name": "",
      "status": "info",
      "notifications": [],
      "condition": "step_b > 0"
    }
  ],
  "message": "Logs and signals asdf",
  "options": {
    "detectionMethod": "sequence_detection",
    "evaluationWindow": 0,
    "keepAlive": 300,
    "maxSignalDuration": 600,
    "sequenceDetectionOptions": {
      "stepTransitions": [
        {
          "child": "step_b",
          "evaluationWindow": 900,
          "parent": "step_a"
        }
      ],
      "steps": [
        {
          "condition": "a > 0",
          "evaluationWindow": 60,
          "name": "step_a"
        },
        {
          "condition": "b > 0",
          "evaluationWindow": 60,
          "name": "step_b"
        }
      ]
    }
  },
  "tags": []
}
EOF
    
                        
    // Create a cloud_configuration rule returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	body := datadogV2.SecurityMonitoringRuleCreatePayload{
		CloudConfigurationRuleCreatePayload: &datadogV2.CloudConfigurationRuleCreatePayload{
			Type:      datadogV2.CLOUDCONFIGURATIONRULETYPE_CLOUD_CONFIGURATION.Ptr(),
			Name:      "Example-Security-Monitoring_cloud",
			IsEnabled: false,
			Cases: []datadogV2.CloudConfigurationRuleCaseCreate{
				{
					Status: datadogV2.SECURITYMONITORINGRULESEVERITY_INFO,
					Notifications: []string{
						"channel",
					},
				},
			},
			Options: datadogV2.CloudConfigurationRuleOptions{
				ComplianceRuleOptions: datadogV2.CloudConfigurationComplianceRuleOptions{
					ResourceType: datadog.PtrString("gcp_compute_disk"),
					ComplexRule:  datadog.PtrBool(false),
					RegoRule: &datadogV2.CloudConfigurationRegoRule{
						Policy: `package datadog

import data.datadog.output as dd_output

import future.keywords.contains
import future.keywords.if
import future.keywords.in

milliseconds_in_a_day := ((1000 * 60) * 60) * 24

eval(iam_service_account_key) = "skip" if {
	iam_service_account_key.disabled
} else = "pass" if {
	(iam_service_account_key.resource_seen_at / milliseconds_in_a_day) - (iam_service_account_key.valid_after_time / milliseconds_in_a_day) <= 90
} else = "fail"

# This part remains unchanged for all rules
results contains result if {
	some resource in input.resources[input.main_resource_type]
	result := dd_output.format(resource, eval(resource))
}
`,
						ResourceTypes: []string{
							"gcp_compute_disk",
						},
					},
				},
			},
			Message: "ddd",
			Tags: []string{
				"my:tag",
			},
			ComplianceSignalOptions: datadogV2.CloudConfigurationRuleComplianceSignalOptions{
				UserActivationStatus: *datadog.NewNullableBool(datadog.PtrBool(true)),
				UserGroupByFields: *datadog.NewNullableList(&[]string{
					"@account_id",
				}),
			},
			Filters: []datadogV2.SecurityMonitoringFilter{
				{
					Action: datadogV2.SECURITYMONITORINGFILTERACTION_REQUIRE.Ptr(),
					Query:  datadog.PtrString("resource_id:helo*"),
				},
				{
					Action: datadogV2.SECURITYMONITORINGFILTERACTION_SUPPRESS.Ptr(),
					Query:  datadog.PtrString("control:helo*"),
				},
			},
		}}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.CreateSecurityMonitoringRule(ctx, body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.CreateSecurityMonitoringRule`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.CreateSecurityMonitoringRule`:\n%s\n", responseContent)
}

    // Create a detection rule returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	body := datadogV2.SecurityMonitoringRuleCreatePayload{
		SecurityMonitoringStandardRuleCreatePayload: &datadogV2.SecurityMonitoringStandardRuleCreatePayload{
			Name: "Example-Security-Monitoring",
			Queries: []datadogV2.SecurityMonitoringStandardRuleQuery{
				{
					Query:          datadog.PtrString("@test:true"),
					Aggregation:    datadogV2.SECURITYMONITORINGRULEQUERYAGGREGATION_COUNT.Ptr(),
					GroupByFields:  []string{},
					DistinctFields: []string{},
					Metric:         datadog.PtrString(""),
				},
			},
			Filters: []datadogV2.SecurityMonitoringFilter{},
			Cases: []datadogV2.SecurityMonitoringRuleCaseCreate{
				{
					Name:          datadog.PtrString(""),
					Status:        datadogV2.SECURITYMONITORINGRULESEVERITY_INFO,
					Condition:     datadog.PtrString("a > 0"),
					Notifications: []string{},
				},
			},
			Options: datadogV2.SecurityMonitoringRuleOptions{
				EvaluationWindow:  datadogV2.SECURITYMONITORINGRULEEVALUATIONWINDOW_FIFTEEN_MINUTES.Ptr(),
				KeepAlive:         datadogV2.SECURITYMONITORINGRULEKEEPALIVE_ONE_HOUR.Ptr(),
				MaxSignalDuration: datadogV2.SECURITYMONITORINGRULEMAXSIGNALDURATION_ONE_DAY.Ptr(),
			},
			Message:   "Test rule",
			Tags:      []string{},
			IsEnabled: true,
			Type:      datadogV2.SECURITYMONITORINGRULETYPECREATE_LOG_DETECTION.Ptr(),
			ReferenceTables: []datadogV2.SecurityMonitoringReferenceTable{
				{
					TableName:     datadog.PtrString("synthetics_test_reference_table_dont_delete"),
					ColumnName:    datadog.PtrString("value"),
					LogFieldPath:  datadog.PtrString("testtag"),
					CheckPresence: datadog.PtrBool(true),
					RuleQueryName: datadog.PtrString("a"),
				},
			},
		}}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.CreateSecurityMonitoringRule(ctx, body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.CreateSecurityMonitoringRule`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.CreateSecurityMonitoringRule`:\n%s\n", responseContent)
}

    // Create a detection rule with detection method 'sequence_detection' returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	body := datadogV2.SecurityMonitoringRuleCreatePayload{
		SecurityMonitoringStandardRuleCreatePayload: &datadogV2.SecurityMonitoringStandardRuleCreatePayload{
			Name:      "Example-Security-Monitoring",
			Type:      datadogV2.SECURITYMONITORINGRULETYPECREATE_LOG_DETECTION.Ptr(),
			IsEnabled: true,
			Queries: []datadogV2.SecurityMonitoringStandardRuleQuery{
				{
					Aggregation:              datadogV2.SECURITYMONITORINGRULEQUERYAGGREGATION_COUNT.Ptr(),
					DataSource:               datadogV2.SECURITYMONITORINGSTANDARDDATASOURCE_LOGS.Ptr(),
					DistinctFields:           []string{},
					GroupByFields:            []string{},
					HasOptionalGroupByFields: datadog.PtrBool(false),
					Name:                     datadog.PtrString(""),
					Query:                    datadog.PtrString("service:logs-rule-reducer source:paul test2"),
				},
				{
					Aggregation:              datadogV2.SECURITYMONITORINGRULEQUERYAGGREGATION_COUNT.Ptr(),
					DataSource:               datadogV2.SECURITYMONITORINGSTANDARDDATASOURCE_LOGS.Ptr(),
					DistinctFields:           []string{},
					GroupByFields:            []string{},
					HasOptionalGroupByFields: datadog.PtrBool(false),
					Name:                     datadog.PtrString(""),
					Query:                    datadog.PtrString("service:logs-rule-reducer source:paul test1"),
				},
			},
			Cases: []datadogV2.SecurityMonitoringRuleCaseCreate{
				{
					Name:          datadog.PtrString(""),
					Status:        datadogV2.SECURITYMONITORINGRULESEVERITY_INFO,
					Notifications: []string{},
					Condition:     datadog.PtrString("step_b > 0"),
				},
			},
			Message: "Logs and signals asdf",
			Options: datadogV2.SecurityMonitoringRuleOptions{
				DetectionMethod:   datadogV2.SECURITYMONITORINGRULEDETECTIONMETHOD_SEQUENCE_DETECTION.Ptr(),
				EvaluationWindow:  datadogV2.SECURITYMONITORINGRULEEVALUATIONWINDOW_ZERO_MINUTES.Ptr(),
				KeepAlive:         datadogV2.SECURITYMONITORINGRULEKEEPALIVE_FIVE_MINUTES.Ptr(),
				MaxSignalDuration: datadogV2.SECURITYMONITORINGRULEMAXSIGNALDURATION_TEN_MINUTES.Ptr(),
				SequenceDetectionOptions: &datadogV2.SecurityMonitoringRuleSequenceDetectionOptions{
					StepTransitions: []datadogV2.SecurityMonitoringRuleSequenceDetectionStepTransition{
						{
							Child:            datadog.PtrString("step_b"),
							EvaluationWindow: datadogV2.SECURITYMONITORINGRULEEVALUATIONWINDOW_FIFTEEN_MINUTES.Ptr(),
							Parent:           datadog.PtrString("step_a"),
						},
					},
					Steps: []datadogV2.SecurityMonitoringRuleSequenceDetectionStep{
						{
							Condition:        datadog.PtrString("a > 0"),
							EvaluationWindow: datadogV2.SECURITYMONITORINGRULEEVALUATIONWINDOW_ONE_MINUTE.Ptr(),
							Name:             datadog.PtrString("step_a"),
						},
						{
							Condition:        datadog.PtrString("b > 0"),
							EvaluationWindow: datadogV2.SECURITYMONITORINGRULEEVALUATIONWINDOW_ONE_MINUTE.Ptr(),
							Name:             datadog.PtrString("step_b"),
						},
					},
				},
			},
			Tags: []string{},
		}}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.CreateSecurityMonitoringRule(ctx, body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.CreateSecurityMonitoringRule`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.CreateSecurityMonitoringRule`:\n%s\n", responseContent)
}

    Instructions

    First install the library and its dependencies and then save the example to main.go and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
    // Create a cloud_configuration rule returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.CloudConfigurationComplianceRuleOptions;
import com.datadog.api.client.v2.model.CloudConfigurationRegoRule;
import com.datadog.api.client.v2.model.CloudConfigurationRuleCaseCreate;
import com.datadog.api.client.v2.model.CloudConfigurationRuleComplianceSignalOptions;
import com.datadog.api.client.v2.model.CloudConfigurationRuleCreatePayload;
import com.datadog.api.client.v2.model.CloudConfigurationRuleOptions;
import com.datadog.api.client.v2.model.CloudConfigurationRuleType;
import com.datadog.api.client.v2.model.SecurityMonitoringFilter;
import com.datadog.api.client.v2.model.SecurityMonitoringFilterAction;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleCreatePayload;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleResponse;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleSeverity;
import java.util.Arrays;
import java.util.Collections;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    SecurityMonitoringRuleCreatePayload body =
        new SecurityMonitoringRuleCreatePayload(
            new CloudConfigurationRuleCreatePayload()
                .type(CloudConfigurationRuleType.CLOUD_CONFIGURATION)
                .name("Example-Security-Monitoring_cloud")
                .isEnabled(false)
                .cases(
                    Collections.singletonList(
                        new CloudConfigurationRuleCaseCreate()
                            .status(SecurityMonitoringRuleSeverity.INFO)
                            .notifications(Collections.singletonList("channel"))))
                .options(
                    new CloudConfigurationRuleOptions()
                        .complianceRuleOptions(
                            new CloudConfigurationComplianceRuleOptions()
                                .resourceType("gcp_compute_disk")
                                .complexRule(false)
                                .regoRule(
                                    new CloudConfigurationRegoRule()
                                        .policy(
                                            """
package datadog

import data.datadog.output as dd_output

import future.keywords.contains
import future.keywords.if
import future.keywords.in

milliseconds_in_a_day := ((1000 * 60) * 60) * 24

eval(iam_service_account_key) = "skip" if {
	iam_service_account_key.disabled
} else = "pass" if {
	(iam_service_account_key.resource_seen_at / milliseconds_in_a_day) - (iam_service_account_key.valid_after_time / milliseconds_in_a_day) <= 90
} else = "fail"

# This part remains unchanged for all rules
results contains result if {
	some resource in input.resources[input.main_resource_type]
	result := dd_output.format(resource, eval(resource))
}

""")
                                        .resourceTypes(
                                            Collections.singletonList("gcp_compute_disk")))))
                .message("ddd")
                .tags(Collections.singletonList("my:tag"))
                .complianceSignalOptions(
                    new CloudConfigurationRuleComplianceSignalOptions()
                        .userActivationStatus(true)
                        .userGroupByFields(Collections.singletonList("@account_id")))
                .filters(
                    Arrays.asList(
                        new SecurityMonitoringFilter()
                            .action(SecurityMonitoringFilterAction.REQUIRE)
                            .query("resource_id:helo*"),
                        new SecurityMonitoringFilter()
                            .action(SecurityMonitoringFilterAction.SUPPRESS)
                            .query("control:helo*"))));

    try {
      SecurityMonitoringRuleResponse result = apiInstance.createSecurityMonitoringRule(body);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#createSecurityMonitoringRule");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

    // Create a detection rule returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityMonitoringReferenceTable;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleCaseCreate;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleCreatePayload;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleEvaluationWindow;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleKeepAlive;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleMaxSignalDuration;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleOptions;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleQueryAggregation;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleResponse;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleSeverity;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleTypeCreate;
import com.datadog.api.client.v2.model.SecurityMonitoringStandardRuleCreatePayload;
import com.datadog.api.client.v2.model.SecurityMonitoringStandardRuleQuery;
import java.util.Collections;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    SecurityMonitoringRuleCreatePayload body =
        new SecurityMonitoringRuleCreatePayload(
            new SecurityMonitoringStandardRuleCreatePayload()
                .name("Example-Security-Monitoring")
                .queries(
                    Collections.singletonList(
                        new SecurityMonitoringStandardRuleQuery()
                            .query("@test:true")
                            .aggregation(SecurityMonitoringRuleQueryAggregation.COUNT)
                            .metric("")))
                .cases(
                    Collections.singletonList(
                        new SecurityMonitoringRuleCaseCreate()
                            .name("")
                            .status(SecurityMonitoringRuleSeverity.INFO)
                            .condition("a > 0")))
                .options(
                    new SecurityMonitoringRuleOptions()
                        .evaluationWindow(SecurityMonitoringRuleEvaluationWindow.FIFTEEN_MINUTES)
                        .keepAlive(SecurityMonitoringRuleKeepAlive.ONE_HOUR)
                        .maxSignalDuration(SecurityMonitoringRuleMaxSignalDuration.ONE_DAY))
                .message("Test rule")
                .isEnabled(true)
                .type(SecurityMonitoringRuleTypeCreate.LOG_DETECTION)
                .referenceTables(
                    Collections.singletonList(
                        new SecurityMonitoringReferenceTable()
                            .tableName("synthetics_test_reference_table_dont_delete")
                            .columnName("value")
                            .logFieldPath("testtag")
                            .checkPresence(true)
                            .ruleQueryName("a"))));

    try {
      SecurityMonitoringRuleResponse result = apiInstance.createSecurityMonitoringRule(body);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#createSecurityMonitoringRule");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

    // Create a detection rule with detection method 'sequence_detection' returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleCaseCreate;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleCreatePayload;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleDetectionMethod;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleEvaluationWindow;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleKeepAlive;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleMaxSignalDuration;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleOptions;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleQueryAggregation;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleResponse;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleSequenceDetectionOptions;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleSequenceDetectionStep;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleSequenceDetectionStepTransition;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleSeverity;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleTypeCreate;
import com.datadog.api.client.v2.model.SecurityMonitoringStandardDataSource;
import com.datadog.api.client.v2.model.SecurityMonitoringStandardRuleCreatePayload;
import com.datadog.api.client.v2.model.SecurityMonitoringStandardRuleQuery;
import java.util.Arrays;
import java.util.Collections;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    SecurityMonitoringRuleCreatePayload body =
        new SecurityMonitoringRuleCreatePayload(
            new SecurityMonitoringStandardRuleCreatePayload()
                .name("Example-Security-Monitoring")
                .type(SecurityMonitoringRuleTypeCreate.LOG_DETECTION)
                .isEnabled(true)
                .queries(
                    Arrays.asList(
                        new SecurityMonitoringStandardRuleQuery()
                            .aggregation(SecurityMonitoringRuleQueryAggregation.COUNT)
                            .dataSource(SecurityMonitoringStandardDataSource.LOGS)
                            .hasOptionalGroupByFields(false)
                            .name("")
                            .query("service:logs-rule-reducer source:paul test2"),
                        new SecurityMonitoringStandardRuleQuery()
                            .aggregation(SecurityMonitoringRuleQueryAggregation.COUNT)
                            .dataSource(SecurityMonitoringStandardDataSource.LOGS)
                            .hasOptionalGroupByFields(false)
                            .name("")
                            .query("service:logs-rule-reducer source:paul test1")))
                .cases(
                    Collections.singletonList(
                        new SecurityMonitoringRuleCaseCreate()
                            .name("")
                            .status(SecurityMonitoringRuleSeverity.INFO)
                            .condition("step_b > 0")))
                .message("Logs and signals asdf")
                .options(
                    new SecurityMonitoringRuleOptions()
                        .detectionMethod(SecurityMonitoringRuleDetectionMethod.SEQUENCE_DETECTION)
                        .evaluationWindow(SecurityMonitoringRuleEvaluationWindow.ZERO_MINUTES)
                        .keepAlive(SecurityMonitoringRuleKeepAlive.FIVE_MINUTES)
                        .maxSignalDuration(SecurityMonitoringRuleMaxSignalDuration.TEN_MINUTES)
                        .sequenceDetectionOptions(
                            new SecurityMonitoringRuleSequenceDetectionOptions()
                                .stepTransitions(
                                    Collections.singletonList(
                                        new SecurityMonitoringRuleSequenceDetectionStepTransition()
                                            .child("step_b")
                                            .evaluationWindow(
                                                SecurityMonitoringRuleEvaluationWindow
                                                    .FIFTEEN_MINUTES)
                                            .parent("step_a")))
                                .steps(
                                    Arrays.asList(
                                        new SecurityMonitoringRuleSequenceDetectionStep()
                                            .condition("a > 0")
                                            .evaluationWindow(
                                                SecurityMonitoringRuleEvaluationWindow.ONE_MINUTE)
                                            .name("step_a"),
                                        new SecurityMonitoringRuleSequenceDetectionStep()
                                            .condition("b > 0")
                                            .evaluationWindow(
                                                SecurityMonitoringRuleEvaluationWindow.ONE_MINUTE)
                                            .name("step_b"))))));

    try {
      SecurityMonitoringRuleResponse result = apiInstance.createSecurityMonitoringRule(body);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#createSecurityMonitoringRule");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

    Instructions

    First install the library and its dependencies and then save the example to Example.java and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"
    """
Create a cloud_configuration rule returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.cloud_configuration_compliance_rule_options import (
    CloudConfigurationComplianceRuleOptions,
)
from datadog_api_client.v2.model.cloud_configuration_rego_rule import CloudConfigurationRegoRule
from datadog_api_client.v2.model.cloud_configuration_rule_case_create import CloudConfigurationRuleCaseCreate
from datadog_api_client.v2.model.cloud_configuration_rule_compliance_signal_options import (
    CloudConfigurationRuleComplianceSignalOptions,
)
from datadog_api_client.v2.model.cloud_configuration_rule_create_payload import CloudConfigurationRuleCreatePayload
from datadog_api_client.v2.model.cloud_configuration_rule_options import CloudConfigurationRuleOptions
from datadog_api_client.v2.model.cloud_configuration_rule_type import CloudConfigurationRuleType
from datadog_api_client.v2.model.security_monitoring_filter import SecurityMonitoringFilter
from datadog_api_client.v2.model.security_monitoring_filter_action import SecurityMonitoringFilterAction
from datadog_api_client.v2.model.security_monitoring_rule_severity import SecurityMonitoringRuleSeverity

body = CloudConfigurationRuleCreatePayload(
    type=CloudConfigurationRuleType.CLOUD_CONFIGURATION,
    name="Example-Security-Monitoring_cloud",
    is_enabled=False,
    cases=[
        CloudConfigurationRuleCaseCreate(
            status=SecurityMonitoringRuleSeverity.INFO,
            notifications=[
                "channel",
            ],
        ),
    ],
    options=CloudConfigurationRuleOptions(
        compliance_rule_options=CloudConfigurationComplianceRuleOptions(
            resource_type="gcp_compute_disk",
            complex_rule=False,
            rego_rule=CloudConfigurationRegoRule(
                policy='package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nmilliseconds_in_a_day := ((1000 * 60) * 60) * 24\n\neval(iam_service_account_key) = "skip" if {\n\tiam_service_account_key.disabled\n} else = "pass" if {\n\t(iam_service_account_key.resource_seen_at / milliseconds_in_a_day) - (iam_service_account_key.valid_after_time / milliseconds_in_a_day) <= 90\n} else = "fail"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n',
                resource_types=[
                    "gcp_compute_disk",
                ],
            ),
        ),
    ),
    message="ddd",
    tags=[
        "my:tag",
    ],
    compliance_signal_options=CloudConfigurationRuleComplianceSignalOptions(
        user_activation_status=True,
        user_group_by_fields=[
            "@account_id",
        ],
    ),
    filters=[
        SecurityMonitoringFilter(
            action=SecurityMonitoringFilterAction.REQUIRE,
            query="resource_id:helo*",
        ),
        SecurityMonitoringFilter(
            action=SecurityMonitoringFilterAction.SUPPRESS,
            query="control:helo*",
        ),
    ],
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.create_security_monitoring_rule(body=body)

    print(response)

    """
Create a detection rule returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.security_monitoring_reference_table import SecurityMonitoringReferenceTable
from datadog_api_client.v2.model.security_monitoring_rule_case_create import SecurityMonitoringRuleCaseCreate
from datadog_api_client.v2.model.security_monitoring_rule_evaluation_window import (
    SecurityMonitoringRuleEvaluationWindow,
)
from datadog_api_client.v2.model.security_monitoring_rule_keep_alive import SecurityMonitoringRuleKeepAlive
from datadog_api_client.v2.model.security_monitoring_rule_max_signal_duration import (
    SecurityMonitoringRuleMaxSignalDuration,
)
from datadog_api_client.v2.model.security_monitoring_rule_options import SecurityMonitoringRuleOptions
from datadog_api_client.v2.model.security_monitoring_rule_query_aggregation import (
    SecurityMonitoringRuleQueryAggregation,
)
from datadog_api_client.v2.model.security_monitoring_rule_severity import SecurityMonitoringRuleSeverity
from datadog_api_client.v2.model.security_monitoring_rule_type_create import SecurityMonitoringRuleTypeCreate
from datadog_api_client.v2.model.security_monitoring_standard_rule_create_payload import (
    SecurityMonitoringStandardRuleCreatePayload,
)
from datadog_api_client.v2.model.security_monitoring_standard_rule_query import SecurityMonitoringStandardRuleQuery

body = SecurityMonitoringStandardRuleCreatePayload(
    name="Example-Security-Monitoring",
    queries=[
        SecurityMonitoringStandardRuleQuery(
            query="@test:true",
            aggregation=SecurityMonitoringRuleQueryAggregation.COUNT,
            group_by_fields=[],
            distinct_fields=[],
            metric="",
        ),
    ],
    filters=[],
    cases=[
        SecurityMonitoringRuleCaseCreate(
            name="",
            status=SecurityMonitoringRuleSeverity.INFO,
            condition="a > 0",
            notifications=[],
        ),
    ],
    options=SecurityMonitoringRuleOptions(
        evaluation_window=SecurityMonitoringRuleEvaluationWindow.FIFTEEN_MINUTES,
        keep_alive=SecurityMonitoringRuleKeepAlive.ONE_HOUR,
        max_signal_duration=SecurityMonitoringRuleMaxSignalDuration.ONE_DAY,
    ),
    message="Test rule",
    tags=[],
    is_enabled=True,
    type=SecurityMonitoringRuleTypeCreate.LOG_DETECTION,
    reference_tables=[
        SecurityMonitoringReferenceTable(
            table_name="synthetics_test_reference_table_dont_delete",
            column_name="value",
            log_field_path="testtag",
            check_presence=True,
            rule_query_name="a",
        ),
    ],
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.create_security_monitoring_rule(body=body)

    print(response)

    """
Create a detection rule with detection method 'sequence_detection' returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.security_monitoring_rule_case_create import SecurityMonitoringRuleCaseCreate
from datadog_api_client.v2.model.security_monitoring_rule_detection_method import SecurityMonitoringRuleDetectionMethod
from datadog_api_client.v2.model.security_monitoring_rule_evaluation_window import (
    SecurityMonitoringRuleEvaluationWindow,
)
from datadog_api_client.v2.model.security_monitoring_rule_keep_alive import SecurityMonitoringRuleKeepAlive
from datadog_api_client.v2.model.security_monitoring_rule_max_signal_duration import (
    SecurityMonitoringRuleMaxSignalDuration,
)
from datadog_api_client.v2.model.security_monitoring_rule_options import SecurityMonitoringRuleOptions
from datadog_api_client.v2.model.security_monitoring_rule_query_aggregation import (
    SecurityMonitoringRuleQueryAggregation,
)
from datadog_api_client.v2.model.security_monitoring_rule_sequence_detection_options import (
    SecurityMonitoringRuleSequenceDetectionOptions,
)
from datadog_api_client.v2.model.security_monitoring_rule_sequence_detection_step import (
    SecurityMonitoringRuleSequenceDetectionStep,
)
from datadog_api_client.v2.model.security_monitoring_rule_sequence_detection_step_transition import (
    SecurityMonitoringRuleSequenceDetectionStepTransition,
)
from datadog_api_client.v2.model.security_monitoring_rule_severity import SecurityMonitoringRuleSeverity
from datadog_api_client.v2.model.security_monitoring_rule_type_create import SecurityMonitoringRuleTypeCreate
from datadog_api_client.v2.model.security_monitoring_standard_data_source import SecurityMonitoringStandardDataSource
from datadog_api_client.v2.model.security_monitoring_standard_rule_create_payload import (
    SecurityMonitoringStandardRuleCreatePayload,
)
from datadog_api_client.v2.model.security_monitoring_standard_rule_query import SecurityMonitoringStandardRuleQuery

body = SecurityMonitoringStandardRuleCreatePayload(
    name="Example-Security-Monitoring",
    type=SecurityMonitoringRuleTypeCreate.LOG_DETECTION,
    is_enabled=True,
    queries=[
        SecurityMonitoringStandardRuleQuery(
            aggregation=SecurityMonitoringRuleQueryAggregation.COUNT,
            data_source=SecurityMonitoringStandardDataSource.LOGS,
            distinct_fields=[],
            group_by_fields=[],
            has_optional_group_by_fields=False,
            name="",
            query="service:logs-rule-reducer source:paul test2",
        ),
        SecurityMonitoringStandardRuleQuery(
            aggregation=SecurityMonitoringRuleQueryAggregation.COUNT,
            data_source=SecurityMonitoringStandardDataSource.LOGS,
            distinct_fields=[],
            group_by_fields=[],
            has_optional_group_by_fields=False,
            name="",
            query="service:logs-rule-reducer source:paul test1",
        ),
    ],
    cases=[
        SecurityMonitoringRuleCaseCreate(
            name="",
            status=SecurityMonitoringRuleSeverity.INFO,
            notifications=[],
            condition="step_b > 0",
        ),
    ],
    message="Logs and signals asdf",
    options=SecurityMonitoringRuleOptions(
        detection_method=SecurityMonitoringRuleDetectionMethod.SEQUENCE_DETECTION,
        evaluation_window=SecurityMonitoringRuleEvaluationWindow.ZERO_MINUTES,
        keep_alive=SecurityMonitoringRuleKeepAlive.FIVE_MINUTES,
        max_signal_duration=SecurityMonitoringRuleMaxSignalDuration.TEN_MINUTES,
        sequence_detection_options=SecurityMonitoringRuleSequenceDetectionOptions(
            step_transitions=[
                SecurityMonitoringRuleSequenceDetectionStepTransition(
                    child="step_b",
                    evaluation_window=SecurityMonitoringRuleEvaluationWindow.FIFTEEN_MINUTES,
                    parent="step_a",
                ),
            ],
            steps=[
                SecurityMonitoringRuleSequenceDetectionStep(
                    condition="a > 0",
                    evaluation_window=SecurityMonitoringRuleEvaluationWindow.ONE_MINUTE,
                    name="step_a",
                ),
                SecurityMonitoringRuleSequenceDetectionStep(
                    condition="b > 0",
                    evaluation_window=SecurityMonitoringRuleEvaluationWindow.ONE_MINUTE,
                    name="step_b",
                ),
            ],
        ),
    ),
    tags=[],
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.create_security_monitoring_rule(body=body)

    print(response)

    Instructions

    First install the library and its dependencies and then save the example to example.py and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
    # Create a cloud_configuration rule returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

body = DatadogAPIClient::V2::CloudConfigurationRuleCreatePayload.new({
  type: DatadogAPIClient::V2::CloudConfigurationRuleType::CLOUD_CONFIGURATION,
  name: "Example-Security-Monitoring_cloud",
  is_enabled: false,
  cases: [
    DatadogAPIClient::V2::CloudConfigurationRuleCaseCreate.new({
      status: DatadogAPIClient::V2::SecurityMonitoringRuleSeverity::INFO,
      notifications: [
        "channel",
      ],
    }),
  ],
  options: DatadogAPIClient::V2::CloudConfigurationRuleOptions.new({
    compliance_rule_options: DatadogAPIClient::V2::CloudConfigurationComplianceRuleOptions.new({
      resource_type: "gcp_compute_disk",
      complex_rule: false,
      rego_rule: DatadogAPIClient::V2::CloudConfigurationRegoRule.new({
        policy: 'package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nmilliseconds_in_a_day := ((1000 * 60) * 60) * 24\n\neval(iam_service_account_key) = "skip" if {\n\tiam_service_account_key.disabled\n} else = "pass" if {\n\t(iam_service_account_key.resource_seen_at / milliseconds_in_a_day) - (iam_service_account_key.valid_after_time / milliseconds_in_a_day) <= 90\n} else = "fail"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n',
        resource_types: [
          "gcp_compute_disk",
        ],
      }),
    }),
  }),
  message: "ddd",
  tags: [
    "my:tag",
  ],
  compliance_signal_options: DatadogAPIClient::V2::CloudConfigurationRuleComplianceSignalOptions.new({
    user_activation_status: true,
    user_group_by_fields: [
      "@account_id",
    ],
  }),
  filters: [
    DatadogAPIClient::V2::SecurityMonitoringFilter.new({
      action: DatadogAPIClient::V2::SecurityMonitoringFilterAction::REQUIRE,
      query: "resource_id:helo*",
    }),
    DatadogAPIClient::V2::SecurityMonitoringFilter.new({
      action: DatadogAPIClient::V2::SecurityMonitoringFilterAction::SUPPRESS,
      query: "control:helo*",
    }),
  ],
})
p api_instance.create_security_monitoring_rule(body)

    # Create a detection rule returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

body = DatadogAPIClient::V2::SecurityMonitoringStandardRuleCreatePayload.new({
  name: "Example-Security-Monitoring",
  queries: [
    DatadogAPIClient::V2::SecurityMonitoringStandardRuleQuery.new({
      query: "@test:true",
      aggregation: DatadogAPIClient::V2::SecurityMonitoringRuleQueryAggregation::COUNT,
      group_by_fields: [],
      distinct_fields: [],
      metric: "",
    }),
  ],
  filters: [],
  cases: [
    DatadogAPIClient::V2::SecurityMonitoringRuleCaseCreate.new({
      name: "",
      status: DatadogAPIClient::V2::SecurityMonitoringRuleSeverity::INFO,
      condition: "a > 0",
      notifications: [],
    }),
  ],
  options: DatadogAPIClient::V2::SecurityMonitoringRuleOptions.new({
    evaluation_window: DatadogAPIClient::V2::SecurityMonitoringRuleEvaluationWindow::FIFTEEN_MINUTES,
    keep_alive: DatadogAPIClient::V2::SecurityMonitoringRuleKeepAlive::ONE_HOUR,
    max_signal_duration: DatadogAPIClient::V2::SecurityMonitoringRuleMaxSignalDuration::ONE_DAY,
  }),
  message: "Test rule",
  tags: [],
  is_enabled: true,
  type: DatadogAPIClient::V2::SecurityMonitoringRuleTypeCreate::LOG_DETECTION,
  reference_tables: [
    DatadogAPIClient::V2::SecurityMonitoringReferenceTable.new({
      table_name: "synthetics_test_reference_table_dont_delete",
      column_name: "value",
      log_field_path: "testtag",
      check_presence: true,
      rule_query_name: "a",
    }),
  ],
})
p api_instance.create_security_monitoring_rule(body)

    # Create a detection rule with detection method 'sequence_detection' returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

body = DatadogAPIClient::V2::SecurityMonitoringStandardRuleCreatePayload.new({
  name: "Example-Security-Monitoring",
  type: DatadogAPIClient::V2::SecurityMonitoringRuleTypeCreate::LOG_DETECTION,
  is_enabled: true,
  queries: [
    DatadogAPIClient::V2::SecurityMonitoringStandardRuleQuery.new({
      aggregation: DatadogAPIClient::V2::SecurityMonitoringRuleQueryAggregation::COUNT,
      data_source: DatadogAPIClient::V2::SecurityMonitoringStandardDataSource::LOGS,
      distinct_fields: [],
      group_by_fields: [],
      has_optional_group_by_fields: false,
      name: "",
      query: "service:logs-rule-reducer source:paul test2",
    }),
    DatadogAPIClient::V2::SecurityMonitoringStandardRuleQuery.new({
      aggregation: DatadogAPIClient::V2::SecurityMonitoringRuleQueryAggregation::COUNT,
      data_source: DatadogAPIClient::V2::SecurityMonitoringStandardDataSource::LOGS,
      distinct_fields: [],
      group_by_fields: [],
      has_optional_group_by_fields: false,
      name: "",
      query: "service:logs-rule-reducer source:paul test1",
    }),
  ],
  cases: [
    DatadogAPIClient::V2::SecurityMonitoringRuleCaseCreate.new({
      name: "",
      status: DatadogAPIClient::V2::SecurityMonitoringRuleSeverity::INFO,
      notifications: [],
      condition: "step_b > 0",
    }),
  ],
  message: "Logs and signals asdf",
  options: DatadogAPIClient::V2::SecurityMonitoringRuleOptions.new({
    detection_method: DatadogAPIClient::V2::SecurityMonitoringRuleDetectionMethod::SEQUENCE_DETECTION,
    evaluation_window: DatadogAPIClient::V2::SecurityMonitoringRuleEvaluationWindow::ZERO_MINUTES,
    keep_alive: DatadogAPIClient::V2::SecurityMonitoringRuleKeepAlive::FIVE_MINUTES,
    max_signal_duration: DatadogAPIClient::V2::SecurityMonitoringRuleMaxSignalDuration::TEN_MINUTES,
    sequence_detection_options: DatadogAPIClient::V2::SecurityMonitoringRuleSequenceDetectionOptions.new({
      step_transitions: [
        DatadogAPIClient::V2::SecurityMonitoringRuleSequenceDetectionStepTransition.new({
          child: "step_b",
          evaluation_window: DatadogAPIClient::V2::SecurityMonitoringRuleEvaluationWindow::FIFTEEN_MINUTES,
          parent: "step_a",
        }),
      ],
      steps: [
        DatadogAPIClient::V2::SecurityMonitoringRuleSequenceDetectionStep.new({
          condition: "a > 0",
          evaluation_window: DatadogAPIClient::V2::SecurityMonitoringRuleEvaluationWindow::ONE_MINUTE,
          name: "step_a",
        }),
        DatadogAPIClient::V2::SecurityMonitoringRuleSequenceDetectionStep.new({
          condition: "b > 0",
          evaluation_window: DatadogAPIClient::V2::SecurityMonitoringRuleEvaluationWindow::ONE_MINUTE,
          name: "step_b",
        }),
      ],
    }),
  }),
  tags: [],
})
p api_instance.create_security_monitoring_rule(body)

    Instructions

    First install the library and its dependencies and then save the example to example.rb and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" rb "example.rb"
    // Create a cloud_configuration rule returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::CloudConfigurationComplianceRuleOptions;
use datadog_api_client::datadogV2::model::CloudConfigurationRegoRule;
use datadog_api_client::datadogV2::model::CloudConfigurationRuleCaseCreate;
use datadog_api_client::datadogV2::model::CloudConfigurationRuleComplianceSignalOptions;
use datadog_api_client::datadogV2::model::CloudConfigurationRuleCreatePayload;
use datadog_api_client::datadogV2::model::CloudConfigurationRuleOptions;
use datadog_api_client::datadogV2::model::CloudConfigurationRuleType;
use datadog_api_client::datadogV2::model::SecurityMonitoringFilter;
use datadog_api_client::datadogV2::model::SecurityMonitoringFilterAction;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleCreatePayload;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleSeverity;

#[tokio::main]
async fn main() {
    let body =
        SecurityMonitoringRuleCreatePayload::CloudConfigurationRuleCreatePayload(
            Box::new(
                CloudConfigurationRuleCreatePayload::new(
                    vec![
                        CloudConfigurationRuleCaseCreate::new(
                            SecurityMonitoringRuleSeverity::INFO,
                        ).notifications(vec!["channel".to_string()])
                    ],
                    CloudConfigurationRuleComplianceSignalOptions::new()
                        .user_activation_status(Some(true))
                        .user_group_by_fields(Some(vec!["@account_id".to_string()])),
                    false,
                    "ddd".to_string(),
                    "Example-Security-Monitoring_cloud".to_string(),
                    CloudConfigurationRuleOptions::new(
                        CloudConfigurationComplianceRuleOptions::new()
                            .complex_rule(false)
                            .rego_rule(
                                CloudConfigurationRegoRule::new(
                                    r#"package datadog

import data.datadog.output as dd_output

import future.keywords.contains
import future.keywords.if
import future.keywords.in

milliseconds_in_a_day := ((1000 * 60) * 60) * 24

eval(iam_service_account_key) = "skip" if {
	iam_service_account_key.disabled
} else = "pass" if {
	(iam_service_account_key.resource_seen_at / milliseconds_in_a_day) - (iam_service_account_key.valid_after_time / milliseconds_in_a_day) <= 90
} else = "fail"

# This part remains unchanged for all rules
results contains result if {
	some resource in input.resources[input.main_resource_type]
	result := dd_output.format(resource, eval(resource))
}
"#.to_string(),
                                    vec!["gcp_compute_disk".to_string()],
                                ),
                            )
                            .resource_type("gcp_compute_disk".to_string()),
                    ),
                )
                    .filters(
                        vec![
                            SecurityMonitoringFilter::new()
                                .action(SecurityMonitoringFilterAction::REQUIRE)
                                .query("resource_id:helo*".to_string()),
                            SecurityMonitoringFilter::new()
                                .action(SecurityMonitoringFilterAction::SUPPRESS)
                                .query("control:helo*".to_string())
                        ],
                    )
                    .tags(vec!["my:tag".to_string()])
                    .type_(CloudConfigurationRuleType::CLOUD_CONFIGURATION),
            ),
        );
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api.create_security_monitoring_rule(body).await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}

    // Create a detection rule returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::SecurityMonitoringReferenceTable;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleCaseCreate;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleCreatePayload;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleEvaluationWindow;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleKeepAlive;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleMaxSignalDuration;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleOptions;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleQueryAggregation;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleSeverity;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleTypeCreate;
use datadog_api_client::datadogV2::model::SecurityMonitoringStandardRuleCreatePayload;
use datadog_api_client::datadogV2::model::SecurityMonitoringStandardRuleQuery;

#[tokio::main]
async fn main() {
    let body =
        SecurityMonitoringRuleCreatePayload::SecurityMonitoringStandardRuleCreatePayload(Box::new(
            SecurityMonitoringStandardRuleCreatePayload::new(
                vec![
                    SecurityMonitoringRuleCaseCreate::new(SecurityMonitoringRuleSeverity::INFO)
                        .condition("a > 0".to_string())
                        .name("".to_string())
                        .notifications(vec![]),
                ],
                true,
                "Test rule".to_string(),
                "Example-Security-Monitoring".to_string(),
                SecurityMonitoringRuleOptions::new()
                    .evaluation_window(SecurityMonitoringRuleEvaluationWindow::FIFTEEN_MINUTES)
                    .keep_alive(SecurityMonitoringRuleKeepAlive::ONE_HOUR)
                    .max_signal_duration(SecurityMonitoringRuleMaxSignalDuration::ONE_DAY),
                vec![SecurityMonitoringStandardRuleQuery::new()
                    .aggregation(SecurityMonitoringRuleQueryAggregation::COUNT)
                    .distinct_fields(vec![])
                    .group_by_fields(vec![])
                    .metric("".to_string())
                    .query("@test:true".to_string())],
            )
            .filters(vec![])
            .reference_tables(vec![SecurityMonitoringReferenceTable::new()
                .check_presence(true)
                .column_name("value".to_string())
                .log_field_path("testtag".to_string())
                .rule_query_name("a".to_string())
                .table_name("synthetics_test_reference_table_dont_delete".to_string())])
            .tags(vec![])
            .type_(SecurityMonitoringRuleTypeCreate::LOG_DETECTION),
        ));
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api.create_security_monitoring_rule(body).await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}

    // Create a detection rule with detection method 'sequence_detection' returns "OK"
// response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleCaseCreate;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleCreatePayload;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleDetectionMethod;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleEvaluationWindow;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleKeepAlive;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleMaxSignalDuration;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleOptions;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleQueryAggregation;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleSequenceDetectionOptions;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleSequenceDetectionStep;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleSequenceDetectionStepTransition;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleSeverity;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleTypeCreate;
use datadog_api_client::datadogV2::model::SecurityMonitoringStandardDataSource;
use datadog_api_client::datadogV2::model::SecurityMonitoringStandardRuleCreatePayload;
use datadog_api_client::datadogV2::model::SecurityMonitoringStandardRuleQuery;

#[tokio::main]
async fn main() {
    let body =
        SecurityMonitoringRuleCreatePayload::SecurityMonitoringStandardRuleCreatePayload(Box::new(
            SecurityMonitoringStandardRuleCreatePayload::new(
                vec![
                    SecurityMonitoringRuleCaseCreate::new(SecurityMonitoringRuleSeverity::INFO)
                        .condition("step_b > 0".to_string())
                        .name("".to_string())
                        .notifications(vec![]),
                ],
                true,
                "Logs and signals asdf".to_string(),
                "Example-Security-Monitoring".to_string(),
                SecurityMonitoringRuleOptions::new()
                    .detection_method(SecurityMonitoringRuleDetectionMethod::SEQUENCE_DETECTION)
                    .evaluation_window(SecurityMonitoringRuleEvaluationWindow::ZERO_MINUTES)
                    .keep_alive(SecurityMonitoringRuleKeepAlive::FIVE_MINUTES)
                    .max_signal_duration(SecurityMonitoringRuleMaxSignalDuration::TEN_MINUTES)
                    .sequence_detection_options(
                        SecurityMonitoringRuleSequenceDetectionOptions::new()
                            .step_transitions(vec![
                                SecurityMonitoringRuleSequenceDetectionStepTransition::new()
                                    .child("step_b".to_string())
                                    .evaluation_window(
                                        SecurityMonitoringRuleEvaluationWindow::FIFTEEN_MINUTES,
                                    )
                                    .parent("step_a".to_string()),
                            ])
                            .steps(vec![
                                SecurityMonitoringRuleSequenceDetectionStep::new()
                                    .condition("a > 0".to_string())
                                    .evaluation_window(
                                        SecurityMonitoringRuleEvaluationWindow::ONE_MINUTE,
                                    )
                                    .name("step_a".to_string()),
                                SecurityMonitoringRuleSequenceDetectionStep::new()
                                    .condition("b > 0".to_string())
                                    .evaluation_window(
                                        SecurityMonitoringRuleEvaluationWindow::ONE_MINUTE,
                                    )
                                    .name("step_b".to_string()),
                            ]),
                    ),
                vec![
                    SecurityMonitoringStandardRuleQuery::new()
                        .aggregation(SecurityMonitoringRuleQueryAggregation::COUNT)
                        .data_source(SecurityMonitoringStandardDataSource::LOGS)
                        .distinct_fields(vec![])
                        .group_by_fields(vec![])
                        .has_optional_group_by_fields(false)
                        .name("".to_string())
                        .query("service:logs-rule-reducer source:paul test2".to_string()),
                    SecurityMonitoringStandardRuleQuery::new()
                        .aggregation(SecurityMonitoringRuleQueryAggregation::COUNT)
                        .data_source(SecurityMonitoringStandardDataSource::LOGS)
                        .distinct_fields(vec![])
                        .group_by_fields(vec![])
                        .has_optional_group_by_fields(false)
                        .name("".to_string())
                        .query("service:logs-rule-reducer source:paul test1".to_string()),
                ],
            )
            .tags(vec![])
            .type_(SecurityMonitoringRuleTypeCreate::LOG_DETECTION),
        ));
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api.create_security_monitoring_rule(body).await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}

    Instructions

    First install the library and its dependencies and then save the example to src/main.rs and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run
    /**
 * Create a cloud_configuration rule returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiCreateSecurityMonitoringRuleRequest = {
  body: {
    type: "cloud_configuration",
    name: "Example-Security-Monitoring_cloud",
    isEnabled: false,
    cases: [
      {
        status: "info",
        notifications: ["channel"],
      },
    ],
    options: {
      complianceRuleOptions: {
        resourceType: "gcp_compute_disk",
        complexRule: false,
        regoRule: {
          policy: `package datadog

import data.datadog.output as dd_output

import future.keywords.contains
import future.keywords.if
import future.keywords.in

milliseconds_in_a_day := ((1000 * 60) * 60) * 24

eval(iam_service_account_key) = "skip" if {
	iam_service_account_key.disabled
} else = "pass" if {
	(iam_service_account_key.resource_seen_at / milliseconds_in_a_day) - (iam_service_account_key.valid_after_time / milliseconds_in_a_day) <= 90
} else = "fail"

# This part remains unchanged for all rules
results contains result if {
	some resource in input.resources[input.main_resource_type]
	result := dd_output.format(resource, eval(resource))
}
`,
          resourceTypes: ["gcp_compute_disk"],
        },
      },
    },
    message: "ddd",
    tags: ["my:tag"],
    complianceSignalOptions: {
      userActivationStatus: true,
      userGroupByFields: ["@account_id"],
    },
    filters: [
      {
        action: "require",
        query: "resource_id:helo*",
      },
      {
        action: "suppress",
        query: "control:helo*",
      },
    ],
  },
};

apiInstance
  .createSecurityMonitoringRule(params)
  .then((data: v2.SecurityMonitoringRuleResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

    /**
 * Create a detection rule returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiCreateSecurityMonitoringRuleRequest = {
  body: {
    name: "Example-Security-Monitoring",
    queries: [
      {
        query: "@test:true",
        aggregation: "count",
        groupByFields: [],
        distinctFields: [],
        metric: "",
      },
    ],
    filters: [],
    cases: [
      {
        name: "",
        status: "info",
        condition: "a > 0",
        notifications: [],
      },
    ],
    options: {
      evaluationWindow: 900,
      keepAlive: 3600,
      maxSignalDuration: 86400,
    },
    message: "Test rule",
    tags: [],
    isEnabled: true,
    type: "log_detection",
    referenceTables: [
      {
        tableName: "synthetics_test_reference_table_dont_delete",
        columnName: "value",
        logFieldPath: "testtag",
        checkPresence: true,
        ruleQueryName: "a",
      },
    ],
  },
};

apiInstance
  .createSecurityMonitoringRule(params)
  .then((data: v2.SecurityMonitoringRuleResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

    /**
 * Create a detection rule with detection method 'sequence_detection' returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiCreateSecurityMonitoringRuleRequest = {
  body: {
    name: "Example-Security-Monitoring",
    type: "log_detection",
    isEnabled: true,
    queries: [
      {
        aggregation: "count",
        dataSource: "logs",
        distinctFields: [],
        groupByFields: [],
        hasOptionalGroupByFields: false,
        name: "",
        query: "service:logs-rule-reducer source:paul test2",
      },
      {
        aggregation: "count",
        dataSource: "logs",
        distinctFields: [],
        groupByFields: [],
        hasOptionalGroupByFields: false,
        name: "",
        query: "service:logs-rule-reducer source:paul test1",
      },
    ],
    cases: [
      {
        name: "",
        status: "info",
        notifications: [],
        condition: "step_b > 0",
      },
    ],
    message: "Logs and signals asdf",
    options: {
      detectionMethod: "sequence_detection",
      evaluationWindow: 0,
      keepAlive: 300,
      maxSignalDuration: 600,
      sequenceDetectionOptions: {
        stepTransitions: [
          {
            child: "step_b",
            evaluationWindow: 900,
            parent: "step_a",
          },
        ],
        steps: [
          {
            condition: "a > 0",
            evaluationWindow: 60,
            name: "step_a",
          },
          {
            condition: "b > 0",
            evaluationWindow: 60,
            name: "step_b",
          },
        ],
      },
    },
    tags: [],
  },
};

apiInstance
  .createSecurityMonitoringRule(params)
  .then((data: v2.SecurityMonitoringRuleResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

    Instructions

    First install the library and its dependencies and then save the example to example.ts and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"

    Delete a custom framework

    DELETE https://api.ap1.datadoghq.com/api/v2/cloud_security_management/custom_frameworks/{handle}/{version}https://api.ap2.datadoghq.com/api/v2/cloud_security_management/custom_frameworks/{handle}/{version}https://api.datadoghq.eu/api/v2/cloud_security_management/custom_frameworks/{handle}/{version}https://api.ddog-gov.com/api/v2/cloud_security_management/custom_frameworks/{handle}/{version}https://api.datadoghq.com/api/v2/cloud_security_management/custom_frameworks/{handle}/{version}https://api.us3.datadoghq.com/api/v2/cloud_security_management/custom_frameworks/{handle}/{version}https://api.us5.datadoghq.com/api/v2/cloud_security_management/custom_frameworks/{handle}/{version}

    Overview

    Delete a custom framework. This endpoint requires all of the following permissions:

  • security_monitoring_rules_read
  • security_monitoring_rules_write

    • OAuth apps require the security_monitoring_rules_read, security_monitoring_rules_write authorization scope to access this endpoint.

    Arguments

    Path Parameters

    Name

    Type

    Description

    handle [required]

    string

    The framework handle

    version [required]

    string

    The framework version

    Response

    OK

    Response object to delete a custom framework.

    Expand All

    Field

    Type

    Description

    data [required]

    object

    Metadata for custom frameworks.

    attributes

    object

    Framework without requirements.

    description

    string

    Framework Description

    handle [required]

    string

    Framework Handle

    icon_url

    string

    Framework Icon URL

    name [required]

    string

    Framework Name

    version [required]

    string

    Framework Version

    id

    string

    The ID of the custom framework.

    type

    enum

    The type of the resource. The value must be custom_framework. Allowed enum values: custom_framework

    default: custom_framework

    {
  "data": {
    "attributes": {
      "description": "this is a security description",
      "handle": "sec2",
      "icon_url": "https://example.com/icon.png",
      "name": "security-framework",
      "version": "2"
    },
    "id": "handle-version",
    "type": "custom_framework"
  }
}

    Bad Request

    API error response.

    Expand All

    Field

    Type

    Description

    errors [required]

    [string]

    A list of errors.

    {
  "errors": [
    "Bad Request"
  ]
}

    Too many requests

    API error response.

    Expand All

    Field

    Type

    Description

    errors [required]

    [string]

    A list of errors.

    {
  "errors": [
    "Bad Request"
  ]
}

    Bad Request

    API error response.

    Expand All

    Field

    Type

    Description

    errors [required]

    [string]

    A list of errors.

    {
  "errors": [
    "Bad Request"
  ]
}

    Code Example

                      # Path parameters
    export handle="CHANGE_ME"
    export version="CHANGE_ME"
    # Curl command
    curl -X DELETE "https://api.ap1.datadoghq.com"https://api.ap2.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/cloud_security_management/custom_frameworks/${handle}/${version}" \
-H "Accept: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"
    
                
    """
Delete a custom framework returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.delete_custom_framework(
        handle="create-framework-new",
        version="10",
    )

    print(response)

    Instructions

    First install the library and its dependencies and then save the example to example.py and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
    # Delete a custom framework returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new
p api_instance.delete_custom_framework("create-framework-new", "10")

    Instructions

    First install the library and its dependencies and then save the example to example.rb and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" rb "example.rb"
    // Delete a custom framework returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.DeleteCustomFramework(ctx, "create-framework-new", "10")

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.DeleteCustomFramework`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.DeleteCustomFramework`:\n%s\n", responseContent)
}

    Instructions

    First install the library and its dependencies and then save the example to main.go and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
    // Delete a custom framework returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.DeleteCustomFrameworkResponse;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    try {
      DeleteCustomFrameworkResponse result =
          apiInstance.deleteCustomFramework("create-framework-new", "10");
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println("Exception when calling SecurityMonitoringApi#deleteCustomFramework");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

    Instructions

    First install the library and its dependencies and then save the example to Example.java and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"
    // Delete a custom framework returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;

#[tokio::main]
async fn main() {
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api
        .delete_custom_framework("create-framework-new".to_string(), "10".to_string())
        .await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}

    Instructions

    First install the library and its dependencies and then save the example to src/main.rs and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run
    /**
 * Delete a custom framework returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiDeleteCustomFrameworkRequest = {
  handle: "create-framework-new",
  version: "10",
};

apiInstance
  .deleteCustomFramework(params)
  .then((data: v2.DeleteCustomFrameworkResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

    Instructions

    First install the library and its dependencies and then save the example to example.ts and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"

    Get a custom framework

    GET https://api.ap1.datadoghq.com/api/v2/cloud_security_management/custom_frameworks/{handle}/{version}https://api.ap2.datadoghq.com/api/v2/cloud_security_management/custom_frameworks/{handle}/{version}https://api.datadoghq.eu/api/v2/cloud_security_management/custom_frameworks/{handle}/{version}https://api.ddog-gov.com/api/v2/cloud_security_management/custom_frameworks/{handle}/{version}https://api.datadoghq.com/api/v2/cloud_security_management/custom_frameworks/{handle}/{version}https://api.us3.datadoghq.com/api/v2/cloud_security_management/custom_frameworks/{handle}/{version}https://api.us5.datadoghq.com/api/v2/cloud_security_management/custom_frameworks/{handle}/{version}

    Overview

    Get a custom framework. This endpoint requires the security_monitoring_rules_read permission.

    OAuth apps require the security_monitoring_rules_read authorization scope to access this endpoint.

    Arguments

    Path Parameters

    Name

    Type

    Description

    handle [required]

    string

    The framework handle

    version [required]

    string

    The framework version

    Response

    OK

    Response object to get a custom framework.

    Expand All

    Field

    Type

    Description

    data [required]

    object

    Contains type and attributes for custom frameworks.

    attributes [required]

    object

    Full Framework Data Attributes.

    handle [required]

    string

    Framework Handle

    icon_url

    string

    Framework Icon URL

    name [required]

    string

    Framework Name

    requirements [required]

    [object]

    Framework Requirements

    controls [required]

    [object]

    Requirement Controls.

    name [required]

    string

    Control Name.

    rules_id [required]

    [string]

    Rule IDs.

    name [required]

    string

    Requirement Name.

    version [required]

    string

    Framework Version

    id [required]

    string

    The ID of the custom framework.

    type [required]

    enum

    The type of the resource. The value must be custom_framework. Allowed enum values: custom_framework

    default: custom_framework

    {
  "data": {
    "attributes": {
      "handle": "sec2",
      "icon_url": "https://example.com/icon.png",
      "name": "security-framework",
      "requirements": [
        {
          "controls": [
            {
              "name": "A1.2",
              "rules_id": [
                "def-000-abc"
              ]
            }
          ],
          "name": "criteria"
        }
      ],
      "version": "2"
    },
    "id": "handle-version",
    "type": "custom_framework"
  }
}

    Bad Request

    API error response.

    Expand All

    Field

    Type

    Description

    errors [required]

    [string]

    A list of errors.

    {
  "errors": [
    "Bad Request"
  ]
}

    Too many requests

    API error response.

    Expand All

    Field

    Type

    Description

    errors [required]

    [string]

    A list of errors.

    {
  "errors": [
    "Bad Request"
  ]
}

    Bad Request

    API error response.

    Expand All

    Field

    Type

    Description

    errors [required]

    [string]

    A list of errors.

    {
  "errors": [
    "Bad Request"
  ]
}

    Code Example

                      # Path parameters
    export handle="CHANGE_ME"
    export version="CHANGE_ME"
    # Curl command
    curl -X GET "https://api.ap1.datadoghq.com"https://api.ap2.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/cloud_security_management/custom_frameworks/${handle}/${version}" \
-H "Accept: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"
    
                
    """
Get a custom framework returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.get_custom_framework(
        handle="create-framework-new",
        version="10",
    )

    print(response)

    Instructions

    First install the library and its dependencies and then save the example to example.py and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
    # Get a custom framework returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new
p api_instance.get_custom_framework("create-framework-new", "10")

    Instructions

    First install the library and its dependencies and then save the example to example.rb and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" rb "example.rb"
    // Get a custom framework returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.GetCustomFramework(ctx, "create-framework-new", "10")

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.GetCustomFramework`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.GetCustomFramework`:\n%s\n", responseContent)
}

    Instructions

    First install the library and its dependencies and then save the example to main.go and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
    // Get a custom framework returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.GetCustomFrameworkResponse;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    try {
      GetCustomFrameworkResponse result =
          apiInstance.getCustomFramework("create-framework-new", "10");
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println("Exception when calling SecurityMonitoringApi#getCustomFramework");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

    Instructions

    First install the library and its dependencies and then save the example to Example.java and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"
    // Get a custom framework returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;

#[tokio::main]
async fn main() {
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api
        .get_custom_framework("create-framework-new".to_string(), "10".to_string())
        .await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}

    Instructions

    First install the library and its dependencies and then save the example to src/main.rs and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run
    /**
 * Get a custom framework returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiGetCustomFrameworkRequest = {
  handle: "create-framework-new",
  version: "10",
};

apiInstance
  .getCustomFramework(params)
  .then((data: v2.GetCustomFrameworkResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

    Instructions

    First install the library and its dependencies and then save the example to example.ts and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"

    List rules

    GET https://api.ap1.datadoghq.com/api/v2/security_monitoring/ruleshttps://api.ap2.datadoghq.com/api/v2/security_monitoring/ruleshttps://api.datadoghq.eu/api/v2/security_monitoring/ruleshttps://api.ddog-gov.com/api/v2/security_monitoring/ruleshttps://api.datadoghq.com/api/v2/security_monitoring/ruleshttps://api.us3.datadoghq.com/api/v2/security_monitoring/ruleshttps://api.us5.datadoghq.com/api/v2/security_monitoring/rules

    Overview

    List rules. This endpoint requires the security_monitoring_rules_read permission.

    OAuth apps require the security_monitoring_rules_read authorization scope to access this endpoint.

    Arguments

    Query Strings

    Name

    Type

    Description

    page[size]

    integer

    Size for a given page. The maximum allowed value is 100.

    page[number]

    integer

    Specific page number to return.

    Response

    OK

    List of rules.

    Expand All

    Field

    Type

    Description

    data

    [ <oneOf>]

    Array containing the list of rules.

    Option 1

    object

    Rule.

    calculatedFields

    [object]

    Calculated fields. Only allowed for scheduled rules - in other words, when schedulingOptions is also defined.

    expression [required]

    string

    Expression.

    name [required]

    string

    Field name.

    cases

    [object]

    Cases for generating signals.

    actions

    [object]

    Action to perform for each rule case.

    options

    object

    Options for the rule action

    duration

    int64

    Duration of the action in seconds. 0 indicates no expiration.

    flaggedIPType

    enum

    Used with the case action of type 'flag_ip'. The value specified in this field is applied as a flag to the IP addresses. Allowed enum values: SUSPICIOUS,FLAGGED

    userBehaviorName

    string

    Used with the case action of type 'user_behavior'. The value specified in this field is applied as a risk tag to all users affected by the rule.

    type

    enum

    The action type. Allowed enum values: block_ip,block_user,user_behavior,flag_ip

    condition

    string

    A rule case contains logical operations (>,>=, &&, ||) to determine if a signal should be generated based on the event counts in the previously defined queries.

    customStatus

    enum

    Severity of the Security Signal. Allowed enum values: info,low,medium,high,critical

    name

    string

    Name of the case.

    notifications

    [string]

    Notification targets for each rule case.

    status

    enum

    Severity of the Security Signal. Allowed enum values: info,low,medium,high,critical

    complianceSignalOptions

    object

    How to generate compliance signals. Useful for cloud_configuration rules only.

    defaultActivationStatus

    boolean

    The default activation status.

    defaultGroupByFields

    [string]

    The default group by fields.

    userActivationStatus

    boolean

    Whether signals will be sent.

    userGroupByFields

    [string]

    Fields to use to group findings by when sending signals.

    createdAt

    int64

    When the rule was created, timestamp in milliseconds.

    creationAuthorId

    int64

    User ID of the user who created the rule.

    customMessage

    string

    Custom/Overridden message for generated signals (used in case of Default rule update).

    customName

    string

    Custom/Overridden name of the rule (used in case of Default rule update).

    defaultTags

    [string]

    Default Tags for default rules (included in tags)

    deprecationDate

    int64

    When the rule will be deprecated, timestamp in milliseconds.

    filters

    [object]

    Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules.

    action

    enum

    The type of filtering action. Allowed enum values: require,suppress

    query

    string

    Query for selecting logs to apply the filtering action.

    groupSignalsBy

    [string]

    Additional grouping to perform on top of the existing groups in the query section. Must be a subset of the existing groups.

    hasExtendedTitle

    boolean

    Whether the notifications include the triggering group-by values in their title.

    id

    string

    The ID of the rule.

    isDefault

    boolean

    Whether the rule is included by default.

    isDeleted

    boolean

    Whether the rule has been deleted.

    isEnabled

    boolean

    Whether the rule is enabled.

    message

    string

    Message for generated signals.

    name

    string

    The name of the rule.

    options

    object

    Options.

    complianceRuleOptions

    object

    Options for cloud_configuration rules. Fields resourceType and regoRule are mandatory when managing custom cloud_configuration rules.

    complexRule

    boolean

    Whether the rule is a complex one. Must be set to true if regoRule.resourceTypes contains more than one item. Defaults to false.

    regoRule

    object

    Rule details.

    policy [required]

    string

    The policy written in rego, see: https://www.openpolicyagent.org/docs/latest/policy-language/

    resourceTypes [required]

    [string]

    List of resource types that will be evaluated upon. Must have at least one element.

    resourceType

    string

    Main resource type to be checked by the rule. It should be specified again in regoRule.resourceTypes.

    decreaseCriticalityBasedOnEnv

    boolean

    If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise. The severity is decreased by one level: CRITICAL in production becomes HIGH in non-production, HIGH becomes MEDIUM and so on. INFO remains INFO. The decrement is applied when the environment tag of the signal starts with staging, test or dev.

    detectionMethod

    enum

    The detection method. Allowed enum values: threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold,sequence_detection

    evaluationWindow

    enum

    A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400

    hardcodedEvaluatorType

    enum

    Hardcoded evaluator type. Allowed enum values: log4shell

    impossibleTravelOptions

    object

    Options on impossible travel detection method.

    baselineUserLocations

    boolean

    If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.

    keepAlive

    enum

    Once a signal is generated, the signal will remain "open" if a case is matched at least once within this keep alive window. For third party detection method, this field is not used. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400

    maxSignalDuration

    enum

    A signal will "close" regardless of the query being matched once the time exceeds the maximum duration. This time is calculated from the first seen timestamp. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400

    newValueOptions

    object

    Options on new value detection method.

    forgetAfter

    enum

    The duration in days after which a learned value is forgotten. Allowed enum values: 1,2,7,14,21,28

    learningDuration

    enum

    The duration in days during which values are learned, and after which signals will be generated for values that weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned. Allowed enum values: 0,1,7

    learningMethod

    enum

    The learning method used to determine when signals should be generated for values that weren't learned. Allowed enum values: duration,threshold

    default: duration

    learningThreshold

    enum

    A number of occurrences after which signals will be generated for values that weren't learned. Allowed enum values: 0,1

    sequenceDetectionOptions

    object

    Options on sequence detection method.

    stepTransitions

    [object]

    Transitions defining the allowed order of steps and their evaluation windows.

    child

    string

    Name of the child step.

    evaluationWindow

    enum

    A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400

    parent

    string

    Name of the parent step.

    steps

    [object]

    Steps that define the conditions to be matched in sequence.

    condition

    string

    Condition referencing rule queries (e.g., a > 0).

    evaluationWindow

    enum

    A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400

    name

    string

    Unique name identifying the step.

    thirdPartyRuleOptions

    object

    Options on third party detection method.

    defaultNotifications

    [string]

    Notification targets for the logs that do not correspond to any of the cases.

    defaultStatus

    enum

    Severity of the Security Signal. Allowed enum values: info,low,medium,high,critical

    rootQueries

    [object]

    Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.

    groupByFields

    [string]

    Fields to group by.

    query

    string

    Query to run on logs.

    signalTitleTemplate

    string

    A template for the signal title; if omitted, the title is generated based on the case name.

    queries

    [object]

    Queries for selecting logs which are part of the rule.

    aggregation

    enum

    The aggregation type. Allowed enum values: count,cardinality,sum,max,new_value,geo_data,event_count,none

    customQueryExtension

    string

    Query extension to append to the logs query.

    dataSource

    enum

    Source of events, either logs, audit trail, or Datadog events. Allowed enum values: logs,audit,app_sec_spans,spans,security_runtime,network,events

    default: logs

    distinctFields

    [string]

    Field for which the cardinality is measured. Sent as an array.

    groupByFields

    [string]

    Fields to group by.

    hasOptionalGroupByFields

    boolean

    When false, events without a group-by value are ignored by the rule. When true, events with missing group-by fields are processed with N/A, replacing the missing values.

    index

    string

    This field is currently unstable and might be removed in a minor version upgrade. The index to run the query on, if the dataSource is logs. Only used for scheduled rules - in other words, when the schedulingOptions field is present in the rule payload.

    indexes

    [string]

    List of indexes to query when the dataSource is logs. Only used for scheduled rules, such as when the schedulingOptions field is present in the rule payload.

    metric

    string

    DEPRECATED: (Deprecated) The target field to aggregate over when using the sum or max aggregations. metrics field should be used instead.

    metrics

    [string]

    Group of target fields to aggregate over when using the sum, max, geo data, or new value aggregations. The sum, max, and geo data aggregations only accept one value in this list, whereas the new value aggregation accepts up to five values.

    name

    string

    Name of the query.

    query

    string

    Query to run on logs.

    referenceTables

    [object]

    Reference tables for the rule.

    checkPresence

    boolean

    Whether to include or exclude the matched values.

    columnName

    string

    The name of the column in the reference table.

    logFieldPath

    string

    The field in the log to match against the reference table.

    ruleQueryName

    string

    The name of the query to apply the reference table to.

    tableName

    string

    The name of the reference table.

    schedulingOptions

    object

    Options for scheduled rules. When this field is present, the rule runs based on the schedule. When absent, it runs real-time on ingested logs.

    rrule

    string

    Schedule for the rule queries, written in RRULE syntax. See RFC for syntax reference.

    start

    string

    Start date for the schedule, in ISO 8601 format without timezone.

    timezone

    string

    Time zone of the start date, in the tz database format.

    tags

    [string]

    Tags for generated signals.

    thirdPartyCases

    [object]

    Cases for generating signals from third-party rules. Only available for third-party rules.

    customStatus

    enum

    Severity of the Security Signal. Allowed enum values: info,low,medium,high,critical

    name

    string

    Name of the case.

    notifications

    [string]

    Notification targets for each rule case.

    query

    string

    A query to map a third party event to this case.

    status

    enum

    Severity of the Security Signal. Allowed enum values: info,low,medium,high,critical

    type

    enum

    The rule type. Allowed enum values: log_detection,infrastructure_configuration,workload_security,cloud_configuration,application_security,api_security

    updateAuthorId

    int64

    User ID of the user who updated the rule.

    updatedAt

    int64

    The date the rule was last updated, in milliseconds.

    version

    int64

    The version of the rule.

    Option 2

    object

    Rule.

    cases

    [object]

    Cases for generating signals.

    actions

    [object]

    Action to perform for each rule case.

    options

    object

    Options for the rule action

    duration

    int64

    Duration of the action in seconds. 0 indicates no expiration.

    flaggedIPType

    enum

    Used with the case action of type 'flag_ip'. The value specified in this field is applied as a flag to the IP addresses. Allowed enum values: SUSPICIOUS,FLAGGED

    userBehaviorName

    string

    Used with the case action of type 'user_behavior'. The value specified in this field is applied as a risk tag to all users affected by the rule.

    type

    enum

    The action type. Allowed enum values: block_ip,block_user,user_behavior,flag_ip

    condition

    string

    A rule case contains logical operations (>,>=, &&, ||) to determine if a signal should be generated based on the event counts in the previously defined queries.

    customStatus

    enum

    Severity of the Security Signal. Allowed enum values: info,low,medium,high,critical

    name

    string

    Name of the case.

    notifications

    [string]

    Notification targets for each rule case.

    status

    enum

    Severity of the Security Signal. Allowed enum values: info,low,medium,high,critical

    createdAt

    int64

    When the rule was created, timestamp in milliseconds.

    creationAuthorId

    int64

    User ID of the user who created the rule.

    customMessage

    string

    Custom/Overridden message for generated signals (used in case of Default rule update).

    customName

    string

    Custom/Overridden name of the rule (used in case of Default rule update).

    deprecationDate

    int64

    When the rule will be deprecated, timestamp in milliseconds.

    filters

    [object]

    Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules.

    action

    enum

    The type of filtering action. Allowed enum values: require,suppress

    query

    string

    Query for selecting logs to apply the filtering action.

    hasExtendedTitle

    boolean

    Whether the notifications include the triggering group-by values in their title.

    id

    string

    The ID of the rule.

    isDefault

    boolean

    Whether the rule is included by default.

    isDeleted

    boolean

    Whether the rule has been deleted.

    isEnabled

    boolean

    Whether the rule is enabled.

    message

    string

    Message for generated signals.

    name

    string

    The name of the rule.

    options

    object

    Options.

    complianceRuleOptions

    object

    Options for cloud_configuration rules. Fields resourceType and regoRule are mandatory when managing custom cloud_configuration rules.

    complexRule

    boolean

    Whether the rule is a complex one. Must be set to true if regoRule.resourceTypes contains more than one item. Defaults to false.

    regoRule

    object

    Rule details.

    policy [required]

    string

    The policy written in rego, see: https://www.openpolicyagent.org/docs/latest/policy-language/

    resourceTypes [required]

    [string]

    List of resource types that will be evaluated upon. Must have at least one element.

    resourceType

    string

    Main resource type to be checked by the rule. It should be specified again in regoRule.resourceTypes.

    decreaseCriticalityBasedOnEnv

    boolean

    If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise. The severity is decreased by one level: CRITICAL in production becomes HIGH in non-production, HIGH becomes MEDIUM and so on. INFO remains INFO. The decrement is applied when the environment tag of the signal starts with staging, test or dev.

    detectionMethod

    enum

    The detection method. Allowed enum values: threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold,sequence_detection

    evaluationWindow

    enum

    A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400

    hardcodedEvaluatorType

    enum

    Hardcoded evaluator type. Allowed enum values: log4shell

    impossibleTravelOptions

    object

    Options on impossible travel detection method.

    baselineUserLocations

    boolean

    If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.

    keepAlive

    enum

    Once a signal is generated, the signal will remain "open" if a case is matched at least once within this keep alive window. For third party detection method, this field is not used. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400

    maxSignalDuration

    enum

    A signal will "close" regardless of the query being matched once the time exceeds the maximum duration. This time is calculated from the first seen timestamp. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400

    newValueOptions

    object

    Options on new value detection method.

    forgetAfter

    enum

    The duration in days after which a learned value is forgotten. Allowed enum values: 1,2,7,14,21,28

    learningDuration

    enum

    The duration in days during which values are learned, and after which signals will be generated for values that weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned. Allowed enum values: 0,1,7

    learningMethod

    enum

    The learning method used to determine when signals should be generated for values that weren't learned. Allowed enum values: duration,threshold

    default: duration

    learningThreshold

    enum

    A number of occurrences after which signals will be generated for values that weren't learned. Allowed enum values: 0,1

    sequenceDetectionOptions

    object

    Options on sequence detection method.

    stepTransitions

    [object]

    Transitions defining the allowed order of steps and their evaluation windows.

    child

    string

    Name of the child step.

    evaluationWindow

    enum

    A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400

    parent

    string

    Name of the parent step.

    steps

    [object]

    Steps that define the conditions to be matched in sequence.

    condition

    string

    Condition referencing rule queries (e.g., a > 0).

    evaluationWindow

    enum

    A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400

    name

    string

    Unique name identifying the step.

    thirdPartyRuleOptions

    object

    Options on third party detection method.

    defaultNotifications

    [string]

    Notification targets for the logs that do not correspond to any of the cases.

    defaultStatus

    enum

    Severity of the Security Signal. Allowed enum values: info,low,medium,high,critical

    rootQueries

    [object]

    Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.

    groupByFields

    [string]

    Fields to group by.

    query

    string

    Query to run on logs.

    signalTitleTemplate

    string

    A template for the signal title; if omitted, the title is generated based on the case name.

    queries

    [object]

    Queries for selecting logs which are part of the rule.

    aggregation

    enum

    The aggregation type. Allowed enum values: count,cardinality,sum,max,new_value,geo_data,event_count,none

    correlatedByFields

    [string]

    Fields to correlate by.

    correlatedQueryIndex

    int32

    Index of the rule query used to retrieve the correlated field.

    defaultRuleId

    string

    Default Rule ID to match on signals.

    distinctFields

    [string]

    Field for which the cardinality is measured. Sent as an array.

    groupByFields

    [string]

    Fields to group by.

    metrics

    [string]

    Group of target fields to aggregate over.

    name

    string

    Name of the query.

    ruleId

    string

    Rule ID to match on signals.

    tags

    [string]

    Tags for generated signals.

    type

    enum

    The rule type. Allowed enum values: signal_correlation

    updateAuthorId

    int64

    User ID of the user who updated the rule.

    version

    int64

    The version of the rule.

    meta

    object

    Object describing meta attributes of response.

    page

    object

    Pagination object.

    total_count

    int64

    Total count.

    total_filtered_count

    int64

    Total count of elements matched by the filter.

    {
  "data": [
    {
      "calculatedFields": [
        {
          "expression": "@request_end_timestamp - @request_start_timestamp",
          "name": "response_time"
        }
      ],
      "cases": [
        {
          "actions": [
            {
              "options": {
                "duration": 0,
                "flaggedIPType": "FLAGGED",
                "userBehaviorName": "string"
              },
              "type": "string"
            }
          ],
          "condition": "string",
          "customStatus": "critical",
          "name": "string",
          "notifications": [],
          "status": "critical"
        }
      ],
      "complianceSignalOptions": {
        "defaultActivationStatus": false,
        "defaultGroupByFields": [],
        "userActivationStatus": false,
        "userGroupByFields": []
      },
      "createdAt": "integer",
      "creationAuthorId": "integer",
      "customMessage": "string",
      "customName": "string",
      "defaultTags": [
        "security:attacks"
      ],
      "deprecationDate": "integer",
      "filters": [
        {
          "action": "string",
          "query": "string"
        }
      ],
      "groupSignalsBy": [
        "service"
      ],
      "hasExtendedTitle": false,
      "id": "string",
      "isDefault": false,
      "isDeleted": false,
      "isEnabled": false,
      "message": "string",
      "name": "string",
      "options": {
        "complianceRuleOptions": {
          "complexRule": false,
          "regoRule": {
            "policy": "package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(resource) = \"skip\" if {\n  # Logic that evaluates to true if the resource should be skipped\n  true\n} else = \"pass\" {\n  # Logic that evaluates to true if the resource is compliant\n  true\n} else = \"fail\" {\n  # Logic that evaluates to true if the resource is not compliant\n  true\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n  some resource in input.resources[input.main_resource_type]\n  result := dd_output.format(resource, eval(resource))\n}",
            "resourceTypes": [
              "gcp_iam_service_account",
              "gcp_iam_policy"
            ]
          },
          "resourceType": "aws_acm"
        },
        "decreaseCriticalityBasedOnEnv": false,
        "detectionMethod": "string",
        "evaluationWindow": "integer",
        "hardcodedEvaluatorType": "string",
        "impossibleTravelOptions": {
          "baselineUserLocations": true
        },
        "keepAlive": "integer",
        "maxSignalDuration": "integer",
        "newValueOptions": {
          "forgetAfter": "integer",
          "learningDuration": "integer",
          "learningMethod": "string",
          "learningThreshold": "integer"
        },
        "sequenceDetectionOptions": {
          "stepTransitions": [
            {
              "child": "string",
              "evaluationWindow": "integer",
              "parent": "string"
            }
          ],
          "steps": [
            {
              "condition": "string",
              "evaluationWindow": "integer",
              "name": "string"
            }
          ]
        },
        "thirdPartyRuleOptions": {
          "defaultNotifications": [],
          "defaultStatus": "critical",
          "rootQueries": [
            {
              "groupByFields": [],
              "query": "source:cloudtrail"
            }
          ],
          "signalTitleTemplate": "string"
        }
      },
      "queries": [
        {
          "aggregation": "string",
          "customQueryExtension": "a > 3",
          "dataSource": "logs",
          "distinctFields": [],
          "groupByFields": [],
          "hasOptionalGroupByFields": false,
          "index": "string",
          "indexes": [],
          "metric": "string",
          "metrics": [],
          "name": "string",
          "query": "a > 3"
        }
      ],
      "referenceTables": [
        {
          "checkPresence": false,
          "columnName": "string",
          "logFieldPath": "string",
          "ruleQueryName": "string",
          "tableName": "string"
        }
      ],
      "schedulingOptions": {
        "rrule": "FREQ=HOURLY;INTERVAL=1;",
        "start": "2025-07-14T12:00:00",
        "timezone": "America/New_York"
      },
      "tags": [],
      "thirdPartyCases": [
        {
          "customStatus": "critical",
          "name": "string",
          "notifications": [],
          "query": "string",
          "status": "critical"
        }
      ],
      "type": "string",
      "updateAuthorId": "integer",
      "updatedAt": "integer",
      "version": "integer"
    }
  ],
  "meta": {
    "page": {
      "total_count": "integer",
      "total_filtered_count": "integer"
    }
  }
}

    Bad Request

    API error response.

    Expand All

    Field

    Type

    Description

    errors [required]

    [string]

    A list of errors.

    {
  "errors": [
    "Bad Request"
  ]
}

    Too many requests

    API error response.

    Expand All

    Field

    Type

    Description

    errors [required]

    [string]

    A list of errors.

    {
  "errors": [
    "Bad Request"
  ]
}

    Code Example

                      # Curl command
    curl -X GET "https://api.ap1.datadoghq.com"https://api.ap2.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/rules" \
-H "Accept: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"
    
                
    """
List rules returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.list_security_monitoring_rules()

    print(response)

    Instructions

    First install the library and its dependencies and then save the example to example.py and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
    # List rules returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new
p api_instance.list_security_monitoring_rules()

    Instructions

    First install the library and its dependencies and then save the example to example.rb and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" rb "example.rb"
    // List rules returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.ListSecurityMonitoringRules(ctx, *datadogV2.NewListSecurityMonitoringRulesOptionalParameters())

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.ListSecurityMonitoringRules`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.ListSecurityMonitoringRules`:\n%s\n", responseContent)
}

    Instructions

    First install the library and its dependencies and then save the example to main.go and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
    // List rules returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityMonitoringListRulesResponse;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    try {
      SecurityMonitoringListRulesResponse result = apiInstance.listSecurityMonitoringRules();
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#listSecurityMonitoringRules");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

    Instructions

    First install the library and its dependencies and then save the example to Example.java and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"
    // List rules returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::ListSecurityMonitoringRulesOptionalParams;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;

#[tokio::main]
async fn main() {
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api
        .list_security_monitoring_rules(ListSecurityMonitoringRulesOptionalParams::default())
        .await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}

    Instructions

    First install the library and its dependencies and then save the example to src/main.rs and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run
    /**
 * List rules returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

apiInstance
  .listSecurityMonitoringRules()
  .then((data: v2.SecurityMonitoringListRulesResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

    Instructions

    First install the library and its dependencies and then save the example to example.ts and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"

    Update a custom framework

    PUT https://api.ap1.datadoghq.com/api/v2/cloud_security_management/custom_frameworks/{handle}/{version}https://api.ap2.datadoghq.com/api/v2/cloud_security_management/custom_frameworks/{handle}/{version}https://api.datadoghq.eu/api/v2/cloud_security_management/custom_frameworks/{handle}/{version}https://api.ddog-gov.com/api/v2/cloud_security_management/custom_frameworks/{handle}/{version}https://api.datadoghq.com/api/v2/cloud_security_management/custom_frameworks/{handle}/{version}https://api.us3.datadoghq.com/api/v2/cloud_security_management/custom_frameworks/{handle}/{version}https://api.us5.datadoghq.com/api/v2/cloud_security_management/custom_frameworks/{handle}/{version}

    Overview

    Update a custom framework. This endpoint requires all of the following permissions:

  • security_monitoring_rules_read
  • security_monitoring_rules_write

    • OAuth apps require the security_monitoring_rules_read, security_monitoring_rules_write authorization scope to access this endpoint.

    Arguments

    Path Parameters

    Name

    Type

    Description

    handle [required]

    string

    The framework handle

    version [required]

    string

    The framework version

    Request

    Body Data (required)

    Expand All

    Field

    Type

    Description

    data [required]

    object

    Contains type and attributes for custom frameworks.

    attributes [required]

    object

    Framework Data Attributes.

    description

    string

    Framework Description

    handle [required]

    string

    Framework Handle

    icon_url

    string

    Framework Icon URL

    name [required]

    string

    Framework Name

    requirements [required]

    [object]

    Framework Requirements

    controls [required]

    [object]

    Requirement Controls.

    name [required]

    string

    Control Name.

    rules_id [required]

    [string]

    Rule IDs.

    name [required]

    string

    Requirement Name.

    version [required]

    string

    Framework Version

    type [required]

    enum

    The type of the resource. The value must be custom_framework. Allowed enum values: custom_framework

    default: custom_framework

    {
  "data": {
    "type": "custom_framework",
    "attributes": {
      "name": "name",
      "handle": "create-framework-new",
      "version": "10",
      "icon_url": "test-url",
      "requirements": [
        {
          "name": "requirement",
          "controls": [
            {
              "name": "control",
              "rules_id": [
                "def-000-be9"
              ]
            }
          ]
        }
      ]
    }
  }
}

    Response

    OK

    Response object to update a custom framework.

    Expand All

    Field

    Type

    Description

    data [required]

    object

    Contains type and attributes for custom frameworks.

    attributes [required]

    object

    Framework Handle and Version.

    handle

    string

    Framework Handle

    version

    string

    Framework Version

    id [required]

    string

    The ID of the custom framework.

    type [required]

    enum

    The type of the resource. The value must be custom_framework. Allowed enum values: custom_framework

    default: custom_framework

    {
  "data": {
    "attributes": {
      "handle": "sec2",
      "version": "2"
    },
    "id": "handle-version",
    "type": "custom_framework"
  }
}

    Bad Request

    API error response.

    Expand All

    Field

    Type

    Description

    errors [required]

    [string]

    A list of errors.

    {
  "errors": [
    "Bad Request"
  ]
}

    Too many requests

    API error response.

    Expand All

    Field

    Type

    Description

    errors [required]

    [string]

    A list of errors.

    {
  "errors": [
    "Bad Request"
  ]
}

    Bad Request

    API error response.

    Expand All

    Field

    Type

    Description

    errors [required]

    [string]

    A list of errors.

    {
  "errors": [
    "Bad Request"
  ]
}

    Code Example

                              # Path parameters
    export handle="CHANGE_ME"
    export version="CHANGE_ME"
    # Curl command
    curl -X PUT "https://api.ap1.datadoghq.com"https://api.ap2.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/cloud_security_management/custom_frameworks/${handle}/${version}" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "data": {
    "type": "custom_framework",
    "attributes": {
      "name": "name",
      "handle": "create-framework-new",
      "version": "10",
      "icon_url": "test-url",
      "requirements": [
        {
          "name": "requirement",
          "controls": [
            {
              "name": "control",
              "rules_id": [
                "def-000-be9"
              ]
            }
          ]
        }
      ]
    }
  }
}
EOF
    
                        
    // Update a custom framework returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	body := datadogV2.UpdateCustomFrameworkRequest{
		Data: datadogV2.CustomFrameworkData{
			Type: datadogV2.CUSTOMFRAMEWORKTYPE_CUSTOM_FRAMEWORK,
			Attributes: datadogV2.CustomFrameworkDataAttributes{
				Name:    "name",
				Handle:  "create-framework-new",
				Version: "10",
				IconUrl: datadog.PtrString("test-url"),
				Requirements: []datadogV2.CustomFrameworkRequirement{
					{
						Name: "requirement",
						Controls: []datadogV2.CustomFrameworkControl{
							{
								Name: "control",
								RulesId: []string{
									"def-000-be9",
								},
							},
						},
					},
				},
			},
		},
	}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.UpdateCustomFramework(ctx, "create-framework-new", "10", body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.UpdateCustomFramework`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.UpdateCustomFramework`:\n%s\n", responseContent)
}

    Instructions

    First install the library and its dependencies and then save the example to main.go and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
    // Update a custom framework returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.CustomFrameworkControl;
import com.datadog.api.client.v2.model.CustomFrameworkData;
import com.datadog.api.client.v2.model.CustomFrameworkDataAttributes;
import com.datadog.api.client.v2.model.CustomFrameworkRequirement;
import com.datadog.api.client.v2.model.CustomFrameworkType;
import com.datadog.api.client.v2.model.UpdateCustomFrameworkRequest;
import com.datadog.api.client.v2.model.UpdateCustomFrameworkResponse;
import java.util.Collections;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    UpdateCustomFrameworkRequest body =
        new UpdateCustomFrameworkRequest()
            .data(
                new CustomFrameworkData()
                    .type(CustomFrameworkType.CUSTOM_FRAMEWORK)
                    .attributes(
                        new CustomFrameworkDataAttributes()
                            .name("name")
                            .handle("create-framework-new")
                            .version("10")
                            .iconUrl("test-url")
                            .requirements(
                                Collections.singletonList(
                                    new CustomFrameworkRequirement()
                                        .name("requirement")
                                        .controls(
                                            Collections.singletonList(
                                                new CustomFrameworkControl()
                                                    .name("control")
                                                    .rulesId(
                                                        Collections.singletonList(
                                                            "def-000-be9"))))))));

    try {
      UpdateCustomFrameworkResponse result =
          apiInstance.updateCustomFramework("create-framework-new", "10", body);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println("Exception when calling SecurityMonitoringApi#updateCustomFramework");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

    Instructions

    First install the library and its dependencies and then save the example to Example.java and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"
    """
Update a custom framework returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.custom_framework_control import CustomFrameworkControl
from datadog_api_client.v2.model.custom_framework_data import CustomFrameworkData
from datadog_api_client.v2.model.custom_framework_data_attributes import CustomFrameworkDataAttributes
from datadog_api_client.v2.model.custom_framework_requirement import CustomFrameworkRequirement
from datadog_api_client.v2.model.custom_framework_type import CustomFrameworkType
from datadog_api_client.v2.model.update_custom_framework_request import UpdateCustomFrameworkRequest

body = UpdateCustomFrameworkRequest(
    data=CustomFrameworkData(
        type=CustomFrameworkType.CUSTOM_FRAMEWORK,
        attributes=CustomFrameworkDataAttributes(
            name="name",
            handle="create-framework-new",
            version="10",
            icon_url="test-url",
            requirements=[
                CustomFrameworkRequirement(
                    name="requirement",
                    controls=[
                        CustomFrameworkControl(
                            name="control",
                            rules_id=[
                                "def-000-be9",
                            ],
                        ),
                    ],
                ),
            ],
        ),
    ),
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.update_custom_framework(handle="create-framework-new", version="10", body=body)

    print(response)

    Instructions

    First install the library and its dependencies and then save the example to example.py and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
    # Update a custom framework returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

body = DatadogAPIClient::V2::UpdateCustomFrameworkRequest.new({
  data: DatadogAPIClient::V2::CustomFrameworkData.new({
    type: DatadogAPIClient::V2::CustomFrameworkType::CUSTOM_FRAMEWORK,
    attributes: DatadogAPIClient::V2::CustomFrameworkDataAttributes.new({
      name: "name",
      handle: "create-framework-new",
      version: "10",
      icon_url: "test-url",
      requirements: [
        DatadogAPIClient::V2::CustomFrameworkRequirement.new({
          name: "requirement",
          controls: [
            DatadogAPIClient::V2::CustomFrameworkControl.new({
              name: "control",
              rules_id: [
                "def-000-be9",
              ],
            }),
          ],
        }),
      ],
    }),
  }),
})
p api_instance.update_custom_framework("create-framework-new", "10", body)

    Instructions

    First install the library and its dependencies and then save the example to example.rb and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" rb "example.rb"
    // Update a custom framework returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::CustomFrameworkControl;
use datadog_api_client::datadogV2::model::CustomFrameworkData;
use datadog_api_client::datadogV2::model::CustomFrameworkDataAttributes;
use datadog_api_client::datadogV2::model::CustomFrameworkRequirement;
use datadog_api_client::datadogV2::model::CustomFrameworkType;
use datadog_api_client::datadogV2::model::UpdateCustomFrameworkRequest;

#[tokio::main]
async fn main() {
    let body = UpdateCustomFrameworkRequest::new(CustomFrameworkData::new(
        CustomFrameworkDataAttributes::new(
            "create-framework-new".to_string(),
            "name".to_string(),
            vec![CustomFrameworkRequirement::new(
                vec![CustomFrameworkControl::new(
                    "control".to_string(),
                    vec!["def-000-be9".to_string()],
                )],
                "requirement".to_string(),
            )],
            "10".to_string(),
        )
        .icon_url("test-url".to_string()),
        CustomFrameworkType::CUSTOM_FRAMEWORK,
    ));
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api
        .update_custom_framework("create-framework-new".to_string(), "10".to_string(), body)
        .await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}

    Instructions

    First install the library and its dependencies and then save the example to src/main.rs and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run
    /**
 * Update a custom framework returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiUpdateCustomFrameworkRequest = {
  body: {
    data: {
      type: "custom_framework",
      attributes: {
        name: "name",
        handle: "create-framework-new",
        version: "10",
        iconUrl: "test-url",
        requirements: [
          {
            name: "requirement",
            controls: [
              {
                name: "control",
                rulesId: ["def-000-be9"],
              },
            ],
          },
        ],
      },
    },
  },
  handle: "create-framework-new",
  version: "10",
};

apiInstance
  .updateCustomFramework(params)
  .then((data: v2.UpdateCustomFrameworkResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

    Instructions

    First install the library and its dependencies and then save the example to example.ts and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"

    Get a rule's details

    GET https://api.ap1.datadoghq.com/api/v2/security_monitoring/rules/{rule_id}https://api.ap2.datadoghq.com/api/v2/security_monitoring/rules/{rule_id}https://api.datadoghq.eu/api/v2/security_monitoring/rules/{rule_id}https://api.ddog-gov.com/api/v2/security_monitoring/rules/{rule_id}https://api.datadoghq.com/api/v2/security_monitoring/rules/{rule_id}https://api.us3.datadoghq.com/api/v2/security_monitoring/rules/{rule_id}https://api.us5.datadoghq.com/api/v2/security_monitoring/rules/{rule_id}

    Overview

    Get a rule’s details. This endpoint requires the security_monitoring_rules_read permission.

    OAuth apps require the security_monitoring_rules_read authorization scope to access this endpoint.

    Arguments

    Path Parameters

    Name

    Type

    Description

    rule_id [required]

    string

    The ID of the rule.

    Response

    OK

    Create a new rule.

    Expand All

    Field

    Type

    Description

    Option 1

    object

    Rule.

    calculatedFields

    [object]

    Calculated fields. Only allowed for scheduled rules - in other words, when schedulingOptions is also defined.

    expression [required]

    string

    Expression.

    name [required]

    string

    Field name.

    cases

    [object]

    Cases for generating signals.

    actions

    [object]

    Action to perform for each rule case.

    options

    object

    Options for the rule action

    duration

    int64

    Duration of the action in seconds. 0 indicates no expiration.

    flaggedIPType

    enum

    Used with the case action of type 'flag_ip'. The value specified in this field is applied as a flag to the IP addresses. Allowed enum values: SUSPICIOUS,FLAGGED

    userBehaviorName

    string

    Used with the case action of type 'user_behavior'. The value specified in this field is applied as a risk tag to all users affected by the rule.

    type

    enum

    The action type. Allowed enum values: block_ip,block_user,user_behavior,flag_ip

    condition

    string

    A rule case contains logical operations (>,>=, &&, ||) to determine if a signal should be generated based on the event counts in the previously defined queries.

    customStatus

    enum

    Severity of the Security Signal. Allowed enum values: info,low,medium,high,critical

    name

    string

    Name of the case.

    notifications

    [string]

    Notification targets for each rule case.

    status

    enum

    Severity of the Security Signal. Allowed enum values: info,low,medium,high,critical

    complianceSignalOptions

    object

    How to generate compliance signals. Useful for cloud_configuration rules only.

    defaultActivationStatus

    boolean

    The default activation status.

    defaultGroupByFields

    [string]

    The default group by fields.

    userActivationStatus

    boolean

    Whether signals will be sent.

    userGroupByFields

    [string]

    Fields to use to group findings by when sending signals.

    createdAt

    int64

    When the rule was created, timestamp in milliseconds.

    creationAuthorId

    int64

    User ID of the user who created the rule.

    customMessage

    string

    Custom/Overridden message for generated signals (used in case of Default rule update).

    customName

    string

    Custom/Overridden name of the rule (used in case of Default rule update).

    defaultTags

    [string]

    Default Tags for default rules (included in tags)

    deprecationDate

    int64

    When the rule will be deprecated, timestamp in milliseconds.

    filters

    [object]

    Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules.

    action

    enum

    The type of filtering action. Allowed enum values: require,suppress

    query

    string

    Query for selecting logs to apply the filtering action.

    groupSignalsBy

    [string]

    Additional grouping to perform on top of the existing groups in the query section. Must be a subset of the existing groups.

    hasExtendedTitle

    boolean

    Whether the notifications include the triggering group-by values in their title.

    id

    string

    The ID of the rule.

    isDefault

    boolean

    Whether the rule is included by default.

    isDeleted

    boolean

    Whether the rule has been deleted.

    isEnabled

    boolean

    Whether the rule is enabled.

    message

    string

    Message for generated signals.

    name

    string

    The name of the rule.

    options

    object

    Options.

    complianceRuleOptions

    object

    Options for cloud_configuration rules. Fields resourceType and regoRule are mandatory when managing custom cloud_configuration rules.

    complexRule

    boolean

    Whether the rule is a complex one. Must be set to true if regoRule.resourceTypes contains more than one item. Defaults to false.

    regoRule

    object

    Rule details.

    policy [required]

    string

    The policy written in rego, see: https://www.openpolicyagent.org/docs/latest/policy-language/

    resourceTypes [required]

    [string]

    List of resource types that will be evaluated upon. Must have at least one element.

    resourceType

    string

    Main resource type to be checked by the rule. It should be specified again in regoRule.resourceTypes.

    decreaseCriticalityBasedOnEnv

    boolean

    If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise. The severity is decreased by one level: CRITICAL in production becomes HIGH in non-production, HIGH becomes MEDIUM and so on. INFO remains INFO. The decrement is applied when the environment tag of the signal starts with staging, test or dev.

    detectionMethod

    enum

    The detection method. Allowed enum values: threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold,sequence_detection

    evaluationWindow

    enum

    A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400

    hardcodedEvaluatorType

    enum

    Hardcoded evaluator type. Allowed enum values: log4shell

    impossibleTravelOptions

    object

    Options on impossible travel detection method.

    baselineUserLocations

    boolean

    If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.

    keepAlive

    enum

    Once a signal is generated, the signal will remain "open" if a case is matched at least once within this keep alive window. For third party detection method, this field is not used. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400

    maxSignalDuration

    enum

    A signal will "close" regardless of the query being matched once the time exceeds the maximum duration. This time is calculated from the first seen timestamp. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400

    newValueOptions

    object

    Options on new value detection method.

    forgetAfter

    enum

    The duration in days after which a learned value is forgotten. Allowed enum values: 1,2,7,14,21,28

    learningDuration

    enum

    The duration in days during which values are learned, and after which signals will be generated for values that weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned. Allowed enum values: 0,1,7

    learningMethod

    enum

    The learning method used to determine when signals should be generated for values that weren't learned. Allowed enum values: duration,threshold

    default: duration

    learningThreshold

    enum

    A number of occurrences after which signals will be generated for values that weren't learned. Allowed enum values: 0,1

    sequenceDetectionOptions

    object

    Options on sequence detection method.

    stepTransitions

    [object]

    Transitions defining the allowed order of steps and their evaluation windows.

    child

    string

    Name of the child step.

    evaluationWindow

    enum

    A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400

    parent

    string

    Name of the parent step.

    steps

    [object]

    Steps that define the conditions to be matched in sequence.

    condition

    string

    Condition referencing rule queries (e.g., a > 0).

    evaluationWindow

    enum

    A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400

    name

    string

    Unique name identifying the step.

    thirdPartyRuleOptions

    object

    Options on third party detection method.

    defaultNotifications

    [string]

    Notification targets for the logs that do not correspond to any of the cases.

    defaultStatus

    enum

    Severity of the Security Signal. Allowed enum values: info,low,medium,high,critical

    rootQueries

    [object]

    Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.

    groupByFields

    [string]

    Fields to group by.

    query

    string

    Query to run on logs.

    signalTitleTemplate

    string

    A template for the signal title; if omitted, the title is generated based on the case name.

    queries

    [object]

    Queries for selecting logs which are part of the rule.

    aggregation

    enum

    The aggregation type. Allowed enum values: count,cardinality,sum,max,new_value,geo_data,event_count,none

    customQueryExtension

    string

    Query extension to append to the logs query.

    dataSource

    enum

    Source of events, either logs, audit trail, or Datadog events. Allowed enum values: logs,audit,app_sec_spans,spans,security_runtime,network,events

    default: logs

    distinctFields

    [string]

    Field for which the cardinality is measured. Sent as an array.

    groupByFields

    [string]

    Fields to group by.

    hasOptionalGroupByFields

    boolean

    When false, events without a group-by value are ignored by the rule. When true, events with missing group-by fields are processed with N/A, replacing the missing values.

    index

    string

    This field is currently unstable and might be removed in a minor version upgrade. The index to run the query on, if the dataSource is logs. Only used for scheduled rules - in other words, when the schedulingOptions field is present in the rule payload.

    indexes

    [string]

    List of indexes to query when the dataSource is logs. Only used for scheduled rules, such as when the schedulingOptions field is present in the rule payload.

    metric

    string

    DEPRECATED: (Deprecated) The target field to aggregate over when using the sum or max aggregations. metrics field should be used instead.

    metrics

    [string]

    Group of target fields to aggregate over when using the sum, max, geo data, or new value aggregations. The sum, max, and geo data aggregations only accept one value in this list, whereas the new value aggregation accepts up to five values.

    name

    string

    Name of the query.

    query

    string

    Query to run on logs.

    referenceTables

    [object]

    Reference tables for the rule.

    checkPresence

    boolean

    Whether to include or exclude the matched values.

    columnName

    string

    The name of the column in the reference table.

    logFieldPath

    string

    The field in the log to match against the reference table.

    ruleQueryName

    string

    The name of the query to apply the reference table to.

    tableName

    string

    The name of the reference table.

    schedulingOptions

    object

    Options for scheduled rules. When this field is present, the rule runs based on the schedule. When absent, it runs real-time on ingested logs.

    rrule

    string

    Schedule for the rule queries, written in RRULE syntax. See RFC for syntax reference.

    start

    string

    Start date for the schedule, in ISO 8601 format without timezone.

    timezone

    string

    Time zone of the start date, in the tz database format.

    tags

    [string]

    Tags for generated signals.

    thirdPartyCases

    [object]

    Cases for generating signals from third-party rules. Only available for third-party rules.

    customStatus

    enum

    Severity of the Security Signal. Allowed enum values: info,low,medium,high,critical

    name

    string

    Name of the case.

    notifications

    [string]

    Notification targets for each rule case.

    query

    string

    A query to map a third party event to this case.

    status

    enum

    Severity of the Security Signal. Allowed enum values: info,low,medium,high,critical

    type

    enum

    The rule type. Allowed enum values: log_detection,infrastructure_configuration,workload_security,cloud_configuration,application_security,api_security

    updateAuthorId

    int64

    User ID of the user who updated the rule.

    updatedAt

    int64

    The date the rule was last updated, in milliseconds.

    version

    int64

    The version of the rule.

    Option 2

    object

    Rule.

    cases

    [object]

    Cases for generating signals.

    actions

    [object]

    Action to perform for each rule case.

    options

    object

    Options for the rule action

    duration

    int64

    Duration of the action in seconds. 0 indicates no expiration.

    flaggedIPType

    enum

    Used with the case action of type 'flag_ip'. The value specified in this field is applied as a flag to the IP addresses. Allowed enum values: SUSPICIOUS,FLAGGED

    userBehaviorName

    string

    Used with the case action of type 'user_behavior'. The value specified in this field is applied as a risk tag to all users affected by the rule.

    type

    enum

    The action type. Allowed enum values: block_ip,block_user,user_behavior,flag_ip

    condition

    string

    A rule case contains logical operations (>,>=, &&, ||) to determine if a signal should be generated based on the event counts in the previously defined queries.

    customStatus

    enum

    Severity of the Security Signal. Allowed enum values: info,low,medium,high,critical

    name

    string

    Name of the case.

    notifications

    [string]

    Notification targets for each rule case.

    status

    enum

    Severity of the Security Signal. Allowed enum values: info,low,medium,high,critical

    createdAt

    int64

    When the rule was created, timestamp in milliseconds.

    creationAuthorId

    int64

    User ID of the user who created the rule.

    customMessage

    string

    Custom/Overridden message for generated signals (used in case of Default rule update).

    customName

    string

    Custom/Overridden name of the rule (used in case of Default rule update).

    deprecationDate

    int64

    When the rule will be deprecated, timestamp in milliseconds.

    filters

    [object]

    Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules.

    action

    enum

    The type of filtering action. Allowed enum values: require,suppress

    query

    string

    Query for selecting logs to apply the filtering action.

    hasExtendedTitle

    boolean

    Whether the notifications include the triggering group-by values in their title.

    id

    string

    The ID of the rule.

    isDefault

    boolean

    Whether the rule is included by default.

    isDeleted

    boolean

    Whether the rule has been deleted.

    isEnabled

    boolean

    Whether the rule is enabled.

    message

    string

    Message for generated signals.

    name

    string

    The name of the rule.

    options

    object

    Options.

    complianceRuleOptions

    object

    Options for cloud_configuration rules. Fields resourceType and regoRule are mandatory when managing custom cloud_configuration rules.

    complexRule

    boolean

    Whether the rule is a complex one. Must be set to true if regoRule.resourceTypes contains more than one item. Defaults to false.

    regoRule

    object

    Rule details.

    policy [required]

    string

    The policy written in rego, see: https://www.openpolicyagent.org/docs/latest/policy-language/

    resourceTypes [required]

    [string]

    List of resource types that will be evaluated upon. Must have at least one element.

    resourceType

    string

    Main resource type to be checked by the rule. It should be specified again in regoRule.resourceTypes.

    decreaseCriticalityBasedOnEnv

    boolean

    If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise. The severity is decreased by one level: CRITICAL in production becomes HIGH in non-production, HIGH becomes MEDIUM and so on. INFO remains INFO. The decrement is applied when the environment tag of the signal starts with staging, test or dev.

    detectionMethod

    enum

    The detection method. Allowed enum values: threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold,sequence_detection

    evaluationWindow

    enum

    A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400

    hardcodedEvaluatorType

    enum

    Hardcoded evaluator type. Allowed enum values: log4shell

    impossibleTravelOptions

    object

    Options on impossible travel detection method.

    baselineUserLocations

    boolean

    If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.

    keepAlive

    enum

    Once a signal is generated, the signal will remain "open" if a case is matched at least once within this keep alive window. For third party detection method, this field is not used. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400

    maxSignalDuration

    enum

    A signal will "close" regardless of the query being matched once the time exceeds the maximum duration. This time is calculated from the first seen timestamp. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400

    newValueOptions

    object

    Options on new value detection method.

    forgetAfter

    enum

    The duration in days after which a learned value is forgotten. Allowed enum values: 1,2,7,14,21,28

    learningDuration

    enum

    The duration in days during which values are learned, and after which signals will be generated for values that weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned. Allowed enum values: 0,1,7

    learningMethod

    enum

    The learning method used to determine when signals should be generated for values that weren't learned. Allowed enum values: duration,threshold

    default: duration

    learningThreshold

    enum

    A number of occurrences after which signals will be generated for values that weren't learned. Allowed enum values: 0,1

    sequenceDetectionOptions

    object

    Options on sequence detection method.

    stepTransitions

    [object]

    Transitions defining the allowed order of steps and their evaluation windows.

    child

    string

    Name of the child step.

    evaluationWindow

    enum

    A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400

    parent

    string

    Name of the parent step.

    steps

    [object]

    Steps that define the conditions to be matched in sequence.

    condition

    string

    Condition referencing rule queries (e.g., a > 0).

    evaluationWindow

    enum

    A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400

    name

    string

    Unique name identifying the step.

    thirdPartyRuleOptions

    object

    Options on third party detection method.

    defaultNotifications

    [string]

    Notification targets for the logs that do not correspond to any of the cases.

    defaultStatus

    enum

    Severity of the Security Signal. Allowed enum values: info,low,medium,high,critical

    rootQueries

    [object]

    Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.

    groupByFields

    [string]

    Fields to group by.

    query

    string

    Query to run on logs.

    signalTitleTemplate

    string

    A template for the signal title; if omitted, the title is generated based on the case name.

    queries

    [object]

    Queries for selecting logs which are part of the rule.

    aggregation

    enum

    The aggregation type. Allowed enum values: count,cardinality,sum,max,new_value,geo_data,event_count,none

    correlatedByFields

    [string]

    Fields to correlate by.

    correlatedQueryIndex

    int32

    Index of the rule query used to retrieve the correlated field.

    defaultRuleId

    string

    Default Rule ID to match on signals.

    distinctFields

    [string]

    Field for which the cardinality is measured. Sent as an array.

    groupByFields

    [string]

    Fields to group by.

    metrics

    [string]

    Group of target fields to aggregate over.

    name

    string

    Name of the query.

    ruleId

    string

    Rule ID to match on signals.

    tags

    [string]

    Tags for generated signals.

    type

    enum

    The rule type. Allowed enum values: signal_correlation

    updateAuthorId

    int64

    User ID of the user who updated the rule.

    version

    int64

    The version of the rule.

    {
  "calculatedFields": [
    {
      "expression": "@request_end_timestamp - @request_start_timestamp",
      "name": "response_time"
    }
  ],
  "cases": [
    {
      "actions": [
        {
          "options": {
            "duration": 0,
            "flaggedIPType": "FLAGGED",
            "userBehaviorName": "string"
          },
          "type": "string"
        }
      ],
      "condition": "string",
      "customStatus": "critical",
      "name": "string",
      "notifications": [],
      "status": "critical"
    }
  ],
  "complianceSignalOptions": {
    "defaultActivationStatus": false,
    "defaultGroupByFields": [],
    "userActivationStatus": false,
    "userGroupByFields": []
  },
  "createdAt": "integer",
  "creationAuthorId": "integer",
  "customMessage": "string",
  "customName": "string",
  "defaultTags": [
    "security:attacks"
  ],
  "deprecationDate": "integer",
  "filters": [
    {
      "action": "string",
      "query": "string"
    }
  ],
  "groupSignalsBy": [
    "service"
  ],
  "hasExtendedTitle": false,
  "id": "string",
  "isDefault": false,
  "isDeleted": false,
  "isEnabled": false,
  "message": "string",
  "name": "string",
  "options": {
    "complianceRuleOptions": {
      "complexRule": false,
      "regoRule": {
        "policy": "package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(resource) = \"skip\" if {\n  # Logic that evaluates to true if the resource should be skipped\n  true\n} else = \"pass\" {\n  # Logic that evaluates to true if the resource is compliant\n  true\n} else = \"fail\" {\n  # Logic that evaluates to true if the resource is not compliant\n  true\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n  some resource in input.resources[input.main_resource_type]\n  result := dd_output.format(resource, eval(resource))\n}",
        "resourceTypes": [
          "gcp_iam_service_account",
          "gcp_iam_policy"
        ]
      },
      "resourceType": "aws_acm"
    },
    "decreaseCriticalityBasedOnEnv": false,
    "detectionMethod": "string",
    "evaluationWindow": "integer",
    "hardcodedEvaluatorType": "string",
    "impossibleTravelOptions": {
      "baselineUserLocations": true
    },
    "keepAlive": "integer",
    "maxSignalDuration": "integer",
    "newValueOptions": {
      "forgetAfter": "integer",
      "learningDuration": "integer",
      "learningMethod": "string",
      "learningThreshold": "integer"
    },
    "sequenceDetectionOptions": {
      "stepTransitions": [
        {
          "child": "string",
          "evaluationWindow": "integer",
          "parent": "string"
        }
      ],
      "steps": [
        {
          "condition": "string",
          "evaluationWindow": "integer",
          "name": "string"
        }
      ]
    },
    "thirdPartyRuleOptions": {
      "defaultNotifications": [],
      "defaultStatus": "critical",
      "rootQueries": [
        {
          "groupByFields": [],
          "query": "source:cloudtrail"
        }
      ],
      "signalTitleTemplate": "string"
    }
  },
  "queries": [
    {
      "aggregation": "string",
      "customQueryExtension": "a > 3",
      "dataSource": "logs",
      "distinctFields": [],
      "groupByFields": [],
      "hasOptionalGroupByFields": false,
      "index": "string",
      "indexes": [],
      "metric": "string",
      "metrics": [],
      "name": "string",
      "query": "a > 3"
    }
  ],
  "referenceTables": [
    {
      "checkPresence": false,
      "columnName": "string",
      "logFieldPath": "string",
      "ruleQueryName": "string",
      "tableName": "string"
    }
  ],
  "schedulingOptions": {
    "rrule": "FREQ=HOURLY;INTERVAL=1;",
    "start": "2025-07-14T12:00:00",
    "timezone": "America/New_York"
  },
  "tags": [],
  "thirdPartyCases": [
    {
      "customStatus": "critical",
      "name": "string",
      "notifications": [],
      "query": "string",
      "status": "critical"
    }
  ],
  "type": "string",
  "updateAuthorId": "integer",
  "updatedAt": "integer",
  "version": "integer"
}

    Not Found

    API error response.

    Expand All

    Field

    Type

    Description

    errors [required]

    [string]

    A list of errors.

    {
  "errors": [
    "Bad Request"
  ]
}

    Too many requests

    API error response.

    Expand All

    Field

    Type

    Description

    errors [required]

    [string]

    A list of errors.

    {
  "errors": [
    "Bad Request"
  ]
}

    Code Example

                      # Path parameters
    export rule_id="CHANGE_ME"
    # Curl command
    curl -X GET "https://api.ap1.datadoghq.com"https://api.ap2.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/rules/${rule_id}" \
-H "Accept: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"
    
                
    """
Get a rule's details returns "OK" response
"""

from os import environ
from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi

# there is a valid "security_rule" in the system
SECURITY_RULE_ID = environ["SECURITY_RULE_ID"]

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.get_security_monitoring_rule(
        rule_id=SECURITY_RULE_ID,
    )

    print(response)

    Instructions

    First install the library and its dependencies and then save the example to example.py and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
    # Get a rule's details returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

# there is a valid "security_rule" in the system
SECURITY_RULE_ID = ENV["SECURITY_RULE_ID"]
p api_instance.get_security_monitoring_rule(SECURITY_RULE_ID)

    Instructions

    First install the library and its dependencies and then save the example to example.rb and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" rb "example.rb"
    // Get a rule's details returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	// there is a valid "security_rule" in the system
	SecurityRuleID := os.Getenv("SECURITY_RULE_ID")

	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.GetSecurityMonitoringRule(ctx, SecurityRuleID)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.GetSecurityMonitoringRule`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.GetSecurityMonitoringRule`:\n%s\n", responseContent)
}

    Instructions

    First install the library and its dependencies and then save the example to main.go and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
    // Get a rule's details returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleResponse;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    // there is a valid "security_rule" in the system
    String SECURITY_RULE_ID = System.getenv("SECURITY_RULE_ID");

    try {
      SecurityMonitoringRuleResponse result =
          apiInstance.getSecurityMonitoringRule(SECURITY_RULE_ID);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println("Exception when calling SecurityMonitoringApi#getSecurityMonitoringRule");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

    Instructions

    First install the library and its dependencies and then save the example to Example.java and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"
    // Get a rule's details returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;

#[tokio::main]
async fn main() {
    // there is a valid "security_rule" in the system
    let security_rule_id = std::env::var("SECURITY_RULE_ID").unwrap();
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api
        .get_security_monitoring_rule(security_rule_id.clone())
        .await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}

    Instructions

    First install the library and its dependencies and then save the example to src/main.rs and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run
    /**
 * Get a rule's details returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

// there is a valid "security_rule" in the system
const SECURITY_RULE_ID = process.env.SECURITY_RULE_ID as string;

const params: v2.SecurityMonitoringApiGetSecurityMonitoringRuleRequest = {
  ruleId: SECURITY_RULE_ID,
};

apiInstance
  .getSecurityMonitoringRule(params)
  .then((data: v2.SecurityMonitoringRuleResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

    Instructions

    First install the library and its dependencies and then save the example to example.ts and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"

    Modify the triage assignee of a security signal

    PATCH https://api.ap1.datadoghq.com/api/v1/security_analytics/signals/{signal_id}/assigneehttps://api.ap2.datadoghq.com/api/v1/security_analytics/signals/{signal_id}/assigneehttps://api.datadoghq.eu/api/v1/security_analytics/signals/{signal_id}/assigneehttps://api.ddog-gov.com/api/v1/security_analytics/signals/{signal_id}/assigneehttps://api.datadoghq.com/api/v1/security_analytics/signals/{signal_id}/assigneehttps://api.us3.datadoghq.com/api/v1/security_analytics/signals/{signal_id}/assigneehttps://api.us5.datadoghq.com/api/v1/security_analytics/signals/{signal_id}/assignee

    Overview

    This endpoint is deprecated - Modify the triage assignee of a security signal. This endpoint requires the security_monitoring_signals_write permission.

    Arguments

    Path Parameters

    Name

    Type

    Description

    signal_id [required]

    string

    The ID of the signal.

    Request

    Body Data (required)

    Attributes describing the signal update.

    Expand All

    Field

    Type

    Description

    assignee [required]

    string

    The UUID of the user being assigned. Use empty string to return signal to unassigned.

    version

    int64

    Version of the updated signal. If server side version is higher, update will be rejected.

    {
  "assignee": "773b045d-ccf8-4808-bd3b-955ef6a8c940"
}

    Response

    OK

    Updated signal data following a successfully performed update.

    Expand All

    Field

    Type

    Description

    status

    string

    Status of the response.

    {
  "status": "string"
}

    Bad Request

    Error response object.

    Expand All

    Field

    Type

    Description

    errors [required]

    [string]

    Array of errors returned by the API.

    {
  "errors": [
    "Bad Request"
  ]
}

    Forbidden

    Error response object.

    Expand All

    Field

    Type

    Description

    errors [required]

    [string]

    Array of errors returned by the API.

    {
  "errors": [
    "Bad Request"
  ]
}

    Not Found

    Error response object.

    Expand All

    Field

    Type

    Description

    errors [required]

    [string]

    Array of errors returned by the API.

    {
  "errors": [
    "Bad Request"
  ]
}

    Too many requests

    Error response object.

    Expand All

    Field

    Type

    Description

    errors [required]

    [string]

    Array of errors returned by the API.

    {
  "errors": [
    "Bad Request"
  ]
}

    Code Example

                              # Path parameters
    export signal_id="CHANGE_ME"
    # Curl command
    curl -X PATCH "https://api.ap1.datadoghq.com"https://api.ap2.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v1/security_analytics/signals/${signal_id}/assignee" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "assignee": "773b045d-ccf8-4808-bd3b-955ef6a8c940"
}
EOF
    
                        
    // Modify the triage assignee of a security signal returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV1"
)

func main() {
	body := datadogV1.SignalAssigneeUpdateRequest{
		Assignee: "773b045d-ccf8-4808-bd3b-955ef6a8c940",
	}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV1.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.EditSecurityMonitoringSignalAssignee(ctx, "AQAAAYDiB_Ol8PbzFAAAAABBWURpQl9PbEFBQU0yeXhGTG9ZV2JnQUE", body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.EditSecurityMonitoringSignalAssignee`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.EditSecurityMonitoringSignalAssignee`:\n%s\n", responseContent)
}

    Instructions

    First install the library and its dependencies and then save the example to main.go and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" go run "main.go"
    // Modify the triage assignee of a security signal returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v1.api.SecurityMonitoringApi;
import com.datadog.api.client.v1.model.SignalAssigneeUpdateRequest;
import com.datadog.api.client.v1.model.SuccessfulSignalUpdateResponse;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    SignalAssigneeUpdateRequest body =
        new SignalAssigneeUpdateRequest().assignee("773b045d-ccf8-4808-bd3b-955ef6a8c940");

    try {
      SuccessfulSignalUpdateResponse result =
          apiInstance.editSecurityMonitoringSignalAssignee(
              "AQAAAYDiB_Ol8PbzFAAAAABBWURpQl9PbEFBQU0yeXhGTG9ZV2JnQUE", body);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#editSecurityMonitoringSignalAssignee");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

    Instructions

    First install the library and its dependencies and then save the example to Example.java and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" java "Example.java"
    """
Modify the triage assignee of a security signal returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v1.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v1.model.signal_assignee_update_request import SignalAssigneeUpdateRequest

body = SignalAssigneeUpdateRequest(
    assignee="773b045d-ccf8-4808-bd3b-955ef6a8c940",
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.edit_security_monitoring_signal_assignee(
        signal_id="AQAAAYDiB_Ol8PbzFAAAAABBWURpQl9PbEFBQU0yeXhGTG9ZV2JnQUE", body=body
    )

    print(response)

    Instructions

    First install the library and its dependencies and then save the example to example.py and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" python3 "example.py"
    # Modify the triage assignee of a security signal returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V1::SecurityMonitoringAPI.new

body = DatadogAPIClient::V1::SignalAssigneeUpdateRequest.new({
  assignee: "773b045d-ccf8-4808-bd3b-955ef6a8c940",
})
p api_instance.edit_security_monitoring_signal_assignee("AQAAAYDiB_Ol8PbzFAAAAABBWURpQl9PbEFBQU0yeXhGTG9ZV2JnQUE", body)

    Instructions

    First install the library and its dependencies and then save the example to example.rb and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" rb "example.rb"
    // Modify the triage assignee of a security signal returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV1::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV1::model::SignalAssigneeUpdateRequest;

#[tokio::main]
async fn main() {
    let body = SignalAssigneeUpdateRequest::new("773b045d-ccf8-4808-bd3b-955ef6a8c940".to_string());
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api
        .edit_security_monitoring_signal_assignee(
            "AQAAAYDiB_Ol8PbzFAAAAABBWURpQl9PbEFBQU0yeXhGTG9ZV2JnQUE".to_string(),
            body,
        )
        .await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}

    Instructions

    First install the library and its dependencies and then save the example to src/main.rs and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" cargo run
    /**
 * Modify the triage assignee of a security signal returns "OK" response
 */

import { client, v1 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v1.SecurityMonitoringApi(configuration);

const params: v1.SecurityMonitoringApiEditSecurityMonitoringSignalAssigneeRequest =
  {
    body: {
      assignee: "773b045d-ccf8-4808-bd3b-955ef6a8c940",
    },
    signalId: "AQAAAYDiB_Ol8PbzFAAAAABBWURpQl9PbEFBQU0yeXhGTG9ZV2JnQUE",
  };

apiInstance
  .editSecurityMonitoringSignalAssignee(params)
  .then((data: v1.SuccessfulSignalUpdateResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

    Instructions

    First install the library and its dependencies and then save the example to example.ts and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" tsc "example.ts"

    PATCH https://api.ap1.datadoghq.com/api/v2/security_monitoring/signals/{signal_id}/assigneehttps://api.ap2.datadoghq.com/api/v2/security_monitoring/signals/{signal_id}/assigneehttps://api.datadoghq.eu/api/v2/security_monitoring/signals/{signal_id}/assigneehttps://api.ddog-gov.com/api/v2/security_monitoring/signals/{signal_id}/assigneehttps://api.datadoghq.com/api/v2/security_monitoring/signals/{signal_id}/assigneehttps://api.us3.datadoghq.com/api/v2/security_monitoring/signals/{signal_id}/assigneehttps://api.us5.datadoghq.com/api/v2/security_monitoring/signals/{signal_id}/assignee

    Overview

    Modify the triage assignee of a security signal. This endpoint requires the security_monitoring_signals_write permission.

    Arguments

    Path Parameters

    Name

    Type

    Description

    signal_id [required]

    string

    The ID of the signal.

    Request

    Body Data (required)

    Attributes describing the signal update.

    Expand All

    Field

    Type

    Description

    data [required]

    object

    Data containing the patch for changing the assignee of a signal.

    attributes [required]

    object

    Attributes describing the new assignee of a security signal.

    assignee [required]

    object

    Object representing a given user entity.

    handle

    string

    The handle for this user account.

    icon

    string

    Gravatar icon associated to the user.

    id

    int64

    Numerical ID assigned by Datadog to this user account.

    name

    string

    The name for this user account.

    uuid [required]

    string

    UUID assigned by Datadog to this user account.

    version

    int64

    Version of the updated signal. If server side version is higher, update will be rejected.

    {
  "data": {
    "attributes": {
      "assignee": {
        "uuid": ""
      }
    }
  }
}

    Response

    OK

    The response returned after all triage operations, containing the updated signal triage data.

    Expand All

    Field

    Type

    Description

    data [required]

    object

    Data containing the updated triage attributes of the signal.

    attributes

    object

    Attributes describing a triage state update operation over a security signal.

    archive_comment

    string

    Optional comment to display on archived signals.

    archive_comment_timestamp

    int64

    Timestamp of the last edit to the comment.

    archive_comment_user

    object

    Object representing a given user entity.

    handle

    string

    The handle for this user account.

    icon

    string

    Gravatar icon associated to the user.

    id

    int64

    Numerical ID assigned by Datadog to this user account.

    name

    string

    The name for this user account.

    uuid [required]

    string

    UUID assigned by Datadog to this user account.

    archive_reason

    enum

    Reason a signal is archived. Allowed enum values: none,false_positive,testing_or_maintenance,investigated_case_opened,true_positive_benign,true_positive_malicious,other

    assignee [required]

    object

    Object representing a given user entity.

    handle

    string

    The handle for this user account.

    icon

    string

    Gravatar icon associated to the user.

    id

    int64

    Numerical ID assigned by Datadog to this user account.

    name

    string

    The name for this user account.

    uuid [required]

    string

    UUID assigned by Datadog to this user account.

    incident_ids [required]

    [integer]

    Array of incidents that are associated with this signal.

    state [required]

    enum

    The new triage state of the signal. Allowed enum values: open,archived,under_review

    state_update_timestamp

    int64

    Timestamp of the last update to the signal state.

    state_update_user

    object

    Object representing a given user entity.

    handle

    string

    The handle for this user account.

    icon

    string

    Gravatar icon associated to the user.

    id

    int64

    Numerical ID assigned by Datadog to this user account.

    name

    string

    The name for this user account.

    uuid [required]

    string

    UUID assigned by Datadog to this user account.

    id

    string

    The unique ID of the security signal.

    type

    enum

    The type of event. Allowed enum values: signal_metadata

    default: signal_metadata

    {
  "data": {
    "attributes": {
      "archive_comment": "string",
      "archive_comment_timestamp": "integer",
      "archive_comment_user": {
        "handle": "string",
        "icon": "/path/to/matching/gravatar/icon",
        "id": "integer",
        "name": "string",
        "uuid": "773b045d-ccf8-4808-bd3b-955ef6a8c940"
      },
      "archive_reason": "string",
      "assignee": {
        "handle": "string",
        "icon": "/path/to/matching/gravatar/icon",
        "id": "integer",
        "name": "string",
        "uuid": "773b045d-ccf8-4808-bd3b-955ef6a8c940"
      },
      "incident_ids": [
        2066
      ],
      "state": "open",
      "state_update_timestamp": "integer",
      "state_update_user": {
        "handle": "string",
        "icon": "/path/to/matching/gravatar/icon",
        "id": "integer",
        "name": "string",
        "uuid": "773b045d-ccf8-4808-bd3b-955ef6a8c940"
      }
    },
    "id": "string",
    "type": "signal_metadata"
  }
}

    Bad Request

    API error response.

    Expand All

    Field

    Type

    Description

    errors [required]

    [string]

    A list of errors.

    {
  "errors": [
    "Bad Request"
  ]
}

    Forbidden

    API error response.

    Expand All

    Field

    Type

    Description

    errors [required]

    [string]

    A list of errors.

    {
  "errors": [
    "Bad Request"
  ]
}

    Not Found

    API error response.

    Expand All

    Field

    Type

    Description

    errors [required]

    [string]

    A list of errors.

    {
  "errors": [
    "Bad Request"
  ]
}

    Too many requests

    API error response.

    Expand All

    Field

    Type

    Description

    errors [required]

    [string]

    A list of errors.

    {
  "errors": [
    "Bad Request"
  ]
}

    Code Example

                              # Path parameters
    export signal_id="CHANGE_ME"
    # Curl command
    curl -X PATCH "https://api.ap1.datadoghq.com"https://api.ap2.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/signals/${signal_id}/assignee" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "data": {
    "attributes": {
      "assignee": {
        "uuid": ""
      }
    }
  }
}
EOF
    
                        
    // Modify the triage assignee of a security signal returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	body := datadogV2.SecurityMonitoringSignalAssigneeUpdateRequest{
		Data: datadogV2.SecurityMonitoringSignalAssigneeUpdateData{
			Attributes: datadogV2.SecurityMonitoringSignalAssigneeUpdateAttributes{
				Assignee: datadogV2.SecurityMonitoringTriageUser{
					Uuid: "",
				},
			},
		},
	}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.EditSecurityMonitoringSignalAssignee(ctx, "AQAAAYG1bl5K4HuUewAAAABBWUcxYmw1S0FBQmt2RmhRN0V4ZUVnQUE", body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.EditSecurityMonitoringSignalAssignee`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.EditSecurityMonitoringSignalAssignee`:\n%s\n", responseContent)
}

    Instructions

    First install the library and its dependencies and then save the example to main.go and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" go run "main.go"
    // Modify the triage assignee of a security signal returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityMonitoringSignalAssigneeUpdateAttributes;
import com.datadog.api.client.v2.model.SecurityMonitoringSignalAssigneeUpdateData;
import com.datadog.api.client.v2.model.SecurityMonitoringSignalAssigneeUpdateRequest;
import com.datadog.api.client.v2.model.SecurityMonitoringSignalTriageUpdateResponse;
import com.datadog.api.client.v2.model.SecurityMonitoringTriageUser;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    SecurityMonitoringSignalAssigneeUpdateRequest body =
        new SecurityMonitoringSignalAssigneeUpdateRequest()
            .data(
                new SecurityMonitoringSignalAssigneeUpdateData()
                    .attributes(
                        new SecurityMonitoringSignalAssigneeUpdateAttributes()
                            .assignee(new SecurityMonitoringTriageUser().uuid(""))));

    try {
      SecurityMonitoringSignalTriageUpdateResponse result =
          apiInstance.editSecurityMonitoringSignalAssignee(
              "AQAAAYG1bl5K4HuUewAAAABBWUcxYmw1S0FBQmt2RmhRN0V4ZUVnQUE", body);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#editSecurityMonitoringSignalAssignee");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

    Instructions

    First install the library and its dependencies and then save the example to Example.java and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" java "Example.java"
    """
Modify the triage assignee of a security signal returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.security_monitoring_signal_assignee_update_attributes import (
    SecurityMonitoringSignalAssigneeUpdateAttributes,
)
from datadog_api_client.v2.model.security_monitoring_signal_assignee_update_data import (
    SecurityMonitoringSignalAssigneeUpdateData,
)
from datadog_api_client.v2.model.security_monitoring_signal_assignee_update_request import (
    SecurityMonitoringSignalAssigneeUpdateRequest,
)
from datadog_api_client.v2.model.security_monitoring_triage_user import SecurityMonitoringTriageUser

body = SecurityMonitoringSignalAssigneeUpdateRequest(
    data=SecurityMonitoringSignalAssigneeUpdateData(
        attributes=SecurityMonitoringSignalAssigneeUpdateAttributes(
            assignee=SecurityMonitoringTriageUser(
                uuid="",
            ),
        ),
    ),
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.edit_security_monitoring_signal_assignee(
        signal_id="AQAAAYG1bl5K4HuUewAAAABBWUcxYmw1S0FBQmt2RmhRN0V4ZUVnQUE", body=body
    )

    print(response)

    Instructions

    First install the library and its dependencies and then save the example to example.py and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" python3 "example.py"
    # Modify the triage assignee of a security signal returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

body = DatadogAPIClient::V2::SecurityMonitoringSignalAssigneeUpdateRequest.new({
  data: DatadogAPIClient::V2::SecurityMonitoringSignalAssigneeUpdateData.new({
    attributes: DatadogAPIClient::V2::SecurityMonitoringSignalAssigneeUpdateAttributes.new({
      assignee: DatadogAPIClient::V2::SecurityMonitoringTriageUser.new({
        uuid: "",
      }),
    }),
  }),
})
p api_instance.edit_security_monitoring_signal_assignee("AQAAAYG1bl5K4HuUewAAAABBWUcxYmw1S0FBQmt2RmhRN0V4ZUVnQUE", body)

    Instructions

    First install the library and its dependencies and then save the example to example.rb and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" rb "example.rb"
    // Modify the triage assignee of a security signal returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::SecurityMonitoringSignalAssigneeUpdateAttributes;
use datadog_api_client::datadogV2::model::SecurityMonitoringSignalAssigneeUpdateData;
use datadog_api_client::datadogV2::model::SecurityMonitoringSignalAssigneeUpdateRequest;
use datadog_api_client::datadogV2::model::SecurityMonitoringTriageUser;

#[tokio::main]
async fn main() {
    let body = SecurityMonitoringSignalAssigneeUpdateRequest::new(
        SecurityMonitoringSignalAssigneeUpdateData::new(
            SecurityMonitoringSignalAssigneeUpdateAttributes::new(
                SecurityMonitoringTriageUser::new("".to_string()),
            ),
        ),
    );
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api
        .edit_security_monitoring_signal_assignee(
            "AQAAAYG1bl5K4HuUewAAAABBWUcxYmw1S0FBQmt2RmhRN0V4ZUVnQUE".to_string(),
            body,
        )
        .await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}

    Instructions

    First install the library and its dependencies and then save the example to src/main.rs and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" cargo run
    /**
 * Modify the triage assignee of a security signal returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiEditSecurityMonitoringSignalAssigneeRequest =
  {
    body: {
      data: {
        attributes: {
          assignee: {
            uuid: "",
          },
        },
      },
    },
    signalId: "AQAAAYG1bl5K4HuUewAAAABBWUcxYmw1S0FBQmt2RmhRN0V4ZUVnQUE",
  };

apiInstance
  .editSecurityMonitoringSignalAssignee(params)
  .then((data: v2.SecurityMonitoringSignalTriageUpdateResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

    Instructions

    First install the library and its dependencies and then save the example to example.ts and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" tsc "example.ts"

    Update an existing rule

    PUT https://api.ap1.datadoghq.com/api/v2/security_monitoring/rules/{rule_id}https://api.ap2.datadoghq.com/api/v2/security_monitoring/rules/{rule_id}https://api.datadoghq.eu/api/v2/security_monitoring/rules/{rule_id}https://api.ddog-gov.com/api/v2/security_monitoring/rules/{rule_id}https://api.datadoghq.com/api/v2/security_monitoring/rules/{rule_id}https://api.us3.datadoghq.com/api/v2/security_monitoring/rules/{rule_id}https://api.us5.datadoghq.com/api/v2/security_monitoring/rules/{rule_id}

    Overview

    Update an existing rule. When updating cases, queries or options, the whole field must be included. For example, when modifying a query all queries must be included. Default rules can only be updated to be enabled, to change notifications, or to update the tags (default tags cannot be removed). This endpoint requires the security_monitoring_rules_write permission.

    OAuth apps require the security_monitoring_rules_write authorization scope to access this endpoint.

    Arguments

    Path Parameters

    Name

    Type

    Description

    rule_id [required]

    string

    The ID of the rule.

    Request

    Body Data (required)

    Expand All

    Field

    Type

    Description

    calculatedFields

    [object]

    Calculated fields. Only allowed for scheduled rules - in other words, when schedulingOptions is also defined.

    expression [required]

    string

    Expression.

    name [required]

    string

    Field name.

    cases

    [object]

    Cases for generating signals.

    actions

    [object]

    Action to perform for each rule case.

    options

    object

    Options for the rule action

    duration

    int64

    Duration of the action in seconds. 0 indicates no expiration.

    flaggedIPType

    enum

    Used with the case action of type 'flag_ip'. The value specified in this field is applied as a flag to the IP addresses. Allowed enum values: SUSPICIOUS,FLAGGED

    userBehaviorName

    string

    Used with the case action of type 'user_behavior'. The value specified in this field is applied as a risk tag to all users affected by the rule.

    type

    enum

    The action type. Allowed enum values: block_ip,block_user,user_behavior,flag_ip

    condition

    string

    A rule case contains logical operations (>,>=, &&, ||) to determine if a signal should be generated based on the event counts in the previously defined queries.

    customStatus

    enum

    Severity of the Security Signal. Allowed enum values: info,low,medium,high,critical

    name

    string

    Name of the case.

    notifications

    [string]

    Notification targets for each rule case.

    status

    enum

    Severity of the Security Signal. Allowed enum values: info,low,medium,high,critical

    complianceSignalOptions

    object

    How to generate compliance signals. Useful for cloud_configuration rules only.

    defaultActivationStatus

    boolean

    The default activation status.

    defaultGroupByFields

    [string]

    The default group by fields.

    userActivationStatus

    boolean

    Whether signals will be sent.

    userGroupByFields

    [string]

    Fields to use to group findings by when sending signals.

    customMessage

    string

    Custom/Overridden Message for generated signals (used in case of Default rule update).

    customName

    string

    Custom/Overridden name (used in case of Default rule update).

    filters

    [object]

    Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules.

    action

    enum

    The type of filtering action. Allowed enum values: require,suppress

    query

    string

    Query for selecting logs to apply the filtering action.

    groupSignalsBy

    [string]

    Additional grouping to perform on top of the existing groups in the query section. Must be a subset of the existing groups.

    hasExtendedTitle

    boolean

    Whether the notifications include the triggering group-by values in their title.

    isEnabled

    boolean

    Whether the rule is enabled.

    message

    string

    Message for generated signals.

    name

    string

    Name of the rule.

    options

    object

    Options.

    complianceRuleOptions

    object

    Options for cloud_configuration rules. Fields resourceType and regoRule are mandatory when managing custom cloud_configuration rules.

    complexRule

    boolean

    Whether the rule is a complex one. Must be set to true if regoRule.resourceTypes contains more than one item. Defaults to false.

    regoRule

    object

    Rule details.

    policy [required]

    string

    The policy written in rego, see: https://www.openpolicyagent.org/docs/latest/policy-language/

    resourceTypes [required]

    [string]

    List of resource types that will be evaluated upon. Must have at least one element.

    resourceType

    string

    Main resource type to be checked by the rule. It should be specified again in regoRule.resourceTypes.

    decreaseCriticalityBasedOnEnv

    boolean

    If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise. The severity is decreased by one level: CRITICAL in production becomes HIGH in non-production, HIGH becomes MEDIUM and so on. INFO remains INFO. The decrement is applied when the environment tag of the signal starts with staging, test or dev.

    detectionMethod

    enum

    The detection method. Allowed enum values: threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold,sequence_detection

    evaluationWindow

    enum

    A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400

    hardcodedEvaluatorType

    enum

    Hardcoded evaluator type. Allowed enum values: log4shell

    impossibleTravelOptions

    object

    Options on impossible travel detection method.

    baselineUserLocations

    boolean

    If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.

    keepAlive

    enum

    Once a signal is generated, the signal will remain "open" if a case is matched at least once within this keep alive window. For third party detection method, this field is not used. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400

    maxSignalDuration

    enum

    A signal will "close" regardless of the query being matched once the time exceeds the maximum duration. This time is calculated from the first seen timestamp. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400

    newValueOptions

    object

    Options on new value detection method.

    forgetAfter

    enum

    The duration in days after which a learned value is forgotten. Allowed enum values: 1,2,7,14,21,28

    learningDuration

    enum

    The duration in days during which values are learned, and after which signals will be generated for values that weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned. Allowed enum values: 0,1,7

    learningMethod

    enum

    The learning method used to determine when signals should be generated for values that weren't learned. Allowed enum values: duration,threshold

    default: duration

    learningThreshold

    enum

    A number of occurrences after which signals will be generated for values that weren't learned. Allowed enum values: 0,1

    sequenceDetectionOptions

    object

    Options on sequence detection method.

    stepTransitions

    [object]

    Transitions defining the allowed order of steps and their evaluation windows.

    child

    string

    Name of the child step.

    evaluationWindow

    enum

    A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400

    parent

    string

    Name of the parent step.

    steps

    [object]

    Steps that define the conditions to be matched in sequence.

    condition

    string

    Condition referencing rule queries (e.g., a > 0).

    evaluationWindow

    enum

    A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400

    name

    string

    Unique name identifying the step.

    thirdPartyRuleOptions

    object

    Options on third party detection method.

    defaultNotifications

    [string]

    Notification targets for the logs that do not correspond to any of the cases.

    defaultStatus

    enum

    Severity of the Security Signal. Allowed enum values: info,low,medium,high,critical

    rootQueries

    [object]

    Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.

    groupByFields

    [string]

    Fields to group by.

    query

    string

    Query to run on logs.

    signalTitleTemplate

    string

    A template for the signal title; if omitted, the title is generated based on the case name.

    queries

    [ <oneOf>]

    Queries for selecting logs which are part of the rule.

    Option 1

    object

    Query for matching rule.

    aggregation

    enum

    The aggregation type. Allowed enum values: count,cardinality,sum,max,new_value,geo_data,event_count,none

    customQueryExtension

    string

    Query extension to append to the logs query.

    dataSource

    enum

    Source of events, either logs, audit trail, or Datadog events. Allowed enum values: logs,audit,app_sec_spans,spans,security_runtime,network,events

    default: logs

    distinctFields

    [string]

    Field for which the cardinality is measured. Sent as an array.

    groupByFields

    [string]

    Fields to group by.

    hasOptionalGroupByFields

    boolean

    When false, events without a group-by value are ignored by the rule. When true, events with missing group-by fields are processed with N/A, replacing the missing values.

    index

    string

    This field is currently unstable and might be removed in a minor version upgrade. The index to run the query on, if the dataSource is logs. Only used for scheduled rules - in other words, when the schedulingOptions field is present in the rule payload.

    indexes

    [string]

    List of indexes to query when the dataSource is logs. Only used for scheduled rules, such as when the schedulingOptions field is present in the rule payload.

    metric

    string

    DEPRECATED: (Deprecated) The target field to aggregate over when using the sum or max aggregations. metrics field should be used instead.

    metrics

    [string]

    Group of target fields to aggregate over when using the sum, max, geo data, or new value aggregations. The sum, max, and geo data aggregations only accept one value in this list, whereas the new value aggregation accepts up to five values.

    name

    string

    Name of the query.

    query

    string

    Query to run on logs.

    Option 2

    object

    Query for matching rule on signals.

    aggregation

    enum

    The aggregation type. Allowed enum values: count,cardinality,sum,max,new_value,geo_data,event_count,none

    correlatedByFields

    [string]

    Fields to group by.

    correlatedQueryIndex

    int32

    Index of the rule query used to retrieve the correlated field.

    metrics

    [string]

    Group of target fields to aggregate over.

    name

    string

    Name of the query.

    ruleId [required]

    string

    Rule ID to match on signals.

    referenceTables

    [object]

    Reference tables for the rule.

    checkPresence

    boolean

    Whether to include or exclude the matched values.

    columnName

    string

    The name of the column in the reference table.

    logFieldPath

    string

    The field in the log to match against the reference table.

    ruleQueryName

    string

    The name of the query to apply the reference table to.

    tableName

    string

    The name of the reference table.

    schedulingOptions

    object

    Options for scheduled rules. When this field is present, the rule runs based on the schedule. When absent, it runs real-time on ingested logs.

    rrule

    string

    Schedule for the rule queries, written in RRULE syntax. See RFC for syntax reference.

    start

    string

    Start date for the schedule, in ISO 8601 format without timezone.

    timezone

    string

    Time zone of the start date, in the tz database format.

    tags

    [string]

    Tags for generated signals.

    thirdPartyCases

    [object]

    Cases for generating signals from third-party rules. Only available for third-party rules.

    customStatus

    enum

    Severity of the Security Signal. Allowed enum values: info,low,medium,high,critical

    name

    string

    Name of the case.

    notifications

    [string]

    Notification targets for each rule case.

    query

    string

    A query to map a third party event to this case.

    status

    enum

    Severity of the Security Signal. Allowed enum values: info,low,medium,high,critical

    version

    int32

    The version of the rule being updated.

    {
  "name": "Example-Security-Monitoring_cloud_updated",
  "isEnabled": false,
  "cases": [
    {
      "status": "info",
      "notifications": []
    }
  ],
  "options": {
    "complianceRuleOptions": {
      "resourceType": "gcp_compute_disk",
      "regoRule": {
        "policy": "package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nmilliseconds_in_a_day := ((1000 * 60) * 60) * 24\n\neval(iam_service_account_key) = \"skip\" if {\n\tiam_service_account_key.disabled\n} else = \"pass\" if {\n\t(iam_service_account_key.resource_seen_at / milliseconds_in_a_day) - (iam_service_account_key.valid_after_time / milliseconds_in_a_day) <= 90\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n",
        "resourceTypes": [
          "gcp_compute_disk"
        ]
      }
    }
  },
  "message": "ddd",
  "tags": [],
  "complianceSignalOptions": {
    "userActivationStatus": false,
    "userGroupByFields": []
  }
}
    {
  "name": "Example-Security-Monitoring-Updated",
  "queries": [
    {
      "query": "@test:true",
      "aggregation": "count",
      "groupByFields": [],
      "distinctFields": [],
      "metrics": []
    }
  ],
  "filters": [],
  "cases": [
    {
      "name": "",
      "status": "info",
      "condition": "a > 0",
      "notifications": []
    }
  ],
  "options": {
    "evaluationWindow": 900,
    "keepAlive": 3600,
    "maxSignalDuration": 86400
  },
  "message": "Test rule",
  "tags": [],
  "isEnabled": true
}

    Response

    OK

    Create a new rule.

    Expand All

    Field

    Type

    Description

    Option 1

    object

    Rule.

    calculatedFields

    [object]

    Calculated fields. Only allowed for scheduled rules - in other words, when schedulingOptions is also defined.

    expression [required]

    string

    Expression.

    name [required]

    string

    Field name.

    cases

    [object]

    Cases for generating signals.

    actions

    [object]

    Action to perform for each rule case.

    options

    object

    Options for the rule action

    duration

    int64

    Duration of the action in seconds. 0 indicates no expiration.

    flaggedIPType

    enum

    Used with the case action of type 'flag_ip'. The value specified in this field is applied as a flag to the IP addresses. Allowed enum values: SUSPICIOUS,FLAGGED

    userBehaviorName

    string

    Used with the case action of type 'user_behavior'. The value specified in this field is applied as a risk tag to all users affected by the rule.

    type

    enum

    The action type. Allowed enum values: block_ip,block_user,user_behavior,flag_ip

    condition

    string

    A rule case contains logical operations (>,>=, &&, ||) to determine if a signal should be generated based on the event counts in the previously defined queries.

    customStatus

    enum

    Severity of the Security Signal. Allowed enum values: info,low,medium,high,critical

    name

    string

    Name of the case.

    notifications

    [string]

    Notification targets for each rule case.

    status

    enum

    Severity of the Security Signal. Allowed enum values: info,low,medium,high,critical

    complianceSignalOptions

    object

    How to generate compliance signals. Useful for cloud_configuration rules only.

    defaultActivationStatus

    boolean

    The default activation status.

    defaultGroupByFields

    [string]

    The default group by fields.

    userActivationStatus

    boolean

    Whether signals will be sent.

    userGroupByFields

    [string]

    Fields to use to group findings by when sending signals.

    createdAt

    int64

    When the rule was created, timestamp in milliseconds.

    creationAuthorId

    int64

    User ID of the user who created the rule.

    customMessage

    string

    Custom/Overridden message for generated signals (used in case of Default rule update).

    customName

    string

    Custom/Overridden name of the rule (used in case of Default rule update).

    defaultTags

    [string]

    Default Tags for default rules (included in tags)

    deprecationDate

    int64

    When the rule will be deprecated, timestamp in milliseconds.

    filters

    [object]

    Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules.

    action

    enum

    The type of filtering action. Allowed enum values: require,suppress

    query

    string

    Query for selecting logs to apply the filtering action.

    groupSignalsBy

    [string]

    Additional grouping to perform on top of the existing groups in the query section. Must be a subset of the existing groups.

    hasExtendedTitle

    boolean

    Whether the notifications include the triggering group-by values in their title.

    id

    string

    The ID of the rule.

    isDefault

    boolean

    Whether the rule is included by default.

    isDeleted

    boolean

    Whether the rule has been deleted.

    isEnabled

    boolean

    Whether the rule is enabled.

    message

    string

    Message for generated signals.

    name

    string

    The name of the rule.

    options

    object

    Options.

    complianceRuleOptions

    object

    Options for cloud_configuration rules. Fields resourceType and regoRule are mandatory when managing custom cloud_configuration rules.

    complexRule

    boolean

    Whether the rule is a complex one. Must be set to true if regoRule.resourceTypes contains more than one item. Defaults to false.

    regoRule

    object

    Rule details.

    policy [required]

    string

    The policy written in rego, see: https://www.openpolicyagent.org/docs/latest/policy-language/

    resourceTypes [required]

    [string]

    List of resource types that will be evaluated upon. Must have at least one element.

    resourceType

    string

    Main resource type to be checked by the rule. It should be specified again in regoRule.resourceTypes.

    decreaseCriticalityBasedOnEnv

    boolean

    If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise. The severity is decreased by one level: CRITICAL in production becomes HIGH in non-production, HIGH becomes MEDIUM and so on. INFO remains INFO. The decrement is applied when the environment tag of the signal starts with staging, test or dev.

    detectionMethod

    enum

    The detection method. Allowed enum values: threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold,sequence_detection

    evaluationWindow

    enum

    A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400

    hardcodedEvaluatorType

    enum

    Hardcoded evaluator type. Allowed enum values: log4shell

    impossibleTravelOptions

    object

    Options on impossible travel detection method.

    baselineUserLocations

    boolean

    If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.

    keepAlive

    enum

    Once a signal is generated, the signal will remain "open" if a case is matched at least once within this keep alive window. For third party detection method, this field is not used. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400

    maxSignalDuration

    enum

    A signal will "close" regardless of the query being matched once the time exceeds the maximum duration. This time is calculated from the first seen timestamp. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400

    newValueOptions

    object

    Options on new value detection method.

    forgetAfter

    enum

    The duration in days after which a learned value is forgotten. Allowed enum values: 1,2,7,14,21,28

    learningDuration

    enum

    The duration in days during which values are learned, and after which signals will be generated for values that weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned. Allowed enum values: 0,1,7

    learningMethod

    enum

    The learning method used to determine when signals should be generated for values that weren't learned. Allowed enum values: duration,threshold

    default: duration

    learningThreshold

    enum

    A number of occurrences after which signals will be generated for values that weren't learned. Allowed enum values: 0,1

    sequenceDetectionOptions

    object

    Options on sequence detection method.

    stepTransitions

    [object]

    Transitions defining the allowed order of steps and their evaluation windows.

    child

    string

    Name of the child step.

    evaluationWindow

    enum

    A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400

    parent

    string

    Name of the parent step.

    steps

    [object]

    Steps that define the conditions to be matched in sequence.

    condition

    string

    Condition referencing rule queries (e.g., a > 0).

    evaluationWindow

    enum

    A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400

    name

    string

    Unique name identifying the step.

    thirdPartyRuleOptions

    object

    Options on third party detection method.

    defaultNotifications

    [string]

    Notification targets for the logs that do not correspond to any of the cases.

    defaultStatus

    enum

    Severity of the Security Signal. Allowed enum values: info,low,medium,high,critical

    rootQueries

    [object]

    Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.

    groupByFields

    [string]

    Fields to group by.

    query

    string

    Query to run on logs.

    signalTitleTemplate

    string

    A template for the signal title; if omitted, the title is generated based on the case name.

    queries

    [object]

    Queries for selecting logs which are part of the rule.

    aggregation

    enum

    The aggregation type. Allowed enum values: count,cardinality,sum,max,new_value,geo_data,event_count,none

    customQueryExtension

    string

    Query extension to append to the logs query.

    dataSource

    enum

    Source of events, either logs, audit trail, or Datadog events. Allowed enum values: logs,audit,app_sec_spans,spans,security_runtime,network,events

    default: logs

    distinctFields

    [string]

    Field for which the cardinality is measured. Sent as an array.

    groupByFields

    [string]

    Fields to group by.

    hasOptionalGroupByFields

    boolean

    When false, events without a group-by value are ignored by the rule. When true, events with missing group-by fields are processed with N/A, replacing the missing values.

    index

    string

    This field is currently unstable and might be removed in a minor version upgrade. The index to run the query on, if the dataSource is logs. Only used for scheduled rules - in other words, when the schedulingOptions field is present in the rule payload.

    indexes

    [string]

    List of indexes to query when the dataSource is logs. Only used for scheduled rules, such as when the schedulingOptions field is present in the rule payload.

    metric

    string

    DEPRECATED: (Deprecated) The target field to aggregate over when using the sum or max aggregations. metrics field should be used instead.

    metrics

    [string]

    Group of target fields to aggregate over when using the sum, max, geo data, or new value aggregations. The sum, max, and geo data aggregations only accept one value in this list, whereas the new value aggregation accepts up to five values.

    name

    string

    Name of the query.

    query

    string

    Query to run on logs.

    referenceTables

    [object]

    Reference tables for the rule.

    checkPresence

    boolean

    Whether to include or exclude the matched values.

    columnName

    string

    The name of the column in the reference table.

    logFieldPath

    string

    The field in the log to match against the reference table.

    ruleQueryName

    string

    The name of the query to apply the reference table to.

    tableName

    string

    The name of the reference table.

    schedulingOptions

    object

    Options for scheduled rules. When this field is present, the rule runs based on the schedule. When absent, it runs real-time on ingested logs.

    rrule

    string

    Schedule for the rule queries, written in RRULE syntax. See RFC for syntax reference.

    start

    string

    Start date for the schedule, in ISO 8601 format without timezone.

    timezone

    string

    Time zone of the start date, in the tz database format.

    tags

    [string]

    Tags for generated signals.

    thirdPartyCases

    [object]

    Cases for generating signals from third-party rules. Only available for third-party rules.

    customStatus

    enum

    Severity of the Security Signal. Allowed enum values: info,low,medium,high,critical

    name

    string

    Name of the case.

    notifications

    [string]

    Notification targets for each rule case.

    query

    string

    A query to map a third party event to this case.

    status

    enum

    Severity of the Security Signal. Allowed enum values: info,low,medium,high,critical

    type

    enum

    The rule type. Allowed enum values: log_detection,infrastructure_configuration,workload_security,cloud_configuration,application_security,api_security

    updateAuthorId

    int64

    User ID of the user who updated the rule.

    updatedAt

    int64

    The date the rule was last updated, in milliseconds.

    version

    int64

    The version of the rule.

    Option 2

    object

    Rule.

    cases

    [object]

    Cases for generating signals.

    actions

    [object]

    Action to perform for each rule case.

    options

    object

    Options for the rule action

    duration

    int64

    Duration of the action in seconds. 0 indicates no expiration.

    flaggedIPType

    enum

    Used with the case action of type 'flag_ip'. The value specified in this field is applied as a flag to the IP addresses. Allowed enum values: SUSPICIOUS,FLAGGED

    userBehaviorName

    string

    Used with the case action of type 'user_behavior'. The value specified in this field is applied as a risk tag to all users affected by the rule.

    type

    enum

    The action type. Allowed enum values: block_ip,block_user,user_behavior,flag_ip

    condition

    string

    A rule case contains logical operations (>,>=, &&, ||) to determine if a signal should be generated based on the event counts in the previously defined queries.

    customStatus

    enum

    Severity of the Security Signal. Allowed enum values: info,low,medium,high,critical

    name

    string

    Name of the case.

    notifications

    [string]

    Notification targets for each rule case.

    status

    enum

    Severity of the Security Signal. Allowed enum values: info,low,medium,high,critical

    createdAt

    int64

    When the rule was created, timestamp in milliseconds.

    creationAuthorId

    int64

    User ID of the user who created the rule.

    customMessage

    string

    Custom/Overridden message for generated signals (used in case of Default rule update).

    customName

    string

    Custom/Overridden name of the rule (used in case of Default rule update).

    deprecationDate

    int64

    When the rule will be deprecated, timestamp in milliseconds.

    filters

    [object]

    Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules.

    action

    enum

    The type of filtering action. Allowed enum values: require,suppress

    query

    string

    Query for selecting logs to apply the filtering action.

    hasExtendedTitle

    boolean

    Whether the notifications include the triggering group-by values in their title.

    id

    string

    The ID of the rule.

    isDefault

    boolean

    Whether the rule is included by default.

    isDeleted

    boolean

    Whether the rule has been deleted.

    isEnabled

    boolean

    Whether the rule is enabled.

    message

    string

    Message for generated signals.

    name

    string

    The name of the rule.

    options

    object

    Options.

    complianceRuleOptions

    object

    Options for cloud_configuration rules. Fields resourceType and regoRule are mandatory when managing custom cloud_configuration rules.

    complexRule

    boolean

    Whether the rule is a complex one. Must be set to true if regoRule.resourceTypes contains more than one item. Defaults to false.

    regoRule

    object

    Rule details.

    policy [required]

    string

    The policy written in rego, see: https://www.openpolicyagent.org/docs/latest/policy-language/

    resourceTypes [required]

    [string]

    List of resource types that will be evaluated upon. Must have at least one element.

    resourceType

    string

    Main resource type to be checked by the rule. It should be specified again in regoRule.resourceTypes.

    decreaseCriticalityBasedOnEnv

    boolean

    If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise. The severity is decreased by one level: CRITICAL in production becomes HIGH in non-production, HIGH becomes MEDIUM and so on. INFO remains INFO. The decrement is applied when the environment tag of the signal starts with staging, test or dev.

    detectionMethod

    enum

    The detection method. Allowed enum values: threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold,sequence_detection

    evaluationWindow

    enum

    A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400

    hardcodedEvaluatorType

    enum

    Hardcoded evaluator type. Allowed enum values: log4shell

    impossibleTravelOptions

    object

    Options on impossible travel detection method.

    baselineUserLocations

    boolean

    If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.

    keepAlive

    enum

    Once a signal is generated, the signal will remain "open" if a case is matched at least once within this keep alive window. For third party detection method, this field is not used. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400

    maxSignalDuration

    enum

    A signal will "close" regardless of the query being matched once the time exceeds the maximum duration. This time is calculated from the first seen timestamp. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400

    newValueOptions

    object

    Options on new value detection method.

    forgetAfter

    enum

    The duration in days after which a learned value is forgotten. Allowed enum values: 1,2,7,14,21,28

    learningDuration

    enum

    The duration in days during which values are learned, and after which signals will be generated for values that weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned. Allowed enum values: 0,1,7

    learningMethod

    enum

    The learning method used to determine when signals should be generated for values that weren't learned. Allowed enum values: duration,threshold

    default: duration

    learningThreshold

    enum

    A number of occurrences after which signals will be generated for values that weren't learned. Allowed enum values: 0,1

    sequenceDetectionOptions

    object

    Options on sequence detection method.

    stepTransitions

    [object]

    Transitions defining the allowed order of steps and their evaluation windows.

    child

    string

    Name of the child step.

    evaluationWindow

    enum

    A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400

    parent

    string

    Name of the parent step.

    steps

    [object]

    Steps that define the conditions to be matched in sequence.

    condition

    string

    Condition referencing rule queries (e.g., a > 0).

    evaluationWindow

    enum

    A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400

    name

    string

    Unique name identifying the step.

    thirdPartyRuleOptions

    object

    Options on third party detection method.

    defaultNotifications

    [string]

    Notification targets for the logs that do not correspond to any of the cases.

    defaultStatus

    enum

    Severity of the Security Signal. Allowed enum values: info,low,medium,high,critical

    rootQueries

    [object]

    Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.

    groupByFields

    [string]

    Fields to group by.

    query

    string

    Query to run on logs.

    signalTitleTemplate

    string

    A template for the signal title; if omitted, the title is generated based on the case name.

    queries

    [object]

    Queries for selecting logs which are part of the rule.

    aggregation

    enum

    The aggregation type. Allowed enum values: count,cardinality,sum,max,new_value,geo_data,event_count,none

    correlatedByFields

    [string]

    Fields to correlate by.

    correlatedQueryIndex

    int32

    Index of the rule query used to retrieve the correlated field.

    defaultRuleId

    string

    Default Rule ID to match on signals.

    distinctFields

    [string]

    Field for which the cardinality is measured. Sent as an array.

    groupByFields

    [string]

    Fields to group by.

    metrics

    [string]

    Group of target fields to aggregate over.

    name

    string

    Name of the query.

    ruleId

    string

    Rule ID to match on signals.

    tags

    [string]

    Tags for generated signals.

    type

    enum

    The rule type. Allowed enum values: signal_correlation

    updateAuthorId

    int64

    User ID of the user who updated the rule.

    version

    int64

    The version of the rule.

    {
  "calculatedFields": [
    {
      "expression": "@request_end_timestamp - @request_start_timestamp",
      "name": "response_time"
    }
  ],
  "cases": [
    {
      "actions": [
        {
          "options": {
            "duration": 0,
            "flaggedIPType": "FLAGGED",
            "userBehaviorName": "string"
          },
          "type": "string"
        }
      ],
      "condition": "string",
      "customStatus": "critical",
      "name": "string",
      "notifications": [],
      "status": "critical"
    }
  ],
  "complianceSignalOptions": {
    "defaultActivationStatus": false,
    "defaultGroupByFields": [],
    "userActivationStatus": false,
    "userGroupByFields": []
  },
  "createdAt": "integer",
  "creationAuthorId": "integer",
  "customMessage": "string",
  "customName": "string",
  "defaultTags": [
    "security:attacks"
  ],
  "deprecationDate": "integer",
  "filters": [
    {
      "action": "string",
      "query": "string"
    }
  ],
  "groupSignalsBy": [
    "service"
  ],
  "hasExtendedTitle": false,
  "id": "string",
  "isDefault": false,
  "isDeleted": false,
  "isEnabled": false,
  "message": "string",
  "name": "string",
  "options": {
    "complianceRuleOptions": {
      "complexRule": false,
      "regoRule": {
        "policy": "package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(resource) = \"skip\" if {\n  # Logic that evaluates to true if the resource should be skipped\n  true\n} else = \"pass\" {\n  # Logic that evaluates to true if the resource is compliant\n  true\n} else = \"fail\" {\n  # Logic that evaluates to true if the resource is not compliant\n  true\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n  some resource in input.resources[input.main_resource_type]\n  result := dd_output.format(resource, eval(resource))\n}",
        "resourceTypes": [
          "gcp_iam_service_account",
          "gcp_iam_policy"
        ]
      },
      "resourceType": "aws_acm"
    },
    "decreaseCriticalityBasedOnEnv": false,
    "detectionMethod": "string",
    "evaluationWindow": "integer",
    "hardcodedEvaluatorType": "string",
    "impossibleTravelOptions": {
      "baselineUserLocations": true
    },
    "keepAlive": "integer",
    "maxSignalDuration": "integer",
    "newValueOptions": {
      "forgetAfter": "integer",
      "learningDuration": "integer",
      "learningMethod": "string",
      "learningThreshold": "integer"
    },
    "sequenceDetectionOptions": {
      "stepTransitions": [
        {
          "child": "string",
          "evaluationWindow": "integer",
          "parent": "string"
        }
      ],
      "steps": [
        {
          "condition": "string",
          "evaluationWindow": "integer",
          "name": "string"
        }
      ]
    },
    "thirdPartyRuleOptions": {
      "defaultNotifications": [],
      "defaultStatus": "critical",
      "rootQueries": [
        {
          "groupByFields": [],
          "query": "source:cloudtrail"
        }
      ],
      "signalTitleTemplate": "string"
    }
  },
  "queries": [
    {
      "aggregation": "string",
      "customQueryExtension": "a > 3",
      "dataSource": "logs",
      "distinctFields": [],
      "groupByFields": [],
      "hasOptionalGroupByFields": false,
      "index": "string",
      "indexes": [],
      "metric": "string",
      "metrics": [],
      "name": "string",
      "query": "a > 3"
    }
  ],
  "referenceTables": [
    {
      "checkPresence": false,
      "columnName": "string",
      "logFieldPath": "string",
      "ruleQueryName": "string",
      "tableName": "string"
    }
  ],
  "schedulingOptions": {
    "rrule": "FREQ=HOURLY;INTERVAL=1;",
    "start": "2025-07-14T12:00:00",
    "timezone": "America/New_York"
  },
  "tags": [],
  "thirdPartyCases": [
    {
      "customStatus": "critical",
      "name": "string",
      "notifications": [],
      "query": "string",
      "status": "critical"
    }
  ],
  "type": "string",
  "updateAuthorId": "integer",
  "updatedAt": "integer",
  "version": "integer"
}

    Bad Request

    API error response.

    Expand All

    Field

    Type

    Description

    errors [required]

    [string]

    A list of errors.

    {
  "errors": [
    "Bad Request"
  ]
}

    Concurrent Modification

    API error response.

    Expand All

    Field

    Type

    Description

    errors [required]

    [string]

    A list of errors.

    {
  "errors": [
    "Bad Request"
  ]
}

    Not Authorized

    API error response.

    Expand All

    Field

    Type

    Description

    errors [required]

    [string]

    A list of errors.

    {
  "errors": [
    "Bad Request"
  ]
}

    Not Found

    API error response.

    Expand All

    Field

    Type

    Description

    errors [required]

    [string]

    A list of errors.

    {
  "errors": [
    "Bad Request"
  ]
}

    Too many requests

    API error response.

    Expand All

    Field

    Type

    Description

    errors [required]

    [string]

    A list of errors.

    {
  "errors": [
    "Bad Request"
  ]
}

    Code Example

                              # Path parameters
    export rule_id="CHANGE_ME"
    # Curl command
    curl -X PUT "https://api.ap1.datadoghq.com"https://api.ap2.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/rules/${rule_id}" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "name": "Example-Security-Monitoring_cloud_updated",
  "isEnabled": false,
  "cases": [
    {
      "status": "info",
      "notifications": []
    }
  ],
  "options": {
    "complianceRuleOptions": {
      "resourceType": "gcp_compute_disk",
      "regoRule": {
        "policy": "package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nmilliseconds_in_a_day := ((1000 * 60) * 60) * 24\n\neval(iam_service_account_key) = \"skip\" if {\n\tiam_service_account_key.disabled\n} else = \"pass\" if {\n\t(iam_service_account_key.resource_seen_at / milliseconds_in_a_day) - (iam_service_account_key.valid_after_time / milliseconds_in_a_day) <= 90\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n",
        "resourceTypes": [
          "gcp_compute_disk"
        ]
      }
    }
  },
  "message": "ddd",
  "tags": [],
  "complianceSignalOptions": {
    "userActivationStatus": false,
    "userGroupByFields": []
  }
}
EOF
    
                        
                              # Path parameters
    export rule_id="CHANGE_ME"
    # Curl command
    curl -X PUT "https://api.ap1.datadoghq.com"https://api.ap2.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/rules/${rule_id}" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "name": "Example-Security-Monitoring-Updated",
  "queries": [
    {
      "query": "@test:true",
      "aggregation": "count",
      "groupByFields": [],
      "distinctFields": [],
      "metrics": []
    }
  ],
  "filters": [],
  "cases": [
    {
      "name": "",
      "status": "info",
      "condition": "a > 0",
      "notifications": []
    }
  ],
  "options": {
    "evaluationWindow": 900,
    "keepAlive": 3600,
    "maxSignalDuration": 86400
  },
  "message": "Test rule",
  "tags": [],
  "isEnabled": true
}
EOF
    
                        
    // Update a cloud configuration rule's details returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	// there is a valid "cloud_configuration_rule" in the system
	CloudConfigurationRuleID := os.Getenv("CLOUD_CONFIGURATION_RULE_ID")

	body := datadogV2.SecurityMonitoringRuleUpdatePayload{
		Name:      datadog.PtrString("Example-Security-Monitoring_cloud_updated"),
		IsEnabled: datadog.PtrBool(false),
		Cases: []datadogV2.SecurityMonitoringRuleCase{
			{
				Status:        datadogV2.SECURITYMONITORINGRULESEVERITY_INFO.Ptr(),
				Notifications: []string{},
			},
		},
		Options: &datadogV2.SecurityMonitoringRuleOptions{
			ComplianceRuleOptions: &datadogV2.CloudConfigurationComplianceRuleOptions{
				ResourceType: datadog.PtrString("gcp_compute_disk"),
				RegoRule: &datadogV2.CloudConfigurationRegoRule{
					Policy: `package datadog

import data.datadog.output as dd_output

import future.keywords.contains
import future.keywords.if
import future.keywords.in

milliseconds_in_a_day := ((1000 * 60) * 60) * 24

eval(iam_service_account_key) = "skip" if {
	iam_service_account_key.disabled
} else = "pass" if {
	(iam_service_account_key.resource_seen_at / milliseconds_in_a_day) - (iam_service_account_key.valid_after_time / milliseconds_in_a_day) <= 90
} else = "fail"

# This part remains unchanged for all rules
results contains result if {
	some resource in input.resources[input.main_resource_type]
	result := dd_output.format(resource, eval(resource))
}
`,
					ResourceTypes: []string{
						"gcp_compute_disk",
					},
				},
			},
		},
		Message: datadog.PtrString("ddd"),
		Tags:    []string{},
		ComplianceSignalOptions: &datadogV2.CloudConfigurationRuleComplianceSignalOptions{
			UserActivationStatus: *datadog.NewNullableBool(datadog.PtrBool(false)),
			UserGroupByFields:    *datadog.NewNullableList(&[]string{}),
		},
	}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.UpdateSecurityMonitoringRule(ctx, CloudConfigurationRuleID, body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.UpdateSecurityMonitoringRule`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.UpdateSecurityMonitoringRule`:\n%s\n", responseContent)
}

    // Update an existing rule returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	// there is a valid "security_rule" in the system
	SecurityRuleID := os.Getenv("SECURITY_RULE_ID")

	body := datadogV2.SecurityMonitoringRuleUpdatePayload{
		Name: datadog.PtrString("Example-Security-Monitoring-Updated"),
		Queries: []datadogV2.SecurityMonitoringRuleQuery{
			datadogV2.SecurityMonitoringRuleQuery{
				SecurityMonitoringStandardRuleQuery: &datadogV2.SecurityMonitoringStandardRuleQuery{
					Query:          datadog.PtrString("@test:true"),
					Aggregation:    datadogV2.SECURITYMONITORINGRULEQUERYAGGREGATION_COUNT.Ptr(),
					GroupByFields:  []string{},
					DistinctFields: []string{},
					Metrics:        []string{},
				}},
		},
		Filters: []datadogV2.SecurityMonitoringFilter{},
		Cases: []datadogV2.SecurityMonitoringRuleCase{
			{
				Name:          datadog.PtrString(""),
				Status:        datadogV2.SECURITYMONITORINGRULESEVERITY_INFO.Ptr(),
				Condition:     datadog.PtrString("a > 0"),
				Notifications: []string{},
			},
		},
		Options: &datadogV2.SecurityMonitoringRuleOptions{
			EvaluationWindow:  datadogV2.SECURITYMONITORINGRULEEVALUATIONWINDOW_FIFTEEN_MINUTES.Ptr(),
			KeepAlive:         datadogV2.SECURITYMONITORINGRULEKEEPALIVE_ONE_HOUR.Ptr(),
			MaxSignalDuration: datadogV2.SECURITYMONITORINGRULEMAXSIGNALDURATION_ONE_DAY.Ptr(),
		},
		Message:   datadog.PtrString("Test rule"),
		Tags:      []string{},
		IsEnabled: datadog.PtrBool(true),
	}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.UpdateSecurityMonitoringRule(ctx, SecurityRuleID, body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.UpdateSecurityMonitoringRule`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.UpdateSecurityMonitoringRule`:\n%s\n", responseContent)
}

    Instructions

    First install the library and its dependencies and then save the example to main.go and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
    // Update a cloud configuration rule's details returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.CloudConfigurationComplianceRuleOptions;
import com.datadog.api.client.v2.model.CloudConfigurationRegoRule;
import com.datadog.api.client.v2.model.CloudConfigurationRuleComplianceSignalOptions;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleCase;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleOptions;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleResponse;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleSeverity;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleUpdatePayload;
import java.util.Collections;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    // there is a valid "cloud_configuration_rule" in the system
    String CLOUD_CONFIGURATION_RULE_ID = System.getenv("CLOUD_CONFIGURATION_RULE_ID");

    SecurityMonitoringRuleUpdatePayload body =
        new SecurityMonitoringRuleUpdatePayload()
            .name("Example-Security-Monitoring_cloud_updated")
            .isEnabled(false)
            .cases(
                Collections.singletonList(
                    new SecurityMonitoringRuleCase().status(SecurityMonitoringRuleSeverity.INFO)))
            .options(
                new SecurityMonitoringRuleOptions()
                    .complianceRuleOptions(
                        new CloudConfigurationComplianceRuleOptions()
                            .resourceType("gcp_compute_disk")
                            .regoRule(
                                new CloudConfigurationRegoRule()
                                    .policy(
                                        """
package datadog

import data.datadog.output as dd_output

import future.keywords.contains
import future.keywords.if
import future.keywords.in

milliseconds_in_a_day := ((1000 * 60) * 60) * 24

eval(iam_service_account_key) = "skip" if {
	iam_service_account_key.disabled
} else = "pass" if {
	(iam_service_account_key.resource_seen_at / milliseconds_in_a_day) - (iam_service_account_key.valid_after_time / milliseconds_in_a_day) <= 90
} else = "fail"

# This part remains unchanged for all rules
results contains result if {
	some resource in input.resources[input.main_resource_type]
	result := dd_output.format(resource, eval(resource))
}

""")
                                    .resourceTypes(Collections.singletonList("gcp_compute_disk")))))
            .message("ddd")
            .complianceSignalOptions(
                new CloudConfigurationRuleComplianceSignalOptions().userActivationStatus(false));

    try {
      SecurityMonitoringRuleResponse result =
          apiInstance.updateSecurityMonitoringRule(CLOUD_CONFIGURATION_RULE_ID, body);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#updateSecurityMonitoringRule");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

    // Update an existing rule returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleCase;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleEvaluationWindow;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleKeepAlive;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleMaxSignalDuration;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleOptions;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleQuery;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleQueryAggregation;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleResponse;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleSeverity;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleUpdatePayload;
import com.datadog.api.client.v2.model.SecurityMonitoringStandardRuleQuery;
import java.util.Collections;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    // there is a valid "security_rule" in the system
    String SECURITY_RULE_ID = System.getenv("SECURITY_RULE_ID");

    SecurityMonitoringRuleUpdatePayload body =
        new SecurityMonitoringRuleUpdatePayload()
            .name("Example-Security-Monitoring-Updated")
            .queries(
                Collections.singletonList(
                    new SecurityMonitoringRuleQuery(
                        new SecurityMonitoringStandardRuleQuery()
                            .query("@test:true")
                            .aggregation(SecurityMonitoringRuleQueryAggregation.COUNT))))
            .cases(
                Collections.singletonList(
                    new SecurityMonitoringRuleCase()
                        .name("")
                        .status(SecurityMonitoringRuleSeverity.INFO)
                        .condition("a > 0")))
            .options(
                new SecurityMonitoringRuleOptions()
                    .evaluationWindow(SecurityMonitoringRuleEvaluationWindow.FIFTEEN_MINUTES)
                    .keepAlive(SecurityMonitoringRuleKeepAlive.ONE_HOUR)
                    .maxSignalDuration(SecurityMonitoringRuleMaxSignalDuration.ONE_DAY))
            .message("Test rule")
            .isEnabled(true);

    try {
      SecurityMonitoringRuleResponse result =
          apiInstance.updateSecurityMonitoringRule(SECURITY_RULE_ID, body);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#updateSecurityMonitoringRule");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

    Instructions

    First install the library and its dependencies and then save the example to Example.java and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"
    """
Update a cloud configuration rule's details returns "OK" response
"""

from os import environ
from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.cloud_configuration_compliance_rule_options import (
    CloudConfigurationComplianceRuleOptions,
)
from datadog_api_client.v2.model.cloud_configuration_rego_rule import CloudConfigurationRegoRule
from datadog_api_client.v2.model.cloud_configuration_rule_compliance_signal_options import (
    CloudConfigurationRuleComplianceSignalOptions,
)
from datadog_api_client.v2.model.security_monitoring_rule_case import SecurityMonitoringRuleCase
from datadog_api_client.v2.model.security_monitoring_rule_options import SecurityMonitoringRuleOptions
from datadog_api_client.v2.model.security_monitoring_rule_severity import SecurityMonitoringRuleSeverity
from datadog_api_client.v2.model.security_monitoring_rule_update_payload import SecurityMonitoringRuleUpdatePayload

# there is a valid "cloud_configuration_rule" in the system
CLOUD_CONFIGURATION_RULE_ID = environ["CLOUD_CONFIGURATION_RULE_ID"]

body = SecurityMonitoringRuleUpdatePayload(
    name="Example-Security-Monitoring_cloud_updated",
    is_enabled=False,
    cases=[
        SecurityMonitoringRuleCase(
            status=SecurityMonitoringRuleSeverity.INFO,
            notifications=[],
        ),
    ],
    options=SecurityMonitoringRuleOptions(
        compliance_rule_options=CloudConfigurationComplianceRuleOptions(
            resource_type="gcp_compute_disk",
            rego_rule=CloudConfigurationRegoRule(
                policy='package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nmilliseconds_in_a_day := ((1000 * 60) * 60) * 24\n\neval(iam_service_account_key) = "skip" if {\n\tiam_service_account_key.disabled\n} else = "pass" if {\n\t(iam_service_account_key.resource_seen_at / milliseconds_in_a_day) - (iam_service_account_key.valid_after_time / milliseconds_in_a_day) <= 90\n} else = "fail"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n',
                resource_types=[
                    "gcp_compute_disk",
                ],
            ),
        ),
    ),
    message="ddd",
    tags=[],
    compliance_signal_options=CloudConfigurationRuleComplianceSignalOptions(
        user_activation_status=False,
        user_group_by_fields=[],
    ),
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.update_security_monitoring_rule(rule_id=CLOUD_CONFIGURATION_RULE_ID, body=body)

    print(response)

    """
Update an existing rule returns "OK" response
"""

from os import environ
from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.security_monitoring_rule_case import SecurityMonitoringRuleCase
from datadog_api_client.v2.model.security_monitoring_rule_evaluation_window import (
    SecurityMonitoringRuleEvaluationWindow,
)
from datadog_api_client.v2.model.security_monitoring_rule_keep_alive import SecurityMonitoringRuleKeepAlive
from datadog_api_client.v2.model.security_monitoring_rule_max_signal_duration import (
    SecurityMonitoringRuleMaxSignalDuration,
)
from datadog_api_client.v2.model.security_monitoring_rule_options import SecurityMonitoringRuleOptions
from datadog_api_client.v2.model.security_monitoring_rule_query_aggregation import (
    SecurityMonitoringRuleQueryAggregation,
)
from datadog_api_client.v2.model.security_monitoring_rule_severity import SecurityMonitoringRuleSeverity
from datadog_api_client.v2.model.security_monitoring_rule_update_payload import SecurityMonitoringRuleUpdatePayload
from datadog_api_client.v2.model.security_monitoring_standard_rule_query import SecurityMonitoringStandardRuleQuery

# there is a valid "security_rule" in the system
SECURITY_RULE_ID = environ["SECURITY_RULE_ID"]

body = SecurityMonitoringRuleUpdatePayload(
    name="Example-Security-Monitoring-Updated",
    queries=[
        SecurityMonitoringStandardRuleQuery(
            query="@test:true",
            aggregation=SecurityMonitoringRuleQueryAggregation.COUNT,
            group_by_fields=[],
            distinct_fields=[],
            metrics=[],
        ),
    ],
    filters=[],
    cases=[
        SecurityMonitoringRuleCase(
            name="",
            status=SecurityMonitoringRuleSeverity.INFO,
            condition="a > 0",
            notifications=[],
        ),
    ],
    options=SecurityMonitoringRuleOptions(
        evaluation_window=SecurityMonitoringRuleEvaluationWindow.FIFTEEN_MINUTES,
        keep_alive=SecurityMonitoringRuleKeepAlive.ONE_HOUR,
        max_signal_duration=SecurityMonitoringRuleMaxSignalDuration.ONE_DAY,
    ),
    message="Test rule",
    tags=[],
    is_enabled=True,
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.update_security_monitoring_rule(rule_id=SECURITY_RULE_ID, body=body)

    print(response)

    Instructions

    First install the library and its dependencies and then save the example to example.py and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
    # Update a cloud configuration rule's details returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

# there is a valid "cloud_configuration_rule" in the system
CLOUD_CONFIGURATION_RULE_ID = ENV["CLOUD_CONFIGURATION_RULE_ID"]

body = DatadogAPIClient::V2::SecurityMonitoringRuleUpdatePayload.new({
  name: "Example-Security-Monitoring_cloud_updated",
  is_enabled: false,
  cases: [
    DatadogAPIClient::V2::SecurityMonitoringRuleCase.new({
      status: DatadogAPIClient::V2::SecurityMonitoringRuleSeverity::INFO,
      notifications: [],
    }),
  ],
  options: DatadogAPIClient::V2::SecurityMonitoringRuleOptions.new({
    compliance_rule_options: DatadogAPIClient::V2::CloudConfigurationComplianceRuleOptions.new({
      resource_type: "gcp_compute_disk",
      rego_rule: DatadogAPIClient::V2::CloudConfigurationRegoRule.new({
        policy: 'package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nmilliseconds_in_a_day := ((1000 * 60) * 60) * 24\n\neval(iam_service_account_key) = "skip" if {\n\tiam_service_account_key.disabled\n} else = "pass" if {\n\t(iam_service_account_key.resource_seen_at / milliseconds_in_a_day) - (iam_service_account_key.valid_after_time / milliseconds_in_a_day) <= 90\n} else = "fail"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n',
        resource_types: [
          "gcp_compute_disk",
        ],
      }),
    }),
  }),
  message: "ddd",
  tags: [],
  compliance_signal_options: DatadogAPIClient::V2::CloudConfigurationRuleComplianceSignalOptions.new({
    user_activation_status: false,
    user_group_by_fields: [],
  }),
})
p api_instance.update_security_monitoring_rule(CLOUD_CONFIGURATION_RULE_ID, body)

    # Update an existing rule returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

# there is a valid "security_rule" in the system
SECURITY_RULE_ID = ENV["SECURITY_RULE_ID"]

body = DatadogAPIClient::V2::SecurityMonitoringRuleUpdatePayload.new({
  name: "Example-Security-Monitoring-Updated",
  queries: [
    DatadogAPIClient::V2::SecurityMonitoringStandardRuleQuery.new({
      query: "@test:true",
      aggregation: DatadogAPIClient::V2::SecurityMonitoringRuleQueryAggregation::COUNT,
      group_by_fields: [],
      distinct_fields: [],
      metrics: [],
    }),
  ],
  filters: [],
  cases: [
    DatadogAPIClient::V2::SecurityMonitoringRuleCase.new({
      name: "",
      status: DatadogAPIClient::V2::SecurityMonitoringRuleSeverity::INFO,
      condition: "a > 0",
      notifications: [],
    }),
  ],
  options: DatadogAPIClient::V2::SecurityMonitoringRuleOptions.new({
    evaluation_window: DatadogAPIClient::V2::SecurityMonitoringRuleEvaluationWindow::FIFTEEN_MINUTES,
    keep_alive: DatadogAPIClient::V2::SecurityMonitoringRuleKeepAlive::ONE_HOUR,
    max_signal_duration: DatadogAPIClient::V2::SecurityMonitoringRuleMaxSignalDuration::ONE_DAY,
  }),
  message: "Test rule",
  tags: [],
  is_enabled: true,
})
p api_instance.update_security_monitoring_rule(SECURITY_RULE_ID, body)

    Instructions

    First install the library and its dependencies and then save the example to example.rb and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" rb "example.rb"
    // Update a cloud configuration rule's details returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::CloudConfigurationComplianceRuleOptions;
use datadog_api_client::datadogV2::model::CloudConfigurationRegoRule;
use datadog_api_client::datadogV2::model::CloudConfigurationRuleComplianceSignalOptions;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleCase;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleOptions;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleSeverity;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleUpdatePayload;

#[tokio::main]
async fn main() {
    // there is a valid "cloud_configuration_rule" in the system
    let cloud_configuration_rule_id = std::env::var("CLOUD_CONFIGURATION_RULE_ID").unwrap();
    let body =
        SecurityMonitoringRuleUpdatePayload::new()
            .cases(
                vec![
                    SecurityMonitoringRuleCase::new()
                        .notifications(vec![])
                        .status(SecurityMonitoringRuleSeverity::INFO)
                ],
            )
            .compliance_signal_options(
                CloudConfigurationRuleComplianceSignalOptions::new()
                    .user_activation_status(Some(false))
                    .user_group_by_fields(Some(vec![])),
            )
            .is_enabled(false)
            .message("ddd".to_string())
            .name("Example-Security-Monitoring_cloud_updated".to_string())
            .options(
                SecurityMonitoringRuleOptions
                ::new().compliance_rule_options(
                    CloudConfigurationComplianceRuleOptions::new()
                        .rego_rule(
                            CloudConfigurationRegoRule::new(
                                r#"package datadog

import data.datadog.output as dd_output

import future.keywords.contains
import future.keywords.if
import future.keywords.in

milliseconds_in_a_day := ((1000 * 60) * 60) * 24

eval(iam_service_account_key) = "skip" if {
	iam_service_account_key.disabled
} else = "pass" if {
	(iam_service_account_key.resource_seen_at / milliseconds_in_a_day) - (iam_service_account_key.valid_after_time / milliseconds_in_a_day) <= 90
} else = "fail"

# This part remains unchanged for all rules
results contains result if {
	some resource in input.resources[input.main_resource_type]
	result := dd_output.format(resource, eval(resource))
}
"#.to_string(),
                                vec!["gcp_compute_disk".to_string()],
                            ),
                        )
                        .resource_type("gcp_compute_disk".to_string()),
                ),
            )
            .tags(vec![]);
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api
        .update_security_monitoring_rule(cloud_configuration_rule_id.clone(), body)
        .await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}

    // Update an existing rule returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleCase;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleEvaluationWindow;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleKeepAlive;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleMaxSignalDuration;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleOptions;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleQuery;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleQueryAggregation;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleSeverity;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleUpdatePayload;
use datadog_api_client::datadogV2::model::SecurityMonitoringStandardRuleQuery;

#[tokio::main]
async fn main() {
    // there is a valid "security_rule" in the system
    let security_rule_id = std::env::var("SECURITY_RULE_ID").unwrap();
    let body = SecurityMonitoringRuleUpdatePayload::new()
        .cases(vec![SecurityMonitoringRuleCase::new()
            .condition("a > 0".to_string())
            .name("".to_string())
            .notifications(vec![])
            .status(SecurityMonitoringRuleSeverity::INFO)])
        .filters(vec![])
        .is_enabled(true)
        .message("Test rule".to_string())
        .name("Example-Security-Monitoring-Updated".to_string())
        .options(
            SecurityMonitoringRuleOptions::new()
                .evaluation_window(SecurityMonitoringRuleEvaluationWindow::FIFTEEN_MINUTES)
                .keep_alive(SecurityMonitoringRuleKeepAlive::ONE_HOUR)
                .max_signal_duration(SecurityMonitoringRuleMaxSignalDuration::ONE_DAY),
        )
        .queries(vec![
            SecurityMonitoringRuleQuery::SecurityMonitoringStandardRuleQuery(Box::new(
                SecurityMonitoringStandardRuleQuery::new()
                    .aggregation(SecurityMonitoringRuleQueryAggregation::COUNT)
                    .distinct_fields(vec![])
                    .group_by_fields(vec![])
                    .metrics(vec![])
                    .query("@test:true".to_string()),
            )),
        ])
        .tags(vec![]);
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api
        .update_security_monitoring_rule(security_rule_id.clone(), body)
        .await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}

    Instructions

    First install the library and its dependencies and then save the example to src/main.rs and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run
    /**
 * Update a cloud configuration rule's details returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

// there is a valid "cloud_configuration_rule" in the system
const CLOUD_CONFIGURATION_RULE_ID = process.env
  .CLOUD_CONFIGURATION_RULE_ID as string;

const params: v2.SecurityMonitoringApiUpdateSecurityMonitoringRuleRequest = {
  body: {
    name: "Example-Security-Monitoring_cloud_updated",
    isEnabled: false,
    cases: [
      {
        status: "info",
        notifications: [],
      },
    ],
    options: {
      complianceRuleOptions: {
        resourceType: "gcp_compute_disk",
        regoRule: {
          policy: `package datadog

import data.datadog.output as dd_output

import future.keywords.contains
import future.keywords.if
import future.keywords.in

milliseconds_in_a_day := ((1000 * 60) * 60) * 24

eval(iam_service_account_key) = "skip" if {
	iam_service_account_key.disabled
} else = "pass" if {
	(iam_service_account_key.resource_seen_at / milliseconds_in_a_day) - (iam_service_account_key.valid_after_time / milliseconds_in_a_day) <= 90
} else = "fail"

# This part remains unchanged for all rules
results contains result if {
	some resource in input.resources[input.main_resource_type]
	result := dd_output.format(resource, eval(resource))
}
`,
          resourceTypes: ["gcp_compute_disk"],
        },
      },
    },
    message: "ddd",
    tags: [],
    complianceSignalOptions: {
      userActivationStatus: false,
      userGroupByFields: [],
    },
  },
  ruleId: CLOUD_CONFIGURATION_RULE_ID,
};

apiInstance
  .updateSecurityMonitoringRule(params)
  .then((data: v2.SecurityMonitoringRuleResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

    /**
 * Update an existing rule returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

// there is a valid "security_rule" in the system
const SECURITY_RULE_ID = process.env.SECURITY_RULE_ID as string;

const params: v2.SecurityMonitoringApiUpdateSecurityMonitoringRuleRequest = {
  body: {
    name: "Example-Security-Monitoring-Updated",
    queries: [
      {
        query: "@test:true",
        aggregation: "count",
        groupByFields: [],
        distinctFields: [],
        metrics: [],
      },
    ],
    filters: [],
    cases: [
      {
        name: "",
        status: "info",
        condition: "a > 0",
        notifications: [],
      },
    ],
    options: {
      evaluationWindow: 900,
      keepAlive: 3600,
      maxSignalDuration: 86400,
    },
    message: "Test rule",
    tags: [],
    isEnabled: true,
  },
  ruleId: SECURITY_RULE_ID,
};

apiInstance
  .updateSecurityMonitoringRule(params)
  .then((data: v2.SecurityMonitoringRuleResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

    Instructions

    First install the library and its dependencies and then save the example to example.ts and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"

    Delete an existing rule

    DELETE https://api.ap1.datadoghq.com/api/v2/security_monitoring/rules/{rule_id}https://api.ap2.datadoghq.com/api/v2/security_monitoring/rules/{rule_id}https://api.datadoghq.eu/api/v2/security_monitoring/rules/{rule_id}https://api.ddog-gov.com/api/v2/security_monitoring/rules/{rule_id}https://api.datadoghq.com/api/v2/security_monitoring/rules/{rule_id}https://api.us3.datadoghq.com/api/v2/security_monitoring/rules/{rule_id}https://api.us5.datadoghq.com/api/v2/security_monitoring/rules/{rule_id}

    Overview

    Delete an existing rule. Default rules cannot be deleted. This endpoint requires the security_monitoring_rules_write permission.

    OAuth apps require the security_monitoring_rules_write authorization scope to access this endpoint.

    Arguments

    Path Parameters

    Name

    Type

    Description

    rule_id [required]

    string

    The ID of the rule.

    Response

    OK

    Not Authorized

    API error response.

    Expand All

    Field

    Type

    Description

    errors [required]

    [string]

    A list of errors.

    {
  "errors": [
    "Bad Request"
  ]
}

    Not Found

    API error response.

    Expand All

    Field

    Type

    Description

    errors [required]

    [string]

    A list of errors.

    {
  "errors": [
    "Bad Request"
  ]
}

    Too many requests

    API error response.

    Expand All

    Field

    Type

    Description

    errors [required]

    [string]

    A list of errors.

    {
  "errors": [
    "Bad Request"
  ]
}

    Code Example

                      # Path parameters
    export rule_id="CHANGE_ME"
    # Curl command
    curl -X DELETE "https://api.ap1.datadoghq.com"https://api.ap2.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/rules/${rule_id}" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"
    
                
    """
Delete an existing rule returns "OK" response
"""

from os import environ
from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi

# there is a valid "security_rule" in the system
SECURITY_RULE_ID = environ["SECURITY_RULE_ID"]

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    api_instance.delete_security_monitoring_rule(
        rule_id=SECURITY_RULE_ID,
    )

    Instructions

    First install the library and its dependencies and then save the example to example.py and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
    # Delete an existing rule returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

# there is a valid "security_rule" in the system
SECURITY_RULE_ID = ENV["SECURITY_RULE_ID"]
api_instance.delete_security_monitoring_rule(SECURITY_RULE_ID)

    Instructions

    First install the library and its dependencies and then save the example to example.rb and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" rb "example.rb"
    // Delete an existing rule returns "OK" response

package main

import (
	"context"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	// there is a valid "security_rule" in the system
	SecurityRuleID := os.Getenv("SECURITY_RULE_ID")

	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	r, err := api.DeleteSecurityMonitoringRule(ctx, SecurityRuleID)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.DeleteSecurityMonitoringRule`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}
}

    Instructions

    First install the library and its dependencies and then save the example to main.go and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
    // Delete an existing rule returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    // there is a valid "security_rule" in the system
    String SECURITY_RULE_ID = System.getenv("SECURITY_RULE_ID");

    try {
      apiInstance.deleteSecurityMonitoringRule(SECURITY_RULE_ID);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#deleteSecurityMonitoringRule");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

    Instructions

    First install the library and its dependencies and then save the example to Example.java and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"
    // Delete an existing rule returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;

#[tokio::main]
async fn main() {
    // there is a valid "security_rule" in the system
    let security_rule_id = std::env::var("SECURITY_RULE_ID").unwrap();
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api
        .delete_security_monitoring_rule(security_rule_id.clone())
        .await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}

    Instructions

    First install the library and its dependencies and then save the example to src/main.rs and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run
    /**
 * Delete an existing rule returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

// there is a valid "security_rule" in the system
const SECURITY_RULE_ID = process.env.SECURITY_RULE_ID as string;

const params: v2.SecurityMonitoringApiDeleteSecurityMonitoringRuleRequest = {
  ruleId: SECURITY_RULE_ID,
};

apiInstance
  .deleteSecurityMonitoringRule(params)
  .then((data: any) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

    Instructions

    First install the library and its dependencies and then save the example to example.ts and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"

    Test an existing rule

    POST https://api.ap1.datadoghq.com/api/v2/security_monitoring/rules/{rule_id}/testhttps://api.ap2.datadoghq.com/api/v2/security_monitoring/rules/{rule_id}/testhttps://api.datadoghq.eu/api/v2/security_monitoring/rules/{rule_id}/testhttps://api.ddog-gov.com/api/v2/security_monitoring/rules/{rule_id}/testhttps://api.datadoghq.com/api/v2/security_monitoring/rules/{rule_id}/testhttps://api.us3.datadoghq.com/api/v2/security_monitoring/rules/{rule_id}/testhttps://api.us5.datadoghq.com/api/v2/security_monitoring/rules/{rule_id}/test

    Overview

    Test an existing rule. This endpoint requires the security_monitoring_rules_write permission.

    OAuth apps require the security_monitoring_rules_write authorization scope to access this endpoint.

    Arguments

    Path Parameters

    Name

    Type

    Description

    rule_id [required]

    string

    The ID of the rule.

    Request

    Body Data (required)

    Expand All

    Field

    Type

    Description

    rule

     <oneOf>

    Test a rule.

    Option 1

    object

    The payload of a rule to test

    calculatedFields

    [object]

    Calculated fields. Only allowed for scheduled rules - in other words, when schedulingOptions is also defined.

    expression [required]

    string

    Expression.

    name [required]

    string

    Field name.

    cases [required]

    [object]

    Cases for generating signals.

    actions

    [object]

    Action to perform for each rule case.

    options

    object

    Options for the rule action

    duration

    int64

    Duration of the action in seconds. 0 indicates no expiration.

    flaggedIPType

    enum

    Used with the case action of type 'flag_ip'. The value specified in this field is applied as a flag to the IP addresses. Allowed enum values: SUSPICIOUS,FLAGGED

    userBehaviorName

    string

    Used with the case action of type 'user_behavior'. The value specified in this field is applied as a risk tag to all users affected by the rule.

    type

    enum

    The action type. Allowed enum values: block_ip,block_user,user_behavior,flag_ip

    condition

    string

    A case contains logical operations (>,>=, &&, ||) to determine if a signal should be generated based on the event counts in the previously defined queries.

    name

    string

    Name of the case.

    notifications

    [string]

    Notification targets.

    status [required]

    enum

    Severity of the Security Signal. Allowed enum values: info,low,medium,high,critical

    filters

    [object]

    Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules.

    action

    enum

    The type of filtering action. Allowed enum values: require,suppress

    query

    string

    Query for selecting logs to apply the filtering action.

    groupSignalsBy

    [string]

    Additional grouping to perform on top of the existing groups in the query section. Must be a subset of the existing groups.

    hasExtendedTitle

    boolean

    Whether the notifications include the triggering group-by values in their title.

    isEnabled [required]

    boolean

    Whether the rule is enabled.

    message [required]

    string

    Message for generated signals.

    name [required]

    string

    The name of the rule.

    options [required]

    object

    Options.

    complianceRuleOptions

    object

    Options for cloud_configuration rules. Fields resourceType and regoRule are mandatory when managing custom cloud_configuration rules.

    complexRule

    boolean

    Whether the rule is a complex one. Must be set to true if regoRule.resourceTypes contains more than one item. Defaults to false.

    regoRule

    object

    Rule details.

    policy [required]

    string

    The policy written in rego, see: https://www.openpolicyagent.org/docs/latest/policy-language/

    resourceTypes [required]

    [string]

    List of resource types that will be evaluated upon. Must have at least one element.

    resourceType

    string

    Main resource type to be checked by the rule. It should be specified again in regoRule.resourceTypes.

    decreaseCriticalityBasedOnEnv

    boolean

    If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise. The severity is decreased by one level: CRITICAL in production becomes HIGH in non-production, HIGH becomes MEDIUM and so on. INFO remains INFO. The decrement is applied when the environment tag of the signal starts with staging, test or dev.

    detectionMethod

    enum

    The detection method. Allowed enum values: threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold,sequence_detection

    evaluationWindow

    enum

    A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400

    hardcodedEvaluatorType

    enum

    Hardcoded evaluator type. Allowed enum values: log4shell

    impossibleTravelOptions

    object

    Options on impossible travel detection method.

    baselineUserLocations

    boolean

    If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.

    keepAlive

    enum

    Once a signal is generated, the signal will remain "open" if a case is matched at least once within this keep alive window. For third party detection method, this field is not used. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400

    maxSignalDuration

    enum

    A signal will "close" regardless of the query being matched once the time exceeds the maximum duration. This time is calculated from the first seen timestamp. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400

    newValueOptions

    object

    Options on new value detection method.

    forgetAfter

    enum

    The duration in days after which a learned value is forgotten. Allowed enum values: 1,2,7,14,21,28

    learningDuration

    enum

    The duration in days during which values are learned, and after which signals will be generated for values that weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned. Allowed enum values: 0,1,7

    learningMethod

    enum

    The learning method used to determine when signals should be generated for values that weren't learned. Allowed enum values: duration,threshold

    default: duration

    learningThreshold

    enum

    A number of occurrences after which signals will be generated for values that weren't learned. Allowed enum values: 0,1

    sequenceDetectionOptions

    object

    Options on sequence detection method.

    stepTransitions

    [object]

    Transitions defining the allowed order of steps and their evaluation windows.

    child

    string

    Name of the child step.

    evaluationWindow

    enum

    A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400

    parent

    string

    Name of the parent step.

    steps

    [object]

    Steps that define the conditions to be matched in sequence.

    condition

    string

    Condition referencing rule queries (e.g., a > 0).

    evaluationWindow

    enum

    A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400

    name

    string

    Unique name identifying the step.

    thirdPartyRuleOptions

    object

    Options on third party detection method.

    defaultNotifications

    [string]

    Notification targets for the logs that do not correspond to any of the cases.

    defaultStatus

    enum

    Severity of the Security Signal. Allowed enum values: info,low,medium,high,critical

    rootQueries

    [object]

    Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.

    groupByFields

    [string]

    Fields to group by.

    query

    string

    Query to run on logs.

    signalTitleTemplate

    string

    A template for the signal title; if omitted, the title is generated based on the case name.

    queries [required]

    [object]

    Queries for selecting logs which are part of the rule.

    aggregation

    enum

    The aggregation type. Allowed enum values: count,cardinality,sum,max,new_value,geo_data,event_count,none

    customQueryExtension

    string

    Query extension to append to the logs query.

    dataSource

    enum

    Source of events, either logs, audit trail, or Datadog events. Allowed enum values: logs,audit,app_sec_spans,spans,security_runtime,network,events

    default: logs

    distinctFields

    [string]

    Field for which the cardinality is measured. Sent as an array.

    groupByFields

    [string]

    Fields to group by.

    hasOptionalGroupByFields

    boolean

    When false, events without a group-by value are ignored by the rule. When true, events with missing group-by fields are processed with N/A, replacing the missing values.

    index

    string

    This field is currently unstable and might be removed in a minor version upgrade. The index to run the query on, if the dataSource is logs. Only used for scheduled rules - in other words, when the schedulingOptions field is present in the rule payload.

    indexes

    [string]

    List of indexes to query when the dataSource is logs. Only used for scheduled rules, such as when the schedulingOptions field is present in the rule payload.

    metric

    string

    DEPRECATED: (Deprecated) The target field to aggregate over when using the sum or max aggregations. metrics field should be used instead.

    metrics

    [string]

    Group of target fields to aggregate over when using the sum, max, geo data, or new value aggregations. The sum, max, and geo data aggregations only accept one value in this list, whereas the new value aggregation accepts up to five values.

    name

    string

    Name of the query.

    query

    string

    Query to run on logs.

    referenceTables

    [object]

    Reference tables for the rule.

    checkPresence

    boolean

    Whether to include or exclude the matched values.

    columnName

    string

    The name of the column in the reference table.

    logFieldPath

    string

    The field in the log to match against the reference table.

    ruleQueryName

    string

    The name of the query to apply the reference table to.

    tableName

    string

    The name of the reference table.

    schedulingOptions

    object

    Options for scheduled rules. When this field is present, the rule runs based on the schedule. When absent, it runs real-time on ingested logs.

    rrule

    string

    Schedule for the rule queries, written in RRULE syntax. See RFC for syntax reference.

    start

    string

    Start date for the schedule, in ISO 8601 format without timezone.

    timezone

    string

    Time zone of the start date, in the tz database format.

    tags

    [string]

    Tags for generated signals.

    thirdPartyCases

    [object]

    Cases for generating signals from third-party rules. Only available for third-party rules.

    name

    string

    Name of the case.

    notifications

    [string]

    Notification targets for each case.

    query

    string

    A query to map a third party event to this case.

    status [required]

    enum

    Severity of the Security Signal. Allowed enum values: info,low,medium,high,critical

    type

    enum

    The rule type. Allowed enum values: log_detection

    ruleQueryPayloads

    [object]

    Data payloads used to test rules query with the expected result.

    expectedResult

    boolean

    Expected result of the test.

    index

    int64

    Index of the query under test.

    payload

    object

    Payload used to test the rule query.

    ddsource

    string

    Source of the payload.

    ddtags

    string

    Tags associated with your data.

    hostname

    string

    The name of the originating host of the log.

    message

    string

    The message of the payload.

    service

    string

    The name of the application or service generating the data.

    {
  "rule": {
    "calculatedFields": [
      {
        "expression": "@request_end_timestamp - @request_start_timestamp",
        "name": "response_time"
      }
    ],
    "cases": [
      {
        "actions": [
          {
            "options": {
              "duration": 0,
              "flaggedIPType": "FLAGGED",
              "userBehaviorName": "string"
            },
            "type": "string"
          }
        ],
        "condition": "string",
        "name": "string",
        "notifications": [],
        "status": "critical"
      }
    ],
    "filters": [
      {
        "action": "string",
        "query": "string"
      }
    ],
    "groupSignalsBy": [
      "service"
    ],
    "hasExtendedTitle": true,
    "isEnabled": true,
    "message": "",
    "name": "My security monitoring rule.",
    "options": {
      "complianceRuleOptions": {
        "complexRule": false,
        "regoRule": {
          "policy": "package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(resource) = \"skip\" if {\n  # Logic that evaluates to true if the resource should be skipped\n  true\n} else = \"pass\" {\n  # Logic that evaluates to true if the resource is compliant\n  true\n} else = \"fail\" {\n  # Logic that evaluates to true if the resource is not compliant\n  true\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n  some resource in input.resources[input.main_resource_type]\n  result := dd_output.format(resource, eval(resource))\n}",
          "resourceTypes": [
            "gcp_iam_service_account",
            "gcp_iam_policy"
          ]
        },
        "resourceType": "aws_acm"
      },
      "decreaseCriticalityBasedOnEnv": false,
      "detectionMethod": "string",
      "evaluationWindow": "integer",
      "hardcodedEvaluatorType": "string",
      "impossibleTravelOptions": {
        "baselineUserLocations": true
      },
      "keepAlive": "integer",
      "maxSignalDuration": "integer",
      "newValueOptions": {
        "forgetAfter": "integer",
        "learningDuration": "integer",
        "learningMethod": "string",
        "learningThreshold": "integer"
      },
      "sequenceDetectionOptions": {
        "stepTransitions": [
          {
            "child": "string",
            "evaluationWindow": "integer",
            "parent": "string"
          }
        ],
        "steps": [
          {
            "condition": "string",
            "evaluationWindow": "integer",
            "name": "string"
          }
        ]
      },
      "thirdPartyRuleOptions": {
        "defaultNotifications": [],
        "defaultStatus": "critical",
        "rootQueries": [
          {
            "groupByFields": [],
            "query": "source:cloudtrail"
          }
        ],
        "signalTitleTemplate": "string"
      }
    },
    "queries": [
      {
        "aggregation": "string",
        "customQueryExtension": "a > 3",
        "dataSource": "logs",
        "distinctFields": [],
        "groupByFields": [],
        "hasOptionalGroupByFields": false,
        "index": "string",
        "indexes": [],
        "metric": "string",
        "metrics": [],
        "name": "string",
        "query": "a > 3"
      }
    ],
    "referenceTables": [
      {
        "checkPresence": false,
        "columnName": "string",
        "logFieldPath": "string",
        "ruleQueryName": "string",
        "tableName": "string"
      }
    ],
    "schedulingOptions": {
      "rrule": "FREQ=HOURLY;INTERVAL=1;",
      "start": "2025-07-14T12:00:00",
      "timezone": "America/New_York"
    },
    "tags": [
      "env:prod",
      "team:security"
    ],
    "thirdPartyCases": [
      {
        "name": "string",
        "notifications": [],
        "query": "string",
        "status": "critical"
      }
    ],
    "type": "string"
  },
  "ruleQueryPayloads": [
    {
      "expectedResult": true,
      "index": 0,
      "payload": {
        "ddsource": "nginx",
        "ddtags": "env:staging,version:5.1",
        "hostname": "i-012345678",
        "message": "2019-11-19T14:37:58,995 INFO [process.name][20081] Hello World",
        "service": "payment"
      }
    }
  ]
}

    Response

    OK

    Result of the test of the rule queries.

    Expand All

    Field

    Type

    Description

    results

    [boolean]

    Assert results are returned in the same order as the rule query payloads. For each payload, it returns True if the result matched the expected result, False otherwise.

    {
  "results": []
}

    Bad Request

    API error response.

    Expand All

    Field

    Type

    Description

    errors [required]

    [string]

    A list of errors.

    {
  "errors": [
    "Bad Request"
  ]
}

    Concurrent Modification

    API error response.

    Expand All

    Field

    Type

    Description

    errors [required]

    [string]

    A list of errors.

    {
  "errors": [
    "Bad Request"
  ]
}

    Not Authorized

    API error response.

    Expand All

    Field

    Type

    Description

    errors [required]

    [string]

    A list of errors.

    {
  "errors": [
    "Bad Request"
  ]
}

    Not Found

    API error response.

    Expand All

    Field

    Type

    Description

    errors [required]

    [string]

    A list of errors.

    {
  "errors": [
    "Bad Request"
  ]
}

    Too many requests

    API error response.

    Expand All

    Field

    Type

    Description

    errors [required]

    [string]

    A list of errors.

    {
  "errors": [
    "Bad Request"
  ]
}

    Code Example

                      # Path parameters
    export rule_id="CHANGE_ME"
    # Curl command
    curl -X POST "https://api.ap1.datadoghq.com"https://api.ap2.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/rules/${rule_id}/test" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "rule": {
    "calculatedFields": [
      {
        "expression": "@request_end_timestamp - @request_start_timestamp",
        "name": "response_time"
      }
    ],
    "cases": [
      {
        "status": "critical"
      }
    ],
    "options": {
      "complianceRuleOptions": {
        "regoRule": {
          "policy": "package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(resource) = \"skip\" if {\n  # Logic that evaluates to true if the resource should be skipped\n  true\n} else = \"pass\" {\n  # Logic that evaluates to true if the resource is compliant\n  true\n} else = \"fail\" {\n  # Logic that evaluates to true if the resource is not compliant\n  true\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n  some resource in input.resources[input.main_resource_type]\n  result := dd_output.format(resource, eval(resource))\n}",
          "resourceTypes": [
            "gcp_iam_service_account",
            "gcp_iam_policy"
          ]
        }
      }
    },
    "thirdPartyCases": [
      {
        "status": "critical"
      }
    ]
  }
}
EOF
    
                
    """
Test an existing rule returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.security_monitoring_rule_query_payload import SecurityMonitoringRuleQueryPayload
from datadog_api_client.v2.model.security_monitoring_rule_query_payload_data import (
    SecurityMonitoringRuleQueryPayloadData,
)
from datadog_api_client.v2.model.security_monitoring_rule_test_request import SecurityMonitoringRuleTestRequest

body = SecurityMonitoringRuleTestRequest(
    rule_query_payloads=[
        SecurityMonitoringRuleQueryPayload(
            expected_result=True,
            index=0,
            payload=SecurityMonitoringRuleQueryPayloadData(
                ddsource="nginx",
                ddtags="env:staging,version:5.1",
                hostname="i-012345678",
                message="2019-11-19T14:37:58,995 INFO [process.name][20081] Hello World",
                service="payment",
            ),
        ),
    ],
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.test_existing_security_monitoring_rule(rule_id="rule_id", body=body)

    print(response)

    Instructions

    First install the library and its dependencies and then save the example to example.py and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
    # Test an existing rule returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

body = DatadogAPIClient::V2::SecurityMonitoringRuleTestRequest.new({
  rule_query_payloads: [
    DatadogAPIClient::V2::SecurityMonitoringRuleQueryPayload.new({
      expected_result: true,
      index: 0,
      payload: DatadogAPIClient::V2::SecurityMonitoringRuleQueryPayloadData.new({
        ddsource: "nginx",
        ddtags: "env:staging,version:5.1",
        hostname: "i-012345678",
        message: "2019-11-19T14:37:58,995 INFO [process.name][20081] Hello World",
        service: "payment",
      }),
    }),
  ],
})
p api_instance.test_existing_security_monitoring_rule("rule_id", body)

    Instructions

    First install the library and its dependencies and then save the example to example.rb and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" rb "example.rb"
    // Test an existing rule returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	body := datadogV2.SecurityMonitoringRuleTestRequest{
		RuleQueryPayloads: []datadogV2.SecurityMonitoringRuleQueryPayload{
			{
				ExpectedResult: datadog.PtrBool(true),
				Index:          datadog.PtrInt64(0),
				Payload: &datadogV2.SecurityMonitoringRuleQueryPayloadData{
					Ddsource: datadog.PtrString("nginx"),
					Ddtags:   datadog.PtrString("env:staging,version:5.1"),
					Hostname: datadog.PtrString("i-012345678"),
					Message:  datadog.PtrString("2019-11-19T14:37:58,995 INFO [process.name][20081] Hello World"),
					Service:  datadog.PtrString("payment"),
				},
			},
		},
	}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.TestExistingSecurityMonitoringRule(ctx, "rule_id", body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.TestExistingSecurityMonitoringRule`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.TestExistingSecurityMonitoringRule`:\n%s\n", responseContent)
}

    Instructions

    First install the library and its dependencies and then save the example to main.go and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
    // Test an existing rule returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleQueryPayload;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleQueryPayloadData;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleTestRequest;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleTestResponse;
import java.util.Collections;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    SecurityMonitoringRuleTestRequest body =
        new SecurityMonitoringRuleTestRequest()
            .ruleQueryPayloads(
                Collections.singletonList(
                    new SecurityMonitoringRuleQueryPayload()
                        .expectedResult(true)
                        .index(0L)
                        .payload(
                            new SecurityMonitoringRuleQueryPayloadData()
                                .ddsource("nginx")
                                .ddtags("env:staging,version:5.1")
                                .hostname("i-012345678")
                                .message(
                                    "2019-11-19T14:37:58,995 INFO [process.name][20081] Hello"
                                        + " World")
                                .service("payment"))));

    try {
      SecurityMonitoringRuleTestResponse result =
          apiInstance.testExistingSecurityMonitoringRule("rule_id", body);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#testExistingSecurityMonitoringRule");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

    Instructions

    First install the library and its dependencies and then save the example to Example.java and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"
    // Test an existing rule returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleQueryPayload;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleQueryPayloadData;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleTestRequest;

#[tokio::main]
async fn main() {
    let body = SecurityMonitoringRuleTestRequest::new().rule_query_payloads(vec![
        SecurityMonitoringRuleQueryPayload::new()
            .expected_result(true)
            .index(0)
            .payload(
                SecurityMonitoringRuleQueryPayloadData::new()
                    .ddsource("nginx".to_string())
                    .ddtags("env:staging,version:5.1".to_string())
                    .hostname("i-012345678".to_string())
                    .message(
                        "2019-11-19T14:37:58,995 INFO [process.name][20081] Hello World"
                            .to_string(),
                    )
                    .service("payment".to_string()),
            ),
    ]);
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api
        .test_existing_security_monitoring_rule("rule_id".to_string(), body)
        .await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}

    Instructions

    First install the library and its dependencies and then save the example to src/main.rs and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run
    /**
 * Test an existing rule returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiTestExistingSecurityMonitoringRuleRequest =
  {
    body: {
      ruleQueryPayloads: [
        {
          expectedResult: true,
          index: 0,
          payload: {
            ddsource: "nginx",
            ddtags: "env:staging,version:5.1",
            hostname: "i-012345678",
            message:
              "2019-11-19T14:37:58,995 INFO [process.name][20081] Hello World",
            service: "payment",
          },
        },
      ],
    },
    ruleId: "rule_id",
  };

apiInstance
  .testExistingSecurityMonitoringRule(params)
  .then((data: v2.SecurityMonitoringRuleTestResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

    Instructions

    First install the library and its dependencies and then save the example to example.ts and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"

    Test a rule

    POST https://api.ap1.datadoghq.com/api/v2/security_monitoring/rules/testhttps://api.ap2.datadoghq.com/api/v2/security_monitoring/rules/testhttps://api.datadoghq.eu/api/v2/security_monitoring/rules/testhttps://api.ddog-gov.com/api/v2/security_monitoring/rules/testhttps://api.datadoghq.com/api/v2/security_monitoring/rules/testhttps://api.us3.datadoghq.com/api/v2/security_monitoring/rules/testhttps://api.us5.datadoghq.com/api/v2/security_monitoring/rules/test

    Overview

    Test a rule. This endpoint requires the security_monitoring_rules_write permission.

    OAuth apps require the security_monitoring_rules_write authorization scope to access this endpoint.

    Request

    Body Data (required)

    Expand All

    Field

    Type

    Description

    rule

     <oneOf>

    Test a rule.

    Option 1

    object

    The payload of a rule to test

    calculatedFields

    [object]

    Calculated fields. Only allowed for scheduled rules - in other words, when schedulingOptions is also defined.

    expression [required]

    string

    Expression.

    name [required]

    string

    Field name.

    cases [required]

    [object]

    Cases for generating signals.

    actions

    [object]

    Action to perform for each rule case.

    options

    object

    Options for the rule action

    duration

    int64

    Duration of the action in seconds. 0 indicates no expiration.

    flaggedIPType

    enum

    Used with the case action of type 'flag_ip'. The value specified in this field is applied as a flag to the IP addresses. Allowed enum values: SUSPICIOUS,FLAGGED

    userBehaviorName

    string

    Used with the case action of type 'user_behavior'. The value specified in this field is applied as a risk tag to all users affected by the rule.

    type

    enum

    The action type. Allowed enum values: block_ip,block_user,user_behavior,flag_ip

    condition

    string

    A case contains logical operations (>,>=, &&, ||) to determine if a signal should be generated based on the event counts in the previously defined queries.

    name

    string

    Name of the case.

    notifications

    [string]

    Notification targets.

    status [required]

    enum

    Severity of the Security Signal. Allowed enum values: info,low,medium,high,critical

    filters

    [object]

    Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules.

    action

    enum

    The type of filtering action. Allowed enum values: require,suppress

    query

    string

    Query for selecting logs to apply the filtering action.

    groupSignalsBy

    [string]

    Additional grouping to perform on top of the existing groups in the query section. Must be a subset of the existing groups.

    hasExtendedTitle

    boolean

    Whether the notifications include the triggering group-by values in their title.

    isEnabled [required]

    boolean

    Whether the rule is enabled.

    message [required]

    string

    Message for generated signals.

    name [required]

    string

    The name of the rule.

    options [required]

    object

    Options.

    complianceRuleOptions

    object

    Options for cloud_configuration rules. Fields resourceType and regoRule are mandatory when managing custom cloud_configuration rules.

    complexRule

    boolean

    Whether the rule is a complex one. Must be set to true if regoRule.resourceTypes contains more than one item. Defaults to false.

    regoRule

    object

    Rule details.

    policy [required]

    string

    The policy written in rego, see: https://www.openpolicyagent.org/docs/latest/policy-language/

    resourceTypes [required]

    [string]

    List of resource types that will be evaluated upon. Must have at least one element.

    resourceType

    string

    Main resource type to be checked by the rule. It should be specified again in regoRule.resourceTypes.

    decreaseCriticalityBasedOnEnv

    boolean

    If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise. The severity is decreased by one level: CRITICAL in production becomes HIGH in non-production, HIGH becomes MEDIUM and so on. INFO remains INFO. The decrement is applied when the environment tag of the signal starts with staging, test or dev.

    detectionMethod

    enum

    The detection method. Allowed enum values: threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold,sequence_detection

    evaluationWindow

    enum

    A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400

    hardcodedEvaluatorType

    enum

    Hardcoded evaluator type. Allowed enum values: log4shell

    impossibleTravelOptions

    object

    Options on impossible travel detection method.

    baselineUserLocations

    boolean

    If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.

    keepAlive

    enum

    Once a signal is generated, the signal will remain "open" if a case is matched at least once within this keep alive window. For third party detection method, this field is not used. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400

    maxSignalDuration

    enum

    A signal will "close" regardless of the query being matched once the time exceeds the maximum duration. This time is calculated from the first seen timestamp. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400

    newValueOptions

    object

    Options on new value detection method.

    forgetAfter

    enum

    The duration in days after which a learned value is forgotten. Allowed enum values: 1,2,7,14,21,28

    learningDuration

    enum

    The duration in days during which values are learned, and after which signals will be generated for values that weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned. Allowed enum values: 0,1,7

    learningMethod

    enum

    The learning method used to determine when signals should be generated for values that weren't learned. Allowed enum values: duration,threshold

    default: duration

    learningThreshold

    enum

    A number of occurrences after which signals will be generated for values that weren't learned. Allowed enum values: 0,1

    sequenceDetectionOptions

    object

    Options on sequence detection method.

    stepTransitions

    [object]

    Transitions defining the allowed order of steps and their evaluation windows.

    child

    string

    Name of the child step.

    evaluationWindow

    enum

    A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400

    parent

    string

    Name of the parent step.

    steps

    [object]

    Steps that define the conditions to be matched in sequence.

    condition

    string

    Condition referencing rule queries (e.g., a > 0).

    evaluationWindow

    enum

    A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400

    name

    string

    Unique name identifying the step.

    thirdPartyRuleOptions

    object

    Options on third party detection method.

    defaultNotifications

    [string]

    Notification targets for the logs that do not correspond to any of the cases.

    defaultStatus

    enum

    Severity of the Security Signal. Allowed enum values: info,low,medium,high,critical

    rootQueries

    [object]

    Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.

    groupByFields

    [string]

    Fields to group by.

    query

    string

    Query to run on logs.

    signalTitleTemplate

    string

    A template for the signal title; if omitted, the title is generated based on the case name.

    queries [required]

    [object]

    Queries for selecting logs which are part of the rule.

    aggregation

    enum

    The aggregation type. Allowed enum values: count,cardinality,sum,max,new_value,geo_data,event_count,none

    customQueryExtension

    string

    Query extension to append to the logs query.

    dataSource

    enum

    Source of events, either logs, audit trail, or Datadog events. Allowed enum values: logs,audit,app_sec_spans,spans,security_runtime,network,events

    default: logs

    distinctFields

    [string]

    Field for which the cardinality is measured. Sent as an array.

    groupByFields

    [string]

    Fields to group by.

    hasOptionalGroupByFields

    boolean

    When false, events without a group-by value are ignored by the rule. When true, events with missing group-by fields are processed with N/A, replacing the missing values.

    index

    string

    This field is currently unstable and might be removed in a minor version upgrade. The index to run the query on, if the dataSource is logs. Only used for scheduled rules - in other words, when the schedulingOptions field is present in the rule payload.

    indexes

    [string]

    List of indexes to query when the dataSource is logs. Only used for scheduled rules, such as when the schedulingOptions field is present in the rule payload.

    metric

    string

    DEPRECATED: (Deprecated) The target field to aggregate over when using the sum or max aggregations. metrics field should be used instead.

    metrics

    [string]

    Group of target fields to aggregate over when using the sum, max, geo data, or new value aggregations. The sum, max, and geo data aggregations only accept one value in this list, whereas the new value aggregation accepts up to five values.

    name

    string

    Name of the query.

    query

    string

    Query to run on logs.

    referenceTables

    [object]

    Reference tables for the rule.

    checkPresence

    boolean

    Whether to include or exclude the matched values.

    columnName

    string

    The name of the column in the reference table.

    logFieldPath

    string

    The field in the log to match against the reference table.

    ruleQueryName

    string

    The name of the query to apply the reference table to.

    tableName

    string

    The name of the reference table.

    schedulingOptions

    object

    Options for scheduled rules. When this field is present, the rule runs based on the schedule. When absent, it runs real-time on ingested logs.

    rrule

    string

    Schedule for the rule queries, written in RRULE syntax. See RFC for syntax reference.

    start

    string

    Start date for the schedule, in ISO 8601 format without timezone.

    timezone

    string

    Time zone of the start date, in the tz database format.

    tags

    [string]

    Tags for generated signals.

    thirdPartyCases

    [object]

    Cases for generating signals from third-party rules. Only available for third-party rules.

    name

    string

    Name of the case.

    notifications

    [string]

    Notification targets for each case.

    query

    string

    A query to map a third party event to this case.

    status [required]

    enum

    Severity of the Security Signal. Allowed enum values: info,low,medium,high,critical

    type

    enum

    The rule type. Allowed enum values: log_detection

    ruleQueryPayloads

    [object]

    Data payloads used to test rules query with the expected result.

    expectedResult

    boolean

    Expected result of the test.

    index

    int64

    Index of the query under test.

    payload

    object

    Payload used to test the rule query.

    ddsource

    string

    Source of the payload.

    ddtags

    string

    Tags associated with your data.

    hostname

    string

    The name of the originating host of the log.

    message

    string

    The message of the payload.

    service

    string

    The name of the application or service generating the data.

    {
  "rule": {
    "cases": [
      {
        "name": "",
        "status": "info",
        "notifications": [],
        "condition": "a > 0"
      }
    ],
    "hasExtendedTitle": true,
    "isEnabled": true,
    "message": "My security monitoring rule message.",
    "name": "My security monitoring rule.",
    "options": {
      "decreaseCriticalityBasedOnEnv": false,
      "detectionMethod": "threshold",
      "evaluationWindow": 0,
      "keepAlive": 0,
      "maxSignalDuration": 0
    },
    "queries": [
      {
        "query": "source:source_here",
        "groupByFields": [
          "@userIdentity.assumed_role"
        ],
        "distinctFields": [],
        "aggregation": "count",
        "name": ""
      }
    ],
    "tags": [
      "env:prod",
      "team:security"
    ],
    "type": "log_detection"
  },
  "ruleQueryPayloads": [
    {
      "expectedResult": true,
      "index": 0,
      "payload": {
        "ddsource": "source_here",
        "ddtags": "env:staging,version:5.1",
        "hostname": "i-012345678",
        "message": "2019-11-19T14:37:58,995 INFO [process.name][20081] Hello World",
        "service": "payment",
        "userIdentity": {
          "assumed_role": "fake assumed_role"
        }
      }
    }
  ]
}

    Response

    OK

    Result of the test of the rule queries.

    Expand All

    Field

    Type

    Description

    results

    [boolean]

    Assert results are returned in the same order as the rule query payloads. For each payload, it returns True if the result matched the expected result, False otherwise.

    {
  "results": []
}

    Bad Request

    API error response.

    Expand All

    Field

    Type

    Description

    errors [required]

    [string]

    A list of errors.

    {
  "errors": [
    "Bad Request"
  ]
}

    Concurrent Modification

    API error response.

    Expand All

    Field

    Type

    Description

    errors [required]

    [string]

    A list of errors.

    {
  "errors": [
    "Bad Request"
  ]
}

    Not Authorized

    API error response.

    Expand All

    Field

    Type

    Description

    errors [required]

    [string]

    A list of errors.

    {
  "errors": [
    "Bad Request"
  ]
}

    Not Found

    API error response.

    Expand All

    Field

    Type

    Description

    errors [required]

    [string]

    A list of errors.

    {
  "errors": [
    "Bad Request"
  ]
}

    Too many requests

    API error response.

    Expand All

    Field

    Type

    Description

    errors [required]

    [string]

    A list of errors.

    {
  "errors": [
    "Bad Request"
  ]
}

    Code Example

                              # Curl command
    curl -X POST "https://api.ap1.datadoghq.com"https://api.ap2.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/rules/test" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "rule": {
    "cases": [
      {
        "name": "",
        "status": "info",
        "notifications": [],
        "condition": "a > 0"
      }
    ],
    "hasExtendedTitle": true,
    "isEnabled": true,
    "message": "My security monitoring rule message.",
    "name": "My security monitoring rule.",
    "options": {
      "decreaseCriticalityBasedOnEnv": false,
      "detectionMethod": "threshold",
      "evaluationWindow": 0,
      "keepAlive": 0,
      "maxSignalDuration": 0
    },
    "queries": [
      {
        "query": "source:source_here",
        "groupByFields": [
          "@userIdentity.assumed_role"
        ],
        "distinctFields": [],
        "aggregation": "count",
        "name": ""
      }
    ],
    "tags": [
      "env:prod",
      "team:security"
    ],
    "type": "log_detection"
  },
  "ruleQueryPayloads": [
    {
      "expectedResult": true,
      "index": 0,
      "payload": {
        "ddsource": "source_here",
        "ddtags": "env:staging,version:5.1",
        "hostname": "i-012345678",
        "message": "2019-11-19T14:37:58,995 INFO [process.name][20081] Hello World",
        "service": "payment",
        "userIdentity": {
          "assumed_role": "fake assumed_role"
        }
      }
    }
  ]
}
EOF
    
                        
    // Test a rule returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	body := datadogV2.SecurityMonitoringRuleTestRequest{
		Rule: &datadogV2.SecurityMonitoringRuleTestPayload{
			SecurityMonitoringStandardRuleTestPayload: &datadogV2.SecurityMonitoringStandardRuleTestPayload{
				Cases: []datadogV2.SecurityMonitoringRuleCaseCreate{
					{
						Name:          datadog.PtrString(""),
						Status:        datadogV2.SECURITYMONITORINGRULESEVERITY_INFO,
						Notifications: []string{},
						Condition:     datadog.PtrString("a > 0"),
					},
				},
				HasExtendedTitle: datadog.PtrBool(true),
				IsEnabled:        true,
				Message:          "My security monitoring rule message.",
				Name:             "My security monitoring rule.",
				Options: datadogV2.SecurityMonitoringRuleOptions{
					DecreaseCriticalityBasedOnEnv: datadog.PtrBool(false),
					DetectionMethod:               datadogV2.SECURITYMONITORINGRULEDETECTIONMETHOD_THRESHOLD.Ptr(),
					EvaluationWindow:              datadogV2.SECURITYMONITORINGRULEEVALUATIONWINDOW_ZERO_MINUTES.Ptr(),
					KeepAlive:                     datadogV2.SECURITYMONITORINGRULEKEEPALIVE_ZERO_MINUTES.Ptr(),
					MaxSignalDuration:             datadogV2.SECURITYMONITORINGRULEMAXSIGNALDURATION_ZERO_MINUTES.Ptr(),
				},
				Queries: []datadogV2.SecurityMonitoringStandardRuleQuery{
					{
						Query: datadog.PtrString("source:source_here"),
						GroupByFields: []string{
							"@userIdentity.assumed_role",
						},
						DistinctFields: []string{},
						Aggregation:    datadogV2.SECURITYMONITORINGRULEQUERYAGGREGATION_COUNT.Ptr(),
						Name:           datadog.PtrString(""),
					},
				},
				Tags: []string{
					"env:prod",
					"team:security",
				},
				Type: datadogV2.SECURITYMONITORINGRULETYPETEST_LOG_DETECTION.Ptr(),
			}},
		RuleQueryPayloads: []datadogV2.SecurityMonitoringRuleQueryPayload{
			{
				ExpectedResult: datadog.PtrBool(true),
				Index:          datadog.PtrInt64(0),
				Payload: &datadogV2.SecurityMonitoringRuleQueryPayloadData{
					Ddsource: datadog.PtrString("source_here"),
					Ddtags:   datadog.PtrString("env:staging,version:5.1"),
					Hostname: datadog.PtrString("i-012345678"),
					Message:  datadog.PtrString("2019-11-19T14:37:58,995 INFO [process.name][20081] Hello World"),
					Service:  datadog.PtrString("payment"),
				},
			},
		},
	}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.TestSecurityMonitoringRule(ctx, body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.TestSecurityMonitoringRule`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.TestSecurityMonitoringRule`:\n%s\n", responseContent)
}

    Instructions

    First install the library and its dependencies and then save the example to main.go and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
    // Test a rule returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleCaseCreate;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleDetectionMethod;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleEvaluationWindow;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleKeepAlive;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleMaxSignalDuration;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleOptions;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleQueryAggregation;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleQueryPayload;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleQueryPayloadData;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleSeverity;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleTestPayload;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleTestRequest;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleTestResponse;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleTypeTest;
import com.datadog.api.client.v2.model.SecurityMonitoringStandardRuleQuery;
import com.datadog.api.client.v2.model.SecurityMonitoringStandardRuleTestPayload;
import java.util.Arrays;
import java.util.Collections;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    SecurityMonitoringRuleTestRequest body =
        new SecurityMonitoringRuleTestRequest()
            .rule(
                new SecurityMonitoringRuleTestPayload(
                    new SecurityMonitoringStandardRuleTestPayload()
                        .cases(
                            Collections.singletonList(
                                new SecurityMonitoringRuleCaseCreate()
                                    .name("")
                                    .status(SecurityMonitoringRuleSeverity.INFO)
                                    .condition("a > 0")))
                        .hasExtendedTitle(true)
                        .isEnabled(true)
                        .message("My security monitoring rule message.")
                        .name("My security monitoring rule.")
                        .options(
                            new SecurityMonitoringRuleOptions()
                                .decreaseCriticalityBasedOnEnv(false)
                                .detectionMethod(SecurityMonitoringRuleDetectionMethod.THRESHOLD)
                                .evaluationWindow(
                                    SecurityMonitoringRuleEvaluationWindow.ZERO_MINUTES)
                                .keepAlive(SecurityMonitoringRuleKeepAlive.ZERO_MINUTES)
                                .maxSignalDuration(
                                    SecurityMonitoringRuleMaxSignalDuration.ZERO_MINUTES))
                        .queries(
                            Collections.singletonList(
                                new SecurityMonitoringStandardRuleQuery()
                                    .query("source:source_here")
                                    .groupByFields(
                                        Collections.singletonList("@userIdentity.assumed_role"))
                                    .aggregation(SecurityMonitoringRuleQueryAggregation.COUNT)
                                    .name("")))
                        .tags(Arrays.asList("env:prod", "team:security"))
                        .type(SecurityMonitoringRuleTypeTest.LOG_DETECTION)))
            .ruleQueryPayloads(
                Collections.singletonList(
                    new SecurityMonitoringRuleQueryPayload()
                        .expectedResult(true)
                        .index(0L)
                        .payload(
                            new SecurityMonitoringRuleQueryPayloadData()
                                .ddsource("source_here")
                                .ddtags("env:staging,version:5.1")
                                .hostname("i-012345678")
                                .message(
                                    "2019-11-19T14:37:58,995 INFO [process.name][20081] Hello"
                                        + " World")
                                .service("payment"))));

    try {
      SecurityMonitoringRuleTestResponse result = apiInstance.testSecurityMonitoringRule(body);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println("Exception when calling SecurityMonitoringApi#testSecurityMonitoringRule");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

    Instructions

    First install the library and its dependencies and then save the example to Example.java and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"
    """
Test a rule returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.security_monitoring_rule_case_create import SecurityMonitoringRuleCaseCreate
from datadog_api_client.v2.model.security_monitoring_rule_detection_method import SecurityMonitoringRuleDetectionMethod
from datadog_api_client.v2.model.security_monitoring_rule_evaluation_window import (
    SecurityMonitoringRuleEvaluationWindow,
)
from datadog_api_client.v2.model.security_monitoring_rule_keep_alive import SecurityMonitoringRuleKeepAlive
from datadog_api_client.v2.model.security_monitoring_rule_max_signal_duration import (
    SecurityMonitoringRuleMaxSignalDuration,
)
from datadog_api_client.v2.model.security_monitoring_rule_options import SecurityMonitoringRuleOptions
from datadog_api_client.v2.model.security_monitoring_rule_query_aggregation import (
    SecurityMonitoringRuleQueryAggregation,
)
from datadog_api_client.v2.model.security_monitoring_rule_query_payload import SecurityMonitoringRuleQueryPayload
from datadog_api_client.v2.model.security_monitoring_rule_query_payload_data import (
    SecurityMonitoringRuleQueryPayloadData,
)
from datadog_api_client.v2.model.security_monitoring_rule_severity import SecurityMonitoringRuleSeverity
from datadog_api_client.v2.model.security_monitoring_rule_test_request import SecurityMonitoringRuleTestRequest
from datadog_api_client.v2.model.security_monitoring_rule_type_test import SecurityMonitoringRuleTypeTest
from datadog_api_client.v2.model.security_monitoring_standard_rule_query import SecurityMonitoringStandardRuleQuery
from datadog_api_client.v2.model.security_monitoring_standard_rule_test_payload import (
    SecurityMonitoringStandardRuleTestPayload,
)

body = SecurityMonitoringRuleTestRequest(
    rule=SecurityMonitoringStandardRuleTestPayload(
        cases=[
            SecurityMonitoringRuleCaseCreate(
                name="",
                status=SecurityMonitoringRuleSeverity.INFO,
                notifications=[],
                condition="a > 0",
            ),
        ],
        has_extended_title=True,
        is_enabled=True,
        message="My security monitoring rule message.",
        name="My security monitoring rule.",
        options=SecurityMonitoringRuleOptions(
            decrease_criticality_based_on_env=False,
            detection_method=SecurityMonitoringRuleDetectionMethod.THRESHOLD,
            evaluation_window=SecurityMonitoringRuleEvaluationWindow.ZERO_MINUTES,
            keep_alive=SecurityMonitoringRuleKeepAlive.ZERO_MINUTES,
            max_signal_duration=SecurityMonitoringRuleMaxSignalDuration.ZERO_MINUTES,
        ),
        queries=[
            SecurityMonitoringStandardRuleQuery(
                query="source:source_here",
                group_by_fields=[
                    "@userIdentity.assumed_role",
                ],
                distinct_fields=[],
                aggregation=SecurityMonitoringRuleQueryAggregation.COUNT,
                name="",
            ),
        ],
        tags=[
            "env:prod",
            "team:security",
        ],
        type=SecurityMonitoringRuleTypeTest.LOG_DETECTION,
    ),
    rule_query_payloads=[
        SecurityMonitoringRuleQueryPayload(
            expected_result=True,
            index=0,
            payload=SecurityMonitoringRuleQueryPayloadData(
                ddsource="source_here",
                ddtags="env:staging,version:5.1",
                hostname="i-012345678",
                message="2019-11-19T14:37:58,995 INFO [process.name][20081] Hello World",
                service="payment",
                user_identity=dict([("assumed_role", "fake assumed_role")]),
            ),
        ),
    ],
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.test_security_monitoring_rule(body=body)

    print(response)

    Instructions

    First install the library and its dependencies and then save the example to example.py and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
    # Test a rule returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

body = DatadogAPIClient::V2::SecurityMonitoringRuleTestRequest.new({
  rule: DatadogAPIClient::V2::SecurityMonitoringStandardRuleTestPayload.new({
    cases: [
      DatadogAPIClient::V2::SecurityMonitoringRuleCaseCreate.new({
        name: "",
        status: DatadogAPIClient::V2::SecurityMonitoringRuleSeverity::INFO,
        notifications: [],
        condition: "a > 0",
      }),
    ],
    has_extended_title: true,
    is_enabled: true,
    message: "My security monitoring rule message.",
    name: "My security monitoring rule.",
    options: DatadogAPIClient::V2::SecurityMonitoringRuleOptions.new({
      decrease_criticality_based_on_env: false,
      detection_method: DatadogAPIClient::V2::SecurityMonitoringRuleDetectionMethod::THRESHOLD,
      evaluation_window: DatadogAPIClient::V2::SecurityMonitoringRuleEvaluationWindow::ZERO_MINUTES,
      keep_alive: DatadogAPIClient::V2::SecurityMonitoringRuleKeepAlive::ZERO_MINUTES,
      max_signal_duration: DatadogAPIClient::V2::SecurityMonitoringRuleMaxSignalDuration::ZERO_MINUTES,
    }),
    queries: [
      DatadogAPIClient::V2::SecurityMonitoringStandardRuleQuery.new({
        query: "source:source_here",
        group_by_fields: [
          "@userIdentity.assumed_role",
        ],
        distinct_fields: [],
        aggregation: DatadogAPIClient::V2::SecurityMonitoringRuleQueryAggregation::COUNT,
        name: "",
      }),
    ],
    tags: [
      "env:prod",
      "team:security",
    ],
    type: DatadogAPIClient::V2::SecurityMonitoringRuleTypeTest::LOG_DETECTION,
  }),
  rule_query_payloads: [
    DatadogAPIClient::V2::SecurityMonitoringRuleQueryPayload.new({
      expected_result: true,
      index: 0,
      payload: DatadogAPIClient::V2::SecurityMonitoringRuleQueryPayloadData.new({
        ddsource: "source_here",
        ddtags: "env:staging,version:5.1",
        hostname: "i-012345678",
        message: "2019-11-19T14:37:58,995 INFO [process.name][20081] Hello World",
        service: "payment",
      }),
    }),
  ],
})
p api_instance.test_security_monitoring_rule(body)

    Instructions

    First install the library and its dependencies and then save the example to example.rb and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" rb "example.rb"
    // Test a rule returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleCaseCreate;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleDetectionMethod;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleEvaluationWindow;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleKeepAlive;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleMaxSignalDuration;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleOptions;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleQueryAggregation;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleQueryPayload;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleQueryPayloadData;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleSeverity;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleTestPayload;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleTestRequest;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleTypeTest;
use datadog_api_client::datadogV2::model::SecurityMonitoringStandardRuleQuery;
use datadog_api_client::datadogV2::model::SecurityMonitoringStandardRuleTestPayload;

#[tokio::main]
async fn main() {
    let body = SecurityMonitoringRuleTestRequest::new()
        .rule(
            SecurityMonitoringRuleTestPayload::SecurityMonitoringStandardRuleTestPayload(Box::new(
                SecurityMonitoringStandardRuleTestPayload::new(
                    vec![SecurityMonitoringRuleCaseCreate::new(
                        SecurityMonitoringRuleSeverity::INFO,
                    )
                    .condition("a > 0".to_string())
                    .name("".to_string())
                    .notifications(vec![])],
                    true,
                    "My security monitoring rule message.".to_string(),
                    "My security monitoring rule.".to_string(),
                    SecurityMonitoringRuleOptions::new()
                        .decrease_criticality_based_on_env(false)
                        .detection_method(SecurityMonitoringRuleDetectionMethod::THRESHOLD)
                        .evaluation_window(SecurityMonitoringRuleEvaluationWindow::ZERO_MINUTES)
                        .keep_alive(SecurityMonitoringRuleKeepAlive::ZERO_MINUTES)
                        .max_signal_duration(SecurityMonitoringRuleMaxSignalDuration::ZERO_MINUTES),
                    vec![SecurityMonitoringStandardRuleQuery::new()
                        .aggregation(SecurityMonitoringRuleQueryAggregation::COUNT)
                        .distinct_fields(vec![])
                        .group_by_fields(vec!["@userIdentity.assumed_role".to_string()])
                        .name("".to_string())
                        .query("source:source_here".to_string())],
                )
                .has_extended_title(true)
                .tags(vec!["env:prod".to_string(), "team:security".to_string()])
                .type_(SecurityMonitoringRuleTypeTest::LOG_DETECTION),
            )),
        )
        .rule_query_payloads(vec![SecurityMonitoringRuleQueryPayload::new()
            .expected_result(true)
            .index(0)
            .payload(
                SecurityMonitoringRuleQueryPayloadData::new()
                    .ddsource("source_here".to_string())
                    .ddtags("env:staging,version:5.1".to_string())
                    .hostname("i-012345678".to_string())
                    .message(
                        "2019-11-19T14:37:58,995 INFO [process.name][20081] Hello World"
                            .to_string(),
                    )
                    .service("payment".to_string()),
            )]);
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api.test_security_monitoring_rule(body).await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}

    Instructions

    First install the library and its dependencies and then save the example to src/main.rs and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run
    /**
 * Test a rule returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiTestSecurityMonitoringRuleRequest = {
  body: {
    rule: {
      cases: [
        {
          name: "",
          status: "info",
          notifications: [],
          condition: "a > 0",
        },
      ],
      hasExtendedTitle: true,
      isEnabled: true,
      message: "My security monitoring rule message.",
      name: "My security monitoring rule.",
      options: {
        decreaseCriticalityBasedOnEnv: false,
        detectionMethod: "threshold",
        evaluationWindow: 0,
        keepAlive: 0,
        maxSignalDuration: 0,
      },
      queries: [
        {
          query: "source:source_here",
          groupByFields: ["@userIdentity.assumed_role"],
          distinctFields: [],
          aggregation: "count",
          name: "",
        },
      ],
      tags: ["env:prod", "team:security"],
      type: "log_detection",
    },
    ruleQueryPayloads: [
      {
        expectedResult: true,
        index: 0,
        payload: {
          ddsource: "source_here",
          ddtags: "env:staging,version:5.1",
          hostname: "i-012345678",
          message:
            "2019-11-19T14:37:58,995 INFO [process.name][20081] Hello World",
          service: "payment",
        },
      },
    ],
  },
};

apiInstance
  .testSecurityMonitoringRule(params)
  .then((data: v2.SecurityMonitoringRuleTestResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

    Instructions

    First install the library and its dependencies and then save the example to example.ts and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"

    Validate a detection rule

    POST https://api.ap1.datadoghq.com/api/v2/security_monitoring/rules/validationhttps://api.ap2.datadoghq.com/api/v2/security_monitoring/rules/validationhttps://api.datadoghq.eu/api/v2/security_monitoring/rules/validationhttps://api.ddog-gov.com/api/v2/security_monitoring/rules/validationhttps://api.datadoghq.com/api/v2/security_monitoring/rules/validationhttps://api.us3.datadoghq.com/api/v2/security_monitoring/rules/validationhttps://api.us5.datadoghq.com/api/v2/security_monitoring/rules/validation

    Overview

    Validate a detection rule. This endpoint requires the security_monitoring_rules_write permission.

    OAuth apps require the security_monitoring_rules_write authorization scope to access this endpoint.

    Request

    Body Data (required)

    Expand All

    Field

    Type

    Description

    Option 1

    object

    The payload of a rule.

    calculatedFields

    [object]

    Calculated fields. Only allowed for scheduled rules - in other words, when schedulingOptions is also defined.

    expression [required]

    string

    Expression.

    name [required]

    string

    Field name.

    cases [required]

    [object]

    Cases for generating signals.

    actions

    [object]

    Action to perform for each rule case.

    options

    object

    Options for the rule action

    duration

    int64

    Duration of the action in seconds. 0 indicates no expiration.

    flaggedIPType

    enum

    Used with the case action of type 'flag_ip'. The value specified in this field is applied as a flag to the IP addresses. Allowed enum values: SUSPICIOUS,FLAGGED

    userBehaviorName

    string

    Used with the case action of type 'user_behavior'. The value specified in this field is applied as a risk tag to all users affected by the rule.

    type

    enum

    The action type. Allowed enum values: block_ip,block_user,user_behavior,flag_ip

    condition

    string

    A case contains logical operations (>,>=, &&, ||) to determine if a signal should be generated based on the event counts in the previously defined queries.

    name

    string

    Name of the case.

    notifications

    [string]

    Notification targets.

    status [required]

    enum

    Severity of the Security Signal. Allowed enum values: info,low,medium,high,critical

    customMessage

    string

    Custom/Overridden message for generated signals (used in case of Default rule update).

    customName

    string

    Custom/Overridden name of the rule (used in case of Default rule update).

    filters

    [object]

    Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules.

    action

    enum

    The type of filtering action. Allowed enum values: require,suppress

    query

    string

    Query for selecting logs to apply the filtering action.

    groupSignalsBy

    [string]

    Additional grouping to perform on top of the existing groups in the query section. Must be a subset of the existing groups.

    hasExtendedTitle

    boolean

    Whether the notifications include the triggering group-by values in their title.

    isEnabled [required]

    boolean

    Whether the rule is enabled.

    message [required]

    string

    Message for generated signals.

    name [required]

    string

    The name of the rule.

    options [required]

    object

    Options.

    complianceRuleOptions

    object

    Options for cloud_configuration rules. Fields resourceType and regoRule are mandatory when managing custom cloud_configuration rules.

    complexRule

    boolean

    Whether the rule is a complex one. Must be set to true if regoRule.resourceTypes contains more than one item. Defaults to false.

    regoRule

    object

    Rule details.

    policy [required]

    string

    The policy written in rego, see: https://www.openpolicyagent.org/docs/latest/policy-language/

    resourceTypes [required]

    [string]

    List of resource types that will be evaluated upon. Must have at least one element.

    resourceType

    string

    Main resource type to be checked by the rule. It should be specified again in regoRule.resourceTypes.

    decreaseCriticalityBasedOnEnv

    boolean

    If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise. The severity is decreased by one level: CRITICAL in production becomes HIGH in non-production, HIGH becomes MEDIUM and so on. INFO remains INFO. The decrement is applied when the environment tag of the signal starts with staging, test or dev.

    detectionMethod

    enum

    The detection method. Allowed enum values: threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold,sequence_detection

    evaluationWindow

    enum

    A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400

    hardcodedEvaluatorType

    enum

    Hardcoded evaluator type. Allowed enum values: log4shell

    impossibleTravelOptions

    object

    Options on impossible travel detection method.

    baselineUserLocations

    boolean

    If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.

    keepAlive

    enum

    Once a signal is generated, the signal will remain "open" if a case is matched at least once within this keep alive window. For third party detection method, this field is not used. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400

    maxSignalDuration

    enum

    A signal will "close" regardless of the query being matched once the time exceeds the maximum duration. This time is calculated from the first seen timestamp. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400

    newValueOptions

    object

    Options on new value detection method.

    forgetAfter

    enum

    The duration in days after which a learned value is forgotten. Allowed enum values: 1,2,7,14,21,28

    learningDuration

    enum

    The duration in days during which values are learned, and after which signals will be generated for values that weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned. Allowed enum values: 0,1,7

    learningMethod

    enum

    The learning method used to determine when signals should be generated for values that weren't learned. Allowed enum values: duration,threshold

    default: duration

    learningThreshold

    enum

    A number of occurrences after which signals will be generated for values that weren't learned. Allowed enum values: 0,1

    sequenceDetectionOptions

    object

    Options on sequence detection method.

    stepTransitions

    [object]

    Transitions defining the allowed order of steps and their evaluation windows.

    child

    string

    Name of the child step.

    evaluationWindow

    enum

    A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400

    parent

    string

    Name of the parent step.

    steps

    [object]

    Steps that define the conditions to be matched in sequence.

    condition

    string

    Condition referencing rule queries (e.g., a > 0).

    evaluationWindow

    enum

    A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400

    name

    string

    Unique name identifying the step.

    thirdPartyRuleOptions

    object

    Options on third party detection method.

    defaultNotifications

    [string]

    Notification targets for the logs that do not correspond to any of the cases.

    defaultStatus

    enum

    Severity of the Security Signal. Allowed enum values: info,low,medium,high,critical

    rootQueries

    [object]

    Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.

    groupByFields

    [string]

    Fields to group by.

    query

    string

    Query to run on logs.

    signalTitleTemplate

    string

    A template for the signal title; if omitted, the title is generated based on the case name.

    queries [required]

    [object]

    Queries for selecting logs which are part of the rule.

    aggregation

    enum

    The aggregation type. Allowed enum values: count,cardinality,sum,max,new_value,geo_data,event_count,none

    customQueryExtension

    string

    Query extension to append to the logs query.

    dataSource

    enum

    Source of events, either logs, audit trail, or Datadog events. Allowed enum values: logs,audit,app_sec_spans,spans,security_runtime,network,events

    default: logs

    distinctFields

    [string]

    Field for which the cardinality is measured. Sent as an array.

    groupByFields

    [string]

    Fields to group by.

    hasOptionalGroupByFields

    boolean

    When false, events without a group-by value are ignored by the rule. When true, events with missing group-by fields are processed with N/A, replacing the missing values.

    index

    string

    This field is currently unstable and might be removed in a minor version upgrade. The index to run the query on, if the dataSource is logs. Only used for scheduled rules - in other words, when the schedulingOptions field is present in the rule payload.

    indexes

    [string]

    List of indexes to query when the dataSource is logs. Only used for scheduled rules, such as when the schedulingOptions field is present in the rule payload.

    metric

    string

    DEPRECATED: (Deprecated) The target field to aggregate over when using the sum or max aggregations. metrics field should be used instead.

    metrics

    [string]

    Group of target fields to aggregate over when using the sum, max, geo data, or new value aggregations. The sum, max, and geo data aggregations only accept one value in this list, whereas the new value aggregation accepts up to five values.

    name

    string

    Name of the query.

    query

    string

    Query to run on logs.

    referenceTables

    [object]

    Reference tables for the rule.

    checkPresence

    boolean

    Whether to include or exclude the matched values.

    columnName

    string

    The name of the column in the reference table.

    logFieldPath

    string

    The field in the log to match against the reference table.

    ruleQueryName

    string

    The name of the query to apply the reference table to.

    tableName

    string

    The name of the reference table.

    schedulingOptions

    object

    Options for scheduled rules. When this field is present, the rule runs based on the schedule. When absent, it runs real-time on ingested logs.

    rrule

    string

    Schedule for the rule queries, written in RRULE syntax. See RFC for syntax reference.

    start

    string

    Start date for the schedule, in ISO 8601 format without timezone.

    timezone

    string

    Time zone of the start date, in the tz database format.

    tags

    [string]

    Tags for generated signals.

    thirdPartyCases

    [object]

    Cases for generating signals from third-party rules. Only available for third-party rules.

    name

    string

    Name of the case.

    notifications

    [string]

    Notification targets for each case.

    query

    string

    A query to map a third party event to this case.

    status [required]

    enum

    Severity of the Security Signal. Allowed enum values: info,low,medium,high,critical

    type

    enum

    The rule type. Allowed enum values: api_security,application_security,log_detection,workload_security

    Option 2

    object

    The payload of a signal correlation rule.

    cases [required]

    [object]

    Cases for generating signals.

    actions

    [object]

    Action to perform for each rule case.

    options

    object

    Options for the rule action

    duration

    int64

    Duration of the action in seconds. 0 indicates no expiration.

    flaggedIPType

    enum

    Used with the case action of type 'flag_ip'. The value specified in this field is applied as a flag to the IP addresses. Allowed enum values: SUSPICIOUS,FLAGGED

    userBehaviorName

    string

    Used with the case action of type 'user_behavior'. The value specified in this field is applied as a risk tag to all users affected by the rule.

    type

    enum

    The action type. Allowed enum values: block_ip,block_user,user_behavior,flag_ip

    condition

    string

    A case contains logical operations (>,>=, &&, ||) to determine if a signal should be generated based on the event counts in the previously defined queries.

    name

    string

    Name of the case.

    notifications

    [string]

    Notification targets.

    status [required]

    enum

    Severity of the Security Signal. Allowed enum values: info,low,medium,high,critical

    customMessage

    string

    Custom/Overridden message for generated signals (used in case of Default rule update).

    customName

    string

    Custom/Overridden name of the rule (used in case of Default rule update).

    filters

    [object]

    Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules.

    action

    enum

    The type of filtering action. Allowed enum values: require,suppress

    query

    string

    Query for selecting logs to apply the filtering action.

    hasExtendedTitle

    boolean

    Whether the notifications include the triggering group-by values in their title.

    isEnabled [required]

    boolean

    Whether the rule is enabled.

    message [required]

    string

    Message for generated signals.

    name [required]

    string

    The name of the rule.

    options [required]

    object

    Options.

    complianceRuleOptions

    object

    Options for cloud_configuration rules. Fields resourceType and regoRule are mandatory when managing custom cloud_configuration rules.

    complexRule

    boolean

    Whether the rule is a complex one. Must be set to true if regoRule.resourceTypes contains more than one item. Defaults to false.

    regoRule

    object

    Rule details.

    policy [required]

    string

    The policy written in rego, see: https://www.openpolicyagent.org/docs/latest/policy-language/

    resourceTypes [required]

    [string]

    List of resource types that will be evaluated upon. Must have at least one element.

    resourceType

    string

    Main resource type to be checked by the rule. It should be specified again in regoRule.resourceTypes.

    decreaseCriticalityBasedOnEnv

    boolean

    If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise. The severity is decreased by one level: CRITICAL in production becomes HIGH in non-production, HIGH becomes MEDIUM and so on. INFO remains INFO. The decrement is applied when the environment tag of the signal starts with staging, test or dev.

    detectionMethod

    enum

    The detection method. Allowed enum values: threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold,sequence_detection

    evaluationWindow

    enum

    A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400

    hardcodedEvaluatorType

    enum

    Hardcoded evaluator type. Allowed enum values: log4shell

    impossibleTravelOptions

    object

    Options on impossible travel detection method.

    baselineUserLocations

    boolean

    If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.

    keepAlive

    enum

    Once a signal is generated, the signal will remain "open" if a case is matched at least once within this keep alive window. For third party detection method, this field is not used. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400

    maxSignalDuration

    enum

    A signal will "close" regardless of the query being matched once the time exceeds the maximum duration. This time is calculated from the first seen timestamp. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400

    newValueOptions

    object

    Options on new value detection method.

    forgetAfter

    enum

    The duration in days after which a learned value is forgotten. Allowed enum values: 1,2,7,14,21,28

    learningDuration

    enum

    The duration in days during which values are learned, and after which signals will be generated for values that weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned. Allowed enum values: 0,1,7

    learningMethod

    enum

    The learning method used to determine when signals should be generated for values that weren't learned. Allowed enum values: duration,threshold

    default: duration

    learningThreshold

    enum

    A number of occurrences after which signals will be generated for values that weren't learned. Allowed enum values: 0,1

    sequenceDetectionOptions

    object

    Options on sequence detection method.

    stepTransitions

    [object]

    Transitions defining the allowed order of steps and their evaluation windows.

    child

    string

    Name of the child step.

    evaluationWindow

    enum

    A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400

    parent

    string

    Name of the parent step.

    steps

    [object]

    Steps that define the conditions to be matched in sequence.

    condition

    string

    Condition referencing rule queries (e.g., a > 0).

    evaluationWindow

    enum

    A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400

    name

    string

    Unique name identifying the step.

    thirdPartyRuleOptions

    object

    Options on third party detection method.

    defaultNotifications

    [string]

    Notification targets for the logs that do not correspond to any of the cases.

    defaultStatus

    enum

    Severity of the Security Signal. Allowed enum values: info,low,medium,high,critical

    rootQueries

    [object]

    Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.

    groupByFields

    [string]

    Fields to group by.

    query

    string

    Query to run on logs.

    signalTitleTemplate

    string

    A template for the signal title; if omitted, the title is generated based on the case name.

    queries [required]

    [object]

    Queries for selecting signals which are part of the rule.

    aggregation

    enum

    The aggregation type. Allowed enum values: count,cardinality,sum,max,new_value,geo_data,event_count,none

    correlatedByFields

    [string]

    Fields to group by.

    correlatedQueryIndex

    int32

    Index of the rule query used to retrieve the correlated field.

    metrics

    [string]

    Group of target fields to aggregate over.

    name

    string

    Name of the query.

    ruleId [required]

    string

    Rule ID to match on signals.

    tags

    [string]

    Tags for generated signals.

    type

    enum

    The rule type. Allowed enum values: signal_correlation

    Option 3

    object

    The payload of a cloud configuration rule.

    cases [required]

    [object]

    Description of generated findings and signals (severity and channels to be notified in case of a signal). Must contain exactly one item.

    notifications

    [string]

    Notification targets for each rule case.

    status [required]

    enum

    Severity of the Security Signal. Allowed enum values: info,low,medium,high,critical

    complianceSignalOptions [required]

    object

    How to generate compliance signals. Useful for cloud_configuration rules only.

    defaultActivationStatus

    boolean

    The default activation status.

    defaultGroupByFields

    [string]

    The default group by fields.

    userActivationStatus

    boolean

    Whether signals will be sent.

    userGroupByFields

    [string]

    Fields to use to group findings by when sending signals.

    customMessage

    string

    Custom/Overridden message for generated signals (used in case of Default rule update).

    customName

    string

    Custom/Overridden name of the rule (used in case of Default rule update).

    filters

    [object]

    Additional queries to filter matched events before they are processed.

    action

    enum

    The type of filtering action. Allowed enum values: require,suppress

    query

    string

    Query for selecting logs to apply the filtering action.

    isEnabled [required]

    boolean

    Whether the rule is enabled.

    message [required]

    string

    Message in markdown format for generated findings and signals.

    name [required]

    string

    The name of the rule.

    options [required]

    object

    Options on cloud configuration rules.

    complianceRuleOptions [required]

    object

    Options for cloud_configuration rules. Fields resourceType and regoRule are mandatory when managing custom cloud_configuration rules.

    complexRule

    boolean

    Whether the rule is a complex one. Must be set to true if regoRule.resourceTypes contains more than one item. Defaults to false.

    regoRule

    object

    Rule details.

    policy [required]

    string

    The policy written in rego, see: https://www.openpolicyagent.org/docs/latest/policy-language/

    resourceTypes [required]

    [string]

    List of resource types that will be evaluated upon. Must have at least one element.

    resourceType

    string

    Main resource type to be checked by the rule. It should be specified again in regoRule.resourceTypes.

    tags

    [string]

    Tags for generated findings and signals.

    type

    enum

    The rule type. Allowed enum values: cloud_configuration

    {
  "cases": [
    {
      "name": "",
      "status": "info",
      "notifications": [],
      "condition": "a > 0"
    }
  ],
  "hasExtendedTitle": true,
  "isEnabled": true,
  "message": "My security monitoring rule",
  "name": "My security monitoring rule",
  "options": {
    "evaluationWindow": 1800,
    "keepAlive": 1800,
    "maxSignalDuration": 1800,
    "detectionMethod": "threshold"
  },
  "queries": [
    {
      "query": "source:source_here",
      "groupByFields": [
        "@userIdentity.assumed_role"
      ],
      "distinctFields": [],
      "aggregation": "count",
      "name": ""
    }
  ],
  "tags": [
    "env:prod",
    "team:security"
  ],
  "type": "log_detection"
}
    {
  "cases": [
    {
      "name": "",
      "status": "info",
      "notifications": [],
      "condition": "step_b > 0"
    }
  ],
  "hasExtendedTitle": true,
  "isEnabled": true,
  "message": "My security monitoring rule",
  "name": "My security monitoring rule",
  "options": {
    "evaluationWindow": 0,
    "keepAlive": 300,
    "maxSignalDuration": 600,
    "detectionMethod": "sequence_detection",
    "sequenceDetectionOptions": {
      "stepTransitions": [
        {
          "child": "step_b",
          "evaluationWindow": 900,
          "parent": "step_a"
        }
      ],
      "steps": [
        {
          "condition": "a > 0",
          "evaluationWindow": 60,
          "name": "step_a"
        },
        {
          "condition": "b > 0",
          "evaluationWindow": 60,
          "name": "step_b"
        }
      ]
    }
  },
  "queries": [
    {
      "query": "source:source_here",
      "groupByFields": [
        "@userIdentity.assumed_role"
      ],
      "distinctFields": [],
      "aggregation": "count",
      "name": ""
    },
    {
      "query": "source:source_here2",
      "groupByFields": [],
      "distinctFields": [],
      "aggregation": "count",
      "name": ""
    }
  ],
  "tags": [
    "env:prod",
    "team:security"
  ],
  "type": "log_detection"
}

    Response

    OK

    Bad Request

    API error response.

    Expand All

    Field

    Type

    Description

    errors [required]

    [string]

    A list of errors.

    {
  "errors": [
    "Bad Request"
  ]
}

    Not Authorized

    API error response.

    Expand All

    Field

    Type

    Description

    errors [required]

    [string]

    A list of errors.

    {
  "errors": [
    "Bad Request"
  ]
}

    Too many requests

    API error response.

    Expand All

    Field

    Type

    Description

    errors [required]

    [string]

    A list of errors.

    {
  "errors": [
    "Bad Request"
  ]
}

    Code Example

                              # Curl command
    curl -X POST "https://api.ap1.datadoghq.com"https://api.ap2.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/rules/validation" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "cases": [
    {
      "name": "",
      "status": "info",
      "notifications": [],
      "condition": "a > 0"
    }
  ],
  "hasExtendedTitle": true,
  "isEnabled": true,
  "message": "My security monitoring rule",
  "name": "My security monitoring rule",
  "options": {
    "evaluationWindow": 1800,
    "keepAlive": 1800,
    "maxSignalDuration": 1800,
    "detectionMethod": "threshold"
  },
  "queries": [
    {
      "query": "source:source_here",
      "groupByFields": [
        "@userIdentity.assumed_role"
      ],
      "distinctFields": [],
      "aggregation": "count",
      "name": ""
    }
  ],
  "tags": [
    "env:prod",
    "team:security"
  ],
  "type": "log_detection"
}
EOF
    
                        
                              # Curl command
    curl -X POST "https://api.ap1.datadoghq.com"https://api.ap2.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/rules/validation" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "cases": [
    {
      "name": "",
      "status": "info",
      "notifications": [],
      "condition": "step_b > 0"
    }
  ],
  "hasExtendedTitle": true,
  "isEnabled": true,
  "message": "My security monitoring rule",
  "name": "My security monitoring rule",
  "options": {
    "evaluationWindow": 0,
    "keepAlive": 300,
    "maxSignalDuration": 600,
    "detectionMethod": "sequence_detection",
    "sequenceDetectionOptions": {
      "stepTransitions": [
        {
          "child": "step_b",
          "evaluationWindow": 900,
          "parent": "step_a"
        }
      ],
      "steps": [
        {
          "condition": "a > 0",
          "evaluationWindow": 60,
          "name": "step_a"
        },
        {
          "condition": "b > 0",
          "evaluationWindow": 60,
          "name": "step_b"
        }
      ]
    }
  },
  "queries": [
    {
      "query": "source:source_here",
      "groupByFields": [
        "@userIdentity.assumed_role"
      ],
      "distinctFields": [],
      "aggregation": "count",
      "name": ""
    },
    {
      "query": "source:source_here2",
      "groupByFields": [],
      "distinctFields": [],
      "aggregation": "count",
      "name": ""
    }
  ],
  "tags": [
    "env:prod",
    "team:security"
  ],
  "type": "log_detection"
}
EOF
    
                        
    // Validate a detection rule returns "OK" response

package main

import (
	"context"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	body := datadogV2.SecurityMonitoringRuleValidatePayload{
		SecurityMonitoringStandardRulePayload: &datadogV2.SecurityMonitoringStandardRulePayload{
			Cases: []datadogV2.SecurityMonitoringRuleCaseCreate{
				{
					Name:          datadog.PtrString(""),
					Status:        datadogV2.SECURITYMONITORINGRULESEVERITY_INFO,
					Notifications: []string{},
					Condition:     datadog.PtrString("a > 0"),
				},
			},
			HasExtendedTitle: datadog.PtrBool(true),
			IsEnabled:        true,
			Message:          "My security monitoring rule",
			Name:             "My security monitoring rule",
			Options: datadogV2.SecurityMonitoringRuleOptions{
				EvaluationWindow:  datadogV2.SECURITYMONITORINGRULEEVALUATIONWINDOW_THIRTY_MINUTES.Ptr(),
				KeepAlive:         datadogV2.SECURITYMONITORINGRULEKEEPALIVE_THIRTY_MINUTES.Ptr(),
				MaxSignalDuration: datadogV2.SECURITYMONITORINGRULEMAXSIGNALDURATION_THIRTY_MINUTES.Ptr(),
				DetectionMethod:   datadogV2.SECURITYMONITORINGRULEDETECTIONMETHOD_THRESHOLD.Ptr(),
			},
			Queries: []datadogV2.SecurityMonitoringStandardRuleQuery{
				{
					Query: datadog.PtrString("source:source_here"),
					GroupByFields: []string{
						"@userIdentity.assumed_role",
					},
					DistinctFields: []string{},
					Aggregation:    datadogV2.SECURITYMONITORINGRULEQUERYAGGREGATION_COUNT.Ptr(),
					Name:           datadog.PtrString(""),
				},
			},
			Tags: []string{
				"env:prod",
				"team:security",
			},
			Type: datadogV2.SECURITYMONITORINGRULETYPECREATE_LOG_DETECTION.Ptr(),
		}}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	r, err := api.ValidateSecurityMonitoringRule(ctx, body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.ValidateSecurityMonitoringRule`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}
}

    // Validate a detection rule with detection method 'sequence_detection' returns "OK" response

package main

import (
	"context"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	body := datadogV2.SecurityMonitoringRuleValidatePayload{
		SecurityMonitoringStandardRulePayload: &datadogV2.SecurityMonitoringStandardRulePayload{
			Cases: []datadogV2.SecurityMonitoringRuleCaseCreate{
				{
					Name:          datadog.PtrString(""),
					Status:        datadogV2.SECURITYMONITORINGRULESEVERITY_INFO,
					Notifications: []string{},
					Condition:     datadog.PtrString("step_b > 0"),
				},
			},
			HasExtendedTitle: datadog.PtrBool(true),
			IsEnabled:        true,
			Message:          "My security monitoring rule",
			Name:             "My security monitoring rule",
			Options: datadogV2.SecurityMonitoringRuleOptions{
				EvaluationWindow:  datadogV2.SECURITYMONITORINGRULEEVALUATIONWINDOW_ZERO_MINUTES.Ptr(),
				KeepAlive:         datadogV2.SECURITYMONITORINGRULEKEEPALIVE_FIVE_MINUTES.Ptr(),
				MaxSignalDuration: datadogV2.SECURITYMONITORINGRULEMAXSIGNALDURATION_TEN_MINUTES.Ptr(),
				DetectionMethod:   datadogV2.SECURITYMONITORINGRULEDETECTIONMETHOD_SEQUENCE_DETECTION.Ptr(),
				SequenceDetectionOptions: &datadogV2.SecurityMonitoringRuleSequenceDetectionOptions{
					StepTransitions: []datadogV2.SecurityMonitoringRuleSequenceDetectionStepTransition{
						{
							Child:            datadog.PtrString("step_b"),
							EvaluationWindow: datadogV2.SECURITYMONITORINGRULEEVALUATIONWINDOW_FIFTEEN_MINUTES.Ptr(),
							Parent:           datadog.PtrString("step_a"),
						},
					},
					Steps: []datadogV2.SecurityMonitoringRuleSequenceDetectionStep{
						{
							Condition:        datadog.PtrString("a > 0"),
							EvaluationWindow: datadogV2.SECURITYMONITORINGRULEEVALUATIONWINDOW_ONE_MINUTE.Ptr(),
							Name:             datadog.PtrString("step_a"),
						},
						{
							Condition:        datadog.PtrString("b > 0"),
							EvaluationWindow: datadogV2.SECURITYMONITORINGRULEEVALUATIONWINDOW_ONE_MINUTE.Ptr(),
							Name:             datadog.PtrString("step_b"),
						},
					},
				},
			},
			Queries: []datadogV2.SecurityMonitoringStandardRuleQuery{
				{
					Query: datadog.PtrString("source:source_here"),
					GroupByFields: []string{
						"@userIdentity.assumed_role",
					},
					DistinctFields: []string{},
					Aggregation:    datadogV2.SECURITYMONITORINGRULEQUERYAGGREGATION_COUNT.Ptr(),
					Name:           datadog.PtrString(""),
				},
				{
					Query:          datadog.PtrString("source:source_here2"),
					GroupByFields:  []string{},
					DistinctFields: []string{},
					Aggregation:    datadogV2.SECURITYMONITORINGRULEQUERYAGGREGATION_COUNT.Ptr(),
					Name:           datadog.PtrString(""),
				},
			},
			Tags: []string{
				"env:prod",
				"team:security",
			},
			Type: datadogV2.SECURITYMONITORINGRULETYPECREATE_LOG_DETECTION.Ptr(),
		}}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	r, err := api.ValidateSecurityMonitoringRule(ctx, body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.ValidateSecurityMonitoringRule`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}
}

    Instructions

    First install the library and its dependencies and then save the example to main.go and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
    // Validate a detection rule returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleCaseCreate;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleDetectionMethod;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleEvaluationWindow;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleKeepAlive;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleMaxSignalDuration;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleOptions;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleQueryAggregation;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleSeverity;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleTypeCreate;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleValidatePayload;
import com.datadog.api.client.v2.model.SecurityMonitoringStandardRulePayload;
import com.datadog.api.client.v2.model.SecurityMonitoringStandardRuleQuery;
import java.util.Arrays;
import java.util.Collections;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    SecurityMonitoringRuleValidatePayload body =
        new SecurityMonitoringRuleValidatePayload(
            new SecurityMonitoringStandardRulePayload()
                .cases(
                    Collections.singletonList(
                        new SecurityMonitoringRuleCaseCreate()
                            .name("")
                            .status(SecurityMonitoringRuleSeverity.INFO)
                            .condition("a > 0")))
                .hasExtendedTitle(true)
                .isEnabled(true)
                .message("My security monitoring rule")
                .name("My security monitoring rule")
                .options(
                    new SecurityMonitoringRuleOptions()
                        .evaluationWindow(SecurityMonitoringRuleEvaluationWindow.THIRTY_MINUTES)
                        .keepAlive(SecurityMonitoringRuleKeepAlive.THIRTY_MINUTES)
                        .maxSignalDuration(SecurityMonitoringRuleMaxSignalDuration.THIRTY_MINUTES)
                        .detectionMethod(SecurityMonitoringRuleDetectionMethod.THRESHOLD))
                .queries(
                    Collections.singletonList(
                        new SecurityMonitoringStandardRuleQuery()
                            .query("source:source_here")
                            .groupByFields(Collections.singletonList("@userIdentity.assumed_role"))
                            .aggregation(SecurityMonitoringRuleQueryAggregation.COUNT)
                            .name("")))
                .tags(Arrays.asList("env:prod", "team:security"))
                .type(SecurityMonitoringRuleTypeCreate.LOG_DETECTION));

    try {
      apiInstance.validateSecurityMonitoringRule(body);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#validateSecurityMonitoringRule");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

    // Validate a detection rule with detection method 'sequence_detection' returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleCaseCreate;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleDetectionMethod;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleEvaluationWindow;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleKeepAlive;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleMaxSignalDuration;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleOptions;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleQueryAggregation;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleSequenceDetectionOptions;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleSequenceDetectionStep;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleSequenceDetectionStepTransition;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleSeverity;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleTypeCreate;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleValidatePayload;
import com.datadog.api.client.v2.model.SecurityMonitoringStandardRulePayload;
import com.datadog.api.client.v2.model.SecurityMonitoringStandardRuleQuery;
import java.util.Arrays;
import java.util.Collections;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    SecurityMonitoringRuleValidatePayload body =
        new SecurityMonitoringRuleValidatePayload(
            new SecurityMonitoringStandardRulePayload()
                .cases(
                    Collections.singletonList(
                        new SecurityMonitoringRuleCaseCreate()
                            .name("")
                            .status(SecurityMonitoringRuleSeverity.INFO)
                            .condition("step_b > 0")))
                .hasExtendedTitle(true)
                .isEnabled(true)
                .message("My security monitoring rule")
                .name("My security monitoring rule")
                .options(
                    new SecurityMonitoringRuleOptions()
                        .evaluationWindow(SecurityMonitoringRuleEvaluationWindow.ZERO_MINUTES)
                        .keepAlive(SecurityMonitoringRuleKeepAlive.FIVE_MINUTES)
                        .maxSignalDuration(SecurityMonitoringRuleMaxSignalDuration.TEN_MINUTES)
                        .detectionMethod(SecurityMonitoringRuleDetectionMethod.SEQUENCE_DETECTION)
                        .sequenceDetectionOptions(
                            new SecurityMonitoringRuleSequenceDetectionOptions()
                                .stepTransitions(
                                    Collections.singletonList(
                                        new SecurityMonitoringRuleSequenceDetectionStepTransition()
                                            .child("step_b")
                                            .evaluationWindow(
                                                SecurityMonitoringRuleEvaluationWindow
                                                    .FIFTEEN_MINUTES)
                                            .parent("step_a")))
                                .steps(
                                    Arrays.asList(
                                        new SecurityMonitoringRuleSequenceDetectionStep()
                                            .condition("a > 0")
                                            .evaluationWindow(
                                                SecurityMonitoringRuleEvaluationWindow.ONE_MINUTE)
                                            .name("step_a"),
                                        new SecurityMonitoringRuleSequenceDetectionStep()
                                            .condition("b > 0")
                                            .evaluationWindow(
                                                SecurityMonitoringRuleEvaluationWindow.ONE_MINUTE)
                                            .name("step_b")))))
                .queries(
                    Arrays.asList(
                        new SecurityMonitoringStandardRuleQuery()
                            .query("source:source_here")
                            .groupByFields(Collections.singletonList("@userIdentity.assumed_role"))
                            .aggregation(SecurityMonitoringRuleQueryAggregation.COUNT)
                            .name(""),
                        new SecurityMonitoringStandardRuleQuery()
                            .query("source:source_here2")
                            .aggregation(SecurityMonitoringRuleQueryAggregation.COUNT)
                            .name("")))
                .tags(Arrays.asList("env:prod", "team:security"))
                .type(SecurityMonitoringRuleTypeCreate.LOG_DETECTION));

    try {
      apiInstance.validateSecurityMonitoringRule(body);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#validateSecurityMonitoringRule");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

    Instructions

    First install the library and its dependencies and then save the example to Example.java and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"
    """
Validate a detection rule returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.security_monitoring_rule_case_create import SecurityMonitoringRuleCaseCreate
from datadog_api_client.v2.model.security_monitoring_rule_detection_method import SecurityMonitoringRuleDetectionMethod
from datadog_api_client.v2.model.security_monitoring_rule_evaluation_window import (
    SecurityMonitoringRuleEvaluationWindow,
)
from datadog_api_client.v2.model.security_monitoring_rule_keep_alive import SecurityMonitoringRuleKeepAlive
from datadog_api_client.v2.model.security_monitoring_rule_max_signal_duration import (
    SecurityMonitoringRuleMaxSignalDuration,
)
from datadog_api_client.v2.model.security_monitoring_rule_options import SecurityMonitoringRuleOptions
from datadog_api_client.v2.model.security_monitoring_rule_query_aggregation import (
    SecurityMonitoringRuleQueryAggregation,
)
from datadog_api_client.v2.model.security_monitoring_rule_severity import SecurityMonitoringRuleSeverity
from datadog_api_client.v2.model.security_monitoring_rule_type_create import SecurityMonitoringRuleTypeCreate
from datadog_api_client.v2.model.security_monitoring_standard_rule_payload import SecurityMonitoringStandardRulePayload
from datadog_api_client.v2.model.security_monitoring_standard_rule_query import SecurityMonitoringStandardRuleQuery

body = SecurityMonitoringStandardRulePayload(
    cases=[
        SecurityMonitoringRuleCaseCreate(
            name="",
            status=SecurityMonitoringRuleSeverity.INFO,
            notifications=[],
            condition="a > 0",
        ),
    ],
    has_extended_title=True,
    is_enabled=True,
    message="My security monitoring rule",
    name="My security monitoring rule",
    options=SecurityMonitoringRuleOptions(
        evaluation_window=SecurityMonitoringRuleEvaluationWindow.THIRTY_MINUTES,
        keep_alive=SecurityMonitoringRuleKeepAlive.THIRTY_MINUTES,
        max_signal_duration=SecurityMonitoringRuleMaxSignalDuration.THIRTY_MINUTES,
        detection_method=SecurityMonitoringRuleDetectionMethod.THRESHOLD,
    ),
    queries=[
        SecurityMonitoringStandardRuleQuery(
            query="source:source_here",
            group_by_fields=[
                "@userIdentity.assumed_role",
            ],
            distinct_fields=[],
            aggregation=SecurityMonitoringRuleQueryAggregation.COUNT,
            name="",
        ),
    ],
    tags=[
        "env:prod",
        "team:security",
    ],
    type=SecurityMonitoringRuleTypeCreate.LOG_DETECTION,
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    api_instance.validate_security_monitoring_rule(body=body)

    """
Validate a detection rule with detection method 'sequence_detection' returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.security_monitoring_rule_case_create import SecurityMonitoringRuleCaseCreate
from datadog_api_client.v2.model.security_monitoring_rule_detection_method import SecurityMonitoringRuleDetectionMethod
from datadog_api_client.v2.model.security_monitoring_rule_evaluation_window import (
    SecurityMonitoringRuleEvaluationWindow,
)
from datadog_api_client.v2.model.security_monitoring_rule_keep_alive import SecurityMonitoringRuleKeepAlive
from datadog_api_client.v2.model.security_monitoring_rule_max_signal_duration import (
    SecurityMonitoringRuleMaxSignalDuration,
)
from datadog_api_client.v2.model.security_monitoring_rule_options import SecurityMonitoringRuleOptions
from datadog_api_client.v2.model.security_monitoring_rule_query_aggregation import (
    SecurityMonitoringRuleQueryAggregation,
)
from datadog_api_client.v2.model.security_monitoring_rule_sequence_detection_options import (
    SecurityMonitoringRuleSequenceDetectionOptions,
)
from datadog_api_client.v2.model.security_monitoring_rule_sequence_detection_step import (
    SecurityMonitoringRuleSequenceDetectionStep,
)
from datadog_api_client.v2.model.security_monitoring_rule_sequence_detection_step_transition import (
    SecurityMonitoringRuleSequenceDetectionStepTransition,
)
from datadog_api_client.v2.model.security_monitoring_rule_severity import SecurityMonitoringRuleSeverity
from datadog_api_client.v2.model.security_monitoring_rule_type_create import SecurityMonitoringRuleTypeCreate
from datadog_api_client.v2.model.security_monitoring_standard_rule_payload import SecurityMonitoringStandardRulePayload
from datadog_api_client.v2.model.security_monitoring_standard_rule_query import SecurityMonitoringStandardRuleQuery

body = SecurityMonitoringStandardRulePayload(
    cases=[
        SecurityMonitoringRuleCaseCreate(
            name="",
            status=SecurityMonitoringRuleSeverity.INFO,
            notifications=[],
            condition="step_b > 0",
        ),
    ],
    has_extended_title=True,
    is_enabled=True,
    message="My security monitoring rule",
    name="My security monitoring rule",
    options=SecurityMonitoringRuleOptions(
        evaluation_window=SecurityMonitoringRuleEvaluationWindow.ZERO_MINUTES,
        keep_alive=SecurityMonitoringRuleKeepAlive.FIVE_MINUTES,
        max_signal_duration=SecurityMonitoringRuleMaxSignalDuration.TEN_MINUTES,
        detection_method=SecurityMonitoringRuleDetectionMethod.SEQUENCE_DETECTION,
        sequence_detection_options=SecurityMonitoringRuleSequenceDetectionOptions(
            step_transitions=[
                SecurityMonitoringRuleSequenceDetectionStepTransition(
                    child="step_b",
                    evaluation_window=SecurityMonitoringRuleEvaluationWindow.FIFTEEN_MINUTES,
                    parent="step_a",
                ),
            ],
            steps=[
                SecurityMonitoringRuleSequenceDetectionStep(
                    condition="a > 0",
                    evaluation_window=SecurityMonitoringRuleEvaluationWindow.ONE_MINUTE,
                    name="step_a",
                ),
                SecurityMonitoringRuleSequenceDetectionStep(
                    condition="b > 0",
                    evaluation_window=SecurityMonitoringRuleEvaluationWindow.ONE_MINUTE,
                    name="step_b",
                ),
            ],
        ),
    ),
    queries=[
        SecurityMonitoringStandardRuleQuery(
            query="source:source_here",
            group_by_fields=[
                "@userIdentity.assumed_role",
            ],
            distinct_fields=[],
            aggregation=SecurityMonitoringRuleQueryAggregation.COUNT,
            name="",
        ),
        SecurityMonitoringStandardRuleQuery(
            query="source:source_here2",
            group_by_fields=[],
            distinct_fields=[],
            aggregation=SecurityMonitoringRuleQueryAggregation.COUNT,
            name="",
        ),
    ],
    tags=[
        "env:prod",
        "team:security",
    ],
    type=SecurityMonitoringRuleTypeCreate.LOG_DETECTION,
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    api_instance.validate_security_monitoring_rule(body=body)

    Instructions

    First install the library and its dependencies and then save the example to example.py and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
    # Validate a detection rule returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

body = DatadogAPIClient::V2::SecurityMonitoringStandardRulePayload.new({
  cases: [
    DatadogAPIClient::V2::SecurityMonitoringRuleCaseCreate.new({
      name: "",
      status: DatadogAPIClient::V2::SecurityMonitoringRuleSeverity::INFO,
      notifications: [],
      condition: "a > 0",
    }),
  ],
  has_extended_title: true,
  is_enabled: true,
  message: "My security monitoring rule",
  name: "My security monitoring rule",
  options: DatadogAPIClient::V2::SecurityMonitoringRuleOptions.new({
    evaluation_window: DatadogAPIClient::V2::SecurityMonitoringRuleEvaluationWindow::THIRTY_MINUTES,
    keep_alive: DatadogAPIClient::V2::SecurityMonitoringRuleKeepAlive::THIRTY_MINUTES,
    max_signal_duration: DatadogAPIClient::V2::SecurityMonitoringRuleMaxSignalDuration::THIRTY_MINUTES,
    detection_method: DatadogAPIClient::V2::SecurityMonitoringRuleDetectionMethod::THRESHOLD,
  }),
  queries: [
    DatadogAPIClient::V2::SecurityMonitoringStandardRuleQuery.new({
      query: "source:source_here",
      group_by_fields: [
        "@userIdentity.assumed_role",
      ],
      distinct_fields: [],
      aggregation: DatadogAPIClient::V2::SecurityMonitoringRuleQueryAggregation::COUNT,
      name: "",
    }),
  ],
  tags: [
    "env:prod",
    "team:security",
  ],
  type: DatadogAPIClient::V2::SecurityMonitoringRuleTypeCreate::LOG_DETECTION,
})
api_instance.validate_security_monitoring_rule(body)

    # Validate a detection rule with detection method 'sequence_detection' returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

body = DatadogAPIClient::V2::SecurityMonitoringStandardRulePayload.new({
  cases: [
    DatadogAPIClient::V2::SecurityMonitoringRuleCaseCreate.new({
      name: "",
      status: DatadogAPIClient::V2::SecurityMonitoringRuleSeverity::INFO,
      notifications: [],
      condition: "step_b > 0",
    }),
  ],
  has_extended_title: true,
  is_enabled: true,
  message: "My security monitoring rule",
  name: "My security monitoring rule",
  options: DatadogAPIClient::V2::SecurityMonitoringRuleOptions.new({
    evaluation_window: DatadogAPIClient::V2::SecurityMonitoringRuleEvaluationWindow::ZERO_MINUTES,
    keep_alive: DatadogAPIClient::V2::SecurityMonitoringRuleKeepAlive::FIVE_MINUTES,
    max_signal_duration: DatadogAPIClient::V2::SecurityMonitoringRuleMaxSignalDuration::TEN_MINUTES,
    detection_method: DatadogAPIClient::V2::SecurityMonitoringRuleDetectionMethod::SEQUENCE_DETECTION,
    sequence_detection_options: DatadogAPIClient::V2::SecurityMonitoringRuleSequenceDetectionOptions.new({
      step_transitions: [
        DatadogAPIClient::V2::SecurityMonitoringRuleSequenceDetectionStepTransition.new({
          child: "step_b",
          evaluation_window: DatadogAPIClient::V2::SecurityMonitoringRuleEvaluationWindow::FIFTEEN_MINUTES,
          parent: "step_a",
        }),
      ],
      steps: [
        DatadogAPIClient::V2::SecurityMonitoringRuleSequenceDetectionStep.new({
          condition: "a > 0",
          evaluation_window: DatadogAPIClient::V2::SecurityMonitoringRuleEvaluationWindow::ONE_MINUTE,
          name: "step_a",
        }),
        DatadogAPIClient::V2::SecurityMonitoringRuleSequenceDetectionStep.new({
          condition: "b > 0",
          evaluation_window: DatadogAPIClient::V2::SecurityMonitoringRuleEvaluationWindow::ONE_MINUTE,
          name: "step_b",
        }),
      ],
    }),
  }),
  queries: [
    DatadogAPIClient::V2::SecurityMonitoringStandardRuleQuery.new({
      query: "source:source_here",
      group_by_fields: [
        "@userIdentity.assumed_role",
      ],
      distinct_fields: [],
      aggregation: DatadogAPIClient::V2::SecurityMonitoringRuleQueryAggregation::COUNT,
      name: "",
    }),
    DatadogAPIClient::V2::SecurityMonitoringStandardRuleQuery.new({
      query: "source:source_here2",
      group_by_fields: [],
      distinct_fields: [],
      aggregation: DatadogAPIClient::V2::SecurityMonitoringRuleQueryAggregation::COUNT,
      name: "",
    }),
  ],
  tags: [
    "env:prod",
    "team:security",
  ],
  type: DatadogAPIClient::V2::SecurityMonitoringRuleTypeCreate::LOG_DETECTION,
})
api_instance.validate_security_monitoring_rule(body)

    Instructions

    First install the library and its dependencies and then save the example to example.rb and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" rb "example.rb"
    // Validate a detection rule returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleCaseCreate;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleDetectionMethod;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleEvaluationWindow;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleKeepAlive;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleMaxSignalDuration;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleOptions;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleQueryAggregation;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleSeverity;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleTypeCreate;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleValidatePayload;
use datadog_api_client::datadogV2::model::SecurityMonitoringStandardRulePayload;
use datadog_api_client::datadogV2::model::SecurityMonitoringStandardRuleQuery;

#[tokio::main]
async fn main() {
    let body =
        SecurityMonitoringRuleValidatePayload::SecurityMonitoringStandardRulePayload(Box::new(
            SecurityMonitoringStandardRulePayload::new(
                vec![
                    SecurityMonitoringRuleCaseCreate::new(SecurityMonitoringRuleSeverity::INFO)
                        .condition("a > 0".to_string())
                        .name("".to_string())
                        .notifications(vec![]),
                ],
                true,
                "My security monitoring rule".to_string(),
                "My security monitoring rule".to_string(),
                SecurityMonitoringRuleOptions::new()
                    .detection_method(SecurityMonitoringRuleDetectionMethod::THRESHOLD)
                    .evaluation_window(SecurityMonitoringRuleEvaluationWindow::THIRTY_MINUTES)
                    .keep_alive(SecurityMonitoringRuleKeepAlive::THIRTY_MINUTES)
                    .max_signal_duration(SecurityMonitoringRuleMaxSignalDuration::THIRTY_MINUTES),
                vec![SecurityMonitoringStandardRuleQuery::new()
                    .aggregation(SecurityMonitoringRuleQueryAggregation::COUNT)
                    .distinct_fields(vec![])
                    .group_by_fields(vec!["@userIdentity.assumed_role".to_string()])
                    .name("".to_string())
                    .query("source:source_here".to_string())],
            )
            .has_extended_title(true)
            .tags(vec!["env:prod".to_string(), "team:security".to_string()])
            .type_(SecurityMonitoringRuleTypeCreate::LOG_DETECTION),
        ));
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api.validate_security_monitoring_rule(body).await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}

    // Validate a detection rule with detection method 'sequence_detection' returns
// "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleCaseCreate;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleDetectionMethod;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleEvaluationWindow;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleKeepAlive;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleMaxSignalDuration;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleOptions;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleQueryAggregation;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleSequenceDetectionOptions;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleSequenceDetectionStep;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleSequenceDetectionStepTransition;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleSeverity;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleTypeCreate;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleValidatePayload;
use datadog_api_client::datadogV2::model::SecurityMonitoringStandardRulePayload;
use datadog_api_client::datadogV2::model::SecurityMonitoringStandardRuleQuery;

#[tokio::main]
async fn main() {
    let body =
        SecurityMonitoringRuleValidatePayload::SecurityMonitoringStandardRulePayload(Box::new(
            SecurityMonitoringStandardRulePayload::new(
                vec![
                    SecurityMonitoringRuleCaseCreate::new(SecurityMonitoringRuleSeverity::INFO)
                        .condition("step_b > 0".to_string())
                        .name("".to_string())
                        .notifications(vec![]),
                ],
                true,
                "My security monitoring rule".to_string(),
                "My security monitoring rule".to_string(),
                SecurityMonitoringRuleOptions::new()
                    .detection_method(SecurityMonitoringRuleDetectionMethod::SEQUENCE_DETECTION)
                    .evaluation_window(SecurityMonitoringRuleEvaluationWindow::ZERO_MINUTES)
                    .keep_alive(SecurityMonitoringRuleKeepAlive::FIVE_MINUTES)
                    .max_signal_duration(SecurityMonitoringRuleMaxSignalDuration::TEN_MINUTES)
                    .sequence_detection_options(
                        SecurityMonitoringRuleSequenceDetectionOptions::new()
                            .step_transitions(vec![
                                SecurityMonitoringRuleSequenceDetectionStepTransition::new()
                                    .child("step_b".to_string())
                                    .evaluation_window(
                                        SecurityMonitoringRuleEvaluationWindow::FIFTEEN_MINUTES,
                                    )
                                    .parent("step_a".to_string()),
                            ])
                            .steps(vec![
                                SecurityMonitoringRuleSequenceDetectionStep::new()
                                    .condition("a > 0".to_string())
                                    .evaluation_window(
                                        SecurityMonitoringRuleEvaluationWindow::ONE_MINUTE,
                                    )
                                    .name("step_a".to_string()),
                                SecurityMonitoringRuleSequenceDetectionStep::new()
                                    .condition("b > 0".to_string())
                                    .evaluation_window(
                                        SecurityMonitoringRuleEvaluationWindow::ONE_MINUTE,
                                    )
                                    .name("step_b".to_string()),
                            ]),
                    ),
                vec![
                    SecurityMonitoringStandardRuleQuery::new()
                        .aggregation(SecurityMonitoringRuleQueryAggregation::COUNT)
                        .distinct_fields(vec![])
                        .group_by_fields(vec!["@userIdentity.assumed_role".to_string()])
                        .name("".to_string())
                        .query("source:source_here".to_string()),
                    SecurityMonitoringStandardRuleQuery::new()
                        .aggregation(SecurityMonitoringRuleQueryAggregation::COUNT)
                        .distinct_fields(vec![])
                        .group_by_fields(vec![])
                        .name("".to_string())
                        .query("source:source_here2".to_string()),
                ],
            )
            .has_extended_title(true)
            .tags(vec!["env:prod".to_string(), "team:security".to_string()])
            .type_(SecurityMonitoringRuleTypeCreate::LOG_DETECTION),
        ));
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api.validate_security_monitoring_rule(body).await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}

    Instructions

    First install the library and its dependencies and then save the example to src/main.rs and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run
    /**
 * Validate a detection rule returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiValidateSecurityMonitoringRuleRequest = {
  body: {
    cases: [
      {
        name: "",
        status: "info",
        notifications: [],
        condition: "a > 0",
      },
    ],
    hasExtendedTitle: true,
    isEnabled: true,
    message: "My security monitoring rule",
    name: "My security monitoring rule",
    options: {
      evaluationWindow: 1800,
      keepAlive: 1800,
      maxSignalDuration: 1800,
      detectionMethod: "threshold",
    },
    queries: [
      {
        query: "source:source_here",
        groupByFields: ["@userIdentity.assumed_role"],
        distinctFields: [],
        aggregation: "count",
        name: "",
      },
    ],
    tags: ["env:prod", "team:security"],
    type: "log_detection",
  },
};

apiInstance
  .validateSecurityMonitoringRule(params)
  .then((data: any) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

    /**
 * Validate a detection rule with detection method 'sequence_detection' returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiValidateSecurityMonitoringRuleRequest = {
  body: {
    cases: [
      {
        name: "",
        status: "info",
        notifications: [],
        condition: "step_b > 0",
      },
    ],
    hasExtendedTitle: true,
    isEnabled: true,
    message: "My security monitoring rule",
    name: "My security monitoring rule",
    options: {
      evaluationWindow: 0,
      keepAlive: 300,
      maxSignalDuration: 600,
      detectionMethod: "sequence_detection",
      sequenceDetectionOptions: {
        stepTransitions: [
          {
            child: "step_b",
            evaluationWindow: 900,
            parent: "step_a",
          },
        ],
        steps: [
          {
            condition: "a > 0",
            evaluationWindow: 60,
            name: "step_a",
          },
          {
            condition: "b > 0",
            evaluationWindow: 60,
            name: "step_b",
          },
        ],
      },
    },
    queries: [
      {
        query: "source:source_here",
        groupByFields: ["@userIdentity.assumed_role"],
        distinctFields: [],
        aggregation: "count",
        name: "",
      },
      {
        query: "source:source_here2",
        groupByFields: [],
        distinctFields: [],
        aggregation: "count",
        name: "",
      },
    ],
    tags: ["env:prod", "team:security"],
    type: "log_detection",
  },
};

apiInstance
  .validateSecurityMonitoringRule(params)
  .then((data: any) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

    Instructions

    First install the library and its dependencies and then save the example to example.ts and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"

    Convert an existing rule from JSON to Terraform

    GET https://api.ap1.datadoghq.com/api/v2/security_monitoring/rules/{rule_id}/converthttps://api.ap2.datadoghq.com/api/v2/security_monitoring/rules/{rule_id}/converthttps://api.datadoghq.eu/api/v2/security_monitoring/rules/{rule_id}/converthttps://api.ddog-gov.com/api/v2/security_monitoring/rules/{rule_id}/converthttps://api.datadoghq.com/api/v2/security_monitoring/rules/{rule_id}/converthttps://api.us3.datadoghq.com/api/v2/security_monitoring/rules/{rule_id}/converthttps://api.us5.datadoghq.com/api/v2/security_monitoring/rules/{rule_id}/convert

    Overview

    Convert an existing rule from JSON to Terraform for datadog provider resource datadog_security_monitoring_rule. This endpoint requires the security_monitoring_rules_read permission.

    OAuth apps require the security_monitoring_rules_read authorization scope to access this endpoint.

    Arguments

    Path Parameters

    Name

    Type

    Description

    rule_id [required]

    string

    The ID of the rule.

    Response

    OK

    Result of the convert rule request containing Terraform content.

    Expand All

    Field

    Type

    Description

    ruleId

    string

    the ID of the rule.

    terraformContent

    string

    Terraform string as a result of converting the rule from JSON.

    {
  "ruleId": "string",
  "terraformContent": "string"
}

    Bad Request

    API error response.

    Expand All

    Field

    Type

    Description

    errors [required]

    [string]

    A list of errors.

    {
  "errors": [
    "Bad Request"
  ]
}

    Not Authorized

    API error response.

    Expand All

    Field

    Type

    Description

    errors [required]

    [string]

    A list of errors.

    {
  "errors": [
    "Bad Request"
  ]
}

    Not Found

    API error response.

    Expand All

    Field

    Type

    Description

    errors [required]

    [string]

    A list of errors.

    {
  "errors": [
    "Bad Request"
  ]
}

    Too many requests

    API error response.

    Expand All

    Field

    Type

    Description

    errors [required]

    [string]

    A list of errors.

    {
  "errors": [
    "Bad Request"
  ]
}

    Code Example

                      # Path parameters
    export rule_id="CHANGE_ME"
    # Curl command
    curl -X GET "https://api.ap1.datadoghq.com"https://api.ap2.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/rules/${rule_id}/convert" \
-H "Accept: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"
    
                
    """
Convert an existing rule from JSON to Terraform returns "OK" response
"""

from os import environ
from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi

# there is a valid "security_rule_hash" in the system
SECURITY_RULE_HASH_ID = environ["SECURITY_RULE_HASH_ID"]

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.convert_existing_security_monitoring_rule(
        rule_id=SECURITY_RULE_HASH_ID,
    )

    print(response)

    Instructions

    First install the library and its dependencies and then save the example to example.py and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
    # Convert an existing rule from JSON to Terraform returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

# there is a valid "security_rule_hash" in the system
SECURITY_RULE_HASH_ID = ENV["SECURITY_RULE_HASH_ID"]
p api_instance.convert_existing_security_monitoring_rule(SECURITY_RULE_HASH_ID)

    Instructions

    First install the library and its dependencies and then save the example to example.rb and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" rb "example.rb"
    // Convert an existing rule from JSON to Terraform returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	// there is a valid "security_rule_hash" in the system
	SecurityRuleHashID := os.Getenv("SECURITY_RULE_HASH_ID")

	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.ConvertExistingSecurityMonitoringRule(ctx, SecurityRuleHashID)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.ConvertExistingSecurityMonitoringRule`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.ConvertExistingSecurityMonitoringRule`:\n%s\n", responseContent)
}

    Instructions

    First install the library and its dependencies and then save the example to main.go and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
    // Convert an existing rule from JSON to Terraform returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleConvertResponse;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    // there is a valid "security_rule_hash" in the system
    String SECURITY_RULE_HASH_ID = System.getenv("SECURITY_RULE_HASH_ID");

    try {
      SecurityMonitoringRuleConvertResponse result =
          apiInstance.convertExistingSecurityMonitoringRule(SECURITY_RULE_HASH_ID);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#convertExistingSecurityMonitoringRule");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

    Instructions

    First install the library and its dependencies and then save the example to Example.java and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"
    // Convert an existing rule from JSON to Terraform returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;

#[tokio::main]
async fn main() {
    // there is a valid "security_rule_hash" in the system
    let security_rule_hash_id = std::env::var("SECURITY_RULE_HASH_ID").unwrap();
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api
        .convert_existing_security_monitoring_rule(security_rule_hash_id.clone())
        .await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}

    Instructions

    First install the library and its dependencies and then save the example to src/main.rs and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run
    /**
 * Convert an existing rule from JSON to Terraform returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

// there is a valid "security_rule_hash" in the system
const SECURITY_RULE_HASH_ID = process.env.SECURITY_RULE_HASH_ID as string;

const params: v2.SecurityMonitoringApiConvertExistingSecurityMonitoringRuleRequest =
  {
    ruleId: SECURITY_RULE_HASH_ID,
  };

apiInstance
  .convertExistingSecurityMonitoringRule(params)
  .then((data: v2.SecurityMonitoringRuleConvertResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

    Instructions

    First install the library and its dependencies and then save the example to example.ts and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"

    Convert a rule from JSON to Terraform

    POST https://api.ap1.datadoghq.com/api/v2/security_monitoring/rules/converthttps://api.ap2.datadoghq.com/api/v2/security_monitoring/rules/converthttps://api.datadoghq.eu/api/v2/security_monitoring/rules/converthttps://api.ddog-gov.com/api/v2/security_monitoring/rules/converthttps://api.datadoghq.com/api/v2/security_monitoring/rules/converthttps://api.us3.datadoghq.com/api/v2/security_monitoring/rules/converthttps://api.us5.datadoghq.com/api/v2/security_monitoring/rules/convert

    Overview

    Convert a rule that doesn’t (yet) exist from JSON to Terraform for datadog provider resource datadog_security_monitoring_rule. This endpoint requires the security_monitoring_rules_write permission.

    OAuth apps require the security_monitoring_rules_write authorization scope to access this endpoint.

    Request

    Body Data (required)

    Expand All

    Field

    Type

    Description

    Option 1

    object

    The payload of a rule.

    calculatedFields

    [object]

    Calculated fields. Only allowed for scheduled rules - in other words, when schedulingOptions is also defined.

    expression [required]

    string

    Expression.

    name [required]

    string

    Field name.

    cases [required]

    [object]

    Cases for generating signals.

    actions

    [object]

    Action to perform for each rule case.

    options

    object

    Options for the rule action

    duration

    int64

    Duration of the action in seconds. 0 indicates no expiration.

    flaggedIPType

    enum

    Used with the case action of type 'flag_ip'. The value specified in this field is applied as a flag to the IP addresses. Allowed enum values: SUSPICIOUS,FLAGGED

    userBehaviorName

    string

    Used with the case action of type 'user_behavior'. The value specified in this field is applied as a risk tag to all users affected by the rule.

    type

    enum

    The action type. Allowed enum values: block_ip,block_user,user_behavior,flag_ip

    condition

    string

    A case contains logical operations (>,>=, &&, ||) to determine if a signal should be generated based on the event counts in the previously defined queries.

    name

    string

    Name of the case.

    notifications

    [string]

    Notification targets.

    status [required]

    enum

    Severity of the Security Signal. Allowed enum values: info,low,medium,high,critical

    customMessage

    string

    Custom/Overridden message for generated signals (used in case of Default rule update).

    customName

    string

    Custom/Overridden name of the rule (used in case of Default rule update).

    filters

    [object]

    Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules.

    action

    enum

    The type of filtering action. Allowed enum values: require,suppress

    query

    string

    Query for selecting logs to apply the filtering action.

    groupSignalsBy

    [string]

    Additional grouping to perform on top of the existing groups in the query section. Must be a subset of the existing groups.

    hasExtendedTitle

    boolean

    Whether the notifications include the triggering group-by values in their title.

    isEnabled [required]

    boolean

    Whether the rule is enabled.

    message [required]

    string

    Message for generated signals.

    name [required]

    string

    The name of the rule.

    options [required]

    object

    Options.

    complianceRuleOptions

    object

    Options for cloud_configuration rules. Fields resourceType and regoRule are mandatory when managing custom cloud_configuration rules.

    complexRule

    boolean

    Whether the rule is a complex one. Must be set to true if regoRule.resourceTypes contains more than one item. Defaults to false.

    regoRule

    object

    Rule details.

    policy [required]

    string

    The policy written in rego, see: https://www.openpolicyagent.org/docs/latest/policy-language/

    resourceTypes [required]

    [string]

    List of resource types that will be evaluated upon. Must have at least one element.

    resourceType

    string

    Main resource type to be checked by the rule. It should be specified again in regoRule.resourceTypes.

    decreaseCriticalityBasedOnEnv

    boolean

    If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise. The severity is decreased by one level: CRITICAL in production becomes HIGH in non-production, HIGH becomes MEDIUM and so on. INFO remains INFO. The decrement is applied when the environment tag of the signal starts with staging, test or dev.

    detectionMethod

    enum

    The detection method. Allowed enum values: threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold,sequence_detection

    evaluationWindow

    enum

    A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400

    hardcodedEvaluatorType

    enum

    Hardcoded evaluator type. Allowed enum values: log4shell

    impossibleTravelOptions

    object

    Options on impossible travel detection method.

    baselineUserLocations

    boolean

    If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.

    keepAlive

    enum

    Once a signal is generated, the signal will remain "open" if a case is matched at least once within this keep alive window. For third party detection method, this field is not used. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400

    maxSignalDuration

    enum

    A signal will "close" regardless of the query being matched once the time exceeds the maximum duration. This time is calculated from the first seen timestamp. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400

    newValueOptions

    object

    Options on new value detection method.

    forgetAfter

    enum

    The duration in days after which a learned value is forgotten. Allowed enum values: 1,2,7,14,21,28

    learningDuration

    enum

    The duration in days during which values are learned, and after which signals will be generated for values that weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned. Allowed enum values: 0,1,7

    learningMethod

    enum

    The learning method used to determine when signals should be generated for values that weren't learned. Allowed enum values: duration,threshold

    default: duration

    learningThreshold

    enum

    A number of occurrences after which signals will be generated for values that weren't learned. Allowed enum values: 0,1

    sequenceDetectionOptions

    object

    Options on sequence detection method.

    stepTransitions

    [object]

    Transitions defining the allowed order of steps and their evaluation windows.

    child

    string

    Name of the child step.

    evaluationWindow

    enum

    A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400

    parent

    string

    Name of the parent step.

    steps

    [object]

    Steps that define the conditions to be matched in sequence.

    condition

    string

    Condition referencing rule queries (e.g., a > 0).

    evaluationWindow

    enum

    A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400

    name

    string

    Unique name identifying the step.

    thirdPartyRuleOptions

    object

    Options on third party detection method.

    defaultNotifications

    [string]

    Notification targets for the logs that do not correspond to any of the cases.

    defaultStatus

    enum

    Severity of the Security Signal. Allowed enum values: info,low,medium,high,critical

    rootQueries

    [object]

    Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.

    groupByFields

    [string]

    Fields to group by.

    query

    string

    Query to run on logs.

    signalTitleTemplate

    string

    A template for the signal title; if omitted, the title is generated based on the case name.

    queries [required]

    [object]

    Queries for selecting logs which are part of the rule.

    aggregation

    enum

    The aggregation type. Allowed enum values: count,cardinality,sum,max,new_value,geo_data,event_count,none

    customQueryExtension

    string

    Query extension to append to the logs query.

    dataSource

    enum

    Source of events, either logs, audit trail, or Datadog events. Allowed enum values: logs,audit,app_sec_spans,spans,security_runtime,network,events

    default: logs

    distinctFields

    [string]

    Field for which the cardinality is measured. Sent as an array.

    groupByFields

    [string]

    Fields to group by.

    hasOptionalGroupByFields

    boolean

    When false, events without a group-by value are ignored by the rule. When true, events with missing group-by fields are processed with N/A, replacing the missing values.

    index

    string

    This field is currently unstable and might be removed in a minor version upgrade. The index to run the query on, if the dataSource is logs. Only used for scheduled rules - in other words, when the schedulingOptions field is present in the rule payload.

    indexes

    [string]

    List of indexes to query when the dataSource is logs. Only used for scheduled rules, such as when the schedulingOptions field is present in the rule payload.

    metric

    string

    DEPRECATED: (Deprecated) The target field to aggregate over when using the sum or max aggregations. metrics field should be used instead.

    metrics

    [string]

    Group of target fields to aggregate over when using the sum, max, geo data, or new value aggregations. The sum, max, and geo data aggregations only accept one value in this list, whereas the new value aggregation accepts up to five values.

    name

    string

    Name of the query.

    query

    string

    Query to run on logs.

    referenceTables

    [object]

    Reference tables for the rule.

    checkPresence

    boolean

    Whether to include or exclude the matched values.

    columnName

    string

    The name of the column in the reference table.

    logFieldPath

    string

    The field in the log to match against the reference table.

    ruleQueryName

    string

    The name of the query to apply the reference table to.

    tableName

    string

    The name of the reference table.

    schedulingOptions

    object

    Options for scheduled rules. When this field is present, the rule runs based on the schedule. When absent, it runs real-time on ingested logs.

    rrule

    string

    Schedule for the rule queries, written in RRULE syntax. See RFC for syntax reference.

    start

    string

    Start date for the schedule, in ISO 8601 format without timezone.

    timezone

    string

    Time zone of the start date, in the tz database format.

    tags

    [string]

    Tags for generated signals.

    thirdPartyCases

    [object]

    Cases for generating signals from third-party rules. Only available for third-party rules.

    name

    string

    Name of the case.

    notifications

    [string]

    Notification targets for each case.

    query

    string

    A query to map a third party event to this case.

    status [required]

    enum

    Severity of the Security Signal. Allowed enum values: info,low,medium,high,critical

    type

    enum

    The rule type. Allowed enum values: api_security,application_security,log_detection,workload_security

    Option 2

    object

    The payload of a signal correlation rule.

    cases [required]

    [object]

    Cases for generating signals.

    actions

    [object]

    Action to perform for each rule case.

    options

    object

    Options for the rule action

    duration

    int64

    Duration of the action in seconds. 0 indicates no expiration.

    flaggedIPType

    enum

    Used with the case action of type 'flag_ip'. The value specified in this field is applied as a flag to the IP addresses. Allowed enum values: SUSPICIOUS,FLAGGED

    userBehaviorName

    string

    Used with the case action of type 'user_behavior'. The value specified in this field is applied as a risk tag to all users affected by the rule.

    type

    enum

    The action type. Allowed enum values: block_ip,block_user,user_behavior,flag_ip

    condition

    string

    A case contains logical operations (>,>=, &&, ||) to determine if a signal should be generated based on the event counts in the previously defined queries.

    name

    string

    Name of the case.

    notifications

    [string]

    Notification targets.

    status [required]

    enum

    Severity of the Security Signal. Allowed enum values: info,low,medium,high,critical

    customMessage

    string

    Custom/Overridden message for generated signals (used in case of Default rule update).

    customName

    string

    Custom/Overridden name of the rule (used in case of Default rule update).

    filters

    [object]

    Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules.

    action

    enum

    The type of filtering action. Allowed enum values: require,suppress

    query

    string

    Query for selecting logs to apply the filtering action.

    hasExtendedTitle

    boolean

    Whether the notifications include the triggering group-by values in their title.

    isEnabled [required]

    boolean

    Whether the rule is enabled.

    message [required]

    string

    Message for generated signals.

    name [required]

    string

    The name of the rule.

    options [required]

    object

    Options.

    complianceRuleOptions

    object

    Options for cloud_configuration rules. Fields resourceType and regoRule are mandatory when managing custom cloud_configuration rules.

    complexRule

    boolean

    Whether the rule is a complex one. Must be set to true if regoRule.resourceTypes contains more than one item. Defaults to false.

    regoRule

    object

    Rule details.

    policy [required]

    string

    The policy written in rego, see: https://www.openpolicyagent.org/docs/latest/policy-language/

    resourceTypes [required]

    [string]

    List of resource types that will be evaluated upon. Must have at least one element.

    resourceType

    string

    Main resource type to be checked by the rule. It should be specified again in regoRule.resourceTypes.

    decreaseCriticalityBasedOnEnv

    boolean

    If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise. The severity is decreased by one level: CRITICAL in production becomes HIGH in non-production, HIGH becomes MEDIUM and so on. INFO remains INFO. The decrement is applied when the environment tag of the signal starts with staging, test or dev.

    detectionMethod

    enum

    The detection method. Allowed enum values: threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold,sequence_detection

    evaluationWindow

    enum

    A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400

    hardcodedEvaluatorType

    enum

    Hardcoded evaluator type. Allowed enum values: log4shell

    impossibleTravelOptions

    object

    Options on impossible travel detection method.

    baselineUserLocations

    boolean

    If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.

    keepAlive

    enum

    Once a signal is generated, the signal will remain "open" if a case is matched at least once within this keep alive window. For third party detection method, this field is not used. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400

    maxSignalDuration

    enum

    A signal will "close" regardless of the query being matched once the time exceeds the maximum duration. This time is calculated from the first seen timestamp. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400

    newValueOptions

    object

    Options on new value detection method.

    forgetAfter

    enum

    The duration in days after which a learned value is forgotten. Allowed enum values: 1,2,7,14,21,28

    learningDuration

    enum

    The duration in days during which values are learned, and after which signals will be generated for values that weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned. Allowed enum values: 0,1,7

    learningMethod

    enum

    The learning method used to determine when signals should be generated for values that weren't learned. Allowed enum values: duration,threshold

    default: duration

    learningThreshold

    enum

    A number of occurrences after which signals will be generated for values that weren't learned. Allowed enum values: 0,1

    sequenceDetectionOptions

    object

    Options on sequence detection method.

    stepTransitions

    [object]

    Transitions defining the allowed order of steps and their evaluation windows.

    child

    string

    Name of the child step.

    evaluationWindow

    enum

    A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400

    parent

    string

    Name of the parent step.

    steps

    [object]

    Steps that define the conditions to be matched in sequence.

    condition

    string

    Condition referencing rule queries (e.g., a > 0).

    evaluationWindow

    enum

    A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400

    name

    string

    Unique name identifying the step.

    thirdPartyRuleOptions

    object

    Options on third party detection method.

    defaultNotifications

    [string]

    Notification targets for the logs that do not correspond to any of the cases.

    defaultStatus

    enum

    Severity of the Security Signal. Allowed enum values: info,low,medium,high,critical

    rootQueries

    [object]

    Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.

    groupByFields

    [string]

    Fields to group by.

    query

    string

    Query to run on logs.

    signalTitleTemplate

    string

    A template for the signal title; if omitted, the title is generated based on the case name.

    queries [required]

    [object]

    Queries for selecting signals which are part of the rule.

    aggregation

    enum

    The aggregation type. Allowed enum values: count,cardinality,sum,max,new_value,geo_data,event_count,none

    correlatedByFields

    [string]

    Fields to group by.

    correlatedQueryIndex

    int32

    Index of the rule query used to retrieve the correlated field.

    metrics

    [string]

    Group of target fields to aggregate over.

    name

    string

    Name of the query.

    ruleId [required]

    string

    Rule ID to match on signals.

    tags

    [string]

    Tags for generated signals.

    type

    enum

    The rule type. Allowed enum values: signal_correlation

    {
  "name": "_49768568946de993",
  "queries": [
    {
      "query": "@test:true",
      "aggregation": "count",
      "groupByFields": [],
      "distinctFields": [],
      "metric": ""
    }
  ],
  "filters": [],
  "cases": [
    {
      "name": "",
      "status": "info",
      "condition": "a > 0",
      "notifications": []
    }
  ],
  "options": {
    "evaluationWindow": 900,
    "keepAlive": 3600,
    "maxSignalDuration": 86400
  },
  "message": "Test rule",
  "tags": [],
  "isEnabled": true,
  "type": "log_detection"
}

    Response

    OK

    Result of the convert rule request containing Terraform content.

    Expand All

    Field

    Type

    Description

    ruleId

    string

    the ID of the rule.

    terraformContent

    string

    Terraform string as a result of converting the rule from JSON.

    {
  "ruleId": "string",
  "terraformContent": "string"
}

    Bad Request

    API error response.

    Expand All

    Field

    Type

    Description

    errors [required]

    [string]

    A list of errors.

    {
  "errors": [
    "Bad Request"
  ]
}

    Concurrent Modification

    API error response.

    Expand All

    Field

    Type

    Description

    errors [required]

    [string]

    A list of errors.

    {
  "errors": [
    "Bad Request"
  ]
}

    Not Authorized

    API error response.

    Expand All

    Field

    Type

    Description

    errors [required]

    [string]

    A list of errors.

    {
  "errors": [
    "Bad Request"
  ]
}

    Not Found

    API error response.

    Expand All

    Field

    Type

    Description

    errors [required]

    [string]

    A list of errors.

    {
  "errors": [
    "Bad Request"
  ]
}

    Too many requests

    API error response.

    Expand All

    Field

    Type

    Description

    errors [required]

    [string]

    A list of errors.

    {
  "errors": [
    "Bad Request"
  ]
}

    Code Example

                              # Curl command
    curl -X POST "https://api.ap1.datadoghq.com"https://api.ap2.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/rules/convert" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "name": "_49768568946de993",
  "queries": [
    {
      "query": "@test:true",
      "aggregation": "count",
      "groupByFields": [],
      "distinctFields": [],
      "metric": ""
    }
  ],
  "filters": [],
  "cases": [
    {
      "name": "",
      "status": "info",
      "condition": "a > 0",
      "notifications": []
    }
  ],
  "options": {
    "evaluationWindow": 900,
    "keepAlive": 3600,
    "maxSignalDuration": 86400
  },
  "message": "Test rule",
  "tags": [],
  "isEnabled": true,
  "type": "log_detection"
}
EOF
    
                        
    // Convert a rule from JSON to Terraform returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	body := datadogV2.SecurityMonitoringRuleConvertPayload{
		SecurityMonitoringStandardRulePayload: &datadogV2.SecurityMonitoringStandardRulePayload{
			Name: "_49768568946de993",
			Queries: []datadogV2.SecurityMonitoringStandardRuleQuery{
				{
					Query:          datadog.PtrString("@test:true"),
					Aggregation:    datadogV2.SECURITYMONITORINGRULEQUERYAGGREGATION_COUNT.Ptr(),
					GroupByFields:  []string{},
					DistinctFields: []string{},
					Metric:         datadog.PtrString(""),
				},
			},
			Filters: []datadogV2.SecurityMonitoringFilter{},
			Cases: []datadogV2.SecurityMonitoringRuleCaseCreate{
				{
					Name:          datadog.PtrString(""),
					Status:        datadogV2.SECURITYMONITORINGRULESEVERITY_INFO,
					Condition:     datadog.PtrString("a > 0"),
					Notifications: []string{},
				},
			},
			Options: datadogV2.SecurityMonitoringRuleOptions{
				EvaluationWindow:  datadogV2.SECURITYMONITORINGRULEEVALUATIONWINDOW_FIFTEEN_MINUTES.Ptr(),
				KeepAlive:         datadogV2.SECURITYMONITORINGRULEKEEPALIVE_ONE_HOUR.Ptr(),
				MaxSignalDuration: datadogV2.SECURITYMONITORINGRULEMAXSIGNALDURATION_ONE_DAY.Ptr(),
			},
			Message:   "Test rule",
			Tags:      []string{},
			IsEnabled: true,
			Type:      datadogV2.SECURITYMONITORINGRULETYPECREATE_LOG_DETECTION.Ptr(),
		}}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.ConvertSecurityMonitoringRuleFromJSONToTerraform(ctx, body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.ConvertSecurityMonitoringRuleFromJSONToTerraform`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.ConvertSecurityMonitoringRuleFromJSONToTerraform`:\n%s\n", responseContent)
}

    Instructions

    First install the library and its dependencies and then save the example to main.go and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
    // Convert a rule from JSON to Terraform returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleCaseCreate;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleConvertPayload;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleConvertResponse;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleEvaluationWindow;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleKeepAlive;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleMaxSignalDuration;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleOptions;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleQueryAggregation;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleSeverity;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleTypeCreate;
import com.datadog.api.client.v2.model.SecurityMonitoringStandardRulePayload;
import com.datadog.api.client.v2.model.SecurityMonitoringStandardRuleQuery;
import java.util.Collections;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    SecurityMonitoringRuleConvertPayload body =
        new SecurityMonitoringRuleConvertPayload(
            new SecurityMonitoringStandardRulePayload()
                .name("_49768568946de993")
                .queries(
                    Collections.singletonList(
                        new SecurityMonitoringStandardRuleQuery()
                            .query("@test:true")
                            .aggregation(SecurityMonitoringRuleQueryAggregation.COUNT)
                            .metric("")))
                .cases(
                    Collections.singletonList(
                        new SecurityMonitoringRuleCaseCreate()
                            .name("")
                            .status(SecurityMonitoringRuleSeverity.INFO)
                            .condition("a > 0")))
                .options(
                    new SecurityMonitoringRuleOptions()
                        .evaluationWindow(SecurityMonitoringRuleEvaluationWindow.FIFTEEN_MINUTES)
                        .keepAlive(SecurityMonitoringRuleKeepAlive.ONE_HOUR)
                        .maxSignalDuration(SecurityMonitoringRuleMaxSignalDuration.ONE_DAY))
                .message("Test rule")
                .isEnabled(true)
                .type(SecurityMonitoringRuleTypeCreate.LOG_DETECTION));

    try {
      SecurityMonitoringRuleConvertResponse result =
          apiInstance.convertSecurityMonitoringRuleFromJSONToTerraform(body);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling"
              + " SecurityMonitoringApi#convertSecurityMonitoringRuleFromJSONToTerraform");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

    Instructions

    First install the library and its dependencies and then save the example to Example.java and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"
    """
Convert a rule from JSON to Terraform returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.security_monitoring_rule_case_create import SecurityMonitoringRuleCaseCreate
from datadog_api_client.v2.model.security_monitoring_rule_evaluation_window import (
    SecurityMonitoringRuleEvaluationWindow,
)
from datadog_api_client.v2.model.security_monitoring_rule_keep_alive import SecurityMonitoringRuleKeepAlive
from datadog_api_client.v2.model.security_monitoring_rule_max_signal_duration import (
    SecurityMonitoringRuleMaxSignalDuration,
)
from datadog_api_client.v2.model.security_monitoring_rule_options import SecurityMonitoringRuleOptions
from datadog_api_client.v2.model.security_monitoring_rule_query_aggregation import (
    SecurityMonitoringRuleQueryAggregation,
)
from datadog_api_client.v2.model.security_monitoring_rule_severity import SecurityMonitoringRuleSeverity
from datadog_api_client.v2.model.security_monitoring_rule_type_create import SecurityMonitoringRuleTypeCreate
from datadog_api_client.v2.model.security_monitoring_standard_rule_payload import SecurityMonitoringStandardRulePayload
from datadog_api_client.v2.model.security_monitoring_standard_rule_query import SecurityMonitoringStandardRuleQuery

body = SecurityMonitoringStandardRulePayload(
    name="_49768568946de993",
    queries=[
        SecurityMonitoringStandardRuleQuery(
            query="@test:true",
            aggregation=SecurityMonitoringRuleQueryAggregation.COUNT,
            group_by_fields=[],
            distinct_fields=[],
            metric="",
        ),
    ],
    filters=[],
    cases=[
        SecurityMonitoringRuleCaseCreate(
            name="",
            status=SecurityMonitoringRuleSeverity.INFO,
            condition="a > 0",
            notifications=[],
        ),
    ],
    options=SecurityMonitoringRuleOptions(
        evaluation_window=SecurityMonitoringRuleEvaluationWindow.FIFTEEN_MINUTES,
        keep_alive=SecurityMonitoringRuleKeepAlive.ONE_HOUR,
        max_signal_duration=SecurityMonitoringRuleMaxSignalDuration.ONE_DAY,
    ),
    message="Test rule",
    tags=[],
    is_enabled=True,
    type=SecurityMonitoringRuleTypeCreate.LOG_DETECTION,
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.convert_security_monitoring_rule_from_json_to_terraform(body=body)

    print(response)

    Instructions

    First install the library and its dependencies and then save the example to example.py and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
    # Convert a rule from JSON to Terraform returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

body = DatadogAPIClient::V2::SecurityMonitoringStandardRulePayload.new({
  name: "_49768568946de993",
  queries: [
    DatadogAPIClient::V2::SecurityMonitoringStandardRuleQuery.new({
      query: "@test:true",
      aggregation: DatadogAPIClient::V2::SecurityMonitoringRuleQueryAggregation::COUNT,
      group_by_fields: [],
      distinct_fields: [],
      metric: "",
    }),
  ],
  filters: [],
  cases: [
    DatadogAPIClient::V2::SecurityMonitoringRuleCaseCreate.new({
      name: "",
      status: DatadogAPIClient::V2::SecurityMonitoringRuleSeverity::INFO,
      condition: "a > 0",
      notifications: [],
    }),
  ],
  options: DatadogAPIClient::V2::SecurityMonitoringRuleOptions.new({
    evaluation_window: DatadogAPIClient::V2::SecurityMonitoringRuleEvaluationWindow::FIFTEEN_MINUTES,
    keep_alive: DatadogAPIClient::V2::SecurityMonitoringRuleKeepAlive::ONE_HOUR,
    max_signal_duration: DatadogAPIClient::V2::SecurityMonitoringRuleMaxSignalDuration::ONE_DAY,
  }),
  message: "Test rule",
  tags: [],
  is_enabled: true,
  type: DatadogAPIClient::V2::SecurityMonitoringRuleTypeCreate::LOG_DETECTION,
})
p api_instance.convert_security_monitoring_rule_from_json_to_terraform(body)

    Instructions

    First install the library and its dependencies and then save the example to example.rb and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" rb "example.rb"
    // Convert a rule from JSON to Terraform returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleCaseCreate;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleConvertPayload;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleEvaluationWindow;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleKeepAlive;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleMaxSignalDuration;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleOptions;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleQueryAggregation;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleSeverity;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleTypeCreate;
use datadog_api_client::datadogV2::model::SecurityMonitoringStandardRulePayload;
use datadog_api_client::datadogV2::model::SecurityMonitoringStandardRuleQuery;

#[tokio::main]
async fn main() {
    let body =
        SecurityMonitoringRuleConvertPayload::SecurityMonitoringStandardRulePayload(Box::new(
            SecurityMonitoringStandardRulePayload::new(
                vec![
                    SecurityMonitoringRuleCaseCreate::new(SecurityMonitoringRuleSeverity::INFO)
                        .condition("a > 0".to_string())
                        .name("".to_string())
                        .notifications(vec![]),
                ],
                true,
                "Test rule".to_string(),
                "_49768568946de993".to_string(),
                SecurityMonitoringRuleOptions::new()
                    .evaluation_window(SecurityMonitoringRuleEvaluationWindow::FIFTEEN_MINUTES)
                    .keep_alive(SecurityMonitoringRuleKeepAlive::ONE_HOUR)
                    .max_signal_duration(SecurityMonitoringRuleMaxSignalDuration::ONE_DAY),
                vec![SecurityMonitoringStandardRuleQuery::new()
                    .aggregation(SecurityMonitoringRuleQueryAggregation::COUNT)
                    .distinct_fields(vec![])
                    .group_by_fields(vec![])
                    .metric("".to_string())
                    .query("@test:true".to_string())],
            )
            .filters(vec![])
            .tags(vec![])
            .type_(SecurityMonitoringRuleTypeCreate::LOG_DETECTION),
        ));
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api
        .convert_security_monitoring_rule_from_json_to_terraform(body)
        .await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}

    Instructions

    First install the library and its dependencies and then save the example to src/main.rs and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run
    /**
 * Convert a rule from JSON to Terraform returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiConvertSecurityMonitoringRuleFromJSONToTerraformRequest =
  {
    body: {
      name: "_49768568946de993",
      queries: [
        {
          query: "@test:true",
          aggregation: "count",
          groupByFields: [],
          distinctFields: [],
          metric: "",
        },
      ],
      filters: [],
      cases: [
        {
          name: "",
          status: "info",
          condition: "a > 0",
          notifications: [],
        },
      ],
      options: {
        evaluationWindow: 900,
        keepAlive: 3600,
        maxSignalDuration: 86400,
      },
      message: "Test rule",
      tags: [],
      isEnabled: true,
      type: "log_detection",
    },
  };

apiInstance
  .convertSecurityMonitoringRuleFromJSONToTerraform(params)
  .then((data: v2.SecurityMonitoringRuleConvertResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

    Instructions

    First install the library and its dependencies and then save the example to example.ts and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"

    Get a list of security signals

    POST https://api.ap1.datadoghq.com/api/v2/security_monitoring/signals/searchhttps://api.ap2.datadoghq.com/api/v2/security_monitoring/signals/searchhttps://api.datadoghq.eu/api/v2/security_monitoring/signals/searchhttps://api.ddog-gov.com/api/v2/security_monitoring/signals/searchhttps://api.datadoghq.com/api/v2/security_monitoring/signals/searchhttps://api.us3.datadoghq.com/api/v2/security_monitoring/signals/searchhttps://api.us5.datadoghq.com/api/v2/security_monitoring/signals/search

    Overview

    Returns security signals that match a search query. Both this endpoint and the GET endpoint can be used interchangeably for listing security signals. This endpoint requires the security_monitoring_signals_read permission.

    OAuth apps require the security_monitoring_signals_read authorization scope to access this endpoint.

    Request

    Body Data

    Expand All

    Field

    Type

    Description

    filter

    object

    Search filters for listing security signals.

    from

    date-time

    The minimum timestamp for requested security signals.

    query

    string

    Search query for listing security signals.

    to

    date-time

    The maximum timestamp for requested security signals.

    page

    object

    The paging attributes for listing security signals.

    cursor

    string

    A list of results using the cursor provided in the previous query.

    limit

    int32

    The maximum number of security signals in the response.

    default: 10

    sort

    enum

    The sort parameters used for querying security signals. Allowed enum values: timestamp,-timestamp

    {
  "filter": {
    "from": "2021-11-11T10:56:11+00:00",
    "query": "security:attack status:high",
    "to": "2021-11-11T11:11:11+00:00"
  },
  "page": {
    "limit": 2
  },
  "sort": "timestamp"
}

    Response

    OK

    The response object with all security signals matching the request and pagination information.

    Expand All

    Field

    Type

    Description

    data

    [object]

    An array of security signals matching the request.

    attributes

    object

    The object containing all signal attributes and their associated values.

    custom

    object

    A JSON object of attributes in the security signal.

    message

    string

    The message in the security signal defined by the rule that generated the signal.

    tags

    [string]

    An array of tags associated with the security signal.

    timestamp

    date-time

    The timestamp of the security signal.

    id

    string

    The unique ID of the security signal.

    type

    enum

    The type of event. Allowed enum values: signal

    default: signal

    links

    object

    Links attributes.

    next

    string

    The link for the next set of results. Note: The request can also be made using the POST endpoint.

    meta

    object

    Meta attributes.

    page

    object

    Paging attributes.

    after

    string

    The cursor used to get the next results, if any. To make the next request, use the same parameters with the addition of the page[cursor].

    {
  "data": [
    {
      "attributes": {
        "custom": {
          "workflow": {
            "first_seen": "2020-06-23T14:46:01.000Z",
            "last_seen": "2020-06-23T14:46:49.000Z",
            "rule": {
              "id": "0f5-e0c-805",
              "name": "Brute Force Attack Grouped By User ",
              "version": 12
            }
          }
        },
        "message": "Detect Account Take Over (ATO) through brute force attempts",
        "tags": [
          "security:attack",
          "technique:T1110-brute-force"
        ],
        "timestamp": "2019-01-02T09:42:36.320Z"
      },
      "id": "AAAAAWgN8Xwgr1vKDQAAAABBV2dOOFh3ZzZobm1mWXJFYTR0OA",
      "type": "signal"
    }
  ],
  "links": {
    "next": "https://app.datadoghq.com/api/v2/security_monitoring/signals?filter[query]=foo\u0026page[cursor]=eyJzdGFydEF0IjoiQVFBQUFYS2tMS3pPbm40NGV3QUFBQUJCV0V0clRFdDZVbG8zY3pCRmNsbHJiVmxDWlEifQ=="
  },
  "meta": {
    "page": {
      "after": "eyJzdGFydEF0IjoiQVFBQUFYS2tMS3pPbm40NGV3QUFBQUJCV0V0clRFdDZVbG8zY3pCRmNsbHJiVmxDWlEifQ=="
    }
  }
}

    Bad Request

    API error response.

    Expand All

    Field

    Type

    Description

    errors [required]

    [string]

    A list of errors.

    {
  "errors": [
    "Bad Request"
  ]
}

    Not Authorized

    API error response.

    Expand All

    Field

    Type

    Description

    errors [required]

    [string]

    A list of errors.

    {
  "errors": [
    "Bad Request"
  ]
}

    Too many requests

    API error response.

    Expand All

    Field

    Type

    Description

    errors [required]

    [string]

    A list of errors.

    {
  "errors": [
    "Bad Request"
  ]
}

    Code Example

                              # Curl command
    curl -X POST "https://api.ap1.datadoghq.com"https://api.ap2.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/signals/search" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "filter": {
    "from": "2021-11-11T10:56:11+00:00",
    "query": "security:attack status:high",
    "to": "2021-11-11T11:11:11+00:00"
  },
  "page": {
    "limit": 2
  },
  "sort": "timestamp"
}
EOF
    
                        
    // Get a list of security signals returns "OK" response with pagination

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"
	"time"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	body := datadogV2.SecurityMonitoringSignalListRequest{
		Filter: &datadogV2.SecurityMonitoringSignalListRequestFilter{
			From:  datadog.PtrTime(time.Now().Add(time.Minute * -15)),
			Query: datadog.PtrString("security:attack status:high"),
			To:    datadog.PtrTime(time.Now()),
		},
		Page: &datadogV2.SecurityMonitoringSignalListRequestPage{
			Limit: datadog.PtrInt32(2),
		},
		Sort: datadogV2.SECURITYMONITORINGSIGNALSSORT_TIMESTAMP_ASCENDING.Ptr(),
	}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, _ := api.SearchSecurityMonitoringSignalsWithPagination(ctx, *datadogV2.NewSearchSecurityMonitoringSignalsOptionalParameters().WithBody(body))

	for paginationResult := range resp {
		if paginationResult.Error != nil {
			fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.SearchSecurityMonitoringSignals`: %v\n", paginationResult.Error)
		}
		responseContent, _ := json.MarshalIndent(paginationResult.Item, "", "  ")
		fmt.Fprintf(os.Stdout, "%s\n", responseContent)
	}
}

    Instructions

    First install the library and its dependencies and then save the example to main.go and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
    // Get a list of security signals returns "OK" response with pagination
import com.datadog.api.client.ApiClient;
import com.datadog.api.client.PaginationIterable;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.api.SecurityMonitoringApi.SearchSecurityMonitoringSignalsOptionalParameters;
import com.datadog.api.client.v2.model.SecurityMonitoringSignal;
import com.datadog.api.client.v2.model.SecurityMonitoringSignalListRequest;
import com.datadog.api.client.v2.model.SecurityMonitoringSignalListRequestFilter;
import com.datadog.api.client.v2.model.SecurityMonitoringSignalListRequestPage;
import com.datadog.api.client.v2.model.SecurityMonitoringSignalsSort;
import java.time.OffsetDateTime;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    SecurityMonitoringSignalListRequest body =
        new SecurityMonitoringSignalListRequest()
            .filter(
                new SecurityMonitoringSignalListRequestFilter()
                    .from(OffsetDateTime.now().plusMinutes(-15))
                    .query("security:attack status:high")
                    .to(OffsetDateTime.now()))
            .page(new SecurityMonitoringSignalListRequestPage().limit(2))
            .sort(SecurityMonitoringSignalsSort.TIMESTAMP_ASCENDING);

    try {
      PaginationIterable<SecurityMonitoringSignal> iterable =
          apiInstance.searchSecurityMonitoringSignalsWithPagination(
              new SearchSecurityMonitoringSignalsOptionalParameters().body(body));

      for (SecurityMonitoringSignal item : iterable) {
        System.out.println(item);
      }
    } catch (RuntimeException e) {
      System.err.println(
          "Exception when calling"
              + " SecurityMonitoringApi#searchSecurityMonitoringSignalsWithPagination");
      System.err.println("Reason: " + e.getMessage());
      e.printStackTrace();
    }
  }
}

    Instructions

    First install the library and its dependencies and then save the example to Example.java and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"
    """
Get a list of security signals returns "OK" response with pagination
"""

from datetime import datetime
from dateutil.relativedelta import relativedelta
from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.security_monitoring_signal_list_request import SecurityMonitoringSignalListRequest
from datadog_api_client.v2.model.security_monitoring_signal_list_request_filter import (
    SecurityMonitoringSignalListRequestFilter,
)
from datadog_api_client.v2.model.security_monitoring_signal_list_request_page import (
    SecurityMonitoringSignalListRequestPage,
)
from datadog_api_client.v2.model.security_monitoring_signals_sort import SecurityMonitoringSignalsSort

body = SecurityMonitoringSignalListRequest(
    filter=SecurityMonitoringSignalListRequestFilter(
        _from=(datetime.now() + relativedelta(minutes=-15)),
        query="security:attack status:high",
        to=datetime.now(),
    ),
    page=SecurityMonitoringSignalListRequestPage(
        limit=2,
    ),
    sort=SecurityMonitoringSignalsSort.TIMESTAMP_ASCENDING,
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    items = api_instance.search_security_monitoring_signals_with_pagination(body=body)
    for item in items:
        print(item)

    Instructions

    First install the library and its dependencies and then save the example to example.py and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
    # Get a list of security signals returns "OK" response with pagination

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

body = DatadogAPIClient::V2::SecurityMonitoringSignalListRequest.new({
  filter: DatadogAPIClient::V2::SecurityMonitoringSignalListRequestFilter.new({
    from: (Time.now + -15 * 60),
    query: "security:attack status:high",
    to: Time.now,
  }),
  page: DatadogAPIClient::V2::SecurityMonitoringSignalListRequestPage.new({
    limit: 2,
  }),
  sort: DatadogAPIClient::V2::SecurityMonitoringSignalsSort::TIMESTAMP_ASCENDING,
})
opts = {
  body: body,
}
api_instance.search_security_monitoring_signals_with_pagination(opts) { |item| puts item }

    Instructions

    First install the library and its dependencies and then save the example to example.rb and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" rb "example.rb"
    // Get a list of security signals returns "OK" response with pagination
use chrono::{DateTime, Utc};
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SearchSecurityMonitoringSignalsOptionalParams;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::SecurityMonitoringSignalListRequest;
use datadog_api_client::datadogV2::model::SecurityMonitoringSignalListRequestFilter;
use datadog_api_client::datadogV2::model::SecurityMonitoringSignalListRequestPage;
use datadog_api_client::datadogV2::model::SecurityMonitoringSignalsSort;
use futures_util::pin_mut;
use futures_util::stream::StreamExt;

#[tokio::main]
async fn main() {
    let body = SecurityMonitoringSignalListRequest::new()
        .filter(
            SecurityMonitoringSignalListRequestFilter::new()
                .from(
                    DateTime::parse_from_rfc3339("2021-11-11T10:56:11+00:00")
                        .expect("Failed to parse datetime")
                        .with_timezone(&Utc),
                )
                .query("security:attack status:high".to_string())
                .to(DateTime::parse_from_rfc3339("2021-11-11T11:11:11+00:00")
                    .expect("Failed to parse datetime")
                    .with_timezone(&Utc)),
        )
        .page(SecurityMonitoringSignalListRequestPage::new().limit(2))
        .sort(SecurityMonitoringSignalsSort::TIMESTAMP_ASCENDING);
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let response = api.search_security_monitoring_signals_with_pagination(
        SearchSecurityMonitoringSignalsOptionalParams::default().body(body),
    );
    pin_mut!(response);
    while let Some(resp) = response.next().await {
        if let Ok(value) = resp {
            println!("{:#?}", value);
        } else {
            println!("{:#?}", resp.unwrap_err());
        }
    }
}

    Instructions

    First install the library and its dependencies and then save the example to src/main.rs and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run
    /**
 * Get a list of security signals returns "OK" response with pagination
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiSearchSecurityMonitoringSignalsRequest = {
  body: {
    filter: {
      from: new Date(new Date().getTime() + -15 * 60 * 1000),
      query: "security:attack status:high",
      to: new Date(),
    },
    page: {
      limit: 2,
    },
    sort: "timestamp",
  },
};

(async () => {
  try {
    for await (const item of apiInstance.searchSecurityMonitoringSignalsWithPagination(
      params
    )) {
      console.log(item);
    }
  } catch (error) {
    console.error(error);
  }
})();

    Instructions

    First install the library and its dependencies and then save the example to example.ts and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"

    Get a signal's details

    GET https://api.ap1.datadoghq.com/api/v2/security_monitoring/signals/{signal_id}https://api.ap2.datadoghq.com/api/v2/security_monitoring/signals/{signal_id}https://api.datadoghq.eu/api/v2/security_monitoring/signals/{signal_id}https://api.ddog-gov.com/api/v2/security_monitoring/signals/{signal_id}https://api.datadoghq.com/api/v2/security_monitoring/signals/{signal_id}https://api.us3.datadoghq.com/api/v2/security_monitoring/signals/{signal_id}https://api.us5.datadoghq.com/api/v2/security_monitoring/signals/{signal_id}

    Overview

    Get a signal’s details. This endpoint requires the security_monitoring_signals_read permission.

    OAuth apps require the security_monitoring_signals_read authorization scope to access this endpoint.

    Arguments

    Path Parameters

    Name

    Type

    Description

    signal_id [required]

    string

    The ID of the signal.

    Response

    OK

    Security Signal response data object.

    Expand All

    Field

    Type

    Description

    data

    object

    Object description of a security signal.

    attributes

    object

    The object containing all signal attributes and their associated values.

    custom

    object

    A JSON object of attributes in the security signal.

    message

    string

    The message in the security signal defined by the rule that generated the signal.

    tags

    [string]

    An array of tags associated with the security signal.

    timestamp

    date-time

    The timestamp of the security signal.

    id

    string

    The unique ID of the security signal.

    type

    enum

    The type of event. Allowed enum values: signal

    default: signal

    {
  "data": {
    "attributes": {
      "custom": {
        "workflow": {
          "first_seen": "2020-06-23T14:46:01.000Z",
          "last_seen": "2020-06-23T14:46:49.000Z",
          "rule": {
            "id": "0f5-e0c-805",
            "name": "Brute Force Attack Grouped By User ",
            "version": 12
          }
        }
      },
      "message": "Detect Account Take Over (ATO) through brute force attempts",
      "tags": [
        "security:attack",
        "technique:T1110-brute-force"
      ],
      "timestamp": "2019-01-02T09:42:36.320Z"
    },
    "id": "AAAAAWgN8Xwgr1vKDQAAAABBV2dOOFh3ZzZobm1mWXJFYTR0OA",
    "type": "signal"
  }
}

    Not Found

    API error response.

    Expand All

    Field

    Type

    Description

    errors [required]

    [string]

    A list of errors.

    {
  "errors": [
    "Bad Request"
  ]
}

    Too many requests

    API error response.

    Expand All

    Field

    Type

    Description

    errors [required]

    [string]

    A list of errors.

    {
  "errors": [
    "Bad Request"
  ]
}

    Code Example

                      # Path parameters
    export signal_id="CHANGE_ME"
    # Curl command
    curl -X GET "https://api.ap1.datadoghq.com"https://api.ap2.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/signals/${signal_id}" \
-H "Accept: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"
    
                
    """
Get a signal's details returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.get_security_monitoring_signal(
        signal_id="AQAAAYNqUBVU4-rffwAAAABBWU5xVUJWVUFBQjJBd3ptMDdQUnF3QUE",
    )

    print(response)

    Instructions

    First install the library and its dependencies and then save the example to example.py and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
    # Get a signal's details returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new
p api_instance.get_security_monitoring_signal("AQAAAYNqUBVU4-rffwAAAABBWU5xVUJWVUFBQjJBd3ptMDdQUnF3QUE")

    Instructions

    First install the library and its dependencies and then save the example to example.rb and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" rb "example.rb"
    // Get a signal's details returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.GetSecurityMonitoringSignal(ctx, "AQAAAYNqUBVU4-rffwAAAABBWU5xVUJWVUFBQjJBd3ptMDdQUnF3QUE")

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.GetSecurityMonitoringSignal`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.GetSecurityMonitoringSignal`:\n%s\n", responseContent)
}

    Instructions

    First install the library and its dependencies and then save the example to main.go and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
    // Get a signal's details returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityMonitoringSignalResponse;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    try {
      SecurityMonitoringSignalResponse result =
          apiInstance.getSecurityMonitoringSignal(
              "AQAAAYNqUBVU4-rffwAAAABBWU5xVUJWVUFBQjJBd3ptMDdQUnF3QUE");
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#getSecurityMonitoringSignal");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

    Instructions

    First install the library and its dependencies and then save the example to Example.java and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"
    // Get a signal's details returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;

#[tokio::main]
async fn main() {
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api
        .get_security_monitoring_signal(
            "AQAAAYNqUBVU4-rffwAAAABBWU5xVUJWVUFBQjJBd3ptMDdQUnF3QUE".to_string(),
        )
        .await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}

    Instructions

    First install the library and its dependencies and then save the example to src/main.rs and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run
    /**
 * Get a signal's details returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiGetSecurityMonitoringSignalRequest = {
  signalId: "AQAAAYNqUBVU4-rffwAAAABBWU5xVUJWVUFBQjJBd3ptMDdQUnF3QUE",
};

apiInstance
  .getSecurityMonitoringSignal(params)
  .then((data: v2.SecurityMonitoringSignalResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

    Instructions

    First install the library and its dependencies and then save the example to example.ts and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"

    Delete a security filter

    DELETE https://api.ap1.datadoghq.com/api/v2/security_monitoring/configuration/security_filters/{security_filter_id}https://api.ap2.datadoghq.com/api/v2/security_monitoring/configuration/security_filters/{security_filter_id}https://api.datadoghq.eu/api/v2/security_monitoring/configuration/security_filters/{security_filter_id}https://api.ddog-gov.com/api/v2/security_monitoring/configuration/security_filters/{security_filter_id}https://api.datadoghq.com/api/v2/security_monitoring/configuration/security_filters/{security_filter_id}https://api.us3.datadoghq.com/api/v2/security_monitoring/configuration/security_filters/{security_filter_id}https://api.us5.datadoghq.com/api/v2/security_monitoring/configuration/security_filters/{security_filter_id}

    Overview

    Delete a specific security filter. This endpoint requires the security_monitoring_filters_write permission.

    OAuth apps require the security_monitoring_filters_write authorization scope to access this endpoint.

    Arguments

    Path Parameters

    Name

    Type

    Description

    security_filter_id [required]

    string

    The ID of the security filter.

    Response

    OK

    Not Authorized

    API error response.

    Expand All

    Field

    Type

    Description

    errors [required]

    [string]

    A list of errors.

    {
  "errors": [
    "Bad Request"
  ]
}

    Not Found

    API error response.

    Expand All

    Field

    Type

    Description

    errors [required]

    [string]

    A list of errors.

    {
  "errors": [
    "Bad Request"
  ]
}

    Too many requests

    API error response.

    Expand All

    Field

    Type

    Description

    errors [required]

    [string]

    A list of errors.

    {
  "errors": [
    "Bad Request"
  ]
}

    Code Example

                      # Path parameters
    export security_filter_id="CHANGE_ME"
    # Curl command
    curl -X DELETE "https://api.ap1.datadoghq.com"https://api.ap2.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/configuration/security_filters/${security_filter_id}" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"
    
                
    """
Delete a security filter returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    api_instance.delete_security_filter(
        security_filter_id="security_filter_id",
    )

    Instructions

    First install the library and its dependencies and then save the example to example.py and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
    # Delete a security filter returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new
api_instance.delete_security_filter("security_filter_id")

    Instructions

    First install the library and its dependencies and then save the example to example.rb and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" rb "example.rb"
    // Delete a security filter returns "OK" response

package main

import (
	"context"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	r, err := api.DeleteSecurityFilter(ctx, "security_filter_id")

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.DeleteSecurityFilter`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}
}

    Instructions

    First install the library and its dependencies and then save the example to main.go and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
    // Delete a security filter returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    try {
      apiInstance.deleteSecurityFilter("security_filter_id");
    } catch (ApiException e) {
      System.err.println("Exception when calling SecurityMonitoringApi#deleteSecurityFilter");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

    Instructions

    First install the library and its dependencies and then save the example to Example.java and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"
    // Delete a security filter returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;

#[tokio::main]
async fn main() {
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api
        .delete_security_filter("security_filter_id".to_string())
        .await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}

    Instructions

    First install the library and its dependencies and then save the example to src/main.rs and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run
    /**
 * Delete a security filter returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiDeleteSecurityFilterRequest = {
  securityFilterId: "security_filter_id",
};

apiInstance
  .deleteSecurityFilter(params)
  .then((data: any) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

    Instructions

    First install the library and its dependencies and then save the example to example.ts and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"

    Get a quick list of security signals

    GET https://api.ap1.datadoghq.com/api/v2/security_monitoring/signalshttps://api.ap2.datadoghq.com/api/v2/security_monitoring/signalshttps://api.datadoghq.eu/api/v2/security_monitoring/signalshttps://api.ddog-gov.com/api/v2/security_monitoring/signalshttps://api.datadoghq.com/api/v2/security_monitoring/signalshttps://api.us3.datadoghq.com/api/v2/security_monitoring/signalshttps://api.us5.datadoghq.com/api/v2/security_monitoring/signals

    Overview

    The list endpoint returns security signals that match a search query. Both this endpoint and the POST endpoint can be used interchangeably when listing security signals. This endpoint requires the security_monitoring_signals_read permission.

    OAuth apps require the security_monitoring_signals_read authorization scope to access this endpoint.

    Arguments

    Query Strings

    Name

    Type

    Description

    filter[query]

    string

    The search query for security signals.

    filter[from]

    string

    The minimum timestamp for requested security signals.

    filter[to]

    string

    The maximum timestamp for requested security signals.

    sort

    enum

    The order of the security signals in results.
    Allowed enum values: timestamp, -timestamp

    page[cursor]

    string

    A list of results using the cursor provided in the previous query.

    page[limit]

    integer

    The maximum number of security signals in the response.

    Response

    OK

    The response object with all security signals matching the request and pagination information.

    Expand All

    Field

    Type

    Description

    data

    [object]

    An array of security signals matching the request.

    attributes

    object

    The object containing all signal attributes and their associated values.

    custom

    object

    A JSON object of attributes in the security signal.

    message

    string

    The message in the security signal defined by the rule that generated the signal.

    tags

    [string]

    An array of tags associated with the security signal.

    timestamp

    date-time

    The timestamp of the security signal.

    id

    string

    The unique ID of the security signal.

    type

    enum

    The type of event. Allowed enum values: signal

    default: signal

    links

    object

    Links attributes.

    next

    string

    The link for the next set of results. Note: The request can also be made using the POST endpoint.

    meta

    object

    Meta attributes.

    page

    object

    Paging attributes.

    after

    string

    The cursor used to get the next results, if any. To make the next request, use the same parameters with the addition of the page[cursor].

    {
  "data": [
    {
      "attributes": {
        "custom": {
          "workflow": {
            "first_seen": "2020-06-23T14:46:01.000Z",
            "last_seen": "2020-06-23T14:46:49.000Z",
            "rule": {
              "id": "0f5-e0c-805",
              "name": "Brute Force Attack Grouped By User ",
              "version": 12
            }
          }
        },
        "message": "Detect Account Take Over (ATO) through brute force attempts",
        "tags": [
          "security:attack",
          "technique:T1110-brute-force"
        ],
        "timestamp": "2019-01-02T09:42:36.320Z"
      },
      "id": "AAAAAWgN8Xwgr1vKDQAAAABBV2dOOFh3ZzZobm1mWXJFYTR0OA",
      "type": "signal"
    }
  ],
  "links": {
    "next": "https://app.datadoghq.com/api/v2/security_monitoring/signals?filter[query]=foo\u0026page[cursor]=eyJzdGFydEF0IjoiQVFBQUFYS2tMS3pPbm40NGV3QUFBQUJCV0V0clRFdDZVbG8zY3pCRmNsbHJiVmxDWlEifQ=="
  },
  "meta": {
    "page": {
      "after": "eyJzdGFydEF0IjoiQVFBQUFYS2tMS3pPbm40NGV3QUFBQUJCV0V0clRFdDZVbG8zY3pCRmNsbHJiVmxDWlEifQ=="
    }
  }
}

    Bad Request

    API error response.

    Expand All

    Field

    Type

    Description

    errors [required]

    [string]

    A list of errors.

    {
  "errors": [
    "Bad Request"
  ]
}

    Not Authorized

    API error response.

    Expand All

    Field

    Type

    Description

    errors [required]

    [string]

    A list of errors.

    {
  "errors": [
    "Bad Request"
  ]
}

    Too many requests

    API error response.

    Expand All

    Field

    Type

    Description

    errors [required]

    [string]

    A list of errors.

    {
  "errors": [
    "Bad Request"
  ]
}

    Code Example

                      # Curl command
    curl -X GET "https://api.ap1.datadoghq.com"https://api.ap2.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/signals" \
-H "Accept: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"
    
                
    """
Get a quick list of security signals returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.list_security_monitoring_signals()

    print(response)

    Instructions

    First install the library and its dependencies and then save the example to example.py and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
    # Get a quick list of security signals returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new
p api_instance.list_security_monitoring_signals()

    Instructions

    First install the library and its dependencies and then save the example to example.rb and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" rb "example.rb"
    // Get a quick list of security signals returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.ListSecurityMonitoringSignals(ctx, *datadogV2.NewListSecurityMonitoringSignalsOptionalParameters())

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.ListSecurityMonitoringSignals`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.ListSecurityMonitoringSignals`:\n%s\n", responseContent)
}

    Instructions

    First install the library and its dependencies and then save the example to main.go and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
    // Get a quick list of security signals returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityMonitoringSignalsListResponse;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    try {
      SecurityMonitoringSignalsListResponse result = apiInstance.listSecurityMonitoringSignals();
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#listSecurityMonitoringSignals");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

    Instructions

    First install the library and its dependencies and then save the example to Example.java and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"
    // Get a quick list of security signals returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::ListSecurityMonitoringSignalsOptionalParams;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;

#[tokio::main]
async fn main() {
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api
        .list_security_monitoring_signals(ListSecurityMonitoringSignalsOptionalParams::default())
        .await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}

    Instructions

    First install the library and its dependencies and then save the example to src/main.rs and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run
    /**
 * Get a quick list of security signals returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

apiInstance
  .listSecurityMonitoringSignals()
  .then((data: v2.SecurityMonitoringSignalsListResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

    Instructions

    First install the library and its dependencies and then save the example to example.ts and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"

    Get the list of signal-based notification rules

    GET https://api.ap1.datadoghq.com/api/v2/security/signals/notification_ruleshttps://api.ap2.datadoghq.com/api/v2/security/signals/notification_ruleshttps://api.datadoghq.eu/api/v2/security/signals/notification_ruleshttps://api.ddog-gov.com/api/v2/security/signals/notification_ruleshttps://api.datadoghq.com/api/v2/security/signals/notification_ruleshttps://api.us3.datadoghq.com/api/v2/security/signals/notification_ruleshttps://api.us5.datadoghq.com/api/v2/security/signals/notification_rules

    Overview

    Returns the list of notification rules for security signals. This endpoint requires the security_monitoring_notification_profiles_read permission.

    Response

    The list of notification rules.

    Expand All

    Field

    Type

    Description

    data

    [object]

    attributes [required]

    object

    Attributes of the notification rule.

    created_at [required]

    int64

    Date as Unix timestamp in milliseconds.

    created_by [required]

    object

    User creating or modifying a rule.

    handle

    string

    The user handle.

    name

    string

    The user name.

    enabled [required]

    boolean

    Field used to enable or disable the rule.

    modified_at [required]

    int64

    Date as Unix timestamp in milliseconds.

    modified_by [required]

    object

    User creating or modifying a rule.

    handle

    string

    The user handle.

    name

    string

    The user name.

    name [required]

    string

    Name of the notification rule.

    selectors [required]

    object

    Selectors are used to filter security issues for which notifications should be generated. Users can specify rule severities, rule types, a query to filter security issues on tags and attributes, and the trigger source. Only the trigger_source field is required.

    query

    string

    The query is composed of one or several key:value pairs, which can be used to filter security issues on tags and attributes.

    rule_types

    [string]

    Security rule types used as filters in security rules.

    severities

    [string]

    The security rules severities to consider.

    trigger_source [required]

    enum

    The type of security issues on which the rule applies. Notification rules based on security signals need to use the trigger source "security_signals", while notification rules based on security vulnerabilities need to use the trigger source "security_findings". Allowed enum values: security_findings,security_signals

    targets [required]

    [string]

    List of recipients to notify when a notification rule is triggered. Many different target types are supported, such as email addresses, Slack channels, and PagerDuty services. The appropriate integrations need to be properly configured to send notifications to the specified targets.

    time_aggregation

    int64

    Time aggregation period (in seconds) is used to aggregate the results of the notification rule evaluation. Results are aggregated over a selected time frame using a rolling window, which updates with each new evaluation. Notifications are only sent for new issues discovered during the window. Time aggregation is only available for vulnerability-based notification rules. When omitted or set to 0, no aggregation is done.

    version [required]

    int64

    Version of the notification rule. It is updated when the rule is modified.

    id [required]

    string

    The ID of a notification rule.

    type [required]

    enum

    The rule type associated to notification rules. Allowed enum values: notification_rules

    {
  "data": [
    {
      "attributes": {
        "created_at": 1722439510282,
        "created_by": {
          "handle": "john.doe@domain.com",
          "name": "John Doe"
        },
        "enabled": true,
        "modified_at": 1722439510282,
        "modified_by": {
          "handle": "john.doe@domain.com",
          "name": "John Doe"
        },
        "name": "Rule 1",
        "selectors": {
          "query": "(source:production_service OR env:prod)",
          "rule_types": [
            "misconfiguration",
            "attack_path"
          ],
          "severities": [
            "critical"
          ],
          "trigger_source": "security_findings"
        },
        "targets": [
          "@john.doe@email.com"
        ],
        "time_aggregation": 86400,
        "version": 1
      },
      "id": "aaa-bbb-ccc",
      "type": "notification_rules"
    }
  ]
}

    Forbidden

    API error response.

    Expand All

    Field

    Type

    Description

    errors [required]

    [string]

    A list of errors.

    {
  "errors": [
    "Bad Request"
  ]
}

    Too many requests

    API error response.

    Expand All

    Field

    Type

    Description

    errors [required]

    [string]

    A list of errors.

    {
  "errors": [
    "Bad Request"
  ]
}

    Code Example

                      # Curl command
    curl -X GET "https://api.ap1.datadoghq.com"https://api.ap2.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security/signals/notification_rules" \
-H "Accept: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"
    
                
    """
Get the list of signal-based notification rules returns "The list of notification rules." response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.get_signal_notification_rules()

    print(response)

    Instructions

    First install the library and its dependencies and then save the example to example.py and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
    # Get the list of signal-based notification rules returns "The list of notification rules." response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new
p api_instance.get_signal_notification_rules()

    Instructions

    First install the library and its dependencies and then save the example to example.rb and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" rb "example.rb"
    // Get the list of signal-based notification rules returns "The list of notification rules." response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.GetSignalNotificationRules(ctx)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.GetSignalNotificationRules`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.GetSignalNotificationRules`:\n%s\n", responseContent)
}

    Instructions

    First install the library and its dependencies and then save the example to main.go and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
    // Get the list of signal-based notification rules returns "The list of notification rules."
// response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    try {
      apiInstance.getSignalNotificationRules();
    } catch (ApiException e) {
      System.err.println("Exception when calling SecurityMonitoringApi#getSignalNotificationRules");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

    Instructions

    First install the library and its dependencies and then save the example to Example.java and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"
    // Get the list of signal-based notification rules returns "The list of
// notification rules." response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;

#[tokio::main]
async fn main() {
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api.get_signal_notification_rules().await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}

    Instructions

    First install the library and its dependencies and then save the example to src/main.rs and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run
    /**
 * Get the list of signal-based notification rules returns "The list of notification rules." response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

apiInstance
  .getSignalNotificationRules()
  .then((data: any) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

    Instructions

    First install the library and its dependencies and then save the example to example.ts and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"

    Get the list of vulnerability notification rules

    GET https://api.ap1.datadoghq.com/api/v2/security/vulnerabilities/notification_ruleshttps://api.ap2.datadoghq.com/api/v2/security/vulnerabilities/notification_ruleshttps://api.datadoghq.eu/api/v2/security/vulnerabilities/notification_ruleshttps://api.ddog-gov.com/api/v2/security/vulnerabilities/notification_ruleshttps://api.datadoghq.com/api/v2/security/vulnerabilities/notification_ruleshttps://api.us3.datadoghq.com/api/v2/security/vulnerabilities/notification_ruleshttps://api.us5.datadoghq.com/api/v2/security/vulnerabilities/notification_rules

    Overview

    Returns the list of notification rules for security vulnerabilities. This endpoint requires the security_monitoring_notification_profiles_read permission.

    Response

    The list of notification rules.

    Expand All

    Field

    Type

    Description

    data

    [object]

    attributes [required]

    object

    Attributes of the notification rule.

    created_at [required]

    int64

    Date as Unix timestamp in milliseconds.

    created_by [required]

    object

    User creating or modifying a rule.

    handle

    string

    The user handle.

    name

    string

    The user name.

    enabled [required]

    boolean

    Field used to enable or disable the rule.

    modified_at [required]

    int64

    Date as Unix timestamp in milliseconds.

    modified_by [required]

    object

    User creating or modifying a rule.

    handle

    string

    The user handle.

    name

    string

    The user name.

    name [required]

    string

    Name of the notification rule.

    selectors [required]

    object

    Selectors are used to filter security issues for which notifications should be generated. Users can specify rule severities, rule types, a query to filter security issues on tags and attributes, and the trigger source. Only the trigger_source field is required.

    query

    string

    The query is composed of one or several key:value pairs, which can be used to filter security issues on tags and attributes.

    rule_types

    [string]

    Security rule types used as filters in security rules.

    severities

    [string]

    The security rules severities to consider.

    trigger_source [required]

    enum

    The type of security issues on which the rule applies. Notification rules based on security signals need to use the trigger source "security_signals", while notification rules based on security vulnerabilities need to use the trigger source "security_findings". Allowed enum values: security_findings,security_signals

    targets [required]

    [string]

    List of recipients to notify when a notification rule is triggered. Many different target types are supported, such as email addresses, Slack channels, and PagerDuty services. The appropriate integrations need to be properly configured to send notifications to the specified targets.

    time_aggregation

    int64

    Time aggregation period (in seconds) is used to aggregate the results of the notification rule evaluation. Results are aggregated over a selected time frame using a rolling window, which updates with each new evaluation. Notifications are only sent for new issues discovered during the window. Time aggregation is only available for vulnerability-based notification rules. When omitted or set to 0, no aggregation is done.

    version [required]

    int64

    Version of the notification rule. It is updated when the rule is modified.

    id [required]

    string

    The ID of a notification rule.

    type [required]

    enum

    The rule type associated to notification rules. Allowed enum values: notification_rules

    {
  "data": [
    {
      "attributes": {
        "created_at": 1722439510282,
        "created_by": {
          "handle": "john.doe@domain.com",
          "name": "John Doe"
        },
        "enabled": true,
        "modified_at": 1722439510282,
        "modified_by": {
          "handle": "john.doe@domain.com",
          "name": "John Doe"
        },
        "name": "Rule 1",
        "selectors": {
          "query": "(source:production_service OR env:prod)",
          "rule_types": [
            "misconfiguration",
            "attack_path"
          ],
          "severities": [
            "critical"
          ],
          "trigger_source": "security_findings"
        },
        "targets": [
          "@john.doe@email.com"
        ],
        "time_aggregation": 86400,
        "version": 1
      },
      "id": "aaa-bbb-ccc",
      "type": "notification_rules"
    }
  ]
}

    Forbidden

    API error response.

    Expand All

    Field

    Type

    Description

    errors [required]

    [string]

    A list of errors.

    {
  "errors": [
    "Bad Request"
  ]
}

    Too many requests

    API error response.

    Expand All

    Field

    Type

    Description

    errors [required]

    [string]

    A list of errors.

    {
  "errors": [
    "Bad Request"
  ]
}

    Code Example

                      # Curl command
    curl -X GET "https://api.ap1.datadoghq.com"https://api.ap2.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security/vulnerabilities/notification_rules" \
-H "Accept: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"
    
                
    """
Get the list of vulnerability notification rules returns "The list of notification rules." response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.get_vulnerability_notification_rules()

    print(response)

    Instructions

    First install the library and its dependencies and then save the example to example.py and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
    # Get the list of vulnerability notification rules returns "The list of notification rules." response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new
p api_instance.get_vulnerability_notification_rules()

    Instructions

    First install the library and its dependencies and then save the example to example.rb and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" rb "example.rb"
    // Get the list of vulnerability notification rules returns "The list of notification rules." response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.GetVulnerabilityNotificationRules(ctx)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.GetVulnerabilityNotificationRules`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.GetVulnerabilityNotificationRules`:\n%s\n", responseContent)
}

    Instructions

    First install the library and its dependencies and then save the example to main.go and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
    // Get the list of vulnerability notification rules returns "The list of notification rules."
// response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    try {
      apiInstance.getVulnerabilityNotificationRules();
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#getVulnerabilityNotificationRules");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

    Instructions

    First install the library and its dependencies and then save the example to Example.java and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"
    // Get the list of vulnerability notification rules returns "The list of
// notification rules." response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;

#[tokio::main]
async fn main() {
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api.get_vulnerability_notification_rules().await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}

    Instructions

    First install the library and its dependencies and then save the example to src/main.rs and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run
    /**
 * Get the list of vulnerability notification rules returns "The list of notification rules." response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

apiInstance
  .getVulnerabilityNotificationRules()
  .then((data: any) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

    Instructions

    First install the library and its dependencies and then save the example to example.ts and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"

    Update a security filter

    PATCH https://api.ap1.datadoghq.com/api/v2/security_monitoring/configuration/security_filters/{security_filter_id}https://api.ap2.datadoghq.com/api/v2/security_monitoring/configuration/security_filters/{security_filter_id}https://api.datadoghq.eu/api/v2/security_monitoring/configuration/security_filters/{security_filter_id}https://api.ddog-gov.com/api/v2/security_monitoring/configuration/security_filters/{security_filter_id}https://api.datadoghq.com/api/v2/security_monitoring/configuration/security_filters/{security_filter_id}https://api.us3.datadoghq.com/api/v2/security_monitoring/configuration/security_filters/{security_filter_id}https://api.us5.datadoghq.com/api/v2/security_monitoring/configuration/security_filters/{security_filter_id}

    Overview

    Update a specific security filter. Returns the security filter object when the request is successful. This endpoint requires the security_monitoring_filters_write permission.

    OAuth apps require the security_monitoring_filters_write authorization scope to access this endpoint.

    Arguments

    Path Parameters

    Name

    Type

    Description

    security_filter_id [required]

    string

    The ID of the security filter.

    Request

    Body Data (required)

    New definition of the security filter.

    Expand All

    Field

    Type

    Description

    data [required]

    object

    The new security filter properties.

    attributes [required]

    object

    The security filters properties to be updated.

    exclusion_filters

    [object]

    Exclusion filters to exclude some logs from the security filter.

    name [required]

    string

    Exclusion filter name.

    query [required]

    string

    Exclusion filter query. Logs that match this query are excluded from the security filter.

    filtered_data_type

    enum

    The filtered data type. Allowed enum values: logs

    is_enabled

    boolean

    Whether the security filter is enabled.

    name

    string

    The name of the security filter.

    query

    string

    The query of the security filter.

    version

    int32

    The version of the security filter to update.

    type [required]

    enum

    The type of the resource. The value should always be security_filters. Allowed enum values: security_filters

    default: security_filters

    {
  "data": {
    "attributes": {
      "exclusion_filters": [],
      "filtered_data_type": "logs",
      "is_enabled": true,
      "name": "Example-Security-Monitoring",
      "query": "service:ExampleSecurityMonitoring",
      "version": 1
    },
    "type": "security_filters"
  }
}

    Response

    OK

    Response object which includes a single security filter.

    Expand All

    Field

    Type

    Description

    data

    object

    The security filter's properties.

    attributes

    object

    The object describing a security filter.

    exclusion_filters

    [object]

    The list of exclusion filters applied in this security filter.

    name

    string

    The exclusion filter name.

    query

    string

    The exclusion filter query.

    filtered_data_type

    enum

    The filtered data type. Allowed enum values: logs

    is_builtin

    boolean

    Whether the security filter is the built-in filter.

    is_enabled

    boolean

    Whether the security filter is enabled.

    name

    string

    The security filter name.

    query

    string

    The security filter query. Logs accepted by this query will be accepted by this filter.

    version

    int32

    The version of the security filter.

    id

    string

    The ID of the security filter.

    type

    enum

    The type of the resource. The value should always be security_filters. Allowed enum values: security_filters

    default: security_filters

    meta

    object

    Optional metadata associated to the response.

    warning

    string

    A warning message.

    {
  "data": {
    "attributes": {
      "exclusion_filters": [
        {
          "name": "Exclude staging",
          "query": "source:staging"
        }
      ],
      "filtered_data_type": "logs",
      "is_builtin": false,
      "is_enabled": false,
      "name": "Custom security filter",
      "query": "service:api",
      "version": 1
    },
    "id": "3dd-0uc-h1s",
    "type": "security_filters"
  },
  "meta": {
    "warning": "All the security filters are disabled. As a result, no logs are being analyzed."
  }
}

    Bad Request

    API error response.

    Expand All

    Field

    Type

    Description

    errors [required]

    [string]

    A list of errors.

    {
  "errors": [
    "Bad Request"
  ]
}

    Not Authorized

    API error response.

    Expand All

    Field

    Type

    Description

    errors [required]

    [string]

    A list of errors.

    {
  "errors": [
    "Bad Request"
  ]
}

    Not Found

    API error response.

    Expand All

    Field

    Type

    Description

    errors [required]

    [string]

    A list of errors.

    {
  "errors": [
    "Bad Request"
  ]
}

    Concurrent Modification

    API error response.

    Expand All

    Field

    Type

    Description

    errors [required]

    [string]

    A list of errors.

    {
  "errors": [
    "Bad Request"
  ]
}

    Too many requests

    API error response.

    Expand All

    Field

    Type

    Description

    errors [required]

    [string]

    A list of errors.

    {
  "errors": [
    "Bad Request"
  ]
}

    Code Example

                              # Path parameters
    export security_filter_id="CHANGE_ME"
    # Curl command
    curl -X PATCH "https://api.ap1.datadoghq.com"https://api.ap2.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/configuration/security_filters/${security_filter_id}" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "data": {
    "attributes": {
      "exclusion_filters": [],
      "filtered_data_type": "logs",
      "is_enabled": true,
      "name": "Example-Security-Monitoring",
      "query": "service:ExampleSecurityMonitoring",
      "version": 1
    },
    "type": "security_filters"
  }
}
EOF
    
                        
    // Update a security filter returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	// there is a valid "security_filter" in the system
	SecurityFilterDataID := os.Getenv("SECURITY_FILTER_DATA_ID")

	body := datadogV2.SecurityFilterUpdateRequest{
		Data: datadogV2.SecurityFilterUpdateData{
			Attributes: datadogV2.SecurityFilterUpdateAttributes{
				ExclusionFilters: []datadogV2.SecurityFilterExclusionFilter{},
				FilteredDataType: datadogV2.SECURITYFILTERFILTEREDDATATYPE_LOGS.Ptr(),
				IsEnabled:        datadog.PtrBool(true),
				Name:             datadog.PtrString("Example-Security-Monitoring"),
				Query:            datadog.PtrString("service:ExampleSecurityMonitoring"),
				Version:          datadog.PtrInt32(1),
			},
			Type: datadogV2.SECURITYFILTERTYPE_SECURITY_FILTERS,
		},
	}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.UpdateSecurityFilter(ctx, SecurityFilterDataID, body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.UpdateSecurityFilter`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.UpdateSecurityFilter`:\n%s\n", responseContent)
}

    Instructions

    First install the library and its dependencies and then save the example to main.go and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
    // Update a security filter returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityFilterFilteredDataType;
import com.datadog.api.client.v2.model.SecurityFilterResponse;
import com.datadog.api.client.v2.model.SecurityFilterType;
import com.datadog.api.client.v2.model.SecurityFilterUpdateAttributes;
import com.datadog.api.client.v2.model.SecurityFilterUpdateData;
import com.datadog.api.client.v2.model.SecurityFilterUpdateRequest;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    // there is a valid "security_filter" in the system
    String SECURITY_FILTER_DATA_ID = System.getenv("SECURITY_FILTER_DATA_ID");

    SecurityFilterUpdateRequest body =
        new SecurityFilterUpdateRequest()
            .data(
                new SecurityFilterUpdateData()
                    .attributes(
                        new SecurityFilterUpdateAttributes()
                            .filteredDataType(SecurityFilterFilteredDataType.LOGS)
                            .isEnabled(true)
                            .name("Example-Security-Monitoring")
                            .query("service:ExampleSecurityMonitoring")
                            .version(1))
                    .type(SecurityFilterType.SECURITY_FILTERS));

    try {
      SecurityFilterResponse result =
          apiInstance.updateSecurityFilter(SECURITY_FILTER_DATA_ID, body);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println("Exception when calling SecurityMonitoringApi#updateSecurityFilter");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

    Instructions

    First install the library and its dependencies and then save the example to Example.java and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"
    """
Update a security filter returns "OK" response
"""

from os import environ
from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.security_filter_filtered_data_type import SecurityFilterFilteredDataType
from datadog_api_client.v2.model.security_filter_type import SecurityFilterType
from datadog_api_client.v2.model.security_filter_update_attributes import SecurityFilterUpdateAttributes
from datadog_api_client.v2.model.security_filter_update_data import SecurityFilterUpdateData
from datadog_api_client.v2.model.security_filter_update_request import SecurityFilterUpdateRequest

# there is a valid "security_filter" in the system
SECURITY_FILTER_DATA_ID = environ["SECURITY_FILTER_DATA_ID"]

body = SecurityFilterUpdateRequest(
    data=SecurityFilterUpdateData(
        attributes=SecurityFilterUpdateAttributes(
            exclusion_filters=[],
            filtered_data_type=SecurityFilterFilteredDataType.LOGS,
            is_enabled=True,
            name="Example-Security-Monitoring",
            query="service:ExampleSecurityMonitoring",
            version=1,
        ),
        type=SecurityFilterType.SECURITY_FILTERS,
    ),
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.update_security_filter(security_filter_id=SECURITY_FILTER_DATA_ID, body=body)

    print(response)

    Instructions

    First install the library and its dependencies and then save the example to example.py and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
    # Update a security filter returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

# there is a valid "security_filter" in the system
SECURITY_FILTER_DATA_ID = ENV["SECURITY_FILTER_DATA_ID"]

body = DatadogAPIClient::V2::SecurityFilterUpdateRequest.new({
  data: DatadogAPIClient::V2::SecurityFilterUpdateData.new({
    attributes: DatadogAPIClient::V2::SecurityFilterUpdateAttributes.new({
      exclusion_filters: [],
      filtered_data_type: DatadogAPIClient::V2::SecurityFilterFilteredDataType::LOGS,
      is_enabled: true,
      name: "Example-Security-Monitoring",
      query: "service:ExampleSecurityMonitoring",
      version: 1,
    }),
    type: DatadogAPIClient::V2::SecurityFilterType::SECURITY_FILTERS,
  }),
})
p api_instance.update_security_filter(SECURITY_FILTER_DATA_ID, body)

    Instructions

    First install the library and its dependencies and then save the example to example.rb and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" rb "example.rb"
    // Update a security filter returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::SecurityFilterFilteredDataType;
use datadog_api_client::datadogV2::model::SecurityFilterType;
use datadog_api_client::datadogV2::model::SecurityFilterUpdateAttributes;
use datadog_api_client::datadogV2::model::SecurityFilterUpdateData;
use datadog_api_client::datadogV2::model::SecurityFilterUpdateRequest;

#[tokio::main]
async fn main() {
    // there is a valid "security_filter" in the system
    let security_filter_data_id = std::env::var("SECURITY_FILTER_DATA_ID").unwrap();
    let body = SecurityFilterUpdateRequest::new(SecurityFilterUpdateData::new(
        SecurityFilterUpdateAttributes::new()
            .exclusion_filters(vec![])
            .filtered_data_type(SecurityFilterFilteredDataType::LOGS)
            .is_enabled(true)
            .name("Example-Security-Monitoring".to_string())
            .query("service:ExampleSecurityMonitoring".to_string())
            .version(1),
        SecurityFilterType::SECURITY_FILTERS,
    ));
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api
        .update_security_filter(security_filter_data_id.clone(), body)
        .await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}

    Instructions

    First install the library and its dependencies and then save the example to src/main.rs and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run
    /**
 * Update a security filter returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

// there is a valid "security_filter" in the system
const SECURITY_FILTER_DATA_ID = process.env.SECURITY_FILTER_DATA_ID as string;

const params: v2.SecurityMonitoringApiUpdateSecurityFilterRequest = {
  body: {
    data: {
      attributes: {
        exclusionFilters: [],
        filteredDataType: "logs",
        isEnabled: true,
        name: "Example-Security-Monitoring",
        query: "service:ExampleSecurityMonitoring",
        version: 1,
      },
      type: "security_filters",
    },
  },
  securityFilterId: SECURITY_FILTER_DATA_ID,
};

apiInstance
  .updateSecurityFilter(params)
  .then((data: v2.SecurityFilterResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

    Instructions

    First install the library and its dependencies and then save the example to example.ts and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"

    Create a new signal-based notification rule

    POST https://api.ap1.datadoghq.com/api/v2/security/signals/notification_ruleshttps://api.ap2.datadoghq.com/api/v2/security/signals/notification_ruleshttps://api.datadoghq.eu/api/v2/security/signals/notification_ruleshttps://api.ddog-gov.com/api/v2/security/signals/notification_ruleshttps://api.datadoghq.com/api/v2/security/signals/notification_ruleshttps://api.us3.datadoghq.com/api/v2/security/signals/notification_ruleshttps://api.us5.datadoghq.com/api/v2/security/signals/notification_rules

    Overview

    Create a new notification rule for security signals and return the created rule. This endpoint requires the security_monitoring_notification_profiles_write permission.

    Request

    Body Data (required)

    The body of the create notification rule request is composed of the rule type and the rule attributes: the rule name, the selectors, the notification targets, and the rule enabled status.

    Expand All

    Field

    Type

    Description

    data

    object

    Data of the notification rule create request: the rule type, and the rule attributes. All fields are required.

    attributes [required]

    object

    Attributes of the notification rule create request.

    enabled

    boolean

    Field used to enable or disable the rule.

    name [required]

    string

    Name of the notification rule.

    selectors [required]

    object

    Selectors are used to filter security issues for which notifications should be generated. Users can specify rule severities, rule types, a query to filter security issues on tags and attributes, and the trigger source. Only the trigger_source field is required.

    query

    string

    The query is composed of one or several key:value pairs, which can be used to filter security issues on tags and attributes.

    rule_types

    [string]

    Security rule types used as filters in security rules.

    severities

    [string]

    The security rules severities to consider.

    trigger_source [required]

    enum

    The type of security issues on which the rule applies. Notification rules based on security signals need to use the trigger source "security_signals", while notification rules based on security vulnerabilities need to use the trigger source "security_findings". Allowed enum values: security_findings,security_signals

    targets [required]

    [string]

    List of recipients to notify when a notification rule is triggered. Many different target types are supported, such as email addresses, Slack channels, and PagerDuty services. The appropriate integrations need to be properly configured to send notifications to the specified targets.

    time_aggregation

    int64

    Time aggregation period (in seconds) is used to aggregate the results of the notification rule evaluation. Results are aggregated over a selected time frame using a rolling window, which updates with each new evaluation. Notifications are only sent for new issues discovered during the window. Time aggregation is only available for vulnerability-based notification rules. When omitted or set to 0, no aggregation is done.

    type [required]

    enum

    The rule type associated to notification rules. Allowed enum values: notification_rules

    {
  "data": {
    "attributes": {
      "enabled": true,
      "name": "Rule 1",
      "selectors": {
        "query": "(source:production_service OR env:prod)",
        "rule_types": [
          "misconfiguration",
          "attack_path"
        ],
        "severities": [
          "critical"
        ],
        "trigger_source": "security_findings"
      },
      "targets": [
        "@john.doe@email.com"
      ],
      "time_aggregation": 86400
    },
    "type": "notification_rules"
  }
}

    Response

    Successfully created the notification rule.

    Response object which includes a notification rule.

    Expand All

    Field

    Type

    Description

    data

    object

    Notification rules allow full control over notifications generated by the various Datadog security products. They allow users to define the conditions under which a notification should be generated (based on rule severities, rule types, rule tags, and so on), and the targets to notify. A notification rule is composed of a rule ID, a rule type, and the rule attributes. All fields are required.

    attributes [required]

    object

    Attributes of the notification rule.

    created_at [required]

    int64

    Date as Unix timestamp in milliseconds.

    created_by [required]

    object

    User creating or modifying a rule.

    handle

    string

    The user handle.

    name

    string

    The user name.

    enabled [required]

    boolean

    Field used to enable or disable the rule.

    modified_at [required]

    int64

    Date as Unix timestamp in milliseconds.

    modified_by [required]

    object

    User creating or modifying a rule.

    handle

    string

    The user handle.

    name

    string

    The user name.

    name [required]

    string

    Name of the notification rule.

    selectors [required]

    object

    Selectors are used to filter security issues for which notifications should be generated. Users can specify rule severities, rule types, a query to filter security issues on tags and attributes, and the trigger source. Only the trigger_source field is required.

    query

    string

    The query is composed of one or several key:value pairs, which can be used to filter security issues on tags and attributes.

    rule_types

    [string]

    Security rule types used as filters in security rules.

    severities

    [string]

    The security rules severities to consider.

    trigger_source [required]

    enum

    The type of security issues on which the rule applies. Notification rules based on security signals need to use the trigger source "security_signals", while notification rules based on security vulnerabilities need to use the trigger source "security_findings". Allowed enum values: security_findings,security_signals

    targets [required]

    [string]

    List of recipients to notify when a notification rule is triggered. Many different target types are supported, such as email addresses, Slack channels, and PagerDuty services. The appropriate integrations need to be properly configured to send notifications to the specified targets.

    time_aggregation

    int64

    Time aggregation period (in seconds) is used to aggregate the results of the notification rule evaluation. Results are aggregated over a selected time frame using a rolling window, which updates with each new evaluation. Notifications are only sent for new issues discovered during the window. Time aggregation is only available for vulnerability-based notification rules. When omitted or set to 0, no aggregation is done.

    version [required]

    int64

    Version of the notification rule. It is updated when the rule is modified.

    id [required]

    string

    The ID of a notification rule.

    type [required]

    enum

    The rule type associated to notification rules. Allowed enum values: notification_rules

    {
  "data": {
    "attributes": {
      "created_at": 1722439510282,
      "created_by": {
        "handle": "john.doe@domain.com",
        "name": "John Doe"
      },
      "enabled": true,
      "modified_at": 1722439510282,
      "modified_by": {
        "handle": "john.doe@domain.com",
        "name": "John Doe"
      },
      "name": "Rule 1",
      "selectors": {
        "query": "(source:production_service OR env:prod)",
        "rule_types": [
          "misconfiguration",
          "attack_path"
        ],
        "severities": [
          "critical"
        ],
        "trigger_source": "security_findings"
      },
      "targets": [
        "@john.doe@email.com"
      ],
      "time_aggregation": 86400,
      "version": 1
    },
    "id": "aaa-bbb-ccc",
    "type": "notification_rules"
  }
}

    Bad Request

    API error response.

    Expand All

    Field

    Type

    Description

    errors [required]

    [string]

    A list of errors.

    {
  "errors": [
    "Bad Request"
  ]
}

    Forbidden

    API error response.

    Expand All

    Field

    Type

    Description

    errors [required]

    [string]

    A list of errors.

    {
  "errors": [
    "Bad Request"
  ]
}

    Too many requests

    API error response.

    Expand All

    Field

    Type

    Description

    errors [required]

    [string]

    A list of errors.

    {
  "errors": [
    "Bad Request"
  ]
}

    Code Example

                              # Curl command
    curl -X POST "https://api.ap1.datadoghq.com"https://api.ap2.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security/signals/notification_rules" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "data": {
    "attributes": {
      "enabled": true,
      "name": "Rule 1",
      "selectors": {
        "query": "(source:production_service OR env:prod)",
        "rule_types": [
          "misconfiguration",
          "attack_path"
        ],
        "severities": [
          "critical"
        ],
        "trigger_source": "security_findings"
      },
      "targets": [
        "@john.doe@email.com"
      ],
      "time_aggregation": 86400
    },
    "type": "notification_rules"
  }
}
EOF
    
                        
    // Create a new signal-based notification rule returns "Successfully created the notification rule." response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	body := datadogV2.CreateNotificationRuleParameters{
		Data: &datadogV2.CreateNotificationRuleParametersData{
			Attributes: datadogV2.CreateNotificationRuleParametersDataAttributes{
				Enabled: datadog.PtrBool(true),
				Name:    "Rule 1",
				Selectors: datadogV2.Selectors{
					Query: datadog.PtrString("(source:production_service OR env:prod)"),
					RuleTypes: []datadogV2.RuleTypesItems{
						datadogV2.RULETYPESITEMS_MISCONFIGURATION,
						datadogV2.RULETYPESITEMS_ATTACK_PATH,
					},
					Severities: []datadogV2.RuleSeverity{
						datadogV2.RULESEVERITY_CRITICAL,
					},
					TriggerSource: datadogV2.TRIGGERSOURCE_SECURITY_FINDINGS,
				},
				Targets: []string{
					"@john.doe@email.com",
				},
				TimeAggregation: datadog.PtrInt64(86400),
			},
			Type: datadogV2.NOTIFICATIONRULESTYPE_NOTIFICATION_RULES,
		},
	}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.CreateSignalNotificationRule(ctx, body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.CreateSignalNotificationRule`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.CreateSignalNotificationRule`:\n%s\n", responseContent)
}

    Instructions

    First install the library and its dependencies and then save the example to main.go and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
    // Create a new signal-based notification rule returns "Successfully created the notification rule."
// response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.CreateNotificationRuleParameters;
import com.datadog.api.client.v2.model.CreateNotificationRuleParametersData;
import com.datadog.api.client.v2.model.CreateNotificationRuleParametersDataAttributes;
import com.datadog.api.client.v2.model.NotificationRuleResponse;
import com.datadog.api.client.v2.model.NotificationRulesType;
import com.datadog.api.client.v2.model.RuleSeverity;
import com.datadog.api.client.v2.model.RuleTypesItems;
import com.datadog.api.client.v2.model.Selectors;
import com.datadog.api.client.v2.model.TriggerSource;
import java.util.Arrays;
import java.util.Collections;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    CreateNotificationRuleParameters body =
        new CreateNotificationRuleParameters()
            .data(
                new CreateNotificationRuleParametersData()
                    .attributes(
                        new CreateNotificationRuleParametersDataAttributes()
                            .enabled(true)
                            .name("Rule 1")
                            .selectors(
                                new Selectors()
                                    .query("(source:production_service OR env:prod)")
                                    .ruleTypes(
                                        Arrays.asList(
                                            RuleTypesItems.MISCONFIGURATION,
                                            RuleTypesItems.ATTACK_PATH))
                                    .severities(Collections.singletonList(RuleSeverity.CRITICAL))
                                    .triggerSource(TriggerSource.SECURITY_FINDINGS))
                            .targets(Collections.singletonList("@john.doe@email.com"))
                            .timeAggregation(86400L))
                    .type(NotificationRulesType.NOTIFICATION_RULES));

    try {
      NotificationRuleResponse result = apiInstance.createSignalNotificationRule(body);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#createSignalNotificationRule");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

    Instructions

    First install the library and its dependencies and then save the example to Example.java and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"
    """
Create a new signal-based notification rule returns "Successfully created the notification rule." response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.create_notification_rule_parameters import CreateNotificationRuleParameters
from datadog_api_client.v2.model.create_notification_rule_parameters_data import CreateNotificationRuleParametersData
from datadog_api_client.v2.model.create_notification_rule_parameters_data_attributes import (
    CreateNotificationRuleParametersDataAttributes,
)
from datadog_api_client.v2.model.notification_rules_type import NotificationRulesType
from datadog_api_client.v2.model.rule_severity import RuleSeverity
from datadog_api_client.v2.model.rule_types_items import RuleTypesItems
from datadog_api_client.v2.model.selectors import Selectors
from datadog_api_client.v2.model.trigger_source import TriggerSource

body = CreateNotificationRuleParameters(
    data=CreateNotificationRuleParametersData(
        attributes=CreateNotificationRuleParametersDataAttributes(
            enabled=True,
            name="Rule 1",
            selectors=Selectors(
                query="(source:production_service OR env:prod)",
                rule_types=[
                    RuleTypesItems.MISCONFIGURATION,
                    RuleTypesItems.ATTACK_PATH,
                ],
                severities=[
                    RuleSeverity.CRITICAL,
                ],
                trigger_source=TriggerSource.SECURITY_FINDINGS,
            ),
            targets=[
                "@john.doe@email.com",
            ],
            time_aggregation=86400,
        ),
        type=NotificationRulesType.NOTIFICATION_RULES,
    ),
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.create_signal_notification_rule(body=body)

    print(response)

    Instructions

    First install the library and its dependencies and then save the example to example.py and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
    # Create a new signal-based notification rule returns "Successfully created the notification rule." response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

body = DatadogAPIClient::V2::CreateNotificationRuleParameters.new({
  data: DatadogAPIClient::V2::CreateNotificationRuleParametersData.new({
    attributes: DatadogAPIClient::V2::CreateNotificationRuleParametersDataAttributes.new({
      enabled: true,
      name: "Rule 1",
      selectors: DatadogAPIClient::V2::Selectors.new({
        query: "(source:production_service OR env:prod)",
        rule_types: [
          DatadogAPIClient::V2::RuleTypesItems::MISCONFIGURATION,
          DatadogAPIClient::V2::RuleTypesItems::ATTACK_PATH,
        ],
        severities: [
          DatadogAPIClient::V2::RuleSeverity::CRITICAL,
        ],
        trigger_source: DatadogAPIClient::V2::TriggerSource::SECURITY_FINDINGS,
      }),
      targets: [
        "@john.doe@email.com",
      ],
      time_aggregation: 86400,
    }),
    type: DatadogAPIClient::V2::NotificationRulesType::NOTIFICATION_RULES,
  }),
})
p api_instance.create_signal_notification_rule(body)

    Instructions

    First install the library and its dependencies and then save the example to example.rb and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" rb "example.rb"
    // Create a new signal-based notification rule returns "Successfully created the
// notification rule." response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::CreateNotificationRuleParameters;
use datadog_api_client::datadogV2::model::CreateNotificationRuleParametersData;
use datadog_api_client::datadogV2::model::CreateNotificationRuleParametersDataAttributes;
use datadog_api_client::datadogV2::model::NotificationRulesType;
use datadog_api_client::datadogV2::model::RuleSeverity;
use datadog_api_client::datadogV2::model::RuleTypesItems;
use datadog_api_client::datadogV2::model::Selectors;
use datadog_api_client::datadogV2::model::TriggerSource;

#[tokio::main]
async fn main() {
    let body =
        CreateNotificationRuleParameters::new().data(CreateNotificationRuleParametersData::new(
            CreateNotificationRuleParametersDataAttributes::new(
                "Rule 1".to_string(),
                Selectors::new(TriggerSource::SECURITY_FINDINGS)
                    .query("(source:production_service OR env:prod)".to_string())
                    .rule_types(vec![
                        RuleTypesItems::MISCONFIGURATION,
                        RuleTypesItems::ATTACK_PATH,
                    ])
                    .severities(vec![RuleSeverity::CRITICAL]),
                vec!["@john.doe@email.com".to_string()],
            )
            .enabled(true)
            .time_aggregation(86400),
            NotificationRulesType::NOTIFICATION_RULES,
        ));
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api.create_signal_notification_rule(body).await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}

    Instructions

    First install the library and its dependencies and then save the example to src/main.rs and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run
    /**
 * Create a new signal-based notification rule returns "Successfully created the notification rule." response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiCreateSignalNotificationRuleRequest = {
  body: {
    data: {
      attributes: {
        enabled: true,
        name: "Rule 1",
        selectors: {
          query: "(source:production_service OR env:prod)",
          ruleTypes: ["misconfiguration", "attack_path"],
          severities: ["critical"],
          triggerSource: "security_findings",
        },
        targets: ["@john.doe@email.com"],
        timeAggregation: 86400,
      },
      type: "notification_rules",
    },
  },
};

apiInstance
  .createSignalNotificationRule(params)
  .then((data: v2.NotificationRuleResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

    Instructions

    First install the library and its dependencies and then save the example to example.ts and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"

    Create a new vulnerability-based notification rule

    POST https://api.ap1.datadoghq.com/api/v2/security/vulnerabilities/notification_ruleshttps://api.ap2.datadoghq.com/api/v2/security/vulnerabilities/notification_ruleshttps://api.datadoghq.eu/api/v2/security/vulnerabilities/notification_ruleshttps://api.ddog-gov.com/api/v2/security/vulnerabilities/notification_ruleshttps://api.datadoghq.com/api/v2/security/vulnerabilities/notification_ruleshttps://api.us3.datadoghq.com/api/v2/security/vulnerabilities/notification_ruleshttps://api.us5.datadoghq.com/api/v2/security/vulnerabilities/notification_rules

    Overview

    Create a new notification rule for security vulnerabilities and return the created rule. This endpoint requires the security_monitoring_notification_profiles_write permission.

    Request

    Body Data (required)

    The body of the create notification rule request is composed of the rule type and the rule attributes: the rule name, the selectors, the notification targets, and the rule enabled status.

    Expand All

    Field

    Type

    Description

    data

    object

    Data of the notification rule create request: the rule type, and the rule attributes. All fields are required.

    attributes [required]

    object

    Attributes of the notification rule create request.

    enabled

    boolean

    Field used to enable or disable the rule.

    name [required]

    string

    Name of the notification rule.

    selectors [required]

    object

    Selectors are used to filter security issues for which notifications should be generated. Users can specify rule severities, rule types, a query to filter security issues on tags and attributes, and the trigger source. Only the trigger_source field is required.

    query

    string

    The query is composed of one or several key:value pairs, which can be used to filter security issues on tags and attributes.

    rule_types

    [string]

    Security rule types used as filters in security rules.

    severities

    [string]

    The security rules severities to consider.

    trigger_source [required]

    enum

    The type of security issues on which the rule applies. Notification rules based on security signals need to use the trigger source "security_signals", while notification rules based on security vulnerabilities need to use the trigger source "security_findings". Allowed enum values: security_findings,security_signals

    targets [required]

    [string]

    List of recipients to notify when a notification rule is triggered. Many different target types are supported, such as email addresses, Slack channels, and PagerDuty services. The appropriate integrations need to be properly configured to send notifications to the specified targets.

    time_aggregation

    int64

    Time aggregation period (in seconds) is used to aggregate the results of the notification rule evaluation. Results are aggregated over a selected time frame using a rolling window, which updates with each new evaluation. Notifications are only sent for new issues discovered during the window. Time aggregation is only available for vulnerability-based notification rules. When omitted or set to 0, no aggregation is done.

    type [required]

    enum

    The rule type associated to notification rules. Allowed enum values: notification_rules

    {
  "data": {
    "attributes": {
      "enabled": true,
      "name": "Rule 1",
      "selectors": {
        "query": "(source:production_service OR env:prod)",
        "rule_types": [
          "misconfiguration",
          "attack_path"
        ],
        "severities": [
          "critical"
        ],
        "trigger_source": "security_findings"
      },
      "targets": [
        "@john.doe@email.com"
      ],
      "time_aggregation": 86400
    },
    "type": "notification_rules"
  }
}

    Response

    Successfully created the notification rule.

    Response object which includes a notification rule.

    Expand All

    Field

    Type

    Description

    data

    object

    Notification rules allow full control over notifications generated by the various Datadog security products. They allow users to define the conditions under which a notification should be generated (based on rule severities, rule types, rule tags, and so on), and the targets to notify. A notification rule is composed of a rule ID, a rule type, and the rule attributes. All fields are required.

    attributes [required]

    object

    Attributes of the notification rule.

    created_at [required]

    int64

    Date as Unix timestamp in milliseconds.

    created_by [required]

    object

    User creating or modifying a rule.

    handle

    string

    The user handle.

    name

    string

    The user name.

    enabled [required]

    boolean

    Field used to enable or disable the rule.

    modified_at [required]

    int64

    Date as Unix timestamp in milliseconds.

    modified_by [required]

    object

    User creating or modifying a rule.

    handle

    string

    The user handle.

    name

    string

    The user name.

    name [required]

    string

    Name of the notification rule.

    selectors [required]

    object

    Selectors are used to filter security issues for which notifications should be generated. Users can specify rule severities, rule types, a query to filter security issues on tags and attributes, and the trigger source. Only the trigger_source field is required.

    query

    string

    The query is composed of one or several key:value pairs, which can be used to filter security issues on tags and attributes.

    rule_types

    [string]

    Security rule types used as filters in security rules.

    severities

    [string]

    The security rules severities to consider.

    trigger_source [required]

    enum

    The type of security issues on which the rule applies. Notification rules based on security signals need to use the trigger source "security_signals", while notification rules based on security vulnerabilities need to use the trigger source "security_findings". Allowed enum values: security_findings,security_signals

    targets [required]

    [string]

    List of recipients to notify when a notification rule is triggered. Many different target types are supported, such as email addresses, Slack channels, and PagerDuty services. The appropriate integrations need to be properly configured to send notifications to the specified targets.

    time_aggregation

    int64

    Time aggregation period (in seconds) is used to aggregate the results of the notification rule evaluation. Results are aggregated over a selected time frame using a rolling window, which updates with each new evaluation. Notifications are only sent for new issues discovered during the window. Time aggregation is only available for vulnerability-based notification rules. When omitted or set to 0, no aggregation is done.

    version [required]

    int64

    Version of the notification rule. It is updated when the rule is modified.

    id [required]

    string

    The ID of a notification rule.

    type [required]

    enum

    The rule type associated to notification rules. Allowed enum values: notification_rules

    {
  "data": {
    "attributes": {
      "created_at": 1722439510282,
      "created_by": {
        "handle": "john.doe@domain.com",
        "name": "John Doe"
      },
      "enabled": true,
      "modified_at": 1722439510282,
      "modified_by": {
        "handle": "john.doe@domain.com",
        "name": "John Doe"
      },
      "name": "Rule 1",
      "selectors": {
        "query": "(source:production_service OR env:prod)",
        "rule_types": [
          "misconfiguration",
          "attack_path"
        ],
        "severities": [
          "critical"
        ],
        "trigger_source": "security_findings"
      },
      "targets": [
        "@john.doe@email.com"
      ],
      "time_aggregation": 86400,
      "version": 1
    },
    "id": "aaa-bbb-ccc",
    "type": "notification_rules"
  }
}

    Bad Request

    API error response.

    Expand All

    Field

    Type

    Description

    errors [required]

    [string]

    A list of errors.

    {
  "errors": [
    "Bad Request"
  ]
}

    Forbidden

    API error response.

    Expand All

    Field

    Type

    Description

    errors [required]

    [string]

    A list of errors.

    {
  "errors": [
    "Bad Request"
  ]
}

    Too many requests

    API error response.

    Expand All

    Field

    Type

    Description

    errors [required]

    [string]

    A list of errors.

    {
  "errors": [
    "Bad Request"
  ]
}

    Code Example

                              # Curl command
    curl -X POST "https://api.ap1.datadoghq.com"https://api.ap2.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security/vulnerabilities/notification_rules" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "data": {
    "attributes": {
      "enabled": true,
      "name": "Rule 1",
      "selectors": {
        "query": "(source:production_service OR env:prod)",
        "rule_types": [
          "misconfiguration",
          "attack_path"
        ],
        "severities": [
          "critical"
        ],
        "trigger_source": "security_findings"
      },
      "targets": [
        "@john.doe@email.com"
      ],
      "time_aggregation": 86400
    },
    "type": "notification_rules"
  }
}
EOF
    
                        
    // Create a new vulnerability-based notification rule returns "Successfully created the notification rule." response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	body := datadogV2.CreateNotificationRuleParameters{
		Data: &datadogV2.CreateNotificationRuleParametersData{
			Attributes: datadogV2.CreateNotificationRuleParametersDataAttributes{
				Enabled: datadog.PtrBool(true),
				Name:    "Rule 1",
				Selectors: datadogV2.Selectors{
					Query: datadog.PtrString("(source:production_service OR env:prod)"),
					RuleTypes: []datadogV2.RuleTypesItems{
						datadogV2.RULETYPESITEMS_MISCONFIGURATION,
						datadogV2.RULETYPESITEMS_ATTACK_PATH,
					},
					Severities: []datadogV2.RuleSeverity{
						datadogV2.RULESEVERITY_CRITICAL,
					},
					TriggerSource: datadogV2.TRIGGERSOURCE_SECURITY_FINDINGS,
				},
				Targets: []string{
					"@john.doe@email.com",
				},
				TimeAggregation: datadog.PtrInt64(86400),
			},
			Type: datadogV2.NOTIFICATIONRULESTYPE_NOTIFICATION_RULES,
		},
	}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.CreateVulnerabilityNotificationRule(ctx, body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.CreateVulnerabilityNotificationRule`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.CreateVulnerabilityNotificationRule`:\n%s\n", responseContent)
}

    Instructions

    First install the library and its dependencies and then save the example to main.go and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
    // Create a new vulnerability-based notification rule returns "Successfully created the notification
// rule." response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.CreateNotificationRuleParameters;
import com.datadog.api.client.v2.model.CreateNotificationRuleParametersData;
import com.datadog.api.client.v2.model.CreateNotificationRuleParametersDataAttributes;
import com.datadog.api.client.v2.model.NotificationRuleResponse;
import com.datadog.api.client.v2.model.NotificationRulesType;
import com.datadog.api.client.v2.model.RuleSeverity;
import com.datadog.api.client.v2.model.RuleTypesItems;
import com.datadog.api.client.v2.model.Selectors;
import com.datadog.api.client.v2.model.TriggerSource;
import java.util.Arrays;
import java.util.Collections;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    CreateNotificationRuleParameters body =
        new CreateNotificationRuleParameters()
            .data(
                new CreateNotificationRuleParametersData()
                    .attributes(
                        new CreateNotificationRuleParametersDataAttributes()
                            .enabled(true)
                            .name("Rule 1")
                            .selectors(
                                new Selectors()
                                    .query("(source:production_service OR env:prod)")
                                    .ruleTypes(
                                        Arrays.asList(
                                            RuleTypesItems.MISCONFIGURATION,
                                            RuleTypesItems.ATTACK_PATH))
                                    .severities(Collections.singletonList(RuleSeverity.CRITICAL))
                                    .triggerSource(TriggerSource.SECURITY_FINDINGS))
                            .targets(Collections.singletonList("@john.doe@email.com"))
                            .timeAggregation(86400L))
                    .type(NotificationRulesType.NOTIFICATION_RULES));

    try {
      NotificationRuleResponse result = apiInstance.createVulnerabilityNotificationRule(body);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#createVulnerabilityNotificationRule");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

    Instructions

    First install the library and its dependencies and then save the example to Example.java and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"
    """
Create a new vulnerability-based notification rule returns "Successfully created the notification rule." response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.create_notification_rule_parameters import CreateNotificationRuleParameters
from datadog_api_client.v2.model.create_notification_rule_parameters_data import CreateNotificationRuleParametersData
from datadog_api_client.v2.model.create_notification_rule_parameters_data_attributes import (
    CreateNotificationRuleParametersDataAttributes,
)
from datadog_api_client.v2.model.notification_rules_type import NotificationRulesType
from datadog_api_client.v2.model.rule_severity import RuleSeverity
from datadog_api_client.v2.model.rule_types_items import RuleTypesItems
from datadog_api_client.v2.model.selectors import Selectors
from datadog_api_client.v2.model.trigger_source import TriggerSource

body = CreateNotificationRuleParameters(
    data=CreateNotificationRuleParametersData(
        attributes=CreateNotificationRuleParametersDataAttributes(
            enabled=True,
            name="Rule 1",
            selectors=Selectors(
                query="(source:production_service OR env:prod)",
                rule_types=[
                    RuleTypesItems.MISCONFIGURATION,
                    RuleTypesItems.ATTACK_PATH,
                ],
                severities=[
                    RuleSeverity.CRITICAL,
                ],
                trigger_source=TriggerSource.SECURITY_FINDINGS,
            ),
            targets=[
                "@john.doe@email.com",
            ],
            time_aggregation=86400,
        ),
        type=NotificationRulesType.NOTIFICATION_RULES,
    ),
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.create_vulnerability_notification_rule(body=body)

    print(response)

    Instructions

    First install the library and its dependencies and then save the example to example.py and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
    # Create a new vulnerability-based notification rule returns "Successfully created the notification rule." response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

body = DatadogAPIClient::V2::CreateNotificationRuleParameters.new({
  data: DatadogAPIClient::V2::CreateNotificationRuleParametersData.new({
    attributes: DatadogAPIClient::V2::CreateNotificationRuleParametersDataAttributes.new({
      enabled: true,
      name: "Rule 1",
      selectors: DatadogAPIClient::V2::Selectors.new({
        query: "(source:production_service OR env:prod)",
        rule_types: [
          DatadogAPIClient::V2::RuleTypesItems::MISCONFIGURATION,
          DatadogAPIClient::V2::RuleTypesItems::ATTACK_PATH,
        ],
        severities: [
          DatadogAPIClient::V2::RuleSeverity::CRITICAL,
        ],
        trigger_source: DatadogAPIClient::V2::TriggerSource::SECURITY_FINDINGS,
      }),
      targets: [
        "@john.doe@email.com",
      ],
      time_aggregation: 86400,
    }),
    type: DatadogAPIClient::V2::NotificationRulesType::NOTIFICATION_RULES,
  }),
})
p api_instance.create_vulnerability_notification_rule(body)

    Instructions

    First install the library and its dependencies and then save the example to example.rb and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" rb "example.rb"
    // Create a new vulnerability-based notification rule returns "Successfully
// created the notification rule." response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::CreateNotificationRuleParameters;
use datadog_api_client::datadogV2::model::CreateNotificationRuleParametersData;
use datadog_api_client::datadogV2::model::CreateNotificationRuleParametersDataAttributes;
use datadog_api_client::datadogV2::model::NotificationRulesType;
use datadog_api_client::datadogV2::model::RuleSeverity;
use datadog_api_client::datadogV2::model::RuleTypesItems;
use datadog_api_client::datadogV2::model::Selectors;
use datadog_api_client::datadogV2::model::TriggerSource;

#[tokio::main]
async fn main() {
    let body =
        CreateNotificationRuleParameters::new().data(CreateNotificationRuleParametersData::new(
            CreateNotificationRuleParametersDataAttributes::new(
                "Rule 1".to_string(),
                Selectors::new(TriggerSource::SECURITY_FINDINGS)
                    .query("(source:production_service OR env:prod)".to_string())
                    .rule_types(vec![
                        RuleTypesItems::MISCONFIGURATION,
                        RuleTypesItems::ATTACK_PATH,
                    ])
                    .severities(vec![RuleSeverity::CRITICAL]),
                vec!["@john.doe@email.com".to_string()],
            )
            .enabled(true)
            .time_aggregation(86400),
            NotificationRulesType::NOTIFICATION_RULES,
        ));
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api.create_vulnerability_notification_rule(body).await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}

    Instructions

    First install the library and its dependencies and then save the example to src/main.rs and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run
    /**
 * Create a new vulnerability-based notification rule returns "Successfully created the notification rule." response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiCreateVulnerabilityNotificationRuleRequest =
  {
    body: {
      data: {
        attributes: {
          enabled: true,
          name: "Rule 1",
          selectors: {
            query: "(source:production_service OR env:prod)",
            ruleTypes: ["misconfiguration", "attack_path"],
            severities: ["critical"],
            triggerSource: "security_findings",
          },
          targets: ["@john.doe@email.com"],
          timeAggregation: 86400,
        },
        type: "notification_rules",
      },
    },
  };

apiInstance
  .createVulnerabilityNotificationRule(params)
  .then((data: v2.NotificationRuleResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

    Instructions

    First install the library and its dependencies and then save the example to example.ts and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"

    Get a security filter

    GET https://api.ap1.datadoghq.com/api/v2/security_monitoring/configuration/security_filters/{security_filter_id}https://api.ap2.datadoghq.com/api/v2/security_monitoring/configuration/security_filters/{security_filter_id}https://api.datadoghq.eu/api/v2/security_monitoring/configuration/security_filters/{security_filter_id}https://api.ddog-gov.com/api/v2/security_monitoring/configuration/security_filters/{security_filter_id}https://api.datadoghq.com/api/v2/security_monitoring/configuration/security_filters/{security_filter_id}https://api.us3.datadoghq.com/api/v2/security_monitoring/configuration/security_filters/{security_filter_id}https://api.us5.datadoghq.com/api/v2/security_monitoring/configuration/security_filters/{security_filter_id}

    Overview

    Get the details of a specific security filter.

    See the security filter guide for more examples.

    This endpoint requires the security_monitoring_filters_read permission.

    OAuth apps require the security_monitoring_filters_read authorization scope to access this endpoint.

    Arguments

    Path Parameters

    Name

    Type

    Description

    security_filter_id [required]

    string

    The ID of the security filter.

    Response

    OK

    Response object which includes a single security filter.

    Expand All

    Field

    Type

    Description

    data

    object

    The security filter's properties.

    attributes

    object

    The object describing a security filter.

    exclusion_filters

    [object]

    The list of exclusion filters applied in this security filter.

    name

    string

    The exclusion filter name.

    query

    string

    The exclusion filter query.

    filtered_data_type

    enum

    The filtered data type. Allowed enum values: logs

    is_builtin

    boolean

    Whether the security filter is the built-in filter.

    is_enabled

    boolean

    Whether the security filter is enabled.

    name

    string

    The security filter name.

    query

    string

    The security filter query. Logs accepted by this query will be accepted by this filter.

    version

    int32

    The version of the security filter.

    id

    string

    The ID of the security filter.

    type

    enum

    The type of the resource. The value should always be security_filters. Allowed enum values: security_filters

    default: security_filters

    meta

    object

    Optional metadata associated to the response.

    warning

    string

    A warning message.

    {
  "data": {
    "attributes": {
      "exclusion_filters": [
        {
          "name": "Exclude staging",
          "query": "source:staging"
        }
      ],
      "filtered_data_type": "logs",
      "is_builtin": false,
      "is_enabled": false,
      "name": "Custom security filter",
      "query": "service:api",
      "version": 1
    },
    "id": "3dd-0uc-h1s",
    "type": "security_filters"
  },
  "meta": {
    "warning": "All the security filters are disabled. As a result, no logs are being analyzed."
  }
}

    Not Authorized

    API error response.

    Expand All

    Field

    Type

    Description

    errors [required]

    [string]

    A list of errors.

    {
  "errors": [
    "Bad Request"
  ]
}

    Not Found

    API error response.

    Expand All

    Field

    Type

    Description

    errors [required]

    [string]

    A list of errors.

    {
  "errors": [
    "Bad Request"
  ]
}

    Too many requests

    API error response.

    Expand All

    Field

    Type

    Description

    errors [required]

    [string]

    A list of errors.

    {
  "errors": [
    "Bad Request"
  ]
}

    Code Example

                      # Path parameters
    export security_filter_id="CHANGE_ME"
    # Curl command
    curl -X GET "https://api.ap1.datadoghq.com"https://api.ap2.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/configuration/security_filters/${security_filter_id}" \
-H "Accept: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"
    
                
    """
Get a security filter returns "OK" response
"""

from os import environ
from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi

# there is a valid "security_filter" in the system
SECURITY_FILTER_DATA_ID = environ["SECURITY_FILTER_DATA_ID"]

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.get_security_filter(
        security_filter_id=SECURITY_FILTER_DATA_ID,
    )

    print(response)

    Instructions

    First install the library and its dependencies and then save the example to example.py and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
    # Get a security filter returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

# there is a valid "security_filter" in the system
SECURITY_FILTER_DATA_ID = ENV["SECURITY_FILTER_DATA_ID"]
p api_instance.get_security_filter(SECURITY_FILTER_DATA_ID)

    Instructions

    First install the library and its dependencies and then save the example to example.rb and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" rb "example.rb"
    // Get a security filter returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	// there is a valid "security_filter" in the system
	SecurityFilterDataID := os.Getenv("SECURITY_FILTER_DATA_ID")

	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.GetSecurityFilter(ctx, SecurityFilterDataID)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.GetSecurityFilter`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.GetSecurityFilter`:\n%s\n", responseContent)
}

    Instructions

    First install the library and its dependencies and then save the example to main.go and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
    // Get a security filter returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityFilterResponse;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    // there is a valid "security_filter" in the system
    String SECURITY_FILTER_DATA_ID = System.getenv("SECURITY_FILTER_DATA_ID");

    try {
      SecurityFilterResponse result = apiInstance.getSecurityFilter(SECURITY_FILTER_DATA_ID);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println("Exception when calling SecurityMonitoringApi#getSecurityFilter");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

    Instructions

    First install the library and its dependencies and then save the example to Example.java and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"
    // Get a security filter returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;

#[tokio::main]
async fn main() {
    // there is a valid "security_filter" in the system
    let security_filter_data_id = std::env::var("SECURITY_FILTER_DATA_ID").unwrap();
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api
        .get_security_filter(security_filter_data_id.clone())
        .await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}

    Instructions

    First install the library and its dependencies and then save the example to src/main.rs and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run
    /**
 * Get a security filter returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

// there is a valid "security_filter" in the system
const SECURITY_FILTER_DATA_ID = process.env.SECURITY_FILTER_DATA_ID as string;

const params: v2.SecurityMonitoringApiGetSecurityFilterRequest = {
  securityFilterId: SECURITY_FILTER_DATA_ID,
};

apiInstance
  .getSecurityFilter(params)
  .then((data: v2.SecurityFilterResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

    Instructions

    First install the library and its dependencies and then save the example to example.ts and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"

    Create a security filter

    POST https://api.ap1.datadoghq.com/api/v2/security_monitoring/configuration/security_filtershttps://api.ap2.datadoghq.com/api/v2/security_monitoring/configuration/security_filtershttps://api.datadoghq.eu/api/v2/security_monitoring/configuration/security_filtershttps://api.ddog-gov.com/api/v2/security_monitoring/configuration/security_filtershttps://api.datadoghq.com/api/v2/security_monitoring/configuration/security_filtershttps://api.us3.datadoghq.com/api/v2/security_monitoring/configuration/security_filtershttps://api.us5.datadoghq.com/api/v2/security_monitoring/configuration/security_filters

    Overview

    Create a security filter.

    See the security filter guide for more examples.

    This endpoint requires the security_monitoring_filters_write permission.

    OAuth apps require the security_monitoring_filters_write authorization scope to access this endpoint.

    Request

    Body Data (required)

    The definition of the new security filter.

    Expand All

    Field

    Type

    Description

    data [required]

    object

    Object for a single security filter.

    attributes [required]

    object

    Object containing the attributes of the security filter to be created.

    exclusion_filters [required]

    [object]

    Exclusion filters to exclude some logs from the security filter.

    name [required]

    string

    Exclusion filter name.

    query [required]

    string

    Exclusion filter query. Logs that match this query are excluded from the security filter.

    filtered_data_type [required]

    enum

    The filtered data type. Allowed enum values: logs

    is_enabled [required]

    boolean

    Whether the security filter is enabled.

    name [required]

    string

    The name of the security filter.

    query [required]

    string

    The query of the security filter.

    type [required]

    enum

    The type of the resource. The value should always be security_filters. Allowed enum values: security_filters

    default: security_filters

    {
  "data": {
    "attributes": {
      "exclusion_filters": [
        {
          "name": "Exclude staging",
          "query": "source:staging"
        }
      ],
      "filtered_data_type": "logs",
      "is_enabled": true,
      "name": "Example-Security-Monitoring",
      "query": "service:ExampleSecurityMonitoring"
    },
    "type": "security_filters"
  }
}

    Response

    OK

    Response object which includes a single security filter.

    Expand All

    Field

    Type

    Description

    data

    object

    The security filter's properties.

    attributes

    object

    The object describing a security filter.

    exclusion_filters

    [object]

    The list of exclusion filters applied in this security filter.

    name

    string

    The exclusion filter name.

    query

    string

    The exclusion filter query.

    filtered_data_type

    enum

    The filtered data type. Allowed enum values: logs

    is_builtin

    boolean

    Whether the security filter is the built-in filter.

    is_enabled

    boolean

    Whether the security filter is enabled.

    name

    string

    The security filter name.

    query

    string

    The security filter query. Logs accepted by this query will be accepted by this filter.

    version

    int32

    The version of the security filter.

    id

    string

    The ID of the security filter.

    type

    enum

    The type of the resource. The value should always be security_filters. Allowed enum values: security_filters

    default: security_filters

    meta

    object

    Optional metadata associated to the response.

    warning

    string

    A warning message.

    {
  "data": {
    "attributes": {
      "exclusion_filters": [
        {
          "name": "Exclude staging",
          "query": "source:staging"
        }
      ],
      "filtered_data_type": "logs",
      "is_builtin": false,
      "is_enabled": false,
      "name": "Custom security filter",
      "query": "service:api",
      "version": 1
    },
    "id": "3dd-0uc-h1s",
    "type": "security_filters"
  },
  "meta": {
    "warning": "All the security filters are disabled. As a result, no logs are being analyzed."
  }
}

    Bad Request

    API error response.

    Expand All

    Field

    Type

    Description

    errors [required]

    [string]

    A list of errors.

    {
  "errors": [
    "Bad Request"
  ]
}

    Not Authorized

    API error response.

    Expand All

    Field

    Type

    Description

    errors [required]

    [string]

    A list of errors.

    {
  "errors": [
    "Bad Request"
  ]
}

    Conflict

    API error response.

    Expand All

    Field

    Type

    Description

    errors [required]

    [string]

    A list of errors.

    {
  "errors": [
    "Bad Request"
  ]
}

    Too many requests

    API error response.

    Expand All

    Field

    Type

    Description

    errors [required]

    [string]

    A list of errors.

    {
  "errors": [
    "Bad Request"
  ]
}

    Code Example

                              # Curl command
    curl -X POST "https://api.ap1.datadoghq.com"https://api.ap2.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/configuration/security_filters" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "data": {
    "attributes": {
      "exclusion_filters": [
        {
          "name": "Exclude staging",
          "query": "source:staging"
        }
      ],
      "filtered_data_type": "logs",
      "is_enabled": true,
      "name": "Example-Security-Monitoring",
      "query": "service:ExampleSecurityMonitoring"
    },
    "type": "security_filters"
  }
}
EOF
    
                        
    // Create a security filter returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	body := datadogV2.SecurityFilterCreateRequest{
		Data: datadogV2.SecurityFilterCreateData{
			Attributes: datadogV2.SecurityFilterCreateAttributes{
				ExclusionFilters: []datadogV2.SecurityFilterExclusionFilter{
					{
						Name:  "Exclude staging",
						Query: "source:staging",
					},
				},
				FilteredDataType: datadogV2.SECURITYFILTERFILTEREDDATATYPE_LOGS,
				IsEnabled:        true,
				Name:             "Example-Security-Monitoring",
				Query:            "service:ExampleSecurityMonitoring",
			},
			Type: datadogV2.SECURITYFILTERTYPE_SECURITY_FILTERS,
		},
	}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.CreateSecurityFilter(ctx, body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.CreateSecurityFilter`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.CreateSecurityFilter`:\n%s\n", responseContent)
}

    Instructions

    First install the library and its dependencies and then save the example to main.go and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
    // Create a security filter returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityFilterCreateAttributes;
import com.datadog.api.client.v2.model.SecurityFilterCreateData;
import com.datadog.api.client.v2.model.SecurityFilterCreateRequest;
import com.datadog.api.client.v2.model.SecurityFilterExclusionFilter;
import com.datadog.api.client.v2.model.SecurityFilterFilteredDataType;
import com.datadog.api.client.v2.model.SecurityFilterResponse;
import com.datadog.api.client.v2.model.SecurityFilterType;
import java.util.Collections;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    SecurityFilterCreateRequest body =
        new SecurityFilterCreateRequest()
            .data(
                new SecurityFilterCreateData()
                    .attributes(
                        new SecurityFilterCreateAttributes()
                            .exclusionFilters(
                                Collections.singletonList(
                                    new SecurityFilterExclusionFilter()
                                        .name("Exclude staging")
                                        .query("source:staging")))
                            .filteredDataType(SecurityFilterFilteredDataType.LOGS)
                            .isEnabled(true)
                            .name("Example-Security-Monitoring")
                            .query("service:ExampleSecurityMonitoring"))
                    .type(SecurityFilterType.SECURITY_FILTERS));

    try {
      SecurityFilterResponse result = apiInstance.createSecurityFilter(body);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println("Exception when calling SecurityMonitoringApi#createSecurityFilter");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

    Instructions

    First install the library and its dependencies and then save the example to Example.java and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"
    """
Create a security filter returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.security_filter_create_attributes import SecurityFilterCreateAttributes
from datadog_api_client.v2.model.security_filter_create_data import SecurityFilterCreateData
from datadog_api_client.v2.model.security_filter_create_request import SecurityFilterCreateRequest
from datadog_api_client.v2.model.security_filter_exclusion_filter import SecurityFilterExclusionFilter
from datadog_api_client.v2.model.security_filter_filtered_data_type import SecurityFilterFilteredDataType
from datadog_api_client.v2.model.security_filter_type import SecurityFilterType

body = SecurityFilterCreateRequest(
    data=SecurityFilterCreateData(
        attributes=SecurityFilterCreateAttributes(
            exclusion_filters=[
                SecurityFilterExclusionFilter(
                    name="Exclude staging",
                    query="source:staging",
                ),
            ],
            filtered_data_type=SecurityFilterFilteredDataType.LOGS,
            is_enabled=True,
            name="Example-Security-Monitoring",
            query="service:ExampleSecurityMonitoring",
        ),
        type=SecurityFilterType.SECURITY_FILTERS,
    ),
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.create_security_filter(body=body)

    print(response)

    Instructions

    First install the library and its dependencies and then save the example to example.py and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
    # Create a security filter returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

body = DatadogAPIClient::V2::SecurityFilterCreateRequest.new({
  data: DatadogAPIClient::V2::SecurityFilterCreateData.new({
    attributes: DatadogAPIClient::V2::SecurityFilterCreateAttributes.new({
      exclusion_filters: [
        DatadogAPIClient::V2::SecurityFilterExclusionFilter.new({
          name: "Exclude staging",
          query: "source:staging",
        }),
      ],
      filtered_data_type: DatadogAPIClient::V2::SecurityFilterFilteredDataType::LOGS,
      is_enabled: true,
      name: "Example-Security-Monitoring",
      query: "service:ExampleSecurityMonitoring",
    }),
    type: DatadogAPIClient::V2::SecurityFilterType::SECURITY_FILTERS,
  }),
})
p api_instance.create_security_filter(body)

    Instructions

    First install the library and its dependencies and then save the example to example.rb and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" rb "example.rb"
    // Create a security filter returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::SecurityFilterCreateAttributes;
use datadog_api_client::datadogV2::model::SecurityFilterCreateData;
use datadog_api_client::datadogV2::model::SecurityFilterCreateRequest;
use datadog_api_client::datadogV2::model::SecurityFilterExclusionFilter;
use datadog_api_client::datadogV2::model::SecurityFilterFilteredDataType;
use datadog_api_client::datadogV2::model::SecurityFilterType;

#[tokio::main]
async fn main() {
    let body = SecurityFilterCreateRequest::new(SecurityFilterCreateData::new(
        SecurityFilterCreateAttributes::new(
            vec![SecurityFilterExclusionFilter::new(
                "Exclude staging".to_string(),
                "source:staging".to_string(),
            )],
            SecurityFilterFilteredDataType::LOGS,
            true,
            "Example-Security-Monitoring".to_string(),
            "service:ExampleSecurityMonitoring".to_string(),
        ),
        SecurityFilterType::SECURITY_FILTERS,
    ));
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api.create_security_filter(body).await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}

    Instructions

    First install the library and its dependencies and then save the example to src/main.rs and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run
    /**
 * Create a security filter returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiCreateSecurityFilterRequest = {
  body: {
    data: {
      attributes: {
        exclusionFilters: [
          {
            name: "Exclude staging",
            query: "source:staging",
          },
        ],
        filteredDataType: "logs",
        isEnabled: true,
        name: "Example-Security-Monitoring",
        query: "service:ExampleSecurityMonitoring",
      },
      type: "security_filters",
    },
  },
};

apiInstance
  .createSecurityFilter(params)
  .then((data: v2.SecurityFilterResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

    Instructions

    First install the library and its dependencies and then save the example to example.ts and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"

    Get all security filters

    GET https://api.ap1.datadoghq.com/api/v2/security_monitoring/configuration/security_filtershttps://api.ap2.datadoghq.com/api/v2/security_monitoring/configuration/security_filtershttps://api.datadoghq.eu/api/v2/security_monitoring/configuration/security_filtershttps://api.ddog-gov.com/api/v2/security_monitoring/configuration/security_filtershttps://api.datadoghq.com/api/v2/security_monitoring/configuration/security_filtershttps://api.us3.datadoghq.com/api/v2/security_monitoring/configuration/security_filtershttps://api.us5.datadoghq.com/api/v2/security_monitoring/configuration/security_filters

    Overview

    Get the list of configured security filters with their definitions. This endpoint requires the security_monitoring_filters_read permission.

    OAuth apps require the security_monitoring_filters_read authorization scope to access this endpoint.

    Response

    OK

    All the available security filters objects.

    Expand All

    Field

    Type

    Description

    data

    [object]

    A list of security filters objects.

    attributes

    object

    The object describing a security filter.

    exclusion_filters

    [object]

    The list of exclusion filters applied in this security filter.

    name

    string

    The exclusion filter name.

    query

    string

    The exclusion filter query.

    filtered_data_type

    enum

    The filtered data type. Allowed enum values: logs

    is_builtin

    boolean

    Whether the security filter is the built-in filter.

    is_enabled

    boolean

    Whether the security filter is enabled.

    name

    string

    The security filter name.

    query

    string

    The security filter query. Logs accepted by this query will be accepted by this filter.

    version

    int32

    The version of the security filter.

    id

    string

    The ID of the security filter.

    type

    enum

    The type of the resource. The value should always be security_filters. Allowed enum values: security_filters

    default: security_filters

    meta

    object

    Optional metadata associated to the response.

    warning

    string

    A warning message.

    {
  "data": [
    {
      "attributes": {
        "exclusion_filters": [
          {
            "name": "Exclude staging",
            "query": "source:staging"
          }
        ],
        "filtered_data_type": "logs",
        "is_builtin": false,
        "is_enabled": false,
        "name": "Custom security filter",
        "query": "service:api",
        "version": 1
      },
      "id": "3dd-0uc-h1s",
      "type": "security_filters"
    }
  ],
  "meta": {
    "warning": "All the security filters are disabled. As a result, no logs are being analyzed."
  }
}

    Not Authorized

    API error response.

    Expand All

    Field

    Type

    Description

    errors [required]

    [string]

    A list of errors.

    {
  "errors": [
    "Bad Request"
  ]
}

    Too many requests

    API error response.

    Expand All

    Field

    Type

    Description

    errors [required]

    [string]

    A list of errors.

    {
  "errors": [
    "Bad Request"
  ]
}

    Code Example

                      # Curl command
    curl -X GET "https://api.ap1.datadoghq.com"https://api.ap2.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/configuration/security_filters" \
-H "Accept: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"
    
                
    """
Get all security filters returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.list_security_filters()

    print(response)

    Instructions

    First install the library and its dependencies and then save the example to example.py and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
    # Get all security filters returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new
p api_instance.list_security_filters()

    Instructions

    First install the library and its dependencies and then save the example to example.rb and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" rb "example.rb"
    // Get all security filters returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.ListSecurityFilters(ctx)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.ListSecurityFilters`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.ListSecurityFilters`:\n%s\n", responseContent)
}

    Instructions

    First install the library and its dependencies and then save the example to main.go and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
    // Get all security filters returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityFiltersResponse;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    try {
      SecurityFiltersResponse result = apiInstance.listSecurityFilters();
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println("Exception when calling SecurityMonitoringApi#listSecurityFilters");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

    Instructions

    First install the library and its dependencies and then save the example to Example.java and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"
    // Get all security filters returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;

#[tokio::main]
async fn main() {
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api.list_security_filters().await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}

    Instructions

    First install the library and its dependencies and then save the example to src/main.rs and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run
    /**
 * Get all security filters returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

apiInstance
  .listSecurityFilters()
  .then((data: v2.SecurityFiltersResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

    Instructions

    First install the library and its dependencies and then save the example to example.ts and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"

    Get details of a signal-based notification rule

    GET https://api.ap1.datadoghq.com/api/v2/security/signals/notification_rules/{id}https://api.ap2.datadoghq.com/api/v2/security/signals/notification_rules/{id}https://api.datadoghq.eu/api/v2/security/signals/notification_rules/{id}https://api.ddog-gov.com/api/v2/security/signals/notification_rules/{id}https://api.datadoghq.com/api/v2/security/signals/notification_rules/{id}https://api.us3.datadoghq.com/api/v2/security/signals/notification_rules/{id}https://api.us5.datadoghq.com/api/v2/security/signals/notification_rules/{id}

    Overview

    Get the details of a notification rule for security signals. This endpoint requires the security_monitoring_notification_profiles_read permission.

    Arguments

    Path Parameters

    Name

    Type

    Description

    id [required]

    string

    ID of the notification rule.

    Response

    Notification rule details.

    Response object which includes a notification rule.

    Expand All

    Field

    Type

    Description

    data

    object

    Notification rules allow full control over notifications generated by the various Datadog security products. They allow users to define the conditions under which a notification should be generated (based on rule severities, rule types, rule tags, and so on), and the targets to notify. A notification rule is composed of a rule ID, a rule type, and the rule attributes. All fields are required.

    attributes [required]

    object

    Attributes of the notification rule.

    created_at [required]

    int64

    Date as Unix timestamp in milliseconds.

    created_by [required]

    object

    User creating or modifying a rule.

    handle

    string

    The user handle.

    name

    string

    The user name.

    enabled [required]

    boolean

    Field used to enable or disable the rule.

    modified_at [required]

    int64

    Date as Unix timestamp in milliseconds.

    modified_by [required]

    object

    User creating or modifying a rule.

    handle

    string

    The user handle.

    name

    string

    The user name.

    name [required]

    string

    Name of the notification rule.

    selectors [required]

    object

    Selectors are used to filter security issues for which notifications should be generated. Users can specify rule severities, rule types, a query to filter security issues on tags and attributes, and the trigger source. Only the trigger_source field is required.

    query

    string

    The query is composed of one or several key:value pairs, which can be used to filter security issues on tags and attributes.

    rule_types

    [string]

    Security rule types used as filters in security rules.

    severities

    [string]

    The security rules severities to consider.

    trigger_source [required]

    enum

    The type of security issues on which the rule applies. Notification rules based on security signals need to use the trigger source "security_signals", while notification rules based on security vulnerabilities need to use the trigger source "security_findings". Allowed enum values: security_findings,security_signals

    targets [required]

    [string]

    List of recipients to notify when a notification rule is triggered. Many different target types are supported, such as email addresses, Slack channels, and PagerDuty services. The appropriate integrations need to be properly configured to send notifications to the specified targets.

    time_aggregation

    int64

    Time aggregation period (in seconds) is used to aggregate the results of the notification rule evaluation. Results are aggregated over a selected time frame using a rolling window, which updates with each new evaluation. Notifications are only sent for new issues discovered during the window. Time aggregation is only available for vulnerability-based notification rules. When omitted or set to 0, no aggregation is done.

    version [required]

    int64

    Version of the notification rule. It is updated when the rule is modified.

    id [required]

    string

    The ID of a notification rule.

    type [required]

    enum

    The rule type associated to notification rules. Allowed enum values: notification_rules

    {
  "data": {
    "attributes": {
      "created_at": 1722439510282,
      "created_by": {
        "handle": "john.doe@domain.com",
        "name": "John Doe"
      },
      "enabled": true,
      "modified_at": 1722439510282,
      "modified_by": {
        "handle": "john.doe@domain.com",
        "name": "John Doe"
      },
      "name": "Rule 1",
      "selectors": {
        "query": "(source:production_service OR env:prod)",
        "rule_types": [
          "misconfiguration",
          "attack_path"
        ],
        "severities": [
          "critical"
        ],
        "trigger_source": "security_findings"
      },
      "targets": [
        "@john.doe@email.com"
      ],
      "time_aggregation": 86400,
      "version": 1
    },
    "id": "aaa-bbb-ccc",
    "type": "notification_rules"
  }
}

    Bad Request

    API error response.

    Expand All

    Field

    Type

    Description

    errors [required]

    [string]

    A list of errors.

    {
  "errors": [
    "Bad Request"
  ]
}

    Forbidden

    API error response.

    Expand All

    Field

    Type

    Description

    errors [required]

    [string]

    A list of errors.

    {
  "errors": [
    "Bad Request"
  ]
}

    Not Found

    API error response.

    Expand All

    Field

    Type

    Description

    errors [required]

    [string]

    A list of errors.

    {
  "errors": [
    "Bad Request"
  ]
}

    Too many requests

    API error response.

    Expand All

    Field

    Type

    Description

    errors [required]

    [string]

    A list of errors.

    {
  "errors": [
    "Bad Request"
  ]
}

    Code Example

                      # Path parameters
    export id="CHANGE_ME"
    # Curl command
    curl -X GET "https://api.ap1.datadoghq.com"https://api.ap2.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security/signals/notification_rules/${id}" \
-H "Accept: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"
    
                
    """
Get details of a signal-based notification rule returns "Notification rule details." response
"""

from os import environ
from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi

# there is a valid "valid_signal_notification_rule" in the system
VALID_SIGNAL_NOTIFICATION_RULE_DATA_ID = environ["VALID_SIGNAL_NOTIFICATION_RULE_DATA_ID"]

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.get_signal_notification_rule(
        id=VALID_SIGNAL_NOTIFICATION_RULE_DATA_ID,
    )

    print(response)

    Instructions

    First install the library and its dependencies and then save the example to example.py and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
    # Get details of a signal-based notification rule returns "Notification rule details." response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

# there is a valid "valid_signal_notification_rule" in the system
VALID_SIGNAL_NOTIFICATION_RULE_DATA_ID = ENV["VALID_SIGNAL_NOTIFICATION_RULE_DATA_ID"]
p api_instance.get_signal_notification_rule(VALID_SIGNAL_NOTIFICATION_RULE_DATA_ID)

    Instructions

    First install the library and its dependencies and then save the example to example.rb and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" rb "example.rb"
    // Get details of a signal-based notification rule returns "Notification rule details." response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	// there is a valid "valid_signal_notification_rule" in the system
	ValidSignalNotificationRuleDataID := os.Getenv("VALID_SIGNAL_NOTIFICATION_RULE_DATA_ID")

	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.GetSignalNotificationRule(ctx, ValidSignalNotificationRuleDataID)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.GetSignalNotificationRule`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.GetSignalNotificationRule`:\n%s\n", responseContent)
}

    Instructions

    First install the library and its dependencies and then save the example to main.go and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
    // Get details of a signal-based notification rule returns "Notification rule details." response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.NotificationRuleResponse;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    // there is a valid "valid_signal_notification_rule" in the system
    String VALID_SIGNAL_NOTIFICATION_RULE_DATA_ID =
        System.getenv("VALID_SIGNAL_NOTIFICATION_RULE_DATA_ID");

    try {
      NotificationRuleResponse result =
          apiInstance.getSignalNotificationRule(VALID_SIGNAL_NOTIFICATION_RULE_DATA_ID);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println("Exception when calling SecurityMonitoringApi#getSignalNotificationRule");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

    Instructions

    First install the library and its dependencies and then save the example to Example.java and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"
    // Get details of a signal-based notification rule returns "Notification rule
// details." response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;

#[tokio::main]
async fn main() {
    // there is a valid "valid_signal_notification_rule" in the system
    let valid_signal_notification_rule_data_id =
        std::env::var("VALID_SIGNAL_NOTIFICATION_RULE_DATA_ID").unwrap();
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api
        .get_signal_notification_rule(valid_signal_notification_rule_data_id.clone())
        .await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}

    Instructions

    First install the library and its dependencies and then save the example to src/main.rs and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run
    /**
 * Get details of a signal-based notification rule returns "Notification rule details." response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

// there is a valid "valid_signal_notification_rule" in the system
const VALID_SIGNAL_NOTIFICATION_RULE_DATA_ID = process.env
  .VALID_SIGNAL_NOTIFICATION_RULE_DATA_ID as string;

const params: v2.SecurityMonitoringApiGetSignalNotificationRuleRequest = {
  id: VALID_SIGNAL_NOTIFICATION_RULE_DATA_ID,
};

apiInstance
  .getSignalNotificationRule(params)
  .then((data: v2.NotificationRuleResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

    Instructions

    First install the library and its dependencies and then save the example to example.ts and run following commands:

        
    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"

    Get details of a vulnerability notification rule

    GET https://api.ap1.datadoghq.com/api/v2/security/vulnerabilities/notification_rules/{id}https://api.ap2.datadoghq.com/api/v2/security/vulnerabilities/notification_rules/{id}https://api.datadoghq.eu/api/v2/security/vulnerabilities/notification_rules/{id}https://api.ddog-gov.com/api/v2/security/vulnerabilities/notification_rules/{id}https://api.datadoghq.com/api/v2/security/vulnerabilities/notification_rules/{id}https://api.us3.datadoghq.com/api/v2/security/vulnerabilities/notification_rules/{id}https://api.us5.datadoghq.com/api/v2/security/vulnerabilities/notification_rules/{id}

    Overview

    Get the details of a notification rule for security vulnerabilities. This endpoint requires the security_monitoring_notification_profiles_read permission.

    Arguments

    Path Parameters

    Name

    Type

    Description

    id [required]

    string

    ID of the notification rule.

    Response

    Notification rule details.