Run a historical job

v2 (latest)

Note: This endpoint is in beta and may be subject to changes. Please check the documentation regularly for updates.

POST https://api.ap1.datadoghq.com/api/v2/siem-historical-detections/jobshttps://api.ap2.datadoghq.com/api/v2/siem-historical-detections/jobshttps://api.datadoghq.eu/api/v2/siem-historical-detections/jobshttps://api.ddog-gov.com/api/v2/siem-historical-detections/jobshttps://api.us2.ddog-gov.com/api/v2/siem-historical-detections/jobshttps://api.datadoghq.com/api/v2/siem-historical-detections/jobshttps://api.us3.datadoghq.com/api/v2/siem-historical-detections/jobshttps://api.us5.datadoghq.com/api/v2/siem-historical-detections/jobs

Overview

Run a historical job. This endpoint requires the security_monitoring_rules_write permission.

OAuth apps require the security_monitoring_rules_write authorization scope to access this endpoint.

Request

Body Data (required)

Expand All

Field

Type

Description

data

object

Data for running a historical job request.

attributes

object

Run a historical job request.

jobDefinition

object

Definition of a historical job.

options

object

Job options.

{
  "data": {
    "type": "historicalDetectionsJobCreate",
    "attributes": {
      "jobDefinition": {
        "type": "log_detection",
        "name": "Excessive number of failed attempts.",
        "queries": [
          {
            "query": "source:non_existing_src_weekend",
            "aggregation": "count",
            "groupByFields": [],
            "distinctFields": []
          }
        ],
        "cases": [
          {
            "name": "Condition 1",
            "status": "info",
            "notifications": [],
            "condition": "a > 1"
          }
        ],
        "options": {
          "keepAlive": 3600,
          "maxSignalDuration": 86400,
          "evaluationWindow": 900
        },
        "message": "A large number of failed login attempts.",
        "tags": [],
        "from": 1730387522611,
        "to": 1730387532611,
        "index": "main"
      }
    }
  }
}

Response

Status created

Run a historical job response.

Expand All

Field

Type

Description

data

object

The definition of JobCreateResponseData object.

{
  "data": {
    "id": "string",
    "type": "string"
  }
}

Bad Request

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Concurrent Modification

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Not Authorized

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Not Found

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Too many requests

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Code Example

                          ## default
# 

# Curl command
curl -X POST "https://api.ap1.datadoghq.com"https://api.ap2.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.us2.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/siem-historical-detections/jobs" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "data": {
    "attributes": {
      "jobDefinition": {
        "cases": [
          {
            "condition": "a \u003e 1",
            "name": "Condition 1",
            "notifications": [],
            "status": "info"
          }
        ],
        "from": 1730387522611,
        "index": "main",
        "message": "A large number of failed login attempts.",
        "name": "Excessive number of failed attempts.",
        "options": {
          "evaluationWindow": 900,
          "keepAlive": 3600,
          "maxSignalDuration": 86400
        },
        "queries": [
          {
            "aggregation": "count",
            "distinctFields": [],
            "groupByFields": [],
            "query": "source:non_existing_src_weekend"
          }
        ],
        "tags": [],
        "to": 1730391122611,
        "type": "log_detection"
      }
    },
    "type": "historicalDetectionsJobCreate"
  }
}
EOF

                        

// Run a historical job returns "Status created" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	body := datadogV2.RunHistoricalJobRequest{
		Data: &datadogV2.RunHistoricalJobRequestData{
			Type: datadogV2.RUNHISTORICALJOBREQUESTDATATYPE_HISTORICALDETECTIONSJOBCREATE.Ptr(),
			Attributes: &datadogV2.RunHistoricalJobRequestAttributes{
				JobDefinition: &datadogV2.JobDefinition{
					Type: datadog.PtrString("log_detection"),
					Name: "Excessive number of failed attempts.",
					Queries: []datadogV2.HistoricalJobQuery{
						{
							Query:          datadog.PtrString("source:non_existing_src_weekend"),
							Aggregation:    datadogV2.SECURITYMONITORINGRULEQUERYAGGREGATION_COUNT.Ptr(),
							GroupByFields:  []string{},
							DistinctFields: []string{},
						},
					},
					Cases: []datadogV2.SecurityMonitoringRuleCaseCreate{
						{
							Name:          datadog.PtrString("Condition 1"),
							Status:        datadogV2.SECURITYMONITORINGRULESEVERITY_INFO,
							Notifications: []string{},
							Condition:     datadog.PtrString("a > 1"),
						},
					},
					Options: &datadogV2.HistoricalJobOptions{
						KeepAlive:         datadogV2.SECURITYMONITORINGRULEKEEPALIVE_ONE_HOUR.Ptr(),
						MaxSignalDuration: datadogV2.SECURITYMONITORINGRULEMAXSIGNALDURATION_ONE_DAY.Ptr(),
						EvaluationWindow:  datadogV2.SECURITYMONITORINGRULEEVALUATIONWINDOW_FIFTEEN_MINUTES.Ptr(),
					},
					Message: "A large number of failed login attempts.",
					Tags:    []string{},
					From:    1730387522611,
					To:      1730387532611,
					Index:   "main",
				},
			},
		},
	}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	configuration.SetUnstableOperationEnabled("v2.RunHistoricalJob", true)
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.RunHistoricalJob(ctx, body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.RunHistoricalJob`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.RunHistoricalJob`:\n%s\n", responseContent)
}

Instructions

First install the library and its dependencies and then save the example to main.go and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.comus2.ddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"

// Run a historical job returns "Status created" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.HistoricalJobOptions;
import com.datadog.api.client.v2.model.HistoricalJobQuery;
import com.datadog.api.client.v2.model.JobCreateResponse;
import com.datadog.api.client.v2.model.JobDefinition;
import com.datadog.api.client.v2.model.RunHistoricalJobRequest;
import com.datadog.api.client.v2.model.RunHistoricalJobRequestAttributes;
import com.datadog.api.client.v2.model.RunHistoricalJobRequestData;
import com.datadog.api.client.v2.model.RunHistoricalJobRequestDataType;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleCaseCreate;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleEvaluationWindow;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleKeepAlive;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleMaxSignalDuration;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleQueryAggregation;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleSeverity;
import java.util.Collections;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    defaultClient.setUnstableOperationEnabled("v2.runHistoricalJob", true);
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    RunHistoricalJobRequest body =
        new RunHistoricalJobRequest()
            .data(
                new RunHistoricalJobRequestData()
                    .type(RunHistoricalJobRequestDataType.HISTORICALDETECTIONSJOBCREATE)
                    .attributes(
                        new RunHistoricalJobRequestAttributes()
                            .jobDefinition(
                                new JobDefinition()
                                    .type("log_detection")
                                    .name("Excessive number of failed attempts.")
                                    .queries(
                                        Collections.singletonList(
                                            new HistoricalJobQuery()
                                                .query("source:non_existing_src_weekend")
                                                .aggregation(
                                                    SecurityMonitoringRuleQueryAggregation.COUNT)))
                                    .cases(
                                        Collections.singletonList(
                                            new SecurityMonitoringRuleCaseCreate()
                                                .name("Condition 1")
                                                .status(SecurityMonitoringRuleSeverity.INFO)
                                                .condition("a > 1")))
                                    .options(
                                        new HistoricalJobOptions()
                                            .keepAlive(SecurityMonitoringRuleKeepAlive.ONE_HOUR)
                                            .maxSignalDuration(
                                                SecurityMonitoringRuleMaxSignalDuration.ONE_DAY)
                                            .evaluationWindow(
                                                SecurityMonitoringRuleEvaluationWindow
                                                    .FIFTEEN_MINUTES))
                                    .message("A large number of failed login attempts.")
                                    .from(1730387522611L)
                                    .to(1730387532611L)
                                    .index("main"))));

    try {
      JobCreateResponse result = apiInstance.runHistoricalJob(body);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println("Exception when calling SecurityMonitoringApi#runHistoricalJob");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

Instructions

First install the library and its dependencies and then save the example to Example.java and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.comus2.ddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"

"""
Run a historical job returns "Status created" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.historical_job_options import HistoricalJobOptions
from datadog_api_client.v2.model.historical_job_query import HistoricalJobQuery
from datadog_api_client.v2.model.job_definition import JobDefinition
from datadog_api_client.v2.model.run_historical_job_request import RunHistoricalJobRequest
from datadog_api_client.v2.model.run_historical_job_request_attributes import RunHistoricalJobRequestAttributes
from datadog_api_client.v2.model.run_historical_job_request_data import RunHistoricalJobRequestData
from datadog_api_client.v2.model.run_historical_job_request_data_type import RunHistoricalJobRequestDataType
from datadog_api_client.v2.model.security_monitoring_rule_case_create import SecurityMonitoringRuleCaseCreate
from datadog_api_client.v2.model.security_monitoring_rule_evaluation_window import (
    SecurityMonitoringRuleEvaluationWindow,
)
from datadog_api_client.v2.model.security_monitoring_rule_keep_alive import SecurityMonitoringRuleKeepAlive
from datadog_api_client.v2.model.security_monitoring_rule_max_signal_duration import (
    SecurityMonitoringRuleMaxSignalDuration,
)
from datadog_api_client.v2.model.security_monitoring_rule_query_aggregation import (
    SecurityMonitoringRuleQueryAggregation,
)
from datadog_api_client.v2.model.security_monitoring_rule_severity import SecurityMonitoringRuleSeverity

body = RunHistoricalJobRequest(
    data=RunHistoricalJobRequestData(
        type=RunHistoricalJobRequestDataType.HISTORICALDETECTIONSJOBCREATE,
        attributes=RunHistoricalJobRequestAttributes(
            job_definition=JobDefinition(
                type="log_detection",
                name="Excessive number of failed attempts.",
                queries=[
                    HistoricalJobQuery(
                        query="source:non_existing_src_weekend",
                        aggregation=SecurityMonitoringRuleQueryAggregation.COUNT,
                        group_by_fields=[],
                        distinct_fields=[],
                    ),
                ],
                cases=[
                    SecurityMonitoringRuleCaseCreate(
                        name="Condition 1",
                        status=SecurityMonitoringRuleSeverity.INFO,
                        notifications=[],
                        condition="a > 1",
                    ),
                ],
                options=HistoricalJobOptions(
                    keep_alive=SecurityMonitoringRuleKeepAlive.ONE_HOUR,
                    max_signal_duration=SecurityMonitoringRuleMaxSignalDuration.ONE_DAY,
                    evaluation_window=SecurityMonitoringRuleEvaluationWindow.FIFTEEN_MINUTES,
                ),
                message="A large number of failed login attempts.",
                tags=[],
                _from=1730387522611,
                to=1730387532611,
                index="main",
            ),
        ),
    ),
)

configuration = Configuration()
configuration.unstable_operations["run_historical_job"] = True
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.run_historical_job(body=body)

    print(response)

Instructions

First install the library and its dependencies and then save the example to example.py and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.comus2.ddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"

# Run a historical job returns "Status created" response

require "datadog_api_client"
DatadogAPIClient.configure do |config|
  config.unstable_operations["v2.run_historical_job".to_sym] = true
end
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

body = DatadogAPIClient::V2::RunHistoricalJobRequest.new({
  data: DatadogAPIClient::V2::RunHistoricalJobRequestData.new({
    type: DatadogAPIClient::V2::RunHistoricalJobRequestDataType::HISTORICALDETECTIONSJOBCREATE,
    attributes: DatadogAPIClient::V2::RunHistoricalJobRequestAttributes.new({
      job_definition: DatadogAPIClient::V2::JobDefinition.new({
        type: "log_detection",
        name: "Excessive number of failed attempts.",
        queries: [
          DatadogAPIClient::V2::HistoricalJobQuery.new({
            query: "source:non_existing_src_weekend",
            aggregation: DatadogAPIClient::V2::SecurityMonitoringRuleQueryAggregation::COUNT,
            group_by_fields: [],
            distinct_fields: [],
          }),
        ],
        cases: [
          DatadogAPIClient::V2::SecurityMonitoringRuleCaseCreate.new({
            name: "Condition 1",
            status: DatadogAPIClient::V2::SecurityMonitoringRuleSeverity::INFO,
            notifications: [],
            condition: "a > 1",
          }),
        ],
        options: DatadogAPIClient::V2::HistoricalJobOptions.new({
          keep_alive: DatadogAPIClient::V2::SecurityMonitoringRuleKeepAlive::ONE_HOUR,
          max_signal_duration: DatadogAPIClient::V2::SecurityMonitoringRuleMaxSignalDuration::ONE_DAY,
          evaluation_window: DatadogAPIClient::V2::SecurityMonitoringRuleEvaluationWindow::FIFTEEN_MINUTES,
        }),
        message: "A large number of failed login attempts.",
        tags: [],
        from: 1730387522611,
        to: 1730387532611,
        index: "main",
      }),
    }),
  }),
})
p api_instance.run_historical_job(body)

Instructions

First install the library and its dependencies and then save the example to example.rb and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.comus2.ddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" rb "example.rb"

// Run a historical job returns "Status created" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::HistoricalJobOptions;
use datadog_api_client::datadogV2::model::HistoricalJobQuery;
use datadog_api_client::datadogV2::model::JobDefinition;
use datadog_api_client::datadogV2::model::RunHistoricalJobRequest;
use datadog_api_client::datadogV2::model::RunHistoricalJobRequestAttributes;
use datadog_api_client::datadogV2::model::RunHistoricalJobRequestData;
use datadog_api_client::datadogV2::model::RunHistoricalJobRequestDataType;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleCaseCreate;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleEvaluationWindow;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleKeepAlive;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleMaxSignalDuration;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleQueryAggregation;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleSeverity;

#[tokio::main]
async fn main() {
    let body = RunHistoricalJobRequest::new().data(
        RunHistoricalJobRequestData::new()
            .attributes(
                RunHistoricalJobRequestAttributes::new().job_definition(
                    JobDefinition::new(
                        vec![SecurityMonitoringRuleCaseCreate::new(
                            SecurityMonitoringRuleSeverity::INFO,
                        )
                        .condition("a > 1".to_string())
                        .name("Condition 1".to_string())
                        .notifications(vec![])],
                        1730387522611,
                        "main".to_string(),
                        "A large number of failed login attempts.".to_string(),
                        "Excessive number of failed attempts.".to_string(),
                        vec![HistoricalJobQuery::new()
                            .aggregation(SecurityMonitoringRuleQueryAggregation::COUNT)
                            .distinct_fields(vec![])
                            .group_by_fields(vec![])
                            .query("source:non_existing_src_weekend".to_string())],
                        1730387532611,
                    )
                    .options(
                        HistoricalJobOptions::new()
                            .evaluation_window(
                                SecurityMonitoringRuleEvaluationWindow::FIFTEEN_MINUTES,
                            )
                            .keep_alive(SecurityMonitoringRuleKeepAlive::ONE_HOUR)
                            .max_signal_duration(SecurityMonitoringRuleMaxSignalDuration::ONE_DAY),
                    )
                    .tags(vec![])
                    .type_("log_detection".to_string()),
                ),
            )
            .type_(RunHistoricalJobRequestDataType::HISTORICALDETECTIONSJOBCREATE),
    );
    let mut configuration = datadog::Configuration::new();
    configuration.set_unstable_operation_enabled("v2.RunHistoricalJob", true);
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api.run_historical_job(body).await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}

Instructions

First install the library and its dependencies and then save the example to src/main.rs and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.comus2.ddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run

/**
 * Run a historical job returns "Status created" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
configuration.unstableOperations["v2.runHistoricalJob"] = true;
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiRunHistoricalJobRequest = {
  body: {
    data: {
      type: "historicalDetectionsJobCreate",
      attributes: {
        jobDefinition: {
          type: "log_detection",
          name: "Excessive number of failed attempts.",
          queries: [
            {
              query: "source:non_existing_src_weekend",
              aggregation: "count",
              groupByFields: [],
              distinctFields: [],
            },
          ],
          cases: [
            {
              name: "Condition 1",
              status: "info",
              notifications: [],
              condition: "a > 1",
            },
          ],
          options: {
            keepAlive: 3600,
            maxSignalDuration: 86400,
            evaluationWindow: 900,
          },
          message: "A large number of failed login attempts.",
          tags: [],
          from: 1730387522611,
          to: 1730387532611,
          index: "main",
        },
      },
    },
  },
};

apiInstance
  .runHistoricalJob(params)
  .then((data: v2.JobCreateResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

Instructions

First install the library and its dependencies and then save the example to example.ts and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.comus2.ddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"

Run a historical job

Overview

Request

Body Data (required)

Response

Code Example

Run a historical job returns "Status created" response

Run a historical job returns "Status created" response

Instructions

Run a historical job returns "Status created" response

Instructions

Run a historical job returns "Status created" response

Instructions

Run a historical job returns "Status created" response

Instructions

Run a historical job returns "Status created" response

Instructions

Run a historical job returns "Status created" response

Instructions

How can I help you today?