---
title: Run a historical job
description: Datadog, the leading service for cloud-scale monitoring.
---

# Run a historical job{% #run-a-historical-job %}
{% tab title="v2" %}
**Note**: This endpoint is in beta and may be subject to changes. Please check the documentation regularly for updates.

| Datadog site      | API endpoint                                                              |
| ----------------- | ------------------------------------------------------------------------- |
| ap1.datadoghq.com | POST https://api.ap1.datadoghq.com/api/v2/siem-historical-detections/jobs |
| ap2.datadoghq.com | POST https://api.ap2.datadoghq.com/api/v2/siem-historical-detections/jobs |
| app.datadoghq.eu  | POST https://api.datadoghq.eu/api/v2/siem-historical-detections/jobs      |
| app.ddog-gov.com  | POST https://api.ddog-gov.com/api/v2/siem-historical-detections/jobs      |
| us2.ddog-gov.com  | POST https://api.us2.ddog-gov.com/api/v2/siem-historical-detections/jobs  |
| app.datadoghq.com | POST https://api.datadoghq.com/api/v2/siem-historical-detections/jobs     |
| us3.datadoghq.com | POST https://api.us3.datadoghq.com/api/v2/siem-historical-detections/jobs |
| us5.datadoghq.com | POST https://api.us5.datadoghq.com/api/v2/siem-historical-detections/jobs |

### Overview

Run a historical job. This endpoint requires the `security_monitoring_rules_write` permission.

OAuth apps require the `security_monitoring_rules_write` authorization [scope](https://docs.datadoghq.com/api/latest/scopes.md#security-monitoring) to access this endpoint.



### Request

#### Body Data (required)



{% tab title="Model" %}

| Parent field             | Field                         | Type     | Description                                                                                                                                                                                                                                                        |
| ------------------------ | ----------------------------- | -------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
|                          | data                          | object   | Data for running a historical job request.                                                                                                                                                                                                                         |
| data                     | attributes                    | object   | Run a historical job request.                                                                                                                                                                                                                                      |
| attributes               | fromRule                      | object   | Definition of a historical job based on a security monitoring rule.                                                                                                                                                                                                |
| fromRule                 | caseIndex                     | int32    | Zero-based index of the rule case to use as the job's signal condition. When omitted, all cases are evaluated. Up to 10 cases are supported, so valid values are 0 to 9.                                                                                           |
| fromRule                 | from [*required*]        | int64    | Starting time of data analyzed by the job.                                                                                                                                                                                                                         |
| fromRule                 | id [*required*]          | string   | ID of the detection rule used to create the job.                                                                                                                                                                                                                   |
| fromRule                 | index [*required*]       | string   | Index used to load the data.                                                                                                                                                                                                                                       |
| fromRule                 | notifications                 | [string] | Notifications sent when the job is completed.                                                                                                                                                                                                                      |
| fromRule                 | to [*required*]          | int64    | Ending time of data analyzed by the job.                                                                                                                                                                                                                           |
| attributes               | jobDefinition                 | object   | Definition of a historical job.                                                                                                                                                                                                                                    |
| jobDefinition            | calculatedFields              | [object] | Calculated fields.                                                                                                                                                                                                                                                 |
| calculatedFields         | expression [*required*]  | string   | Expression.                                                                                                                                                                                                                                                        |
| calculatedFields         | name [*required*]        | string   | Field name.                                                                                                                                                                                                                                                        |
| jobDefinition            | cases [*required*]       | [object] | Cases used for generating job results. Up to 10 cases are allowed.                                                                                                                                                                                                 |
| cases                    | actions                       | [object] | Action to perform for each rule case.                                                                                                                                                                                                                              |
| actions                  | options                       | object   | Options for the rule action                                                                                                                                                                                                                                        |
| options                  | duration                      | int64    | Duration of the action in seconds. 0 indicates no expiration.                                                                                                                                                                                                      |
| options                  | flaggedIPType                 | enum     | Used with the case action of type 'flag_ip'. The value specified in this field is applied as a flag to the IP addresses. Allowed enum values: `SUSPICIOUS,FLAGGED`                                                                                                 |
| options                  | userBehaviorName              | string   | Used with the case action of type 'user_behavior'. The value specified in this field is applied as a risk tag to all users affected by the rule.                                                                                                                   |
| actions                  | type                          | enum     | The action type. Allowed enum values: `block_ip,block_user,user_behavior,flag_ip`                                                                                                                                                                                  |
| cases                    | condition                     | string   | A case contains logical operations (`>`,`>=`, `&&`, `\|\|`) to determine if a signal should be generated based on the event counts in the previously defined queries.                                                                                              |
| cases                    | name                          | string   | Name of the case.                                                                                                                                                                                                                                                  |
| cases                    | notifications                 | [string] | Notification targets.                                                                                                                                                                                                                                              |
| cases                    | status [*required*]      | enum     | Severity of the Security Signal. Allowed enum values: `info,low,medium,high,critical`                                                                                                                                                                              |
| jobDefinition            | from [*required*]        | int64    | Starting time of data analyzed by the job.                                                                                                                                                                                                                         |
| jobDefinition            | groupSignalsBy                | [string] | Additional grouping to perform on top of the existing groups in the query section. Must be a subset of the existing groups.                                                                                                                                        |
| jobDefinition            | index [*required*]       | string   | Index used to load the data.                                                                                                                                                                                                                                       |
| jobDefinition            | message [*required*]     | string   | Message for generated results.                                                                                                                                                                                                                                     |
| jobDefinition            | name [*required*]        | string   | Job name.                                                                                                                                                                                                                                                          |
| jobDefinition            | options                       | object   | Job options.                                                                                                                                                                                                                                                       |
| options                  | anomalyDetectionOptions       | object   | Options on anomaly detection method.                                                                                                                                                                                                                               |
| anomalyDetectionOptions  | bucketDuration                | enum     | Duration in seconds of the time buckets used to aggregate events matched by the rule. Must be greater than or equal to 300. Allowed enum values: `300,600,900,1800,3600,10800`                                                                                     |
| anomalyDetectionOptions  | detectionTolerance            | enum     | An optional parameter that sets how permissive anomaly detection is. Higher values require higher deviations before triggering a signal. Allowed enum values: `1,2,3,4,5`                                                                                          |
| anomalyDetectionOptions  | instantaneousBaseline         | boolean  | When set to true, Datadog uses previous values that fall within the defined learning window to construct the baseline, enabling the system to establish an accurate baseline more rapidly rather than relying solely on gradual learning over time.                |
| anomalyDetectionOptions  | learningDuration              | enum     | Learning duration in hours. Anomaly detection waits for at least this amount of historical data before it starts evaluating. Allowed enum values: `1,6,12,24,48,168,336`                                                                                           |
| anomalyDetectionOptions  | learningPeriodBaseline        | int64    | An optional override baseline to apply while the rule is in the learning period. Must be greater than or equal to 0.                                                                                                                                               |
| options                  | detectionMethod               | enum     | The detection method. Allowed enum values: `threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold,sequence_detection`                                                                                                    |
| options                  | evaluationWindow              | enum     | A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600` |
| options                  | impossibleTravelOptions       | object   | Options on impossible travel detection method.                                                                                                                                                                                                                     |
| impossibleTravelOptions  | baselineUserLocations         | boolean  | If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.                                                      |
| impossibleTravelOptions  | baselineUserLocationsDuration | int32    | The duration in days during which Datadog learns the user's regular access locations. After this period, signals are generated for accesses from unknown locations.                                                                                                |
| options                  | keepAlive                     | enum     | Once a signal is generated, the signal will remain "open" if a case is matched at least once within this keep alive window. For third party detection method, this field is not used. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600`           |
| options                  | maxSignalDuration             | enum     | A signal will "close" regardless of the query being matched once the time exceeds the maximum duration. This time is calculated from the first seen timestamp. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600`                                  |
| options                  | newValueOptions               | object   | Options on new value detection method.                                                                                                                                                                                                                             |
| newValueOptions          | forgetAfter                   | int32    | The duration in days after which a learned value is forgotten.                                                                                                                                                                                                     |
| newValueOptions          | instantaneousBaseline         | boolean  | When set to true, Datadog uses previous values that fall within the defined learning window to construct the baseline, enabling the system to establish an accurate baseline more rapidly rather than relying solely on gradual learning over time.                |
| newValueOptions          | learningDuration              | int32    | The duration in days during which values are learned, and after which signals will be generated for values that weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned.                                      |
| newValueOptions          | learningMethod                | enum     | The learning method used to determine when signals should be generated for values that weren't learned. Allowed enum values: `duration,threshold`                                                                                                                  |
| newValueOptions          | learningThreshold             | enum     | A number of occurrences after which signals will be generated for values that weren't learned. Allowed enum values: `0,1`                                                                                                                                          |
| options                  | sequenceDetectionOptions      | object   | Options on sequence detection method.                                                                                                                                                                                                                              |
| sequenceDetectionOptions | stepTransitions               | [object] | Transitions defining the allowed order of steps and their evaluation windows.                                                                                                                                                                                      |
| stepTransitions          | child                         | string   | Name of the child step.                                                                                                                                                                                                                                            |
| stepTransitions          | evaluationWindow              | enum     | A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600` |
| stepTransitions          | parent                        | string   | Name of the parent step.                                                                                                                                                                                                                                           |
| sequenceDetectionOptions | steps                         | [object] | Steps that define the conditions to be matched in sequence.                                                                                                                                                                                                        |
| steps                    | condition                     | string   | Condition referencing rule queries (e.g., `a > 0`).                                                                                                                                                                                                                |
| steps                    | evaluationWindow              | enum     | A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600` |
| steps                    | name                          | string   | Unique name identifying the step.                                                                                                                                                                                                                                  |
| options                  | thirdPartyRuleOptions         | object   | Options on third party detection method.                                                                                                                                                                                                                           |
| thirdPartyRuleOptions    | defaultNotifications          | [string] | Notification targets for the logs that do not correspond to any of the cases.                                                                                                                                                                                      |
| thirdPartyRuleOptions    | defaultStatus                 | enum     | Severity of the Security Signal. Allowed enum values: `info,low,medium,high,critical`                                                                                                                                                                              |
| thirdPartyRuleOptions    | rootQueries                   | [object] | Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.                                                                                                        |
| rootQueries              | groupByFields                 | [string] | Fields to group by.                                                                                                                                                                                                                                                |
| rootQueries              | query                         | string   | Query to run on logs.                                                                                                                                                                                                                                              |
| thirdPartyRuleOptions    | signalTitleTemplate           | string   | A template for the signal title; if omitted, the title is generated based on the case name.                                                                                                                                                                        |
| jobDefinition            | queries [*required*]     | [object] | Queries for selecting logs analyzed by the job. Up to 10 queries are allowed.                                                                                                                                                                                      |
| queries                  | additionalFilters             | string   | Additional filters appended to the query at evaluation time.                                                                                                                                                                                                       |
| queries                  | aggregation                   | enum     | The aggregation type. Allowed enum values: `count,cardinality,sum,max,new_value,geo_data,event_count,none`                                                                                                                                                         |
| queries                  | correlatedByFields            | [string] | Fields used to correlate results across queries in sequence detection rules.                                                                                                                                                                                       |
| queries                  | correlatedQueryIndex          | int64    | Zero-based index of the query to correlate with in sequence detection rules. Up to 10 queries are supported, so valid values are 0 to 9.                                                                                                                           |
| queries                  | customQueryExtension          | string   | Custom query extension used to refine the base query.                                                                                                                                                                                                              |
| queries                  | dataSource                    | enum     | Source of events, either logs, audit trail, security signals, or Datadog events. `app_sec_spans` is deprecated in favor of `spans`. Allowed enum values: `logs,audit,app_sec_spans,spans,security_runtime,network,events,security_signals`                         |
| queries                  | datasetIds                    | [string] | IDs of reference datasets used by this query.                                                                                                                                                                                                                      |
| queries                  | distinctFields                | [string] | Field for which the cardinality is measured. Sent as an array.                                                                                                                                                                                                     |
| queries                  | groupByFields                 | [string] | Fields to group by.                                                                                                                                                                                                                                                |
| queries                  | hasOptionalGroupByFields      | boolean  | When false, events without a group-by value are ignored by the query. When true, events with missing group-by fields are processed with `N/A`, replacing the missing values.                                                                                       |
| queries                  | index                         | string   | Index used to load the data for this query.                                                                                                                                                                                                                        |
| queries                  | indexes                       | [string] | Indexes used to load the data for this query. Mutually exclusive with `index`.                                                                                                                                                                                     |
| queries                  | metrics                       | [string] | Group of target fields to aggregate over when using the sum, max, geo data, or new value aggregations. The sum, max, and geo data aggregations only accept one value in this list, whereas the new value aggregation accepts up to five values.                    |
| queries                  | name                          | string   | Name of the query.                                                                                                                                                                                                                                                 |
| queries                  | query                         | string   | Query to run on logs.                                                                                                                                                                                                                                              |
| queries                  | queryLanguage                 | string   | Language used to parse the query string.                                                                                                                                                                                                                           |
| jobDefinition            | referenceTables               | [object] | Reference tables used in the queries.                                                                                                                                                                                                                              |
| referenceTables          | checkPresence                 | boolean  | Whether to include or exclude the matched values.                                                                                                                                                                                                                  |
| referenceTables          | columnName                    | string   | The name of the column in the reference table.                                                                                                                                                                                                                     |
| referenceTables          | logFieldPath                  | string   | The field in the log to match against the reference table.                                                                                                                                                                                                         |
| referenceTables          | ruleQueryName                 | string   | The name of the query to apply the reference table to.                                                                                                                                                                                                             |
| referenceTables          | tableName                     | string   | The name of the reference table.                                                                                                                                                                                                                                   |
| jobDefinition            | tags                          | [string] | Tags for generated signals.                                                                                                                                                                                                                                        |
| jobDefinition            | thirdPartyCases               | [object] | Cases for generating results from third-party detection method. Only available for third-party detection method. Up to 10 cases are allowed.                                                                                                                       |
| thirdPartyCases          | name                          | string   | Name of the case.                                                                                                                                                                                                                                                  |
| thirdPartyCases          | notifications                 | [string] | Notification targets for each case.                                                                                                                                                                                                                                |
| thirdPartyCases          | query                         | string   | A query to map a third party event to this case.                                                                                                                                                                                                                   |
| thirdPartyCases          | status [*required*]      | enum     | Severity of the Security Signal. Allowed enum values: `info,low,medium,high,critical`                                                                                                                                                                              |
| jobDefinition            | to [*required*]          | int64    | Ending time of data analyzed by the job.                                                                                                                                                                                                                           |
| jobDefinition            | type                          | string   | Job type.                                                                                                                                                                                                                                                          |
| attributes               | signalOutput                  | boolean  | Whether the job outputs signals when results are converted.                                                                                                                                                                                                        |
| data                     | type                          | enum     | Type of data. Allowed enum values: `historicalDetectionsJobCreate`                                                                                                                                                                                                 |

{% /tab %}

{% tab title="Example" %}

```json
{
  "data": {
    "type": "historicalDetectionsJobCreate",
    "attributes": {
      "jobDefinition": {
        "type": "log_detection",
        "name": "Excessive number of failed attempts.",
        "queries": [
          {
            "query": "source:non_existing_src_weekend",
            "aggregation": "count",
            "groupByFields": [],
            "distinctFields": []
          }
        ],
        "cases": [
          {
            "name": "Condition 1",
            "status": "info",
            "notifications": [],
            "condition": "a > 1"
          }
        ],
        "options": {
          "keepAlive": 3600,
          "maxSignalDuration": 86400,
          "evaluationWindow": 900
        },
        "message": "A large number of failed login attempts.",
        "tags": [],
        "from": 1730387522611,
        "to": 1730387532611,
        "index": "main"
      }
    }
  }
}
```

{% /tab %}
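A pre-flight check for the request body, added here as an example (not Datadog's code). It enforces constraints visible on this page before the payload is sent: the `data.type` value, the severity enum, and the limit of 10 `thirdPartyCases`. Assumptions: the mandatory `jobDefinition` fields are taken from the arguments the page's Rust sample passes to `JobDefinition::new()`, the severity enum is applied to `cases` as well because the SDK samples use the same severity type there, `from`/`to` are read as epoch milliseconds, and `from` must precede `to`; all function and constant names are hypothetical.

```python
import copy
import json
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
JOB_CREATE_TYPE = "historicalDetectionsJobCreate"
SEVERITIES = ("info", "low", "medium", "high", "critical")  # enum listed in the Model table
# Arguments the page's Rust sample passes to JobDefinition::new(); assumed mandatory here.
REQUIRED_JOB_FIELDS = ("cases", "from", "index", "message", "name", "queries", "to")
MAX_THIRD_PARTY_CASES = 10  # "Up to 10 cases are allowed."

# Request body copied from the page's Example tab.
PAGE_EXAMPLE = json.loads("""
{"data": {"type": "historicalDetectionsJobCreate", "attributes": {"jobDefinition": {
  "type": "log_detection", "name": "Excessive number of failed attempts.",
  "queries": [{"query": "source:non_existing_src_weekend", "aggregation": "count",
               "groupByFields": [], "distinctFields": []}],
  "cases": [{"name": "Condition 1", "status": "info", "notifications": [],
             "condition": "a > 1"}],
  "options": {"keepAlive": 3600, "maxSignalDuration": 86400, "evaluationWindow": 900},
  "message": "A large number of failed login attempts.", "tags": [],
  "from": 1730387522611, "to": 1730387532611, "index": "main"}}}}
""")


def to_epoch_ms(dt):
    """Convert an aware datetime to integer epoch milliseconds (assumed unit of from/to)."""
    if dt.tzinfo is None:
        raise ValueError("naive datetime: attach a timezone before converting")
    return (dt - EPOCH) // timedelta(milliseconds=1)


def _is_int(value):
    # bool is a subclass of int in Python, so exclude it explicitly.
    return isinstance(value, int) and not isinstance(value, bool)


def validate_job_request(payload):
    """Return a list of problems in a jobDefinition-style request body (empty list = passes)."""
    errors = []
    data = payload.get("data") or {}
    if data.get("type", JOB_CREATE_TYPE) != JOB_CREATE_TYPE:
        errors.append(f"data.type must be {JOB_CREATE_TYPE}")
    job = (data.get("attributes") or {}).get("jobDefinition")
    if not isinstance(job, dict):
        return errors + ["data.attributes.jobDefinition is missing"]
    errors += [f"jobDefinition.{f} is required" for f in REQUIRED_JOB_FIELDS if f not in job]
    start, end = job.get("from"), job.get("to")
    for label, value in (("from", start), ("to", end)):
        if value is not None and not _is_int(value):
            errors.append(f"jobDefinition.{label} must be an int64")
    # Sanity check assumed by this example: the analyzed window must not be empty or reversed.
    if _is_int(start) and _is_int(end) and start >= end:
        errors.append("jobDefinition.from must be earlier than jobDefinition.to")
    for key in ("cases", "thirdPartyCases"):
        for i, case in enumerate(job.get(key) or []):
            if case.get("status") not in SEVERITIES:
                errors.append(f"jobDefinition.{key}[{i}].status must be one of {SEVERITIES}")
    if len(job.get("thirdPartyCases") or []) > MAX_THIRD_PARTY_CASES:
        errors.append(f"jobDefinition.thirdPartyCases allows at most {MAX_THIRD_PARTY_CASES} entries")
    return errors


def constructed_bad_request():
    """Constructed sample: the page example with four deliberate mistakes."""
    bad = copy.deepcopy(PAGE_EXAMPLE)
    job = bad["data"]["attributes"]["jobDefinition"]
    del job["index"]  # drop a mandatory field
    job["from"], job["to"] = job["to"], job["from"]  # window reversed
    job["cases"][0]["status"] = "warning"  # not in the severity enum
    job["thirdPartyCases"] = [{"name": f"case {n}", "status": "low"} for n in range(11)]
    return bad


if __name__ == "__main__":
    print(validate_job_request(PAGE_EXAMPLE))
    for problem in validate_job_request(constructed_bad_request()):
        print("-", problem)
```

Running the check in CI against stored job definitions catches malformed payloads before they consume API quota.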

### Response

{% tab title="201" %}
Status created
{% tab title="Model" %}
Run a historical job response.

| Parent field | Field | Type   | Description                                                     |
| ------------ | ----- | ------ | --------------------------------------------------------------- |
|              | data  | object | The definition of `JobCreateResponseData` object.               |
| data         | id    | string | ID of the created job.                                          |
| data         | type  | enum   | Type of payload. Allowed enum values: `historicalDetectionsJob` |

{% /tab %}

{% tab title="Example" %}

```json
{
  "data": {
    "id": "string",
    "type": "string"
  }
}
```

{% /tab %}

{% /tab %}

{% tab title="400" %}
Bad Request
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="401" %}
Concurrent Modification
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="403" %}
Not Authorized
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="404" %}
Not Found
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="429" %}
Too many requests
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

### Code Example

```bash
# Curl command
curl -X POST "https://api.datadoghq.com/api/v2/siem-historical-detections/jobs" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "data": {
    "attributes": {
      "jobDefinition": {
        "cases": [
          {
            "condition": "a \u003e 1",
            "name": "Condition 1",
            "notifications": [],
            "status": "info"
          }
        ],
        "from": 1730387522611,
        "index": "main",
        "message": "A large number of failed login attempts.",
        "name": "Excessive number of failed attempts.",
        "options": {
          "evaluationWindow": 900,
          "keepAlive": 3600,
          "maxSignalDuration": 86400
        },
        "queries": [
          {
            "aggregation": "count",
            "distinctFields": [],
            "groupByFields": [],
            "query": "source:non_existing_src_weekend"
          }
        ],
        "tags": [],
        "to": 1730391122611,
        "type": "log_detection"
      }
    },
    "type": "historicalDetectionsJobCreate"
  }
}
EOF
```

```go
// Run a historical job returns "Status created" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	body := datadogV2.RunHistoricalJobRequest{
		Data: &datadogV2.RunHistoricalJobRequestData{
			Type: datadogV2.RUNHISTORICALJOBREQUESTDATATYPE_HISTORICALDETECTIONSJOBCREATE.Ptr(),
			Attributes: &datadogV2.RunHistoricalJobRequestAttributes{
				JobDefinition: &datadogV2.JobDefinition{
					Type: datadog.PtrString("log_detection"),
					Name: "Excessive number of failed attempts.",
					Queries: []datadogV2.HistoricalJobQuery{
						{
							Query:          datadog.PtrString("source:non_existing_src_weekend"),
							Aggregation:    datadogV2.SECURITYMONITORINGRULEQUERYAGGREGATION_COUNT.Ptr(),
							GroupByFields:  []string{},
							DistinctFields: []string{},
						},
					},
					Cases: []datadogV2.SecurityMonitoringRuleCaseCreate{
						{
							Name:          datadog.PtrString("Condition 1"),
							Status:        datadogV2.SECURITYMONITORINGRULESEVERITY_INFO,
							Notifications: []string{},
							Condition:     datadog.PtrString("a > 1"),
						},
					},
					Options: &datadogV2.HistoricalJobOptions{
						KeepAlive:         datadogV2.SECURITYMONITORINGRULEKEEPALIVE_ONE_HOUR.Ptr(),
						MaxSignalDuration: datadogV2.SECURITYMONITORINGRULEMAXSIGNALDURATION_ONE_DAY.Ptr(),
						EvaluationWindow:  datadogV2.SECURITYMONITORINGRULEEVALUATIONWINDOW_FIFTEEN_MINUTES.Ptr(),
					},
					Message: "A large number of failed login attempts.",
					Tags:    []string{},
					From:    1730387522611,
					To:      1730387532611,
					Index:   "main",
				},
			},
		},
	}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	configuration.SetUnstableOperationEnabled("v2.RunHistoricalJob", true)
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.RunHistoricalJob(ctx, body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.RunHistoricalJob`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.RunHistoricalJob`:\n%s\n", responseContent)
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest.md?code-lang=go), then save the example to `main.go` and run the following command:

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
```

```java
// Run a historical job returns "Status created" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.HistoricalJobOptions;
import com.datadog.api.client.v2.model.HistoricalJobQuery;
import com.datadog.api.client.v2.model.JobCreateResponse;
import com.datadog.api.client.v2.model.JobDefinition;
import com.datadog.api.client.v2.model.RunHistoricalJobRequest;
import com.datadog.api.client.v2.model.RunHistoricalJobRequestAttributes;
import com.datadog.api.client.v2.model.RunHistoricalJobRequestData;
import com.datadog.api.client.v2.model.RunHistoricalJobRequestDataType;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleCaseCreate;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleEvaluationWindow;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleKeepAlive;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleMaxSignalDuration;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleQueryAggregation;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleSeverity;
import java.util.Collections;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    defaultClient.setUnstableOperationEnabled("v2.runHistoricalJob", true);
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    RunHistoricalJobRequest body =
        new RunHistoricalJobRequest()
            .data(
                new RunHistoricalJobRequestData()
                    .type(RunHistoricalJobRequestDataType.HISTORICALDETECTIONSJOBCREATE)
                    .attributes(
                        new RunHistoricalJobRequestAttributes()
                            .jobDefinition(
                                new JobDefinition()
                                    .type("log_detection")
                                    .name("Excessive number of failed attempts.")
                                    .queries(
                                        Collections.singletonList(
                                            new HistoricalJobQuery()
                                                .query("source:non_existing_src_weekend")
                                                .aggregation(
                                                    SecurityMonitoringRuleQueryAggregation.COUNT)))
                                    .cases(
                                        Collections.singletonList(
                                            new SecurityMonitoringRuleCaseCreate()
                                                .name("Condition 1")
                                                .status(SecurityMonitoringRuleSeverity.INFO)
                                                .condition("a > 1")))
                                    .options(
                                        new HistoricalJobOptions()
                                            .keepAlive(SecurityMonitoringRuleKeepAlive.ONE_HOUR)
                                            .maxSignalDuration(
                                                SecurityMonitoringRuleMaxSignalDuration.ONE_DAY)
                                            .evaluationWindow(
                                                SecurityMonitoringRuleEvaluationWindow
                                                    .FIFTEEN_MINUTES))
                                    .message("A large number of failed login attempts.")
                                    .from(1730387522611L)
                                    .to(1730387532611L)
                                    .index("main"))));

    try {
      JobCreateResponse result = apiInstance.runHistoricalJob(body);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println("Exception when calling SecurityMonitoringApi#runHistoricalJob");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest.md?code-lang=java), then save the example to `Example.java` and run the following command:

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"
```

```python
"""
Run a historical job returns "Status created" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.historical_job_options import HistoricalJobOptions
from datadog_api_client.v2.model.historical_job_query import HistoricalJobQuery
from datadog_api_client.v2.model.job_definition import JobDefinition
from datadog_api_client.v2.model.run_historical_job_request import RunHistoricalJobRequest
from datadog_api_client.v2.model.run_historical_job_request_attributes import RunHistoricalJobRequestAttributes
from datadog_api_client.v2.model.run_historical_job_request_data import RunHistoricalJobRequestData
from datadog_api_client.v2.model.run_historical_job_request_data_type import RunHistoricalJobRequestDataType
from datadog_api_client.v2.model.security_monitoring_rule_case_create import SecurityMonitoringRuleCaseCreate
from datadog_api_client.v2.model.security_monitoring_rule_evaluation_window import (
    SecurityMonitoringRuleEvaluationWindow,
)
from datadog_api_client.v2.model.security_monitoring_rule_keep_alive import SecurityMonitoringRuleKeepAlive
from datadog_api_client.v2.model.security_monitoring_rule_max_signal_duration import (
    SecurityMonitoringRuleMaxSignalDuration,
)
from datadog_api_client.v2.model.security_monitoring_rule_query_aggregation import (
    SecurityMonitoringRuleQueryAggregation,
)
from datadog_api_client.v2.model.security_monitoring_rule_severity import SecurityMonitoringRuleSeverity

body = RunHistoricalJobRequest(
    data=RunHistoricalJobRequestData(
        type=RunHistoricalJobRequestDataType.HISTORICALDETECTIONSJOBCREATE,
        attributes=RunHistoricalJobRequestAttributes(
            job_definition=JobDefinition(
                type="log_detection",
                name="Excessive number of failed attempts.",
                queries=[
                    HistoricalJobQuery(
                        query="source:non_existing_src_weekend",
                        aggregation=SecurityMonitoringRuleQueryAggregation.COUNT,
                        group_by_fields=[],
                        distinct_fields=[],
                    ),
                ],
                cases=[
                    SecurityMonitoringRuleCaseCreate(
                        name="Condition 1",
                        status=SecurityMonitoringRuleSeverity.INFO,
                        notifications=[],
                        condition="a > 1",
                    ),
                ],
                options=HistoricalJobOptions(
                    keep_alive=SecurityMonitoringRuleKeepAlive.ONE_HOUR,
                    max_signal_duration=SecurityMonitoringRuleMaxSignalDuration.ONE_DAY,
                    evaluation_window=SecurityMonitoringRuleEvaluationWindow.FIFTEEN_MINUTES,
                ),
                message="A large number of failed login attempts.",
                tags=[],
                _from=1730387522611,
                to=1730387532611,
                index="main",
            ),
        ),
    ),
)

configuration = Configuration()
configuration.unstable_operations["run_historical_job"] = True
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.run_historical_job(body=body)

    print(response)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest.md?code-lang=python), then save the example to `example.py` and run the following command:

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
```

```ruby
# Run a historical job returns "Status created" response

require "datadog_api_client"
DatadogAPIClient.configure do |config|
  config.unstable_operations["v2.run_historical_job".to_sym] = true
end
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

body = DatadogAPIClient::V2::RunHistoricalJobRequest.new({
  data: DatadogAPIClient::V2::RunHistoricalJobRequestData.new({
    type: DatadogAPIClient::V2::RunHistoricalJobRequestDataType::HISTORICALDETECTIONSJOBCREATE,
    attributes: DatadogAPIClient::V2::RunHistoricalJobRequestAttributes.new({
      job_definition: DatadogAPIClient::V2::JobDefinition.new({
        type: "log_detection",
        name: "Excessive number of failed attempts.",
        queries: [
          DatadogAPIClient::V2::HistoricalJobQuery.new({
            query: "source:non_existing_src_weekend",
            aggregation: DatadogAPIClient::V2::SecurityMonitoringRuleQueryAggregation::COUNT,
            group_by_fields: [],
            distinct_fields: [],
          }),
        ],
        cases: [
          DatadogAPIClient::V2::SecurityMonitoringRuleCaseCreate.new({
            name: "Condition 1",
            status: DatadogAPIClient::V2::SecurityMonitoringRuleSeverity::INFO,
            notifications: [],
            condition: "a > 1",
          }),
        ],
        options: DatadogAPIClient::V2::HistoricalJobOptions.new({
          keep_alive: DatadogAPIClient::V2::SecurityMonitoringRuleKeepAlive::ONE_HOUR,
          max_signal_duration: DatadogAPIClient::V2::SecurityMonitoringRuleMaxSignalDuration::ONE_DAY,
          evaluation_window: DatadogAPIClient::V2::SecurityMonitoringRuleEvaluationWindow::FIFTEEN_MINUTES,
        }),
        message: "A large number of failed login attempts.",
        tags: [],
        from: 1730387522611,
        to: 1730387532611,
        index: "main",
      }),
    }),
  }),
})
p api_instance.run_historical_job(body)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest.md?code-lang=ruby), then save the example to `example.rb` and run the following command:

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" ruby "example.rb"
```

```rust
// Run a historical job returns "Status created" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::HistoricalJobOptions;
use datadog_api_client::datadogV2::model::HistoricalJobQuery;
use datadog_api_client::datadogV2::model::JobDefinition;
use datadog_api_client::datadogV2::model::RunHistoricalJobRequest;
use datadog_api_client::datadogV2::model::RunHistoricalJobRequestAttributes;
use datadog_api_client::datadogV2::model::RunHistoricalJobRequestData;
use datadog_api_client::datadogV2::model::RunHistoricalJobRequestDataType;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleCaseCreate;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleEvaluationWindow;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleKeepAlive;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleMaxSignalDuration;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleQueryAggregation;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleSeverity;

#[tokio::main]
async fn main() {
    let body = RunHistoricalJobRequest::new().data(
        RunHistoricalJobRequestData::new()
            .attributes(
                RunHistoricalJobRequestAttributes::new().job_definition(
                    JobDefinition::new(
                        vec![SecurityMonitoringRuleCaseCreate::new(
                            SecurityMonitoringRuleSeverity::INFO,
                        )
                        .condition("a > 1".to_string())
                        .name("Condition 1".to_string())
                        .notifications(vec![])],
                        1730387522611,
                        "main".to_string(),
                        "A large number of failed login attempts.".to_string(),
                        "Excessive number of failed attempts.".to_string(),
                        vec![HistoricalJobQuery::new()
                            .aggregation(SecurityMonitoringRuleQueryAggregation::COUNT)
                            .distinct_fields(vec![])
                            .group_by_fields(vec![])
                            .query("source:non_existing_src_weekend".to_string())],
                        1730387532611,
                    )
                    .options(
                        HistoricalJobOptions::new()
                            .evaluation_window(
                                SecurityMonitoringRuleEvaluationWindow::FIFTEEN_MINUTES,
                            )
                            .keep_alive(SecurityMonitoringRuleKeepAlive::ONE_HOUR)
                            .max_signal_duration(SecurityMonitoringRuleMaxSignalDuration::ONE_DAY),
                    )
                    .tags(vec![])
                    .type_("log_detection".to_string()),
                ),
            )
            .type_(RunHistoricalJobRequestDataType::HISTORICALDETECTIONSJOBCREATE),
    );
    let mut configuration = datadog::Configuration::new();
    configuration.set_unstable_operation_enabled("v2.RunHistoricalJob", true);
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api.run_historical_job(body).await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest.md?code-lang=rust), then save the example to `src/main.rs` and run the following command:

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run
```

```typescript
/**
 * Run a historical job returns "Status created" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
configuration.unstableOperations["v2.runHistoricalJob"] = true;
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiRunHistoricalJobRequest = {
  body: {
    data: {
      type: "historicalDetectionsJobCreate",
      attributes: {
        jobDefinition: {
          type: "log_detection",
          name: "Excessive number of failed attempts.",
          queries: [
            {
              query: "source:non_existing_src_weekend",
              aggregation: "count",
              groupByFields: [],
              distinctFields: [],
            },
          ],
          cases: [
            {
              name: "Condition 1",
              status: "info",
              notifications: [],
              condition: "a > 1",
            },
          ],
          options: {
            keepAlive: 3600,
            maxSignalDuration: 86400,
            evaluationWindow: 900,
          },
          message: "A large number of failed login attempts.",
          tags: [],
          from: 1730387522611,
          to: 1730387532611,
          index: "main",
        },
      },
    },
  },
};

apiInstance
  .runHistoricalJob(params)
  .then((data: v2.JobCreateResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest.md?code-lang=typescript), then save the example to `example.ts` and run the following command:

```bash
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"
```
{% /tab %}
