--- title: Test a rule description: Datadog, the leading service for cloud-scale monitoring. breadcrumbs: Docs > API Reference > Security Monitoring --- # Test a rule{% #test-a-rule %} Copy pageCopied {% tab title="v2" %} | Datadog site | API endpoint | | ----------------- | ------------------------------------------------------------------------ | | ap1.datadoghq.com | POST https://api.ap1.datadoghq.com/api/v2/security_monitoring/rules/test | | ap2.datadoghq.com | POST https://api.ap2.datadoghq.com/api/v2/security_monitoring/rules/test | | app.datadoghq.eu | POST https://api.datadoghq.eu/api/v2/security_monitoring/rules/test | | app.ddog-gov.com | POST https://api.ddog-gov.com/api/v2/security_monitoring/rules/test | | us2.ddog-gov.com | POST https://api.us2.ddog-gov.com/api/v2/security_monitoring/rules/test | | app.datadoghq.com | POST https://api.datadoghq.com/api/v2/security_monitoring/rules/test | | us3.datadoghq.com | POST https://api.us3.datadoghq.com/api/v2/security_monitoring/rules/test | | us5.datadoghq.com | POST https://api.us5.datadoghq.com/api/v2/security_monitoring/rules/test | ### Overview Test a rule. This endpoint requires the `security_monitoring_rules_write` permission. OAuth apps require the `security_monitoring_rules_write` authorization [scope](https://docs.datadoghq.com/api/latest/scopes.md#security-monitoring) to access this endpoint. ### Request #### Body Data (required) {% tab title="Model" %} | Parent field | Field | Type | Description | | ------------------------ | ------------------------------- | ------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | rule | | Test a rule. | | rule | Option 1 | object | The payload of a rule to test | | Option 1 | calculatedFields | [object] | Calculated fields. Only allowed for scheduled rules - in other words, when schedulingOptions is also defined. | | calculatedFields | expression [*required*] | string | Expression. | | calculatedFields | name [*required*] | string | Field name. | | Option 1 | cases [*required*] | [object] | Cases for generating signals. | | cases | actions | [object] | Action to perform for each rule case. | | actions | options | object | Options for the rule action | | options | duration | int64 | Duration of the action in seconds. 0 indicates no expiration. | | options | flaggedIPType | enum | Used with the case action of type 'flag_ip'. The value specified in this field is applied as a flag to the IP addresses. Allowed enum values: `SUSPICIOUS,FLAGGED` | | options | userBehaviorName | string | Used with the case action of type 'user_behavior'. The value specified in this field is applied as a risk tag to all users affected by the rule. | | actions | type | enum | The action type. Allowed enum values: `block_ip,block_user,user_behavior,flag_ip` | | cases | condition | string | A case contains logical operations (`>`,`>=`, `&&`, `||`) to determine if a signal should be generated based on the event counts in the previously defined queries. | | cases | name | string | Name of the case. | | cases | notifications | [string] | Notification targets. | | cases | status [*required*] | enum | Severity of the Security Signal. Allowed enum values: `info,low,medium,high,critical` | | Option 1 | filters | [object] | Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules. | | filters | action | enum | The type of filtering action. Allowed enum values: `require,suppress` | | filters | query | string | Query for selecting logs to apply the filtering action. | | Option 1 | groupSignalsBy | [string] | Additional grouping to perform on top of the existing groups in the query section. Must be a subset of the existing groups. | | Option 1 | hasExtendedTitle | boolean | Whether the notifications include the triggering group-by values in their title. | | Option 1 | isEnabled [*required*] | boolean | Whether the rule is enabled. | | Option 1 | message [*required*] | string | Message for generated signals. | | Option 1 | name [*required*] | string | The name of the rule. | | Option 1 | options [*required*] | object | Options. | | options | anomalyDetectionOptions | object | Options on anomaly detection method. | | anomalyDetectionOptions | bucketDuration | enum | Duration in seconds of the time buckets used to aggregate events matched by the rule. Must be greater than or equal to 300. Allowed enum values: `300,600,900,1800,3600,10800` | | anomalyDetectionOptions | detectionTolerance | enum | An optional parameter that sets how permissive anomaly detection is. Higher values require higher deviations before triggering a signal. Allowed enum values: `1,2,3,4,5` | | anomalyDetectionOptions | instantaneousBaseline | boolean | When set to true, Datadog uses previous values that fall within the defined learning window to construct the baseline, enabling the system to establish an accurate baseline more rapidly rather than relying solely on gradual learning over time. | | anomalyDetectionOptions | learningDuration | enum | Learning duration in hours. Anomaly detection waits for at least this amount of historical data before it starts evaluating. Allowed enum values: `1,6,12,24,48,168,336` | | anomalyDetectionOptions | learningPeriodBaseline | int64 | An optional override baseline to apply while the rule is in the learning period. Must be greater than or equal to 0. | | options | complianceRuleOptions | object | Options for cloud_configuration rules. Fields `resourceType` and `regoRule` are mandatory when managing custom `cloud_configuration` rules. | | complianceRuleOptions | complexRule | boolean | Whether the rule is a complex one. Must be set to true if `regoRule.resourceTypes` contains more than one item. Defaults to false. | | complianceRuleOptions | regoRule | object | Rule details. | | regoRule | policy [*required*] | string | The policy written in `rego`, see: [https://www.openpolicyagent.org/docs/latest/policy-language/](https://www.openpolicyagent.org/docs/latest/policy-language/) | | regoRule | resourceTypes [*required*] | [string] | List of resource types that will be evaluated upon. Must have at least one element. | | complianceRuleOptions | resourceType | string | Main resource type to be checked by the rule. It should be specified again in `regoRule.resourceTypes`. | | options | decreaseCriticalityBasedOnEnv | boolean | If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise. The severity is decreased by one level: `CRITICAL` in production becomes `HIGH` in non-production, `HIGH` becomes `MEDIUM` and so on. `INFO` remains `INFO`. The decrement is applied when the environment tag of the signal starts with `staging`, `test` or `dev`. | | options | detectionMethod | enum | The detection method. Allowed enum values: `threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold,sequence_detection` | | options | evaluationWindow | enum | A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600` | | options | hardcodedEvaluatorType | enum | Hardcoded evaluator type. Allowed enum values: `log4shell` | | options | impossibleTravelOptions | object | Options on impossible travel detection method. | | impossibleTravelOptions | baselineUserLocations | boolean | If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access. | | impossibleTravelOptions | baselineUserLocationsDuration | int32 | The duration in days during which Datadog learns the user's regular access locations. After this period, signals are generated for accesses from unknown locations. | | options | keepAlive | enum | Once a signal is generated, the signal will remain "open" if a case is matched at least once within this keep alive window. For third party detection method, this field is not used. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600` | | options | maxSignalDuration | enum | A signal will "close" regardless of the query being matched once the time exceeds the maximum duration. This time is calculated from the first seen timestamp. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600` | | options | newValueOptions | object | Options on new value detection method. | | newValueOptions | forgetAfter | int32 | The duration in days after which a learned value is forgotten. | | newValueOptions | instantaneousBaseline | boolean | When set to true, Datadog uses previous values that fall within the defined learning window to construct the baseline, enabling the system to establish an accurate baseline more rapidly rather than relying solely on gradual learning over time. | | newValueOptions | learningDuration | int32 | The duration in days during which values are learned, and after which signals will be generated for values that weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned. | | newValueOptions | learningMethod | enum | The learning method used to determine when signals should be generated for values that weren't learned. Allowed enum values: `duration,threshold` | | newValueOptions | learningThreshold | enum | A number of occurrences after which signals will be generated for values that weren't learned. Allowed enum values: `0,1` | | options | sequenceDetectionOptions | object | Options on sequence detection method. | | sequenceDetectionOptions | stepTransitions | [object] | Transitions defining the allowed order of steps and their evaluation windows. | | stepTransitions | child | string | Name of the child step. | | stepTransitions | evaluationWindow | enum | A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600` | | stepTransitions | parent | string | Name of the parent step. | | sequenceDetectionOptions | steps | [object] | Steps that define the conditions to be matched in sequence. | | steps | condition | string | Condition referencing rule queries (e.g., `a > 0`). | | steps | evaluationWindow | enum | A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600` | | steps | name | string | Unique name identifying the step. | | options | thirdPartyRuleOptions | object | Options on third party detection method. | | thirdPartyRuleOptions | defaultNotifications | [string] | Notification targets for the logs that do not correspond to any of the cases. | | thirdPartyRuleOptions | defaultStatus | enum | Severity of the Security Signal. Allowed enum values: `info,low,medium,high,critical` | | thirdPartyRuleOptions | rootQueries | [object] | Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert. | | rootQueries | groupByFields | [string] | Fields to group by. | | rootQueries | query | string | Query to run on logs. | | thirdPartyRuleOptions | signalTitleTemplate | string | A template for the signal title; if omitted, the title is generated based on the case name. | | Option 1 | queries [*required*] | [object] | Queries for selecting logs which are part of the rule. | | queries | aggregation | enum | The aggregation type. Allowed enum values: `count,cardinality,sum,max,new_value,geo_data,event_count,none` | | queries | customQueryExtension | string | Query extension to append to the logs query. | | queries | dataSource | enum | Source of events, either logs, audit trail, security signals, or Datadog events. `app_sec_spans` is deprecated in favor of `spans`. Allowed enum values: `logs,audit,app_sec_spans,spans,security_runtime,network,events,security_signals` | | queries | distinctFields | [string] | Field for which the cardinality is measured. Sent as an array. | | queries | groupByFields | [string] | Fields to group by. | | queries | hasOptionalGroupByFields | boolean | When false, events without a group-by value are ignored by the rule. When true, events with missing group-by fields are processed with `N/A`, replacing the missing values. | | queries | index | string | **This field is currently unstable and might be removed in a minor version upgrade.** The index to run the query on, if the `dataSource` is `logs`. Only used for scheduled rules - in other words, when the `schedulingOptions` field is present in the rule payload. | | queries | indexes | [string] | List of indexes to query when the `dataSource` is `logs`. Only used for scheduled rules, such as when the `schedulingOptions` field is present in the rule payload. | | queries | metric | string | **DEPRECATED**: (Deprecated) The target field to aggregate over when using the sum or max aggregations. `metrics` field should be used instead. | | queries | metrics | [string] | Group of target fields to aggregate over when using the sum, max, geo data, or new value aggregations. The sum, max, and geo data aggregations only accept one value in this list, whereas the new value aggregation accepts up to five values. | | queries | name | string | Name of the query. | | queries | query | string | Query to run on logs. | | Option 1 | referenceTables | [object] | Reference tables for the rule. | | referenceTables | checkPresence | boolean | Whether to include or exclude the matched values. | | referenceTables | columnName | string | The name of the column in the reference table. | | referenceTables | logFieldPath | string | The field in the log to match against the reference table. | | referenceTables | ruleQueryName | string | The name of the query to apply the reference table to. | | referenceTables | tableName | string | The name of the reference table. | | Option 1 | schedulingOptions | object | Options for scheduled rules. When this field is present, the rule runs based on the schedule. When absent, it runs real-time on ingested logs. | | schedulingOptions | rrule | string | Schedule for the rule queries, written in RRULE syntax. See [RFC](https://icalendar.org/iCalendar-RFC-5545/3-8-5-3-recurrence-rule.html) for syntax reference. | | schedulingOptions | start | string | Start date for the schedule, in ISO 8601 format without timezone. | | schedulingOptions | timezone | string | Time zone of the start date, in the [tz database](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones) format. | | Option 1 | tags | [string] | Tags for generated signals. | | Option 1 | thirdPartyCases | [object] | Cases for generating signals from third-party rules. Only available for third-party rules. | | thirdPartyCases | name | string | Name of the case. | | thirdPartyCases | notifications | [string] | Notification targets for each case. | | thirdPartyCases | query | string | A query to map a third party event to this case. | | thirdPartyCases | status [*required*] | enum | Severity of the Security Signal. Allowed enum values: `info,low,medium,high,critical` | | Option 1 | type | enum | The rule type. Allowed enum values: `log_detection` | | | ruleQueryPayloads | [object] | Data payloads used to test rules query with the expected result. | | ruleQueryPayloads | expectedResult | boolean | Expected result of the test. | | ruleQueryPayloads | index | int64 | Index of the query under test. | | ruleQueryPayloads | payload | object | Payload used to test the rule query. | | payload | ddsource | string | Source of the payload. | | payload | ddtags | string | Tags associated with your data. | | payload | hostname | string | The name of the originating host of the log. | | payload | message | string | The message of the payload. | | payload | service | string | The name of the application or service generating the data. | {% /tab %} {% tab title="Example" %} ```json { "rule": { "cases": [ { "name": "", "status": "info", "notifications": [], "condition": "a > 0" } ], "hasExtendedTitle": true, "isEnabled": true, "message": "My security monitoring rule message.", "name": "My security monitoring rule.", "options": { "decreaseCriticalityBasedOnEnv": false, "detectionMethod": "threshold", "evaluationWindow": 0, "keepAlive": 0, "maxSignalDuration": 0 }, "queries": [ { "query": "source:source_here", "groupByFields": [ "@userIdentity.assumed_role" ], "distinctFields": [], "aggregation": "count", "name": "" } ], "tags": [ "env:prod", "team:security" ], "type": "log_detection" }, "ruleQueryPayloads": [ { "expectedResult": true, "index": 0, "payload": { "ddsource": "source_here", "ddtags": "env:staging,version:5.1", "hostname": "i-012345678", "message": "2019-11-19T14:37:58,995 INFO [process.name][20081] Hello World", "service": "payment", "userIdentity": { "assumed_role": "fake assumed_role" } } } ] } ``` {% /tab %} ### Response {% tab title="200" %} OK {% tab title="Model" %} Result of the test of the rule queries. | Field | Type | Description | | ------- | --------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | results | [boolean] | Assert results are returned in the same order as the rule query payloads. For each payload, it returns True if the result matched the expected result, False otherwise. | {% /tab %} {% tab title="Example" %} ```json { "results": [] } ``` {% /tab %} {% /tab %} {% tab title="400" %} Bad Request {% tab title="Model" %} API error response. | Field | Type | Description | | ------------------------ | -------- | ----------------- | | errors [*required*] | [string] | A list of errors. | {% /tab %} {% tab title="Example" %} ```json { "errors": [ "Bad Request" ] } ``` {% /tab %} {% /tab %} {% tab title="401" %} Concurrent Modification {% tab title="Model" %} API error response. | Field | Type | Description | | ------------------------ | -------- | ----------------- | | errors [*required*] | [string] | A list of errors. | {% /tab %} {% tab title="Example" %} ```json { "errors": [ "Bad Request" ] } ``` {% /tab %} {% /tab %} {% tab title="403" %} Not Authorized {% tab title="Model" %} API error response. | Field | Type | Description | | ------------------------ | -------- | ----------------- | | errors [*required*] | [string] | A list of errors. | {% /tab %} {% tab title="Example" %} ```json { "errors": [ "Bad Request" ] } ``` {% /tab %} {% /tab %} {% tab title="404" %} Not Found {% tab title="Model" %} API error response. | Field | Type | Description | | ------------------------ | -------- | ----------------- | | errors [*required*] | [string] | A list of errors. | {% /tab %} {% tab title="Example" %} ```json { "errors": [ "Bad Request" ] } ``` {% /tab %} {% /tab %} {% tab title="429" %} Too many requests {% tab title="Model" %} API error response. | Field | Type | Description | | ------------------------ | -------- | ----------------- | | errors [*required*] | [string] | A list of errors. | {% /tab %} {% tab title="Example" %} ```json { "errors": [ "Bad Request" ] } ``` {% /tab %} {% /tab %} ### Code Example ##### \## default # \# Curl command curl -X POST "https://api.datadoghq.com/api/v2/security_monitoring/rules/test" \ -H "Accept: application/json" \ -H "Content-Type: application/json" \ -H "DD-API-KEY: ${DD_API_KEY}" \ -H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \ -d @- << EOF { "rule": { "calculatedFields": [ { "expression": "@request_end_timestamp - @request_start_timestamp", "name": "response_time" } ], "cases": [ { "condition": "a \u003e 0", "name": "", "notifications": [], "status": "info" } ], "filters": [ { "action": "require" } ], "groupSignalsBy": [ "service" ], "hasExtendedTitle": true, "isEnabled": true, "message": "My security monitoring rule message.", "name": "My security monitoring rule.", "options": { "anomalyDetectionOptions": { "bucketDuration": 300, "detectionTolerance": 5, "instantaneousBaseline": false }, "complianceRuleOptions": { "resourceType": "aws_acm" }, "decreaseCriticalityBasedOnEnv": false, "detectionMethod": "threshold", "evaluationWindow": 0, "hardcodedEvaluatorType": "log4shell", "impossibleTravelOptions": { "baselineUserLocations": true, "baselineUserLocationsDuration": 7 }, "keepAlive": 0, "maxSignalDuration": 0, "newValueOptions": { "instantaneousBaseline": false, "learningMethod": "duration" }, "thirdPartyRuleOptions": { "defaultStatus": "critical" } }, "queries": [ { "aggregation": "count", "distinctFields": [], "groupByFields": [ "@userIdentity.assumed_role" ], "name": "", "query": "source:cloudtrail" } ], "schedulingOptions": { "rrule": "FREQ=HOURLY;INTERVAL=1;", "start": "2025-07-14T12:00:00", "timezone": "America/New_York" }, "tags": [ "env:prod", "team:security" ], "thirdPartyCases": [], "type": "log_detection" }, "ruleQueryPayloads": [ { "expectedResult": true, "index": 0, "payload": { "ddsource": "nginx", "ddtags": "env:staging,version:5.1", "hostname": "i-012345678", "message": "2019-11-19T14:37:58,995 INFO [process.name][20081] Hello World", "service": "payment" } } ] } EOF ##### ```go // Test a rule returns "OK" response package main import ( "context" "encoding/json" "fmt" "os" "github.com/DataDog/datadog-api-client-go/v2/api/datadog" "github.com/DataDog/datadog-api-client-go/v2/api/datadogV2" ) func main() { body := datadogV2.SecurityMonitoringRuleTestRequest{ Rule: &datadogV2.SecurityMonitoringRuleTestPayload{ SecurityMonitoringStandardRuleTestPayload: &datadogV2.SecurityMonitoringStandardRuleTestPayload{ Cases: []datadogV2.SecurityMonitoringRuleCaseCreate{ { Name: datadog.PtrString(""), Status: datadogV2.SECURITYMONITORINGRULESEVERITY_INFO, Notifications: []string{}, Condition: datadog.PtrString("a > 0"), }, }, HasExtendedTitle: datadog.PtrBool(true), IsEnabled: true, Message: "My security monitoring rule message.", Name: "My security monitoring rule.", Options: datadogV2.SecurityMonitoringRuleOptions{ DecreaseCriticalityBasedOnEnv: datadog.PtrBool(false), DetectionMethod: datadogV2.SECURITYMONITORINGRULEDETECTIONMETHOD_THRESHOLD.Ptr(), EvaluationWindow: datadogV2.SECURITYMONITORINGRULEEVALUATIONWINDOW_ZERO_MINUTES.Ptr(), KeepAlive: datadogV2.SECURITYMONITORINGRULEKEEPALIVE_ZERO_MINUTES.Ptr(), MaxSignalDuration: datadogV2.SECURITYMONITORINGRULEMAXSIGNALDURATION_ZERO_MINUTES.Ptr(), }, Queries: []datadogV2.SecurityMonitoringStandardRuleQuery{ { Query: datadog.PtrString("source:source_here"), GroupByFields: []string{ "@userIdentity.assumed_role", }, DistinctFields: []string{}, Aggregation: datadogV2.SECURITYMONITORINGRULEQUERYAGGREGATION_COUNT.Ptr(), Name: datadog.PtrString(""), }, }, Tags: []string{ "env:prod", "team:security", }, Type: datadogV2.SECURITYMONITORINGRULETYPETEST_LOG_DETECTION.Ptr(), }}, RuleQueryPayloads: []datadogV2.SecurityMonitoringRuleQueryPayload{ { ExpectedResult: datadog.PtrBool(true), Index: datadog.PtrInt64(0), Payload: &datadogV2.SecurityMonitoringRuleQueryPayloadData{ Ddsource: datadog.PtrString("source_here"), Ddtags: datadog.PtrString("env:staging,version:5.1"), Hostname: datadog.PtrString("i-012345678"), Message: datadog.PtrString("2019-11-19T14:37:58,995 INFO [process.name][20081] Hello World"), Service: datadog.PtrString("payment"), AdditionalProperties: map[string]interface{}{ "userIdentity": "{'assumed_role': 'fake assumed_role'}", }, }, }, }, } ctx := datadog.NewDefaultContext(context.Background()) configuration := datadog.NewConfiguration() apiClient := datadog.NewAPIClient(configuration) api := datadogV2.NewSecurityMonitoringApi(apiClient) resp, r, err := api.TestSecurityMonitoringRule(ctx, body) if err != nil { fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.TestSecurityMonitoringRule`: %v\n", err) fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r) } responseContent, _ := json.MarshalIndent(resp, "", " ") fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.TestSecurityMonitoringRule`:\n%s\n", responseContent) } ``` #### Instructions First [install the library and its dependencies](https://docs.datadoghq.com/api/latest.md?code-lang=go) and then save the example to `main.go` and run following commands: DD_SITE="datadoghq.com" DD_API_KEY="" DD_APP_KEY="" go run "main.go" ##### ```java // Test a rule returns "OK" response import com.datadog.api.client.ApiClient; import com.datadog.api.client.ApiException; import com.datadog.api.client.v2.api.SecurityMonitoringApi; import com.datadog.api.client.v2.model.SecurityMonitoringRuleCaseCreate; import com.datadog.api.client.v2.model.SecurityMonitoringRuleDetectionMethod; import com.datadog.api.client.v2.model.SecurityMonitoringRuleEvaluationWindow; import com.datadog.api.client.v2.model.SecurityMonitoringRuleKeepAlive; import com.datadog.api.client.v2.model.SecurityMonitoringRuleMaxSignalDuration; import com.datadog.api.client.v2.model.SecurityMonitoringRuleOptions; import com.datadog.api.client.v2.model.SecurityMonitoringRuleQueryAggregation; import com.datadog.api.client.v2.model.SecurityMonitoringRuleQueryPayload; import com.datadog.api.client.v2.model.SecurityMonitoringRuleQueryPayloadData; import com.datadog.api.client.v2.model.SecurityMonitoringRuleSeverity; import com.datadog.api.client.v2.model.SecurityMonitoringRuleTestPayload; import com.datadog.api.client.v2.model.SecurityMonitoringRuleTestRequest; import com.datadog.api.client.v2.model.SecurityMonitoringRuleTestResponse; import com.datadog.api.client.v2.model.SecurityMonitoringRuleTypeTest; import com.datadog.api.client.v2.model.SecurityMonitoringStandardRuleQuery; import com.datadog.api.client.v2.model.SecurityMonitoringStandardRuleTestPayload; import java.util.Arrays; import java.util.Collections; public class Example { public static void main(String[] args) { ApiClient defaultClient = ApiClient.getDefaultApiClient(); SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient); SecurityMonitoringRuleTestRequest body = new SecurityMonitoringRuleTestRequest() .rule( new SecurityMonitoringRuleTestPayload( new SecurityMonitoringStandardRuleTestPayload() .cases( Collections.singletonList( new SecurityMonitoringRuleCaseCreate() .name("") .status(SecurityMonitoringRuleSeverity.INFO) .condition("a > 0"))) .hasExtendedTitle(true) .isEnabled(true) .message("My security monitoring rule message.") .name("My security monitoring rule.") .options( new SecurityMonitoringRuleOptions() .decreaseCriticalityBasedOnEnv(false) .detectionMethod(SecurityMonitoringRuleDetectionMethod.THRESHOLD) .evaluationWindow( SecurityMonitoringRuleEvaluationWindow.ZERO_MINUTES) .keepAlive(SecurityMonitoringRuleKeepAlive.ZERO_MINUTES) .maxSignalDuration( SecurityMonitoringRuleMaxSignalDuration.ZERO_MINUTES)) .queries( Collections.singletonList( new SecurityMonitoringStandardRuleQuery() .query("source:source_here") .groupByFields( Collections.singletonList("@userIdentity.assumed_role")) .aggregation(SecurityMonitoringRuleQueryAggregation.COUNT) .name(""))) .tags(Arrays.asList("env:prod", "team:security")) .type(SecurityMonitoringRuleTypeTest.LOG_DETECTION))) .ruleQueryPayloads( Collections.singletonList( new SecurityMonitoringRuleQueryPayload() .expectedResult(true) .index(0L) .payload( new SecurityMonitoringRuleQueryPayloadData() .ddsource("source_here") .ddtags("env:staging,version:5.1") .hostname("i-012345678") .message( "2019-11-19T14:37:58,995 INFO [process.name][20081] Hello" + " World") .service("payment")))); try { SecurityMonitoringRuleTestResponse result = apiInstance.testSecurityMonitoringRule(body); System.out.println(result); } catch (ApiException e) { System.err.println("Exception when calling SecurityMonitoringApi#testSecurityMonitoringRule"); System.err.println("Status code: " + e.getCode()); System.err.println("Reason: " + e.getResponseBody()); System.err.println("Response headers: " + e.getResponseHeaders()); e.printStackTrace(); } } } ``` #### Instructions First [install the library and its dependencies](https://docs.datadoghq.com/api/latest.md?code-lang=java) and then save the example to `Example.java` and run following commands: DD_SITE="datadoghq.com" DD_API_KEY="" DD_APP_KEY="" java "Example.java" ##### ```python """ Test a rule returns "OK" response """ from datadog_api_client import ApiClient, Configuration from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi from datadog_api_client.v2.model.security_monitoring_rule_case_create import SecurityMonitoringRuleCaseCreate from datadog_api_client.v2.model.security_monitoring_rule_detection_method import SecurityMonitoringRuleDetectionMethod from datadog_api_client.v2.model.security_monitoring_rule_evaluation_window import ( SecurityMonitoringRuleEvaluationWindow, ) from datadog_api_client.v2.model.security_monitoring_rule_keep_alive import SecurityMonitoringRuleKeepAlive from datadog_api_client.v2.model.security_monitoring_rule_max_signal_duration import ( SecurityMonitoringRuleMaxSignalDuration, ) from datadog_api_client.v2.model.security_monitoring_rule_options import SecurityMonitoringRuleOptions from datadog_api_client.v2.model.security_monitoring_rule_query_aggregation import ( SecurityMonitoringRuleQueryAggregation, ) from datadog_api_client.v2.model.security_monitoring_rule_query_payload import SecurityMonitoringRuleQueryPayload from datadog_api_client.v2.model.security_monitoring_rule_query_payload_data import ( SecurityMonitoringRuleQueryPayloadData, ) from datadog_api_client.v2.model.security_monitoring_rule_severity import SecurityMonitoringRuleSeverity from datadog_api_client.v2.model.security_monitoring_rule_test_request import SecurityMonitoringRuleTestRequest from datadog_api_client.v2.model.security_monitoring_rule_type_test import SecurityMonitoringRuleTypeTest from datadog_api_client.v2.model.security_monitoring_standard_rule_query import SecurityMonitoringStandardRuleQuery from datadog_api_client.v2.model.security_monitoring_standard_rule_test_payload import ( SecurityMonitoringStandardRuleTestPayload, ) body = SecurityMonitoringRuleTestRequest( rule=SecurityMonitoringStandardRuleTestPayload( cases=[ SecurityMonitoringRuleCaseCreate( name="", status=SecurityMonitoringRuleSeverity.INFO, notifications=[], condition="a > 0", ), ], has_extended_title=True, is_enabled=True, message="My security monitoring rule message.", name="My security monitoring rule.", options=SecurityMonitoringRuleOptions( decrease_criticality_based_on_env=False, detection_method=SecurityMonitoringRuleDetectionMethod.THRESHOLD, evaluation_window=SecurityMonitoringRuleEvaluationWindow.ZERO_MINUTES, keep_alive=SecurityMonitoringRuleKeepAlive.ZERO_MINUTES, max_signal_duration=SecurityMonitoringRuleMaxSignalDuration.ZERO_MINUTES, ), queries=[ SecurityMonitoringStandardRuleQuery( query="source:source_here", group_by_fields=[ "@userIdentity.assumed_role", ], distinct_fields=[], aggregation=SecurityMonitoringRuleQueryAggregation.COUNT, name="", ), ], tags=[ "env:prod", "team:security", ], type=SecurityMonitoringRuleTypeTest.LOG_DETECTION, ), rule_query_payloads=[ SecurityMonitoringRuleQueryPayload( expected_result=True, index=0, payload=SecurityMonitoringRuleQueryPayloadData( ddsource="source_here", ddtags="env:staging,version:5.1", hostname="i-012345678", message="2019-11-19T14:37:58,995 INFO [process.name][20081] Hello World", service="payment", user_identity=dict([("assumed_role", "fake assumed_role")]), ), ), ], ) configuration = Configuration() with ApiClient(configuration) as api_client: api_instance = SecurityMonitoringApi(api_client) response = api_instance.test_security_monitoring_rule(body=body) print(response) ``` #### Instructions First [install the library and its dependencies](https://docs.datadoghq.com/api/latest.md?code-lang=python) and then save the example to `example.py` and run following commands: DD_SITE="datadoghq.com" DD_API_KEY="" DD_APP_KEY="" python3 "example.py" ##### ```ruby # Test a rule returns "OK" response require "datadog_api_client" api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new body = DatadogAPIClient::V2::SecurityMonitoringRuleTestRequest.new({ rule: DatadogAPIClient::V2::SecurityMonitoringStandardRuleTestPayload.new({ cases: [ DatadogAPIClient::V2::SecurityMonitoringRuleCaseCreate.new({ name: "", status: DatadogAPIClient::V2::SecurityMonitoringRuleSeverity::INFO, notifications: [], condition: "a > 0", }), ], has_extended_title: true, is_enabled: true, message: "My security monitoring rule message.", name: "My security monitoring rule.", options: DatadogAPIClient::V2::SecurityMonitoringRuleOptions.new({ decrease_criticality_based_on_env: false, detection_method: DatadogAPIClient::V2::SecurityMonitoringRuleDetectionMethod::THRESHOLD, evaluation_window: DatadogAPIClient::V2::SecurityMonitoringRuleEvaluationWindow::ZERO_MINUTES, keep_alive: DatadogAPIClient::V2::SecurityMonitoringRuleKeepAlive::ZERO_MINUTES, max_signal_duration: DatadogAPIClient::V2::SecurityMonitoringRuleMaxSignalDuration::ZERO_MINUTES, }), queries: [ DatadogAPIClient::V2::SecurityMonitoringStandardRuleQuery.new({ query: "source:source_here", group_by_fields: [ "@userIdentity.assumed_role", ], distinct_fields: [], aggregation: DatadogAPIClient::V2::SecurityMonitoringRuleQueryAggregation::COUNT, name: "", }), ], tags: [ "env:prod", "team:security", ], type: DatadogAPIClient::V2::SecurityMonitoringRuleTypeTest::LOG_DETECTION, }), rule_query_payloads: [ DatadogAPIClient::V2::SecurityMonitoringRuleQueryPayload.new({ expected_result: true, index: 0, payload: DatadogAPIClient::V2::SecurityMonitoringRuleQueryPayloadData.new({ ddsource: "source_here", ddtags: "env:staging,version:5.1", hostname: "i-012345678", message: "2019-11-19T14:37:58,995 INFO [process.name][20081] Hello World", service: "payment", }), }), ], }) p api_instance.test_security_monitoring_rule(body) ``` #### Instructions First [install the library and its dependencies](https://docs.datadoghq.com/api/latest.md?code-lang=ruby) and then save the example to `example.rb` and run following commands: DD_SITE="datadoghq.com" DD_API_KEY="" DD_APP_KEY="" rb "example.rb" ##### ```rust // Test a rule returns "OK" response use datadog_api_client::datadog; use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI; use datadog_api_client::datadogV2::model::SecurityMonitoringRuleCaseCreate; use datadog_api_client::datadogV2::model::SecurityMonitoringRuleDetectionMethod; use datadog_api_client::datadogV2::model::SecurityMonitoringRuleEvaluationWindow; use datadog_api_client::datadogV2::model::SecurityMonitoringRuleKeepAlive; use datadog_api_client::datadogV2::model::SecurityMonitoringRuleMaxSignalDuration; use datadog_api_client::datadogV2::model::SecurityMonitoringRuleOptions; use datadog_api_client::datadogV2::model::SecurityMonitoringRuleQueryAggregation; use datadog_api_client::datadogV2::model::SecurityMonitoringRuleQueryPayload; use datadog_api_client::datadogV2::model::SecurityMonitoringRuleQueryPayloadData; use datadog_api_client::datadogV2::model::SecurityMonitoringRuleSeverity; use datadog_api_client::datadogV2::model::SecurityMonitoringRuleTestPayload; use datadog_api_client::datadogV2::model::SecurityMonitoringRuleTestRequest; use datadog_api_client::datadogV2::model::SecurityMonitoringRuleTypeTest; use datadog_api_client::datadogV2::model::SecurityMonitoringStandardRuleQuery; use datadog_api_client::datadogV2::model::SecurityMonitoringStandardRuleTestPayload; #[tokio::main] async fn main() { let body = SecurityMonitoringRuleTestRequest::new() .rule( SecurityMonitoringRuleTestPayload::SecurityMonitoringStandardRuleTestPayload(Box::new( SecurityMonitoringStandardRuleTestPayload::new( vec![SecurityMonitoringRuleCaseCreate::new( SecurityMonitoringRuleSeverity::INFO, ) .condition("a > 0".to_string()) .name("".to_string()) .notifications(vec![])], true, "My security monitoring rule message.".to_string(), "My security monitoring rule.".to_string(), SecurityMonitoringRuleOptions::new() .decrease_criticality_based_on_env(false) .detection_method(SecurityMonitoringRuleDetectionMethod::THRESHOLD) .evaluation_window(SecurityMonitoringRuleEvaluationWindow::ZERO_MINUTES) .keep_alive(SecurityMonitoringRuleKeepAlive::ZERO_MINUTES) .max_signal_duration(SecurityMonitoringRuleMaxSignalDuration::ZERO_MINUTES), vec![SecurityMonitoringStandardRuleQuery::new() .aggregation(SecurityMonitoringRuleQueryAggregation::COUNT) .distinct_fields(vec![]) .group_by_fields(vec!["@userIdentity.assumed_role".to_string()]) .name("".to_string()) .query("source:source_here".to_string())], ) .has_extended_title(true) .tags(vec!["env:prod".to_string(), "team:security".to_string()]) .type_(SecurityMonitoringRuleTypeTest::LOG_DETECTION), )), ) .rule_query_payloads(vec![SecurityMonitoringRuleQueryPayload::new() .expected_result(true) .index(0) .payload( SecurityMonitoringRuleQueryPayloadData::new() .ddsource("source_here".to_string()) .ddtags("env:staging,version:5.1".to_string()) .hostname("i-012345678".to_string()) .message( "2019-11-19T14:37:58,995 INFO [process.name][20081] Hello World" .to_string(), ) .service("payment".to_string()), )]); let configuration = datadog::Configuration::new(); let api = SecurityMonitoringAPI::with_config(configuration); let resp = api.test_security_monitoring_rule(body).await; if let Ok(value) = resp { println!("{:#?}", value); } else { println!("{:#?}", resp.unwrap_err()); } } ``` #### Instructions First [install the library and its dependencies](https://docs.datadoghq.com/api/latest.md?code-lang=rust) and then save the example to `src/main.rs` and run following commands: DD_SITE="datadoghq.com" DD_API_KEY="" DD_APP_KEY="" cargo run ##### ```typescript /** * Test a rule returns "OK" response */ import { client, v2 } from "@datadog/datadog-api-client"; const configuration = client.createConfiguration(); const apiInstance = new v2.SecurityMonitoringApi(configuration); const params: v2.SecurityMonitoringApiTestSecurityMonitoringRuleRequest = { body: { rule: { cases: [ { name: "", status: "info", notifications: [], condition: "a > 0", }, ], hasExtendedTitle: true, isEnabled: true, message: "My security monitoring rule message.", name: "My security monitoring rule.", options: { decreaseCriticalityBasedOnEnv: false, detectionMethod: "threshold", evaluationWindow: 0, keepAlive: 0, maxSignalDuration: 0, }, queries: [ { query: "source:source_here", groupByFields: ["@userIdentity.assumed_role"], distinctFields: [], aggregation: "count", name: "", }, ], tags: ["env:prod", "team:security"], type: "log_detection", }, ruleQueryPayloads: [ { expectedResult: true, index: 0, payload: { ddsource: "source_here", ddtags: "env:staging,version:5.1", hostname: "i-012345678", message: "2019-11-19T14:37:58,995 INFO [process.name][20081] Hello World", service: "payment", }, }, ], }, }; apiInstance .testSecurityMonitoringRule(params) .then((data: v2.SecurityMonitoringRuleTestResponse) => { console.log( "API called successfully. Returned data: " + JSON.stringify(data) ); }) .catch((error: any) => console.error(error)); ``` #### Instructions First [install the library and its dependencies](https://docs.datadoghq.com/api/latest.md?code-lang=typescript) and then save the example to `example.ts` and run following commands: DD_SITE="datadoghq.com" DD_API_KEY="" DD_APP_KEY="" tsc "example.ts" {% /tab %}