Language

English Français 日本語 한국어 Español

Datadog Site

Site help
US1 US3 US5 EU AP1 AP2 US1-FED US2-FED

Validate a detection rule

POST https://api.ap1.datadoghq.com/api/v2/security_monitoring/rules/validationhttps://api.ap2.datadoghq.com/api/v2/security_monitoring/rules/validationhttps://api.datadoghq.eu/api/v2/security_monitoring/rules/validationhttps://api.ddog-gov.com/api/v2/security_monitoring/rules/validationhttps://api.us2.ddog-gov.com/api/v2/security_monitoring/rules/validationhttps://api.datadoghq.com/api/v2/security_monitoring/rules/validationhttps://api.us3.datadoghq.com/api/v2/security_monitoring/rules/validationhttps://api.us5.datadoghq.com/api/v2/security_monitoring/rules/validation

Overview

Validate a detection rule. This endpoint requires the security_monitoring_rules_write permission.

OAuth apps require the security_monitoring_rules_write authorization scope to access this endpoint.

Request

Body Data (required)

Expand All

Field

Type

Description

Option 1

object

The payload of a rule.

calculatedFields

[object]

Calculated fields. Only allowed for scheduled rules - in other words, when schedulingOptions is also defined.

expression [required]

string

Expression.

name [required]

string

Field name.

cases [required]

[object]

Cases for generating signals.

actions

[object]

Action to perform for each rule case.

options

object

Options for the rule action

duration

int64

Duration of the action in seconds. 0 indicates no expiration.

flaggedIPType

enum

Used with the case action of type 'flag_ip'. The value specified in this field is applied as a flag to the IP addresses. Allowed enum values: SUSPICIOUS,FLAGGED

userBehaviorName

string

Used with the case action of type 'user_behavior'. The value specified in this field is applied as a risk tag to all users affected by the rule.

type

enum

The action type. Allowed enum values: block_ip,block_user,user_behavior,flag_ip

condition

string

A case contains logical operations (>,>=, &&, ||) to determine if a signal should be generated based on the event counts in the previously defined queries.

name

string

Name of the case.

notifications

[string]

Notification targets.

status [required]

enum

Severity of the Security Signal. Allowed enum values: info,low,medium,high,critical

customMessage

string

Custom/Overridden message for generated signals (used in case of Default rule update).

customName

string

Custom/Overridden name of the rule (used in case of Default rule update).

filters

[object]

Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules.

action

enum

The type of filtering action. Allowed enum values: require,suppress

query

string

Query for selecting logs to apply the filtering action.

groupSignalsBy

[string]

Additional grouping to perform on top of the existing groups in the query section. Must be a subset of the existing groups.

hasExtendedTitle

boolean

Whether the notifications include the triggering group-by values in their title.

isEnabled [required]

boolean

Whether the rule is enabled.

message [required]

string

Message for generated signals.

name [required]

string

The name of the rule.

options [required]

object

Options.

anomalyDetectionOptions

object

Options on anomaly detection method.

bucketDuration

enum

Duration in seconds of the time buckets used to aggregate events matched by the rule. Must be greater than or equal to 300. Allowed enum values: 300,600,900,1800,3600,10800

detectionTolerance

enum

An optional parameter that sets how permissive anomaly detection is. Higher values require higher deviations before triggering a signal. Allowed enum values: 1,2,3,4,5

instantaneousBaseline

boolean

When set to true, Datadog uses previous values that fall within the defined learning window to construct the baseline, enabling the system to establish an accurate baseline more rapidly rather than relying solely on gradual learning over time.

learningDuration

enum

Learning duration in hours. Anomaly detection waits for at least this amount of historical data before it starts evaluating. Allowed enum values: 1,6,12,24,48,168,336

learningPeriodBaseline

int64

An optional override baseline to apply while the rule is in the learning period. Must be greater than or equal to 0.

complianceRuleOptions

object

Options for cloud_configuration rules. Fields resourceType and regoRule are mandatory when managing custom cloud_configuration rules.

complexRule

boolean

Whether the rule is a complex one. Must be set to true if regoRule.resourceTypes contains more than one item. Defaults to false.

regoRule

object

Rule details.

policy [required]

string

The policy written in rego, see: https://www.openpolicyagent.org/docs/latest/policy-language/

resourceTypes [required]

[string]

List of resource types that will be evaluated upon. Must have at least one element.

resourceType

string

Main resource type to be checked by the rule. It should be specified again in regoRule.resourceTypes.

decreaseCriticalityBasedOnEnv

boolean

If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise. The severity is decreased by one level: CRITICAL in production becomes HIGH in non-production, HIGH becomes MEDIUM and so on. INFO remains INFO. The decrement is applied when the environment tag of the signal starts with staging, test or dev.

detectionMethod

enum

The detection method. Allowed enum values: threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold,sequence_detection

evaluationWindow

enum

A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600

Show 2 more,43200,86400

hardcodedEvaluatorType

enum

Hardcoded evaluator type. Allowed enum values: log4shell

impossibleTravelOptions

object

Options on impossible travel detection method.

baselineUserLocations

boolean

If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.

baselineUserLocationsDuration

int32

The duration in days during which Datadog learns the user's regular access locations. After this period, signals are generated for accesses from unknown locations.

keepAlive

enum

Once a signal is generated, the signal will remain "open" if a case is matched at least once within this keep alive window. For third party detection method, this field is not used. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600

Show 2 more,43200,86400

maxSignalDuration

enum

A signal will "close" regardless of the query being matched once the time exceeds the maximum duration. This time is calculated from the first seen timestamp. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600

Show 2 more,43200,86400

newValueOptions

object

Options on new value detection method.

forgetAfter

int32

The duration in days after which a learned value is forgotten.

instantaneousBaseline

boolean

When set to true, Datadog uses previous values that fall within the defined learning window to construct the baseline, enabling the system to establish an accurate baseline more rapidly rather than relying solely on gradual learning over time.

learningDuration

int32

The duration in days during which values are learned, and after which signals will be generated for values that weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned.

learningMethod

enum

The learning method used to determine when signals should be generated for values that weren't learned. Allowed enum values: duration,threshold

default: duration

learningThreshold

enum

A number of occurrences after which signals will be generated for values that weren't learned. Allowed enum values: 0,1

sequenceDetectionOptions

object

Options on sequence detection method.

stepTransitions

[object]

Transitions defining the allowed order of steps and their evaluation windows.

child

string

Name of the child step.

evaluationWindow

enum

A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600

Show 2 more,43200,86400

parent

string

Name of the parent step.

steps

[object]

Steps that define the conditions to be matched in sequence.

condition

string

Condition referencing rule queries (e.g., a > 0).

evaluationWindow

enum

A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600

Show 2 more,43200,86400

name

string

Unique name identifying the step.

thirdPartyRuleOptions

object

Options on third party detection method.

defaultNotifications

[string]

Notification targets for the logs that do not correspond to any of the cases.

defaultStatus

enum

Severity of the Security Signal. Allowed enum values: info,low,medium,high,critical

rootQueries

[object]

Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.

groupByFields

[string]

Fields to group by.

query

string

Query to run on logs.

signalTitleTemplate

string

A template for the signal title; if omitted, the title is generated based on the case name.

queries [required]

[object]

Queries for selecting logs which are part of the rule.

aggregation

enum

The aggregation type. Allowed enum values: count,cardinality,sum,max,new_value,geo_data,event_count,none

customQueryExtension

string

Query extension to append to the logs query.

dataSource

enum

Source of events, either logs, audit trail, security signals, or Datadog events. app_sec_spans is deprecated in favor of spans. Allowed enum values: logs,audit,app_sec_spans,spans,security_runtime,network,events,security_signals

default: logs

distinctFields

[string]

Field for which the cardinality is measured. Sent as an array.

groupByFields

[string]

Fields to group by.

hasOptionalGroupByFields

boolean

When false, events without a group-by value are ignored by the rule. When true, events with missing group-by fields are processed with N/A, replacing the missing values.

index

string

This field is currently unstable and might be removed in a minor version upgrade. The index to run the query on, if the dataSource is logs. Only used for scheduled rules - in other words, when the schedulingOptions field is present in the rule payload.

indexes

[string]

List of indexes to query when the dataSource is logs. Only used for scheduled rules, such as when the schedulingOptions field is present in the rule payload.

metric

string

DEPRECATED: (Deprecated) The target field to aggregate over when using the sum or max aggregations. metrics field should be used instead.

metrics

[string]

Group of target fields to aggregate over when using the sum, max, geo data, or new value aggregations. The sum, max, and geo data aggregations only accept one value in this list, whereas the new value aggregation accepts up to five values.

name

string

Name of the query.

query

string

Query to run on logs.

referenceTables

[object]

Reference tables for the rule.

checkPresence

boolean

Whether to include or exclude the matched values.

columnName

string

The name of the column in the reference table.

logFieldPath

string

The field in the log to match against the reference table.

ruleQueryName

string

The name of the query to apply the reference table to.

tableName

string

The name of the reference table.

schedulingOptions

object

Options for scheduled rules. When this field is present, the rule runs based on the schedule. When absent, it runs real-time on ingested logs.

rrule

string

Schedule for the rule queries, written in RRULE syntax. See RFC for syntax reference.

start

string

Start date for the schedule, in ISO 8601 format without timezone.

timezone

string

Time zone of the start date, in the tz database format.

tags

[string]

Tags for generated signals.

thirdPartyCases

[object]

Cases for generating signals from third-party rules. Only available for third-party rules.

name

string

Name of the case.

notifications

[string]

Notification targets for each case.

query

string

A query to map a third party event to this case.

status [required]

enum

Severity of the Security Signal. Allowed enum values: info,low,medium,high,critical

type

enum

The rule type. Allowed enum values: api_security,application_security,log_detection,workload_activity,workload_security

Option 2

object

The payload of a signal correlation rule.

cases [required]

[object]

Cases for generating signals.

actions

[object]

Action to perform for each rule case.

options

object

Options for the rule action

duration

int64

Duration of the action in seconds. 0 indicates no expiration.

flaggedIPType

enum

Used with the case action of type 'flag_ip'. The value specified in this field is applied as a flag to the IP addresses. Allowed enum values: SUSPICIOUS,FLAGGED

userBehaviorName

string

Used with the case action of type 'user_behavior'. The value specified in this field is applied as a risk tag to all users affected by the rule.

type

enum

The action type. Allowed enum values: block_ip,block_user,user_behavior,flag_ip

condition

string

A case contains logical operations (>,>=, &&, ||) to determine if a signal should be generated based on the event counts in the previously defined queries.

name

string

Name of the case.

notifications

[string]

Notification targets.

status [required]

enum

Severity of the Security Signal. Allowed enum values: info,low,medium,high,critical

customMessage

string

Custom/Overridden message for generated signals (used in case of Default rule update).

customName

string

Custom/Overridden name of the rule (used in case of Default rule update).

filters

[object]

Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules.

action

enum

The type of filtering action. Allowed enum values: require,suppress

query

string

Query for selecting logs to apply the filtering action.

hasExtendedTitle

boolean

Whether the notifications include the triggering group-by values in their title.

isEnabled [required]

boolean

Whether the rule is enabled.

message [required]

string

Message for generated signals.

name [required]

string

The name of the rule.

options [required]

object

Options.

anomalyDetectionOptions

object

Options on anomaly detection method.

bucketDuration

enum

Duration in seconds of the time buckets used to aggregate events matched by the rule. Must be greater than or equal to 300. Allowed enum values: 300,600,900,1800,3600,10800

detectionTolerance

enum

An optional parameter that sets how permissive anomaly detection is. Higher values require higher deviations before triggering a signal. Allowed enum values: 1,2,3,4,5

instantaneousBaseline

boolean

When set to true, Datadog uses previous values that fall within the defined learning window to construct the baseline, enabling the system to establish an accurate baseline more rapidly rather than relying solely on gradual learning over time.

learningDuration

enum

Learning duration in hours. Anomaly detection waits for at least this amount of historical data before it starts evaluating. Allowed enum values: 1,6,12,24,48,168,336

learningPeriodBaseline

int64

An optional override baseline to apply while the rule is in the learning period. Must be greater than or equal to 0.

complianceRuleOptions

object

Options for cloud_configuration rules. Fields resourceType and regoRule are mandatory when managing custom cloud_configuration rules.

complexRule

boolean

Whether the rule is a complex one. Must be set to true if regoRule.resourceTypes contains more than one item. Defaults to false.

regoRule

object

Rule details.

policy [required]

string

The policy written in rego, see: https://www.openpolicyagent.org/docs/latest/policy-language/

resourceTypes [required]

[string]

List of resource types that will be evaluated upon. Must have at least one element.

resourceType

string

Main resource type to be checked by the rule. It should be specified again in regoRule.resourceTypes.

decreaseCriticalityBasedOnEnv

boolean

If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise. The severity is decreased by one level: CRITICAL in production becomes HIGH in non-production, HIGH becomes MEDIUM and so on. INFO remains INFO. The decrement is applied when the environment tag of the signal starts with staging, test or dev.

detectionMethod

enum

The detection method. Allowed enum values: threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold,sequence_detection

evaluationWindow

enum

A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600

Show 2 more,43200,86400

hardcodedEvaluatorType

enum

Hardcoded evaluator type. Allowed enum values: log4shell

impossibleTravelOptions

object

Options on impossible travel detection method.

baselineUserLocations

boolean

If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.

baselineUserLocationsDuration

int32

The duration in days during which Datadog learns the user's regular access locations. After this period, signals are generated for accesses from unknown locations.

keepAlive

enum

Once a signal is generated, the signal will remain "open" if a case is matched at least once within this keep alive window. For third party detection method, this field is not used. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600

Show 2 more,43200,86400

maxSignalDuration

enum

A signal will "close" regardless of the query being matched once the time exceeds the maximum duration. This time is calculated from the first seen timestamp. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600

Show 2 more,43200,86400

newValueOptions

object

Options on new value detection method.

forgetAfter

int32

The duration in days after which a learned value is forgotten.

instantaneousBaseline

boolean

When set to true, Datadog uses previous values that fall within the defined learning window to construct the baseline, enabling the system to establish an accurate baseline more rapidly rather than relying solely on gradual learning over time.

learningDuration

int32

The duration in days during which values are learned, and after which signals will be generated for values that weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned.

learningMethod

enum

The learning method used to determine when signals should be generated for values that weren't learned. Allowed enum values: duration,threshold

default: duration

learningThreshold

enum

A number of occurrences after which signals will be generated for values that weren't learned. Allowed enum values: 0,1

sequenceDetectionOptions

object

Options on sequence detection method.

stepTransitions

[object]

Transitions defining the allowed order of steps and their evaluation windows.

child

string

Name of the child step.

evaluationWindow

enum

A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600

Show 2 more,43200,86400

parent

string

Name of the parent step.

steps

[object]

Steps that define the conditions to be matched in sequence.

condition

string

Condition referencing rule queries (e.g., a > 0).

evaluationWindow

enum

A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600

Show 2 more,43200,86400

name

string

Unique name identifying the step.

thirdPartyRuleOptions

object

Options on third party detection method.

defaultNotifications

[string]

Notification targets for the logs that do not correspond to any of the cases.

defaultStatus

enum

Severity of the Security Signal. Allowed enum values: info,low,medium,high,critical

rootQueries

[object]

Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.

groupByFields

[string]

Fields to group by.

query

string

Query to run on logs.

signalTitleTemplate

string

A template for the signal title; if omitted, the title is generated based on the case name.

queries [required]

[object]

Queries for selecting signals which are part of the rule.

aggregation

enum

The aggregation type. Allowed enum values: count,cardinality,sum,max,new_value,geo_data,event_count,none

correlatedByFields

[string]

Fields to group by.

correlatedQueryIndex

int32

Index of the rule query used to retrieve the correlated field.

metrics

[string]

Group of target fields to aggregate over.

name

string

Name of the query.

ruleId [required]

string

Rule ID to match on signals.

tags

[string]

Tags for generated signals.

type

enum

The rule type. Allowed enum values: signal_correlation

Option 3

object

The payload of a cloud configuration rule.

cases [required]

[object]

Description of generated findings and signals (severity and channels to be notified in case of a signal). Must contain exactly one item.

notifications

[string]

Notification targets for each rule case.

status [required]

enum

Severity of the Security Signal. Allowed enum values: info,low,medium,high,critical

complianceSignalOptions [required]

object

How to generate compliance signals. Useful for cloud_configuration rules only.

defaultActivationStatus

boolean

The default activation status.

defaultGroupByFields

[string]

The default group by fields.

userActivationStatus

boolean

Whether signals will be sent.

userGroupByFields

[string]

Fields to use to group findings by when sending signals.

customMessage

string

Custom/Overridden message for generated signals (used in case of Default rule update).

customName

string

Custom/Overridden name of the rule (used in case of Default rule update).

filters

[object]

Additional queries to filter matched events before they are processed.

action

enum

The type of filtering action. Allowed enum values: require,suppress

query

string

Query for selecting logs to apply the filtering action.

isEnabled [required]

boolean

Whether the rule is enabled.

message [required]

string

Message in markdown format for generated findings and signals.

name [required]

string

The name of the rule.

options [required]

object

Options on cloud configuration rules.

complianceRuleOptions [required]

object

Options for cloud_configuration rules. Fields resourceType and regoRule are mandatory when managing custom cloud_configuration rules.

complexRule

boolean

Whether the rule is a complex one. Must be set to true if regoRule.resourceTypes contains more than one item. Defaults to false.

regoRule

object

Rule details.

policy [required]

string

The policy written in rego, see: https://www.openpolicyagent.org/docs/latest/policy-language/

resourceTypes [required]

[string]

List of resource types that will be evaluated upon. Must have at least one element.

resourceType

string

Main resource type to be checked by the rule. It should be specified again in regoRule.resourceTypes.

tags

[string]

Tags for generated findings and signals.

type

enum

The rule type. Allowed enum values: cloud_configuration

{
  "cases": [
    {
      "name": "",
      "status": "info",
      "notifications": [],
      "condition": "a > 0"
    }
  ],
  "hasExtendedTitle": true,
  "isEnabled": true,
  "message": "My security monitoring rule",
  "name": "My security monitoring rule",
  "options": {
    "evaluationWindow": 1800,
    "keepAlive": 1800,
    "maxSignalDuration": 1800,
    "detectionMethod": "threshold"
  },
  "queries": [
    {
      "query": "source:source_here",
      "groupByFields": [
        "@userIdentity.assumed_role"
      ],
      "distinctFields": [],
      "aggregation": "count",
      "name": ""
    }
  ],
  "tags": [
    "env:prod",
    "team:security"
  ],
  "type": "log_detection"
}
{
  "cases": [
    {
      "name": "",
      "status": "info",
      "notifications": []
    }
  ],
  "hasExtendedTitle": true,
  "isEnabled": true,
  "message": "My security monitoring rule",
  "name": "My security monitoring rule",
  "options": {
    "evaluationWindow": 0,
    "keepAlive": 300,
    "maxSignalDuration": 600,
    "detectionMethod": "new_value",
    "newValueOptions": {
      "forgetAfter": 7,
      "instantaneousBaseline": true,
      "learningDuration": 1,
      "learningThreshold": 0,
      "learningMethod": "duration"
    }
  },
  "queries": [
    {
      "query": "source:source_here",
      "groupByFields": [
        "@userIdentity.assumed_role"
      ],
      "distinctFields": [],
      "metric": "name",
      "metrics": [
        "name"
      ],
      "aggregation": "new_value",
      "name": "",
      "dataSource": "logs"
    }
  ],
  "tags": [
    "env:prod",
    "team:security"
  ],
  "type": "log_detection"
}
{
  "cases": [
    {
      "name": "",
      "status": "info",
      "notifications": [],
      "condition": "step_b > 0"
    }
  ],
  "hasExtendedTitle": true,
  "isEnabled": true,
  "message": "My security monitoring rule",
  "name": "My security monitoring rule",
  "options": {
    "evaluationWindow": 0,
    "keepAlive": 300,
    "maxSignalDuration": 600,
    "detectionMethod": "sequence_detection",
    "sequenceDetectionOptions": {
      "stepTransitions": [
        {
          "child": "step_b",
          "evaluationWindow": 900,
          "parent": "step_a"
        }
      ],
      "steps": [
        {
          "condition": "a > 0",
          "evaluationWindow": 60,
          "name": "step_a"
        },
        {
          "condition": "b > 0",
          "evaluationWindow": 60,
          "name": "step_b"
        }
      ]
    }
  },
  "queries": [
    {
      "query": "source:source_here",
      "groupByFields": [
        "@userIdentity.assumed_role"
      ],
      "distinctFields": [],
      "aggregation": "count",
      "name": ""
    },
    {
      "query": "source:source_here2",
      "groupByFields": [],
      "distinctFields": [],
      "aggregation": "count",
      "name": ""
    }
  ],
  "tags": [
    "env:prod",
    "team:security"
  ],
  "type": "log_detection"
}

Response

OK

Bad Request

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Not Authorized

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Too many requests

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Code Example

                          ## default
# 

# Curl command
curl -X POST "https://api.ap1.datadoghq.com"https://api.ap2.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.us2.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/rules/validation" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "calculatedFields": [
    {
      "expression": "@request_end_timestamp - @request_start_timestamp",
      "name": "response_time"
    }
  ],
  "cases": [
    {
      "condition": "a \u003e 0",
      "name": "",
      "notifications": [],
      "status": "info"
    }
  ],
  "filters": [
    {
      "action": "require"
    }
  ],
  "groupSignalsBy": [
    "service"
  ],
  "hasExtendedTitle": true,
  "isEnabled": true,
  "message": "My security monitoring rule",
  "name": "My security monitoring rule.",
  "options": {
    "anomalyDetectionOptions": {
      "bucketDuration": 300,
      "detectionTolerance": 5,
      "instantaneousBaseline": false
    },
    "complianceRuleOptions": {
      "regoRule": {
        "policy": "package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(resource) = \"skip\" if {\n  # Logic that evaluates to true if the resource should be skipped\n  true\n} else = \"pass\" {\n  # Logic that evaluates to true if the resource is compliant\n  true\n} else = \"fail\" {\n  # Logic that evaluates to true if the resource is not compliant\n  true\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n  some resource in input.resources[input.main_resource_type]\n  result := dd_output.format(resource, eval(resource))\n}",
        "resourceTypes": [
          "gcp_iam_service_account",
          "gcp_iam_policy"
        ]
      },
      "resourceType": "aws_acm"
    },
    "decreaseCriticalityBasedOnEnv": false,
    "detectionMethod": "threshold",
    "evaluationWindow": 1800,
    "hardcodedEvaluatorType": "log4shell",
    "impossibleTravelOptions": {
      "baselineUserLocations": true,
      "baselineUserLocationsDuration": 7
    },
    "keepAlive": 1800,
    "maxSignalDuration": 1800,
    "newValueOptions": {
      "instantaneousBaseline": false,
      "learningMethod": "duration"
    },
    "thirdPartyRuleOptions": {
      "defaultStatus": "critical",
      "rootQueries": [
        {
          "query": "source:cloudtrail"
        }
      ]
    }
  },
  "queries": [
    {
      "aggregation": "count",
      "distinctFields": [],
      "groupByFields": [
        "@userIdentity.assumed_role"
      ],
      "name": "",
      "query": "source:cloudtrail"
    }
  ],
  "schedulingOptions": {
    "rrule": "FREQ=HOURLY;INTERVAL=1;",
    "start": "2025-07-14T12:00:00",
    "timezone": "America/New_York"
  },
  "tags": [
    "env:prod",
    "team:security"
  ],
  "thirdPartyCases": [],
  "type": "log_detection"
}
EOF

                        
                          ## default
# 

# Curl command
curl -X POST "https://api.ap1.datadoghq.com"https://api.ap2.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.us2.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/rules/validation" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "calculatedFields": [
    {
      "expression": "@request_end_timestamp - @request_start_timestamp",
      "name": "response_time"
    }
  ],
  "cases": [
    {
      "condition": "a \u003e 0",
      "name": "",
      "notifications": [],
      "status": "info"
    }
  ],
  "filters": [
    {
      "action": "require"
    }
  ],
  "groupSignalsBy": [
    "service"
  ],
  "hasExtendedTitle": true,
  "isEnabled": true,
  "message": "My security monitoring rule",
  "name": "My security monitoring rule.",
  "options": {
    "anomalyDetectionOptions": {
      "bucketDuration": 300,
      "detectionTolerance": 5,
      "instantaneousBaseline": false
    },
    "complianceRuleOptions": {
      "regoRule": {
        "policy": "package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(resource) = \"skip\" if {\n  # Logic that evaluates to true if the resource should be skipped\n  true\n} else = \"pass\" {\n  # Logic that evaluates to true if the resource is compliant\n  true\n} else = \"fail\" {\n  # Logic that evaluates to true if the resource is not compliant\n  true\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n  some resource in input.resources[input.main_resource_type]\n  result := dd_output.format(resource, eval(resource))\n}",
        "resourceTypes": [
          "gcp_iam_service_account",
          "gcp_iam_policy"
        ]
      },
      "resourceType": "aws_acm"
    },
    "decreaseCriticalityBasedOnEnv": false,
    "detectionMethod": "threshold",
    "evaluationWindow": 1800,
    "hardcodedEvaluatorType": "log4shell",
    "impossibleTravelOptions": {
      "baselineUserLocations": true,
      "baselineUserLocationsDuration": 7
    },
    "keepAlive": 1800,
    "maxSignalDuration": 1800,
    "newValueOptions": {
      "instantaneousBaseline": false,
      "learningMethod": "duration"
    },
    "thirdPartyRuleOptions": {
      "defaultStatus": "critical",
      "rootQueries": [
        {
          "query": "source:cloudtrail"
        }
      ]
    }
  },
  "queries": [
    {
      "aggregation": "count",
      "distinctFields": [],
      "groupByFields": [
        "@userIdentity.assumed_role"
      ],
      "name": "",
      "query": "source:cloudtrail"
    }
  ],
  "schedulingOptions": {
    "rrule": "FREQ=HOURLY;INTERVAL=1;",
    "start": "2025-07-14T12:00:00",
    "timezone": "America/New_York"
  },
  "tags": [
    "env:prod",
    "team:security"
  ],
  "thirdPartyCases": [],
  "type": "log_detection"
}
EOF

                        
                          ## default
# 

# Curl command
curl -X POST "https://api.ap1.datadoghq.com"https://api.ap2.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.us2.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/rules/validation" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "calculatedFields": [
    {
      "expression": "@request_end_timestamp - @request_start_timestamp",
      "name": "response_time"
    }
  ],
  "cases": [
    {
      "condition": "a \u003e 0",
      "name": "",
      "notifications": [],
      "status": "info"
    }
  ],
  "filters": [
    {
      "action": "require"
    }
  ],
  "groupSignalsBy": [
    "service"
  ],
  "hasExtendedTitle": true,
  "isEnabled": true,
  "message": "My security monitoring rule",
  "name": "My security monitoring rule.",
  "options": {
    "anomalyDetectionOptions": {
      "bucketDuration": 300,
      "detectionTolerance": 5,
      "instantaneousBaseline": false
    },
    "complianceRuleOptions": {
      "regoRule": {
        "policy": "package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(resource) = \"skip\" if {\n  # Logic that evaluates to true if the resource should be skipped\n  true\n} else = \"pass\" {\n  # Logic that evaluates to true if the resource is compliant\n  true\n} else = \"fail\" {\n  # Logic that evaluates to true if the resource is not compliant\n  true\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n  some resource in input.resources[input.main_resource_type]\n  result := dd_output.format(resource, eval(resource))\n}",
        "resourceTypes": [
          "gcp_iam_service_account",
          "gcp_iam_policy"
        ]
      },
      "resourceType": "aws_acm"
    },
    "decreaseCriticalityBasedOnEnv": false,
    "detectionMethod": "threshold",
    "evaluationWindow": 1800,
    "hardcodedEvaluatorType": "log4shell",
    "impossibleTravelOptions": {
      "baselineUserLocations": true,
      "baselineUserLocationsDuration": 7
    },
    "keepAlive": 1800,
    "maxSignalDuration": 1800,
    "newValueOptions": {
      "instantaneousBaseline": false,
      "learningMethod": "duration"
    },
    "thirdPartyRuleOptions": {
      "defaultStatus": "critical",
      "rootQueries": [
        {
          "query": "source:cloudtrail"
        }
      ]
    }
  },
  "queries": [
    {
      "aggregation": "count",
      "distinctFields": [],
      "groupByFields": [
        "@userIdentity.assumed_role"
      ],
      "name": "",
      "query": "source:cloudtrail"
    }
  ],
  "schedulingOptions": {
    "rrule": "FREQ=HOURLY;INTERVAL=1;",
    "start": "2025-07-14T12:00:00",
    "timezone": "America/New_York"
  },
  "tags": [
    "env:prod",
    "team:security"
  ],
  "thirdPartyCases": [],
  "type": "log_detection"
}
EOF

                        
// Validate a detection rule returns "OK" response

package main

import (
	"context"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	body := datadogV2.SecurityMonitoringRuleValidatePayload{
		SecurityMonitoringStandardRulePayload: &datadogV2.SecurityMonitoringStandardRulePayload{
			Cases: []datadogV2.SecurityMonitoringRuleCaseCreate{
				{
					Name:          datadog.PtrString(""),
					Status:        datadogV2.SECURITYMONITORINGRULESEVERITY_INFO,
					Notifications: []string{},
					Condition:     datadog.PtrString("a > 0"),
				},
			},
			HasExtendedTitle: datadog.PtrBool(true),
			IsEnabled:        true,
			Message:          "My security monitoring rule",
			Name:             "My security monitoring rule",
			Options: datadogV2.SecurityMonitoringRuleOptions{
				EvaluationWindow:  datadogV2.SECURITYMONITORINGRULEEVALUATIONWINDOW_THIRTY_MINUTES.Ptr(),
				KeepAlive:         datadogV2.SECURITYMONITORINGRULEKEEPALIVE_THIRTY_MINUTES.Ptr(),
				MaxSignalDuration: datadogV2.SECURITYMONITORINGRULEMAXSIGNALDURATION_THIRTY_MINUTES.Ptr(),
				DetectionMethod:   datadogV2.SECURITYMONITORINGRULEDETECTIONMETHOD_THRESHOLD.Ptr(),
			},
			Queries: []datadogV2.SecurityMonitoringStandardRuleQuery{
				{
					Query: datadog.PtrString("source:source_here"),
					GroupByFields: []string{
						"@userIdentity.assumed_role",
					},
					DistinctFields: []string{},
					Aggregation:    datadogV2.SECURITYMONITORINGRULEQUERYAGGREGATION_COUNT.Ptr(),
					Name:           datadog.PtrString(""),
				},
			},
			Tags: []string{
				"env:prod",
				"team:security",
			},
			Type: datadogV2.SECURITYMONITORINGRULETYPECREATE_LOG_DETECTION.Ptr(),
		}}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	r, err := api.ValidateSecurityMonitoringRule(ctx, body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.ValidateSecurityMonitoringRule`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}
}

// Validate a detection rule with detection method 'new_value' with enabled feature 'instantaneousBaseline' returns "OK"
// response

package main

import (
	"context"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	body := datadogV2.SecurityMonitoringRuleValidatePayload{
		SecurityMonitoringStandardRulePayload: &datadogV2.SecurityMonitoringStandardRulePayload{
			Cases: []datadogV2.SecurityMonitoringRuleCaseCreate{
				{
					Name:          datadog.PtrString(""),
					Status:        datadogV2.SECURITYMONITORINGRULESEVERITY_INFO,
					Notifications: []string{},
				},
			},
			HasExtendedTitle: datadog.PtrBool(true),
			IsEnabled:        true,
			Message:          "My security monitoring rule",
			Name:             "My security monitoring rule",
			Options: datadogV2.SecurityMonitoringRuleOptions{
				EvaluationWindow:  datadogV2.SECURITYMONITORINGRULEEVALUATIONWINDOW_ZERO_MINUTES.Ptr(),
				KeepAlive:         datadogV2.SECURITYMONITORINGRULEKEEPALIVE_FIVE_MINUTES.Ptr(),
				MaxSignalDuration: datadogV2.SECURITYMONITORINGRULEMAXSIGNALDURATION_TEN_MINUTES.Ptr(),
				DetectionMethod:   datadogV2.SECURITYMONITORINGRULEDETECTIONMETHOD_NEW_VALUE.Ptr(),
				NewValueOptions: &datadogV2.SecurityMonitoringRuleNewValueOptions{
					ForgetAfter:           datadog.PtrInt32(7),
					InstantaneousBaseline: datadog.PtrBool(true),
					LearningDuration:      datadog.PtrInt32(1),
					LearningThreshold:     datadogV2.SECURITYMONITORINGRULENEWVALUEOPTIONSLEARNINGTHRESHOLD_ZERO_OCCURRENCES.Ptr(),
					LearningMethod:        datadogV2.SECURITYMONITORINGRULENEWVALUEOPTIONSLEARNINGMETHOD_DURATION.Ptr(),
				},
			},
			Queries: []datadogV2.SecurityMonitoringStandardRuleQuery{
				{
					Query: datadog.PtrString("source:source_here"),
					GroupByFields: []string{
						"@userIdentity.assumed_role",
					},
					DistinctFields: []string{},
					Metric:         datadog.PtrString("name"),
					Metrics: []string{
						"name",
					},
					Aggregation: datadogV2.SECURITYMONITORINGRULEQUERYAGGREGATION_NEW_VALUE.Ptr(),
					Name:        datadog.PtrString(""),
					DataSource:  datadogV2.SECURITYMONITORINGSTANDARDDATASOURCE_LOGS.Ptr(),
				},
			},
			Tags: []string{
				"env:prod",
				"team:security",
			},
			Type: datadogV2.SECURITYMONITORINGRULETYPECREATE_LOG_DETECTION.Ptr(),
		}}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	r, err := api.ValidateSecurityMonitoringRule(ctx, body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.ValidateSecurityMonitoringRule`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}
}

// Validate a detection rule with detection method 'sequence_detection' returns "OK" response

package main

import (
	"context"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	body := datadogV2.SecurityMonitoringRuleValidatePayload{
		SecurityMonitoringStandardRulePayload: &datadogV2.SecurityMonitoringStandardRulePayload{
			Cases: []datadogV2.SecurityMonitoringRuleCaseCreate{
				{
					Name:          datadog.PtrString(""),
					Status:        datadogV2.SECURITYMONITORINGRULESEVERITY_INFO,
					Notifications: []string{},
					Condition:     datadog.PtrString("step_b > 0"),
				},
			},
			HasExtendedTitle: datadog.PtrBool(true),
			IsEnabled:        true,
			Message:          "My security monitoring rule",
			Name:             "My security monitoring rule",
			Options: datadogV2.SecurityMonitoringRuleOptions{
				EvaluationWindow:  datadogV2.SECURITYMONITORINGRULEEVALUATIONWINDOW_ZERO_MINUTES.Ptr(),
				KeepAlive:         datadogV2.SECURITYMONITORINGRULEKEEPALIVE_FIVE_MINUTES.Ptr(),
				MaxSignalDuration: datadogV2.SECURITYMONITORINGRULEMAXSIGNALDURATION_TEN_MINUTES.Ptr(),
				DetectionMethod:   datadogV2.SECURITYMONITORINGRULEDETECTIONMETHOD_SEQUENCE_DETECTION.Ptr(),
				SequenceDetectionOptions: &datadogV2.SecurityMonitoringRuleSequenceDetectionOptions{
					StepTransitions: []datadogV2.SecurityMonitoringRuleSequenceDetectionStepTransition{
						{
							Child:            datadog.PtrString("step_b"),
							EvaluationWindow: datadogV2.SECURITYMONITORINGRULEEVALUATIONWINDOW_FIFTEEN_MINUTES.Ptr(),
							Parent:           datadog.PtrString("step_a"),
						},
					},
					Steps: []datadogV2.SecurityMonitoringRuleSequenceDetectionStep{
						{
							Condition:        datadog.PtrString("a > 0"),
							EvaluationWindow: datadogV2.SECURITYMONITORINGRULEEVALUATIONWINDOW_ONE_MINUTE.Ptr(),
							Name:             datadog.PtrString("step_a"),
						},
						{
							Condition:        datadog.PtrString("b > 0"),
							EvaluationWindow: datadogV2.SECURITYMONITORINGRULEEVALUATIONWINDOW_ONE_MINUTE.Ptr(),
							Name:             datadog.PtrString("step_b"),
						},
					},
				},
			},
			Queries: []datadogV2.SecurityMonitoringStandardRuleQuery{
				{
					Query: datadog.PtrString("source:source_here"),
					GroupByFields: []string{
						"@userIdentity.assumed_role",
					},
					DistinctFields: []string{},
					Aggregation:    datadogV2.SECURITYMONITORINGRULEQUERYAGGREGATION_COUNT.Ptr(),
					Name:           datadog.PtrString(""),
				},
				{
					Query:          datadog.PtrString("source:source_here2"),
					GroupByFields:  []string{},
					DistinctFields: []string{},
					Aggregation:    datadogV2.SECURITYMONITORINGRULEQUERYAGGREGATION_COUNT.Ptr(),
					Name:           datadog.PtrString(""),
				},
			},
			Tags: []string{
				"env:prod",
				"team:security",
			},
			Type: datadogV2.SECURITYMONITORINGRULETYPECREATE_LOG_DETECTION.Ptr(),
		}}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	r, err := api.ValidateSecurityMonitoringRule(ctx, body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.ValidateSecurityMonitoringRule`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}
}

Instructions

First install the library and its dependencies and then save the example to main.go and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.comus2.ddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
// Validate a detection rule returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleCaseCreate;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleDetectionMethod;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleEvaluationWindow;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleKeepAlive;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleMaxSignalDuration;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleOptions;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleQueryAggregation;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleSeverity;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleTypeCreate;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleValidatePayload;
import com.datadog.api.client.v2.model.SecurityMonitoringStandardRulePayload;
import com.datadog.api.client.v2.model.SecurityMonitoringStandardRuleQuery;
import java.util.Arrays;
import java.util.Collections;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    SecurityMonitoringRuleValidatePayload body =
        new SecurityMonitoringRuleValidatePayload(
            new SecurityMonitoringStandardRulePayload()
                .cases(
                    Collections.singletonList(
                        new SecurityMonitoringRuleCaseCreate()
                            .name("")
                            .status(SecurityMonitoringRuleSeverity.INFO)
                            .condition("a > 0")))
                .hasExtendedTitle(true)
                .isEnabled(true)
                .message("My security monitoring rule")
                .name("My security monitoring rule")
                .options(
                    new SecurityMonitoringRuleOptions()
                        .evaluationWindow(SecurityMonitoringRuleEvaluationWindow.THIRTY_MINUTES)
                        .keepAlive(SecurityMonitoringRuleKeepAlive.THIRTY_MINUTES)
                        .maxSignalDuration(SecurityMonitoringRuleMaxSignalDuration.THIRTY_MINUTES)
                        .detectionMethod(SecurityMonitoringRuleDetectionMethod.THRESHOLD))
                .queries(
                    Collections.singletonList(
                        new SecurityMonitoringStandardRuleQuery()
                            .query("source:source_here")
                            .groupByFields(Collections.singletonList("@userIdentity.assumed_role"))
                            .aggregation(SecurityMonitoringRuleQueryAggregation.COUNT)
                            .name("")))
                .tags(Arrays.asList("env:prod", "team:security"))
                .type(SecurityMonitoringRuleTypeCreate.LOG_DETECTION));

    try {
      apiInstance.validateSecurityMonitoringRule(body);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#validateSecurityMonitoringRule");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

// Validate a detection rule with detection method 'new_value' with enabled feature
// 'instantaneousBaseline' returns "OK"
// response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleCaseCreate;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleDetectionMethod;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleEvaluationWindow;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleKeepAlive;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleMaxSignalDuration;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleNewValueOptions;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleNewValueOptionsLearningMethod;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleNewValueOptionsLearningThreshold;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleOptions;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleQueryAggregation;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleSeverity;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleTypeCreate;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleValidatePayload;
import com.datadog.api.client.v2.model.SecurityMonitoringStandardDataSource;
import com.datadog.api.client.v2.model.SecurityMonitoringStandardRulePayload;
import com.datadog.api.client.v2.model.SecurityMonitoringStandardRuleQuery;
import java.util.Arrays;
import java.util.Collections;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    SecurityMonitoringRuleValidatePayload body =
        new SecurityMonitoringRuleValidatePayload(
            new SecurityMonitoringStandardRulePayload()
                .cases(
                    Collections.singletonList(
                        new SecurityMonitoringRuleCaseCreate()
                            .name("")
                            .status(SecurityMonitoringRuleSeverity.INFO)))
                .hasExtendedTitle(true)
                .isEnabled(true)
                .message("My security monitoring rule")
                .name("My security monitoring rule")
                .options(
                    new SecurityMonitoringRuleOptions()
                        .evaluationWindow(SecurityMonitoringRuleEvaluationWindow.ZERO_MINUTES)
                        .keepAlive(SecurityMonitoringRuleKeepAlive.FIVE_MINUTES)
                        .maxSignalDuration(SecurityMonitoringRuleMaxSignalDuration.TEN_MINUTES)
                        .detectionMethod(SecurityMonitoringRuleDetectionMethod.NEW_VALUE)
                        .newValueOptions(
                            new SecurityMonitoringRuleNewValueOptions()
                                .forgetAfter(7)
                                .instantaneousBaseline(true)
                                .learningDuration(1)
                                .learningThreshold(
                                    SecurityMonitoringRuleNewValueOptionsLearningThreshold
                                        .ZERO_OCCURRENCES)
                                .learningMethod(
                                    SecurityMonitoringRuleNewValueOptionsLearningMethod.DURATION)))
                .queries(
                    Collections.singletonList(
                        new SecurityMonitoringStandardRuleQuery()
                            .query("source:source_here")
                            .groupByFields(Collections.singletonList("@userIdentity.assumed_role"))
                            .metric("name")
                            .metrics(Collections.singletonList("name"))
                            .aggregation(SecurityMonitoringRuleQueryAggregation.NEW_VALUE)
                            .name("")
                            .dataSource(SecurityMonitoringStandardDataSource.LOGS)))
                .tags(Arrays.asList("env:prod", "team:security"))
                .type(SecurityMonitoringRuleTypeCreate.LOG_DETECTION));

    try {
      apiInstance.validateSecurityMonitoringRule(body);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#validateSecurityMonitoringRule");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

// Validate a detection rule with detection method 'sequence_detection' returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleCaseCreate;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleDetectionMethod;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleEvaluationWindow;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleKeepAlive;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleMaxSignalDuration;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleOptions;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleQueryAggregation;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleSequenceDetectionOptions;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleSequenceDetectionStep;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleSequenceDetectionStepTransition;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleSeverity;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleTypeCreate;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleValidatePayload;
import com.datadog.api.client.v2.model.SecurityMonitoringStandardRulePayload;
import com.datadog.api.client.v2.model.SecurityMonitoringStandardRuleQuery;
import java.util.Arrays;
import java.util.Collections;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    SecurityMonitoringRuleValidatePayload body =
        new SecurityMonitoringRuleValidatePayload(
            new SecurityMonitoringStandardRulePayload()
                .cases(
                    Collections.singletonList(
                        new SecurityMonitoringRuleCaseCreate()
                            .name("")
                            .status(SecurityMonitoringRuleSeverity.INFO)
                            .condition("step_b > 0")))
                .hasExtendedTitle(true)
                .isEnabled(true)
                .message("My security monitoring rule")
                .name("My security monitoring rule")
                .options(
                    new SecurityMonitoringRuleOptions()
                        .evaluationWindow(SecurityMonitoringRuleEvaluationWindow.ZERO_MINUTES)
                        .keepAlive(SecurityMonitoringRuleKeepAlive.FIVE_MINUTES)
                        .maxSignalDuration(SecurityMonitoringRuleMaxSignalDuration.TEN_MINUTES)
                        .detectionMethod(SecurityMonitoringRuleDetectionMethod.SEQUENCE_DETECTION)
                        .sequenceDetectionOptions(
                            new SecurityMonitoringRuleSequenceDetectionOptions()
                                .stepTransitions(
                                    Collections.singletonList(
                                        new SecurityMonitoringRuleSequenceDetectionStepTransition()
                                            .child("step_b")
                                            .evaluationWindow(
                                                SecurityMonitoringRuleEvaluationWindow
                                                    .FIFTEEN_MINUTES)
                                            .parent("step_a")))
                                .steps(
                                    Arrays.asList(
                                        new SecurityMonitoringRuleSequenceDetectionStep()
                                            .condition("a > 0")
                                            .evaluationWindow(
                                                SecurityMonitoringRuleEvaluationWindow.ONE_MINUTE)
                                            .name("step_a"),
                                        new SecurityMonitoringRuleSequenceDetectionStep()
                                            .condition("b > 0")
                                            .evaluationWindow(
                                                SecurityMonitoringRuleEvaluationWindow.ONE_MINUTE)
                                            .name("step_b")))))
                .queries(
                    Arrays.asList(
                        new SecurityMonitoringStandardRuleQuery()
                            .query("source:source_here")
                            .groupByFields(Collections.singletonList("@userIdentity.assumed_role"))
                            .aggregation(SecurityMonitoringRuleQueryAggregation.COUNT)
                            .name(""),
                        new SecurityMonitoringStandardRuleQuery()
                            .query("source:source_here2")
                            .aggregation(SecurityMonitoringRuleQueryAggregation.COUNT)
                            .name("")))
                .tags(Arrays.asList("env:prod", "team:security"))
                .type(SecurityMonitoringRuleTypeCreate.LOG_DETECTION));

    try {
      apiInstance.validateSecurityMonitoringRule(body);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#validateSecurityMonitoringRule");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

Instructions

First install the library and its dependencies and then save the example to Example.java and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.comus2.ddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"
"""
Validate a detection rule returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.security_monitoring_rule_case_create import SecurityMonitoringRuleCaseCreate
from datadog_api_client.v2.model.security_monitoring_rule_detection_method import SecurityMonitoringRuleDetectionMethod
from datadog_api_client.v2.model.security_monitoring_rule_evaluation_window import (
    SecurityMonitoringRuleEvaluationWindow,
)
from datadog_api_client.v2.model.security_monitoring_rule_keep_alive import SecurityMonitoringRuleKeepAlive
from datadog_api_client.v2.model.security_monitoring_rule_max_signal_duration import (
    SecurityMonitoringRuleMaxSignalDuration,
)
from datadog_api_client.v2.model.security_monitoring_rule_options import SecurityMonitoringRuleOptions
from datadog_api_client.v2.model.security_monitoring_rule_query_aggregation import (
    SecurityMonitoringRuleQueryAggregation,
)
from datadog_api_client.v2.model.security_monitoring_rule_severity import SecurityMonitoringRuleSeverity
from datadog_api_client.v2.model.security_monitoring_rule_type_create import SecurityMonitoringRuleTypeCreate
from datadog_api_client.v2.model.security_monitoring_standard_rule_payload import SecurityMonitoringStandardRulePayload
from datadog_api_client.v2.model.security_monitoring_standard_rule_query import SecurityMonitoringStandardRuleQuery

body = SecurityMonitoringStandardRulePayload(
    cases=[
        SecurityMonitoringRuleCaseCreate(
            name="",
            status=SecurityMonitoringRuleSeverity.INFO,
            notifications=[],
            condition="a > 0",
        ),
    ],
    has_extended_title=True,
    is_enabled=True,
    message="My security monitoring rule",
    name="My security monitoring rule",
    options=SecurityMonitoringRuleOptions(
        evaluation_window=SecurityMonitoringRuleEvaluationWindow.THIRTY_MINUTES,
        keep_alive=SecurityMonitoringRuleKeepAlive.THIRTY_MINUTES,
        max_signal_duration=SecurityMonitoringRuleMaxSignalDuration.THIRTY_MINUTES,
        detection_method=SecurityMonitoringRuleDetectionMethod.THRESHOLD,
    ),
    queries=[
        SecurityMonitoringStandardRuleQuery(
            query="source:source_here",
            group_by_fields=[
                "@userIdentity.assumed_role",
            ],
            distinct_fields=[],
            aggregation=SecurityMonitoringRuleQueryAggregation.COUNT,
            name="",
        ),
    ],
    tags=[
        "env:prod",
        "team:security",
    ],
    type=SecurityMonitoringRuleTypeCreate.LOG_DETECTION,
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    api_instance.validate_security_monitoring_rule(body=body)

"""
Validate a detection rule with detection method 'new_value' with enabled feature 'instantaneousBaseline' returns "OK"
response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.security_monitoring_rule_case_create import SecurityMonitoringRuleCaseCreate
from datadog_api_client.v2.model.security_monitoring_rule_detection_method import SecurityMonitoringRuleDetectionMethod
from datadog_api_client.v2.model.security_monitoring_rule_evaluation_window import (
    SecurityMonitoringRuleEvaluationWindow,
)
from datadog_api_client.v2.model.security_monitoring_rule_keep_alive import SecurityMonitoringRuleKeepAlive
from datadog_api_client.v2.model.security_monitoring_rule_max_signal_duration import (
    SecurityMonitoringRuleMaxSignalDuration,
)
from datadog_api_client.v2.model.security_monitoring_rule_new_value_options import SecurityMonitoringRuleNewValueOptions
from datadog_api_client.v2.model.security_monitoring_rule_new_value_options_learning_method import (
    SecurityMonitoringRuleNewValueOptionsLearningMethod,
)
from datadog_api_client.v2.model.security_monitoring_rule_new_value_options_learning_threshold import (
    SecurityMonitoringRuleNewValueOptionsLearningThreshold,
)
from datadog_api_client.v2.model.security_monitoring_rule_options import SecurityMonitoringRuleOptions
from datadog_api_client.v2.model.security_monitoring_rule_query_aggregation import (
    SecurityMonitoringRuleQueryAggregation,
)
from datadog_api_client.v2.model.security_monitoring_rule_severity import SecurityMonitoringRuleSeverity
from datadog_api_client.v2.model.security_monitoring_rule_type_create import SecurityMonitoringRuleTypeCreate
from datadog_api_client.v2.model.security_monitoring_standard_data_source import SecurityMonitoringStandardDataSource
from datadog_api_client.v2.model.security_monitoring_standard_rule_payload import SecurityMonitoringStandardRulePayload
from datadog_api_client.v2.model.security_monitoring_standard_rule_query import SecurityMonitoringStandardRuleQuery

body = SecurityMonitoringStandardRulePayload(
    cases=[
        SecurityMonitoringRuleCaseCreate(
            name="",
            status=SecurityMonitoringRuleSeverity.INFO,
            notifications=[],
        ),
    ],
    has_extended_title=True,
    is_enabled=True,
    message="My security monitoring rule",
    name="My security monitoring rule",
    options=SecurityMonitoringRuleOptions(
        evaluation_window=SecurityMonitoringRuleEvaluationWindow.ZERO_MINUTES,
        keep_alive=SecurityMonitoringRuleKeepAlive.FIVE_MINUTES,
        max_signal_duration=SecurityMonitoringRuleMaxSignalDuration.TEN_MINUTES,
        detection_method=SecurityMonitoringRuleDetectionMethod.NEW_VALUE,
        new_value_options=SecurityMonitoringRuleNewValueOptions(
            forget_after=7,
            instantaneous_baseline=True,
            learning_duration=1,
            learning_threshold=SecurityMonitoringRuleNewValueOptionsLearningThreshold.ZERO_OCCURRENCES,
            learning_method=SecurityMonitoringRuleNewValueOptionsLearningMethod.DURATION,
        ),
    ),
    queries=[
        SecurityMonitoringStandardRuleQuery(
            query="source:source_here",
            group_by_fields=[
                "@userIdentity.assumed_role",
            ],
            distinct_fields=[],
            metric="name",
            metrics=[
                "name",
            ],
            aggregation=SecurityMonitoringRuleQueryAggregation.NEW_VALUE,
            name="",
            data_source=SecurityMonitoringStandardDataSource.LOGS,
        ),
    ],
    tags=[
        "env:prod",
        "team:security",
    ],
    type=SecurityMonitoringRuleTypeCreate.LOG_DETECTION,
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    api_instance.validate_security_monitoring_rule(body=body)

"""
Validate a detection rule with detection method 'sequence_detection' returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.security_monitoring_rule_case_create import SecurityMonitoringRuleCaseCreate
from datadog_api_client.v2.model.security_monitoring_rule_detection_method import SecurityMonitoringRuleDetectionMethod
from datadog_api_client.v2.model.security_monitoring_rule_evaluation_window import (
    SecurityMonitoringRuleEvaluationWindow,
)
from datadog_api_client.v2.model.security_monitoring_rule_keep_alive import SecurityMonitoringRuleKeepAlive
from datadog_api_client.v2.model.security_monitoring_rule_max_signal_duration import (
    SecurityMonitoringRuleMaxSignalDuration,
)
from datadog_api_client.v2.model.security_monitoring_rule_options import SecurityMonitoringRuleOptions
from datadog_api_client.v2.model.security_monitoring_rule_query_aggregation import (
    SecurityMonitoringRuleQueryAggregation,
)
from datadog_api_client.v2.model.security_monitoring_rule_sequence_detection_options import (
    SecurityMonitoringRuleSequenceDetectionOptions,
)
from datadog_api_client.v2.model.security_monitoring_rule_sequence_detection_step import (
    SecurityMonitoringRuleSequenceDetectionStep,
)
from datadog_api_client.v2.model.security_monitoring_rule_sequence_detection_step_transition import (
    SecurityMonitoringRuleSequenceDetectionStepTransition,
)
from datadog_api_client.v2.model.security_monitoring_rule_severity import SecurityMonitoringRuleSeverity
from datadog_api_client.v2.model.security_monitoring_rule_type_create import SecurityMonitoringRuleTypeCreate
from datadog_api_client.v2.model.security_monitoring_standard_rule_payload import SecurityMonitoringStandardRulePayload
from datadog_api_client.v2.model.security_monitoring_standard_rule_query import SecurityMonitoringStandardRuleQuery

body = SecurityMonitoringStandardRulePayload(
    cases=[
        SecurityMonitoringRuleCaseCreate(
            name="",
            status=SecurityMonitoringRuleSeverity.INFO,
            notifications=[],
            condition="step_b > 0",
        ),
    ],
    has_extended_title=True,
    is_enabled=True,
    message="My security monitoring rule",
    name="My security monitoring rule",
    options=SecurityMonitoringRuleOptions(
        evaluation_window=SecurityMonitoringRuleEvaluationWindow.ZERO_MINUTES,
        keep_alive=SecurityMonitoringRuleKeepAlive.FIVE_MINUTES,
        max_signal_duration=SecurityMonitoringRuleMaxSignalDuration.TEN_MINUTES,
        detection_method=SecurityMonitoringRuleDetectionMethod.SEQUENCE_DETECTION,
        sequence_detection_options=SecurityMonitoringRuleSequenceDetectionOptions(
            step_transitions=[
                SecurityMonitoringRuleSequenceDetectionStepTransition(
                    child="step_b",
                    evaluation_window=SecurityMonitoringRuleEvaluationWindow.FIFTEEN_MINUTES,
                    parent="step_a",
                ),
            ],
            steps=[
                SecurityMonitoringRuleSequenceDetectionStep(
                    condition="a > 0",
                    evaluation_window=SecurityMonitoringRuleEvaluationWindow.ONE_MINUTE,
                    name="step_a",
                ),
                SecurityMonitoringRuleSequenceDetectionStep(
                    condition="b > 0",
                    evaluation_window=SecurityMonitoringRuleEvaluationWindow.ONE_MINUTE,
                    name="step_b",
                ),
            ],
        ),
    ),
    queries=[
        SecurityMonitoringStandardRuleQuery(
            query="source:source_here",
            group_by_fields=[
                "@userIdentity.assumed_role",
            ],
            distinct_fields=[],
            aggregation=SecurityMonitoringRuleQueryAggregation.COUNT,
            name="",
        ),
        SecurityMonitoringStandardRuleQuery(
            query="source:source_here2",
            group_by_fields=[],
            distinct_fields=[],
            aggregation=SecurityMonitoringRuleQueryAggregation.COUNT,
            name="",
        ),
    ],
    tags=[
        "env:prod",
        "team:security",
    ],
    type=SecurityMonitoringRuleTypeCreate.LOG_DETECTION,
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    api_instance.validate_security_monitoring_rule(body=body)

Instructions

First install the library and its dependencies and then save the example to example.py and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.comus2.ddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
# Validate a detection rule returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

body = DatadogAPIClient::V2::SecurityMonitoringStandardRulePayload.new({
  cases: [
    DatadogAPIClient::V2::SecurityMonitoringRuleCaseCreate.new({
      name: "",
      status: DatadogAPIClient::V2::SecurityMonitoringRuleSeverity::INFO,
      notifications: [],
      condition: "a > 0",
    }),
  ],
  has_extended_title: true,
  is_enabled: true,
  message: "My security monitoring rule",
  name: "My security monitoring rule",
  options: DatadogAPIClient::V2::SecurityMonitoringRuleOptions.new({
    evaluation_window: DatadogAPIClient::V2::SecurityMonitoringRuleEvaluationWindow::THIRTY_MINUTES,
    keep_alive: DatadogAPIClient::V2::SecurityMonitoringRuleKeepAlive::THIRTY_MINUTES,
    max_signal_duration: DatadogAPIClient::V2::SecurityMonitoringRuleMaxSignalDuration::THIRTY_MINUTES,
    detection_method: DatadogAPIClient::V2::SecurityMonitoringRuleDetectionMethod::THRESHOLD,
  }),
  queries: [
    DatadogAPIClient::V2::SecurityMonitoringStandardRuleQuery.new({
      query: "source:source_here",
      group_by_fields: [
        "@userIdentity.assumed_role",
      ],
      distinct_fields: [],
      aggregation: DatadogAPIClient::V2::SecurityMonitoringRuleQueryAggregation::COUNT,
      name: "",
    }),
  ],
  tags: [
    "env:prod",
    "team:security",
  ],
  type: DatadogAPIClient::V2::SecurityMonitoringRuleTypeCreate::LOG_DETECTION,
})
api_instance.validate_security_monitoring_rule(body)

# Validate a detection rule with detection method 'new_value' with enabled feature 'instantaneousBaseline' returns "OK"
# response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

body = DatadogAPIClient::V2::SecurityMonitoringStandardRulePayload.new({
  cases: [
    DatadogAPIClient::V2::SecurityMonitoringRuleCaseCreate.new({
      name: "",
      status: DatadogAPIClient::V2::SecurityMonitoringRuleSeverity::INFO,
      notifications: [],
    }),
  ],
  has_extended_title: true,
  is_enabled: true,
  message: "My security monitoring rule",
  name: "My security monitoring rule",
  options: DatadogAPIClient::V2::SecurityMonitoringRuleOptions.new({
    evaluation_window: DatadogAPIClient::V2::SecurityMonitoringRuleEvaluationWindow::ZERO_MINUTES,
    keep_alive: DatadogAPIClient::V2::SecurityMonitoringRuleKeepAlive::FIVE_MINUTES,
    max_signal_duration: DatadogAPIClient::V2::SecurityMonitoringRuleMaxSignalDuration::TEN_MINUTES,
    detection_method: DatadogAPIClient::V2::SecurityMonitoringRuleDetectionMethod::NEW_VALUE,
    new_value_options: DatadogAPIClient::V2::SecurityMonitoringRuleNewValueOptions.new({
      forget_after: 7,
      instantaneous_baseline: true,
      learning_duration: 1,
      learning_threshold: DatadogAPIClient::V2::SecurityMonitoringRuleNewValueOptionsLearningThreshold::ZERO_OCCURRENCES,
      learning_method: DatadogAPIClient::V2::SecurityMonitoringRuleNewValueOptionsLearningMethod::DURATION,
    }),
  }),
  queries: [
    DatadogAPIClient::V2::SecurityMonitoringStandardRuleQuery.new({
      query: "source:source_here",
      group_by_fields: [
        "@userIdentity.assumed_role",
      ],
      distinct_fields: [],
      metric: "name",
      metrics: [
        "name",
      ],
      aggregation: DatadogAPIClient::V2::SecurityMonitoringRuleQueryAggregation::NEW_VALUE,
      name: "",
      data_source: DatadogAPIClient::V2::SecurityMonitoringStandardDataSource::LOGS,
    }),
  ],
  tags: [
    "env:prod",
    "team:security",
  ],
  type: DatadogAPIClient::V2::SecurityMonitoringRuleTypeCreate::LOG_DETECTION,
})
api_instance.validate_security_monitoring_rule(body)

# Validate a detection rule with detection method 'sequence_detection' returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

body = DatadogAPIClient::V2::SecurityMonitoringStandardRulePayload.new({
  cases: [
    DatadogAPIClient::V2::SecurityMonitoringRuleCaseCreate.new({
      name: "",
      status: DatadogAPIClient::V2::SecurityMonitoringRuleSeverity::INFO,
      notifications: [],
      condition: "step_b > 0",
    }),
  ],
  has_extended_title: true,
  is_enabled: true,
  message: "My security monitoring rule",
  name: "My security monitoring rule",
  options: DatadogAPIClient::V2::SecurityMonitoringRuleOptions.new({
    evaluation_window: DatadogAPIClient::V2::SecurityMonitoringRuleEvaluationWindow::ZERO_MINUTES,
    keep_alive: DatadogAPIClient::V2::SecurityMonitoringRuleKeepAlive::FIVE_MINUTES,
    max_signal_duration: DatadogAPIClient::V2::SecurityMonitoringRuleMaxSignalDuration::TEN_MINUTES,
    detection_method: DatadogAPIClient::V2::SecurityMonitoringRuleDetectionMethod::SEQUENCE_DETECTION,
    sequence_detection_options: DatadogAPIClient::V2::SecurityMonitoringRuleSequenceDetectionOptions.new({
      step_transitions: [
        DatadogAPIClient::V2::SecurityMonitoringRuleSequenceDetectionStepTransition.new({
          child: "step_b",
          evaluation_window: DatadogAPIClient::V2::SecurityMonitoringRuleEvaluationWindow::FIFTEEN_MINUTES,
          parent: "step_a",
        }),
      ],
      steps: [
        DatadogAPIClient::V2::SecurityMonitoringRuleSequenceDetectionStep.new({
          condition: "a > 0",
          evaluation_window: DatadogAPIClient::V2::SecurityMonitoringRuleEvaluationWindow::ONE_MINUTE,
          name: "step_a",
        }),
        DatadogAPIClient::V2::SecurityMonitoringRuleSequenceDetectionStep.new({
          condition: "b > 0",
          evaluation_window: DatadogAPIClient::V2::SecurityMonitoringRuleEvaluationWindow::ONE_MINUTE,
          name: "step_b",
        }),
      ],
    }),
  }),
  queries: [
    DatadogAPIClient::V2::SecurityMonitoringStandardRuleQuery.new({
      query: "source:source_here",
      group_by_fields: [
        "@userIdentity.assumed_role",
      ],
      distinct_fields: [],
      aggregation: DatadogAPIClient::V2::SecurityMonitoringRuleQueryAggregation::COUNT,
      name: "",
    }),
    DatadogAPIClient::V2::SecurityMonitoringStandardRuleQuery.new({
      query: "source:source_here2",
      group_by_fields: [],
      distinct_fields: [],
      aggregation: DatadogAPIClient::V2::SecurityMonitoringRuleQueryAggregation::COUNT,
      name: "",
    }),
  ],
  tags: [
    "env:prod",
    "team:security",
  ],
  type: DatadogAPIClient::V2::SecurityMonitoringRuleTypeCreate::LOG_DETECTION,
})
api_instance.validate_security_monitoring_rule(body)

Instructions

First install the library and its dependencies and then save the example to example.rb and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.comus2.ddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" rb "example.rb"
// Validate a detection rule returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleCaseCreate;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleDetectionMethod;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleEvaluationWindow;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleKeepAlive;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleMaxSignalDuration;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleOptions;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleQueryAggregation;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleSeverity;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleTypeCreate;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleValidatePayload;
use datadog_api_client::datadogV2::model::SecurityMonitoringStandardRulePayload;
use datadog_api_client::datadogV2::model::SecurityMonitoringStandardRuleQuery;

#[tokio::main]
async fn main() {
    let body =
        SecurityMonitoringRuleValidatePayload::SecurityMonitoringStandardRulePayload(Box::new(
            SecurityMonitoringStandardRulePayload::new(
                vec![
                    SecurityMonitoringRuleCaseCreate::new(SecurityMonitoringRuleSeverity::INFO)
                        .condition("a > 0".to_string())
                        .name("".to_string())
                        .notifications(vec![]),
                ],
                true,
                "My security monitoring rule".to_string(),
                "My security monitoring rule".to_string(),
                SecurityMonitoringRuleOptions::new()
                    .detection_method(SecurityMonitoringRuleDetectionMethod::THRESHOLD)
                    .evaluation_window(SecurityMonitoringRuleEvaluationWindow::THIRTY_MINUTES)
                    .keep_alive(SecurityMonitoringRuleKeepAlive::THIRTY_MINUTES)
                    .max_signal_duration(SecurityMonitoringRuleMaxSignalDuration::THIRTY_MINUTES),
                vec![SecurityMonitoringStandardRuleQuery::new()
                    .aggregation(SecurityMonitoringRuleQueryAggregation::COUNT)
                    .distinct_fields(vec![])
                    .group_by_fields(vec!["@userIdentity.assumed_role".to_string()])
                    .name("".to_string())
                    .query("source:source_here".to_string())],
            )
            .has_extended_title(true)
            .tags(vec!["env:prod".to_string(), "team:security".to_string()])
            .type_(SecurityMonitoringRuleTypeCreate::LOG_DETECTION),
        ));
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api.validate_security_monitoring_rule(body).await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}

// Validate a detection rule with detection method 'new_value' with enabled
// feature 'instantaneousBaseline' returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleCaseCreate;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleDetectionMethod;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleEvaluationWindow;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleKeepAlive;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleMaxSignalDuration;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleNewValueOptions;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleNewValueOptionsLearningMethod;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleNewValueOptionsLearningThreshold;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleOptions;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleQueryAggregation;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleSeverity;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleTypeCreate;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleValidatePayload;
use datadog_api_client::datadogV2::model::SecurityMonitoringStandardDataSource;
use datadog_api_client::datadogV2::model::SecurityMonitoringStandardRulePayload;
use datadog_api_client::datadogV2::model::SecurityMonitoringStandardRuleQuery;

#[tokio::main]
async fn main() {
    let body =
        SecurityMonitoringRuleValidatePayload::SecurityMonitoringStandardRulePayload(
            Box::new(
                SecurityMonitoringStandardRulePayload::new(
                    vec![
                        SecurityMonitoringRuleCaseCreate::new(SecurityMonitoringRuleSeverity::INFO)
                            .name("".to_string())
                            .notifications(vec![])
                    ],
                    true,
                    "My security monitoring rule".to_string(),
                    "My security monitoring rule".to_string(),
                    SecurityMonitoringRuleOptions::new()
                        .detection_method(SecurityMonitoringRuleDetectionMethod::NEW_VALUE)
                        .evaluation_window(SecurityMonitoringRuleEvaluationWindow::ZERO_MINUTES)
                        .keep_alive(SecurityMonitoringRuleKeepAlive::FIVE_MINUTES)
                        .max_signal_duration(SecurityMonitoringRuleMaxSignalDuration::TEN_MINUTES)
                        .new_value_options(
                            SecurityMonitoringRuleNewValueOptions::new()
                                .forget_after(7)
                                .instantaneous_baseline(true)
                                .learning_duration(1)
                                .learning_method(SecurityMonitoringRuleNewValueOptionsLearningMethod::DURATION)
                                .learning_threshold(
                                    SecurityMonitoringRuleNewValueOptionsLearningThreshold::ZERO_OCCURRENCES,
                                ),
                        ),
                    vec![
                        SecurityMonitoringStandardRuleQuery::new()
                            .aggregation(SecurityMonitoringRuleQueryAggregation::NEW_VALUE)
                            .data_source(SecurityMonitoringStandardDataSource::LOGS)
                            .distinct_fields(vec![])
                            .group_by_fields(vec!["@userIdentity.assumed_role".to_string()])
                            .metric("name".to_string())
                            .metrics(vec!["name".to_string()])
                            .name("".to_string())
                            .query("source:source_here".to_string())
                    ],
                )
                    .has_extended_title(true)
                    .tags(vec!["env:prod".to_string(), "team:security".to_string()])
                    .type_(SecurityMonitoringRuleTypeCreate::LOG_DETECTION),
            ),
        );
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api.validate_security_monitoring_rule(body).await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}

// Validate a detection rule with detection method 'sequence_detection' returns
// "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleCaseCreate;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleDetectionMethod;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleEvaluationWindow;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleKeepAlive;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleMaxSignalDuration;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleOptions;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleQueryAggregation;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleSequenceDetectionOptions;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleSequenceDetectionStep;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleSequenceDetectionStepTransition;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleSeverity;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleTypeCreate;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleValidatePayload;
use datadog_api_client::datadogV2::model::SecurityMonitoringStandardRulePayload;
use datadog_api_client::datadogV2::model::SecurityMonitoringStandardRuleQuery;

#[tokio::main]
async fn main() {
    let body =
        SecurityMonitoringRuleValidatePayload::SecurityMonitoringStandardRulePayload(Box::new(
            SecurityMonitoringStandardRulePayload::new(
                vec![
                    SecurityMonitoringRuleCaseCreate::new(SecurityMonitoringRuleSeverity::INFO)
                        .condition("step_b > 0".to_string())
                        .name("".to_string())
                        .notifications(vec![]),
                ],
                true,
                "My security monitoring rule".to_string(),
                "My security monitoring rule".to_string(),
                SecurityMonitoringRuleOptions::new()
                    .detection_method(SecurityMonitoringRuleDetectionMethod::SEQUENCE_DETECTION)
                    .evaluation_window(SecurityMonitoringRuleEvaluationWindow::ZERO_MINUTES)
                    .keep_alive(SecurityMonitoringRuleKeepAlive::FIVE_MINUTES)
                    .max_signal_duration(SecurityMonitoringRuleMaxSignalDuration::TEN_MINUTES)
                    .sequence_detection_options(
                        SecurityMonitoringRuleSequenceDetectionOptions::new()
                            .step_transitions(vec![
                                SecurityMonitoringRuleSequenceDetectionStepTransition::new()
                                    .child("step_b".to_string())
                                    .evaluation_window(
                                        SecurityMonitoringRuleEvaluationWindow::FIFTEEN_MINUTES,
                                    )
                                    .parent("step_a".to_string()),
                            ])
                            .steps(vec![
                                SecurityMonitoringRuleSequenceDetectionStep::new()
                                    .condition("a > 0".to_string())
                                    .evaluation_window(
                                        SecurityMonitoringRuleEvaluationWindow::ONE_MINUTE,
                                    )
                                    .name("step_a".to_string()),
                                SecurityMonitoringRuleSequenceDetectionStep::new()
                                    .condition("b > 0".to_string())
                                    .evaluation_window(
                                        SecurityMonitoringRuleEvaluationWindow::ONE_MINUTE,
                                    )
                                    .name("step_b".to_string()),
                            ]),
                    ),
                vec![
                    SecurityMonitoringStandardRuleQuery::new()
                        .aggregation(SecurityMonitoringRuleQueryAggregation::COUNT)
                        .distinct_fields(vec![])
                        .group_by_fields(vec!["@userIdentity.assumed_role".to_string()])
                        .name("".to_string())
                        .query("source:source_here".to_string()),
                    SecurityMonitoringStandardRuleQuery::new()
                        .aggregation(SecurityMonitoringRuleQueryAggregation::COUNT)
                        .distinct_fields(vec![])
                        .group_by_fields(vec![])
                        .name("".to_string())
                        .query("source:source_here2".to_string()),
                ],
            )
            .has_extended_title(true)
            .tags(vec!["env:prod".to_string(), "team:security".to_string()])
            .type_(SecurityMonitoringRuleTypeCreate::LOG_DETECTION),
        ));
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api.validate_security_monitoring_rule(body).await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}

Instructions

First install the library and its dependencies and then save the example to src/main.rs and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.comus2.ddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run
/**
 * Validate a detection rule returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiValidateSecurityMonitoringRuleRequest = {
  body: {
    cases: [
      {
        name: "",
        status: "info",
        notifications: [],
        condition: "a > 0",
      },
    ],
    hasExtendedTitle: true,
    isEnabled: true,
    message: "My security monitoring rule",
    name: "My security monitoring rule",
    options: {
      evaluationWindow: 1800,
      keepAlive: 1800,
      maxSignalDuration: 1800,
      detectionMethod: "threshold",
    },
    queries: [
      {
        query: "source:source_here",
        groupByFields: ["@userIdentity.assumed_role"],
        distinctFields: [],
        aggregation: "count",
        name: "",
      },
    ],
    tags: ["env:prod", "team:security"],
    type: "log_detection",
  },
};

apiInstance
  .validateSecurityMonitoringRule(params)
  .then((data: any) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

/**
 * Validate a detection rule with detection method 'new_value' with enabled feature 'instantaneousBaseline' returns "OK"
 * response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiValidateSecurityMonitoringRuleRequest = {
  body: {
    cases: [
      {
        name: "",
        status: "info",
        notifications: [],
      },
    ],
    hasExtendedTitle: true,
    isEnabled: true,
    message: "My security monitoring rule",
    name: "My security monitoring rule",
    options: {
      evaluationWindow: 0,
      keepAlive: 300,
      maxSignalDuration: 600,
      detectionMethod: "new_value",
      newValueOptions: {
        forgetAfter: 7,
        instantaneousBaseline: true,
        learningDuration: 1,
        learningThreshold: 0,
        learningMethod: "duration",
      },
    },
    queries: [
      {
        query: "source:source_here",
        groupByFields: ["@userIdentity.assumed_role"],
        distinctFields: [],
        metric: "name",
        metrics: ["name"],
        aggregation: "new_value",
        name: "",
        dataSource: "logs",
      },
    ],
    tags: ["env:prod", "team:security"],
    type: "log_detection",
  },
};

apiInstance
  .validateSecurityMonitoringRule(params)
  .then((data: any) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

/**
 * Validate a detection rule with detection method 'sequence_detection' returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiValidateSecurityMonitoringRuleRequest = {
  body: {
    cases: [
      {
        name: "",
        status: "info",
        notifications: [],
        condition: "step_b > 0",
      },
    ],
    hasExtendedTitle: true,
    isEnabled: true,
    message: "My security monitoring rule",
    name: "My security monitoring rule",
    options: {
      evaluationWindow: 0,
      keepAlive: 300,
      maxSignalDuration: 600,
      detectionMethod: "sequence_detection",
      sequenceDetectionOptions: {
        stepTransitions: [
          {
            child: "step_b",
            evaluationWindow: 900,
            parent: "step_a",
          },
        ],
        steps: [
          {
            condition: "a > 0",
            evaluationWindow: 60,
            name: "step_a",
          },
          {
            condition: "b > 0",
            evaluationWindow: 60,
            name: "step_b",
          },
        ],
      },
    },
    queries: [
      {
        query: "source:source_here",
        groupByFields: ["@userIdentity.assumed_role"],
        distinctFields: [],
        aggregation: "count",
        name: "",
      },
      {
        query: "source:source_here2",
        groupByFields: [],
        distinctFields: [],
        aggregation: "count",
        name: "",
      },
    ],
    tags: ["env:prod", "team:security"],
    type: "log_detection",
  },
};

apiInstance
  .validateSecurityMonitoringRule(params)
  .then((data: any) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

Instructions

First install the library and its dependencies and then save the example to example.ts and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.comus2.ddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"