---
title: Validate a detection rule
description: Datadog, the leading service for cloud-scale monitoring.
---

# Validate a detection rule{% #validate-a-detection-rule %}
{% tab title="v2" %}

| Datadog site      | API endpoint                                                                   |
| ----------------- | ------------------------------------------------------------------------------ |
| ap1.datadoghq.com | POST https://api.ap1.datadoghq.com/api/v2/security_monitoring/rules/validation |
| ap2.datadoghq.com | POST https://api.ap2.datadoghq.com/api/v2/security_monitoring/rules/validation |
| app.datadoghq.eu  | POST https://api.datadoghq.eu/api/v2/security_monitoring/rules/validation      |
| app.ddog-gov.com  | POST https://api.ddog-gov.com/api/v2/security_monitoring/rules/validation      |
| us2.ddog-gov.com  | POST https://api.us2.ddog-gov.com/api/v2/security_monitoring/rules/validation  |
| app.datadoghq.com | POST https://api.datadoghq.com/api/v2/security_monitoring/rules/validation     |
| us3.datadoghq.com | POST https://api.us3.datadoghq.com/api/v2/security_monitoring/rules/validation |
| us5.datadoghq.com | POST https://api.us5.datadoghq.com/api/v2/security_monitoring/rules/validation |

### Overview

Validate a detection rule. The endpoint accepts the same rule body as the create endpoint and reports whether it is valid without creating or changing any rule, so it can be used as a pre-flight check in CI before a create or update. This endpoint requires the `security_monitoring_rules_write` permission.

OAuth apps require the `security_monitoring_rules_write` authorization [scope](https://docs.datadoghq.com/api/latest/scopes.md#security-monitoring) to access this endpoint.
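
As an added example (not Datadog's own code or anything this page ships), the script below builds a constructed threshold rule, runs local checks derived from the constraints stated in the body-model table, and then submits the payload to the validation endpoint. The `DD_API_KEY` / `DD_APP_KEY` environment variables, the sample log query, the rule name and message, and the `queries` and `tags` fields (part of the same create payload but outside the portion of the table shown here) are all assumptions of this example; the API host passed to `validate_remote` must match the site your keys belong to.

```python
# Added example (not Datadog's own code): local pre-flight checks built from the
# constraints in the body-model table, then the validation call. Assumes
# DD_API_KEY / DD_APP_KEY in the environment for the remote call.
import json
import os
import urllib.error
import urllib.request

# Allowed values as listed in the body-model table.
WINDOW_VALUES = {0, 60, 300, 600, 900, 1800, 3600, 7200, 10800, 21600}
SEVERITIES = {"info", "low", "medium", "high", "critical"}
DETECTION_METHODS = {"threshold", "new_value", "anomaly_detection", "impossible_travel",
                     "hardcoded", "third_party", "anomaly_threshold", "sequence_detection"}


def sample_rule() -> dict:
    """Constructed threshold rule: repeated authentication failures per user."""
    # `queries` and `tags` belong to the same create payload but sit outside the
    # part of the table shown on this page (assumption from the create endpoint).
    return {
        "name": "Example: repeated authentication failures",
        "isEnabled": True,
        "message": "Repeated authentication failures for {{@usr.id}}",
        "queries": [{"name": "a", "query": "source:auth @evt.outcome:failure",
                     "aggregation": "count", "groupByFields": ["@usr.id"]}],
        "cases": [{"name": "burst", "condition": "a > 20", "status": "high"},
                  {"name": "steady", "condition": "a > 5", "status": "medium"}],
        "options": {"detectionMethod": "threshold", "evaluationWindow": 300,
                    "keepAlive": 3600, "maxSignalDuration": 7200,
                    "decreaseCriticalityBasedOnEnv": True},
        "groupSignalsBy": ["@usr.id"],
        "tags": ["technique:T1110-brute-force"],
    }


def preflight(rule: dict) -> list:
    """Return the documented constraints the payload violates; [] means none found.

    Catches cheap mistakes before a round trip; the server stays the authority.
    """
    problems = []
    for field in ("name", "isEnabled", "message", "cases", "options"):
        if field not in rule:
            problems.append(f"missing required field {field!r}")
    opts = rule.get("options", {})
    method = opts.get("detectionMethod")
    if method is not None and method not in DETECTION_METHODS:
        problems.append(f"unknown detectionMethod {method!r}")
    for key in ("evaluationWindow", "keepAlive", "maxSignalDuration"):
        if key in opts and opts[key] not in WINDOW_VALUES:
            problems.append(f"{key}={opts[key]!r} is not an allowed value")
    for case in rule.get("cases", []):
        if case.get("status") not in SEVERITIES:
            problems.append(f"case {case.get('name')!r}: invalid status {case.get('status')!r}")
    # groupSignalsBy must be a subset of the groups already present in the queries.
    query_groups = {g for q in rule.get("queries", []) for g in q.get("groupByFields", [])}
    extra = set(rule.get("groupSignalsBy", [])) - query_groups
    if extra:
        problems.append(f"groupSignalsBy {sorted(extra)} not among query groupByFields")
    # calculatedFields is only allowed when schedulingOptions is also defined.
    if rule.get("calculatedFields") and "schedulingOptions" not in rule:
        problems.append("calculatedFields requires schedulingOptions")
    # sequence_detection: transitions must reference declared, unique step names.
    seq = opts.get("sequenceDetectionOptions") or {}
    names = [s.get("name") for s in seq.get("steps", [])]
    if len(names) != len(set(names)):
        problems.append("sequence step names must be unique")
    for t in seq.get("stepTransitions", []):
        for end in (t.get("parent"), t.get("child")):
            if end not in names:
                problems.append(f"stepTransition references undefined step {end!r}")
    return problems


def validate_remote(rule: dict, api_host: str = "api.datadoghq.com") -> tuple:
    """POST the payload to the validation endpoint; returns (HTTP status, body).

    api_host must be the API endpoint for the site the keys belong to (table above).
    """
    req = urllib.request.Request(
        f"https://{api_host}/api/v2/security_monitoring/rules/validation",
        data=json.dumps(rule).encode(), method="POST",
        headers={"Content-Type": "application/json",
                 "DD-API-KEY": os.environ["DD_API_KEY"],
                 "DD-APPLICATION-KEY": os.environ["DD_APP_KEY"]})
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:  # 4xx: the body carries the validation errors
        return err.code, err.read().decode()


if __name__ == "__main__":
    rule = sample_rule()
    issues = preflight(rule)
    print("local pre-flight:", issues or "ok")
    if not issues and {"DD_API_KEY", "DD_APP_KEY"} <= set(os.environ):
        status, body = validate_remote(rule)
        print("remote validation:", status, body or "(empty body)")
```

The local checks only mirror constraints that are spelled out in the table (required fields, enum values, `groupSignalsBy` being a subset of the query groups, `calculatedFields` needing `schedulingOptions`, transitions naming real steps); anything the table leaves to the server, such as query syntax, is still only caught by the remote call, which is why the script treats a non-2xx response body as the result rather than as a transport failure.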

### Request

#### Body Data (required)

{% tab title="Model" %}

| Parent field             | Field                                     | Type     | Description                                                                                                                                                                                                                                                                                                                                                                                                      |
| ------------------------ | ----------------------------------------- | -------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|                          | Option 1                                  | object   | The payload of a rule.                                                                                                                                                                                                                                                                                                                                                                                           |
| Option 1                 | calculatedFields                          | [object] | Calculated fields. Only allowed for scheduled rules - in other words, when schedulingOptions is also defined.                                                                                                                                                                                                                                                                                                    |
| calculatedFields         | expression [*required*]              | string   | Expression.                                                                                                                                                                                                                                                                                                                                                                                                      |
| calculatedFields         | name [*required*]                    | string   | Field name.                                                                                                                                                                                                                                                                                                                                                                                                      |
| Option 1                 | cases [*required*]                   | [object] | Cases for generating signals.                                                                                                                                                                                                                                                                                                                                                                                    |
| cases                    | actions                                   | [object] | Action to perform for each rule case.                                                                                                                                                                                                                                                                                                                                                                            |
| actions                  | options                                   | object   | Options for the rule action                                                                                                                                                                                                                                                                                                                                                                                      |
| options                  | duration                                  | int64    | Duration of the action in seconds. 0 indicates no expiration.                                                                                                                                                                                                                                                                                                                                                    |
| options                  | flaggedIPType                             | enum     | Used with the case action of type 'flag_ip'. The value specified in this field is applied as a flag to the IP addresses. Allowed enum values: `SUSPICIOUS,FLAGGED`                                                                                                                                                                                                                                               |
| options                  | userBehaviorName                          | string   | Used with the case action of type 'user_behavior'. The value specified in this field is applied as a risk tag to all users affected by the rule.                                                                                                                                                                                                                                                                 |
| actions                  | type                                      | enum     | The action type. Allowed enum values: `block_ip,block_user,user_behavior,flag_ip`                                                                                                                                                                                                                                                                                                                                |
| cases                    | condition                                 | string   | A case contains logical operations (`>`,`>=`, `&&`, `||`) to determine if a signal should be generated based on the event counts in the previously defined queries.                                                                                                                                                                                                                                              |
| cases                    | name                                      | string   | Name of the case.                                                                                                                                                                                                                                                                                                                                                                                                |
| cases                    | notifications                             | [string] | Notification targets.                                                                                                                                                                                                                                                                                                                                                                                            |
| cases                    | status [*required*]                  | enum     | Severity of the Security Signal. Allowed enum values: `info,low,medium,high,critical`                                                                                                                                                                                                                                                                                                                            |
| Option 1                 | customMessage                             | string   | Custom/Overridden message for generated signals (used in case of Default rule update).                                                                                                                                                                                                                                                                                                                           |
| Option 1                 | customName                                | string   | Custom/Overridden name of the rule (used in case of Default rule update).                                                                                                                                                                                                                                                                                                                                        |
| Option 1                 | filters                                   | [object] | Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules.                                                                                                                                                                                                                                              |
| filters                  | action                                    | enum     | The type of filtering action. Allowed enum values: `require,suppress`                                                                                                                                                                                                                                                                                                                                            |
| filters                  | query                                     | string   | Query for selecting logs to apply the filtering action.                                                                                                                                                                                                                                                                                                                                                          |
| Option 1                 | groupSignalsBy                            | [string] | Additional grouping to perform on top of the existing groups in the query section. Must be a subset of the existing groups.                                                                                                                                                                                                                                                                                      |
| Option 1                 | hasExtendedTitle                          | boolean  | Whether the notifications include the triggering group-by values in their title.                                                                                                                                                                                                                                                                                                                                 |
| Option 1                 | isEnabled [*required*]               | boolean  | Whether the rule is enabled.                                                                                                                                                                                                                                                                                                                                                                                     |
| Option 1                 | message [*required*]                 | string   | Message for generated signals.                                                                                                                                                                                                                                                                                                                                                                                   |
| Option 1                 | name [*required*]                    | string   | The name of the rule.                                                                                                                                                                                                                                                                                                                                                                                            |
| Option 1                 | options [*required*]                 | object   | Options.                                                                                                                                                                                                                                                                                                                                                                                                         |
| options                  | anomalyDetectionOptions                   | object   | Options on anomaly detection method.                                                                                                                                                                                                                                                                                                                                                                             |
| anomalyDetectionOptions  | bucketDuration                            | enum     | Duration in seconds of the time buckets used to aggregate events matched by the rule. Must be greater than or equal to 300. Allowed enum values: `300,600,900,1800,3600,10800`                                                                                                                                                                                                                                   |
| anomalyDetectionOptions  | detectionTolerance                        | enum     | An optional parameter that sets how permissive anomaly detection is. Higher values require higher deviations before triggering a signal. Allowed enum values: `1,2,3,4,5`                                                                                                                                                                                                                                        |
| anomalyDetectionOptions  | instantaneousBaseline                     | boolean  | When set to true, Datadog uses previous values that fall within the defined learning window to construct the baseline, enabling the system to establish an accurate baseline more rapidly rather than relying solely on gradual learning over time.                                                                                                                                                              |
| anomalyDetectionOptions  | learningDuration                          | enum     | Learning duration in hours. Anomaly detection waits for at least this amount of historical data before it starts evaluating. Allowed enum values: `1,6,12,24,48,168,336`                                                                                                                                                                                                                                         |
| anomalyDetectionOptions  | learningPeriodBaseline                    | int64    | An optional override baseline to apply while the rule is in the learning period. Must be greater than or equal to 0.                                                                                                                                                                                                                                                                                             |
| options                  | complianceRuleOptions                     | object   | Options for cloud_configuration rules. Fields `resourceType` and `regoRule` are mandatory when managing custom `cloud_configuration` rules.                                                                                                                                                                                                                                                                      |
| complianceRuleOptions    | complexRule                               | boolean  | Whether the rule is a complex one. Must be set to true if `regoRule.resourceTypes` contains more than one item. Defaults to false.                                                                                                                                                                                                                                                                               |
| complianceRuleOptions    | regoRule                                  | object   | Rule details.                                                                                                                                                                                                                                                                                                                                                                                                    |
| regoRule                 | policy [*required*]                  | string   | The policy written in `rego`, see: [https://www.openpolicyagent.org/docs/latest/policy-language/](https://www.openpolicyagent.org/docs/latest/policy-language/)                                                                                                                                                                                                                                                  |
| regoRule                 | resourceTypes [*required*]           | [string] | List of resource types that will be evaluated upon. Must have at least one element.                                                                                                                                                                                                                                                                                                                              |
| complianceRuleOptions    | resourceType                              | string   | Main resource type to be checked by the rule. It should be specified again in `regoRule.resourceTypes`.                                                                                                                                                                                                                                                                                                          |
| options                  | decreaseCriticalityBasedOnEnv             | boolean  | If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise. The severity is decreased by one level: `CRITICAL` in production becomes `HIGH` in non-production, `HIGH` becomes `MEDIUM` and so on. `INFO` remains `INFO`. The decrement is applied when the environment tag of the signal starts with `staging`, `test` or `dev`. |
| options                  | detectionMethod                           | enum     | The detection method. Allowed enum values: `threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold,sequence_detection`                                                                                                                                                                                                                                                  |
| options                  | evaluationWindow                          | enum     | A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600`                                                                                                                                               |
| options                  | hardcodedEvaluatorType                    | enum     | Hardcoded evaluator type. Allowed enum values: `log4shell`                                                                                                                                                                                                                                                                                                                                                       |
| options                  | impossibleTravelOptions                   | object   | Options on impossible travel detection method.                                                                                                                                                                                                                                                                                                                                                                   |
| impossibleTravelOptions  | baselineUserLocations                     | boolean  | If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.                                                                                                                                                                                                    |
| impossibleTravelOptions  | baselineUserLocationsDuration             | int32    | The duration in days during which Datadog learns the user's regular access locations. After this period, signals are generated for accesses from unknown locations.                                                                                                                                                                                                                                              |
| options                  | keepAlive                                 | enum     | Once a signal is generated, the signal will remain "open" if a case is matched at least once within this keep alive window. For third party detection method, this field is not used. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600`                                                                                                                                                         |
| options                  | maxSignalDuration                         | enum     | A signal will "close" regardless of the query being matched once the time exceeds the maximum duration. This time is calculated from the first seen timestamp. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600`                                                                                                                                                                                |
| options                  | newValueOptions                           | object   | Options on new value detection method.                                                                                                                                                                                                                                                                                                                                                                           |
| newValueOptions          | forgetAfter                               | int32    | The duration in days after which a learned value is forgotten.                                                                                                                                                                                                                                                                                                                                                   |
| newValueOptions          | instantaneousBaseline                     | boolean  | When set to true, Datadog uses previous values that fall within the defined learning window to construct the baseline, enabling the system to establish an accurate baseline more rapidly rather than relying solely on gradual learning over time.                                                                                                                                                              |
| newValueOptions          | learningDuration                          | int32    | The duration in days during which values are learned, and after which signals will be generated for values that weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned.                                                                                                                                                                                    |
| newValueOptions          | learningMethod                            | enum     | The learning method used to determine when signals should be generated for values that weren't learned. Allowed enum values: `duration,threshold`                                                                                                                                                                                                                                                                |
| newValueOptions          | learningThreshold                         | enum     | A number of occurrences after which signals will be generated for values that weren't learned. Allowed enum values: `0,1`                                                                                                                                                                                                                                                                                        |
| options                  | sequenceDetectionOptions                  | object   | Options on sequence detection method.                                                                                                                                                                                                                                                                                                                                                                            |
| sequenceDetectionOptions | stepTransitions                           | [object] | Transitions defining the allowed order of steps and their evaluation windows.                                                                                                                                                                                                                                                                                                                                    |
| stepTransitions          | child                                     | string   | Name of the child step.                                                                                                                                                                                                                                                                                                                                                                                          |
| stepTransitions          | evaluationWindow                          | enum     | A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600`                                                                                                                                               |
| stepTransitions          | parent                                    | string   | Name of the parent step.                                                                                                                                                                                                                                                                                                                                                                                         |
| sequenceDetectionOptions | steps                                     | [object] | Steps that define the conditions to be matched in sequence.                                                                                                                                                                                                                                                                                                                                                      |
| steps                    | condition                                 | string   | Condition referencing rule queries (e.g., `a > 0`).                                                                                                                                                                                                                                                                                                                                                              |
| steps                    | evaluationWindow                          | enum     | A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. For third party detection method, this field is not used. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600`                                                                                                                                               |
| steps                    | name                                      | string   | Unique name identifying the step.                                                                                                                                                                                                                                                                                                                                                                                |
| options                  | thirdPartyRuleOptions                     | object   | Options for the third-party detection method. |
| thirdPartyRuleOptions    | defaultNotifications                      | [string] | Notification targets for the logs that do not correspond to any of the cases.                                                                                                                                                                                                                                                                                                                                    |
| thirdPartyRuleOptions    | defaultStatus                             | enum     | Severity of the Security Signal. Allowed enum values: `info,low,medium,high,critical`                                                                                                                                                                                                                                                                                                                            |
| thirdPartyRuleOptions    | rootQueries                               | [object] | Queries to be combined with the third-party case queries. Each of them can have different group-by fields, to aggregate differently based on the type of alert. |
| rootQueries              | groupByFields                             | [string] | Fields to group by.                                                                                                                                                                                                                                                                                                                                                                                              |
| rootQueries              | query                                     | string   | Query to run on logs.                                                                                                                                                                                                                                                                                                                                                                                            |
| thirdPartyRuleOptions    | signalTitleTemplate                       | string   | A template for the signal title; if omitted, the title is generated based on the case name.                                                                                                                                                                                                                                                                                                                      |
| Option 1                 | queries [*required*]                 | [object] | Queries for selecting logs which are part of the rule.                                                                                                                                                                                                                                                                                                                                                           |
| queries                  | aggregation                               | enum     | The aggregation type. Allowed enum values: `count,cardinality,sum,max,new_value,geo_data,event_count,none`                                                                                                                                                                                                                                                                                                       |
| queries                  | customQueryExtension                      | string   | Query extension to append to the logs query.                                                                                                                                                                                                                                                                                                                                                                     |
| queries                  | dataSource                                | enum     | Source of events, either logs, audit trail, security signals, or Datadog events. `app_sec_spans` is deprecated in favor of `spans`. Allowed enum values: `logs,audit,app_sec_spans,spans,security_runtime,network,events,security_signals`                                                                                                                                                                       |
| queries                  | distinctFields                            | [string] | Field for which the cardinality is measured. Sent as an array.                                                                                                                                                                                                                                                                                                                                                   |
| queries                  | groupByFields                             | [string] | Fields to group by.                                                                                                                                                                                                                                                                                                                                                                                              |
| queries                  | hasOptionalGroupByFields                  | boolean  | When false, events without a group-by value are ignored by the rule. When true, events with missing group-by fields are processed with `N/A`, replacing the missing values.                                                                                                                                                                                                                                      |
| queries                  | index                                     | string   | **This field is currently unstable and might be removed in a minor version upgrade.** The index to run the query on, if the `dataSource` is `logs`. Only used for scheduled rules - in other words, when the `schedulingOptions` field is present in the rule payload.                                                                                                                                           |
| queries                  | indexes                                   | [string] | List of indexes to query when the `dataSource` is `logs`. Only used for scheduled rules, in other words, when the `schedulingOptions` field is present in the rule payload. |
| queries                  | metric                                    | string   | **DEPRECATED**: The target field to aggregate over when using the sum or max aggregations. Use the `metrics` field instead. |
| queries                  | metrics                                   | [string] | Group of target fields to aggregate over when using the sum, max, geo data, or new value aggregations. The sum, max, and geo data aggregations only accept one value in this list, whereas the new value aggregation accepts up to five values.                                                                                                                                                                  |
| queries                  | name                                      | string   | Name of the query.                                                                                                                                                                                                                                                                                                                                                                                               |
| queries                  | query                                     | string   | Query to run on logs.                                                                                                                                                                                                                                                                                                                                                                                            |
| Option 1                 | referenceTables                           | [object] | Reference tables for the rule.                                                                                                                                                                                                                                                                                                                                                                                   |
| referenceTables          | checkPresence                             | boolean  | Whether to include or exclude the matched values.                                                                                                                                                                                                                                                                                                                                                                |
| referenceTables          | columnName                                | string   | The name of the column in the reference table.                                                                                                                                                                                                                                                                                                                                                                   |
| referenceTables          | logFieldPath                              | string   | The field in the log to match against the reference table.                                                                                                                                                                                                                                                                                                                                                       |
| referenceTables          | ruleQueryName                             | string   | The name of the query to apply the reference table to.                                                                                                                                                                                                                                                                                                                                                           |
| referenceTables          | tableName                                 | string   | The name of the reference table.                                                                                                                                                                                                                                                                                                                                                                                 |
| Option 1                 | schedulingOptions                         | object   | Options for scheduled rules. When this field is present, the rule runs based on the schedule. When absent, it runs real-time on ingested logs.                                                                                                                                                                                                                                                                   |
| schedulingOptions        | rrule                                     | string   | Schedule for the rule queries, written in RRULE syntax. See [RFC](https://icalendar.org/iCalendar-RFC-5545/3-8-5-3-recurrence-rule.html) for syntax reference.                                                                                                                                                                                                                                                   |
| schedulingOptions        | start                                     | string   | Start date for the schedule, in ISO 8601 format without timezone.                                                                                                                                                                                                                                                                                                                                                |
| schedulingOptions        | timezone                                  | string   | Time zone of the start date, in the [tz database](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones) format.                                                                                                                                                                                                                                                                                          |
| Option 1                 | tags                                      | [string] | Tags for generated signals.                                                                                                                                                                                                                                                                                                                                                                                      |
| Option 1                 | thirdPartyCases                           | [object] | Cases for generating signals from third-party rules. Only available for third-party rules.                                                                                                                                                                                                                                                                                                                       |
| thirdPartyCases          | name                                      | string   | Name of the case.                                                                                                                                                                                                                                                                                                                                                                                                |
| thirdPartyCases          | notifications                             | [string] | Notification targets for each case.                                                                                                                                                                                                                                                                                                                                                                              |
| thirdPartyCases          | query                                     | string   | A query that maps a third-party event to this case. |
| thirdPartyCases          | status [*required*]                  | enum     | Severity of the Security Signal. Allowed enum values: `info,low,medium,high,critical`                                                                                                                                                                                                                                                                                                                            |
| Option 1                 | type                                      | enum     | The rule type. Allowed enum values: `api_security,application_security,log_detection,workload_activity,workload_security`                                                                                                                                                                                                                                                                                        |
|                          | Option 2                                  | object   | The payload of a signal correlation rule.                                                                                                                                                                                                                                                                                                                                                                        |
| Option 2                 | cases [*required*]                   | [object] | Cases for generating signals.                                                                                                                                                                                                                                                                                                                                                                                    |
| cases                    | actions                                   | [object] | Action to perform for each rule case.                                                                                                                                                                                                                                                                                                                                                                            |
| actions                  | options                                   | object   | Options for the rule action. |
| options                  | duration                                  | int64    | Duration of the action in seconds. 0 indicates no expiration.                                                                                                                                                                                                                                                                                                                                                    |
| options                  | flaggedIPType                             | enum     | Used with the case action of type `flag_ip`. The value specified in this field is applied as a flag to the IP addresses. Allowed enum values: `SUSPICIOUS,FLAGGED` |
| options                  | userBehaviorName                          | string   | Used with the case action of type `user_behavior`. The value specified in this field is applied as a risk tag to all users affected by the rule. |
| actions                  | type                                      | enum     | The action type. Allowed enum values: `block_ip,block_user,user_behavior,flag_ip`                                                                                                                                                                                                                                                                                                                                |
| cases                    | condition                                 | string   | A case contains logical operations (`>`, `>=`, `&&`, `||`) to determine if a signal should be generated based on the event counts in the previously defined queries. |
| cases                    | name                                      | string   | Name of the case.                                                                                                                                                                                                                                                                                                                                                                                                |
| cases                    | notifications                             | [string] | Notification targets.                                                                                                                                                                                                                                                                                                                                                                                            |
| cases                    | status [*required*]                  | enum     | Severity of the Security Signal. Allowed enum values: `info,low,medium,high,critical`                                                                                                                                                                                                                                                                                                                            |
| Option 2                 | customMessage                             | string   | Custom or overridden message for generated signals (used when updating a default rule). |
| Option 2                 | customName                                | string   | Custom or overridden name of the rule (used when updating a default rule). |
| Option 2                 | filters                                   | [object] | Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules.                                                                                                                                                                                                                                              |
| filters                  | action                                    | enum     | The type of filtering action. Allowed enum values: `require,suppress`                                                                                                                                                                                                                                                                                                                                            |
| filters                  | query                                     | string   | Query for selecting logs to apply the filtering action.                                                                                                                                                                                                                                                                                                                                                          |
| Option 2                 | hasExtendedTitle                          | boolean  | Whether the notifications include the triggering group-by values in their title.                                                                                                                                                                                                                                                                                                                                 |
| Option 2                 | isEnabled [*required*]               | boolean  | Whether the rule is enabled.                                                                                                                                                                                                                                                                                                                                                                                     |
| Option 2                 | message [*required*]                 | string   | Message for generated signals.                                                                                                                                                                                                                                                                                                                                                                                   |
| Option 2                 | name [*required*]                    | string   | The name of the rule.                                                                                                                                                                                                                                                                                                                                                                                            |
| Option 2                 | options [*required*]                 | object   | Options.                                                                                                                                                                                                                                                                                                                                                                                                         |
| options                  | anomalyDetectionOptions                   | object   | Options on anomaly detection method.                                                                                                                                                                                                                                                                                                                                                                             |
| anomalyDetectionOptions  | bucketDuration                            | enum     | Duration in seconds of the time buckets used to aggregate events matched by the rule. Must be greater than or equal to 300. Allowed enum values: `300,600,900,1800,3600,10800`                                                                                                                                                                                                                                   |
| anomalyDetectionOptions  | detectionTolerance                        | enum     | An optional parameter that sets how permissive anomaly detection is. Higher values require higher deviations before triggering a signal. Allowed enum values: `1,2,3,4,5`                                                                                                                                                                                                                                        |
| anomalyDetectionOptions  | instantaneousBaseline                     | boolean  | When set to true, Datadog uses previous values that fall within the defined learning window to construct the baseline, enabling the system to establish an accurate baseline more rapidly rather than relying solely on gradual learning over time.                                                                                                                                                              |
| anomalyDetectionOptions  | learningDuration                          | enum     | Learning duration in hours. Anomaly detection waits for at least this amount of historical data before it starts evaluating. Allowed enum values: `1,6,12,24,48,168,336`                                                                                                                                                                                                                                         |
| anomalyDetectionOptions  | learningPeriodBaseline                    | int64    | An optional override baseline to apply while the rule is in the learning period. Must be greater than or equal to 0.                                                                                                                                                                                                                                                                                             |
| options                  | complianceRuleOptions                     | object   | Options for cloud_configuration rules. Fields `resourceType` and `regoRule` are mandatory when managing custom `cloud_configuration` rules.                                                                                                                                                                                                                                                                      |
| complianceRuleOptions    | complexRule                               | boolean  | Whether the rule is a complex one. Must be set to true if `regoRule.resourceTypes` contains more than one item. Defaults to false.                                                                                                                                                                                                                                                                               |
| complianceRuleOptions    | regoRule                                  | object   | Rule details.                                                                                                                                                                                                                                                                                                                                                                                                    |
| regoRule                 | policy [*required*]                  | string   | The policy written in `rego`, see: [https://www.openpolicyagent.org/docs/latest/policy-language/](https://www.openpolicyagent.org/docs/latest/policy-language/)                                                                                                                                                                                                                                                  |
| regoRule                 | resourceTypes [*required*]           | [string] | List of resource types the policy is evaluated against. Must have at least one element.                                                                                                                                                                                                                                                                                                                          |
| complianceRuleOptions    | resourceType                              | string   | Main resource type to be checked by the rule. It should be specified again in `regoRule.resourceTypes`.                                                                                                                                                                                                                                                                                                          |
| options                  | decreaseCriticalityBasedOnEnv             | boolean  | If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise. The severity is decreased by one level: `CRITICAL` in production becomes `HIGH` in non-production, `HIGH` becomes `MEDIUM` and so on. `INFO` remains `INFO`. The decrement is applied when the environment tag of the signal starts with `staging`, `test` or `dev`. |
| options                  | detectionMethod                           | enum     | The detection method. Allowed enum values: `threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold,sequence_detection`                                                                                                                                                                                                                                                  |
| options                  | evaluationWindow                          | enum     | The sliding time window within which at least one case must match for the rule to trigger; it is evaluated in real time. Not used by the third party detection method. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600`                                                                                                                                                                       |
| options                  | hardcodedEvaluatorType                    | enum     | Hardcoded evaluator type. Allowed enum values: `log4shell`                                                                                                                                                                                                                                                                                                                                                       |
| options                  | impossibleTravelOptions                   | object   | Options on impossible travel detection method.                                                                                                                                                                                                                                                                                                                                                                   |
| impossibleTravelOptions  | baselineUserLocations                     | boolean  | If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.                                                                                                                                                                                                    |
| impossibleTravelOptions  | baselineUserLocationsDuration             | int32    | The duration in days during which Datadog learns the user's regular access locations. After this period, signals are generated for accesses from unknown locations.                                                                                                                                                                                                                                              |
| options                  | keepAlive                                 | enum     | Once a signal is generated, the signal will remain "open" if a case is matched at least once within this keep alive window. For third party detection method, this field is not used. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600`                                                                                                                                                         |
| options                  | maxSignalDuration                         | enum     | A signal will "close" regardless of the query being matched once the time exceeds the maximum duration. This time is calculated from the first seen timestamp. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600`                                                                                                                                                                                |
| options                  | newValueOptions                           | object   | Options on new value detection method.                                                                                                                                                                                                                                                                                                                                                                           |
| newValueOptions          | forgetAfter                               | int32    | The duration in days after which a learned value is forgotten.                                                                                                                                                                                                                                                                                                                                                   |
| newValueOptions          | instantaneousBaseline                     | boolean  | When set to true, Datadog uses previous values that fall within the defined learning window to construct the baseline, enabling the system to establish an accurate baseline more rapidly rather than relying solely on gradual learning over time.                                                                                                                                                              |
| newValueOptions          | learningDuration                          | int32    | The duration in days during which values are learned, and after which signals will be generated for values that weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned.                                                                                                                                                                                    |
| newValueOptions          | learningMethod                            | enum     | The learning method used to determine when signals should be generated for values that weren't learned. Allowed enum values: `duration,threshold`                                                                                                                                                                                                                                                                |
| newValueOptions          | learningThreshold                         | enum     | A number of occurrences after which signals will be generated for values that weren't learned. Allowed enum values: `0,1`                                                                                                                                                                                                                                                                                        |
| options                  | sequenceDetectionOptions                  | object   | Options on sequence detection method.                                                                                                                                                                                                                                                                                                                                                                            |
| sequenceDetectionOptions | stepTransitions                           | [object] | Transitions defining the allowed order of steps and their evaluation windows.                                                                                                                                                                                                                                                                                                                                    |
| stepTransitions          | child                                     | string   | Name of the child step.                                                                                                                                                                                                                                                                                                                                                                                          |
| stepTransitions          | evaluationWindow                          | enum     | The sliding time window within which at least one case must match for the transition to trigger; it is evaluated in real time. Not used by the third party detection method. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600`                                                                                                                                                                 |
| stepTransitions          | parent                                    | string   | Name of the parent step.                                                                                                                                                                                                                                                                                                                                                                                         |
| sequenceDetectionOptions | steps                                     | [object] | Steps that define the conditions to be matched in sequence.                                                                                                                                                                                                                                                                                                                                                      |
| steps                    | condition                                 | string   | Condition referencing rule queries (e.g., `a > 0`).                                                                                                                                                                                                                                                                                                                                                              |
| steps                    | evaluationWindow                          | enum     | The sliding time window within which at least one case must match for the step to trigger; it is evaluated in real time. Not used by the third party detection method. Allowed enum values: `0,60,300,600,900,1800,3600,7200,10800,21600`                                                                                                                                                                       |
| steps                    | name                                      | string   | Unique name identifying the step.                                                                                                                                                                                                                                                                                                                                                                                |
| options                  | thirdPartyRuleOptions                     | object   | Options on third party detection method.                                                                                                                                                                                                                                                                                                                                                                         |
| thirdPartyRuleOptions    | defaultNotifications                      | [string] | Notification targets for the logs that do not correspond to any of the cases.                                                                                                                                                                                                                                                                                                                                    |
| thirdPartyRuleOptions    | defaultStatus                             | enum     | Severity of the Security Signal. Allowed enum values: `info,low,medium,high,critical`                                                                                                                                                                                                                                                                                                                            |
| thirdPartyRuleOptions    | rootQueries                               | [object] | Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.                                                                                                                                                                                                                                                      |
| rootQueries              | groupByFields                             | [string] | Fields to group by.                                                                                                                                                                                                                                                                                                                                                                                              |
| rootQueries              | query                                     | string   | Query to run on logs.                                                                                                                                                                                                                                                                                                                                                                                            |
| thirdPartyRuleOptions    | signalTitleTemplate                       | string   | A template for the signal title; if omitted, the title is generated based on the case name.                                                                                                                                                                                                                                                                                                                      |
| Option 2                 | queries [*required*]                 | [object] | Queries for selecting the signals that are part of the rule.                                                                                                                                                                                                                                                                                                                                                     |
| queries                  | aggregation                               | enum     | The aggregation type. Allowed enum values: `count,cardinality,sum,max,new_value,geo_data,event_count,none`                                                                                                                                                                                                                                                                                                       |
| queries                  | correlatedByFields                        | [string] | Fields to group by.                                                                                                                                                                                                                                                                                                                                                                                              |
| queries                  | correlatedQueryIndex                      | int32    | Index of the rule query used to retrieve the correlated field.                                                                                                                                                                                                                                                                                                                                                   |
| queries                  | metrics                                   | [string] | Group of target fields to aggregate over.                                                                                                                                                                                                                                                                                                                                                                        |
| queries                  | name                                      | string   | Name of the query.                                                                                                                                                                                                                                                                                                                                                                                               |
| queries                  | ruleId [*required*]                  | string   | Rule ID to match on signals.                                                                                                                                                                                                                                                                                                                                                                                     |
| Option 2                 | tags                                      | [string] | Tags for generated signals.                                                                                                                                                                                                                                                                                                                                                                                      |
| Option 2                 | type                                      | enum     | The rule type. Allowed enum values: `signal_correlation`                                                                                                                                                                                                                                                                                                                                                         |
|                          | Option 3                                  | object   | The payload of a cloud configuration rule.                                                                                                                                                                                                                                                                                                                                                                       |
| Option 3                 | cases [*required*]                   | [object] | Description of generated findings and signals (severity and channels to be notified in case of a signal). Must contain exactly one item.                                                                                                                                                                                                                                                                         |
| cases                    | notifications                             | [string] | Notification targets for each rule case.                                                                                                                                                                                                                                                                                                                                                                         |
| cases                    | status [*required*]                  | enum     | Severity of the Security Signal. Allowed enum values: `info,low,medium,high,critical`                                                                                                                                                                                                                                                                                                                            |
| Option 3                 | complianceSignalOptions [*required*] | object   | How to generate compliance signals. Useful for cloud_configuration rules only.                                                                                                                                                                                                                                                                                                                                   |
| complianceSignalOptions  | defaultActivationStatus                   | boolean  | The default activation status.                                                                                                                                                                                                                                                                                                                                                                                   |
| complianceSignalOptions  | defaultGroupByFields                      | [string] | The default group by fields.                                                                                                                                                                                                                                                                                                                                                                                     |
| complianceSignalOptions  | userActivationStatus                      | boolean  | Whether signals will be sent.                                                                                                                                                                                                                                                                                                                                                                                    |
| complianceSignalOptions  | userGroupByFields                         | [string] | Fields to use to group findings by when sending signals.                                                                                                                                                                                                                                                                                                                                                         |
| Option 3                 | customMessage                             | string   | Custom/Overridden message for generated signals (used in case of Default rule update).                                                                                                                                                                                                                                                                                                                           |
| Option 3                 | customName                                | string   | Custom/Overridden name of the rule (used in case of Default rule update).                                                                                                                                                                                                                                                                                                                                        |
| Option 3                 | filters                                   | [object] | Additional queries to filter matched events before they are processed.                                                                                                                                                                                                                                                                                                                                           |
| filters                  | action                                    | enum     | The type of filtering action. Allowed enum values: `require,suppress`                                                                                                                                                                                                                                                                                                                                            |
| filters                  | query                                     | string   | Query for selecting logs to apply the filtering action.                                                                                                                                                                                                                                                                                                                                                          |
| Option 3                 | isEnabled [*required*]               | boolean  | Whether the rule is enabled.                                                                                                                                                                                                                                                                                                                                                                                     |
| Option 3                 | message [*required*]                 | string   | Message in markdown format for generated findings and signals.                                                                                                                                                                                                                                                                                                                                                   |
| Option 3                 | name [*required*]                    | string   | The name of the rule.                                                                                                                                                                                                                                                                                                                                                                                            |
| Option 3                 | options [*required*]                 | object   | Options on cloud configuration rules.                                                                                                                                                                                                                                                                                                                                                                            |
| options                  | complianceRuleOptions [*required*]   | object   | Options for cloud_configuration rules. Fields `resourceType` and `regoRule` are mandatory when managing custom `cloud_configuration` rules.                                                                                                                                                                                                                                                                      |
| complianceRuleOptions    | complexRule                               | boolean  | Whether the rule is a complex one. Must be set to true if `regoRule.resourceTypes` contains more than one item. Defaults to false.                                                                                                                                                                                                                                                                               |
| complianceRuleOptions    | regoRule                                  | object   | Rule details.                                                                                                                                                                                                                                                                                                                                                                                                    |
| regoRule                 | policy [*required*]                  | string   | The policy written in `rego`, see: [https://www.openpolicyagent.org/docs/latest/policy-language/](https://www.openpolicyagent.org/docs/latest/policy-language/)                                                                                                                                                                                                                                                  |
| regoRule                 | resourceTypes [*required*]           | [string] | List of resource types that will be evaluated upon. Must have at least one element.                                                                                                                                                                                                                                                                                                                              |
| complianceRuleOptions    | resourceType                              | string   | Main resource type to be checked by the rule. It should be specified again in `regoRule.resourceTypes`.                                                                                                                                                                                                                                                                                                          |
| Option 3                 | tags                                      | [string] | Tags for generated findings and signals.                                                                                                                                                                                                                                                                                                                                                                         |
| Option 3                 | type                                      | enum     | The rule type. Allowed enum values: `cloud_configuration`                                                                                                                                                                                                                                                                                                                                                        |

{% /tab %}

{% tab title="Example" %}
##### 

```json
{
  "cases": [
    {
      "name": "",
      "status": "info",
      "notifications": [],
      "condition": "a > 0"
    }
  ],
  "hasExtendedTitle": true,
  "isEnabled": true,
  "message": "My security monitoring rule",
  "name": "My security monitoring rule",
  "options": {
    "evaluationWindow": 1800,
    "keepAlive": 1800,
    "maxSignalDuration": 1800,
    "detectionMethod": "threshold"
  },
  "queries": [
    {
      "query": "source:source_here",
      "groupByFields": [
        "@userIdentity.assumed_role"
      ],
      "distinctFields": [],
      "aggregation": "count",
      "name": ""
    }
  ],
  "tags": [
    "env:prod",
    "team:security"
  ],
  "type": "log_detection"
}
```

##### 

```json
{
  "cases": [
    {
      "name": "",
      "status": "info",
      "notifications": []
    }
  ],
  "hasExtendedTitle": true,
  "isEnabled": true,
  "message": "My security monitoring rule",
  "name": "My security monitoring rule",
  "options": {
    "evaluationWindow": 0,
    "keepAlive": 300,
    "maxSignalDuration": 600,
    "detectionMethod": "new_value",
    "newValueOptions": {
      "forgetAfter": 7,
      "instantaneousBaseline": true,
      "learningDuration": 1,
      "learningThreshold": 0,
      "learningMethod": "duration"
    }
  },
  "queries": [
    {
      "query": "source:source_here",
      "groupByFields": [
        "@userIdentity.assumed_role"
      ],
      "distinctFields": [],
      "metric": "name",
      "metrics": [
        "name"
      ],
      "aggregation": "new_value",
      "name": "",
      "dataSource": "logs"
    }
  ],
  "tags": [
    "env:prod",
    "team:security"
  ],
  "type": "log_detection"
}
```

##### 

```json
{
  "cases": [
    {
      "name": "",
      "status": "info",
      "notifications": [],
      "condition": "step_b > 0"
    }
  ],
  "hasExtendedTitle": true,
  "isEnabled": true,
  "message": "My security monitoring rule",
  "name": "My security monitoring rule",
  "options": {
    "evaluationWindow": 0,
    "keepAlive": 300,
    "maxSignalDuration": 600,
    "detectionMethod": "sequence_detection",
    "sequenceDetectionOptions": {
      "stepTransitions": [
        {
          "child": "step_b",
          "evaluationWindow": 900,
          "parent": "step_a"
        }
      ],
      "steps": [
        {
          "condition": "a > 0",
          "evaluationWindow": 60,
          "name": "step_a"
        },
        {
          "condition": "b > 0",
          "evaluationWindow": 60,
          "name": "step_b"
        }
      ]
    }
  },
  "queries": [
    {
      "query": "source:source_here",
      "groupByFields": [
        "@userIdentity.assumed_role"
      ],
      "distinctFields": [],
      "aggregation": "count",
      "name": ""
    },
    {
      "query": "source:source_here2",
      "groupByFields": [],
      "distinctFields": [],
      "aggregation": "count",
      "name": ""
    }
  ],
  "tags": [
    "env:prod",
    "team:security"
  ],
  "type": "log_detection"
}
```

{% /tab %}
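The model table above states several constraints for custom `cloud_configuration` rules that a client can check locally before spending a call on the validation endpoint: `regoRule.policy` and a non-empty `regoRule.resourceTypes` are required, `resourceType` must be repeated inside `regoRule.resourceTypes`, and `complexRule` (default false) must be true once more than one resource type is listed. The following pre-flight check is an added example, not Datadog's code or part of the client libraries; the `rulePayload` type, the `Preflight` function and the sample payload are constructed here. The endpoint remains the authority (it also compiles the rego policy); this only catches the structural mistakes the table spells out.

```go
// Added example, not Datadog's code: a local pre-flight check of a
// cloud_configuration rule payload against the constraints the model table
// states, run before the payload is sent to the validation endpoint.
package main

import (
	"encoding/json"
	"fmt"
)

// Only the fields the checks need are modelled; encoding/json ignores the rest
// of the rule (cases, message, tags, ...).
type rulePayload struct {
	Type    string `json:"type"`
	Options struct {
		ComplianceRuleOptions *struct {
			ComplexRule  bool   `json:"complexRule"`
			ResourceType string `json:"resourceType"`
			RegoRule     *struct {
				Policy        string   `json:"policy"`
				ResourceTypes []string `json:"resourceTypes"`
			} `json:"regoRule"`
		} `json:"complianceRuleOptions"`
	} `json:"options"`
}

// Preflight returns one message per violated constraint. An empty slice means
// the local checks passed, not that the API will accept the rule: the
// validation endpoint stays the authority (it also compiles the rego policy).
func Preflight(raw []byte) ([]string, error) {
	var r rulePayload
	if err := json.Unmarshal(raw, &r); err != nil {
		return nil, fmt.Errorf("payload is not valid JSON: %w", err)
	}
	if r.Type != "cloud_configuration" {
		return nil, nil // the table's constraints only apply to this rule type
	}
	c := r.Options.ComplianceRuleOptions
	if c == nil || c.RegoRule == nil {
		return []string{"custom cloud_configuration rules need options.complianceRuleOptions.regoRule"}, nil
	}
	var problems []string
	if c.RegoRule.Policy == "" {
		problems = append(problems, "regoRule.policy is required")
	}
	if len(c.RegoRule.ResourceTypes) == 0 {
		problems = append(problems, "regoRule.resourceTypes must have at least one element")
	}
	// resourceType is mandatory and must be repeated in regoRule.resourceTypes.
	if c.ResourceType == "" {
		problems = append(problems, "resourceType is required for custom cloud_configuration rules")
	} else if !contains(c.RegoRule.ResourceTypes, c.ResourceType) {
		problems = append(problems, fmt.Sprintf("resourceType %q is not listed in regoRule.resourceTypes", c.ResourceType))
	}
	// complexRule defaults to false, which is invalid once several types are listed.
	if len(c.RegoRule.ResourceTypes) > 1 && !c.ComplexRule {
		problems = append(problems, "complexRule must be true when regoRule.resourceTypes has more than one item")
	}
	return problems, nil
}

func contains(list []string, want string) bool {
	for _, v := range list {
		if v == want {
			return true
		}
	}
	return false
}

// Constructed sample (not from the page): the main resource type is not
// repeated in regoRule.resourceTypes and two types are listed without
// complexRule, so Preflight reports two problems.
const sampleCloudRule = `{
  "type": "cloud_configuration",
  "name": "constructed sample",
  "options": {"complianceRuleOptions": {
    "resourceType": "aws_acm",
    "regoRule": {
      "policy": "package datadog",
      "resourceTypes": ["gcp_iam_service_account", "gcp_iam_policy"]
    }
  }}
}`

func main() {
	problems, err := Preflight([]byte(sampleCloudRule))
	if err != nil {
		panic(err)
	}
	for _, p := range problems {
		fmt.Println("preflight:", p)
	}
}
```

Rules of other types pass through untouched, so the same function can sit in front of every rule a CI pipeline submits; only the findings that the table already defines as errors are reported, which keeps the local check from disagreeing with the server.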

### Response

{% tab title="204" %}
OK
{% /tab %}

{% tab title="400" %}
Bad Request
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="403" %}
Not Authorized
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}

{% tab title="429" %}
Too many requests
{% tab title="Model" %}
API error response.

| Field                    | Type     | Description       |
| ------------------------ | -------- | ----------------- |
| errors [*required*] | [string] | A list of errors. |

{% /tab %}

{% tab title="Example" %}

```json
{
  "errors": [
    "Bad Request"
  ]
}
```

{% /tab %}

{% /tab %}
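The response tabs above define the whole contract a caller has to handle: a bare 204 on success, and 400, 403 and 429 with the `{"errors": [...]}` model. The program below is an added example, not Datadog's code and not the official Go client; it makes the call with `net/http`, sends the same headers as the curl example, and maps the status codes onto a result that a CI job can act on, treating only the 400 body as "the rule is wrong" and everything else as a call failure. `NewStubServer` is a constructed local stand-in for the endpoint so the example runs offline: it reproduces the documented status codes but performs no real rule validation.

```go
// Added example, not Datadog's code: the validation call made with net/http,
// mapping the documented responses (204 OK, 400 with an errors list, 403, 429)
// onto a result a CI job can act on. NewStubServer is a constructed stand-in so
// the program runs offline; it only reproduces those status codes.
package main

import (
	"bytes"
	"context"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// apiError mirrors the documented error model: {"errors": ["..."]}.
type apiError struct {
	Errors []string `json:"errors"`
}

// ValidationResult: Valid is true only for a 204; on a 400 the server's
// messages are returned in Errors. Any other status surfaces as an error so
// that a credentials or rate-limit problem is never mistaken for a bad rule.
type ValidationResult struct {
	Valid  bool
	Errors []string
}

// ValidateRule posts the rule JSON to baseURL + the validation path with the
// same headers the curl example uses (baseURL is https://api.datadoghq.com for
// the app.datadoghq.com site; see the site table at the top of the page).
func ValidateRule(ctx context.Context, baseURL, apiKey, appKey string, rule []byte) (ValidationResult, error) {
	req, err := http.NewRequestWithContext(ctx, http.MethodPost,
		baseURL+"/api/v2/security_monitoring/rules/validation", bytes.NewReader(rule))
	if err != nil {
		return ValidationResult{}, err
	}
	req.Header.Set("Content-Type", "application/json")
	req.Header.Set("DD-API-KEY", apiKey)
	req.Header.Set("DD-APPLICATION-KEY", appKey)
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return ValidationResult{}, err
	}
	defer resp.Body.Close()
	body, _ := io.ReadAll(io.LimitReader(resp.Body, 1<<20)) // cap what we buffer from the server
	switch resp.StatusCode {
	case http.StatusNoContent:
		return ValidationResult{Valid: true}, nil
	case http.StatusBadRequest:
		var e apiError
		if err := json.Unmarshal(body, &e); err != nil {
			return ValidationResult{}, fmt.Errorf("400 with unparseable body: %q", body)
		}
		return ValidationResult{Valid: false, Errors: e.Errors}, nil
	case http.StatusForbidden:
		return ValidationResult{}, fmt.Errorf("403 Not Authorized: check the keys and the security_monitoring_rules_write permission")
	case http.StatusTooManyRequests:
		return ValidationResult{}, fmt.Errorf("429 Too many requests: retry later")
	default:
		return ValidationResult{}, fmt.Errorf("unexpected status %d: %q", resp.StatusCode, body)
	}
}

// NewStubServer is the constructed stand-in: 403 without both key headers,
// 400 with an errors list when the rule has an empty name, 204 otherwise.
func NewStubServer() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		if r.Header.Get("DD-API-KEY") == "" || r.Header.Get("DD-APPLICATION-KEY") == "" {
			w.WriteHeader(http.StatusForbidden)
			json.NewEncoder(w).Encode(apiError{Errors: []string{"Not Authorized"}})
			return
		}
		var rule struct {
			Name string `json:"name"`
		}
		if err := json.NewDecoder(r.Body).Decode(&rule); err != nil || rule.Name == "" {
			w.WriteHeader(http.StatusBadRequest)
			json.NewEncoder(w).Encode(apiError{Errors: []string{"name: must not be empty"}})
			return
		}
		w.WriteHeader(http.StatusNoContent)
	}))
}

func main() {
	srv := NewStubServer()
	defer srv.Close()
	for _, rule := range []string{
		`{"name": "My security monitoring rule", "type": "log_detection"}`,
		`{"name": "", "type": "log_detection"}`,
	} {
		res, err := ValidateRule(context.Background(), srv.URL, "stub-api-key", "stub-app-key", []byte(rule))
		if err != nil {
			fmt.Println("call failed:", err)
			continue
		}
		fmt.Printf("valid=%v errors=%v\n", res.Valid, res.Errors)
	}
}
```

Against the real API, replace `srv.URL` with the endpoint for your site and read the keys from the `DD_API_KEY` and `DD_APP_KEY` environment variables as the curl example does; keeping the 403 and 429 cases separate from the 400 case is what lets a pipeline fail loudly on a broken credential instead of reporting "rule invalid".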

### Code Example

##### 

```shell
## default
# Curl command
curl -X POST "https://api.datadoghq.com/api/v2/security_monitoring/rules/validation" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "calculatedFields": [
    {
      "expression": "@request_end_timestamp - @request_start_timestamp",
      "name": "response_time"
    }
  ],
  "cases": [
    {
      "condition": "a \u003e 0",
      "name": "",
      "notifications": [],
      "status": "info"
    }
  ],
  "filters": [
    {
      "action": "require"
    }
  ],
  "groupSignalsBy": [
    "service"
  ],
  "hasExtendedTitle": true,
  "isEnabled": true,
  "message": "My security monitoring rule",
  "name": "My security monitoring rule.",
  "options": {
    "anomalyDetectionOptions": {
      "bucketDuration": 300,
      "detectionTolerance": 5,
      "instantaneousBaseline": false
    },
    "complianceRuleOptions": {
      "regoRule": {
        "policy": "package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(resource) = \"skip\" if {\n  # Logic that evaluates to true if the resource should be skipped\n  true\n} else = \"pass\" {\n  # Logic that evaluates to true if the resource is compliant\n  true\n} else = \"fail\" {\n  # Logic that evaluates to true if the resource is not compliant\n  true\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n  some resource in input.resources[input.main_resource_type]\n  result := dd_output.format(resource, eval(resource))\n}",
        "resourceTypes": [
          "gcp_iam_service_account",
          "gcp_iam_policy"
        ]
      },
      "resourceType": "aws_acm"
    },
    "decreaseCriticalityBasedOnEnv": false,
    "detectionMethod": "threshold",
    "evaluationWindow": 1800,
    "hardcodedEvaluatorType": "log4shell",
    "impossibleTravelOptions": {
      "baselineUserLocations": true,
      "baselineUserLocationsDuration": 7
    },
    "keepAlive": 1800,
    "maxSignalDuration": 1800,
    "newValueOptions": {
      "instantaneousBaseline": false,
      "learningMethod": "duration"
    },
    "thirdPartyRuleOptions": {
      "defaultStatus": "critical",
      "rootQueries": [
        {
          "query": "source:cloudtrail"
        }
      ]
    }
  },
  "queries": [
    {
      "aggregation": "count",
      "distinctFields": [],
      "groupByFields": [
        "@userIdentity.assumed_role"
      ],
      "name": "",
      "query": "source:cloudtrail"
    }
  ],
  "schedulingOptions": {
    "rrule": "FREQ=HOURLY;INTERVAL=1;",
    "start": "2025-07-14T12:00:00",
    "timezone": "America/New_York"
  },
  "tags": [
    "env:prod",
    "team:security"
  ],
  "thirdPartyCases": [],
  "type": "log_detection"
}
EOF
```

##### 

```go
// Validate a detection rule returns "OK" response

package main

import (
	"context"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	body := datadogV2.SecurityMonitoringRuleValidatePayload{
		SecurityMonitoringStandardRulePayload: &datadogV2.SecurityMonitoringStandardRulePayload{
			Cases: []datadogV2.SecurityMonitoringRuleCaseCreate{
				{
					Name:          datadog.PtrString(""),
					Status:        datadogV2.SECURITYMONITORINGRULESEVERITY_INFO,
					Notifications: []string{},
					Condition:     datadog.PtrString("a > 0"),
				},
			},
			HasExtendedTitle: datadog.PtrBool(true),
			IsEnabled:        true,
			Message:          "My security monitoring rule",
			Name:             "My security monitoring rule",
			Options: datadogV2.SecurityMonitoringRuleOptions{
				EvaluationWindow:  datadogV2.SECURITYMONITORINGRULEEVALUATIONWINDOW_THIRTY_MINUTES.Ptr(),
				KeepAlive:         datadogV2.SECURITYMONITORINGRULEKEEPALIVE_THIRTY_MINUTES.Ptr(),
				MaxSignalDuration: datadogV2.SECURITYMONITORINGRULEMAXSIGNALDURATION_THIRTY_MINUTES.Ptr(),
				DetectionMethod:   datadogV2.SECURITYMONITORINGRULEDETECTIONMETHOD_THRESHOLD.Ptr(),
			},
			Queries: []datadogV2.SecurityMonitoringStandardRuleQuery{
				{
					Query: datadog.PtrString("source:source_here"),
					GroupByFields: []string{
						"@userIdentity.assumed_role",
					},
					DistinctFields: []string{},
					Aggregation:    datadogV2.SECURITYMONITORINGRULEQUERYAGGREGATION_COUNT.Ptr(),
					Name:           datadog.PtrString(""),
				},
			},
			Tags: []string{
				"env:prod",
				"team:security",
			},
			Type: datadogV2.SECURITYMONITORINGRULETYPECREATE_LOG_DETECTION.Ptr(),
		}}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	r, err := api.ValidateSecurityMonitoringRule(ctx, body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.ValidateSecurityMonitoringRule`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}
}
```

##### 

```go
// Validate a detection rule with detection method 'new_value' with enabled feature 'instantaneousBaseline' returns "OK"
// response

package main

import (
	"context"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	body := datadogV2.SecurityMonitoringRuleValidatePayload{
		SecurityMonitoringStandardRulePayload: &datadogV2.SecurityMonitoringStandardRulePayload{
			Cases: []datadogV2.SecurityMonitoringRuleCaseCreate{
				{
					Name:          datadog.PtrString(""),
					Status:        datadogV2.SECURITYMONITORINGRULESEVERITY_INFO,
					Notifications: []string{},
				},
			},
			HasExtendedTitle: datadog.PtrBool(true),
			IsEnabled:        true,
			Message:          "My security monitoring rule",
			Name:             "My security monitoring rule",
			Options: datadogV2.SecurityMonitoringRuleOptions{
				EvaluationWindow:  datadogV2.SECURITYMONITORINGRULEEVALUATIONWINDOW_ZERO_MINUTES.Ptr(),
				KeepAlive:         datadogV2.SECURITYMONITORINGRULEKEEPALIVE_FIVE_MINUTES.Ptr(),
				MaxSignalDuration: datadogV2.SECURITYMONITORINGRULEMAXSIGNALDURATION_TEN_MINUTES.Ptr(),
				DetectionMethod:   datadogV2.SECURITYMONITORINGRULEDETECTIONMETHOD_NEW_VALUE.Ptr(),
				NewValueOptions: &datadogV2.SecurityMonitoringRuleNewValueOptions{
					ForgetAfter:           datadog.PtrInt32(7),
					InstantaneousBaseline: datadog.PtrBool(true),
					LearningDuration:      datadog.PtrInt32(1),
					LearningThreshold:     datadogV2.SECURITYMONITORINGRULENEWVALUEOPTIONSLEARNINGTHRESHOLD_ZERO_OCCURRENCES.Ptr(),
					LearningMethod:        datadogV2.SECURITYMONITORINGRULENEWVALUEOPTIONSLEARNINGMETHOD_DURATION.Ptr(),
				},
			},
			Queries: []datadogV2.SecurityMonitoringStandardRuleQuery{
				{
					Query: datadog.PtrString("source:source_here"),
					GroupByFields: []string{
						"@userIdentity.assumed_role",
					},
					DistinctFields: []string{},
					Metric:         datadog.PtrString("name"),
					Metrics: []string{
						"name",
					},
					Aggregation: datadogV2.SECURITYMONITORINGRULEQUERYAGGREGATION_NEW_VALUE.Ptr(),
					Name:        datadog.PtrString(""),
					DataSource:  datadogV2.SECURITYMONITORINGSTANDARDDATASOURCE_LOGS.Ptr(),
				},
			},
			Tags: []string{
				"env:prod",
				"team:security",
			},
			Type: datadogV2.SECURITYMONITORINGRULETYPECREATE_LOG_DETECTION.Ptr(),
		}}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	r, err := api.ValidateSecurityMonitoringRule(ctx, body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.ValidateSecurityMonitoringRule`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}
}
```

##### 

```go
// Validate a detection rule with detection method 'sequence_detection' returns "OK" response

package main

import (
	"context"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	body := datadogV2.SecurityMonitoringRuleValidatePayload{
		SecurityMonitoringStandardRulePayload: &datadogV2.SecurityMonitoringStandardRulePayload{
			Cases: []datadogV2.SecurityMonitoringRuleCaseCreate{
				{
					Name:          datadog.PtrString(""),
					Status:        datadogV2.SECURITYMONITORINGRULESEVERITY_INFO,
					Notifications: []string{},
					Condition:     datadog.PtrString("step_b > 0"),
				},
			},
			HasExtendedTitle: datadog.PtrBool(true),
			IsEnabled:        true,
			Message:          "My security monitoring rule",
			Name:             "My security monitoring rule",
			Options: datadogV2.SecurityMonitoringRuleOptions{
				EvaluationWindow:  datadogV2.SECURITYMONITORINGRULEEVALUATIONWINDOW_ZERO_MINUTES.Ptr(),
				KeepAlive:         datadogV2.SECURITYMONITORINGRULEKEEPALIVE_FIVE_MINUTES.Ptr(),
				MaxSignalDuration: datadogV2.SECURITYMONITORINGRULEMAXSIGNALDURATION_TEN_MINUTES.Ptr(),
				DetectionMethod:   datadogV2.SECURITYMONITORINGRULEDETECTIONMETHOD_SEQUENCE_DETECTION.Ptr(),
				SequenceDetectionOptions: &datadogV2.SecurityMonitoringRuleSequenceDetectionOptions{
					StepTransitions: []datadogV2.SecurityMonitoringRuleSequenceDetectionStepTransition{
						{
							Child:            datadog.PtrString("step_b"),
							EvaluationWindow: datadogV2.SECURITYMONITORINGRULEEVALUATIONWINDOW_FIFTEEN_MINUTES.Ptr(),
							Parent:           datadog.PtrString("step_a"),
						},
					},
					Steps: []datadogV2.SecurityMonitoringRuleSequenceDetectionStep{
						{
							Condition:        datadog.PtrString("a > 0"),
							EvaluationWindow: datadogV2.SECURITYMONITORINGRULEEVALUATIONWINDOW_ONE_MINUTE.Ptr(),
							Name:             datadog.PtrString("step_a"),
						},
						{
							Condition:        datadog.PtrString("b > 0"),
							EvaluationWindow: datadogV2.SECURITYMONITORINGRULEEVALUATIONWINDOW_ONE_MINUTE.Ptr(),
							Name:             datadog.PtrString("step_b"),
						},
					},
				},
			},
			Queries: []datadogV2.SecurityMonitoringStandardRuleQuery{
				{
					Query: datadog.PtrString("source:source_here"),
					GroupByFields: []string{
						"@userIdentity.assumed_role",
					},
					DistinctFields: []string{},
					Aggregation:    datadogV2.SECURITYMONITORINGRULEQUERYAGGREGATION_COUNT.Ptr(),
					Name:           datadog.PtrString(""),
				},
				{
					Query:          datadog.PtrString("source:source_here2"),
					GroupByFields:  []string{},
					DistinctFields: []string{},
					Aggregation:    datadogV2.SECURITYMONITORINGRULEQUERYAGGREGATION_COUNT.Ptr(),
					Name:           datadog.PtrString(""),
				},
			},
			Tags: []string{
				"env:prod",
				"team:security",
			},
			Type: datadogV2.SECURITYMONITORINGRULETYPECREATE_LOG_DETECTION.Ptr(),
		}}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	r, err := api.ValidateSecurityMonitoringRule(ctx, body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.ValidateSecurityMonitoringRule`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest.md?code-lang=go), then save the example to `main.go` and run the following command:

    DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"

##### 

```java
// Validate a detection rule returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleCaseCreate;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleDetectionMethod;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleEvaluationWindow;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleKeepAlive;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleMaxSignalDuration;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleOptions;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleQueryAggregation;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleSeverity;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleTypeCreate;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleValidatePayload;
import com.datadog.api.client.v2.model.SecurityMonitoringStandardRulePayload;
import com.datadog.api.client.v2.model.SecurityMonitoringStandardRuleQuery;
import java.util.Arrays;
import java.util.Collections;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    SecurityMonitoringRuleValidatePayload body =
        new SecurityMonitoringRuleValidatePayload(
            new SecurityMonitoringStandardRulePayload()
                .cases(
                    Collections.singletonList(
                        new SecurityMonitoringRuleCaseCreate()
                            .name("")
                            .status(SecurityMonitoringRuleSeverity.INFO)
                            .condition("a > 0")))
                .hasExtendedTitle(true)
                .isEnabled(true)
                .message("My security monitoring rule")
                .name("My security monitoring rule")
                .options(
                    new SecurityMonitoringRuleOptions()
                        .evaluationWindow(SecurityMonitoringRuleEvaluationWindow.THIRTY_MINUTES)
                        .keepAlive(SecurityMonitoringRuleKeepAlive.THIRTY_MINUTES)
                        .maxSignalDuration(SecurityMonitoringRuleMaxSignalDuration.THIRTY_MINUTES)
                        .detectionMethod(SecurityMonitoringRuleDetectionMethod.THRESHOLD))
                .queries(
                    Collections.singletonList(
                        new SecurityMonitoringStandardRuleQuery()
                            .query("source:source_here")
                            .groupByFields(Collections.singletonList("@userIdentity.assumed_role"))
                            .aggregation(SecurityMonitoringRuleQueryAggregation.COUNT)
                            .name("")))
                .tags(Arrays.asList("env:prod", "team:security"))
                .type(SecurityMonitoringRuleTypeCreate.LOG_DETECTION));

    try {
      apiInstance.validateSecurityMonitoringRule(body);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#validateSecurityMonitoringRule");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}
```

##### 

```java
// Validate a detection rule with detection method 'new_value' with enabled feature
// 'instantaneousBaseline' returns "OK"
// response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleCaseCreate;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleDetectionMethod;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleEvaluationWindow;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleKeepAlive;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleMaxSignalDuration;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleNewValueOptions;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleNewValueOptionsLearningMethod;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleNewValueOptionsLearningThreshold;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleOptions;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleQueryAggregation;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleSeverity;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleTypeCreate;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleValidatePayload;
import com.datadog.api.client.v2.model.SecurityMonitoringStandardDataSource;
import com.datadog.api.client.v2.model.SecurityMonitoringStandardRulePayload;
import com.datadog.api.client.v2.model.SecurityMonitoringStandardRuleQuery;
import java.util.Arrays;
import java.util.Collections;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    SecurityMonitoringRuleValidatePayload body =
        new SecurityMonitoringRuleValidatePayload(
            new SecurityMonitoringStandardRulePayload()
                .cases(
                    Collections.singletonList(
                        new SecurityMonitoringRuleCaseCreate()
                            .name("")
                            .status(SecurityMonitoringRuleSeverity.INFO)))
                .hasExtendedTitle(true)
                .isEnabled(true)
                .message("My security monitoring rule")
                .name("My security monitoring rule")
                .options(
                    new SecurityMonitoringRuleOptions()
                        .evaluationWindow(SecurityMonitoringRuleEvaluationWindow.ZERO_MINUTES)
                        .keepAlive(SecurityMonitoringRuleKeepAlive.FIVE_MINUTES)
                        .maxSignalDuration(SecurityMonitoringRuleMaxSignalDuration.TEN_MINUTES)
                        .detectionMethod(SecurityMonitoringRuleDetectionMethod.NEW_VALUE)
                        .newValueOptions(
                            new SecurityMonitoringRuleNewValueOptions()
                                .forgetAfter(7)
                                .instantaneousBaseline(true)
                                .learningDuration(1)
                                .learningThreshold(
                                    SecurityMonitoringRuleNewValueOptionsLearningThreshold
                                        .ZERO_OCCURRENCES)
                                .learningMethod(
                                    SecurityMonitoringRuleNewValueOptionsLearningMethod.DURATION)))
                .queries(
                    Collections.singletonList(
                        new SecurityMonitoringStandardRuleQuery()
                            .query("source:source_here")
                            .groupByFields(Collections.singletonList("@userIdentity.assumed_role"))
                            .metric("name")
                            .metrics(Collections.singletonList("name"))
                            .aggregation(SecurityMonitoringRuleQueryAggregation.NEW_VALUE)
                            .name("")
                            .dataSource(SecurityMonitoringStandardDataSource.LOGS)))
                .tags(Arrays.asList("env:prod", "team:security"))
                .type(SecurityMonitoringRuleTypeCreate.LOG_DETECTION));

    try {
      apiInstance.validateSecurityMonitoringRule(body);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#validateSecurityMonitoringRule");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}
```


```java
// Validate a detection rule with detection method 'sequence_detection' returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleCaseCreate;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleDetectionMethod;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleEvaluationWindow;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleKeepAlive;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleMaxSignalDuration;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleOptions;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleQueryAggregation;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleSequenceDetectionOptions;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleSequenceDetectionStep;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleSequenceDetectionStepTransition;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleSeverity;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleTypeCreate;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleValidatePayload;
import com.datadog.api.client.v2.model.SecurityMonitoringStandardRulePayload;
import com.datadog.api.client.v2.model.SecurityMonitoringStandardRuleQuery;
import java.util.Arrays;
import java.util.Collections;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    SecurityMonitoringRuleValidatePayload body =
        new SecurityMonitoringRuleValidatePayload(
            new SecurityMonitoringStandardRulePayload()
                .cases(
                    Collections.singletonList(
                        new SecurityMonitoringRuleCaseCreate()
                            .name("")
                            .status(SecurityMonitoringRuleSeverity.INFO)
                            .condition("step_b > 0")))
                .hasExtendedTitle(true)
                .isEnabled(true)
                .message("My security monitoring rule")
                .name("My security monitoring rule")
                .options(
                    new SecurityMonitoringRuleOptions()
                        .evaluationWindow(SecurityMonitoringRuleEvaluationWindow.ZERO_MINUTES)
                        .keepAlive(SecurityMonitoringRuleKeepAlive.FIVE_MINUTES)
                        .maxSignalDuration(SecurityMonitoringRuleMaxSignalDuration.TEN_MINUTES)
                        .detectionMethod(SecurityMonitoringRuleDetectionMethod.SEQUENCE_DETECTION)
                        .sequenceDetectionOptions(
                            new SecurityMonitoringRuleSequenceDetectionOptions()
                                .stepTransitions(
                                    Collections.singletonList(
                                        new SecurityMonitoringRuleSequenceDetectionStepTransition()
                                            .child("step_b")
                                            .evaluationWindow(
                                                SecurityMonitoringRuleEvaluationWindow
                                                    .FIFTEEN_MINUTES)
                                            .parent("step_a")))
                                .steps(
                                    Arrays.asList(
                                        new SecurityMonitoringRuleSequenceDetectionStep()
                                            .condition("a > 0")
                                            .evaluationWindow(
                                                SecurityMonitoringRuleEvaluationWindow.ONE_MINUTE)
                                            .name("step_a"),
                                        new SecurityMonitoringRuleSequenceDetectionStep()
                                            .condition("b > 0")
                                            .evaluationWindow(
                                                SecurityMonitoringRuleEvaluationWindow.ONE_MINUTE)
                                            .name("step_b")))))
                .queries(
                    Arrays.asList(
                        new SecurityMonitoringStandardRuleQuery()
                            .query("source:source_here")
                            .groupByFields(Collections.singletonList("@userIdentity.assumed_role"))
                            .aggregation(SecurityMonitoringRuleQueryAggregation.COUNT)
                            .name(""),
                        new SecurityMonitoringStandardRuleQuery()
                            .query("source:source_here2")
                            .aggregation(SecurityMonitoringRuleQueryAggregation.COUNT)
                            .name("")))
                .tags(Arrays.asList("env:prod", "team:security"))
                .type(SecurityMonitoringRuleTypeCreate.LOG_DETECTION));

    try {
      apiInstance.validateSecurityMonitoringRule(body);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#validateSecurityMonitoringRule");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest.md?code-lang=java), then save the example to `Example.java` and run the following command:

```shell
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"
```

```python
"""
Validate a detection rule returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.security_monitoring_rule_case_create import SecurityMonitoringRuleCaseCreate
from datadog_api_client.v2.model.security_monitoring_rule_detection_method import SecurityMonitoringRuleDetectionMethod
from datadog_api_client.v2.model.security_monitoring_rule_evaluation_window import (
    SecurityMonitoringRuleEvaluationWindow,
)
from datadog_api_client.v2.model.security_monitoring_rule_keep_alive import SecurityMonitoringRuleKeepAlive
from datadog_api_client.v2.model.security_monitoring_rule_max_signal_duration import (
    SecurityMonitoringRuleMaxSignalDuration,
)
from datadog_api_client.v2.model.security_monitoring_rule_options import SecurityMonitoringRuleOptions
from datadog_api_client.v2.model.security_monitoring_rule_query_aggregation import (
    SecurityMonitoringRuleQueryAggregation,
)
from datadog_api_client.v2.model.security_monitoring_rule_severity import SecurityMonitoringRuleSeverity
from datadog_api_client.v2.model.security_monitoring_rule_type_create import SecurityMonitoringRuleTypeCreate
from datadog_api_client.v2.model.security_monitoring_standard_rule_payload import SecurityMonitoringStandardRulePayload
from datadog_api_client.v2.model.security_monitoring_standard_rule_query import SecurityMonitoringStandardRuleQuery

body = SecurityMonitoringStandardRulePayload(
    cases=[
        SecurityMonitoringRuleCaseCreate(
            name="",
            status=SecurityMonitoringRuleSeverity.INFO,
            notifications=[],
            condition="a > 0",
        ),
    ],
    has_extended_title=True,
    is_enabled=True,
    message="My security monitoring rule",
    name="My security monitoring rule",
    options=SecurityMonitoringRuleOptions(
        evaluation_window=SecurityMonitoringRuleEvaluationWindow.THIRTY_MINUTES,
        keep_alive=SecurityMonitoringRuleKeepAlive.THIRTY_MINUTES,
        max_signal_duration=SecurityMonitoringRuleMaxSignalDuration.THIRTY_MINUTES,
        detection_method=SecurityMonitoringRuleDetectionMethod.THRESHOLD,
    ),
    queries=[
        SecurityMonitoringStandardRuleQuery(
            query="source:source_here",
            group_by_fields=[
                "@userIdentity.assumed_role",
            ],
            distinct_fields=[],
            aggregation=SecurityMonitoringRuleQueryAggregation.COUNT,
            name="",
        ),
    ],
    tags=[
        "env:prod",
        "team:security",
    ],
    type=SecurityMonitoringRuleTypeCreate.LOG_DETECTION,
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    api_instance.validate_security_monitoring_rule(body=body)
```


```python
"""
Validate a detection rule with detection method 'new_value' with enabled feature 'instantaneousBaseline' returns "OK"
response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.security_monitoring_rule_case_create import SecurityMonitoringRuleCaseCreate
from datadog_api_client.v2.model.security_monitoring_rule_detection_method import SecurityMonitoringRuleDetectionMethod
from datadog_api_client.v2.model.security_monitoring_rule_evaluation_window import (
    SecurityMonitoringRuleEvaluationWindow,
)
from datadog_api_client.v2.model.security_monitoring_rule_keep_alive import SecurityMonitoringRuleKeepAlive
from datadog_api_client.v2.model.security_monitoring_rule_max_signal_duration import (
    SecurityMonitoringRuleMaxSignalDuration,
)
from datadog_api_client.v2.model.security_monitoring_rule_new_value_options import SecurityMonitoringRuleNewValueOptions
from datadog_api_client.v2.model.security_monitoring_rule_new_value_options_learning_method import (
    SecurityMonitoringRuleNewValueOptionsLearningMethod,
)
from datadog_api_client.v2.model.security_monitoring_rule_new_value_options_learning_threshold import (
    SecurityMonitoringRuleNewValueOptionsLearningThreshold,
)
from datadog_api_client.v2.model.security_monitoring_rule_options import SecurityMonitoringRuleOptions
from datadog_api_client.v2.model.security_monitoring_rule_query_aggregation import (
    SecurityMonitoringRuleQueryAggregation,
)
from datadog_api_client.v2.model.security_monitoring_rule_severity import SecurityMonitoringRuleSeverity
from datadog_api_client.v2.model.security_monitoring_rule_type_create import SecurityMonitoringRuleTypeCreate
from datadog_api_client.v2.model.security_monitoring_standard_data_source import SecurityMonitoringStandardDataSource
from datadog_api_client.v2.model.security_monitoring_standard_rule_payload import SecurityMonitoringStandardRulePayload
from datadog_api_client.v2.model.security_monitoring_standard_rule_query import SecurityMonitoringStandardRuleQuery

body = SecurityMonitoringStandardRulePayload(
    cases=[
        SecurityMonitoringRuleCaseCreate(
            name="",
            status=SecurityMonitoringRuleSeverity.INFO,
            notifications=[],
        ),
    ],
    has_extended_title=True,
    is_enabled=True,
    message="My security monitoring rule",
    name="My security monitoring rule",
    options=SecurityMonitoringRuleOptions(
        evaluation_window=SecurityMonitoringRuleEvaluationWindow.ZERO_MINUTES,
        keep_alive=SecurityMonitoringRuleKeepAlive.FIVE_MINUTES,
        max_signal_duration=SecurityMonitoringRuleMaxSignalDuration.TEN_MINUTES,
        detection_method=SecurityMonitoringRuleDetectionMethod.NEW_VALUE,
        new_value_options=SecurityMonitoringRuleNewValueOptions(
            forget_after=7,
            instantaneous_baseline=True,
            learning_duration=1,
            learning_threshold=SecurityMonitoringRuleNewValueOptionsLearningThreshold.ZERO_OCCURRENCES,
            learning_method=SecurityMonitoringRuleNewValueOptionsLearningMethod.DURATION,
        ),
    ),
    queries=[
        SecurityMonitoringStandardRuleQuery(
            query="source:source_here",
            group_by_fields=[
                "@userIdentity.assumed_role",
            ],
            distinct_fields=[],
            metric="name",
            metrics=[
                "name",
            ],
            aggregation=SecurityMonitoringRuleQueryAggregation.NEW_VALUE,
            name="",
            data_source=SecurityMonitoringStandardDataSource.LOGS,
        ),
    ],
    tags=[
        "env:prod",
        "team:security",
    ],
    type=SecurityMonitoringRuleTypeCreate.LOG_DETECTION,
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    api_instance.validate_security_monitoring_rule(body=body)
```


```python
"""
Validate a detection rule with detection method 'sequence_detection' returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.security_monitoring_rule_case_create import SecurityMonitoringRuleCaseCreate
from datadog_api_client.v2.model.security_monitoring_rule_detection_method import SecurityMonitoringRuleDetectionMethod
from datadog_api_client.v2.model.security_monitoring_rule_evaluation_window import (
    SecurityMonitoringRuleEvaluationWindow,
)
from datadog_api_client.v2.model.security_monitoring_rule_keep_alive import SecurityMonitoringRuleKeepAlive
from datadog_api_client.v2.model.security_monitoring_rule_max_signal_duration import (
    SecurityMonitoringRuleMaxSignalDuration,
)
from datadog_api_client.v2.model.security_monitoring_rule_options import SecurityMonitoringRuleOptions
from datadog_api_client.v2.model.security_monitoring_rule_query_aggregation import (
    SecurityMonitoringRuleQueryAggregation,
)
from datadog_api_client.v2.model.security_monitoring_rule_sequence_detection_options import (
    SecurityMonitoringRuleSequenceDetectionOptions,
)
from datadog_api_client.v2.model.security_monitoring_rule_sequence_detection_step import (
    SecurityMonitoringRuleSequenceDetectionStep,
)
from datadog_api_client.v2.model.security_monitoring_rule_sequence_detection_step_transition import (
    SecurityMonitoringRuleSequenceDetectionStepTransition,
)
from datadog_api_client.v2.model.security_monitoring_rule_severity import SecurityMonitoringRuleSeverity
from datadog_api_client.v2.model.security_monitoring_rule_type_create import SecurityMonitoringRuleTypeCreate
from datadog_api_client.v2.model.security_monitoring_standard_rule_payload import SecurityMonitoringStandardRulePayload
from datadog_api_client.v2.model.security_monitoring_standard_rule_query import SecurityMonitoringStandardRuleQuery

body = SecurityMonitoringStandardRulePayload(
    cases=[
        SecurityMonitoringRuleCaseCreate(
            name="",
            status=SecurityMonitoringRuleSeverity.INFO,
            notifications=[],
            condition="step_b > 0",
        ),
    ],
    has_extended_title=True,
    is_enabled=True,
    message="My security monitoring rule",
    name="My security monitoring rule",
    options=SecurityMonitoringRuleOptions(
        evaluation_window=SecurityMonitoringRuleEvaluationWindow.ZERO_MINUTES,
        keep_alive=SecurityMonitoringRuleKeepAlive.FIVE_MINUTES,
        max_signal_duration=SecurityMonitoringRuleMaxSignalDuration.TEN_MINUTES,
        detection_method=SecurityMonitoringRuleDetectionMethod.SEQUENCE_DETECTION,
        sequence_detection_options=SecurityMonitoringRuleSequenceDetectionOptions(
            step_transitions=[
                SecurityMonitoringRuleSequenceDetectionStepTransition(
                    child="step_b",
                    evaluation_window=SecurityMonitoringRuleEvaluationWindow.FIFTEEN_MINUTES,
                    parent="step_a",
                ),
            ],
            steps=[
                SecurityMonitoringRuleSequenceDetectionStep(
                    condition="a > 0",
                    evaluation_window=SecurityMonitoringRuleEvaluationWindow.ONE_MINUTE,
                    name="step_a",
                ),
                SecurityMonitoringRuleSequenceDetectionStep(
                    condition="b > 0",
                    evaluation_window=SecurityMonitoringRuleEvaluationWindow.ONE_MINUTE,
                    name="step_b",
                ),
            ],
        ),
    ),
    queries=[
        SecurityMonitoringStandardRuleQuery(
            query="source:source_here",
            group_by_fields=[
                "@userIdentity.assumed_role",
            ],
            distinct_fields=[],
            aggregation=SecurityMonitoringRuleQueryAggregation.COUNT,
            name="",
        ),
        SecurityMonitoringStandardRuleQuery(
            query="source:source_here2",
            group_by_fields=[],
            distinct_fields=[],
            aggregation=SecurityMonitoringRuleQueryAggregation.COUNT,
            name="",
        ),
    ],
    tags=[
        "env:prod",
        "team:security",
    ],
    type=SecurityMonitoringRuleTypeCreate.LOG_DETECTION,
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    api_instance.validate_security_monitoring_rule(body=body)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest.md?code-lang=python), then save the example to `example.py` and run the following command:

```shell
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
```
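The validation endpoint is the authority on whether a rule is accepted, but a `sequence_detection` payload has enough internal structure (steps, parent/child transitions, case conditions written over step names such as `step_b > 0`) that structural slips can be caught locally first, for example in a CI step that lints rule definitions before they are submitted. The following is an added example and not code from the Datadog client library or from this page's own samples: it takes the sequence_detection rule above, reduced to a plain dict, and checks that every transition joins two distinct defined steps, that the transitions form no cycle, and that case conditions reference only defined step names. Which of these the endpoint itself enforces is not stated on this page; the checks, the identifier regex, the cycle rule and the sample dicts are my assumptions.

```python
"""
Local pre-flight checks for a sequence_detection rule before it is posted to
/api/v2/security_monitoring/rules/validation.

Added example, not part of the Datadog client library. The checks encode
assumptions about what a coherent payload looks like, not the endpoint's rules.
"""
import copy
import re
from typing import Any

# Identifier tokens inside a case condition such as "step_b > 0". Assumption:
# every identifier must be a step name, so keep conditions to step comparisons.
IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def _has_cycle(nodes: set[str], edges: list[tuple[str, str]]) -> bool:
    """Depth-first search over the parent -> child transition graph."""
    adj: dict[str, list[str]] = {n: [] for n in nodes}
    for parent, child in edges:
        if parent in adj and child in adj:  # undefined endpoints are reported elsewhere
            adj[parent].append(child)
    on_path: set[str] = set()
    done: set[str] = set()

    def visit(node: str) -> bool:
        on_path.add(node)
        for nxt in adj[node]:
            if nxt in on_path or (nxt not in done and visit(nxt)):
                return True
        on_path.discard(node)
        done.add(node)
        return False

    return any(n not in done and visit(n) for n in nodes)


def check_sequence_rule(payload: dict[str, Any]) -> list[str]:
    """Return every problem found; an empty list means the payload is consistent."""
    problems: list[str] = []
    options = payload.get("options", {})
    if options.get("detection_method") != "sequence_detection":
        return ["detection_method is not 'sequence_detection'"]
    seq = options.get("sequence_detection_options")
    if not seq:
        return ["sequence_detection_options is missing"]

    steps = seq.get("steps", [])
    names = [s.get("name", "") for s in steps]
    if not steps:
        problems.append("steps is empty")
    if any(not n for n in names):
        problems.append("a step has an empty name")
    for dup in sorted({n for n in names if names.count(n) > 1}):
        problems.append(f"duplicate step name {dup!r}")
    defined = set(names)

    # Each transition must join two distinct steps that actually exist.
    edges: list[tuple[str, str]] = []
    for t in seq.get("step_transitions", []):
        parent, child = t.get("parent"), t.get("child")
        for role, ref in (("parent", parent), ("child", child)):
            if ref not in defined:
                problems.append(f"transition {role} {ref!r} is not a defined step")
        if parent == child:
            problems.append(f"transition from {parent!r} to itself")
        edges.append((parent, child))
    if _has_cycle(defined, edges):  # a sequence that loops back is a mistake (assumption)
        problems.append("step transitions contain a cycle")

    # Case conditions are written over step names (the page's example: "step_b > 0").
    for i, case in enumerate(payload.get("cases", [])):
        for ident in IDENT.findall(case.get("condition", "")):
            if ident not in defined:
                problems.append(f"case {i} condition references unknown step {ident!r}")
    return problems


# Constructed sample: the sequence_detection rule shown above, reduced to the
# fields these checks read and written as a plain dict.
SEQUENCE_RULE: dict[str, Any] = {
    "name": "My security monitoring rule",
    "cases": [{"name": "", "status": "info", "condition": "step_b > 0"}],
    "options": {
        "detection_method": "sequence_detection",
        "sequence_detection_options": {
            "steps": [{"name": "step_a", "condition": "a > 0"},
                      {"name": "step_b", "condition": "b > 0"}],
            "step_transitions": [{"parent": "step_a", "child": "step_b"}],
        },
    },
}


def with_transition(payload: dict[str, Any], parent: str, child: str) -> dict[str, Any]:
    """Deep copy of payload with one more parent -> child transition appended."""
    out = copy.deepcopy(payload)
    out["options"]["sequence_detection_options"]["step_transitions"].append(
        {"parent": parent, "child": child})
    return out


def broken_variant() -> dict[str, Any]:
    """Constructed mistake: transition and case both name a step that was never defined."""
    out = copy.deepcopy(SEQUENCE_RULE)
    out["options"]["sequence_detection_options"]["step_transitions"][0]["child"] = "step_c"
    out["cases"][0]["condition"] = "step_c > 0"
    return out


if __name__ == "__main__":
    for label, rule in (("page example", SEQUENCE_RULE), ("broken copy", broken_variant())):
        found = check_sequence_rule(rule)
        print(f"{label}: {'consistent, ready to submit' if not found else found}")
```

Run the checker over rule definitions kept in version control and only call `validate_security_monitoring_rule` on payloads that come back clean; a non-empty list pinpoints the offending step or case, whereas the endpoint's error body has to be read back out of the `ApiException`.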

```ruby
# Validate a detection rule returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

body = DatadogAPIClient::V2::SecurityMonitoringStandardRulePayload.new({
  cases: [
    DatadogAPIClient::V2::SecurityMonitoringRuleCaseCreate.new({
      name: "",
      status: DatadogAPIClient::V2::SecurityMonitoringRuleSeverity::INFO,
      notifications: [],
      condition: "a > 0",
    }),
  ],
  has_extended_title: true,
  is_enabled: true,
  message: "My security monitoring rule",
  name: "My security monitoring rule",
  options: DatadogAPIClient::V2::SecurityMonitoringRuleOptions.new({
    evaluation_window: DatadogAPIClient::V2::SecurityMonitoringRuleEvaluationWindow::THIRTY_MINUTES,
    keep_alive: DatadogAPIClient::V2::SecurityMonitoringRuleKeepAlive::THIRTY_MINUTES,
    max_signal_duration: DatadogAPIClient::V2::SecurityMonitoringRuleMaxSignalDuration::THIRTY_MINUTES,
    detection_method: DatadogAPIClient::V2::SecurityMonitoringRuleDetectionMethod::THRESHOLD,
  }),
  queries: [
    DatadogAPIClient::V2::SecurityMonitoringStandardRuleQuery.new({
      query: "source:source_here",
      group_by_fields: [
        "@userIdentity.assumed_role",
      ],
      distinct_fields: [],
      aggregation: DatadogAPIClient::V2::SecurityMonitoringRuleQueryAggregation::COUNT,
      name: "",
    }),
  ],
  tags: [
    "env:prod",
    "team:security",
  ],
  type: DatadogAPIClient::V2::SecurityMonitoringRuleTypeCreate::LOG_DETECTION,
})
api_instance.validate_security_monitoring_rule(body)
```


```ruby
# Validate a detection rule with detection method 'new_value' with enabled feature 'instantaneousBaseline' returns "OK"
# response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

body = DatadogAPIClient::V2::SecurityMonitoringStandardRulePayload.new({
  cases: [
    DatadogAPIClient::V2::SecurityMonitoringRuleCaseCreate.new({
      name: "",
      status: DatadogAPIClient::V2::SecurityMonitoringRuleSeverity::INFO,
      notifications: [],
    }),
  ],
  has_extended_title: true,
  is_enabled: true,
  message: "My security monitoring rule",
  name: "My security monitoring rule",
  options: DatadogAPIClient::V2::SecurityMonitoringRuleOptions.new({
    evaluation_window: DatadogAPIClient::V2::SecurityMonitoringRuleEvaluationWindow::ZERO_MINUTES,
    keep_alive: DatadogAPIClient::V2::SecurityMonitoringRuleKeepAlive::FIVE_MINUTES,
    max_signal_duration: DatadogAPIClient::V2::SecurityMonitoringRuleMaxSignalDuration::TEN_MINUTES,
    detection_method: DatadogAPIClient::V2::SecurityMonitoringRuleDetectionMethod::NEW_VALUE,
    new_value_options: DatadogAPIClient::V2::SecurityMonitoringRuleNewValueOptions.new({
      forget_after: 7,
      instantaneous_baseline: true,
      learning_duration: 1,
      learning_threshold: DatadogAPIClient::V2::SecurityMonitoringRuleNewValueOptionsLearningThreshold::ZERO_OCCURRENCES,
      learning_method: DatadogAPIClient::V2::SecurityMonitoringRuleNewValueOptionsLearningMethod::DURATION,
    }),
  }),
  queries: [
    DatadogAPIClient::V2::SecurityMonitoringStandardRuleQuery.new({
      query: "source:source_here",
      group_by_fields: [
        "@userIdentity.assumed_role",
      ],
      distinct_fields: [],
      metric: "name",
      metrics: [
        "name",
      ],
      aggregation: DatadogAPIClient::V2::SecurityMonitoringRuleQueryAggregation::NEW_VALUE,
      name: "",
      data_source: DatadogAPIClient::V2::SecurityMonitoringStandardDataSource::LOGS,
    }),
  ],
  tags: [
    "env:prod",
    "team:security",
  ],
  type: DatadogAPIClient::V2::SecurityMonitoringRuleTypeCreate::LOG_DETECTION,
})
api_instance.validate_security_monitoring_rule(body)
```


```ruby
# Validate a detection rule with detection method 'sequence_detection' returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

body = DatadogAPIClient::V2::SecurityMonitoringStandardRulePayload.new({
  cases: [
    DatadogAPIClient::V2::SecurityMonitoringRuleCaseCreate.new({
      name: "",
      status: DatadogAPIClient::V2::SecurityMonitoringRuleSeverity::INFO,
      notifications: [],
      condition: "step_b > 0",
    }),
  ],
  has_extended_title: true,
  is_enabled: true,
  message: "My security monitoring rule",
  name: "My security monitoring rule",
  options: DatadogAPIClient::V2::SecurityMonitoringRuleOptions.new({
    evaluation_window: DatadogAPIClient::V2::SecurityMonitoringRuleEvaluationWindow::ZERO_MINUTES,
    keep_alive: DatadogAPIClient::V2::SecurityMonitoringRuleKeepAlive::FIVE_MINUTES,
    max_signal_duration: DatadogAPIClient::V2::SecurityMonitoringRuleMaxSignalDuration::TEN_MINUTES,
    detection_method: DatadogAPIClient::V2::SecurityMonitoringRuleDetectionMethod::SEQUENCE_DETECTION,
    sequence_detection_options: DatadogAPIClient::V2::SecurityMonitoringRuleSequenceDetectionOptions.new({
      step_transitions: [
        DatadogAPIClient::V2::SecurityMonitoringRuleSequenceDetectionStepTransition.new({
          child: "step_b",
          evaluation_window: DatadogAPIClient::V2::SecurityMonitoringRuleEvaluationWindow::FIFTEEN_MINUTES,
          parent: "step_a",
        }),
      ],
      steps: [
        DatadogAPIClient::V2::SecurityMonitoringRuleSequenceDetectionStep.new({
          condition: "a > 0",
          evaluation_window: DatadogAPIClient::V2::SecurityMonitoringRuleEvaluationWindow::ONE_MINUTE,
          name: "step_a",
        }),
        DatadogAPIClient::V2::SecurityMonitoringRuleSequenceDetectionStep.new({
          condition: "b > 0",
          evaluation_window: DatadogAPIClient::V2::SecurityMonitoringRuleEvaluationWindow::ONE_MINUTE,
          name: "step_b",
        }),
      ],
    }),
  }),
  queries: [
    DatadogAPIClient::V2::SecurityMonitoringStandardRuleQuery.new({
      query: "source:source_here",
      group_by_fields: [
        "@userIdentity.assumed_role",
      ],
      distinct_fields: [],
      aggregation: DatadogAPIClient::V2::SecurityMonitoringRuleQueryAggregation::COUNT,
      name: "",
    }),
    DatadogAPIClient::V2::SecurityMonitoringStandardRuleQuery.new({
      query: "source:source_here2",
      group_by_fields: [],
      distinct_fields: [],
      aggregation: DatadogAPIClient::V2::SecurityMonitoringRuleQueryAggregation::COUNT,
      name: "",
    }),
  ],
  tags: [
    "env:prod",
    "team:security",
  ],
  type: DatadogAPIClient::V2::SecurityMonitoringRuleTypeCreate::LOG_DETECTION,
})
api_instance.validate_security_monitoring_rule(body)
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest.md?code-lang=ruby), then save the example to `example.rb` and run the following command:

```shell
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" ruby "example.rb"
```

```rust
// Validate a detection rule returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleCaseCreate;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleDetectionMethod;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleEvaluationWindow;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleKeepAlive;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleMaxSignalDuration;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleOptions;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleQueryAggregation;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleSeverity;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleTypeCreate;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleValidatePayload;
use datadog_api_client::datadogV2::model::SecurityMonitoringStandardRulePayload;
use datadog_api_client::datadogV2::model::SecurityMonitoringStandardRuleQuery;

#[tokio::main]
async fn main() {
    let body =
        SecurityMonitoringRuleValidatePayload::SecurityMonitoringStandardRulePayload(Box::new(
            SecurityMonitoringStandardRulePayload::new(
                vec![
                    SecurityMonitoringRuleCaseCreate::new(SecurityMonitoringRuleSeverity::INFO)
                        .condition("a > 0".to_string())
                        .name("".to_string())
                        .notifications(vec![]),
                ],
                true,
                "My security monitoring rule".to_string(),
                "My security monitoring rule".to_string(),
                SecurityMonitoringRuleOptions::new()
                    .detection_method(SecurityMonitoringRuleDetectionMethod::THRESHOLD)
                    .evaluation_window(SecurityMonitoringRuleEvaluationWindow::THIRTY_MINUTES)
                    .keep_alive(SecurityMonitoringRuleKeepAlive::THIRTY_MINUTES)
                    .max_signal_duration(SecurityMonitoringRuleMaxSignalDuration::THIRTY_MINUTES),
                vec![SecurityMonitoringStandardRuleQuery::new()
                    .aggregation(SecurityMonitoringRuleQueryAggregation::COUNT)
                    .distinct_fields(vec![])
                    .group_by_fields(vec!["@userIdentity.assumed_role".to_string()])
                    .name("".to_string())
                    .query("source:source_here".to_string())],
            )
            .has_extended_title(true)
            .tags(vec!["env:prod".to_string(), "team:security".to_string()])
            .type_(SecurityMonitoringRuleTypeCreate::LOG_DETECTION),
        ));
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api.validate_security_monitoring_rule(body).await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}
```


```rust
// Validate a detection rule with detection method 'new_value' with enabled
// feature 'instantaneousBaseline' returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleCaseCreate;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleDetectionMethod;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleEvaluationWindow;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleKeepAlive;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleMaxSignalDuration;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleNewValueOptions;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleNewValueOptionsLearningMethod;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleNewValueOptionsLearningThreshold;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleOptions;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleQueryAggregation;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleSeverity;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleTypeCreate;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleValidatePayload;
use datadog_api_client::datadogV2::model::SecurityMonitoringStandardDataSource;
use datadog_api_client::datadogV2::model::SecurityMonitoringStandardRulePayload;
use datadog_api_client::datadogV2::model::SecurityMonitoringStandardRuleQuery;

#[tokio::main]
async fn main() {
    let body =
        SecurityMonitoringRuleValidatePayload::SecurityMonitoringStandardRulePayload(
            Box::new(
                SecurityMonitoringStandardRulePayload::new(
                    vec![
                        SecurityMonitoringRuleCaseCreate::new(SecurityMonitoringRuleSeverity::INFO)
                            .name("".to_string())
                            .notifications(vec![])
                    ],
                    true,
                    "My security monitoring rule".to_string(),
                    "My security monitoring rule".to_string(),
                    SecurityMonitoringRuleOptions::new()
                        .detection_method(SecurityMonitoringRuleDetectionMethod::NEW_VALUE)
                        .evaluation_window(SecurityMonitoringRuleEvaluationWindow::ZERO_MINUTES)
                        .keep_alive(SecurityMonitoringRuleKeepAlive::FIVE_MINUTES)
                        .max_signal_duration(SecurityMonitoringRuleMaxSignalDuration::TEN_MINUTES)
                        .new_value_options(
                            SecurityMonitoringRuleNewValueOptions::new()
                                .forget_after(7)
                                .instantaneous_baseline(true)
                                .learning_duration(1)
                                .learning_method(SecurityMonitoringRuleNewValueOptionsLearningMethod::DURATION)
                                .learning_threshold(
                                    SecurityMonitoringRuleNewValueOptionsLearningThreshold::ZERO_OCCURRENCES,
                                ),
                        ),
                    vec![
                        SecurityMonitoringStandardRuleQuery::new()
                            .aggregation(SecurityMonitoringRuleQueryAggregation::NEW_VALUE)
                            .data_source(SecurityMonitoringStandardDataSource::LOGS)
                            .distinct_fields(vec![])
                            .group_by_fields(vec!["@userIdentity.assumed_role".to_string()])
                            .metric("name".to_string())
                            .metrics(vec!["name".to_string()])
                            .name("".to_string())
                            .query("source:source_here".to_string())
                    ],
                )
                    .has_extended_title(true)
                    .tags(vec!["env:prod".to_string(), "team:security".to_string()])
                    .type_(SecurityMonitoringRuleTypeCreate::LOG_DETECTION),
            ),
        );
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api.validate_security_monitoring_rule(body).await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}
```


```rust
// Validate a detection rule with detection method 'sequence_detection' returns
// "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleCaseCreate;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleDetectionMethod;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleEvaluationWindow;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleKeepAlive;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleMaxSignalDuration;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleOptions;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleQueryAggregation;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleSequenceDetectionOptions;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleSequenceDetectionStep;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleSequenceDetectionStepTransition;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleSeverity;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleTypeCreate;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleValidatePayload;
use datadog_api_client::datadogV2::model::SecurityMonitoringStandardRulePayload;
use datadog_api_client::datadogV2::model::SecurityMonitoringStandardRuleQuery;

#[tokio::main]
async fn main() {
    let body =
        SecurityMonitoringRuleValidatePayload::SecurityMonitoringStandardRulePayload(Box::new(
            SecurityMonitoringStandardRulePayload::new(
                vec![
                    SecurityMonitoringRuleCaseCreate::new(SecurityMonitoringRuleSeverity::INFO)
                        .condition("step_b > 0".to_string())
                        .name("".to_string())
                        .notifications(vec![]),
                ],
                true,
                "My security monitoring rule".to_string(),
                "My security monitoring rule".to_string(),
                SecurityMonitoringRuleOptions::new()
                    .detection_method(SecurityMonitoringRuleDetectionMethod::SEQUENCE_DETECTION)
                    .evaluation_window(SecurityMonitoringRuleEvaluationWindow::ZERO_MINUTES)
                    .keep_alive(SecurityMonitoringRuleKeepAlive::FIVE_MINUTES)
                    .max_signal_duration(SecurityMonitoringRuleMaxSignalDuration::TEN_MINUTES)
                    .sequence_detection_options(
                        SecurityMonitoringRuleSequenceDetectionOptions::new()
                            .step_transitions(vec![
                                SecurityMonitoringRuleSequenceDetectionStepTransition::new()
                                    .child("step_b".to_string())
                                    .evaluation_window(
                                        SecurityMonitoringRuleEvaluationWindow::FIFTEEN_MINUTES,
                                    )
                                    .parent("step_a".to_string()),
                            ])
                            .steps(vec![
                                SecurityMonitoringRuleSequenceDetectionStep::new()
                                    .condition("a > 0".to_string())
                                    .evaluation_window(
                                        SecurityMonitoringRuleEvaluationWindow::ONE_MINUTE,
                                    )
                                    .name("step_a".to_string()),
                                SecurityMonitoringRuleSequenceDetectionStep::new()
                                    .condition("b > 0".to_string())
                                    .evaluation_window(
                                        SecurityMonitoringRuleEvaluationWindow::ONE_MINUTE,
                                    )
                                    .name("step_b".to_string()),
                            ]),
                    ),
                vec![
                    SecurityMonitoringStandardRuleQuery::new()
                        .aggregation(SecurityMonitoringRuleQueryAggregation::COUNT)
                        .distinct_fields(vec![])
                        .group_by_fields(vec!["@userIdentity.assumed_role".to_string()])
                        .name("".to_string())
                        .query("source:source_here".to_string()),
                    SecurityMonitoringStandardRuleQuery::new()
                        .aggregation(SecurityMonitoringRuleQueryAggregation::COUNT)
                        .distinct_fields(vec![])
                        .group_by_fields(vec![])
                        .name("".to_string())
                        .query("source:source_here2".to_string()),
                ],
            )
            .has_extended_title(true)
            .tags(vec!["env:prod".to_string(), "team:security".to_string()])
            .type_(SecurityMonitoringRuleTypeCreate::LOG_DETECTION),
        ));
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api.validate_security_monitoring_rule(body).await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}
```

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest.md?code-lang=rust), then save the example to `src/main.rs` and run the following command:

```shell
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run
```

```typescript
/**
 * Validate a detection rule returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiValidateSecurityMonitoringRuleRequest = {
  body: {
    cases: [
      {
        name: "",
        status: "info",
        notifications: [],
        condition: "a > 0",
      },
    ],
    hasExtendedTitle: true,
    isEnabled: true,
    message: "My security monitoring rule",
    name: "My security monitoring rule",
    options: {
      evaluationWindow: 1800,
      keepAlive: 1800,
      maxSignalDuration: 1800,
      detectionMethod: "threshold",
    },
    queries: [
      {
        query: "source:source_here",
        groupByFields: ["@userIdentity.assumed_role"],
        distinctFields: [],
        aggregation: "count",
        name: "",
      },
    ],
    tags: ["env:prod", "team:security"],
    type: "log_detection",
  },
};

apiInstance
  .validateSecurityMonitoringRule(params)
  .then((data: any) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));
```


```typescript
/**
 * Validate a detection rule with detection method 'new_value' with enabled feature 'instantaneousBaseline' returns "OK"
 * response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiValidateSecurityMonitoringRuleRequest = {
  body: {
    cases: [
      {
        name: "",
        status: "info",
        notifications: [],
      },
    ],
    hasExtendedTitle: true,
    isEnabled: true,
    message: "My security monitoring rule",
    name: "My security monitoring rule",
    options: {
      evaluationWindow: 0,
      keepAlive: 300,
      maxSignalDuration: 600,
      detectionMethod: "new_value",
      newValueOptions: {
        forgetAfter: 7,
        instantaneousBaseline: true,
        learningDuration: 1,
        learningThreshold: 0,
        learningMethod: "duration",
      },
    },
    queries: [
      {
        query: "source:source_here",
        groupByFields: ["@userIdentity.assumed_role"],
        distinctFields: [],
        metric: "name",
        metrics: ["name"],
        aggregation: "new_value",
        name: "",
        dataSource: "logs",
      },
    ],
    tags: ["env:prod", "team:security"],
    type: "log_detection",
  },
};

apiInstance
  .validateSecurityMonitoringRule(params)
  .then((data: any) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));
```


```typescript
/**
 * Validate a detection rule with detection method 'sequence_detection' returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiValidateSecurityMonitoringRuleRequest = {
  body: {
    cases: [
      {
        name: "",
        status: "info",
        notifications: [],
        condition: "step_b > 0",
      },
    ],
    hasExtendedTitle: true,
    isEnabled: true,
    message: "My security monitoring rule",
    name: "My security monitoring rule",
    options: {
      evaluationWindow: 0,
      keepAlive: 300,
      maxSignalDuration: 600,
      detectionMethod: "sequence_detection",
      sequenceDetectionOptions: {
        stepTransitions: [
          {
            child: "step_b",
            evaluationWindow: 900,
            parent: "step_a",
          },
        ],
        steps: [
          {
            condition: "a > 0",
            evaluationWindow: 60,
            name: "step_a",
          },
          {
            condition: "b > 0",
            evaluationWindow: 60,
            name: "step_b",
          },
        ],
      },
    },
    queries: [
      {
        query: "source:source_here",
        groupByFields: ["@userIdentity.assumed_role"],
        distinctFields: [],
        aggregation: "count",
        name: "",
      },
      {
        query: "source:source_here2",
        groupByFields: [],
        distinctFields: [],
        aggregation: "count",
        name: "",
      },
    ],
    tags: ["env:prod", "team:security"],
    type: "log_detection",
  },
};

apiInstance
  .validateSecurityMonitoringRule(params)
  .then((data: any) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));
```
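
A local pre-flight consistency check for the `sequence_detection` body, added here as an example that is not part of the Datadog docs or the client library; it catches referential mistakes (a transition or case condition naming a step that does not exist) before the request reaches the validation endpoint. It assumes the hand-written `SequenceRuleBody` subset of the request body and the field names used in the example above.

```typescript
// Added pre-flight check, not part of the Datadog docs or client library: verifies that
// a 'sequence_detection' rule body is internally consistent (unique step names, transitions
// that reference defined steps, case conditions that name a step) before it is sent.
// The interfaces are a hand-written subset of the request body shown above (assumption).
interface SequenceStep { name: string; condition: string; evaluationWindow: number }
interface StepTransition { parent: string; child: string; evaluationWindow: number }
interface SequenceRuleBody {
  cases: { name: string; status: string; condition?: string }[];
  options: { detectionMethod: string;
             sequenceDetectionOptions?: { steps: SequenceStep[]; stepTransitions: StepTransition[] } };
}

// Returns a list of problems; an empty list means the body passed every check.
function checkSequenceRule(body: SequenceRuleBody): string[] {
  const problems: string[] = [];
  if (body.options.detectionMethod !== "sequence_detection") {
    return [`detectionMethod is '${body.options.detectionMethod}', expected 'sequence_detection'`];
  }
  const seq = body.options.sequenceDetectionOptions;
  if (!seq || seq.steps.length === 0) return ["sequenceDetectionOptions.steps is missing or empty"];
  const names = new Set<string>();
  for (const s of seq.steps) {
    if (names.has(s.name)) problems.push(`duplicate step name '${s.name}'`);
    names.add(s.name);
  }
  for (const t of seq.stepTransitions) {
    if (!names.has(t.parent)) problems.push(`transition parent '${t.parent}' is not a defined step`);
    if (!names.has(t.child)) problems.push(`transition child '${t.child}' is not a defined step`);
    if (t.parent === t.child) problems.push(`transition from '${t.parent}' to itself`);
  }
  // A case condition such as "step_b > 0" must name at least one defined step.
  for (const c of body.cases) {
    const ids = (c.condition ?? "").match(/[A-Za-z_][A-Za-z0-9_]*/g) ?? [];
    if (!ids.some((id) => names.has(id))) {
      problems.push(`case condition '${c.condition ?? ""}' references no defined step`);
    }
  }
  return problems;
}

// Constructed sample mirroring the sequence_detection payload above; passes every check.
const sampleSequenceBody: SequenceRuleBody = {
  cases: [{ name: "", status: "info", condition: "step_b > 0" }],
  options: { detectionMethod: "sequence_detection", sequenceDetectionOptions: {
    stepTransitions: [{ child: "step_b", evaluationWindow: 900, parent: "step_a" }],
    steps: [{ condition: "a > 0", evaluationWindow: 60, name: "step_a" },
            { condition: "b > 0", evaluationWindow: 60, name: "step_b" }],
  } },
};
```

Run `checkSequenceRule` on the body you are about to submit and only call `validateSecurityMonitoringRule` when it returns an empty list; the server-side validation still has the final say on values this check does not cover.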

#### Instructions

First [install the library and its dependencies](https://docs.datadoghq.com/api/latest.md?code-lang=typescript), then save the example to `example.ts` and run the following command:

```shell
DD_SITE="datadoghq.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"
```
{% /tab %}
