Security Monitoring
Security Monitoring is now available Security Monitoring is now available

Security Monitoring

Detection Rules for generating signals

Create a detection rule

post https://api.datadoghq.comhttps://api.datadoghq.eu/api/v2/security_monitoring/rules

Overview

Create a detection rule.

Request

Body Data

Expand All

Field

Type

Description

cases [required]

[object]

Cases for generating signals.

condition

string

A rule case contains logical operations (>, >=, &&, ||) to determine if a signal should be generated based on the event counts in the previously defined queries.

name [required]

string

Name of the case.

notifications

[string]

Notification targets for each rule case

status

enum

Severity of the Security Signal. Allowed enum values: info,low,medium,high,critical

enabled [required]

boolean

Whether the rule is enabled.

message [required]

string

Message for generated signals.

name [required]

string

The name of the rule

options [required]

object

Options on rules.

evaluationWindow

enum

A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. Allowed enum values: 0,60,300,600,900,1800,3600,7200

keepAlive

enum

Once a signal is generated, the signal will remain “open” if a case is matched at least once within this keep alive window. Allowed enum values: 0,60,300,600,900,1800,3600,7200

maxSignalDuration

enum

A signal will “close” regardless of the query being matched once the time exceeds the maximum duration. This time is calculated from the first seen timestamp. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400

queries [required]

[object]

Queries for selecting logs which are part of the rule.

groupByFields

[string]

Fields to group by.

name [required]

string

Name of the query

query

string

Query to run on logs

tags [required]

[string]

Tags for generated signals.

{
  "cases": [
    {
      "condition": "string",
      "name": "string",
      "notifications": [],
      "status": "string"
    }
  ],
  "enabled": true,
  "message": "",
  "name": "",
  "options": {
    "evaluationWindow": "integer",
    "keepAlive": "integer",
    "maxSignalDuration": "integer"
  },
  "queries": [
    {
      "groupByFields": [],
      "name": "string",
      "query": "string"
    }
  ],
  "tags": [
    "env:prod",
    "team:security"
  ]
}

Response

OK

Detection rule

Expand All

Field

Type

Description

cases

[object]

Cases for generating signals.

condition

string

A rule case contains logical operations (>, >=, &&, ||) to determine if a signal should be generated based on the event counts in the previously defined queries.

name

string

Name of the case.

notifications

[string]

Notification targets for each rule case

status

enum

Severity of the Security Signal. Allowed enum values: info,low,medium,high,critical

createdAt

int64

When the rule was created, timestamp in milliseconds.

creationAuthorId

int64

User ID of the user who created the rule.

id

string

The ID of the rule.

isDefault

boolean

Whether the rule is included by default.

isDeleted

boolean

Whether the rule has been deleted.

isEnabled

boolean

Whether the rule is enabled.

message

string

Message for generated signals.

name

string

The name of the rule.

options

object

Options on rules.

evaluationWindow

enum

A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. Allowed enum values: 0,60,300,600,900,1800,3600,7200

keepAlive

enum

Once a signal is generated, the signal will remain “open” if a case is matched at least once within this keep alive window. Allowed enum values: 0,60,300,600,900,1800,3600,7200

maxSignalDuration

enum

A signal will “close” regardless of the query being matched once the time exceeds the maximum duration. This time is calculated from the first seen timestamp. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400

queries

[object]

Queries for selecting logs which are part of the rule.

groupByFields

[string]

Fields to group by.

name

string

Name of the query

query

string

Query to run on logs

tags

[string]

Tags for generated signals.

version

int64

The version of the rule.

{
  "cases": [
    {
      "condition": "string",
      "name": "string",
      "notifications": [],
      "status": "string"
    }
  ],
  "createdAt": "integer",
  "creationAuthorId": "integer",
  "id": "string",
  "isDefault": false,
  "isDeleted": false,
  "isEnabled": false,
  "message": "string",
  "name": "string",
  "options": {
    "evaluationWindow": "integer",
    "keepAlive": "integer",
    "maxSignalDuration": "integer"
  },
  "queries": [
    {
      "groupByFields": [],
      "name": "string",
      "query": "string"
    }
  ],
  "tags": [],
  "version": "integer"
}

Bad Request

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Not Authorized

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Code Example


                                        # Curl command
curl -X post https://api.datadoghq.comhttps://api.datadoghq.eu/api/v2/security_monitoring/rules \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_CLIENT_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_CLIENT_APP_KEY}" \
-d @- << EOF
{
  "cases": [
    {}
  ],
  "enabled": true,
  "message": "",
  "name": "",
  "options": {},
  "queries": [
    {}
  ],
  "tags": [
    "env:prod",
    "team:security"
  ]
}
EOF

                                        
package main

import (
    "context"
    "fmt"
    "os"
    datadog "github.com/DataDog/datadog-api-client-go/api/v2/datadog"
)

func main() {
    ctx := context.WithValue(
        context.Background(),
        datadog.ContextAPIKeys,
        map[string]datadog.APIKey{
            "apiKeyAuth": {
                Key: os.Getenv("DD_CLIENT_API_KEY"),
            },
            "appKeyAuth": {
                Key: os.Getenv("DD_CLIENT_APP_KEY"),
            },
        },
    )

    body := datadog.SecurityMonitoringRuleCreatePayload{Cases: []SecurityMonitoringRuleCase{datadog.SecurityMonitoringRuleCase{Condition: "Condition_example", Name: "Name_example", Notifications: []string{"Notifications_example"), Status: datadog.SecurityMonitoringRuleSeverity{}}), Enabled: true, Message: "Message_example", Name: "Name_example", Options: datadog.SecurityMonitoringRuleOptions{EvaluationWindow: datadog.SecurityMonitoringRuleEvaluationWindow{}, KeepAlive: datadog.SecurityMonitoringRuleKeepAlive{}, MaxSignalDuration: datadog.SecurityMonitoringRuleMaxSignalDuration{}}, Queries: []SecurityMonitoringRuleQuery{datadog.SecurityMonitoringRuleQuery{GroupByFields: []string{"GroupByFields_example"), Name: "Name_example", Query: "Query_example"}), Tags: []string{"Tags_example")} // SecurityMonitoringRuleCreatePayload |  (optional)

    configuration := datadog.NewConfiguration()
    api_client := datadog.NewAPIClient(configuration)
    resp, r, err := api_client.SecurityMonitoringApi.CreateSecurityMonitoringRule(ctx).Body(body).Execute()
    if err != nil {
        fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.CreateSecurityMonitoringRule``: %v\n", err)
        fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
    }
    // response from `CreateSecurityMonitoringRule`: SecurityMonitoringRuleResponse
    fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.CreateSecurityMonitoringRule`: %v\n", resp)
}
// Import classes:
import com.datadog.api.v2.client.ApiClient;
import com.datadog.api.v2.client.ApiException;
import com.datadog.api.v2.client.Configuration;
import com.datadog.api.v2.client.auth.*;
import com.datadog.api.v2.client.models.*;
import com.datadog.api.v2.client.api.SecurityMonitoringApi;

public class Example {
    public static void main(String[] args) {
        ApiClient defaultClient = Configuration.getDefaultApiClient();
        // Configure the Datadog site to send API calls to
        HashMap<String, String> serverVariables = new HashMap<String, String>();
        String site = System.getenv("DD_SITE");
        if (site != null) {
            serverVariables.put("site", site);
            defaultClient.setServerVariables(serverVariables);
        }
        // Configure API key authorization: 
        HashMap<String, String> secrets = new HashMap<String, String>();
        secrets.put("apiKeyAuth", System.getenv("DD_CLIENT_API_KEY"));
        secrets.put("appKeyAuth", System.getenv("DD_CLIENT_APP_KEY"));
        defaultClient.configureApiKeys(secrets);

        SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);
        SecurityMonitoringRuleCreatePayload body = new SecurityMonitoringRuleCreatePayload(); // SecurityMonitoringRuleCreatePayload | 
        try {
            SecurityMonitoringRuleResponse result = api.createSecurityMonitoringRule()
                .body(body)
                .execute();
            System.out.println(result);
        } catch (ApiException e) {
            System.err.println("Exception when calling SecurityMonitoringApi#createSecurityMonitoringRule");
            System.err.println("Status code: " + e.getCode());
            System.err.println("Reason: " + e.getResponseBody());
            System.err.println("Response headers: " + e.getResponseHeaders());
            e.printStackTrace();
        }
    }
}

Delete an existing rule

delete https://api.datadoghq.comhttps://api.datadoghq.eu/api/v2/security_monitoring/rules/{rule_id}

Overview

Delete an existing rule. Default rules cannot be deleted.

Arguments

Path Parameters

Name

Type

Description

rule_id [required]

string

The ID of the rule.

Response

OK

Not Authorized

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Not Found

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Code Example


                                        # Path parameters
export rule_id="CHANGE_ME"
# Curl command curl -X delete https://api.datadoghq.comhttps://api.datadoghq.eu/api/v2/security_monitoring/rules/${rule_id} \ -H "Content-Type: application/json" \ -H "DD-API-KEY: ${DD_CLIENT_API_KEY}" \ -H "DD-APPLICATION-KEY: ${DD_CLIENT_APP_KEY}"
package main

import (
    "context"
    "fmt"
    "os"
    datadog "github.com/DataDog/datadog-api-client-go/api/v2/datadog"
)

func main() {
    ctx := context.WithValue(
        context.Background(),
        datadog.ContextAPIKeys,
        map[string]datadog.APIKey{
            "apiKeyAuth": {
                Key: os.Getenv("DD_CLIENT_API_KEY"),
            },
            "appKeyAuth": {
                Key: os.Getenv("DD_CLIENT_APP_KEY"),
            },
        },
    )

    ruleId := "ruleId_example" // string | The ID of the rule.

    configuration := datadog.NewConfiguration()
    api_client := datadog.NewAPIClient(configuration)
    resp, r, err := api_client.SecurityMonitoringApi.DeleteSecurityMonitoringRule(ctx, ruleId).Execute()
    if err != nil {
        fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.DeleteSecurityMonitoringRule``: %v\n", err)
        fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
    }
}
// Import classes:
import com.datadog.api.v2.client.ApiClient;
import com.datadog.api.v2.client.ApiException;
import com.datadog.api.v2.client.Configuration;
import com.datadog.api.v2.client.auth.*;
import com.datadog.api.v2.client.models.*;
import com.datadog.api.v2.client.api.SecurityMonitoringApi;

public class Example {
    public static void main(String[] args) {
        ApiClient defaultClient = Configuration.getDefaultApiClient();
        // Configure the Datadog site to send API calls to
        HashMap<String, String> serverVariables = new HashMap<String, String>();
        String site = System.getenv("DD_SITE");
        if (site != null) {
            serverVariables.put("site", site);
            defaultClient.setServerVariables(serverVariables);
        }
        // Configure API key authorization: 
        HashMap<String, String> secrets = new HashMap<String, String>();
        secrets.put("apiKeyAuth", System.getenv("DD_CLIENT_API_KEY"));
        secrets.put("appKeyAuth", System.getenv("DD_CLIENT_APP_KEY"));
        defaultClient.configureApiKeys(secrets);

        SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);
        String ruleId = "ruleId_example"; // String | The ID of the rule.
        try {
            api.deleteSecurityMonitoringRule(ruleId)
                .execute();
        } catch (ApiException e) {
            System.err.println("Exception when calling SecurityMonitoringApi#deleteSecurityMonitoringRule");
            System.err.println("Status code: " + e.getCode());
            System.err.println("Reason: " + e.getResponseBody());
            System.err.println("Response headers: " + e.getResponseHeaders());
            e.printStackTrace();
        }
    }
}

Get a rule's details

get https://api.datadoghq.comhttps://api.datadoghq.eu/api/v2/security_monitoring/rules/{rule_id}

Overview

Get a rule’s details.

Arguments

Path Parameters

Name

Type

Description

rule_id [required]

string

The ID of the rule.

Response

OK

Detection rule

Expand All

Field

Type

Description

cases

[object]

Cases for generating signals.

condition

string

A rule case contains logical operations (>, >=, &&, ||) to determine if a signal should be generated based on the event counts in the previously defined queries.

name

string

Name of the case.

notifications

[string]

Notification targets for each rule case

status

enum

Severity of the Security Signal. Allowed enum values: info,low,medium,high,critical

createdAt

int64

When the rule was created, timestamp in milliseconds.

creationAuthorId

int64

User ID of the user who created the rule.

id

string

The ID of the rule.

isDefault

boolean

Whether the rule is included by default.

isDeleted

boolean

Whether the rule has been deleted.

isEnabled

boolean

Whether the rule is enabled.

message

string

Message for generated signals.

name

string

The name of the rule.

options

object

Options on rules.

evaluationWindow

enum

A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. Allowed enum values: 0,60,300,600,900,1800,3600,7200

keepAlive

enum

Once a signal is generated, the signal will remain “open” if a case is matched at least once within this keep alive window. Allowed enum values: 0,60,300,600,900,1800,3600,7200

maxSignalDuration

enum

A signal will “close” regardless of the query being matched once the time exceeds the maximum duration. This time is calculated from the first seen timestamp. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400

queries

[object]

Queries for selecting logs which are part of the rule.

groupByFields

[string]

Fields to group by.

name

string

Name of the query

query

string

Query to run on logs

tags

[string]

Tags for generated signals.

version

int64

The version of the rule.

{
  "cases": [
    {
      "condition": "string",
      "name": "string",
      "notifications": [],
      "status": "string"
    }
  ],
  "createdAt": "integer",
  "creationAuthorId": "integer",
  "id": "string",
  "isDefault": false,
  "isDeleted": false,
  "isEnabled": false,
  "message": "string",
  "name": "string",
  "options": {
    "evaluationWindow": "integer",
    "keepAlive": "integer",
    "maxSignalDuration": "integer"
  },
  "queries": [
    {
      "groupByFields": [],
      "name": "string",
      "query": "string"
    }
  ],
  "tags": [],
  "version": "integer"
}

Not Found

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Code Example


                                        # Path parameters
export rule_id="CHANGE_ME"
# Curl command curl -X get https://api.datadoghq.comhttps://api.datadoghq.eu/api/v2/security_monitoring/rules/${rule_id} \ -H "Content-Type: application/json" \ -H "DD-API-KEY: ${DD_CLIENT_API_KEY}" \ -H "DD-APPLICATION-KEY: ${DD_CLIENT_APP_KEY}"
package main

import (
    "context"
    "fmt"
    "os"
    datadog "github.com/DataDog/datadog-api-client-go/api/v2/datadog"
)

func main() {
    ctx := context.WithValue(
        context.Background(),
        datadog.ContextAPIKeys,
        map[string]datadog.APIKey{
            "apiKeyAuth": {
                Key: os.Getenv("DD_CLIENT_API_KEY"),
            },
            "appKeyAuth": {
                Key: os.Getenv("DD_CLIENT_APP_KEY"),
            },
        },
    )

    ruleId := "ruleId_example" // string | The ID of the rule.

    configuration := datadog.NewConfiguration()
    api_client := datadog.NewAPIClient(configuration)
    resp, r, err := api_client.SecurityMonitoringApi.GetSecurityMonitoringRule(ctx, ruleId).Execute()
    if err != nil {
        fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.GetSecurityMonitoringRule``: %v\n", err)
        fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
    }
    // response from `GetSecurityMonitoringRule`: SecurityMonitoringRuleResponse
    fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.GetSecurityMonitoringRule`: %v\n", resp)
}
// Import classes:
import com.datadog.api.v2.client.ApiClient;
import com.datadog.api.v2.client.ApiException;
import com.datadog.api.v2.client.Configuration;
import com.datadog.api.v2.client.auth.*;
import com.datadog.api.v2.client.models.*;
import com.datadog.api.v2.client.api.SecurityMonitoringApi;

public class Example {
    public static void main(String[] args) {
        ApiClient defaultClient = Configuration.getDefaultApiClient();
        // Configure the Datadog site to send API calls to
        HashMap<String, String> serverVariables = new HashMap<String, String>();
        String site = System.getenv("DD_SITE");
        if (site != null) {
            serverVariables.put("site", site);
            defaultClient.setServerVariables(serverVariables);
        }
        // Configure API key authorization: 
        HashMap<String, String> secrets = new HashMap<String, String>();
        secrets.put("apiKeyAuth", System.getenv("DD_CLIENT_API_KEY"));
        secrets.put("appKeyAuth", System.getenv("DD_CLIENT_APP_KEY"));
        defaultClient.configureApiKeys(secrets);

        SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);
        String ruleId = "ruleId_example"; // String | The ID of the rule.
        try {
            SecurityMonitoringRuleResponse result = api.getSecurityMonitoringRule(ruleId)
                .execute();
            System.out.println(result);
        } catch (ApiException e) {
            System.err.println("Exception when calling SecurityMonitoringApi#getSecurityMonitoringRule");
            System.err.println("Status code: " + e.getCode());
            System.err.println("Reason: " + e.getResponseBody());
            System.err.println("Response headers: " + e.getResponseHeaders());
            e.printStackTrace();
        }
    }
}

List rules

get https://api.datadoghq.comhttps://api.datadoghq.eu/api/v2/security_monitoring/rules

Overview

List rules.

Arguments

Query Strings

Name

Type

Description

page[size]

integer

Size for a given page.

page[number]

integer

Specific page number to return.

Response

OK

List of rules

Expand All

Field

Type

Description

data

[]

TODO.

cases

[object]

Cases for generating signals.

condition

string

A rule case contains logical operations (>, >=, &&, ||) to determine if a signal should be generated based on the event counts in the previously defined queries.

name

string

Name of the case.

notifications

[string]

Notification targets for each rule case

status

enum

Severity of the Security Signal. Allowed enum values: info,low,medium,high,critical

createdAt

int64

When the rule was created, timestamp in milliseconds.

creationAuthorId

int64

User ID of the user who created the rule.

id

string

The ID of the rule.

isDefault

boolean

Whether the rule is included by default.

isDeleted

boolean

Whether the rule has been deleted.

isEnabled

boolean

Whether the rule is enabled.

message

string

Message for generated signals.

name

string

The name of the rule.

options

object

Options on rules.

evaluationWindow

enum

A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. Allowed enum values: 0,60,300,600,900,1800,3600,7200

keepAlive

enum

Once a signal is generated, the signal will remain “open” if a case is matched at least once within this keep alive window. Allowed enum values: 0,60,300,600,900,1800,3600,7200

maxSignalDuration

enum

A signal will “close” regardless of the query being matched once the time exceeds the maximum duration. This time is calculated from the first seen timestamp. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400

queries

[object]

Queries for selecting logs which are part of the rule.

groupByFields

[string]

Fields to group by.

name

string

Name of the query

query

string

Query to run on logs

tags

[string]

Tags for generated signals.

version

int64

The version of the rule.

meta

object

Object describing meta attributes of response.

page

object

Pagination object.

total_count

int64

Total count.

total_filtered_count

int64

Total count of elements matched by the filter.

{
  "data": [
    {
      "cases": [
        {
          "condition": "string",
          "name": "string",
          "notifications": [],
          "status": "string"
        }
      ],
      "createdAt": "integer",
      "creationAuthorId": "integer",
      "id": "string",
      "isDefault": false,
      "isDeleted": false,
      "isEnabled": false,
      "message": "string",
      "name": "string",
      "options": {
        "evaluationWindow": "integer",
        "keepAlive": "integer",
        "maxSignalDuration": "integer"
      },
      "queries": [
        {
          "groupByFields": [],
          "name": "string",
          "query": "string"
        }
      ],
      "tags": [],
      "version": "integer"
    }
  ],
  "meta": {
    "page": {
      "total_count": "integer",
      "total_filtered_count": "integer"
    }
  }
}

Bad Request

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Code Example


                                        # Curl command
curl -X get https://api.datadoghq.comhttps://api.datadoghq.eu/api/v2/security_monitoring/rules \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_CLIENT_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_CLIENT_APP_KEY}"

                                        
package main

import (
    "context"
    "fmt"
    "os"
    datadog "github.com/DataDog/datadog-api-client-go/api/v2/datadog"
)

func main() {
    ctx := context.WithValue(
        context.Background(),
        datadog.ContextAPIKeys,
        map[string]datadog.APIKey{
            "apiKeyAuth": {
                Key: os.Getenv("DD_CLIENT_API_KEY"),
            },
            "appKeyAuth": {
                Key: os.Getenv("DD_CLIENT_APP_KEY"),
            },
        },
    )

    pageSize := 987 // int64 | Size for a given page. (optional) (default to 10)
    pageNumber := 987 // int64 | Specific page number to return. (optional) (default to 0)

    configuration := datadog.NewConfiguration()
    api_client := datadog.NewAPIClient(configuration)
    resp, r, err := api_client.SecurityMonitoringApi.ListSecurityMonitoringRules(ctx).PageSize(pageSize).PageNumber(pageNumber).Execute()
    if err != nil {
        fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.ListSecurityMonitoringRules``: %v\n", err)
        fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
    }
    // response from `ListSecurityMonitoringRules`: SecurityMonitoringListRulesResponse
    fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.ListSecurityMonitoringRules`: %v\n", resp)
}
// Import classes:
import com.datadog.api.v2.client.ApiClient;
import com.datadog.api.v2.client.ApiException;
import com.datadog.api.v2.client.Configuration;
import com.datadog.api.v2.client.auth.*;
import com.datadog.api.v2.client.models.*;
import com.datadog.api.v2.client.api.SecurityMonitoringApi;

public class Example {
    public static void main(String[] args) {
        ApiClient defaultClient = Configuration.getDefaultApiClient();
        // Configure the Datadog site to send API calls to
        HashMap<String, String> serverVariables = new HashMap<String, String>();
        String site = System.getenv("DD_SITE");
        if (site != null) {
            serverVariables.put("site", site);
            defaultClient.setServerVariables(serverVariables);
        }
        // Configure API key authorization: 
        HashMap<String, String> secrets = new HashMap<String, String>();
        secrets.put("apiKeyAuth", System.getenv("DD_CLIENT_API_KEY"));
        secrets.put("appKeyAuth", System.getenv("DD_CLIENT_APP_KEY"));
        defaultClient.configureApiKeys(secrets);

        SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);
        Long pageSize = 10lL; // Long | Size for a given page.
        Long pageNumber = 0lL; // Long | Specific page number to return.
        try {
            SecurityMonitoringListRulesResponse result = api.listSecurityMonitoringRules()
                .pageSize(pageSize)
                .pageNumber(pageNumber)
                .execute();
            System.out.println(result);
        } catch (ApiException e) {
            System.err.println("Exception when calling SecurityMonitoringApi#listSecurityMonitoringRules");
            System.err.println("Status code: " + e.getCode());
            System.err.println("Reason: " + e.getResponseBody());
            System.err.println("Response headers: " + e.getResponseHeaders());
            e.printStackTrace();
        }
    }
}

Update an existing rule

put https://api.datadoghq.comhttps://api.datadoghq.eu/api/v2/security_monitoring/rules/{rule_id}

Overview

Update an existing rule. When updating cases, queries or options, the whole field must be included. For example, when modifying a query all queries must be included. Default rules can only be updated to be enabled and to change notifications.

Arguments

Path Parameters

Name

Type

Description

rule_id [required]

string

The ID of the rule.

Request

Body Data

Expand All

Field

Type

Description

cases

[object]

Cases for generating signals.

condition

string

A rule case contains logical operations (>, >=, &&, ||) to determine if a signal should be generated based on the event counts in the previously defined queries.

name

string

Name of the case.

notifications

[string]

Notification targets for each rule case

status

enum

Severity of the Security Signal. Allowed enum values: info,low,medium,high,critical

enabled

boolean

Whether the rule is enabled.

message

string

Message for generated signals.

name

string

Name of the rule.

options

object

Options on rules.

evaluationWindow

enum

A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. Allowed enum values: 0,60,300,600,900,1800,3600,7200

keepAlive

enum

Once a signal is generated, the signal will remain “open” if a case is matched at least once within this keep alive window. Allowed enum values: 0,60,300,600,900,1800,3600,7200

maxSignalDuration

enum

A signal will “close” regardless of the query being matched once the time exceeds the maximum duration. This time is calculated from the first seen timestamp. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400

queries

[object]

Queries for selecting logs which are part of the rule.

groupByFields

[string]

Fields to group by.

name

string

Name of the query

query

string

Query to run on logs

tags

[string]

Tags for generated signals.

{
  "cases": [
    {
      "condition": "string",
      "name": "string",
      "notifications": [],
      "status": "string"
    }
  ],
  "enabled": false,
  "message": "string",
  "name": "string",
  "options": {
    "evaluationWindow": "integer",
    "keepAlive": "integer",
    "maxSignalDuration": "integer"
  },
  "queries": [
    {
      "groupByFields": [],
      "name": "string",
      "query": "string"
    }
  ],
  "tags": []
}

Response

OK

Detection rule

Expand All

Field

Type

Description

cases

[object]

Cases for generating signals.

condition

string

A rule case contains logical operations (>, >=, &&, ||) to determine if a signal should be generated based on the event counts in the previously defined queries.

name

string

Name of the case.

notifications

[string]

Notification targets for each rule case

status

enum

Severity of the Security Signal. Allowed enum values: info,low,medium,high,critical

createdAt

int64

When the rule was created, timestamp in milliseconds.

creationAuthorId

int64

User ID of the user who created the rule.

id

string

The ID of the rule.

isDefault

boolean

Whether the rule is included by default.

isDeleted

boolean

Whether the rule has been deleted.

isEnabled

boolean

Whether the rule is enabled.

message

string

Message for generated signals.

name

string

The name of the rule.

options

object

Options on rules.

evaluationWindow

enum

A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. Allowed enum values: 0,60,300,600,900,1800,3600,7200

keepAlive

enum

Once a signal is generated, the signal will remain “open” if a case is matched at least once within this keep alive window. Allowed enum values: 0,60,300,600,900,1800,3600,7200

maxSignalDuration

enum

A signal will “close” regardless of the query being matched once the time exceeds the maximum duration. This time is calculated from the first seen timestamp. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400

queries

[object]

Queries for selecting logs which are part of the rule.

groupByFields

[string]

Fields to group by.

name

string

Name of the query

query

string

Query to run on logs

tags

[string]

Tags for generated signals.

version

int64

The version of the rule.

{
  "cases": [
    {
      "condition": "string",
      "name": "string",
      "notifications": [],
      "status": "string"
    }
  ],
  "createdAt": "integer",
  "creationAuthorId": "integer",
  "id": "string",
  "isDefault": false,
  "isDeleted": false,
  "isEnabled": false,
  "message": "string",
  "name": "string",
  "options": {
    "evaluationWindow": "integer",
    "keepAlive": "integer",
    "maxSignalDuration": "integer"
  },
  "queries": [
    {
      "groupByFields": [],
      "name": "string",
      "query": "string"
    }
  ],
  "tags": [],
  "version": "integer"
}

Bad Request

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Concurrent Modification

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Not Authorized

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Not Found

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Code Example


                                        # Path parameters
export rule_id="CHANGE_ME"
# Curl command curl -X put https://api.datadoghq.comhttps://api.datadoghq.eu/api/v2/security_monitoring/rules/${rule_id} \ -H "Content-Type: application/json" \ -H "DD-API-KEY: ${DD_CLIENT_API_KEY}" \ -H "DD-APPLICATION-KEY: ${DD_CLIENT_APP_KEY}" \ -d @- << EOF {} EOF
package main

import (
    "context"
    "fmt"
    "os"
    datadog "github.com/DataDog/datadog-api-client-go/api/v2/datadog"
)

func main() {
    ctx := context.WithValue(
        context.Background(),
        datadog.ContextAPIKeys,
        map[string]datadog.APIKey{
            "apiKeyAuth": {
                Key: os.Getenv("DD_CLIENT_API_KEY"),
            },
            "appKeyAuth": {
                Key: os.Getenv("DD_CLIENT_APP_KEY"),
            },
        },
    )

    ruleId := "ruleId_example" // string | The ID of the rule.
    body := datadog.SecurityMonitoringRuleUpdatePayload{Cases: []SecurityMonitoringRuleCase{datadog.SecurityMonitoringRuleCase{Condition: "Condition_example", Name: "Name_example", Notifications: []string{"Notifications_example"), Status: datadog.SecurityMonitoringRuleSeverity{}}), Enabled: false, Message: "Message_example", Name: "Name_example", Options: datadog.SecurityMonitoringRuleOptions{EvaluationWindow: datadog.SecurityMonitoringRuleEvaluationWindow{}, KeepAlive: datadog.SecurityMonitoringRuleKeepAlive{}, MaxSignalDuration: datadog.SecurityMonitoringRuleMaxSignalDuration{}}, Queries: []SecurityMonitoringRuleQuery{datadog.SecurityMonitoringRuleQuery{GroupByFields: []string{"GroupByFields_example"), Name: "Name_example", Query: "Query_example"}), Tags: []string{"Tags_example")} // SecurityMonitoringRuleUpdatePayload |  (optional)

    configuration := datadog.NewConfiguration()
    api_client := datadog.NewAPIClient(configuration)
    resp, r, err := api_client.SecurityMonitoringApi.UpdateSecurityMonitoringRule(ctx, ruleId).Body(body).Execute()
    if err != nil {
        fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.UpdateSecurityMonitoringRule``: %v\n", err)
        fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
    }
    // response from `UpdateSecurityMonitoringRule`: SecurityMonitoringRuleResponse
    fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.UpdateSecurityMonitoringRule`: %v\n", resp)
}
// Import classes:
import com.datadog.api.v2.client.ApiClient;
import com.datadog.api.v2.client.ApiException;
import com.datadog.api.v2.client.Configuration;
import com.datadog.api.v2.client.auth.*;
import com.datadog.api.v2.client.models.*;
import com.datadog.api.v2.client.api.SecurityMonitoringApi;

public class Example {
    public static void main(String[] args) {
        ApiClient defaultClient = Configuration.getDefaultApiClient();
        // Configure the Datadog site to send API calls to
        HashMap<String, String> serverVariables = new HashMap<String, String>();
        String site = System.getenv("DD_SITE");
        if (site != null) {
            serverVariables.put("site", site);
            defaultClient.setServerVariables(serverVariables);
        }
        // Configure API key authorization: 
        HashMap<String, String> secrets = new HashMap<String, String>();
        secrets.put("apiKeyAuth", System.getenv("DD_CLIENT_API_KEY"));
        secrets.put("appKeyAuth", System.getenv("DD_CLIENT_APP_KEY"));
        defaultClient.configureApiKeys(secrets);

        SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);
        String ruleId = "ruleId_example"; // String | The ID of the rule.
        SecurityMonitoringRuleUpdatePayload body = new SecurityMonitoringRuleUpdatePayload(); // SecurityMonitoringRuleUpdatePayload | 
        try {
            SecurityMonitoringRuleResponse result = api.updateSecurityMonitoringRule(ruleId)
                .body(body)
                .execute();
            System.out.println(result);
        } catch (ApiException e) {
            System.err.println("Exception when calling SecurityMonitoringApi#updateSecurityMonitoringRule");
            System.err.println("Status code: " + e.getCode());
            System.err.println("Reason: " + e.getResponseBody());
            System.err.println("Response headers: " + e.getResponseHeaders());
            e.printStackTrace();
        }
    }
}