Detection rules for generating signals and listing of generated signals.
POST https://api.datadoghq.com/api/v2/security_monitoring/rules (EU site: https://api.datadoghq.eu/api/v2/security_monitoring/rules)
Create a detection rule.
Request body fields, listed as field (type): description. Nested fields are indented under their parent.

cases [required] ([object]): Cases for generating signals.
    condition (string): A rule case contains logical operations (>, >=, &&, ||) to determine if a signal should be generated based on the event counts in the previously defined queries.
    name (string): Name of the case.
    notifications ([string]): Notification targets for each rule case.
    status [required] (enum): Severity of the Security Signal. Allowed enum values: info, low, medium, high, critical
filters ([object]): Additional queries to filter matched events before they are processed.
    action (enum): The type of filtering action. Allowed enum values: require, suppress
    query (string): Query for selecting logs to apply the filtering action.
isEnabled [required] (boolean): Whether the rule is enabled.
message [required] (string): Message for generated signals.
name [required] (string): The name of the rule.
options [required] (object): Options on rules.
    evaluationWindow (enum): The time window within which at least one of the cases must match for a signal to be generated. This is a sliding window and evaluates in real time. Allowed enum values: 0, 60, 300, 600, 900, 1800, 3600, 7200
    keepAlive (enum): Once a signal is generated, the signal will remain “open” if a case is matched at least once within this keep alive window. Allowed enum values: 0, 60, 300, 600, 900, 1800, 3600, 7200, 10800, 21600
    maxSignalDuration (enum): A signal will “close” regardless of the query being matched once the time exceeds the maximum duration. This time is calculated from the first seen timestamp. Allowed enum values: 0, 60, 300, 600, 900, 1800, 3600, 7200, 10800, 21600, 43200, 86400
queries [required] ([object]): Queries for selecting logs which are part of the rule.
    aggregation (enum): The aggregation type. Allowed enum values: count, cardinality, sum, max
    distinctFields ([string]): Field for which the cardinality is measured. Sent as an array.
    groupByFields ([string]): Fields to group by.
    metric (string): The target field to aggregate over when using the sum or max aggregations.
    name (string): Name of the query.
    query [required] (string): Query to run on logs.
tags ([string]): Tags for generated signals.
{
  "cases": [
    {
      "condition": "string",
      "name": "string",
      "notifications": [],
      "status": "string"
    }
  ],
  "filters": [
    {
      "action": "string",
      "query": "string"
    }
  ],
  "isEnabled": true,
  "message": "",
  "name": "",
  "options": {
    "evaluationWindow": "integer",
    "keepAlive": "integer",
    "maxSignalDuration": "integer"
  },
  "queries": [
    {
      "aggregation": "string",
      "distinctFields": [],
      "groupByFields": [],
      "metric": "string",
      "name": "string",
      "query": "a < 3"
    }
  ],
  "tags": [
    "env:prod",
    "team:security"
  ]
}
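As an added example (not part of this reference and not Datadog client code), a client-side check of a rule payload against the constraints listed above before it is sent: required fields, allowed enum values, the aggregation/field pairings, and that every case condition only references queries the rule defines. The brute-force login rule it is applied to is constructed here; its query strings and the @usr.id field are assumptions, not values from the page.

```python
import re

# Allowed values as documented for the create-rule request body.
SEVERITIES = {"info", "low", "medium", "high", "critical"}
AGGREGATIONS = {"count", "cardinality", "sum", "max"}
FILTER_ACTIONS = {"require", "suppress"}
EVALUATION_WINDOWS = {0, 60, 300, 600, 900, 1800, 3600, 7200}
KEEP_ALIVES = EVALUATION_WINDOWS | {10800, 21600}
MAX_SIGNAL_DURATIONS = KEEP_ALIVES | {43200, 86400}
REQUIRED = ("cases", "isEnabled", "message", "name", "options", "queries")

# Identifiers in a case condition such as "a > 10 && b > 0"; numeric literals never
# match because the first character must be a letter or underscore.
_IDENT = re.compile(r"[A-Za-z_]\w*")


def validate_rule(rule):
    """Return a list of problems; an empty list means the payload matches the documented schema."""
    problems = []
    for field in REQUIRED:
        if field not in rule:
            problems.append(f"missing required field {field!r}")

    query_names = set()
    for i, q in enumerate(rule.get("queries", [])):
        if not q.get("query"):
            problems.append(f"queries[{i}]: 'query' is required")
        agg = q.get("aggregation")
        if agg is not None and agg not in AGGREGATIONS:
            problems.append(f"queries[{i}]: unknown aggregation {agg!r}")
        if agg == "cardinality" and not q.get("distinctFields"):
            problems.append(f"queries[{i}]: cardinality needs distinctFields")
        if agg in ("sum", "max") and not q.get("metric"):
            problems.append(f"queries[{i}]: {agg} needs a metric field")
        if q.get("name"):
            query_names.add(q["name"])

    if not rule.get("cases"):
        problems.append("at least one case is required")
    for i, case in enumerate(rule.get("cases", [])):
        if case.get("status") not in SEVERITIES:
            problems.append(f"cases[{i}]: status {case.get('status')!r} not in {sorted(SEVERITIES)}")
        unknown = set(_IDENT.findall(case.get("condition", ""))) - query_names
        if unknown:
            problems.append(f"cases[{i}]: condition references undefined queries {sorted(unknown)}")

    for i, f in enumerate(rule.get("filters", [])):
        if f.get("action") not in FILTER_ACTIONS:
            problems.append(f"filters[{i}]: action must be one of {sorted(FILTER_ACTIONS)}")
        if not f.get("query"):
            problems.append(f"filters[{i}]: 'query' is required")

    opts = rule.get("options", {})
    for key, allowed in (("evaluationWindow", EVALUATION_WINDOWS),
                         ("keepAlive", KEEP_ALIVES),
                         ("maxSignalDuration", MAX_SIGNAL_DURATIONS)):
        if key in opts and opts[key] not in allowed:
            problems.append(f"options.{key}: {opts[key]} not in {sorted(allowed)}")
    return problems


# Constructed example rule (assumed queries and field names, not taken from the page):
# count failed and successful logins per user over a sliding 5-minute window.
BRUTE_FORCE_RULE = {
    "name": "Possible credential brute force",
    "isEnabled": True,
    "message": "More than 10 failed logins for one user in 5 minutes",
    "tags": ["security:attack", "technique:T1110-brute-force"],
    "queries": [
        {"name": "a", "query": "source:auth @evt.outcome:failure",
         "aggregation": "count", "groupByFields": ["@usr.id"]},
        {"name": "b", "query": "source:auth @evt.outcome:success",
         "aggregation": "count", "groupByFields": ["@usr.id"]},
    ],
    "cases": [
        # A success following many failures is the case worth paging someone for.
        {"name": "failures then a success", "condition": "a > 10 && b > 0",
         "status": "high", "notifications": []},
        {"name": "failures only", "condition": "a > 10", "status": "medium"},
    ],
    "filters": [{"action": "suppress", "query": "source:auth @usr.id:synthetic-monitor"}],
    "options": {"evaluationWindow": 300, "keepAlive": 3600, "maxSignalDuration": 86400},
}

if __name__ == "__main__":
    print(validate_rule(BRUTE_FORCE_RULE) or "rule is consistent with the documented schema")
```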
OK
Detection rule.
Response fields, listed as field (type): description. Nested fields are indented under their parent.

cases ([object]): Cases for generating signals.
    condition (string): A rule case contains logical operations (>, >=, &&, ||) to determine if a signal should be generated based on the event counts in the previously defined queries.
    name (string): Name of the case.
    notifications ([string]): Notification targets for each rule case.
    status (enum): Severity of the Security Signal. Allowed enum values: info, low, medium, high, critical
createdAt (int64): When the rule was created, timestamp in milliseconds.
creationAuthorId (int64): User ID of the user who created the rule.
filters ([object]): Additional queries to filter matched events before they are processed.
    action (enum): The type of filtering action. Allowed enum values: require, suppress
    query (string): Query for selecting logs to apply the filtering action.
id (string): The ID of the rule.
isDefault (boolean): Whether the rule is included by default.
isDeleted (boolean): Whether the rule has been deleted.
isEnabled (boolean): Whether the rule is enabled.
message (string): Message for generated signals.
name (string): The name of the rule.
options (object): Options on rules.
    evaluationWindow (enum): The time window within which at least one of the cases must match for a signal to be generated. This is a sliding window and evaluates in real time. Allowed enum values: 0, 60, 300, 600, 900, 1800, 3600, 7200
    keepAlive (enum): Once a signal is generated, the signal will remain “open” if a case is matched at least once within this keep alive window. Allowed enum values: 0, 60, 300, 600, 900, 1800, 3600, 7200, 10800, 21600
    maxSignalDuration (enum): A signal will “close” regardless of the query being matched once the time exceeds the maximum duration. This time is calculated from the first seen timestamp. Allowed enum values: 0, 60, 300, 600, 900, 1800, 3600, 7200, 10800, 21600, 43200, 86400
queries ([object]): Queries for selecting logs which are part of the rule.
    aggregation (enum): The aggregation type. Allowed enum values: count, cardinality, sum, max
    distinctFields ([string]): Field for which the cardinality is measured. Sent as an array.
    groupByFields ([string]): Fields to group by.
    metric (string): The target field to aggregate over when using the sum or max aggregations.
    name (string): Name of the query.
    query (string): Query to run on logs.
tags ([string]): Tags for generated signals.
version (int64): The version of the rule.
{
  "cases": [
    {
      "condition": "string",
      "name": "string",
      "notifications": [],
      "status": "string"
    }
  ],
  "createdAt": "integer",
  "creationAuthorId": "integer",
  "filters": [
    {
      "action": "string",
      "query": "string"
    }
  ],
  "id": "string",
  "isDefault": false,
  "isDeleted": false,
  "isEnabled": false,
  "message": "string",
  "name": "string",
  "options": {
    "evaluationWindow": "integer",
    "keepAlive": "integer",
    "maxSignalDuration": "integer"
  },
  "queries": [
    {
      "aggregation": "string",
      "distinctFields": [],
      "groupByFields": [],
      "metric": "string",
      "name": "string",
      "query": "string"
    }
  ],
  "tags": [],
  "version": "integer"
}
Bad Request
API error response.
{
  "errors": [
    "Bad Request"
  ]
}
Not Authorized
API error response.
{
  "errors": [
    "Bad Request"
  ]
}
# Curl command (use api.datadoghq.eu instead of api.datadoghq.com for the EU site)
curl -X POST "https://api.datadoghq.com/api/v2/security_monitoring/rules" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_CLIENT_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_CLIENT_APP_KEY}" \
-d @- << EOF
{
  "cases": [
    {
      "status": "info"
    }
  ],
  "isEnabled": true,
  "message": "",
  "name": "",
  "options": {},
  "queries": [
    {
      "query": "a < 3"
    }
  ]
}
EOF
package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	datadog "github.com/DataDog/datadog-api-client-go/api/v2/datadog"
)

func main() {
	ctx := context.WithValue(
		context.Background(),
		datadog.ContextAPIKeys,
		map[string]datadog.APIKey{
			"apiKeyAuth": {
				Key: os.Getenv("DD_CLIENT_API_KEY"),
			},
			"appKeyAuth": {
				Key: os.Getenv("DD_CLIENT_APP_KEY"),
			},
		},
	)
	// SecurityMonitoringRuleCreatePayload: cases, isEnabled, message, name, options, queries
	body := *datadog.NewSecurityMonitoringRuleCreatePayload(
		[]datadog.SecurityMonitoringRuleCaseCreate{
			*datadog.NewSecurityMonitoringRuleCaseCreate(datadog.SecurityMonitoringRuleSeverity("info")),
		},
		true,
		"Message_example",
		"Name_example",
		*datadog.NewSecurityMonitoringRuleOptions(),
		[]datadog.SecurityMonitoringRuleQueryCreate{
			*datadog.NewSecurityMonitoringRuleQueryCreate("a < 3"),
		},
	)
	configuration := datadog.NewConfiguration()
	api_client := datadog.NewAPIClient(configuration)
	resp, r, err := api_client.SecurityMonitoringApi.CreateSecurityMonitoringRule(ctx).Body(body).Execute()
	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.CreateSecurityMonitoringRule`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}
	// response from `CreateSecurityMonitoringRule`: SecurityMonitoringRuleResponse
	response_content, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from SecurityMonitoringApi.CreateSecurityMonitoringRule:\n%s\n", response_content)
}
// Import classes:
import java.util.*;
import com.datadog.api.v2.client.ApiClient;
import com.datadog.api.v2.client.ApiException;
import com.datadog.api.v2.client.Configuration;
import com.datadog.api.v2.client.auth.*;
import com.datadog.api.v2.client.model.*;
import com.datadog.api.v2.client.api.SecurityMonitoringApi;

public class Example {
    public static void main(String[] args) {
        ApiClient defaultClient = Configuration.getDefaultApiClient();

        // Configure the Datadog site to send API calls to
        HashMap<String, String> serverVariables = new HashMap<String, String>();
        String site = System.getenv("DD_SITE");
        if (site != null) {
            serverVariables.put("site", site);
            defaultClient.setServerVariables(serverVariables);
        }

        // Configure API key authorization:
        HashMap<String, String> secrets = new HashMap<String, String>();
        secrets.put("apiKeyAuth", System.getenv("DD_CLIENT_API_KEY"));
        secrets.put("appKeyAuth", System.getenv("DD_CLIENT_APP_KEY"));
        defaultClient.configureApiKeys(secrets);

        SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);
        SecurityMonitoringRuleCreatePayload body = new SecurityMonitoringRuleCreatePayload(); // SecurityMonitoringRuleCreatePayload |
        try {
            SecurityMonitoringRuleResponse result = apiInstance.createSecurityMonitoringRule()
                .body(body)
                .execute();
            System.out.println(result);
        } catch (ApiException e) {
            System.err.println("Exception when calling SecurityMonitoringApi#createSecurityMonitoringRule");
            System.err.println("Status code: " + e.getCode());
            System.err.println("Reason: " + e.getResponseBody());
            System.err.println("Response headers: " + e.getResponseHeaders());
            e.printStackTrace();
        }
    }
}
import os
from dateutil.parser import parse as dateutil_parser
import datadog_api_client.v2
from datadog_api_client.v2.api import security_monitoring_api
from datadog_api_client.v2.models import *
from pprint import pprint

# Defining the host is optional and defaults to https://api.datadoghq.com
# See configuration.py for a list of all supported configuration parameters.
configuration = datadog_api_client.v2.Configuration(
    host="https://api.datadoghq.com"
)

# The client must configure the authentication and authorization parameters
# in accordance with the API server security policy.
# Examples for each auth method are provided below, use the example that
# satisfies your auth use case.

# Configure API key authorization: apiKeyAuth
configuration.api_key['apiKeyAuth'] = os.getenv('DD_CLIENT_API_KEY')
# Uncomment below to setup prefix (e.g. Bearer) for API key, if needed
# configuration.api_key_prefix['apiKeyAuth'] = 'Bearer'

# Configure API key authorization: appKeyAuth
configuration.api_key['appKeyAuth'] = os.getenv('DD_CLIENT_APP_KEY')
# Uncomment below to setup prefix (e.g. Bearer) for API key, if needed
# configuration.api_key_prefix['appKeyAuth'] = 'Bearer'

# Enter a context with an instance of the API client
with datadog_api_client.v2.ApiClient(configuration) as api_client:
    # Create an instance of the API class
    api_instance = security_monitoring_api.SecurityMonitoringApi(api_client)
    body = SecurityMonitoringRuleCreatePayload(
        cases=[],
        filters=[
            SecurityMonitoringFilter(
                action=SecurityMonitoringFilterAction("require"),
                query="query_example",
            ),
        ],
        is_enabled=True,
        message="",
        name="",
        options=SecurityMonitoringRuleOptions(
            evaluation_window=SecurityMonitoringRuleEvaluationWindow(0),
            keep_alive=SecurityMonitoringRuleKeepAlive(0),
            max_signal_duration=SecurityMonitoringRuleMaxSignalDuration(0),
        ),
        queries=[],
        tags=["env:prod", "team:security"],
    )  # SecurityMonitoringRuleCreatePayload |

    # example passing only required values which don't have defaults set
    try:
        # Create a detection rule
        api_response = api_instance.create_security_monitoring_rule(body)
        pprint(api_response)
    except datadog_api_client.v2.ApiException as e:
        print("Exception when calling SecurityMonitoringApi->create_security_monitoring_rule: %s\n" % e)
require 'time'
require 'datadog_api_client/v2'

# setup authorization
DatadogAPIClient::V2.configure do |config|
  # Configure API key authorization: apiKeyAuth
  config.api_key['apiKeyAuth'] = ENV["DD_CLIENT_API_KEY"]
  # Uncomment the following line to set a prefix for the API key, e.g. 'Bearer' (defaults to nil)
  # config.api_key_prefix['apiKeyAuth'] = 'Bearer'

  # Configure API key authorization: appKeyAuth
  config.api_key['appKeyAuth'] = ENV["DD_CLIENT_APP_KEY"]
  # Uncomment the following line to set a prefix for the API key, e.g. 'Bearer' (defaults to nil)
  # config.api_key_prefix['appKeyAuth'] = 'Bearer'
end

api_instance = DatadogAPIClient::V2::SecurityMonitoringApi.new
# SecurityMonitoringRuleCreatePayload
body = DatadogAPIClient::V2::SecurityMonitoringRuleCreatePayload.new({
  cases: [
    DatadogAPIClient::V2::SecurityMonitoringRuleCaseCreate.new({
      status: DatadogAPIClient::V2::SecurityMonitoringRuleSeverity::INFO
    })
  ],
  is_enabled: true,
  message: 'message_example',
  name: 'name_example',
  options: DatadogAPIClient::V2::SecurityMonitoringRuleOptions.new,
  queries: [
    DatadogAPIClient::V2::SecurityMonitoringRuleQueryCreate.new({query: 'a < 3'})
  ]
})

begin
  # Create a detection rule
  result = api_instance.create_security_monitoring_rule(body)
  p result
rescue DatadogAPIClient::V2::ApiError => e
  puts "Error when calling SecurityMonitoringApi->create_security_monitoring_rule: #{e}"
end
DELETE https://api.datadoghq.com/api/v2/security_monitoring/rules/{rule_id} (EU site: https://api.datadoghq.eu/api/v2/security_monitoring/rules/{rule_id})
Delete an existing rule. Default rules cannot be deleted.
Path parameters, listed as name (type): description.

rule_id [required] (string): The ID of the rule.
OK
Not Authorized
API error response.
{
  "errors": [
    "Bad Request"
  ]
}
Not Found
API error response.
{
  "errors": [
    "Bad Request"
  ]
}
# Path parameters
export rule_id="CHANGE_ME"
# Curl command (use api.datadoghq.eu instead of api.datadoghq.com for the EU site)
curl -X DELETE "https://api.datadoghq.com/api/v2/security_monitoring/rules/${rule_id}" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_CLIENT_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_CLIENT_APP_KEY}"
package main

import (
	"context"
	"fmt"
	"os"

	datadog "github.com/DataDog/datadog-api-client-go/api/v2/datadog"
)

func main() {
	ctx := context.WithValue(
		context.Background(),
		datadog.ContextAPIKeys,
		map[string]datadog.APIKey{
			"apiKeyAuth": {
				Key: os.Getenv("DD_CLIENT_API_KEY"),
			},
			"appKeyAuth": {
				Key: os.Getenv("DD_CLIENT_APP_KEY"),
			},
		},
	)
	ruleId := "ruleId_example" // string | The ID of the rule.
	configuration := datadog.NewConfiguration()
	api_client := datadog.NewAPIClient(configuration)
	r, err := api_client.SecurityMonitoringApi.DeleteSecurityMonitoringRule(ctx, ruleId).Execute()
	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.DeleteSecurityMonitoringRule`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}
}
// Import classes:
import java.util.*;
import com.datadog.api.v2.client.ApiClient;
import com.datadog.api.v2.client.ApiException;
import com.datadog.api.v2.client.Configuration;
import com.datadog.api.v2.client.auth.*;
import com.datadog.api.v2.client.model.*;
import com.datadog.api.v2.client.api.SecurityMonitoringApi;

public class Example {
    public static void main(String[] args) {
        ApiClient defaultClient = Configuration.getDefaultApiClient();

        // Configure the Datadog site to send API calls to
        HashMap<String, String> serverVariables = new HashMap<String, String>();
        String site = System.getenv("DD_SITE");
        if (site != null) {
            serverVariables.put("site", site);
            defaultClient.setServerVariables(serverVariables);
        }

        // Configure API key authorization:
        HashMap<String, String> secrets = new HashMap<String, String>();
        secrets.put("apiKeyAuth", System.getenv("DD_CLIENT_API_KEY"));
        secrets.put("appKeyAuth", System.getenv("DD_CLIENT_APP_KEY"));
        defaultClient.configureApiKeys(secrets);

        SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);
        String ruleId = "ruleId_example"; // String | The ID of the rule.
        try {
            apiInstance.deleteSecurityMonitoringRule(ruleId)
                .execute();
        } catch (ApiException e) {
            System.err.println("Exception when calling SecurityMonitoringApi#deleteSecurityMonitoringRule");
            System.err.println("Status code: " + e.getCode());
            System.err.println("Reason: " + e.getResponseBody());
            System.err.println("Response headers: " + e.getResponseHeaders());
            e.printStackTrace();
        }
    }
}
import os
from dateutil.parser import parse as dateutil_parser
import datadog_api_client.v2
from datadog_api_client.v2.api import security_monitoring_api
from datadog_api_client.v2.models import *
from pprint import pprint

# Defining the host is optional and defaults to https://api.datadoghq.com
# See configuration.py for a list of all supported configuration parameters.
configuration = datadog_api_client.v2.Configuration(
    host="https://api.datadoghq.com"
)

# The client must configure the authentication and authorization parameters
# in accordance with the API server security policy.
# Examples for each auth method are provided below, use the example that
# satisfies your auth use case.

# Configure API key authorization: apiKeyAuth
configuration.api_key['apiKeyAuth'] = os.getenv('DD_CLIENT_API_KEY')
# Uncomment below to setup prefix (e.g. Bearer) for API key, if needed
# configuration.api_key_prefix['apiKeyAuth'] = 'Bearer'

# Configure API key authorization: appKeyAuth
configuration.api_key['appKeyAuth'] = os.getenv('DD_CLIENT_APP_KEY')
# Uncomment below to setup prefix (e.g. Bearer) for API key, if needed
# configuration.api_key_prefix['appKeyAuth'] = 'Bearer'

# Enter a context with an instance of the API client
with datadog_api_client.v2.ApiClient(configuration) as api_client:
    # Create an instance of the API class
    api_instance = security_monitoring_api.SecurityMonitoringApi(api_client)
    rule_id = "rule_id_example"  # str | The ID of the rule.

    # example passing only required values which don't have defaults set
    try:
        # Delete an existing rule
        api_instance.delete_security_monitoring_rule(rule_id)
    except datadog_api_client.v2.ApiException as e:
        print("Exception when calling SecurityMonitoringApi->delete_security_monitoring_rule: %s\n" % e)
require 'time'
require 'datadog_api_client/v2'

# setup authorization
DatadogAPIClient::V2.configure do |config|
  # Configure API key authorization: apiKeyAuth
  config.api_key['apiKeyAuth'] = ENV["DD_CLIENT_API_KEY"]
  # Uncomment the following line to set a prefix for the API key, e.g. 'Bearer' (defaults to nil)
  # config.api_key_prefix['apiKeyAuth'] = 'Bearer'

  # Configure API key authorization: appKeyAuth
  config.api_key['appKeyAuth'] = ENV["DD_CLIENT_APP_KEY"]
  # Uncomment the following line to set a prefix for the API key, e.g. 'Bearer' (defaults to nil)
  # config.api_key_prefix['appKeyAuth'] = 'Bearer'
end

api_instance = DatadogAPIClient::V2::SecurityMonitoringApi.new
rule_id = 'rule_id_example' # String | The ID of the rule.

begin
  # Delete an existing rule
  api_instance.delete_security_monitoring_rule(rule_id)
rescue DatadogAPIClient::V2::ApiError => e
  puts "Error when calling SecurityMonitoringApi->delete_security_monitoring_rule: #{e}"
end
Note: This endpoint is in public beta. If you have any feedback, contact Datadog support.
POST https://api.datadoghq.com/api/v2/security_monitoring/signals/search (EU site: https://api.datadoghq.eu/api/v2/security_monitoring/signals/search)
Returns security signals that match a search query. Both this endpoint and the GET endpoint can be used interchangeably for listing security signals.
Request body fields, listed as field (type): description. Nested fields are indented under their parent.

filter (object): Search filters for listing security signals.
    from (date-time): The minimum timestamp for requested security signals.
    query (string): Search query for listing security signals.
    to (date-time): The maximum timestamp for requested security signals.
page (object): The paging attributes for listing security signals.
    cursor (string): A list of results using the cursor provided in the previous query.
    limit (int32): The maximum number of security signals in the response.
sort (enum): The sort parameters used for querying security signals. Allowed enum values: timestamp, -timestamp
{
  "filter": {
    "from": "2019-01-02T09:42:36.320Z",
    "query": "security:attack status:high",
    "to": "2019-01-03T09:42:36.320Z"
  },
  "page": {
    "cursor": "eyJzdGFydEF0IjoiQVFBQUFYS2tMS3pPbm40NGV3QUFBQUJCV0V0clRFdDZVbG8zY3pCRmNsbHJiVmxDWlEifQ==",
    "limit": 25
  },
  "sort": "string"
}
OK
The response object with all security signals matching the request and pagination information.
Response fields, listed as field (type): description. Nested fields are indented under their parent.

data ([object]): An array of security signals matching the request.
    attributes (object): The object containing all signal attributes and their associated values.
        attributes (object): A JSON object of attributes in the security signal.
        message (string): The message in the security signal defined by the rule that generated the signal.
        tags (array): An array of tags associated with the security signal.
        timestamp (date-time): The timestamp of the security signal.
    id (string): The unique ID of the security signal.
    type (enum): The type of event. Allowed enum values: signal
links (object): Links attributes.
    next (string): The link for the next set of results. Note: The request can also be made using the POST endpoint.
meta (object): Meta attributes.
    page (object): Paging attributes.
        after (string): The cursor used to get the next results, if any. To make the next request, use the same parameters with the addition of the page[cursor].
{
  "data": [
    {
      "attributes": {
        "attributes": [
          {}
        ],
        "message": "Detect Account Take Over (ATO) through brute force attempts",
        "tags": [
          "security:attack",
          "technique:T1110-brute-force"
        ],
        "timestamp": "2019-01-02T09:42:36.320Z"
      },
      "id": "AAAAAWgN8Xwgr1vKDQAAAABBV2dOOFh3ZzZobm1mWXJFYTR0OA",
      "type": "signal"
    }
  ],
  "links": {
    "next": "https://app.datadoghq.com/api/v2/security_monitoring/signals?filter[query]=foo\u0026page[cursor]=eyJzdGFydEF0IjoiQVFBQUFYS2tMS3pPbm40NGV3QUFBQUJCV0V0clRFdDZVbG8zY3pCRmNsbHJiVmxDWlEifQ=="
  },
  "meta": {
    "page": {
      "after": "eyJzdGFydEF0IjoiQVFBQUFYS2tMS3pPbm40NGV3QUFBQUJCV0V0clRFdDZVbG8zY3pCRmNsbHJiVmxDWlEifQ=="
    }
  }
}
Bad Request
API error response.
{
  "errors": [
    "Bad Request"
  ]
}
Not Authorized
API error response.
{
  "errors": [
    "Bad Request"
  ]
}
# Curl command (use api.datadoghq.eu instead of api.datadoghq.com for the EU site)
curl -X POST "https://api.datadoghq.com/api/v2/security_monitoring/signals/search" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_CLIENT_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_CLIENT_APP_KEY}" \
-d @- << EOF
{}
EOF
package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	datadog "github.com/DataDog/datadog-api-client-go/api/v2/datadog"
)

func main() {
	ctx := context.WithValue(
		context.Background(),
		datadog.ContextAPIKeys,
		map[string]datadog.APIKey{
			"apiKeyAuth": {
				Key: os.Getenv("DD_CLIENT_API_KEY"),
			},
			"appKeyAuth": {
				Key: os.Getenv("DD_CLIENT_APP_KEY"),
			},
		},
	)
	body := *datadog.NewSecurityMonitoringSignalListRequest() // SecurityMonitoringSignalListRequest | (optional)
	configuration := datadog.NewConfiguration()
	// The endpoint is in public beta, so the client requires it to be enabled explicitly.
	configuration.SetUnstableOperationEnabled("SearchSecurityMonitoringSignals", true)
	api_client := datadog.NewAPIClient(configuration)
	resp, r, err := api_client.SecurityMonitoringApi.SearchSecurityMonitoringSignals(ctx).Body(body).Execute()
	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.SearchSecurityMonitoringSignals`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}
	// response from `SearchSecurityMonitoringSignals`: SecurityMonitoringSignalsListResponse
	response_content, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from SecurityMonitoringApi.SearchSecurityMonitoringSignals:\n%s\n", response_content)
}
// Import classes:
import java.util.*;
import com.datadog.api.v2.client.ApiClient;
import com.datadog.api.v2.client.ApiException;
import com.datadog.api.v2.client.Configuration;
import com.datadog.api.v2.client.auth.*;
import com.datadog.api.v2.client.model.*;
import com.datadog.api.v2.client.api.SecurityMonitoringApi;

public class Example {
    public static void main(String[] args) {
        ApiClient defaultClient = Configuration.getDefaultApiClient();

        // Configure the Datadog site to send API calls to
        HashMap<String, String> serverVariables = new HashMap<String, String>();
        String site = System.getenv("DD_SITE");
        if (site != null) {
            serverVariables.put("site", site);
            defaultClient.setServerVariables(serverVariables);
        }

        // Configure API key authorization:
        HashMap<String, String> secrets = new HashMap<String, String>();
        secrets.put("apiKeyAuth", System.getenv("DD_CLIENT_API_KEY"));
        secrets.put("appKeyAuth", System.getenv("DD_CLIENT_APP_KEY"));
        defaultClient.configureApiKeys(secrets);

        SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);
        SecurityMonitoringSignalListRequest body = new SecurityMonitoringSignalListRequest(); // SecurityMonitoringSignalListRequest |
        try {
            SecurityMonitoringSignalsListResponse result = apiInstance.searchSecurityMonitoringSignals()
                .body(body)
                .execute();
            System.out.println(result);
        } catch (ApiException e) {
            System.err.println("Exception when calling SecurityMonitoringApi#searchSecurityMonitoringSignals");
            System.err.println("Status code: " + e.getCode());
            System.err.println("Reason: " + e.getResponseBody());
            System.err.println("Response headers: " + e.getResponseHeaders());
            e.printStackTrace();
        }
    }
}
import os
from dateutil.parser import parse as dateutil_parser
import datadog_api_client.v2
from datadog_api_client.v2.api import security_monitoring_api
from datadog_api_client.v2.models import *
from pprint import pprint

# Defining the host is optional and defaults to https://api.datadoghq.com
# See configuration.py for a list of all supported configuration parameters.
configuration = datadog_api_client.v2.Configuration(
    host="https://api.datadoghq.com"
)

# The client must configure the authentication and authorization parameters
# in accordance with the API server security policy.
# Examples for each auth method are provided below, use the example that
# satisfies your auth use case.

# Configure API key authorization: apiKeyAuth
configuration.api_key['apiKeyAuth'] = os.getenv('DD_CLIENT_API_KEY')
# Uncomment below to setup prefix (e.g. Bearer) for API key, if needed
# configuration.api_key_prefix['apiKeyAuth'] = 'Bearer'

# Configure API key authorization: appKeyAuth
configuration.api_key['appKeyAuth'] = os.getenv('DD_CLIENT_APP_KEY')
# Uncomment below to setup prefix (e.g. Bearer) for API key, if needed
# configuration.api_key_prefix['appKeyAuth'] = 'Bearer'

# The endpoint is in public beta, so it must be enabled explicitly in the client
configuration.unstable_operations["search_security_monitoring_signals"] = True

# Enter a context with an instance of the API client
with datadog_api_client.v2.ApiClient(configuration) as api_client:
    # Create an instance of the API class
    api_instance = security_monitoring_api.SecurityMonitoringApi(api_client)
    body = SecurityMonitoringSignalListRequest(
        filter=SecurityMonitoringSignalListRequestFilter(
            _from=dateutil_parser('2019-01-02T09:42:36.32Z'),
            query="security:attack status:high",
            to=dateutil_parser('2019-01-03T09:42:36.32Z'),
        ),
        page=SecurityMonitoringSignalListRequestPage(
            cursor="eyJzdGFydEF0IjoiQVFBQUFYS2tMS3pPbm40NGV3QUFBQUJCV0V0clRFdDZVbG8zY3pCRmNsbHJiVmxDWlEifQ==",
            limit=25,
        ),
        sort=SecurityMonitoringSignalsSort("timestamp"),
    )  # SecurityMonitoringSignalListRequest | (optional)

    # example passing only required values which don't have defaults set
    # and optional values
    try:
        # Get a list of security signals
        api_response = api_instance.search_security_monitoring_signals(body=body)
        pprint(api_response)
    except datadog_api_client.v2.ApiException as e:
        print("Exception when calling SecurityMonitoringApi->search_security_monitoring_signals: %s\n" % e)
require 'time'
require 'datadog_api_client/v2'

# setup authorization
DatadogAPIClient::V2.configure do |config|
  # Configure API key authorization: apiKeyAuth
  config.api_key['apiKeyAuth'] = ENV["DD_CLIENT_API_KEY"]
  # Uncomment the following line to set a prefix for the API key, e.g. 'Bearer' (defaults to nil)
  # config.api_key_prefix['apiKeyAuth'] = 'Bearer'

  # Configure API key authorization: appKeyAuth
  config.api_key['appKeyAuth'] = ENV["DD_CLIENT_APP_KEY"]
  # Uncomment the following line to set a prefix for the API key, e.g. 'Bearer' (defaults to nil)
  # config.api_key_prefix['appKeyAuth'] = 'Bearer'

  # The endpoint is in public beta, so it must be enabled explicitly in the client
  config.unstable_operations[:search_security_monitoring_signals] = true
end

api_instance = DatadogAPIClient::V2::SecurityMonitoringApi.new
opts = {
  body: DatadogAPIClient::V2::SecurityMonitoringSignalListRequest.new # SecurityMonitoringSignalListRequest |
}

begin
  # Get a list of security signals
  result = api_instance.search_security_monitoring_signals(opts)
  p result
rescue DatadogAPIClient::V2::ApiError => e
  puts "Error when calling SecurityMonitoringApi->search_security_monitoring_signals: #{e}"
end
Note: This endpoint is in public beta. If you have any feedback, contact Datadog support.
GET https://api.datadoghq.com/api/v2/security_monitoring/signals (EU site: https://api.datadoghq.eu/api/v2/security_monitoring/signals)
The list endpoint returns security signals that match a search query. Both this endpoint and the POST endpoint can be used interchangeably when listing security signals.
Query parameters, listed as name (type): description.

filter[query] (string): The search query for security signals.
filter[from] (string): The minimum timestamp for requested security signals.
filter[to] (string): The maximum timestamp for requested security signals.
sort (string): The order of the security signals in results.
page[cursor] (string): A list of results using the cursor provided in the previous query.
page[limit] (integer): The maximum number of security signals in the response.
OK
The response object with all security signals matching the request and pagination information.
Response fields, listed as field (type): description. Nested fields are indented under their parent.

data ([object]): An array of security signals matching the request.
    attributes (object): The object containing all signal attributes and their associated values.
        attributes (object): A JSON object of attributes in the security signal.
        message (string): The message in the security signal defined by the rule that generated the signal.
        tags (array): An array of tags associated with the security signal.
        timestamp (date-time): The timestamp of the security signal.
    id (string): The unique ID of the security signal.
    type (enum): The type of event. Allowed enum values: signal
links (object): Links attributes.
    next (string): The link for the next set of results. Note: The request can also be made using the POST endpoint.
meta (object): Meta attributes.
    page (object): Paging attributes.
        after (string): The cursor used to get the next results, if any. To make the next request, use the same parameters with the addition of the page[cursor].
{
  "data": [
    {
      "attributes": {
        "attributes": [
          {}
        ],
        "message": "Detect Account Take Over (ATO) through brute force attempts",
        "tags": [
          "security:attack",
          "technique:T1110-brute-force"
        ],
        "timestamp": "2019-01-02T09:42:36.320Z"
      },
      "id": "AAAAAWgN8Xwgr1vKDQAAAABBV2dOOFh3ZzZobm1mWXJFYTR0OA",
      "type": "signal"
    }
  ],
  "links": {
    "next": "https://app.datadoghq.com/api/v2/security_monitoring/signals?filter[query]=foo\u0026page[cursor]=eyJzdGFydEF0IjoiQVFBQUFYS2tMS3pPbm40NGV3QUFBQUJCV0V0clRFdDZVbG8zY3pCRmNsbHJiVmxDWlEifQ=="
  },
  "meta": {
    "page": {
      "after": "eyJzdGFydEF0IjoiQVFBQUFYS2tMS3pPbm40NGV3QUFBQUJCV0V0clRFdDZVbG8zY3pCRmNsbHJiVmxDWlEifQ=="
    }
  }
}
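As an added example (not code from this reference or from the Datadog client libraries) of the cursor pagination that both the POST search endpoint and this GET list endpoint document: a generator re-sends the same filter with page.cursor set from the previous response's meta.page.after until no cursor comes back, and a helper reads page[cursor] out of links.next. The HTTP call is replaced by a constructed in-memory fake that serves two pages in the documented response shape; the signal ids, cursors and timestamps are invented for the demonstration.

```python
from urllib.parse import parse_qs, urlparse


def cursor_from_next_link(url):
    """Extract page[cursor] from a links.next URL, or None when the URL carries no cursor."""
    return parse_qs(urlparse(url).query).get("page[cursor]", [None])[0]


def search_signals(post, query, start, end, limit=25, max_pages=100):
    """Yield every signal matching `query` between `start` and `end` (RFC 3339 strings).

    `post` sends the JSON body of POST /api/v2/security_monitoring/signals/search and
    returns the decoded response. Each further page re-sends the same filter with
    page.cursor set to the previous response's meta.page.after; a missing cursor
    means the last page has been reached.
    """
    body = {"filter": {"query": query, "from": start, "to": end},
            "page": {"limit": limit}, "sort": "timestamp"}
    seen = set()
    for _ in range(max_pages):
        resp = post(body)
        for signal in resp.get("data", []):
            yield signal
        after = resp.get("meta", {}).get("page", {}).get("after")
        if not after:
            return
        if after in seen:  # a repeated cursor would otherwise loop forever
            raise RuntimeError("server repeated a cursor, aborting pagination")
        seen.add(after)
        body = {**body, "page": {**body["page"], "cursor": after}}
    raise RuntimeError(f"stopped after {max_pages} pages")


def _signal(sid, message, tags, ts):
    """Build one signal in the documented response shape."""
    return {"id": sid, "type": "signal",
            "attributes": {"attributes": [{}], "message": message, "tags": tags, "timestamp": ts}}


# Constructed two-page result set, keyed by the cursor the client sends (None = first page).
_ATO_TAGS = ["security:attack", "technique:T1110-brute-force"]
FAKE_PAGES = {
    None: {
        "data": [_signal("sig-1", "Brute force login attempts", _ATO_TAGS, "2019-01-02T10:00:00.000Z"),
                 _signal("sig-2", "Brute force login attempts", _ATO_TAGS, "2019-01-02T10:05:00.000Z")],
        "links": {"next": "https://app.datadoghq.com/api/v2/security_monitoring/signals"
                          "?filter[query]=security:attack&page[cursor]=cursor-page-2"},
        "meta": {"page": {"after": "cursor-page-2"}},
    },
    "cursor-page-2": {
        "data": [_signal("sig-3", "Brute force login attempts", _ATO_TAGS, "2019-01-02T10:09:00.000Z")],
        "meta": {"page": {}},  # no "after": this is the last page
    },
}


def fake_post(body):
    """Stand-in for the HTTP call; serves FAKE_PAGES according to the cursor in the request."""
    return FAKE_PAGES[body["page"].get("cursor")]


def fetch_all_ids():
    """Run the paginator against the fake and return the signal ids in the order received."""
    return [s["id"] for s in search_signals(fake_post, "security:attack status:high",
                                            "2019-01-02T09:42:36.320Z", "2019-01-03T09:42:36.320Z")]


if __name__ == "__main__":
    print(fetch_all_ids())
    print(cursor_from_next_link(FAKE_PAGES[None]["links"]["next"]))
```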
Bad Request
API error response.
{
  "errors": [
    "Bad Request"
  ]
}
Not Authorized
API error response.
{
  "errors": [
    "Bad Request"
  ]
}
# Curl command (use api.datadoghq.eu instead of api.datadoghq.com for the EU site)
curl -X GET "https://api.datadoghq.com/api/v2/security_monitoring/signals" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_CLIENT_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_CLIENT_APP_KEY}"
package main
import (
"context"
"encoding/json"
"fmt"
"os"
"time"
datadog "github.com/DataDog/datadog-api-client-go/api/v2/datadog"
)
func main() {
ctx := context.WithValue(
context.Background(),
datadog.ContextAPIKeys,
map[string]datadog.APIKey{
"apiKeyAuth": {
Key: os.Getenv("DD_CLIENT_API_KEY"),
},
"appKeyAuth": {
Key: os.Getenv("DD_CLIENT_APP_KEY"),
},
},
)
filterQuery := "security:attack status:high" // string | The search query for security signals. (optional)
filterFrom := time.Now() // time.Time | The minimum timestamp for requested security signals. (optional)
filterTo := time.Now() // time.Time | The maximum timestamp for requested security signals. (optional)
sort := datadog.SecurityMonitoringSignalsSort("timestamp") // SecurityMonitoringSignalsSort | The order of the security signals in results. (optional)
pageCursor := "eyJzdGFydEF0IjoiQVFBQUFYS2tMS3pPbm40NGV3QUFBQUJCV0V0clRFdDZVbG8zY3pCRmNsbHJiVmxDWlEifQ==" // string | A list of results using the cursor provided in the previous query. (optional)
pageLimit := int32(25) // int32 | The maximum number of security signals in the response. (optional) (default to 10)
configuration := datadog.NewConfiguration()
configuration.SetUnstableOperationEnabled("ListSecurityMonitoringSignals", true)
api_client := datadog.NewAPIClient(configuration)
resp, r, err := api_client.SecurityMonitoringApi.ListSecurityMonitoringSignals(ctx).FilterQuery(filterQuery).FilterFrom(filterFrom).FilterTo(filterTo).Sort(sort).PageCursor(pageCursor).PageLimit(pageLimit).Execute()
if err != nil {
fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.ListSecurityMonitoringSignals`: %v\n", err)
fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
}
// response from `ListSecurityMonitoringSignals`: SecurityMonitoringSignalsListResponse
response_content, _ := json.MarshalIndent(resp, "", " ")
fmt.Fprintf(os.Stdout, "Response from SecurityMonitoringApi.ListSecurityMonitoringSignals:\n%s\n", response_content)
}
import java.time.OffsetDateTime;
// Import classes:
import java.util.*;
import com.datadog.api.v2.client.ApiClient;
import com.datadog.api.v2.client.ApiException;
import com.datadog.api.v2.client.Configuration;
import com.datadog.api.v2.client.auth.*;
import com.datadog.api.v2.client.model.*;
import com.datadog.api.v2.client.api.SecurityMonitoringApi;
public class Example {
public static void main(String[] args) {
ApiClient defaultClient = Configuration.getDefaultApiClient();
// Configure the Datadog site to send API calls to
HashMap<String, String> serverVariables = new HashMap<String, String>();
String site = System.getenv("DD_SITE");
if (site != null) {
serverVariables.put("site", site);
defaultClient.setServerVariables(serverVariables);
}
// Configure API key authorization:
HashMap<String, String> secrets = new HashMap<String, String>();
secrets.put("apiKeyAuth", System.getenv("DD_CLIENT_API_KEY"));
secrets.put("appKeyAuth", System.getenv("DD_CLIENT_APP_KEY"));
defaultClient.configureApiKeys(secrets);
SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);
String filterQuery = "security:attack status:high"; // String | The search query for security signals.
OffsetDateTime filterFrom = OffsetDateTime.now().minusDays(1); // OffsetDateTime | The minimum timestamp for requested security signals; a window with from == to returns nothing.
OffsetDateTime filterTo = OffsetDateTime.now(); // OffsetDateTime | The maximum timestamp for requested security signals.
SecurityMonitoringSignalsSort sort = SecurityMonitoringSignalsSort.fromValue("timestamp"); // SecurityMonitoringSignalsSort | The order of the security signals in results.
String pageCursor = "eyJzdGFydEF0IjoiQVFBQUFYS2tMS3pPbm40NGV3QUFBQUJCV0V0clRFdDZVbG8zY3pCRmNsbHJiVmxDWlEifQ=="; // String | A list of results using the cursor provided in the previous query.
Integer pageLimit = 10; // Integer | The maximum number of security signals in the response.
try {
SecurityMonitoringSignalsListResponse result = apiInstance.listSecurityMonitoringSignals()
.filterQuery(filterQuery)
.filterFrom(filterFrom)
.filterTo(filterTo)
.sort(sort)
.pageCursor(pageCursor)
.pageLimit(pageLimit)
.execute();
System.out.println(result);
} catch (ApiException e) {
System.err.println("Exception when calling SecurityMonitoringApi#listSecurityMonitoringSignals");
System.err.println("Status code: " + e.getCode());
System.err.println("Reason: " + e.getResponseBody());
System.err.println("Response headers: " + e.getResponseHeaders());
e.printStackTrace();
}
}
}
import os
from dateutil.parser import parse as dateutil_parser
import datadog_api_client.v2
from datadog_api_client.v2.api import security_monitoring_api
from datadog_api_client.v2.models import *
from pprint import pprint
# Defining the host is optional and defaults to https://api.datadoghq.com
# See configuration.py for a list of all supported configuration parameters.
configuration = datadog_api_client.v2.Configuration(
host = "https://api.datadoghq.com"
)
# The client must configure the authentication and authorization parameters
# in accordance with the API server security policy.
# Examples for each auth method are provided below, use the example that
# satisfies your auth use case.
# Configure API key authorization: apiKeyAuth
configuration.api_key['apiKeyAuth'] = os.getenv('DD_CLIENT_API_KEY')
# Uncomment below to setup prefix (e.g. Bearer) for API key, if needed
# configuration.api_key_prefix['apiKeyAuth'] = 'Bearer'
# Configure API key authorization: appKeyAuth
configuration.api_key['appKeyAuth'] = os.getenv('DD_CLIENT_APP_KEY')
# Uncomment below to setup prefix (e.g. Bearer) for API key, if needed
# configuration.api_key_prefix['appKeyAuth'] = 'Bearer'
configuration.unstable_operations["list_security_monitoring_signals"] = True
# Enter a context with an instance of the API client
with datadog_api_client.v2.ApiClient(configuration) as api_client:
# Create an instance of the API class
api_instance = security_monitoring_api.SecurityMonitoringApi(api_client)
filter_query = "security:attack status:high" # str | The search query for security signals. (optional)
filter_from = dateutil_parser('2019-01-02T09:42:36.320Z') # datetime | The minimum timestamp for requested security signals. (optional)
filter_to = dateutil_parser('2019-01-03T09:42:36.320Z') # datetime | The maximum timestamp for requested security signals. (optional)
sort = SecurityMonitoringSignalsSort("timestamp") # SecurityMonitoringSignalsSort | The order of the security signals in results. (optional)
page_cursor = "eyJzdGFydEF0IjoiQVFBQUFYS2tMS3pPbm40NGV3QUFBQUJCV0V0clRFdDZVbG8zY3pCRmNsbHJiVmxDWlEifQ==" # str | A list of results using the cursor provided in the previous query. (optional)
page_limit = 25 # int | The maximum number of security signals in the response. (optional) if omitted the server will use the default value of 10
# example passing only required values which don't have defaults set
# and optional values
try:
# Get a quick list of security signals
api_response = api_instance.list_security_monitoring_signals(filter_query=filter_query, filter_from=filter_from, filter_to=filter_to, sort=sort, page_cursor=page_cursor, page_limit=page_limit)
pprint(api_response)
except datadog_api_client.v2.ApiException as e:
print("Exception when calling SecurityMonitoringApi->list_security_monitoring_signals: %s\n" % e)
require 'time'
require 'datadog_api_client/v2'
# setup authorization
DatadogAPIClient::V2.configure do |config|
# Configure API key authorization: apiKeyAuth
config.api_key['apiKeyAuth'] = ENV["DD_CLIENT_API_KEY"]
# Uncomment the following line to set a prefix for the API key, e.g. 'Bearer' (defaults to nil)
# config.api_key_prefix['apiKeyAuth'] = 'Bearer'
# Configure API key authorization: appKeyAuth
config.api_key['appKeyAuth'] = ENV["DD_CLIENT_APP_KEY"]
# Uncomment the following line to set a prefix for the API key, e.g. 'Bearer' (defaults to nil)
# config.api_key_prefix['appKeyAuth'] = 'Bearer'
config.unstable_operations[:list_security_monitoring_signals] = true
end
api_instance = DatadogAPIClient::V2::SecurityMonitoringApi.new
opts = {
filter_query: 'security:attack status:high', # String | The search query for security signals.
filter_from: Time.parse('2019-01-02T09:42:36.320Z'), # Time | The minimum timestamp for requested security signals.
filter_to: Time.parse('2019-01-03T09:42:36.320Z'), # Time | The maximum timestamp for requested security signals.
sort: DatadogAPIClient::V2::SecurityMonitoringSignalsSort::TIMESTAMP_ASCENDING, # SecurityMonitoringSignalsSort | The order of the security signals in results.
page_cursor: 'eyJzdGFydEF0IjoiQVFBQUFYS2tMS3pPbm40NGV3QUFBQUJCV0V0clRFdDZVbG8zY3pCRmNsbHJiVmxDWlEifQ==', # String | A list of results using the cursor provided in the previous query.
page_limit: 25 # Integer | The maximum number of security signals in the response.
}
begin
# Get a quick list of security signals
result = api_instance.list_security_monitoring_signals(opts)
p result
rescue DatadogAPIClient::V2::ApiError => e
puts "Error when calling SecurityMonitoringApi->list_security_monitoring_signals: #{e}"
end
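The signals endpoint is cursor-paginated: the response carries the next cursor in meta.page.after (and a ready-made URL in links.next), and the next request must repeat the same filter parameters with page[cursor] added. The client examples above fetch a single page. The following is an added example, not part of the Datadog documentation or client libraries, that follows the cursor chain to the end, keeps the filter parameters stable across pages, and refuses to loop if a server ever hands back a cursor it already served. filter[query] and page[cursor] appear on this page; filter[from], filter[to] and page[limit] are assumed to follow the same bracket convention as the client setters FilterFrom, FilterTo and PageLimit. The sample pages and cursor strings are constructed for the offline run.

```python
import json
import urllib.parse
import urllib.request
from typing import Callable, Dict, Iterator, List, Optional

# Constructed sample pages shaped like the GET /api/v2/security_monitoring/signals
# response shown above. The cursor strings are placeholders, not real Datadog cursors.
SAMPLE_PAGES: Dict[Optional[str], dict] = {
    None: {  # first request: no page[cursor] yet
        "data": [
            {"id": "sig-1", "type": "signal", "attributes": {"timestamp": "2019-01-02T09:42:36.320Z"}},
            {"id": "sig-2", "type": "signal", "attributes": {"timestamp": "2019-01-02T09:43:10.001Z"}},
        ],
        "meta": {"page": {"after": "cursor-page-2"}},
    },
    "cursor-page-2": {
        "data": [{"id": "sig-3", "type": "signal", "attributes": {"timestamp": "2019-01-02T09:44:02.500Z"}}],
        "meta": {"page": {"after": "cursor-page-3"}},
    },
    # Last page: no "after" cursor, so iteration stops here.
    "cursor-page-3": {"data": [], "meta": {"page": {}}},
}


def fetch_sample_page(params: Dict[str, str]) -> dict:
    """Offline stand-in for the HTTP call: serves the constructed pages by cursor."""
    return SAMPLE_PAGES[params.get("page[cursor]")]


def make_http_fetch(site: str, api_key: str, app_key: str) -> Callable[[Dict[str, str]], dict]:
    """Real fetcher for a Datadog site (e.g. "datadoghq.com" or "datadoghq.eu").

    Uses the same two headers as the curl example above. Not called in the offline run.
    """
    def fetch(params: Dict[str, str]) -> dict:
        url = f"https://api.{site}/api/v2/security_monitoring/signals?" + urllib.parse.urlencode(params)
        req = urllib.request.Request(url, headers={"DD-API-KEY": api_key, "DD-APPLICATION-KEY": app_key})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return fetch


def iter_signals(fetch_page: Callable[[Dict[str, str]], dict], filter_query: str,
                 filter_from: Optional[str] = None, filter_to: Optional[str] = None,
                 page_limit: int = 10, max_pages: int = 10_000) -> Iterator[dict]:
    """Yield every signal matching the filter, following meta.page.after until it is absent."""
    params: Dict[str, str] = {"filter[query]": filter_query, "page[limit]": str(page_limit)}
    if filter_from:
        params["filter[from]"] = filter_from
    if filter_to:
        params["filter[to]"] = filter_to
    seen_cursors = set()
    for _ in range(max_pages):
        page = fetch_page(dict(params))  # same filter parameters every time, plus the cursor
        yield from page.get("data", [])
        cursor = page.get("meta", {}).get("page", {}).get("after")
        if not cursor:
            return  # no further results
        if cursor in seen_cursors:
            raise RuntimeError("server returned a cursor it already served; aborting to avoid an infinite loop")
        seen_cursors.add(cursor)
        params["page[cursor]"] = cursor
    raise RuntimeError(f"gave up after {max_pages} pages")


def collect_signal_ids(fetch_page: Callable[[Dict[str, str]], dict], filter_query: str) -> List[str]:
    """Convenience wrapper: the ids of all signals matching the filter, in server order."""
    return [signal["id"] for signal in iter_signals(fetch_page, filter_query)]


if __name__ == "__main__":
    print(collect_signal_ids(fetch_sample_page, "security:attack status:high"))
    # against a real site: collect_signal_ids(make_http_fetch("datadoghq.com", API_KEY, APP_KEY), "status:high")
```

Pass `make_http_fetch(...)` instead of `fetch_sample_page` to run against a live site; the pagination logic does not change. The `seen_cursors` guard and `max_pages` cap exist because a collector that trusts the cursor blindly will spin forever on a misbehaving or replayed response.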
GET https://api.datadoghq.eu/api/v2/security_monitoring/rules/{rule_id}
GET https://api.datadoghq.com/api/v2/security_monitoring/rules/{rule_id}
Get a rule’s details.
Name
Type
Description
rule_id [required]
string
The ID of the rule.
OK
Detection rule.
Field
Type
Description
cases
[object]
Cases for generating signals.
condition
string
A rule case contains logical operations (>, >=, &&, ||) to determine if a signal should be generated based on the event counts in the previously defined queries.
name
string
Name of the case.
notifications
[string]
Notification targets for each rule case.
status
enum
Severity of the Security Signal.
Allowed enum values: info,low,medium,high,critical
createdAt
int64
When the rule was created, timestamp in milliseconds.
creationAuthorId
int64
User ID of the user who created the rule.
filters
[object]
Additional queries to filter matched events before they are processed.
action
enum
The type of filtering action.
Allowed enum values: require,suppress
query
string
Query for selecting logs to apply the filtering action.
id
string
The ID of the rule.
isDefault
boolean
Whether the rule is included by default.
isDeleted
boolean
Whether the rule has been deleted.
isEnabled
boolean
Whether the rule is enabled.
message
string
Message for generated signals.
name
string
The name of the rule.
options
object
Options on rules.
evaluationWindow
enum
A time window is specified to match when at least one of the cases matches true. This is a sliding window
and evaluates in real time.
Allowed enum values: 0,60,300,600,900,1800,3600,7200
keepAlive
enum
Once a signal is generated, the signal will remain “open” if a case is matched at least once within
this keep alive window.
Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600
maxSignalDuration
enum
A signal will “close” regardless of the query being matched once the time exceeds the maximum duration.
This time is calculated from the first seen timestamp.
Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
queries
[object]
Queries for selecting logs which are part of the rule.
aggregation
enum
The aggregation type.
Allowed enum values: count,cardinality,sum,max
distinctFields
[string]
Field for which the cardinality is measured. Sent as an array.
groupByFields
[string]
Fields to group by.
metric
string
The target field to aggregate over when using the sum or max aggregations.
name
string
Name of the query.
query
string
Query to run on logs.
tags
[string]
Tags for generated signals.
version
int64
The version of the rule.
{
"cases": [
{
"condition": "string",
"name": "string",
"notifications": [],
"status": "string"
}
],
"createdAt": "integer",
"creationAuthorId": "integer",
"filters": [
{
"action": "string",
"query": "string"
}
],
"id": "string",
"isDefault": false,
"isDeleted": false,
"isEnabled": false,
"message": "string",
"name": "string",
"options": {
"evaluationWindow": "integer",
"keepAlive": "integer",
"maxSignalDuration": "integer"
},
"queries": [
{
"aggregation": "string",
"distinctFields": [],
"groupByFields": [],
"metric": "string",
"name": "string",
"query": "string"
}
],
"tags": [],
"version": "integer"
}
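A case's condition refers to the queries by their name and combines their aggregated counts for the evaluation window with >, >=, && and ||. When writing or reviewing rules it helps to be able to test such conditions offline against sample counts. The following is an added example, not Datadog's evaluation engine and not from the documentation: it accepts only the grammar described on this page and rejects everything else by walking the parsed AST instead of calling eval(), so a condition copied from an untrusted rule export cannot execute arbitrary code in the tool. The case names, query names and notification handles are constructed.

```python
import ast
from typing import Any, Dict, Iterable, List

# Constructed cases in the shape of the "cases" array above. Query names are assumed
# to be "failures" and "successes"; the notification handles are placeholders.
SAMPLE_CASES: List[Dict[str, Any]] = [
    {"name": "takeover", "condition": "failures > 10 && successes > 0", "status": "high",
     "notifications": ["@slack-security"]},
    {"name": "spray", "condition": "failures > 10", "status": "medium", "notifications": []},
]


def evaluate_condition(condition: str, counts: Dict[str, float]) -> bool:
    """Evaluate a rule-case condition such as "failures > 10 && successes >= 1".

    `counts` maps each query name to its aggregated value for the evaluation window.
    Only query names, numeric literals, > and >=, combined with && and ||, are accepted.
    """
    # && and || become Python's and/or; precedence (&& binds tighter than ||) is the same.
    source = condition.replace("&&", " and ").replace("||", " or ")
    try:
        tree = ast.parse(source, mode="eval")
    except SyntaxError as exc:
        raise ValueError(f"malformed condition {condition!r}") from exc
    return bool(_eval(tree.body, counts))


def _eval(node: ast.AST, counts: Dict[str, float]):
    if isinstance(node, ast.BoolOp):
        results = [_eval(value, counts) for value in node.values]
        return all(results) if isinstance(node.op, ast.And) else any(results)
    if isinstance(node, ast.Compare):
        if len(node.ops) != 1:
            raise ValueError("chained comparisons are not part of the condition grammar")
        left = _eval(node.left, counts)
        right = _eval(node.comparators[0], counts)
        if isinstance(node.ops[0], ast.Gt):
            return left > right
        if isinstance(node.ops[0], ast.GtE):
            return left >= right
        raise ValueError(f"unsupported comparison {type(node.ops[0]).__name__}")
    if isinstance(node, ast.Name):
        if node.id not in counts:
            raise KeyError(f"condition references unknown query {node.id!r}")
        return counts[node.id]
    if isinstance(node, ast.Constant) and type(node.value) in (int, float):
        return node.value
    # Calls, attributes, subscripts, strings, etc. are never evaluated.
    raise ValueError(f"unsupported syntax in condition: {type(node).__name__}")


def matching_cases(cases: Iterable[Dict[str, Any]], query_names: Iterable[str],
                   counts: Dict[str, float]) -> List[Dict[str, Any]]:
    """Return the cases whose condition holds; queries absent from `counts` saw 0 events."""
    window = {name: 0 for name in query_names}
    window.update(counts)
    return [case for case in cases if evaluate_condition(case["condition"], window)]


if __name__ == "__main__":
    hits = matching_cases(SAMPLE_CASES, ["failures", "successes"], {"failures": 12})
    print([(case["name"], case["status"]) for case in hits])
```

Because every query named in a rule has a count for the window (zero when nothing matched), `matching_cases` fills missing names with 0 before evaluating; a name that is not a query of the rule at all is reported as an error rather than silently treated as zero.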
Not Found
API error response.
{
"errors": [
"Bad Request"
]
}
# Path parameters
export rule_id="CHANGE_ME"
# Curl command (US site shown; use https://api.datadoghq.eu for the EU site)
curl -X GET "https://api.datadoghq.com/api/v2/security_monitoring/rules/${rule_id}" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_CLIENT_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_CLIENT_APP_KEY}"
package main
import (
"context"
"encoding/json"
"fmt"
"os"
datadog "github.com/DataDog/datadog-api-client-go/api/v2/datadog"
)
func main() {
ctx := context.WithValue(
context.Background(),
datadog.ContextAPIKeys,
map[string]datadog.APIKey{
"apiKeyAuth": {
Key: os.Getenv("DD_CLIENT_API_KEY"),
},
"appKeyAuth": {
Key: os.Getenv("DD_CLIENT_APP_KEY"),
},
},
)
ruleId := "ruleId_example" // string | The ID of the rule.
configuration := datadog.NewConfiguration()
api_client := datadog.NewAPIClient(configuration)
resp, r, err := api_client.SecurityMonitoringApi.GetSecurityMonitoringRule(ctx, ruleId).Execute()
if err != nil {
fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.GetSecurityMonitoringRule`: %v\n", err)
fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
}
// response from `GetSecurityMonitoringRule`: SecurityMonitoringRuleResponse
response_content, _ := json.MarshalIndent(resp, "", " ")
fmt.Fprintf(os.Stdout, "Response from SecurityMonitoringApi.GetSecurityMonitoringRule:\n%s\n", response_content)
}
// Import classes:
import java.util.*;
import com.datadog.api.v2.client.ApiClient;
import com.datadog.api.v2.client.ApiException;
import com.datadog.api.v2.client.Configuration;
import com.datadog.api.v2.client.auth.*;
import com.datadog.api.v2.client.model.*;
import com.datadog.api.v2.client.api.SecurityMonitoringApi;
public class Example {
public static void main(String[] args) {
ApiClient defaultClient = Configuration.getDefaultApiClient();
// Configure the Datadog site to send API calls to
HashMap<String, String> serverVariables = new HashMap<String, String>();
String site = System.getenv("DD_SITE");
if (site != null) {
serverVariables.put("site", site);
defaultClient.setServerVariables(serverVariables);
}
// Configure API key authorization:
HashMap<String, String> secrets = new HashMap<String, String>();
secrets.put("apiKeyAuth", System.getenv("DD_CLIENT_API_KEY"));
secrets.put("appKeyAuth", System.getenv("DD_CLIENT_APP_KEY"));
defaultClient.configureApiKeys(secrets);
SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);
String ruleId = "ruleId_example"; // String | The ID of the rule.
try {
SecurityMonitoringRuleResponse result = apiInstance.getSecurityMonitoringRule(ruleId)
.execute();
System.out.println(result);
} catch (ApiException e) {
System.err.println("Exception when calling SecurityMonitoringApi#getSecurityMonitoringRule");
System.err.println("Status code: " + e.getCode());
System.err.println("Reason: " + e.getResponseBody());
System.err.println("Response headers: " + e.getResponseHeaders());
e.printStackTrace();
}
}
}
import os
from dateutil.parser import parse as dateutil_parser
import datadog_api_client.v2
from datadog_api_client.v2.api import security_monitoring_api
from datadog_api_client.v2.models import *
from pprint import pprint
# Defining the host is optional and defaults to https://api.datadoghq.com
# See configuration.py for a list of all supported configuration parameters.
configuration = datadog_api_client.v2.Configuration(
host = "https://api.datadoghq.com"
)
# The client must configure the authentication and authorization parameters
# in accordance with the API server security policy.
# Examples for each auth method are provided below, use the example that
# satisfies your auth use case.
# Configure API key authorization: apiKeyAuth
configuration.api_key['apiKeyAuth'] = os.getenv('DD_CLIENT_API_KEY')
# Uncomment below to setup prefix (e.g. Bearer) for API key, if needed
# configuration.api_key_prefix['apiKeyAuth'] = 'Bearer'
# Configure API key authorization: appKeyAuth
configuration.api_key['appKeyAuth'] = os.getenv('DD_CLIENT_APP_KEY')
# Uncomment below to setup prefix (e.g. Bearer) for API key, if needed
# configuration.api_key_prefix['appKeyAuth'] = 'Bearer'
# Enter a context with an instance of the API client
with datadog_api_client.v2.ApiClient(configuration) as api_client:
# Create an instance of the API class
api_instance = security_monitoring_api.SecurityMonitoringApi(api_client)
rule_id = "rule_id_example" # str | The ID of the rule.
# example passing only required values which don't have defaults set
try:
# Get a rule's details
api_response = api_instance.get_security_monitoring_rule(rule_id)
pprint(api_response)
except datadog_api_client.v2.ApiException as e:
print("Exception when calling SecurityMonitoringApi->get_security_monitoring_rule: %s\n" % e)
require 'time'
require 'datadog_api_client/v2'
# setup authorization
DatadogAPIClient::V2.configure do |config|
# Configure API key authorization: apiKeyAuth
config.api_key['apiKeyAuth'] = ENV["DD_CLIENT_API_KEY"]
# Uncomment the following line to set a prefix for the API key, e.g. 'Bearer' (defaults to nil)
# config.api_key_prefix['apiKeyAuth'] = 'Bearer'
# Configure API key authorization: appKeyAuth
config.api_key['appKeyAuth'] = ENV["DD_CLIENT_APP_KEY"]
# Uncomment the following line to set a prefix for the API key, e.g. 'Bearer' (defaults to nil)
# config.api_key_prefix['appKeyAuth'] = 'Bearer'
end
api_instance = DatadogAPIClient::V2::SecurityMonitoringApi.new
rule_id = 'rule_id_example' # String | The ID of the rule.
begin
# Get a rule's details
result = api_instance.get_security_monitoring_rule(rule_id)
p result
rescue DatadogAPIClient::V2::ApiError => e
puts "Error when calling SecurityMonitoringApi->get_security_monitoring_rule: #{e}"
end
GET https://api.datadoghq.eu/api/v2/security_monitoring/rules
GET https://api.datadoghq.com/api/v2/security_monitoring/rules
List rules.
Name
Type
Description
page[size]
integer
Size for a given page.
page[number]
integer
Specific page number to return.
OK
List of rules.
Field
Type
Description
data
[object]
Array of detection rules.
cases
[object]
Cases for generating signals.
condition
string
A rule case contains logical operations (>, >=, &&, ||) to determine if a signal should be generated based on the event counts in the previously defined queries.
name
string
Name of the case.
notifications
[string]
Notification targets for each rule case.
status
enum
Severity of the Security Signal.
Allowed enum values: info,low,medium,high,critical
createdAt
int64
When the rule was created, timestamp in milliseconds.
creationAuthorId
int64
User ID of the user who created the rule.
filters
[object]
Additional queries to filter matched events before they are processed.
action
enum
The type of filtering action.
Allowed enum values: require,suppress
query
string
Query for selecting logs to apply the filtering action.
id
string
The ID of the rule.
isDefault
boolean
Whether the rule is included by default.
isDeleted
boolean
Whether the rule has been deleted.
isEnabled
boolean
Whether the rule is enabled.
message
string
Message for generated signals.
name
string
The name of the rule.
options
object
Options on rules.
evaluationWindow
enum
A time window is specified to match when at least one of the cases matches true. This is a sliding window
and evaluates in real time.
Allowed enum values: 0,60,300,600,900,1800,3600,7200
keepAlive
enum
Once a signal is generated, the signal will remain “open” if a case is matched at least once within
this keep alive window.
Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600
maxSignalDuration
enum
A signal will “close” regardless of the query being matched once the time exceeds the maximum duration.
This time is calculated from the first seen timestamp.
Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
queries
[object]
Queries for selecting logs which are part of the rule.
aggregation
enum
The aggregation type.
Allowed enum values: count,cardinality,sum,max
distinctFields
[string]
Field for which the cardinality is measured. Sent as an array.
groupByFields
[string]
Fields to group by.
metric
string
The target field to aggregate over when using the sum or max aggregations.
name
string
Name of the query.
query
string
Query to run on logs.
tags
[string]
Tags for generated signals.
version
int64
The version of the rule.
meta
object
Object describing meta attributes of response.
page
object
Pagination object.
total_count
int64
Total count.
total_filtered_count
int64
Total count of elements matched by the filter.
{
"data": [
{
"cases": [
{
"condition": "string",
"name": "string",
"notifications": [],
"status": "string"
}
],
"createdAt": "integer",
"creationAuthorId": "integer",
"filters": [
{
"action": "string",
"query": "string"
}
],
"id": "string",
"isDefault": false,
"isDeleted": false,
"isEnabled": false,
"message": "string",
"name": "string",
"options": {
"evaluationWindow": "integer",
"keepAlive": "integer",
"maxSignalDuration": "integer"
},
"queries": [
{
"aggregation": "string",
"distinctFields": [],
"groupByFields": [],
"metric": "string",
"name": "string",
"query": "string"
}
],
"tags": [],
"version": "integer"
}
],
"meta": {
"page": {
"total_count": "integer",
"total_filtered_count": "integer"
}
}
}
Bad Request
API error response.
{
"errors": [
"Bad Request"
]
}
# Curl command (US site shown; use https://api.datadoghq.eu for the EU site)
curl -X GET "https://api.datadoghq.com/api/v2/security_monitoring/rules" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_CLIENT_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_CLIENT_APP_KEY}"
package main
import (
"context"
"encoding/json"
"fmt"
"os"
datadog "github.com/DataDog/datadog-api-client-go/api/v2/datadog"
)
func main() {
ctx := context.WithValue(
context.Background(),
datadog.ContextAPIKeys,
map[string]datadog.APIKey{
"apiKeyAuth": {
Key: os.Getenv("DD_CLIENT_API_KEY"),
},
"appKeyAuth": {
Key: os.Getenv("DD_CLIENT_APP_KEY"),
},
},
)
pageSize := int64(10) // int64 | Size for a given page. (optional) (default to 10)
pageNumber := int64(0) // int64 | Specific page number to return. (optional) (default to 0)
configuration := datadog.NewConfiguration()
api_client := datadog.NewAPIClient(configuration)
resp, r, err := api_client.SecurityMonitoringApi.ListSecurityMonitoringRules(ctx).PageSize(pageSize).PageNumber(pageNumber).Execute()
if err != nil {
fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.ListSecurityMonitoringRules`: %v\n", err)
fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
}
// response from `ListSecurityMonitoringRules`: SecurityMonitoringListRulesResponse
response_content, _ := json.MarshalIndent(resp, "", " ")
fmt.Fprintf(os.Stdout, "Response from SecurityMonitoringApi.ListSecurityMonitoringRules:\n%s\n", response_content)
}
// Import classes:
import java.util.*;
import com.datadog.api.v2.client.ApiClient;
import com.datadog.api.v2.client.ApiException;
import com.datadog.api.v2.client.Configuration;
import com.datadog.api.v2.client.auth.*;
import com.datadog.api.v2.client.model.*;
import com.datadog.api.v2.client.api.SecurityMonitoringApi;
public class Example {
public static void main(String[] args) {
ApiClient defaultClient = Configuration.getDefaultApiClient();
// Configure the Datadog site to send API calls to
HashMap<String, String> serverVariables = new HashMap<String, String>();
String site = System.getenv("DD_SITE");
if (site != null) {
serverVariables.put("site", site);
defaultClient.setServerVariables(serverVariables);
}
// Configure API key authorization:
HashMap<String, String> secrets = new HashMap<String, String>();
secrets.put("apiKeyAuth", System.getenv("DD_CLIENT_API_KEY"));
secrets.put("appKeyAuth", System.getenv("DD_CLIENT_APP_KEY"));
defaultClient.configureApiKeys(secrets);
SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);
Long pageSize = 10l; // Long | Size for a given page.
Long pageNumber = 0l; // Long | Specific page number to return.
try {
SecurityMonitoringListRulesResponse result = apiInstance.listSecurityMonitoringRules()
.pageSize(pageSize)
.pageNumber(pageNumber)
.execute();
System.out.println(result);
} catch (ApiException e) {
System.err.println("Exception when calling SecurityMonitoringApi#listSecurityMonitoringRules");
System.err.println("Status code: " + e.getCode());
System.err.println("Reason: " + e.getResponseBody());
System.err.println("Response headers: " + e.getResponseHeaders());
e.printStackTrace();
}
}
}
import os
from dateutil.parser import parse as dateutil_parser
import datadog_api_client.v2
from datadog_api_client.v2.api import security_monitoring_api
from datadog_api_client.v2.models import *
from pprint import pprint
# Defining the host is optional and defaults to https://api.datadoghq.com
# See configuration.py for a list of all supported configuration parameters.
configuration = datadog_api_client.v2.Configuration(
host = "https://api.datadoghq.com"
)
# The client must configure the authentication and authorization parameters
# in accordance with the API server security policy.
# Examples for each auth method are provided below, use the example that
# satisfies your auth use case.
# Configure API key authorization: apiKeyAuth
configuration.api_key['apiKeyAuth'] = os.getenv('DD_CLIENT_API_KEY')
# Uncomment below to setup prefix (e.g. Bearer) for API key, if needed
# configuration.api_key_prefix['apiKeyAuth'] = 'Bearer'
# Configure API key authorization: appKeyAuth
configuration.api_key['appKeyAuth'] = os.getenv('DD_CLIENT_APP_KEY')
# Uncomment below to setup prefix (e.g. Bearer) for API key, if needed
# configuration.api_key_prefix['appKeyAuth'] = 'Bearer'
# Enter a context with an instance of the API client
with datadog_api_client.v2.ApiClient(configuration) as api_client:
# Create an instance of the API class
api_instance = security_monitoring_api.SecurityMonitoringApi(api_client)
page_size = 10 # int | Size for a given page. (optional) if omitted the server will use the default value of 10
page_number = 0 # int | Specific page number to return. (optional) if omitted the server will use the default value of 0
# example passing only required values which don't have defaults set
# and optional values
try:
# List rules
api_response = api_instance.list_security_monitoring_rules(page_size=page_size, page_number=page_number)
pprint(api_response)
except datadog_api_client.v2.ApiException as e:
print("Exception when calling SecurityMonitoringApi->list_security_monitoring_rules: %s\n" % e)
require 'time'
require 'datadog_api_client/v2'
# setup authorization
DatadogAPIClient::V2.configure do |config|
# Configure API key authorization: apiKeyAuth
config.api_key['apiKeyAuth'] = ENV["DD_CLIENT_API_KEY"]
# Uncomment the following line to set a prefix for the API key, e.g. 'Bearer' (defaults to nil)
# config.api_key_prefix['apiKeyAuth'] = 'Bearer'
# Configure API key authorization: appKeyAuth
config.api_key['appKeyAuth'] = ENV["DD_CLIENT_APP_KEY"]
# Uncomment the following line to set a prefix for the API key, e.g. 'Bearer' (defaults to nil)
# config.api_key_prefix['appKeyAuth'] = 'Bearer'
end
api_instance = DatadogAPIClient::V2::SecurityMonitoringApi.new
opts = {
page_size: 10, # Integer | Size for a given page.
page_number: 0 # Integer | Specific page number to return.
}
begin
# List rules
result = api_instance.list_security_monitoring_rules(opts)
p result
rescue DatadogAPIClient::V2::ApiError => e
puts "Error when calling SecurityMonitoringApi->list_security_monitoring_rules: #{e}"
end
PUT https://api.datadoghq.eu/api/v2/security_monitoring/rules/{rule_id}
PUT https://api.datadoghq.com/api/v2/security_monitoring/rules/{rule_id}
Update an existing rule. When updating cases, queries or options, the whole field must be included. For example, when modifying a query all queries must be included.
Default rules can only be updated to be enabled and to change notifications.
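The two constraints above are easy to violate with a hand-built PUT body: sending a single changed query replaces the whole queries array, and a default rule rejects anything except enabling it or changing case notifications. The following is an added example, not part of the Datadog documentation or client libraries, that builds the update body by read-modify-write from a rule as returned by GET /api/v2/security_monitoring/rules/{rule_id}: it always carries the complete cases, queries or options field it touches, rejects fields the PUT schema does not accept, and refuses changes to a default rule beyond isEnabled and notifications before any request is sent. The sample rule, query strings and notification handles are constructed.

```python
import copy
import json
from typing import Any, Dict, List

# Constructed rule in the shape of the GET rule response above; values are illustrative.
SAMPLE_RULE: Dict[str, Any] = {
    "id": "abc-123-def",
    "name": "Brute force login attempts",
    "isDefault": False,
    "isEnabled": True,
    "message": "Many failed logins for {{@usr.id}}",
    "queries": [
        {"name": "failures", "query": "source:auth @evt.outcome:failure", "aggregation": "count",
         "groupByFields": ["@usr.id"], "distinctFields": [], "metric": ""},
        {"name": "successes", "query": "source:auth @evt.outcome:success", "aggregation": "count",
         "groupByFields": ["@usr.id"], "distinctFields": [], "metric": ""},
    ],
    "cases": [
        {"name": "takeover", "condition": "failures > 10 && successes > 0", "status": "high",
         "notifications": ["@slack-security"]},
        {"name": "spray", "condition": "failures > 10", "status": "medium", "notifications": []},
    ],
    "options": {"evaluationWindow": 300, "keepAlive": 600, "maxSignalDuration": 3600},
    "filters": [],
    "tags": ["security:attack"],
    "version": 4,
}

# Request fields accepted by PUT /api/v2/security_monitoring/rules/{rule_id} (schema above).
UPDATE_FIELDS = {"cases", "filters", "isEnabled", "message", "name", "options", "queries", "tags"}


def replace_query(rule: Dict[str, Any], query_name: str, new_query: str) -> List[Dict[str, Any]]:
    """Return the rule's COMPLETE queries array with one entry's query string replaced."""
    queries = copy.deepcopy(rule["queries"])
    matches = [q for q in queries if q.get("name") == query_name]
    if len(matches) != 1:
        raise KeyError(f"rule has {len(matches)} queries named {query_name!r}")
    matches[0]["query"] = new_query
    return queries


def set_case_notifications(rule: Dict[str, Any], case_name: str, notifications: List[str]) -> List[Dict[str, Any]]:
    """Return the rule's COMPLETE cases array with one case's notification targets replaced."""
    cases = copy.deepcopy(rule["cases"])
    matches = [c for c in cases if c.get("name") == case_name]
    if len(matches) != 1:
        raise KeyError(f"rule has {len(matches)} cases named {case_name!r}")
    matches[0]["notifications"] = list(notifications)
    return cases


def _without_notifications(cases: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    return [{k: v for k, v in case.items() if k != "notifications"} for case in cases]


def build_update_payload(rule: Dict[str, Any], changes: Dict[str, Any]) -> Dict[str, Any]:
    """Validate `changes` against the current rule and return the PUT body."""
    unknown = set(changes) - UPDATE_FIELDS
    if unknown:
        raise ValueError(f"not updatable via PUT: {sorted(unknown)}")
    for field in ("cases", "queries"):
        if field in changes and not isinstance(changes[field], list):
            raise ValueError(f"{field} must be the complete list, got {type(changes[field]).__name__}")
    if "options" in changes:
        # A partial options object would silently drop the keys it omits.
        dropped = set(rule.get("options", {})) - set(changes["options"])
        if dropped:
            raise ValueError(f"options must be sent whole; missing {sorted(dropped)}")
    if rule.get("isDefault"):
        for field, value in changes.items():
            if field == "isEnabled":
                continue
            if field == "cases" and _without_notifications(value) == _without_notifications(rule["cases"]):
                continue
            raise ValueError(f"default rule: only isEnabled and case notifications may change, not {field!r}")
    return copy.deepcopy(changes)


if __name__ == "__main__":
    body = build_update_payload(SAMPLE_RULE, {
        "queries": replace_query(SAMPLE_RULE, "successes", "source:auth @evt.outcome:success -@usr.id:svc-*"),
    })
    print(json.dumps(body, indent=2))  # send as the PUT body for SAMPLE_RULE["id"]
```

The returned dict is the JSON to PUT to /api/v2/security_monitoring/rules/{rule_id}; fetch the rule immediately before building the body, since the server also reports a Concurrent Modification error when the rule changed underneath you.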
Name
Type
Description
rule_id [required]
string
The ID of the rule.
Field
Type
Description
cases
[object]
Cases for generating signals.
condition
string
A rule case contains logical operations (>, >=, &&, ||) to determine if a signal should be generated based on the event counts in the previously defined queries.
name
string
Name of the case.
notifications
[string]
Notification targets for each rule case.
status
enum
Severity of the Security Signal.
Allowed enum values: info,low,medium,high,critical
filters
[object]
Additional queries to filter matched events before they are processed.
action
enum
The type of filtering action.
Allowed enum values: require,suppress
query
string
Query for selecting logs to apply the filtering action.
isEnabled
boolean
Whether the rule is enabled.
message
string
Message for generated signals.
name
string
Name of the rule.
options
object
Options on rules.
evaluationWindow
enum
A time window is specified to match when at least one of the cases matches true. This is a sliding window
and evaluates in real time.
Allowed enum values: 0,60,300,600,900,1800,3600,7200
keepAlive
enum
Once a signal is generated, the signal will remain “open” if a case is matched at least once within
this keep alive window.
Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600
maxSignalDuration
enum
A signal will “close” regardless of the query being matched once the time exceeds the maximum duration.
This time is calculated from the first seen timestamp.
Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
queries
[object]
Queries for selecting logs which are part of the rule.
aggregation
enum
The aggregation type.
Allowed enum values: count,cardinality,sum,max
distinctFields
[string]
Field for which the cardinality is measured. Sent as an array.
groupByFields
[string]
Fields to group by.
metric
string
The target field to aggregate over when using the sum or max aggregations.
name
string
Name of the query.
query
string
Query to run on logs.
tags
[string]
Tags for generated signals.
{
"cases": [
{
"condition": "string",
"name": "string",
"notifications": [],
"status": "string"
}
],
"filters": [
{
"action": "string",
"query": "string"
}
],
"isEnabled": false,
"message": "string",
"name": "string",
"options": {
"evaluationWindow": "integer",
"keepAlive": "integer",
"maxSignalDuration": "integer"
},
"queries": [
{
"aggregation": "string",
"distinctFields": [],
"groupByFields": [],
"metric": "string",
"name": "string",
"query": "string"
}
],
"tags": []
}
OK
Detection rule.
Field
Type
Description
cases
[object]
Cases for generating signals.
condition
string
A rule case contains logical operations (>, >=, &&, ||) to determine if a signal should be generated based on the event counts in the previously defined queries.
name
string
Name of the case.
notifications
[string]
Notification targets for each rule case.
status
enum
Severity of the Security Signal.
Allowed enum values: info,low,medium,high,critical
createdAt
int64
When the rule was created, timestamp in milliseconds.
creationAuthorId
int64
User ID of the user who created the rule.
filters
[object]
Additional queries to filter matched events before they are processed.
action
enum
The type of filtering action.
Allowed enum values: require,suppress
query
string
Query for selecting logs to apply the filtering action.
id
string
The ID of the rule.
isDefault
boolean
Whether the rule is included by default.
isDeleted
boolean
Whether the rule has been deleted.
isEnabled
boolean
Whether the rule is enabled.
message
string
Message for generated signals.
name
string
The name of the rule.
options
object
Options on rules.
evaluationWindow
enum
A time window is specified to match when at least one of the cases matches true. This is a sliding window
and evaluates in real time.
Allowed enum values: 0,60,300,600,900,1800,3600,7200
keepAlive
enum
Once a signal is generated, the signal will remain “open” if a case is matched at least once within
this keep alive window.
Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600
maxSignalDuration
enum
A signal will “close” regardless of the query being matched once the time exceeds the maximum duration.
This time is calculated from the first seen timestamp.
Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
queries
[object]
Queries for selecting logs which are part of the rule.
aggregation
enum
The aggregation type.
Allowed enum values: count,cardinality,sum,max
distinctFields
[string]
Field for which the cardinality is measured. Sent as an array.
groupByFields
[string]
Fields to group by.
metric
string
The target field to aggregate over when using the sum or max aggregations.
name
string
Name of the query.
query
string
Query to run on logs.
tags
[string]
Tags for generated signals.
version
int64
The version of the rule.
{
  "cases": [
    {
      "condition": "string",
      "name": "string",
      "notifications": [],
      "status": "string"
    }
  ],
  "createdAt": "integer",
  "creationAuthorId": "integer",
  "filters": [
    {
      "action": "string",
      "query": "string"
    }
  ],
  "id": "string",
  "isDefault": false,
  "isDeleted": false,
  "isEnabled": false,
  "message": "string",
  "name": "string",
  "options": {
    "evaluationWindow": "integer",
    "keepAlive": "integer",
    "maxSignalDuration": "integer"
  },
  "queries": [
    {
      "aggregation": "string",
      "distinctFields": [],
      "groupByFields": [],
      "metric": "string",
      "name": "string",
      "query": "string"
    }
  ],
  "tags": [],
  "version": "integer"
}
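As an added example that is not part of the Datadog documentation or its client libraries: a rule body in the shape described by the field list above, constructed for a hypothetical failed-login detection (the log query, the @usr.id and @evt.outcome field names and the suppression query are assumptions), together with a local check against the enum values, the cardinality/sum/max requirements and the query names referenced by case conditions, so that the body can be verified before it is sent as the request body in the curl or client samples.

```python
import re
EVALUATION_WINDOWS = {0, 60, 300, 600, 900, 1800, 3600, 7200}  # allowed values from the field list above
KEEP_ALIVES = EVALUATION_WINDOWS | {10800, 21600}
MAX_SIGNAL_DURATIONS = KEEP_ALIVES | {43200, 86400}
SEVERITIES = {"info", "low", "medium", "high", "critical"}
AGGREGATIONS, FILTER_ACTIONS = {"count", "cardinality", "sum", "max"}, {"require", "suppress"}

def failed_login_rule() -> dict:
    """Constructed rule body (not from the docs): repeated failed logins by one user; query and field names are assumptions."""
    return {
        "name": "Repeated failed logins for a single user",
        "isEnabled": True,
        "message": "A user failed to authenticate repeatedly within the evaluation window.",
        # query "a" counts failing auth events per user; the cases below refer to it by name
        "queries": [{"name": "a", "query": "source:auth @evt.outcome:failure",
                     "aggregation": "count", "groupByFields": ["@usr.id"]}],
        "filters": [{"action": "suppress", "query": "@usr.id:synthetic-monitor"}],  # drop a noisy account
        "cases": [
            {"name": "high volume", "condition": "a > 50", "status": "high", "notifications": []},
            {"name": "low volume", "condition": "a > 10", "status": "medium", "notifications": []},
        ],
        # 5-minute sliding window; stays open while re-matched for 10 min; force-closed after 1 h
        "options": {"evaluationWindow": 300, "keepAlive": 600, "maxSignalDuration": 3600},
    }

def validate_rule(rule: dict) -> list[str]:
    """Check a rule body against the constraints documented above; an empty list means it passed."""
    problems, names = [], {q.get("name") for q in rule.get("queries", [])}
    for q in rule.get("queries", []):
        agg, qn = q.get("aggregation"), q.get("name")
        if agg not in AGGREGATIONS:
            problems.append(f"query {qn}: bad aggregation {agg!r}")
        if agg == "cardinality" and not q.get("distinctFields"):
            problems.append(f"query {qn}: cardinality needs distinctFields")
        if agg in ("sum", "max") and not q.get("metric"):
            problems.append(f"query {qn}: {agg} needs metric")
    for c in rule.get("cases", []):
        if c.get("status") not in SEVERITIES:
            problems.append(f"case {c.get('name')}: bad status {c.get('status')!r}")
        for ref in re.findall(r"[A-Za-z_]\w*", c.get("condition", "")):  # query names in the condition
            if ref not in names:
                problems.append(f"case {c.get('name')}: unknown query {ref!r}")
    problems += [f"filter: bad action {f.get('action')!r}"
                 for f in rule.get("filters", []) if f.get("action") not in FILTER_ACTIONS]
    opts = rule.get("options", {})
    for key, allowed in (("evaluationWindow", EVALUATION_WINDOWS), ("keepAlive", KEEP_ALIVES),
                         ("maxSignalDuration", MAX_SIGNAL_DURATIONS)):
        if opts.get(key) not in allowed:
            problems.append(f"options.{key}: {opts.get(key)!r} not an allowed value")
    return problems
```

`json.dumps(failed_login_rule())` gives the body to feed to the curl sample; the same dict can be passed to the client libraries as the update or create payload.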
Bad Request
API error response.
{
  "errors": [
    "Bad Request"
  ]
}
Concurrent Modification
API error response.
{
  "errors": [
    "Bad Request"
  ]
}
Not Authorized
API error response.
{
  "errors": [
    "Bad Request"
  ]
}
Not Found
API error response.
{
  "errors": [
    "Bad Request"
  ]
}
# Path parameters
export rule_id="CHANGE_ME"
# Curl command (use https://api.datadoghq.eu for the EU site)
curl -X PUT "https://api.datadoghq.com/api/v2/security_monitoring/rules/${rule_id}" \
  -H "Content-Type: application/json" \
  -H "DD-API-KEY: ${DD_CLIENT_API_KEY}" \
  -H "DD-APPLICATION-KEY: ${DD_CLIENT_APP_KEY}" \
  -d @- << EOF
{}
EOF
package main

import (
    "context"
    "encoding/json"
    "fmt"
    "os"

    datadog "github.com/DataDog/datadog-api-client-go/api/v2/datadog"
)

func main() {
    ctx := context.WithValue(
        context.Background(),
        datadog.ContextAPIKeys,
        map[string]datadog.APIKey{
            "apiKeyAuth": {
                Key: os.Getenv("DD_CLIENT_API_KEY"),
            },
            "appKeyAuth": {
                Key: os.Getenv("DD_CLIENT_APP_KEY"),
            },
        },
    )

    ruleId := "ruleId_example"                                // string | The ID of the rule.
    body := *datadog.NewSecurityMonitoringRuleUpdatePayload() // SecurityMonitoringRuleUpdatePayload |

    configuration := datadog.NewConfiguration()
    api_client := datadog.NewAPIClient(configuration)
    resp, r, err := api_client.SecurityMonitoringApi.UpdateSecurityMonitoringRule(ctx, ruleId).Body(body).Execute()
    if err != nil {
        fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.UpdateSecurityMonitoringRule`: %v\n", err)
        fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
    }
    // response from `UpdateSecurityMonitoringRule`: SecurityMonitoringRuleResponse
    response_content, _ := json.MarshalIndent(resp, "", "  ")
    fmt.Fprintf(os.Stdout, "Response from SecurityMonitoringApi.UpdateSecurityMonitoringRule:\n%s\n", response_content)
}
// Import classes:
import java.util.*;
import com.datadog.api.v2.client.ApiClient;
import com.datadog.api.v2.client.ApiException;
import com.datadog.api.v2.client.Configuration;
import com.datadog.api.v2.client.auth.*;
import com.datadog.api.v2.client.model.*;
import com.datadog.api.v2.client.api.SecurityMonitoringApi;

public class Example {
    public static void main(String[] args) {
        ApiClient defaultClient = Configuration.getDefaultApiClient();

        // Configure the Datadog site to send API calls to
        HashMap<String, String> serverVariables = new HashMap<String, String>();
        String site = System.getenv("DD_SITE");
        if (site != null) {
            serverVariables.put("site", site);
            defaultClient.setServerVariables(serverVariables);
        }

        // Configure API key authorization:
        HashMap<String, String> secrets = new HashMap<String, String>();
        secrets.put("apiKeyAuth", System.getenv("DD_CLIENT_API_KEY"));
        secrets.put("appKeyAuth", System.getenv("DD_CLIENT_APP_KEY"));
        defaultClient.configureApiKeys(secrets);

        SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);
        String ruleId = "ruleId_example"; // String | The ID of the rule.
        SecurityMonitoringRuleUpdatePayload body = new SecurityMonitoringRuleUpdatePayload(); // SecurityMonitoringRuleUpdatePayload |
        try {
            SecurityMonitoringRuleResponse result = apiInstance.updateSecurityMonitoringRule(ruleId)
                .body(body)
                .execute();
            System.out.println(result);
        } catch (ApiException e) {
            System.err.println("Exception when calling SecurityMonitoringApi#updateSecurityMonitoringRule");
            System.err.println("Status code: " + e.getCode());
            System.err.println("Reason: " + e.getResponseBody());
            System.err.println("Response headers: " + e.getResponseHeaders());
            e.printStackTrace();
        }
    }
}
import os
from dateutil.parser import parse as dateutil_parser
import datadog_api_client.v2
from datadog_api_client.v2.api import security_monitoring_api
from datadog_api_client.v2.models import *
from pprint import pprint

# Defining the host is optional and defaults to https://api.datadoghq.com
# See configuration.py for a list of all supported configuration parameters.
configuration = datadog_api_client.v2.Configuration(
    host = "https://api.datadoghq.com"
)

# The client must configure the authentication and authorization parameters
# in accordance with the API server security policy.
# Examples for each auth method are provided below, use the example that
# satisfies your auth use case.

# Configure API key authorization: apiKeyAuth
configuration.api_key['apiKeyAuth'] = os.getenv('DD_CLIENT_API_KEY')
# Uncomment below to setup prefix (e.g. Bearer) for API key, if needed
# configuration.api_key_prefix['apiKeyAuth'] = 'Bearer'

# Configure API key authorization: appKeyAuth
configuration.api_key['appKeyAuth'] = os.getenv('DD_CLIENT_APP_KEY')
# Uncomment below to setup prefix (e.g. Bearer) for API key, if needed
# configuration.api_key_prefix['appKeyAuth'] = 'Bearer'

# Enter a context with an instance of the API client
with datadog_api_client.v2.ApiClient(configuration) as api_client:
    # Create an instance of the API class
    api_instance = security_monitoring_api.SecurityMonitoringApi(api_client)
    rule_id = "rule_id_example"  # str | The ID of the rule.
    body = SecurityMonitoringRuleUpdatePayload(
        cases=[
            SecurityMonitoringRuleCase(
                condition="condition_example",
                name="name_example",
                notifications=[
                    "notifications_example",
                ],
                status=SecurityMonitoringRuleSeverity("info"),
            ),
        ],
        filters=[
            SecurityMonitoringFilter(
                action=SecurityMonitoringFilterAction("require"),
                query="query_example",
            ),
        ],
        is_enabled=True,
        message="message_example",
        name="name_example",
        options=SecurityMonitoringRuleOptions(
            evaluation_window=SecurityMonitoringRuleEvaluationWindow(0),
            keep_alive=SecurityMonitoringRuleKeepAlive(0),
            max_signal_duration=SecurityMonitoringRuleMaxSignalDuration(0),
        ),
        queries=[
            SecurityMonitoringRuleQuery(
                aggregation=SecurityMonitoringRuleQueryAggregation("count"),
                distinct_fields=[
                    "distinct_fields_example",
                ],
                group_by_fields=[
                    "group_by_fields_example",
                ],
                metric="metric_example",
                name="name_example",
                query="query_example",
            ),
        ],
        tags=[
            "tags_example",
        ],
    )  # SecurityMonitoringRuleUpdatePayload |

    # example passing only required values which don't have defaults set
    try:
        # Update an existing rule
        api_response = api_instance.update_security_monitoring_rule(rule_id, body)
        pprint(api_response)
    except datadog_api_client.v2.ApiException as e:
        print("Exception when calling SecurityMonitoringApi->update_security_monitoring_rule: %s\n" % e)
require 'time'
require 'datadog_api_client/v2'

# setup authorization
DatadogAPIClient::V2.configure do |config|
  # Configure API key authorization: apiKeyAuth
  config.api_key['apiKeyAuth'] = ENV["DD_CLIENT_API_KEY"]
  # Uncomment the following line to set a prefix for the API key, e.g. 'Bearer' (defaults to nil)
  # config.api_key_prefix['apiKeyAuth'] = 'Bearer'

  # Configure API key authorization: appKeyAuth
  config.api_key['appKeyAuth'] = ENV["DD_CLIENT_APP_KEY"]
  # Uncomment the following line to set a prefix for the API key, e.g. 'Bearer' (defaults to nil)
  # config.api_key_prefix['appKeyAuth'] = 'Bearer'
end

api_instance = DatadogAPIClient::V2::SecurityMonitoringApi.new
rule_id = 'rule_id_example' # String | The ID of the rule.
body = DatadogAPIClient::V2::SecurityMonitoringRuleUpdatePayload.new # SecurityMonitoringRuleUpdatePayload |

begin
  # Update an existing rule
  result = api_instance.update_security_monitoring_rule(rule_id, body)
  p result
rescue DatadogAPIClient::V2::ApiError => e
  puts "Error when calling SecurityMonitoringApi->update_security_monitoring_rule: #{e}"
end